Tag: Data Storage

Mobile spyware or how to be connected with the last person you want to be connected with… your ex, who else?

Just be careful and monitor the apps installed in your phone. [1]

In my professional experience, I have dealt with and witnessed some quite serious and delicate situations subsequent to the ending of relationships and marriages. Stalking, threats, violence, harassment, attacks against property, home trespassing, defamation, nuisance to family members and closer friends, blackmail, outbursts of rage in the ex’s workplace or neighbourhood… I could go on, really, but you get the point. Let’s just euphemistically say that love has a very unromantic side which is not usually portrayed in romantic comedies.

In spite of all the good brought by technologies, they have a dark side which this blog – as you might have figured out by now – is usually about. Today’s post is no exception. In fact, technologies have made it a lot easier for unloved lovers to turn their partner’s or ex’s lives into hell.

How?

Well, with mobile monitoring software. This kind of technology has been legally around for quite a while now and is deemed the favourite tool for jealous (psycho?) lovers. It suffices to type “app spy ex” into your favourite search engine to get a clear idea of its popularity.

You would be surprised at how easy it actually is. To start with, there are plenty of apps available on the market. A quick online search will give you an idea of the diversity of the options available. They are cheap, accessible, and easy and quick to install.

Therefore, it suffices to gain brief access to the targeted mobile phone, let’s say, when the owner is taking a shower or trustingly hands over the phone for a call. The app can even be set up before the smartphone is offered as a birthday or a Christmas gift. How thoughtful!

In this regard, I would like to point out that when the app is sideloaded (that is, not installed from a legitimate app store such as the Google Play Store), there is the double risk of installing monitoring backdoors which could give access to third parties (besides your very personal spy) for unknown purposes.

Another sneakily effective way to monitor someone’s activities is to access the information contained in the cloud. It suffices to know the username and password, elements easily given away to your partner when you are in a trusting relationship. Cloud storage is another particular issue in itself due to its link to computers. As spyware could have been installed remotely through e-mail, it is useless to change the login details for the cloud on the mobile phone, as those can be accessed on the computer.

What happens next?

Well, your unacknowledged personal spy will be able to access almost all activity which takes place on your cell phone: listen to and record your calls, scrutinize your messages, track your location, watch the photos and videos you shoot and monitor your online activities… or really just browse your Facebook account which actually contains by itself almost all this information.

As if this wasn’t enough, these tracking technologies can run imperceptibly in the background, making them difficult to detect. So unless your covert ‘admirer’ cannot help but give away hints about his/her privileged awareness of your life, you might not even suspect its existence.

The truth is a jealous partner or an ex who does not accept the ending of the relationship will be almost as effective as intelligence services in tracking you down. In fact, this kind of technology is increasingly becoming the favourite tool for abusers. Let’s not fool ourselves here. Women are the main victims of these technologies. Many do not even realise that they have a cloud account associated with their smartphone.

Women experiencing domestic violence are particularly vulnerable in this context, as these technologies allow for the perpetuation of persecuting and intimidating behaviour when they try to flee an abusive relationship.

Of course, this kind of behaviour has always existed. From the old-fashioned ways of going through the pockets of a coat, listening to conversations, reading letters, looking for a trace of lipstick on a shirt or for a new piece of jewellery, to hiring a private detective or following the victim around… However, technologies have made all this so much easier and more invasive.

Obviously technologies are not to blame. The underlying motivations are. Technologies are just a tool with great potential put to bad use. For instance, the very same technologies can be used for parental monitoring, which is acceptable to a certain extent.

That said, I do not want to sound alarmist. But if you recently ended a romantic relationship, and it happens that your ex was the jealous and possessive type, and/or that person suspiciously appears to know a lot about your current whereabouts and social activities, I would say that there is a fairly high chance that your phone is being spied on!

I would therefore advise you to have your mobile phone checked to confirm or exclude that possibility and, subsequently, be able to assess if you are the target of any other kind of stalking.

Lastly, I would like to point out that such secretive interception of electronic communications is illegal, thus I would also recommend that you seek legal advice in that regard.

References

[1] Copyright by LG under the Creative Commons Attribution 2.0 Generic

The Sony data breach: when fiction meets reality?

You better believe SONY. You have been HACKED!

It is not the first time that Sony has suffered a massive cyber attack. Back in 2011, due to some vulnerabilities found in its data servers, a hack of its PlayStation online network service enabled the theft of names, addresses and credit card data belonging to 77 million user accounts.

A few days ago, Sony Pictures computer systems were hacked again, allegedly by a group of hackers calling themselves Guardians of Peace. As a consequence, a humongous amount of data was leaked to the Internet, including confidential details, such as medical information, salaries, home addresses and social security numbers, regarding 47 thousand Sony employees and former employees, including Hollywood stars, as well as contracts, budgets, layoff strategies, scripts for movies not yet in production, full-length unreleased movies and thousands of passwords.

