Tag: Cyber-Attack

Opinion of the EDPS on the dissemination and use of intrusive surveillance technologies

We need some more surveillance here! [1]

In a recently published opinion, the EDPS addressed its concerns regarding the dissemination and use of intrusive surveillance technologies, which are described as aiming “to remotely infiltrate IT systems (usually over the Internet) in order to covertly monitor the activities of those IT systems and over time, send data back to the user of the surveillance tools.”

The opinion specifically refers to surveillance tools which are designed, marketed and sold for mass surveillance, intrusion and exfiltration.

The data accessed and collected through intrusive surveillance tools may contain “any data processed by the target such as browsing data from any browser used on that target, e-mails sent and received, files residing on the hard drives accessible to the target (files located either on the target itself or on other IT systems to which the target has access), all logs recorded, all keys pressed on the keyboard (this would allow collecting passwords), screenshots of what the user of the target sees, capture the video and audio feeds of webcams and microphones connected to the target, etc.”

Therefore these tools may well be used for human rights violations, such as censorship, surveillance, unauthorised access to devices, jamming, interception, or tracking of individuals.

This is particularly worrisome considering that software designed for intrusive surveillance has been known to have been sold as well to governments conducting hostile surveillance of citizens, activists and journalists.

As these tools are also used by law enforcement bodies and intelligence agencies, this is a timely document, considering the security concerns driving the legislative amendments intended to be implemented in several Member States. Indeed, as pointed out by the EDPS, although cybersecurity must not be used as a justification for a disproportionate impact on privacy and on the processing of personal data, intelligence services and police may indeed adopt intrusive technological measures (including intrusive surveillance technology) in order to make their investigations better targeted and more effective.

It is evident that the principles of necessity and proportionality should dictate the use of intrusion and surveillance technologies. However, it remains to be assessed where to draw the line between what is proportionate and necessary and what is disproportionate and unnecessary. That is the core of the problem.

Regarding the export of surveillance and interception technologies to third countries, the EDPS considered that, while it does not address all the questions concerning the dissemination and use of surveillance technologies, “the EU dual use regime fails to fully address the issue of export of all ICT technologies to a country where all appropriate safeguards regarding the use of this technology are not provided. Therefore, the current revision of the ‘dual-use’ regulation should be seen as an opportunity to limit the export of potentially harmful devices, services and information to third countries presenting a risk for human rights.”

As this document relates to the EU cybersecurity strategy and the data protection framework, I would recommend reading it to those interested in these questions. You can find the document here.


1 Copyright by Quevaal under the Creative Commons Attribution-Share Alike 3.0 Unported

The Sony data breach: when fiction meets reality?

You better believe SONY. You have been HACKED!

It is not the first time that Sony has suffered a massive cyber attack. Back in 2011, vulnerabilities found in its data servers allowed the hacking of its PlayStation online network service, which enabled the theft of names, addresses and credit card data belonging to 77 million user accounts.

A few days ago, Sony Pictures computer systems were hacked again, allegedly by a group of hackers calling themselves Guardians of Peace. As a consequence, a humongous amount of data was leaked to the Internet: confidential details, such as medical information, salaries, home addresses and social security numbers, regarding 47 thousand Sony employees and former employees, including Hollywood stars, as well as contracts, budgets, layoff strategies, scripts for movies not yet in production, full-length unreleased movies and thousands of passwords.

The reason remains unclear. Despite the denial of a North Korean representative regarding any involvement of that country, it is being speculated that this attack is a retaliation by the North Korean government against an upcoming Sony comedy, ‘The Interview’, starring actors Seth Rogen and James Franco, which depicts an assassination attempt against North Korea’s leader Kim Jong-un. If Hollywood comedies are now deemed a sufficient reason to conduct cyber-attacks in real life, fiction and reality are meeting in a very wrong way.

Anyway, considering the volume and the sensitive nature of the information disclosed, this may well be one of the largest corporate cyber attacks ever known.

