25. May 2016
Most of the market leaders in smartphone manufacturing have been developing fingerprint sensors as a security measure in order to protect the smartphone against unauthorized access. However, legal complications might force them to reconsider this security measure.
As NBC reported, a woman in California was compelled by a search warrant to unlock her iPhone via fingerprint in February. Some experts say, that this falls in a legal gray area.
Although it has not been clarified why the FBI wanted the iPhone of the woman in California, as the search warrant did not specify the reason the FBI wanted access to the phone, only that it was granted. The smartphone, however, was found in the home of the boyfriend, who is a suspected gang member, as the Los Angeles Times reported in April.
Is there a difference in opening the smartphone via passcode and via fingerprint?
Neil Richards, a privacy law professor at Washington University, said that opening the smartphone with a passcode violates the Fifth Amendment protection against self-incrimination, whereas the use of a fingerprint provides law enforcement some legal cover. He went on “Most people don’t draw a distinction between a fingerprint and a password, but the law does”. The problem is due to the fact that the laws have been made before smartphones were invented. According to the respected law, it is allowed to collect physical evidence during the course of an arrest, such as DNA evidence or fingerprints. Therefore, typing a passcode, for example 1-2-3-4, in order to access a smartphone counts as testimonial whereas the fingerprint sensor that also opens the smartphone, only with biometric data instead of a password, can be seen as physical evidence.
Due to the fact that eight people are killed and 1,161 are injured every day in the USA as a result of distracted driving, there is the discussion to implement a test for texting while driving. As the New York times reported that the state legislature considers roadside tests called the Textalyzer. Police officers would be able to plug a cellphone into a laptop and determine if it was used while driving. However, in case a police officer looks at the content of a phone the Textalyzer could cause a number of privacy problems.
Richards concluded “They’re going to start thinking twice about nudging people toward just using fingerprints. It is secure against private parties, but under current law, it’s not as secure against the government.”
24. May 2016
Allo, the new instant messaging app from Google, has been presented this week and is expected to be available for users this summer. As many other technological companies, such as WhatsApp, Facebook, or Apple, Google has decided to implement end-to-end encryption in this app. End-to-end encryption ensures privacy in certain messaging and video call apps so that not even authorities have access to the information stored.
However, unlike WhatsApp, Facebook messenger or iMessage, end-to-end encryption in Allo has to be activated by the user by selecting the “incognito” mode, what has been subject to strong criticism. As Google explained, end-to-end encryption is not activated by default in order to be able to connect it with the functionalities of Google Assistant, which provides tailored recommendations to its users according to the data stored in Google apps. This means that queries to Google’s own servers may be necessary. If “incognito” mode is active Google Assistant’s features may not be able to be used.
Morey Haber, Vice-President of technology, at the cybersecurity company BeyondTrust, acknowledges the possibility to combine end-to-end encryption with the artificial intelligence feature, but he admits that in this case it is not possible that the queries to Google Assistant are fully processed.
Google engineer, Thai Duong, has posted in his personal blog about the security and privacy features of the app.
23. May 2016
On the 19th May, the Article 31 Committee, made up of representatives of the EU Member States, met in order to discuss the implications of the proposed draft of the EU-U.S. Privacy Shield. The Article 31 was created in order to reach decisions that require the approval of the EU Member States according to the Data Protection Directive 95/46/EC. This is the case, for example of the adoption of adequacy decisions, such as Safe Harbor in the past or the EU-U.S. Privacy Shield currently.
Article 31 concluded that it needed more time to reach a decision about the proposal. Moreover, a source of the Commission affirmed that further meetings in May and early June will take place. Also, the recommendations of the Article 29 WP are being taken into consideration before reaching a decision.
The decision of the Article 31 is expected by the end of June. The EU-U.S. Privacy Shield can be only adopted if a qualified majority of 16 Member States representing 65 percent of the EU population votes for the adoption of the Privacy Shield.
Until a decision is reached, Standard Contractual Clauses and Binding Corporate Rules can still be used to carry out international data transfers on a legal basis.
19. May 2016
In 2012 LinkedIn was hacked and 6.5 million encrypted passwords were posted online.
This data breach has now turned out to be far more extensive than originally thoght. This is due to the fact that a hacker called “Peace” is trying to sell account information of 117 million LinkedIn users, including their e-mail addresses and passwords.
