Chinese police uses gait recognition for identification

30. July 2019

The police in Beijing and Shanghai have begun to use a new form of surveillance. The gait recognition technology analyzes the body shapes and ways people walk to identify them, even if their faces are hidden from the camera.

The gait recognition software is part of an advance in China towards the development of artificial intelligence and data-driven surveillance.

On their website, the Chinese technology startup Watrix explains that gait functions with a low-resolution video are remotely obtainable and recognizable compared to other biometrics such as face, iris, palm print and fingerprint. With the features of the contactless, far-reaching, transparent recognition range and the difficult to disguise gait recognition, it closes the gap in the market for remote identification in the public security industry. “You don’t need people’s cooperation for us to be able to recognize their identity,” Huang Yongzhen, the CEO of Watrix, said in an interview. “Gait analysis can’t be fooled by simply limping, walking with splayed feet or hunching over, because we’re analyzing all the features of an entire body.”

Watrix’s software extracts a person’s silhouette from the video and analyzes their movements to create a model of the person’s gait. However, it is not yet able to identify people in real time. Users must upload videos to the program. Yet no special cameras are needed. The software can use footage from regular surveillance cameras to analyze the gait.

The technology is not new. Scientists in Japan, the UK and the U.S. Defense Information Systems Agency have been researching gait detection for over a decade. Professors from the University of Osaka have been working with the Japanese National Police Agency since 2013 to pilot the gait recognition software.

Category: China
Tags: , ,

Settlement of $13 Million for Google in Street View Privacy Case

In an attempt to settle a long-running litigation of a class-action case started in 2010, Google agrees to pay $13 million over claims that it violated U.S. wire-tapping laws. The issue came from vehicles used for its Street View mapping Project that captured and collected personal data from private wifi networks along the way.

Street View is a feature that lets users interact with panoramic and detailed images of locations all around the world. The legal action began when several people whose data was collected sued Google after it admitted the cars photographing neighborhoods for Street View had also gathered emails, passwords and other private information from wifi networks in more than 30 countries.

While the company was quick to call this collection of data a mistake,  investigators found out that the capture of personal data was built and embedded by Google engineers in the software of the vehicles to intentionally collect personal data from accessed networks.

The new agreement would make Google to be required to destroy any collected data via Street View, agree not to use Street View to collect personal data from wifi networks without consent, and to create webpages and instructions to explain to people how to secure their wireless content.

Google had been asked to refrain from using and collecting personal data from wifi networks in an earlier settlement in 2013, which raises questions as to why it was necessary to include it in the current settlement as well.

Category: Cyber security · General · USA
Tags: , ,

CNIL fines French insurance company

26. July 2019

The French Data Protection Authority (CNIL) imposed a € 180.000 fine on a French insurance company for violating customer data security on their website.

Active Assurance is an insurance intermediary and distributor of motor insurances to customers. On their website, people can request offers, subscribe to contracts and access their personal space.

In 2018, CNIL received a complaint from an Active Assurance customer, saying that he had been able access other users’ data. The other accounts were accessible via hypertext links referred on a search engine. Customers’ documents were also available by slightly changing the URL. Among those records were drivers’ licences, bank statements and documents revealing whether someone has been subject of a licence withdrawal or hit and run.

CNIL informed the company about the violations and a few days later, the company stated that measures had been taken to rectify the infringements. After an on-site audit at the company’s premises, CNIL found that the measures taken were not sufficient and that Active Assurance violates Art. 32 GDPR. Active Assurance should have ensured that only authorized persons had access to the documents. The company should have also instructed the customers to use strong passwords and it should not have send them the passwords in plain text by e-mail.

Based on the seriousness of the breach and the number of people involved, CNIL imposed a fine of € 180.000.

FaceApp reacts to privacy concerns

22. July 2019

The picture editing app FaceApp, which became increasingly popular on social media, was confronted with various concerns about their privacy.

Created in Russia by a four-person start-up company, the app applies a newly developed technology that uses neural networks to modify a face in any photo while remaining photorealistic. In this process, no filters are placed on the photo, but the image itself is modified with the help of deep learning technology.

However, the app is accused of not explaining that the images are uploaded to a cloud for editing. In addition, the app is accused of uploading not only the image selected by the user, but also the entire camera roll in the background. The latter in particular raises high security concerns due to the large number of screenshots that people nowadays take of sensitive information such as access data or bank details.

While there is no evidence for the latter accusation and FaceApp emphasizes in its statement that no image other than the one chosen by the user is uploaded, they confirm the upload into a cloud.

The upload to the cloud justifies FaceApp with reasons of performance and traffic. With this, the app developers want to ensure that the user does not upload the photo repeatedly during each editing process.

Finally, FaceApp declares that no user data will be sold or passed on to third parties. Also, in 99 % of cases, they are unable to identify a person because the app can be and actually is used without registration by a large number of users.