It is a sharp reminder that hacking attacks can be directed at any company and can take all forms, all equally damaging. This attack demonstrates once again that critical infrastructure is not the only thing at risk. Sony Pictures Entertainment is one of the largest studios in Hollywood. It is really not the expected victim of a cyber-attack. However, it was an easy prey, as its business decisions regarding information security had been publicly stated on previous occasions. Despite their ludicrous nature, I guess someone took those comments seriously.

Considerations regarding the absurdity of having a file directory named ‘Passwords’ aside, this attack highlights that data breaches are one of the major threats that companies face nowadays. Cyber attacks are conducted against companies of all sizes. Large companies do eventually recover from these breaches. Small businesses, on the other hand, rarely pull through after suffering a cyber-attack. It is therefore essential that businesses implement a solid cyber-security programme, including regular self-hacking exercises to assess the vulnerabilities of their security systems in order to prevent a potential breach.

What about Sony? Well, the damage to its employees is incalculable, considering that their identities may be stolen, their bank accounts may be compromised and their houses may be robbed. Only time will tell if and how it will recover.

Meet Regin

Yes, you have been hacked and spied upon!

Regin is not like all the other regular viruses you can find on your computer. It is the most recently discovered powerful tool for cyber espionage between nation-states, as reported by the computer security research lab Symantec and by its main competitor Kaspersky Lab.

Regin is described as a sophisticated cyber attack platform, which operates much like a back-door Trojan, mainly affecting Windows-based computers. It can be customized with different capabilities depending on the target and, while it operates in five stages, only the first one is detectable.

Among its diverse range of features, Regin allows remote access to and control of a computer, thus enabling the attacker to copy files from the hard drive, to recover deleted files, to steal passwords, to monitor network traffic, to turn the microphone or the camera on, and to capture screenshots.

According to the above-mentioned reports, Regin has been quietly active since at least 2008 and has been used in systematic spying campaigns against a wide range of international targets, including government entities, Internet service providers, telecom operators, financial institutions, mathematical/cryptographic researchers, big and small businesses, and individuals.

As for the geographical incidence, Saudi Arabia and Russia appear to be the major targets of Regin. Mexico, Iran, Afghanistan, India, Belgium and Ireland were among the other targeted countries.

The conclusions drawn in Symantec’s report are, at the very least, very unsettling. It is stated that, considering its high degree of technical competence, its development is likely to have taken months, if not years, to complete.

Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.

Therefore, the new million dollar question is: who is behind its conception? Unfortunately, it is very difficult to find out who created or otherwise financed its development, because little trace of the culprits was left behind. However, it is well known that not all countries are technologically advanced enough to engineer such an accurate tool or to conduct such a large-scale operation.

As a governmental instrument for mass surveillance, cyber espionage and intelligence gathering, Regin is not the only one of its kind. A few years ago, the world witnessed the rise of similar viruses, also of nation-state origin. Stuxnet, Duqu and Flame were three of the detected viruses previously employed to perform industrial sabotage or to conduct cyber espionage.

That said, this historical pattern of cyber attacks clearly shows that virtual wars are being fought on the almost invisible battlefield that is cyberspace, where nation-states clash silently. Once limited to opportunistic criminals, viruses are now the new weaponry in this cyber warfare.

But a state-sponsored cyber attack does not really come as a surprise. Governments have always spied on each other in order to obtain strategic, economic, political or military advantage. The discovery of Regin just confirms that investments continue to be made in order to develop implacable instruments for espionage and intelligence gathering purposes.

In this context, it is no coincidence that cyber security is increasingly singled out as a decisive part of any government’s security strategy, as it involves protecting national information and infrastructure systems from major cyber threats.

And while these sophisticated attacks are conducted, sensitive information about individuals is accessed, stolen, collected and stored by unknown attackers. To what end? Well, it can be any, really…

A World of Data = Big Data x Little Privacy

Next evolution, Humongous Data?