The hacked data search engine LeakedSource, has also obtained the data. Although the passwords were originally encrypted, so that a series of random digits were attached to the end of hashes, in order to make them harder to be cracked, LeakedSource claims to have cracked 90 percent of the passwords in 72 hours.
The security researcher Troy Hunt, maintaining the breach notification site “Have I Been Pwned?,”talked to some of the victims of this data breach. Two of them confirmed that they were users of LinkedIn and that the password that Hunt shared with them was indeed the one they were using at the time of the data breach.
LinkedIn confirmed this week that the new data is legitimate:
The company’s chief information security officer Cory Scott stated that “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,“ and went on “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.“ Furthermore, Scott also suggested that in order to keep their accounts as safe as possible, members visit their safety center to learn about enabling two-step verification, and to use strong passwords.
The EU Council adopted this week the Network and Information Security Directive (NIS Directive) at first reading. The NIS Directive is part of the EU cyber security strategy, which main objective is to prevent and respond to disruptions and cyber-attacks in telecommunications systems located in the EU.
The Directive aims at achieving a minimum level of IT security and implementing an effective risk management culture for digital technologies. Furthermore, it also aims at dealing with IT security breaches by imposing the obligation to report significant incidents without delay, especially for business or organizations whose main activity is subject to a higher risk, such as cloud providers or social networks.
The five main goals of the NIS Directive are:
- To achieve cyber resilience
- To reduce cybercrime significantly
- To develop a cyber defense policy at EU level by creating authorities at national level
- To promote the development of technological resources
- To implement a solid international cyberspace policy
After the EU Council has adopted the NIS Directive at first reading, the draft must be approved by the EU Parliament at second reading. If the EU Parliament approves the Directive, it might enter into force in August 2016.
18. May 2016
Background
In 2014, Mr. Breyer filed a suit against the Federal Republic of Germany regarding the storing of IP Addresses. Several German public bodies operate internet websites that are publicly accessible. In order to avoid and be able to prosecute criminal attacks, the access to these websites is protocolled, including names, retrieved data/website, words searched in the search fields, date and time of retrieval, data transmitted and the IP Address of the device in question.
Mr. Breyer requested that neither the Federal Republic of Germany nor third parties store the IP Address of users that accesses these websites, as there was no consent for this processing and the storage was not based on the recovery due to a disruption of the service.
Prejudicial question from the German Federal Supreme Court (Bundesgerichtshof)
The suit from Mr. Breyer was dismissed in the First Instance. However, the appeal succeed partly and the Federal Republic of Germany was sentenced not to store IP Addresses for a longer period of time than that of the access in question. Though, this was subject to the condition that Mr. Breyer provided his personal data when he accessed the website. Both parties appealed to the German Federal Supreme Court, who submitted the following questions to the ECJ:
– Question 1: Must the Data Protection Directive 95/46/EC be interpreted as meaning that an Internet Protocol address (IP Address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
– Question 2: Does the Data Protection Directive 95/46/EC preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?
Position of the ECJ General Advocate
The ECJ General Advocate answers the above questions as follows:
– To question 1: A dynamic IP Address, through which a user has retrieved a website from a telemedia service provider, constitutes for the latter a personal data to the extent that the service provider has enough additional information, which connected with the IP-Address makes possible to identify the user. Dynamic IP-Addresses contain information regarding the time and date in which a website was accessed from a device. This data can provide information about behavioural patterns that can affect the right to privacy of individuals. Additionally it can also provide additional information about a user if it is connected to other personal data.
– To question 2: The finality to guarantee the operability of the telemedium should be basically seen as a legitimate interest that justifies the processing of an IP Address. This legitimation can be only alleged if it has primacy over the fundamental rights of the data subject. A national legal disposition that does not allow such legitimate interest, is not consistent with the Data Protection Directive 45/95/EC.
What to expect regarding IP addresses with the GDPR?
The problematic of the IP Addresses may be solved with the GDPR, as the Recital 30 enumerates, among others, also IP addresses as examples of personal data. As such, they can lead to identify an individual if combined with other information, therefore they fall under the scope of the GDPR and they are to be handled as personal data.
17. May 2016
Two years ago, the Court of Justice of the European Union established the “right to be forgotten”. An organization named Reputation VIP launched a website, forget.me, that should help consumers in Europe submitting requests to Google and Bing.