Hackers steal millions of Bulgarians’ financial data

18. July 2019

After a cyberattack on the Bulgarian’s tax agency (NRA) millions of taxpayers’ financial data has been stolen. In an estimate, it is said that most working adults in the 7 million country are affected by some of their data being compromised. The stolen data included names, adresses, income and social security information.

The attack happened in June, but an E-mail from the self-proclaimed perpetrator was sent to Bulgarian media on Monday. It stated that more than 110 databases of the agency had been compromised, the hacker calling the NRA’s cybersecurity a parody. The Bulgarian media were further offered access to the stolen data. One stolen file, e-mailed to the newspaper 24 Chasa,  contained up to 1,1 million personal identification numbers with income, social security and healthcare figures.

The country’s finance minister Vladislav Goranov has appologized in parliament and to the Bulgarian citizens, adding that about 3% of the tax agency’s database had been affected. He made clear that whoever attempted to exploit the stolen data would fall under the impact of Bulgarian law.

In result to this hacking attack, the Bulgarian tax agency now faces a fine of up to 20 million euros by the Commission of Personal Data Protection (CPDP). In addition, the issue has reignited an old debate about the lax cybersecurity standards in Bulgaria, and its adjustement to the modern times.

Google data breach notification sent to IDPC

Google may face further investigations under the General Data Protection Regulation(GDPR), after unauthorized audio recordings have been forwarded to subcontractors. The Irish Data Protection Commission (IDPC) has confirmed through a spokesperson that they have received a data breach notification concerning the issue last week.

The recordings were exposed by the Belgian broadcast VRT, said to affect 1000 clips of conversations in the region of Belgium and the Netherlands. Being logged by Google Assistant, the recordings were then sent to Google’s subcontractors for review. At least 153 of those recordings were not authorized by Google’s wake phrase “Ok/Hey, Google,” and were never meant to be recorded in the first place. They contained personal data reaching from family conversations over bedroom chatter to business calls with confidential information.

Google has addressed this violation of their data security policies in a blog post. It said that the audio recordings were sent to experts, who understand nuances and accents, in order to refine Home’s linguistic abilities, which is a critical part in the process of building speech technology. Google stresses that the storing of recorded data on its services is turned off by default, and only sends audio data to Google once its wake phrase is said. The recordings in question were most likely initiated by the users saying a phrase that sounded similar to “Ok/Hey, Google,” therefore confusing Google Assistant and turning it on.

According to Google’s statement, Security and Privacy teams are working on the issue and will fully review its safeguards to prevent this sort of misconduct from happening again. If, however, following investigations by the IDPC discover a GDPR violation on the matter, it could result in significant financial penalty for the tech giant.

Hearing on the legal challenge of SCC and US-EU Privacy Shield before CJEU

17. July 2019

On Tuesday last week, the European Court of Justice (CJEU) held the hearing on case 311/18, commonly known as “Schrems II”, following a complaint to the Irish Data Protection Commission (DPC) by Maximilian Schrems about the transfer of his personal data from Facebook Ireland to Facebook in the U.S. The case deals with two consecutive questions. The initial question refers to whether U.S. law, the Foreign Intelligence Service Act (FISA), that consists a legal ground for national security agencies to access the personal data of citizens of the European Union (EU) violates EU data protection laws. If confirmed, this would raise the second question namely whether current legal data transfer mechanisms could be invalid (we already reported on the backgrounds).

If both, the US-EU Privacy Shield and the EU Standard Contractual Clauses (SCCs) as currently primeraly used transfer mechanisms, were ruled invalid, businesses would probably have to deal with a complex and diffucult scenario. As Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum said, the hearing would have had a particularly higher impact than the first Schrems/EU-US Safe Harbor case, because this time it could affect not only data transfers from the EU to the U.S., but from the EU to all countries around the world where international data transfers are based on the SCCs.

This is what also Facebook lawyer, Paul Gallagher, argued. He told the CJEU that if SCCs were hold invalid, “the effect on trade would be immense.” He added that not all U.S. companies would be covered by FISA – that would allow them to provide the law enforcement agencies with EU personal data. In particular, Facebook could not be hold responsible for unduly handing personal data over to national security agencies, as there was no evidence of that.

Eileen Barrington, lawyer of the US government assured, of course, by referring to a “hypothetical scenario” in which the US would tap data streams from a cable in the Atlantic, it was not about “undirected” mass surveillance. But about “targeted” collection of data – a lesson that would have been learned from the Snowden revelations according to which the US wanted to regain the trust of Europeans. Only suspicious material would be filtered out using particular selectors. She also had a message for the European feeling of security: “It has been proven that there is an essential benefit to the signal intelligence of the USA – for the security of American as well as EU citizens”.