With massive amounts of our personal data now being routinely entered, collected, stored and exchanged, data security and privacy breaches are almost inevitable; in particular, large-scale attacks that lead to the theft of millions of individuals’ data are becoming more and more common nowadays.

With technology at our fingertips, we are sharing more and more information online and by electronic means. From sensors that fit into our cars to wearables, from cloud computing to social networking, from digital pictures and videos to cell phone GPS signals, from online purchase transactions to a sign-up process, from the telecommunications and insurance sectors to the medical or banking sectors, we leave traces of information with every move we make.

The massive volume of data generated and gathered is popularly referred to as ‘Big Data’. The concept commonly describes such a large amount of complex, unstructured, diverse and fast-moving information that it is difficult to process using traditional database and software techniques. Billions to trillions of records about millions of people are now measured in new units such as petabytes and exabytes. The golden era of gigabytes is long gone.

So what is so special about Big Data?

The analysis that can be done with Big Data enables the establishment of correlations across large populations that are useful to individuals. It creates a remarkable opportunity for society worldwide in any field you can think of, ranging from crime rate predictions to medical research, from public health to national security and from marketing to risk analysis. Companies and governments no longer have to rely on sampling: they have access to the entire, plentiful digitized knowledge of the digital age, a myriad of data points collected for unrelated purposes and updated in real time.

For instance, a few years ago, Google was able to predict flu outbreaks faster than was possible using hospital admission records, just by analyzing clusters of search terms by region in the United States. All with algorithms! Quite impressive, huh?

In our enthusiasm to share and bond with others, and to make the most of the conveniences offered by new technologies as the world grows more and more connected, we give away information about ourselves quite readily. Businesses know that. And they are continuously developing new means to collect information about their customers.

Why wouldn’t they?

They can try to look for hidden patterns, trends or other insights that will enable them to better mould their products and services to customers, anticipate demand or improve performance. Big Data certainly can bring the knowledge that will allow innovative improvements for businesses… from which all of us will ultimately benefit. As a result, personal data is consistently collected and traded, becoming the new currency of the new economy that is the internet.

For instance, have you noticed how often, after having searched for a certain type of goods or services on Google, you are shown matching advertisements on the right side of your Gmail window the next time you open it?

But the astonishing advantages coming from the analysis of Big Data are tempered by concerns over privacy and data protection.

I believe that many of us don’t think much about the implications of easily sharing and giving away personal details online nowadays. After all, how many of us actually read the consent form regarding the use of our personal data?

But it is important to reflect on a few points which, I assume, won’t leave anybody comfortable after consideration.

Consider, for instance, that some retailers are able, through the analysis of purchasing habits, to predict such intimate details as the pregnancy of a customer and that, regardless of the wishes of the customer concerned, the ensuing marketing activities may result in disclosing that information.

Consider, for example, that with such a volume of data and such powerful analytical mechanisms, the combination of data sets might lead to the identification of individuals, despite the anonymisation of certain elements.

Consider, now, that the data contain biases, inaccuracies, obsolete and missing information and flawed correlations that unavoidably affect the predictions and conclusions resulting from its analysis, and that decisions which can affect your welfare will still be taken based on those predictions and conclusions.

Consider also that more and more of the data being collected about us does not come directly from us.

Finally, consider that hospital records of national health system patients could be sold for insurance purposes.

Scary, at the very least…

The good or bad news is that Big Data analysis isn’t as efficient as many would like or fear it to be.

The risk of biases inherent to data and false correlations and associations is great and increases as bigger volumes of data are analyzed.

For instance, Google’s model for predicting the spread of flu ended up overestimating the phenomenon by almost a factor of two.

Regarding public security, Big Data has not proven able to detect patterns or anomalies that could help prevent acts of terror either.

Not so reliable after all…

Nevertheless, one cannot escape Big Data. We live so entangled in it that it is more and more usual to talk about an ‘internet of things’. Good things can come from it. But nobody can be entirely sure that it will be used for legitimate purposes.

In parallel to the enthusiasm of connecting and sharing, there is an increasing concern surrounding the lack of privacy.

