10. May 2016
Dataminr is used as a tool that analyzes and traces social media posts and notifies users about breaking news in real time, such as the terror attack in Brussel´s airport in March. This analysis is carried out by using key words, patterns, or geotags.
Twitter, that owns 5% of Dataminr, has now blocked U.S. intelligence services from its Dataminr service, in order not to appear to support the surveillance activities of the U.S. Intelligence services.
Dataminr services where used by the American Government in 2013 to detect any risks on the inauguration of U.S. President Obama´s second term. However, it is not clear how Dataminr provided this service to the U.S. Intelligence services, as Twitter´s privacy policy prohibits selling its data to governmental agencies.
9. May 2016
After the EU Parliament voted the final draft of the GDPR on April 14th and the EU Commission signed it, the GDPR was finally published in the Official Journal of the EU on May 4th. The GDPR will harmonize several aspects of data protection in order to achieve a higher data protection level within the EU.
The Regulation will enter into force 20 days after publication in the Official Journal of the EU but will be directly applicable two years after its entry into force, this is ending May 2018. This means that organizations have two years to implement the provisions of the GDPR and be compliant.
4. May 2016
Korea´s Personal Information Protection Act (“PIPA”) has been recently updated. The modifications reflect the increasing importance of privacy and data protection issues in this country. The most relevant amendments refer to the following points:
- The legal grounds for the processing of RRN (Residence Registration Number) and the applicable security measures have been strengthened. It will be possible to process RRN data only in the cases stipulated by law. Moreover, it is mandatory to encrypt this data. However, this will be done gradually depending on the number of RRN held by the data controller. Inspections will be also carried out by the competent authorities.
- The technical and organizational security measures that should be implemented have been also strengthened regarding sensitive information.
- A notification obligation to data subjects regarding third party transfers has been also introduced. The notification should include the organization from which the data was received and the purposes for which the personal data will be used by the recipient. Previously, the data controller was the responsible for informing and obtaining consent from data subjects regarding data transfers to third parties, or the recipients upon the data subject´s request.
- The amount of fines will increase considerably in cases of data breach (loss, theft, destruction, alteration etc.) and data subjects affected by the data breach will do not even have to prove actual damages.
Additionally, the Act on the Promotion of IT Network Use and Information Protection (IT Network Act) has been updated and will enter into force in September 2016. This Act relates to telecommunications service providers and the amendments aim at enforcing security of IT networks and of data protection
29. April 2016
During this week credential data from hundreds of Spotify users was posted on the internet. This data includes country of registration, user name, password and type of account.
However, Spotify denied having suffered a data security breach. Furthermore, a company spokesman stated that they monitor certain websites regularly in order to find out if user credentials have been stolen and check if these credentials are authentic. If so, they inform the user and request a password change. Despite the statement of the spokesman, several users confirmed that their playlists had been accessed and their passwords and associated e-mails changed.
Spotify has suffered during the last years several hacker attacks. The last occurred in November 2015 and also user data was made public. Regarding the data posted online this week, the company states that it could affect data related to previous hack attacks.
The U.S. House of Representatives voted unanimously on Wednesday about the Email Privacy Bill. The bill aims at updating the current Electronic Communications Privacy Act (ECPA) from 1986. Under the ECPA, U.S. Authorities can access email communications directly from service providers with just a subpoena, if data is more than 180 old. However, under the new Email Privacy Act, they will need furthermore a warrant to access emails or other electronic communications no matter how old they are.
Currently, access to electronic communications from U.S. authorities is being subject to debate at an international level. Specially, after some weeks ago the FBI requested Apple to develop a software that allows to extract data from an iPhone device that belonged to the San Bernardino terrorist.
The Email Privacy Bill will have to be voted by the Senate, but the position of the upper chamber towards the bill is still not clear.
28. April 2016
As BBC just reported the data of more than a million members of the dating website www.beauftifulpeole.com has been sold online. The traded data not only included the weight, height, job, and phone numbers of members but further more income, sexual preferences, smoking and drinking habits and relationship status. The firm stated that the data belonged to members, who joined before July 2015 and that no passwords or financial information were included.
The data has now been sold on the online black market, said security expert Troy Hunt, an Australian security expert, who runs the website HaveIBeenPwned.com, where people can verify whether their data has been leaked. Although he does not know exactly where or for how much money the data was sold, he stated that by selling data tens of thousands of dollars can be earned, bearing in mind that the data originally can cost as little as $300.