The reason remains unclear. Despite the denial of a North Korean representative regarding a possible involvement of that country, it is being speculated that this attack is a retaliation by the North Korean government in response to an upcoming Sony comedy, ‘The Interview’, starring actors Seth Rogen and James Franco, which depicts an assassination attempt against North Korea’s leader Kim Jong-un. If Hollywood comedies are now deemed a sufficient reason to conduct cyber-attacks in real life, fiction and reality are meeting in a very wrong way.

Anyway, considering the volume and the sensitive nature of the information disclosed, this may actually be one of the largest corporate cyber attacks ever known.

It is a sharp reminder that hacking attacks can be directed at any company and can take all forms, equally damaging. This attack demonstrates once again that not only critical infrastructure is at risk. Sony Pictures Entertainment is one of the largest studios in Hollywood. It is really not the expected victim of a cyber-attack. However, it was an easy prey as its business decisions regarding information security have been publicly stated on previous occasions. Despite their ludicrous nature, I guess someone took those comments seriously.

Considerations regarding the absurdity of having a file directory named ‘Passwords’ aside, this attack highlights that data breaches are one of the major threats that companies face nowadays. Cyber attacks are conducted against companies of all sizes. Large companies do eventually recover from these breaches. Small businesses generally struggle to pull through after suffering a cyber-attack. It is therefore essential that businesses implement a solid cyber-security programme, including regular self-hacking exercises to assess the vulnerabilities of their security systems in order to prevent a potential breach.

What about Sony? Well, the value of the damages regarding its employees is incalculable considering that their identities may be stolen, their bank accounts may be compromised and their houses may be robbed. Only time will tell if and how it will recover.

Meet Regin

Yes, You have been hacked and spied upon!

Regin is not like all the other regular viruses you can find on your computer. It is the most recently discovered powerful tool for cyber espionage between nation-states, as reported by computer security research lab Symantec, and by its main competitor Kaspersky Lab.

Regin is described as a sophisticated cyber attack platform, which operates much like a back-door Trojan, mainly affecting Windows-based computers. It can be customized with different capabilities depending on the target and, while it operates in five stages, only the first one is detectable.

Among its diversified range of features, Regin allows remote access to and control of a computer, thus enabling the attacker to copy files from the hard drive, to recover deleted files, to steal passwords, to monitor network traffic, to turn the microphone or the camera on, and to capture screenshots.

According to the above-mentioned reports, Regin has been quietly around since, at least, 2008, and has been used in systematic spying campaigns against a wide range of international targets, namely government entities, Internet service providers, telecom operators, financial institutions, mathematical/cryptographic researchers, big and small businesses, and individuals.

As for the geographical incidence, Saudi Arabia and Russia appear to be the major targets of Regin. Mexico, Iran, Afghanistan, India, Belgium and Ireland were among the other targeted countries.

The conclusions drawn in Symantec’s report are, at the very least, very unsettling. It is stated that, considering its high degree of technical competence, its development is likely to have taken months, if not years, to be completed.

Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.

Therefore, the new million dollar question is: who is behind its conception? Unfortunately, it is very difficult to find out who has created or has otherwise financed its development because little trace of the culprits was left behind. However, it is well known that not all countries are technologically advanced enough to be able to engineer such an accurate tool or to conduct such a large scale operation.

As a governmental instrument for mass surveillance, cyber espionage and intelligence gathering, Regin is just one of its kind. A few years ago, the world witnessed the rise of similar viruses, also of nation-state origin. Stuxnet, Duqu and Flame were three of the detected viruses previously employed to perform industrial sabotage or to conduct cyber espionage.

That said, this historical pattern of cyber attacks clearly shows that virtual wars are being fought, in the almost invisible battlefield that is cyberspace, where nation-states clash silently. Once limited to opportunistic criminals, viruses are currently the new weaponry in this cyber warfare.

But a state-sponsored cyber attack does not really come as a surprise. Governments have always spied on each other in order to obtain strategic, economic, political, or military advantage. The discovery of Regin just confirms that investments are continuing to be made in order to develop implacable instruments for espionage and intelligence gathering purposes.

In this context, it is no coincidence that cyber security is increasingly regarded as a decisive part of any government’s security strategy, as it involves protecting national information and infrastructure systems from major cyber threats.

And while these sophisticated attacks are conducted, sensitive information about individuals is accessed, stolen, collected and stored by unknown attackers. To what end? Well, it can be any, really…

EU PNR – A plane not yet ready to fly

Plane Not Ready to fly!

The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament has recently discussed the Passenger Name Record (hereafter PNR) draft Directive according to which air carriers would be required, in order to help fight serious crime and terrorism, to provide EU Member States’ law enforcement bodies with information regarding passengers entering or leaving the EU.

This airline passenger information is usually collected during reservation and check-in procedures and relates to a large amount of data, such as travel dates, baggage information, travel itinerary, ticket information, home addresses, mobile phone numbers, frequent flyer information, email addresses, and credit card details.

Similar systems are already in place between the EU and the United States, Canada and Australia, through bilateral agreements, allowing those countries to require EU air carriers to send PNR data regarding all persons who fly to and from these countries. The European Commission’s proposal would now require airlines flying to and from the EU to transfer the PNR data of passengers on board international flights to the Member States of arrival or departure.