In this context, there might indeed be a big place in the market for privacy products. And the seeds are being planted now. Just recently Google announced that data encryption will come as a default setting on the next Android operating system, known as Android Lollipop, which will make it impossible for anyone to gain access to the data without the consent of the owner. This initiative is in line with the announcement made by Tim Cook, the CEO of Apple, regarding the privacy policy of the company. Both guarantee that even the police won’t be able to gain access to the user’s personal information. It is however worth mentioning that the upgraded security feature will only protect data and information stored within the iOS device itself, and not data stored within the iCloud service.

The advantages which result from Big Data analysis will only be reached if the privacy expectations of users are appropriately met and their data protection rights are respected. However, finding the right balance between all the interests at stake (those of the individuals concerned, those of businesses and, ultimately, the general public interest) might not be an easy end to achieve, particularly in the field of health research.

The Article 29 Working Party recently issued a statement on the impact of the development of Big Data on the protection of individuals with regard to the processing of their personal data in the EU, where it found “no reason to believe that the EU data protection principles are no longer valid and appropriate for the development of Big Data.” Nevertheless, it envisaged the possibility of “further improvements to make [the principles] more effective in practice” in the context of Big Data.

In my opinion, data protection principles shall be deemed applicable, as they refer to fairness, transparency and, ultimately, trust. For that reason, the ‘notice and consent’ and the ‘purpose limitation’ models should be preserved as much as possible, and data ought to be anonymized to the point where re-identification is precluded.

This week, the European Commission and the Big Data Value Association, an industry-led organisation which acts on behalf of companies including ATOS, Nokia Solutions and Networks, Orange, SAP and Siemens, have committed to a public-private partnership (PPP) that aims to support research and innovation in Big Data technologies and infrastructures in order to ensure privacy and security.

No statistics can predict what uncertainties the future holds regarding Big Data… However, in these fast-changing times of information and communications technology, we will surely know soon enough…

Mirror Mirror on the Wall, Who Is the Stupidest of Them All?

Half serious Günther Oettinger.

So, the European Parliament has begun its hearings in order to evaluate the Commissioners designated by the European Commission’s President Jean-Claude Juncker. But the hearings have shown quite a few surprises…

After Cecilia Malmström, it was up to Günther Oettinger, appointed to be the commissioner responsible for ‘digital economy and society’, to be in the spotlight last Monday. This time, however, it was not due to some compromising correspondence, but to some highly questionable answers.

The MEPs’ questions focused on issues such as roaming and net neutrality, data protection, mass surveillance, the ‘right to be forgotten’ ruling, and copyright law. Overall, Oettinger was vague and superficial and mainly dodged the questions, in particular regarding net neutrality. However, infrastructure (whatever this is supposed to mean) appeared to be one of his main priorities, as it came up in almost every statement.

But what this hearing will always be remembered for is how he referred to the recent data breach involving several female celebrities, which I have previously addressed here.

According to Oettinger, it would not be his role as a commissioner to protect celebrities who have taken under-dressed pictures of themselves, and his precise words were as follows:

We should say: We can mitigate or even eliminate some risks. But like with any technology, you can’t exclude all risks. I’ll give an example. This may be a little, um… semi-serious. The fact that recently there have been an increasing number of public lamentations about nude photos of celebrities who took selfies – I just can’t believe it! If someone is dumb enough to as a celebrity take a nude photo of themselves and put it online, they surely can’t expect us to protect them. I mean, stupidity is something you can not – or only partly – save people from.

In conclusion, Oettinger obviously considered (half-seriously?? is this remotely funny in any sense?) that the private photos that female celebrities took of themselves would be a good example for whichever point he wanted to make concerning the limitations of technological security.

Of course it didn’t help at all that he seemed oblivious to the outlines of the case, namely to the fact that the pictures had not been put online by the victims themselves but were, instead, stored in private cloud accounts belonging to the celebrities, accessed by third parties following a hacking attack and then published without their authorisation. Quite a relevant little detail… And quite astonishing that the upcoming head of EU digital policy would fail to distinguish between private cloud accounts and the open Internet.