Based on the consumer submissions through the site, 130,000 URLs, the company released a new report on the trends of the outcome of the requests of the “right to be forgotten” related to geographic location and success rates of those requests.
The study shows, that with regard to geographical means the top three countries from which requests originate are Germany, the UK and France. In more detail it is to say, that more than half of all requests came from Germany and the UK.
With respect to the success rates of the mentioned requests the report states, that Google denies about 70 percent to 75 percent of them.
Furthermore, the study shows, that Google most frequently denies removal requests concerning professional activity. Whereas the type of request is in 61 % of the cases due to an invasion of privacy.
From the 1st January 2016, data controllers located in The Netherlands are obliged to notify serious data breaches according to the Amendment made to Art. 34 of the current Dutch Data Protection Act. This obligation implies:
- Notifying the Dutch DPA in the cases where there is a considerable probability that the breach hast serious adverse effects on the privacy if the affected individuals; and
- Notifying the data subjects affected if there is a considerable probability that the privacy of the data subject is negatively affected.
According to a representative of the Dutch DPA, already 1.500 data breach notifications have been received since the new rule entered into force. This is not surprising for the Dutch DPA, as currently more than 130.000 organizations located in the Netherlands are subject to the data breach notification obligation. However, the Dutch DPA suspects that the number of occurred data breaches is actually higher.
In order to review the notifications, the Dutch DPA has implemented a software that separates the notifications that require action from the DPA from those that do not require additional action. The ones that do not require additional action are archived for future references, while the formers are further examined by the Dutch DPA. Nevertheless, the DPA has examined all received notifications, in order to identify the main sources of data breaches, which result to be based on one of the following reasons:
- Loss of devices that were not encrypted; or
- Disposal of information without observing adequate security measures, such as the use of a shredder or the disposal in locked containers; or
- Insecure transfer of information, especially related to sensitive data; or
- The access by unauthorized third parties to data bases and personal data.
This shows that most of data breaches occur because organizations do not implement adequate technical and organizational security measures or they do not follow the existing obligations regarding IT security and data protection, or employees are not trained in theses aspects.
Moreover, two-thirds of the reports were subject to a further investigation by the Dutch DPA and actions have been already taken against around 70 organizations. Also, in some cases additional information was required from the organization or the individuals had to be notified about the data breach. Information to data subjects is required if sensitive personal data is affected by the breach, the Dutch DPA has enumerated some of the data categories that are included in the definition of sensitive personal data: financial information, data that may lead to an stigmatization or exclusion of the data subject, user names, passwords or data that can be misused for identity fraud.
The new GDPR also regulates the obligation to notify data breaches. According to the Regulation, the DPA should be always notified, unless it is unlikely that the breach results in a risk for the privacy of data subjects. Furthermore, data subjects should be directly notified if the breach could result in a high risk for their privacy, so that the regulation of data breaches in the GDPR is stricter than that in The Netherlands regarding the notification to data subjects.
11. May 2016
A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.
EU data protection legislation has been lately updated in several aspects. Last week, the GDPR was finally published in the Official Journal of the EU, also the Passenger Name Record (PNR) Directive and the Directive related to criminal records held by authorities have been published in the Official Journal of the EU.
In this evolving landscape, new questions related to the application of EU data protection legislation are arising. Recently, the Irish Supreme Court raised a question to the ECJ related to the scope of application of the definition of personal data. A man that took an accounting exam exercised his right to data subject access request regarding this exam on the basis of Irish Data Protection Laws. However, this access request was refused based on the argument that the data he wrote on the accounting exam could not be referred to as “personal data”, as it was not his “own” personal data, but data related to the subject of the exam in question.
According to the EU definition, personal data is “any information relating to an identified or identifiable natural person”. The scope of this definition is essential in order to determine if data protection laws are applicable or not. In this case, the ECJ will have to answer to this question in a preliminary ruling. In a similar case, an applicant for a Dutch residence permit exercised an access request, which had been refused. The refusal was based on a legal opinion. The ECJ stated that a legal opinion refers to a situation and not to personal data. However, counter-arguments may be given in order to support the inclusion of an exam in the definition of personal data, such as the person´s handwriting or the remarks of the examiner that may be related to the person who wrote the exam, etc.
The ECJ will have to decide whether such data is subject to data protection legislation and, therefore, the data subject access request should be accepted.