Nevertheless, the negotiation of the EU PNR proposed airline passengers’ data exchange scheme has been quite wobbly. The European Commission proposed the legal basis, in 2011, which ended up being rejected, in 2013, by the above mentioned committee, allegedly because it does not comply with the principle of proportionality and does not adequately protect personal data as required by the Charter of Fundamental Rights of the EU (hereafter CFREU) and by the Treaty on the Functioning of the EU (hereafter TFEU).

But concerns over possible threats to the EU’s internal security posed by European citizens returning home after fighting for the so-called “Islamic State” restarted the debate. Last summer, the European Council called on Parliament and Council to finalise work on the EU PNR proposal before the end of the year.

However, the ruling of the Court of Justice of the European Union on the EU’s Data Retention Directive last April, which declared the mass-scale, systematic and indiscriminate collection of data a serious violation of fundamental rights, leads one to question whether these PNR exchange systems with third countries are effectively valid under EU law.

Similarly, many wonder if the above-mentioned ruling shouldn’t be taken into account in the negotiations of this draft directive, considering that it also refers to the retention of personal data by a commercial operator in order to be made available to law enforcement authorities.

And there are, indeed, real concerns involved.

Of course, an effective fight against terrorism might require law enforcement bodies to access PNR data, namely to tackle the issue regarding ‘foreign fighters’ who benefit from EU free movement rights which allow them to return from conflict zones without border checks. For this reason, some Member States are very keen on pushing forward this scheme.

However, the most elemental principles of the rule of law and the most fundamental rights of innocent citizens (the vast majority of travellers) should not be overstepped.

For instance, as the proposal stands, the PNR data could be retained for up to five years. Moreover, the linking of PNR data with other personal data will enable access to the data of innocent citizens in violation of their fundamental rights.

As ISIS fighters are mostly well-known to the law enforcement authorities as well as to the secret services, it is questionable how reasonable and proportionate such unlimited access to this private information can be in order to prevent crime. How effective would the tracking of people’s movements be in the fight against extremism? Won’t such widespread surveillance ultimately turn everyone into a suspect?

That said, from the airlines’ point of view, the recording of such an amount of data would undoubtedly imply an excessive increase in costs and, therefore, an unjustifiable burden.

The European Data Protection Supervisor (EDPS) has already considered that such a system on a European scale does not meet the requirements of transparency, necessity and proportionality, imposed by Article 8 of the CFREU, Article 8 of the European Convention of Human Rights and Article 16 of the TFEU. Similarly, several features of the PNR scheme have been highly criticized by the Fundamental Rights Agency (FRA).

At the moment, the EU Commission has financed national PNR systems in 15 member states (Austria, Bulgaria, Estonia, Finland, France, Hungary, Latvia, Lithuania, the Netherlands, Portugal, Romania, Slovenia, Spain, Sweden, and the UK), which leads to a fragmented and incoherent system. This constitutes a very onerous outcome for airlines and creates a need for harmonization among data exchange systems. The initiative is therefore believed by some MEPs to be intended to circumvent the European Parliament’s opposition to the Directive.

With this in mind, it is legitimate to question whether the EU PNR will be finalized, as first intended, before the end of the year. Given the deep differences between MEPs and among Member States, it appears more and more unlikely that the deadline will be met.

Are you ready for the Internet of Things?

Everything is connected. [1]

Imagine a world where people would receive information on their smart phone about the contents of their fridge; cars involved in an accident would call emergency services, allowing for quicker location and deployment of help; cars would suggest alternative routes in order to avoid traffic jams; personal devices would make it possible to monitor the health developments of patients or to control the regular medication of elderly persons; washing machines would turn on when energy demand on the grid is lowest; alarm clocks and coffee machines would automatically be reset when a morning appointment is cancelled; a smart oven could be remotely triggered to heat up the dinner inside by the time you reach home…

If it is true that these scenarios once belonged to the sci-fi world, it is not so hard to picture any of these technologies nowadays. The momentum we are living in and all the progress which is already involved in our lives brings the certitude that it is only a matter of time for us to reach such a future. Technological advancements are allowing achievements that once may have seemed impractical and are turning the sci-fi scenarios into reality.

We are smoothly entering a new age… The age of the Internet of Things (hereafter IoT). The IoT might indeed already be happening around us. It suffices to think about all the quite recent changes that we already accept as ordinary.

But what is the IoT all about?

The IoT is a concept which refers to a reality where everyday physical objects will be wirelessly connected to the Internet and be able, without human intervention, to sense and identify themselves to other surrounding devices and create a network of communication and interaction, collecting and sharing data. It is therefore associated with products with machine-to-machine communication capabilities, which are called ‘smart’.

The high-tech evolution has made ‘smart’ more convenient and accessible and made the vast majority of us technologically dependent in several areas of our daily living. Connected devices have proliferated around us. Consider, for instance, the number of smart phones and other smart devices that most of us cannot conceive of a life without anymore, as they allow us to connect with the world as was never possible before.