No wonder that Green MEP Jan Philipp Albrecht considered that, by putting Oettinger in charge of the digital economy, Juncker has committed a fatal mistake:

Oettinger does not even use social media, for example. He barely communicates publicly with people on the internet. Instead, he is a man of classical media. As regional prime minister and as energy commissioner he devoted himself to traditional issue areas. This will be an enormous challenge for him.

Currently, many – myself included – wonder if he is a suitable candidate for the intended position. The fact that data protection will very likely become the direct responsibility of designated justice, consumers and gender equality commissioner Vera Jourová is therefore a relief.

Anyway, in a dubious harmony with the opinion of a vast number of internet users, the designated commissioner believes that the victims – all women, let’s not forget – are mainly to blame for the violation of their own privacy. As any other good moralist would easily point out, being celebrities they should have known better than to take pictures intended to remain private or to be shared only with whomever they wanted. How dare they?

Unfortunately, Oettinger completely failed to consider the big picture of the incident: online security in general. He therefore missed the ugly truth, which is that anybody can be the target of hacking attacks for the most diverse purposes, with more or less serious and far-reaching consequences. If ‘celebgate’ had involved the theft of intellectual property or credit card information instead of private pictures, would it have been approached so light-heartedly? One should not be so naïve as to think that this is only about pictures or videos. More sensitive data is at stake.

As understandable as it may be that Oettinger, as the previous commissioner for energy, might feel more comfortable among gas and oil pipes, his comments drew strong and welcome criticism from the public. One particular MEP, Julia Reda, who represents the Pirate Party, elaborated better than I could have on all the issues brought up by these foolish comments.

But beyond being strange, to say the least, that a likely future commissioner (after all, the European Commission is the guardian of the treaties) would, in front of the MEPs (the European Parliament being the only European institution which directly represents the voice of the 500 million EU citizens), focus on the fact that the pictures were taken in the first place, it is not only disappointing but, above all, worrying.

It is indeed deeply dramatic that nowadays, in the European Union, and at this high level, one can still so blatantly find the very same reflections of the sexism and victim blaming that were manifested online when the news of the hacking came out. It is all very wrong when a commissioner not only agrees with those moralists but feels at ease to joke about it publicly. Where are we heading? How ironic would it be if, among all the challenges brought by technological progress, we somehow receded to the early stages of the discussions concerning equal rights and gender discrimination, but this time (because Oettinger is a man of his time, and access to the right to vote is so last century!) within the upcoming era of the Internet of Things.

Furthermore, it is quite distressing that, in regard to the data security breaches which make the headlines of newspapers worldwide almost every day, the really important point to be made – raising awareness of the risks associated with technology and of the need for more secure data storage systems, especially cloud-based ones – was simply overshadowed by such misogynist remarks…

Considering all this, Oettinger’s own words are fairly applicable:

Stupidity is something you can not – or only partly – save people from.


Security Breaches and the Bridge to Security

Is it?

Data protection is a major concern for businesses of all sizes and across all sectors due to the constant risk of information security breaches. They fear the financial impact on operational budgets, the commercial costs a breach entails, the reputational damage it causes and the consequent liability to third parties.

The ongoing data protection reforms are intended to harmonize and strengthen the current data protection legislation across the EU member states. The new EU General Data Protection Regulation, currently being discussed within the Council of the EU, is awaited with great expectation. Just recently, 16 Member States issued a joint declaration pressing for the adoption of the reforms by 2015.

If this instrument is approved in 2015, it will be in place by 2017, thus replacing the 1995 Data Protection Directive, which no longer adequately caters for current technological advances. As a regulation, it will be directly applicable in all EU member states without the need for national implementing legislation.

For individuals, this news comes as a promise that the protection of their rights will be strengthened. But the big changes ahead mean that businesses will face stricter data security requirements and an additional compliance burden.