The crucial factor for the outcome of the proceedings is likely to be how valid the CJEU considers the availability of legal remedies to EU data subjects. Throughout the hearing, there were serious doubts about this. The monitoring of non-US citizens data is essentially based on a presidential directive and an executive order, i.e. government orders and not on formal laws. However, EU citizens will be none the wiser, as particularly, referring to many critisists’ conlusion, they do not know whether they will be actually surveilled or not. It remains the issue regarding the independence of the ombudsperson which the US has committed itself to establish in the Privacy Shield Agreement. Of course, he or she may be independent in terms of the intelligence agencies, but most likely not of the government.

However, Henrik Saugmandsgaard Øe, the Advocate General responsible for the case, intends to present his proposal, which is not binding on the Judges, on December 12th. The court’s decision is then expected in early 2020. Referring to CJEU judge and judge-rapporteur in the case, Thomas von Danwitz, the digital services and networking would be considerably compromised, anyways, if the CJEU would declare the current content of the SCC ineffective.

 

 

Privacy incidents cost Facebook 5 billion dollar

15. July 2019

According to a report of the Washington Post the Federal Trade Commission (FTC) has approved a $ 5 billion (approx. € 4,4 billion) settlement with Facebook. The settlement was reached between the FTC and Facebook due to various Data Protection incidents, in particular the Cambridge Analytica scandal.

The settlement relies on a three to two vote – the FTC’s three republicans supported the fine the two democrats were against it- and terminates the procedure for investigating Facebook’s privacy violations against users’ personal information. The fine of $ 5 billion is the highest fine ever assessed against a tech company, but even if it sounds like a very high fine, it only corresponds to the amount of the monthly turnover and is therefore not very high in relative terms. So far, the highest fine was $ 22,5 million for Google in 2012.

The decision of the FTC needs to be approved by the Justice Department. As a rule, however, this is a formality.

This is not the first fine Facebook has to accept in connection with various data protection incidents and certainly not the last. Investigations against Facebook are still ongoing in Spain as well as in Germany. In addition, Facebook has been criticized for quite some time for privacy incidents.

Record fine by ICO for British Airways data breach

11. July 2019

After a data breach in 2018, which affected 500 000 customers, British Airways (BA) has now been fined a record £183m by the UK’s Information Commissioners Office (ICO). According to the BBC, Alex Cruz, chairman and CEO of British Airways, said he was “surprised and disappointed” by the ICO’s initial findings.

The breach happened by a hacking attack that managed to get a script on to the BA website. Unsuspecting users trying to access the BA website had been diverted to a false website, which collected their information. This information included e-mail addresses, names and credit card information. While BA had stated that they would reimburse every customer that had been affected, its owner IAG declared through its chief executive that they would take “all appropriate steps to defend the airline’s position”.

The ICO said that it was the biggest penalty that they had ever handed out and made public under the new rules of the GDPR. “When an organization fails to protect personal data from loss, damage or theft, it is more than an inconvenience,” ICO Commissioner Elizabeth Dunham said to the press.

In fact, the GDPR allows companies to be fined up to 4% of their annual turnover over data protection infringements. In relation, the fine of £183m British Airways received equals to 1,5% of its worldwide turnover for the year 2017, which lies under the possible maximum of 4%.

BA can still put forth an appeal in regards to the findings and the scale of the fine, before the ICO’s final decision is made.

China: Tourist mobile phones are scanned by an app

8. July 2019

Foreign tourists who want to enter the Chinese province of Xinjiang by land are spied out via an app.
For the first time, employees of the Süddeutsche Zeitung, Motherboard Vice and various other media portals in cooperation with IT-experts of the Ruhr University Bochum have succeeded in decrypting a Chinese surveillance software that also targets foreigners.

It has been known for some time that the Chinese authorities use apps to monitor the Uighur residents of Xinjiang province (we reported). What is new is that foreign tourists and businessmen coming from Kyrgyzstan to Xinjiang by land have to hand in their mobile phones at the borders and then get the Android app “Fengcai” (“collecting bees”) installed. They are not explicitly informed about this.

The app gets access to the contacts, the calendar, the SMS, the location or the call lists and transmits them to a computer of the border police. In addition, the app scans the phone for over 70,000  files that are suspicious from Chineses government’s point of view. Many scanned files refer to extremist content related to the Islamic state, but also harmless religious content or files related to Taiwan, Tibet or the Dalai Lama are part of the list. If the app discovers anything, it emits a warning tone and thereby informs the border police.

The app also scans the phones to see which apps were installed by the user and even extract usernames but several antivirus firms already updated their products to identify the app as malware.

Neither the Chinese authorities nor the company that developed the app reacted to a request for comment.

Category: General · Personal Data
Tags: ,
Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 38 39 40 Next
1 2 3 4 5 6 40