Similarly, our domestic convenience and comfort have been expanded in ways that once belonged to the imaginary. Homes, housework and household activity can be fully automated in order to enable us to remotely control lighting, alarm systems, heating or ventilation. The domestic devices that can be connected to the Internet are usually referred to as “home automation” or “domotics”.

In parallel, we are now capable of the ‘quantified self’, which is commonly defined as the self-knowledge acquired through self-tracking with technology (for instance, pedometers, sleep trackers). One can now track, for example, biometrics such as insulin and cortisol, or record more random information about one’s own habits and lifestyle, such as physical activity and caloric intake. This monitoring can be done increasingly by wearables, i.e., computer-powered devices or equipment that can be worn by an individual, including watches, clothing, glasses and items alike. The Google glasses, Google Wear and the Apple Watch are the most famous recent examples.

Scarily enough, the number of objects connected to the Internet already exceeds the number of people on earth. The European Commission claims that an average person currently has at least two objects connected to the Internet and states that this is expected to grow to 7 by 2015 with 25 billion wirelessly connected devices globally. By 2020 that number could double to 50 billion.

However, every time we add another device to our lives, we give away a little more of ourselves.

Consequently, along with its conveniences, and due to the easy and cheap data collection it allows, the idea of a hyper-connected world raises important concerns regarding privacy, security and data protection. In truth, while it is a relatively well-known fact that our mobile devices are frequently sending off data to the Internet, many of us do not understand the far-reaching implications of carrying around an always-on connection, let alone of having almost all of our lives connected to the Internet.

In fact, such objects will make it possible to access a humongous amount of personal data and to spread it around without any awareness or control on the part of the users concerned. From preferences, habits and lifestyle, to sensitive data such as health or religion information, from geo-location and movements to other behaviour patterns, we will put out there a huge amount of information. In this context, the crossing of data collected by means of different IoT devices will allow the building of a very detailed user profile.

It is essential that users are given control over the data which directly refers to them and are properly informed of what purposes its processing might serve. In fact, currently, it is very common that the data generated is processed without consent or with poorly given consent. Quite often further processing of the original data is not subjected to any purpose limitation.

Moreover, as each device will be attributed an IP address in order to connect to the Internet, each one will be inherently insecure by its very nature. Indeed, with almost everything connected to the Internet, every device will be at risk of being compromised and hacked. Imagine that your car or home could be subjected to a hacking attack through which someone could take control of the vehicle or install a spying application on your TV. Imagine that your fridge could get spam and send phishing e-mails. The data collected through medical devices could be exposed. After all, it is already easier to hack routers and modems than computers.

Last but not least, as IoT devices will be able to communicate with other devices, the security concerns would multiply exponentially. Indeed, a single compromised device could lead to the vulnerability of all the other devices on the network.

Now imagine that all your life is embedded in Internet-connected devices… Think, for instance, fridges, ovens, washing machines, air conditioners, thermostats, light systems, music players, baby monitors, TVs, webcams, door locks, home alarms, garage door openers, just to name a few. The diversity of connected devices is just astonishing! So we may reach the point where you will have to install a firewall for your toaster and a password to secure your fridge.

From a business point of view, questions regarding the security setup and the software and operating system vulnerabilities of devices that will be connected to the Internet also have to be answered. Indeed, companies are increasingly using smart industrial equipment and IoT devices and systems, from cars to cameras and elevators, from building management systems to supply chain management systems, from financial systems to alarm systems.

On another level, the security of nations’ critical infrastructures could also be at stake. Imagine, for instance, that the traffic system, the city’s electric grid or the water supply can be easily accessed by a third party with ill intentions.

Of course, the EU could not be indifferent to this emerging new reality and to the challenges it presents.

In 2012, the European Commission launched a public consultation, seeking inputs regarding a future policy approach to smart electronic devices and the framework required in order to ensure an adequate level of control of the data gathering, processing and storing, without impairing the economic and societal potential of the IoT. As a result, the European Commission published, in 2013, its conclusions.

Last month, the European data protection authorities, assembled in the Article 29 Working Party, adopted an opinion regarding the IoT, according to which the expected benefits for businesses and citizens cannot come to the detriment of privacy and security. Therefore, the EU Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC are deemed to be fully applicable to the processing of personal data through different types of devices, applications and services in the context of the IoT. The opinion addresses some recommendations to several stakeholders participating in the development of the IoT, namely, device manufacturers, application developers and social platforms.

More recently, at the 36th International Conference of Data Protection, Data Protection Officials and Privacy Commissioners adopted a declaration on the Internet of things and a resolution on big data analytics.

The aforementioned initiatives demonstrate the existing concerns regarding Big Data and IoT and the intention to subject them to data protection laws. In this context, it is assumed that data collected through IoT devices should be regarded and treated as personal data, as it implies the processing of data which relate to identified or identifiable natural persons.

This obviously requires a valid consent from data subjects for its use. Parties collecting IoT device information therefore have to ensure that the consent is fully informed, freely given and specific. The cookie consent requirement is also applicable in this context.