Indeed, although nothing is decided until everything is agreed, it is evident that the new EU Regulation will entail stronger restrictions on companies’ data protection policies and systems, regarding the implementation of appropriate technical and organizational measures. It will thus have major implications for all sectors (financial services, healthcare, the legal sector, manufacturing or the public sector, just to name a few) on the way data is collected, stored and accessed.

The announced reforms will, among other constraints, require businesses and organizations to obtain explicit consent from individuals before processing their data, to notify them when their data is collected, and to inform them of the purpose for which it is being processed and how long it will be stored.

The conditions also include the already famous so-called ‘right to be forgotten’, allowing individuals to demand the erasure of their data from companies’ computer systems if there are no legitimate grounds for keeping it.

In parallel, the upcoming changes also include a ‘right to data portability’, enabling individuals to easily transfer their personal data between service providers.

Furthermore, companies and organizations will have to report data security breaches to the national supervisory authority (the governmental body that handles data security within a member state). Similarly, users will have to be informed without undue delay about any data breaches that could adversely affect them. Businesses are, of course, worried about the impact that this compulsory disclosure may have on their brand and reputation across the EU. However, individuals should undoubtedly be able to take protective measures, such as changing passwords, if the safety of the information relating to them has been compromised by a security breach.

Additionally, companies can incur severe fines – up to 5 per cent of their global turnover – if they are found to have been negligent or abusive in protecting their data. Fines are intended to be effective, proportionate and dissuasive.

Despite the increased responsibility and accountability, businesses will be freed from unnecessary administrative requirements, such as notifications, which will bring considerable annual savings.

According to the intended reform, a new ‘one stop shop’ regulatory regime will also be established, which would mean that businesses will have to deal with just one data protection authority (DPA) – the one based in the country of their main establishment – instead of each DPA in every EU country in which they operate.

Of course some of the proposals will undoubtedly be amended in the course of the co-legislative decision procedure, but it has already become obvious that the end result will require businesses to adapt internal processes and technologies. The recent massive data breaches and security threats have highlighted the unfortunate room for improvement that still exists regarding the monitoring and protection of corporate data.

So the big question to ask is: are businesses ready for the forthcoming legislation?

Though there is no need to panic, the clock is ticking, and businesses should look ahead and prepare themselves for the major shake-up in requirements.

In order to move towards compliance, it is important to reflect on which adjustments need to be developed internally to that end.

It will be necessary, for instance, to ensure the legitimacy of the data processed, assessing which of the data currently stored actually needs to be kept and analysing the legal basis on which personal data is used. For example, if consent has to be obtained, it must be ascertained whether it is adequately documented and whether it is specific, informed, explicit and freely given.

It is paramount to identify vulnerabilities and to build protective measures and adequate safeguards into all data processing activities, which will require, for instance, restricting access to data to certain employees, anonymising and encrypting data, and assigning ownership and responsibilities regarding non-compliance with legislation, in particular to an appointed data protection officer.

Offering adequate data security training and education to employees is also an important part of effective security precautions, especially regarding their obligations of confidentiality.

The development and application of adequate procedures to deal properly with breaches of data security, in particular the implementation of an incident management and breach notification process, will ensure that, once detected, incidents are notified in due time to the data protection authority.

Similarly, all data processing operations should be well documented and up to date in order to be made available promptly to the data protection authority on request at any time.

Last, but not least, as individuals will be able to demand that organizations erase records of their personal information, businesses should have in place a system of storage, classification and search which allows the collected data to be found and erased effectively.

The bottom line is that, regardless of how the final version of the upcoming regulation is shaped, businesses cannot ignore the EU’s data protection reforms and the challenges and opportunities which lie ahead.

Failing to be well prepared for the impending changes puts the whole business at risk, due to the reputational damage and the financial losses associated with a potential data breach.

In this context, news of cyber-attacks, such as those surrounding the most recent software bug, Shellshock, might be the greatest of incentives…

© 2023 The Public Privacy