Chris Vickery, security researcher, told the BBC that the affected company acted quickly after notifying them that he had discovered it. However, the data had then already been sold. He went on by saying that “they published it openly to the world with no protection whatsoever”. This is a contradiction to the company’s statement that the content was from a test server. Therefore, Vickery added that “whether or not it’s in the test database makes no difference if it’s real data”. His analysis is further supported as a second researcher had identified the same weakness on the same day.
However in a statement BeautifulPeople said that “the breach involves data that was provided by members prior to mid-July 2015. No more recent user data or any data relating to users who joined from mid-July 2015 onward is affected”.
David Emm, principal security researcher at Kaspersky Lab commented on the stolen and sold data by summarizing “now it’s public, cybercriminals have the opportunity to use this information to steal personal identities or more” and added “unfortunately, once a breach of this nature has been made, there is not much that can be done.”
Emm went by giving the advise that “organisations need to take action and use more data, analytical insights and triangulation of multiple-identity proofing techniques to minimise the potential effects of identity theft for both the user and the businesses serving them”.
26. April 2016
NBC News reports that FBI Director James Comey might have disclosed how much the agency spent for cracking the iPhone of the San Bernardino attackers.
Comey commented on the case so that the organization paid “a lot, more than I will make in the remainder of this job, which is seven years and four months, for sure” at a security conference in London. He went on that it “was in my view worth it” and that the FBI will now be able to crack any other iPhone 5s with IOS 9 by using the developed software.
Based on this given timeframe and by multiplying his salary of $180,000 per year, NBC News comes to a figure of $1.3 million. However, there was no official comment on part of the FBI.
The EU Parliament approved some weeks ago the new General Data Protection Regulation (GDPR). As a next step, the EU Commission has launched a public consultation on the evaluation and review of the ePrivacy Directive, as part of the Digital Single Market Strategy proposed by the EU Commission in May 2015. The consultation started on the 12th April and will be open until the 5th July 2016.
The current ePrivacy Directive was initially adopted for the telecoms sector. However, most of the EU Member States have also extended its application to other sectors. This Directive is also known as “cookie law”, but it also regulates the confidentiality of communications, the obligation to notify data breaches, the scope and definition of unsolicited communications, etc.
The “update” of the ePrivacy Directive is necessary in order to achieve a higher harmonization at all levels, including the field of electronic communications, and to complement the GDPR. The head of unit for policy and consultation at the EU Data Protection Supervisor, Sophie Louveaux, unofficially stated that the modification of the ePrivacy Directive is a priority regarding privacy issues and that a “full coherence” between the GDPR and the ePrivacy Directive should be achieved.
The legislative proposal for a new ePrivacy Directive is expected by the end of 2016.
25. April 2016
The UK Information Commissioner, Christopher Graham, issued last week his opinion about the EU-U.S. Privacy Shield. He criticized the reluctance of the U.S. authorities to make amendments on the agreement. On the 13th April, the Article 29WP also called American negotiators for clarification of some aspects of the Privacy Shield such as data transfers, the institution of the ombudsman or the justification for the collection of personal data, etc. Graham also remarked that the ECJ will also ask for clarification regarding these points and invited both American and European authorities to provide the required clarification.
On the other side, Stefan Selig, U.S. undersecretary of commerce for international trade, affirmed that the opinion issued by the EU Data Protection Authorities will be revised carefully. However, he believes that the current draft of the EU-U.S. Privacy Shield achieves a balance of interests for both parties.
Graham also remarks the importance of reaching an agreement regarding international data transfers, so that the English DPA (ICO) can focus on providing support to organizations regarding the implementation of the GDPR that will be effective on the first half of 2018.
22. April 2016
Due to the fact that security specialists and the EU member states have pushed for European rules on Passenger Name Record (PNR) for years, the latest acts of terror in Europe just increased these requestes. These demands have been met by EU Parliament as it approved the bill concerning a more systematic collection, use and retention of data on international airline passengers on 14 April 2016.
However, a first attempt on implementing rules on the use of PNR was rejected in 2013 due to concerns about the necessity and scope of the proposal and its compliance with fundamental rights. The civil liberties committee then discussed a new draft text on PNR on 26 February 2015 and on 15 July 2015 this text was adopted. Safeguards were included ensuring the lawfulness of any use of the data, so that the data should only be used in order to fight terrorism and serious international crime. After negotianting EU Parliament and the Council reached a provisional deal on 4 December 2015. During a plenary session on 14 April 2016 the text was then approved by 461 votes to 179, with nine absentions.