In parallel, data protection principles are deemed to be applicable in the IoT context. Therefore, according to the principle of transparency, parties using IoT device information have to inform data subjects about what data is collected, how it is processed, for which purposes it will be used and whether it will be shared with third parties. Similarly, the principle of purpose limitation, according to which personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes, is also applicable. Furthermore, considering the data minimization principle, the data collected should not be excessive in relation to the purpose and not be retained longer than necessary.

Considering the vast number of stakeholders involved (device manufacturers, social platforms, third-party applications, device lenders or renters, data brokers or data platforms), a well-defined allocation of legal responsibilities is required. Therefore, a clear accountability of data controllers shall be established.

In this context, the Directive 2002/58/EC is deemed applicable when an IoT stakeholder stores or gains access to information already stored on an IoT device, in as much as IoT devices qualify as “terminal equipment” (smartphones and tablets), on which software or apps were previously installed to both monitor the user’s environment through embedded sensors or network interfaces, and to then send the data collected by these devices to the various data controllers involved…

That said, one can only rejoice that the enchantment about the possibilities of the IoT does not surpass the awareness of the existing vulnerabilities. But it remains to be seen how these and the other data protection and privacy requirements can be effectively implemented in practice.

We certainly are on the right path to dodge any black swan event. However, it won’t be that easy to find the appropriate answers to the massive security issues that come along. And one should not forget that technology seems to always be one step ahead of legislation.

So, the big question to ask is:

Are we really ready for the Internet of Things?

References

[1] Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

The ‘risk-based’ approach to Data Protection, too risky for SMEs?

Balance is hard, very hard.

For those businesses which collect, process and exploit personal data, the draft of Chapter IV of the forthcoming EU General Data Protection Regulation is particularly relevant as it foresees the possible future compliance obligations of data controllers and data processors.

Considering the last position of the Council of the European Union regarding this chapter, a ‘risk-based‘ approach to compliance is a core element of the accountability principle itself.[1]See article 22 of the Council’s document.

In fact, the Article 29 Working Party[2]The Article 29 Working Party gathers a representative of the supervisory authority designated by each EU Member State; a representative of the authority established for the EU institutions and … Continue reading recently issued a statement supporting a ‘risk-based‘ approach in the EU data protection legal framework.

But what is it meant by the concept of a ‘risk-based‘ approach?

It mainly refers to the consideration of any potential adverse effects associated with the processing and implies different levels of accountability obligations of data controllers, depending on the risks involved within each specific processing activity. It is therefore quite different from the ‘one size fits all‘ approach, as initially proposed by the European Commission.

In this context, the respect and protection of the data subjects’ rights (for instance, right of access, of objection, of rectification, of erasure, and rights to transparency, to data portability and to be forgotten) shall be granted throughout the data processing activities, regardless the level of risks involved in these activities.

However, principles as legitimacy, transparency, data minimization, data accuracy, purpose limitation and data integrity and the compliance obligations impending upon controllers shall be proportionate to the nature, scope, context and purposes of the processing.

This ‘risk-based’ approach is developed throughout Chapter IV, namely regarding provisions related to the data protection by design principle[3], the obligation for documentation[4], the obligation of security[5], the obligation to carry out an impact assessment[6], and the use of certification and codes of conduct[7].

These accountability obligations, in each phase of the processing, will vary according to the type of processing and the risks to privacy and to other rights and freedoms of individuals.

In this context, the proportionality exercise will have an effect on the requirements of privacy by design[8], which consists of assessing the potential risks of the data processing and implementing suitable privacy and data protection tools and measures in order to address that risk before initiating these activities.

Besides, the introduction of the ‘risk-based’ approach is also likely to be relevant in respect of controllers not established in the EU, as they most surely won’t be required to designate a representative in the EU, regarding occasional processing activities which are unlikely to result in a risk for the rights and freedoms of individuals[9].

Moreover, a ‘risk-based’ approach will be implemented as well regarding the security of the processing, as technical and organisational measures, adequate to the likelihood and severity of the risk for the rights and freedoms of individuals, shall be adopted[10].

In parallel, it has been foreseen that the obligation to report data breaches is restricted to the breaches which are likely to result in a high risk for the rights and freedoms of individuals. In this context, if the compromised data is encrypted, for instance, the data controller won’t be required to report a verified breach.[11]

The weighing assessment is expected to be also relevant regarding the data protection impact assessment[12] required for the processing activities that will likely result in a ‘high risk’ to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss.

Another important requirement is the consultation of a Data Protection Authority prior to the processing of personal data when the impact assessment indicates that the processing would result in a high degree of risk in the absence of measures to be taken by the controller to mitigate the risk.[13]

Of course “nothing is agreed until everything is agreed” and this chapter will be subjected to further revisions. There is, indeed, a vast room for improvement.

For instance, it is questionable if a ‘risk-based’ approach does make data protection standards stronger, considering the inadequacy of the risk assessment methodology regarding fundamental rights.

In parallel, the definition of ‘high risk’ is still too broad, including almost all businesses which are operating online. Similarly, the impact assessment process presents itself as complex, burdensome and costly. At the current state of play, small businesses and start-ups are most likely to be negatively affected by the administrative and financial burden that some of the abovementioned provisions will entail. This is quite ironic, considering that it is precisely that concern that is at the core of the understanding according to which SMEs should be exempted from the obligation to assign a Data Protection Officer.

However, it is important for businesses to try to anticipate how the compliance requirements will be set in the future in order to be prepared for their implementation.

We will see in due time how onerous the regime will be. Whilst we do not know the exact content of the text that will eventually be adopted, it is evident now that substantive accountability obligations will be imposed upon businesses handling personal data.

References

1 See article 22 of the Council’s document.
2 The Article 29 Working Party gathers a representative of the supervisory authority designated by each EU Member State; a representative of the authority established for the EU institutions and bodies; and a representative of the European Commission.
3 See article 23.
4 See article 28.
5 See article 30.
6 See article 33.
7 See articles 38 and 39.
8 See article 23.
9 See article 25.
10 See article 30.
11 See articles 31 and 32.
12 See article 33.
13 See article 34.

A World of Data = Big Data x Little Privacy

Next evolution, Humongous Data?


With massive amounts of our personal data now being routinely entered, collected, stored and exchanged, data security and privacy breaches are almost inevitable. In particular, the large-scale attacks that lead to the theft of millions of individuals’ data are becoming more and more common nowadays.

With technology at our fingertips, we are sharing more and more information online and by electronic means. From sensors that fit into our cars to wearables, from cloud computing to social networking interaction, from digital pictures and videos to cell phone GPS signals, from online purchase transactions to a sign up process, from the telecommunications’ and insurance to medical or banking sectors, we leave traces of information with every move we make.

The massive volume of data generated and gathered is popularly referred to as ‘Big Data’. The concept commonly describes such a large amount of complex, unstructured, diverse and fast information that it is difficult to process using traditional database and software techniques. Billions to trillions of records of millions of people are now measured in new units such as petabytes and exabytes. The golden era for gigabytes is long gone.

So what is so special about Big Data?

The analysis that can be done with Big Data enables the establishment of correlations among large populations that are useful to individuals. It creates a remarkable opportunity for the worldwide society in any field you can think about, ranging from criminal rate predictions to medical research, from public health to national security and from marketing to risk analysis. Companies and governments no longer have to rely on sampling: they have access to the entire plentiful digitized knowledge of the digital age, a myriad of data points collected for unrelated purposes and updated in real time.

For instance, a few years ago, Google was able to predict flu outbreaks faster than what was possible using hospital admission records, just by analyzing clusters of search terms by region in the United States. All with algorithms! Quite impressive, huh?

In our enthusiasm to share and bond with others, to live up to the facilities allowed by new technologies, as the world grows more and more connected, we are quite easy when it comes to giving away information about ourselves. Businesses know that. And they are continuously developing new means to collect information about their customers.

Why wouldn’t they?

They can try to look for hidden patterns, trends or other insights that will enable them to better mould their products and services to customers, anticipate demand or improve performance. Big Data certainly can bring the appropriate knowledge that will allow innovative improvements for businesses… from which all of us will ultimately benefit. As a result, personal data is consistently collected and traded, being the new money in the new economy that is the internet.

For instance, have you noticed how frequently it happens that, after having searched for a certain type of goods or services on Google, you will have matching advertising on the right side of your ‘gmail’ window tab next time you open it?

But the astonishing advantages coming from the analysis of Big Data are tempered by concerns over privacy and data protection.

I believe that many of us don’t think much about the implications of easily sharing and giving away personal details online nowadays. After all, how many of us actually read the consent form regarding the use of our personal data?

But it is important to reflect on a few points which I assume won’t leave anybody comfortable after consideration.

Consider, for instance, that some retailers are able, through the analysis of purchasing habits, to predict such intimate details as the pregnancy of a customer and that, against the will of the customer concerned, the ensuing marketing activities result in disclosing that information.

Consider, for example, that with such a volume of data and such powerful analytical mechanisms, the combination of data might lead to the identification of individuals, despite the anonymisation of certain elements.

Consider, now, that the data contain biases, inaccuracies, obsolete and missing information and flawed correlations that unavoidably affect the predictions and conclusions resulting from its analysis, and that decisions that can affect your welfare will still be taken based on those predictions and conclusions.

Consider also that, more and more, most of the data being collected about us doesn’t come directly from us.

Lastly, consider that hospital records of national health system patients could be sold for insurance purposes.

Scary, at the very least…

The good or bad news is that Big Data analysis isn’t as efficient as many would like or fear it to be.

The risk of biases inherent to data and false correlations and associations is great and increases as bigger volumes of data are analyzed.

For instance, Google’s model of predicting the spread of flu ended up overestimating the phenomenon by almost a factor of two.

Regarding public security, Big Data hasn’t proven itself either able to detect patterns or anomalies that could help prevent acts of terror.

Not so reliable after all…

Nevertheless, one cannot escape Big Data. We live so entangled in it that it is more and more usual to talk about an ‘internet of things’. Good things can come from it. But nobody can be entirely sure that it will be used for legitimate purposes.

In parallel to the enthusiasm of connecting and sharing, there is an increasing concern surrounding the lack of privacy.

In this context, there might indeed be a big place in the market for privacy products. And the seeds are being planted now. Just recently Google has announced that data encryption will come as a default setting on the next Android operating system, known as Android Lollipop, which will make it impossible for anyone to gain access to the data without the consent of the owner. This initiative is in line with the announcement made by Tim Cook, the CEO of Apple, regarding the privacy policy of the company. Both guarantee that even police won’t be able to gain access to the user’s personal information. It is however worth mentioning that the upgraded security feature will only protect data and information stored within the iOS device itself and not data stored within the iCloud service.

The advantages which result from Big Data analysis will only be reached if privacy expectations of users are appropriately met and their data protection rights are respected. However, finding the right balance between all the interests at stake (those of the individuals concerned, those of businesses and, ultimately, the general public interest) might not be an easy end to achieve, namely in the field of health research.

The Article 29 Working Party recently issued a statement on the impact of the development of Big Data on the protection of individuals with regard to the processing of their personal data in the EU, where it found “no reason to believe that the EU data protection principles are no longer valid and appropriate for the development of Big Data.” Nevertheless, it envisaged the possibility of “further improvements to make [the principles] more effective in practice” in the context of Big Data.

In my opinion, data protection principles shall be deemed to be applicable, as they refer to fairness, transparency and, ultimately, trust. For that reason, the ‘notice and consent’ and the ‘purpose limitation’ models should be preserved as much as possible and data ought to be anonymized to the point where re-identification is precluded.

This week, the European Commission and the Big Data Value Association, an industry-led organisation which acts on behalf of companies including ATOS, Nokia Solutions and Networks, Orange, SAP and SIEMENS, have committed to a public-private partnership (PPP) that aims to support research and innovation in Big Data technologies and infrastructures to ensure privacy and security.

No statistics can predict what uncertainties the future holds regarding Big Data… However, in these high-speed changing times of information and communications technology, we will surely know soon…

Ello! Here to stay?

Ello, the new kid on the social networks' block.


It must come as a surprise, as I am writing openly on a blog, but I am not the most sociable person in this online world. In fact, my online interactions are mainly limited to an increasingly left aside Facebook account, some comments written here and there in blog posts or news that particularly interest me and this recently created blog.

Regarding Facebook, I don’t log in as often as I used to. And truth is I find it less interesting in each visit due to the ad-filled pages and the endless requests from friends to play games. Not only am I trying to spend more time offline, but I also find the whole concept of sharing (showing off?), following, liking and commenting bits of other people’s lives very tiring at times. I recognise that this is mostly due to a bad management of my account. As I realized recently, I don’t even know that well 90% of my friends and I honestly couldn’t care less about their lives, worries or interests.

However, it is an undeniable source of information regarding feedback on the most various subjects, through the specific groups and communities created. Moreover, it has enabled me to find lost friends and to keep in touch with friends and family members living abroad, without having to spend hours on the phone or Skype. In that context, it makes it possible for people to share moments and to be part of each other’s lives in a way that would be very difficult otherwise. Besides, it has allowed me to know better people with whom I wasn’t that close, making me grow fonder of them or, instead, killing any good impression I might have once had.

Nonetheless, I am more and more driven to more traditional means of communication, for instance gathering and talking. I intend to spend only meaningful time online, namely engaging in rewarding conversations with people who share the same interests as me.

So, when I first heard about the new social networking platform everybody was talking about, Ello, my first question was: what is the point of it? My second thought was: it won’t last. The history of social networks is full of unsuccessful chronicles: Friendster, MySpace, Diaspora or AppleSeed, just to mention a few. The secret for Facebook lasting so long is its most relevant feature: one can actually find almost everybody there and it feeds people’s curiosity and egocentric tendencies.

In Ello’s current Beta phase, you have to receive an invitation from a registered user in order to access the platform and each user can only send up to five invitations. This not only compels users to carefully select future friends but it avoids as well a sharp and fast expansion of the network which would threaten its normal management. However, it will be just a matter of time for it to lose its restricted nature…

Having received an invitation to join Ello, I succumbed to curiosity and created an account… just to see what the fuss was all about! I was not looking for another social network to be in but I was willing to replace Facebook with one platform that would allow me the same benefits without being so annoying.

Regarding the registration act itself, I must point out that identical user-names are not allowed. When I tried to use my real name, it was rejected, both in the integral and partial version of it, because someone else had taken it previously. As a result, I had no option but to pick a pseudonym. I would have preferred to use my real name, regardless of the fact that it might bring identity confusions.

The direct consequence of this is that, if someone wants to add a friend, he or she needs to know what his or her username is. The use of pseudonyms made up just for the registration act makes it difficult to find friends on the platform. On the bright side, it certainly helps to keep undesirable wannabe friends away. But it is nevertheless ironic, considering all the buzz surrounding Facebook’s real names policy, which affected people preferring to adopt pseudonyms. While I don’t believe that Facebook’s policy is unrelated to the recently announced ad network Atlas (which I will address in a future post), I must say that I am not convinced either by Ello’s policy. Google Plus, for instance, had a similar policy and dropped it. However, the same policy regarding user-names is successfully applied in Twitter or Instagram…

Anyway, what is Ello really about? Well, as any other social network platform, it is intended to enable the connection and the sharing of content among users. However, it comes with the promise that users’ data won’t be sold for marketing purposes and paid advertising won’t be allowed.

Regarding the design itself I wasn’t expecting anything special, really. As long as it wasn’t bluish, I would be flexible. I enjoyed the monochrome concept; however I have found the design exaggeratedly minimalist and not very user-friendly. Somehow, knowing that it has been created by artists and designers, I was expecting more creativity.

One feature that struck me negatively is that all the information displayed in each profile is public within the website’s community. Of course, I am fully aware that Facebook itself is far from being the gatekeeper of privacy or a paradigm for any other value. It suffices to remember the sneaky privacy changes or the ones made to please the users, the experiment conducted on users’ data, and the removal of campaign post-mastectomy photographs or pictures of women breastfeeding considered obscene. More recently, there is the polemic ad network called Atlas. But, I mean, it is a business and profit is its aim. No surprise there. As it is commonly said: if you are not paying for it, you are the product. Proper information and transparency on how, what and why things are done are, in my opinion, the main issues. Nevertheless, I enjoy the apparent privacy regarding the ability to share information among a pre-selected group of friends.

On Ello, users can unilaterally add ‘friends’ (as for acquaintances whose lives they are interested in) and ‘noise’ (as for random popular users) who may be followed through a newsfeed-like menu. It is fairly easy for users to delete their Ello account if they want to opt out of the service. However, one must be aware that it is an irrevocable action and the content will be lost forever. So dramatic!

In a ‘wtf’ section, one can find some elements intended to introduce Ello to the new user. In this regard, its manifesto is quite engaging as it reads as follows:

Your social network is owned by advertisers.
Every post you share, every friend you make, and every link you follow is tracked, recorded, and converted into data. Advertisers buy your data so they can show you more ads. You are the product that’s bought and sold.
We believe there is a better way. We believe in audacity. We believe in beauty, simplicity, and transparency. We believe that the people who make things and the people who use them should be in partnership.
We believe a social network can be a tool for empowerment. Not a tool to deceive, coerce, and manipulate — but a place to connect, create, and celebrate life.
You are not a product.

Having navigated around the platform for a little while, I must admit that advertisements were nowhere to be seen. So far, so good… However, despite being a hopeless romantic, the new starry-eyed concept of online celebrating life failed to convince me.

To start with, it is unclear how the website will make money. Let’s not forget that other social network platforms, like Facebook or Tumblr, similarly started without advertising but, profit being intended, it was not a workable business model. According to Ello, profit will eventually come from special features that will be offered against a small amount of money (well, if they are paid for, it is not an offer anymore, just saying…) in order to customize users’ experience. This is not a new concept: it is called the Freemium business model and is used by Evernote, for instance. That makes sense and it is utterly acceptable. After all, Ello has to capitalize somehow. Nevertheless, if the number of users continues to increase, I have serious doubts that those little charges will be sufficient to run the servers.

What is worrying, instead, is that, according to some provisions of its Privacy Policy, Ello is not everything it claims to be.

Although it might have escaped the most distracted and laziest of us (not everybody reads the privacy policies), Ello does collect users’ personal information, namely information about what pages are accessed, about the device used, information that is sent to it directly or posted on its web site, and the address of web sites that refer the user. It stores as well the name and e-mail address that users register with. In addition, Ello collects and stores an anonymized version of users’ IP addresses and uses an anonymized version of Google Analytics to gather and aggregate general information about users’ behaviour, although it offers the option to opt out of Google Analytics and commits to respect “Do Not Track” browser settings. It states also that it may use or share anonymous data collected for any purpose.

Although Ello reiterates that it won’t sell information about users to any third party, including advertisers, data brokers, search engines, or anyone else, it may share some of the personal information with third parties under several circumstances. Users’ consent, legal compliance and the fulfilment of contractual requirements concluded with third-party service providers are among the exemptions foreseen.

It is quite strange that, while considering unethical the collecting and selling of personal information for advertising purposes, Ello broadly collects user data for non-advertising ends. Moreover, it establishes the sharing of user data as a rule, and not as an exception, considering the abstract nature of the exemptions foreseen.

Bearing in mind that advertising can be very positive as it provides useful information regarding products and services that users may be interested in, I am not sure that this is the biggest of their concerns. Indeed, the door is left open for privacy violations that come along with online tracking. Furthermore, anonymisation of the data does not ensure that, in subsequent matches, an individual won’t be identifiable. Additionally, Ello doesn’t give any guarantee regarding the deletion of information stored in backups when content posted or a personal account is deleted. As for the foreseen possibility of sharing information with future affiliated companies, it just means that the data collected and stored by Ello will be made available for businesses to which users have not delivered their data.

Only time will tell if Ello is here to stay… But considering the above-mentioned devil in the details, one may conclude that privacy just seems to be the newest marketing slogan, regardless of whether it is ensured in fact or not.

© 2023 The Public Privacy
