The Public Privacy

Tag: Hacking

Opinion of the EDPS on the dissemination and use of intrusive surveillance technologies

December 27, 2015 / / 0 Comments
We need some more surveillance here!

We need some more surveillance here! [1]Copyright by Quevaal under the Creative Commons Attribution-Share Alike 3.0 Unported

In a recently published opinion, the EDPS addressed its concerns in regards of the dissemination and use of intrusive surveillance technologies, which are described as aiming “to remotely infiltrate IT systems (usually over the Internet) in order to covertly monitor the activities of those IT systems and over time, send data back to the user of the surveillance tools.”

The opinion specifically refers to surveillance tools which are designed, marketed and sold for mass surveillance, intrusion and exfiltration.

The data accessed and collected through intrusive surveillance tools may contain “any data processed by the target such as browsing data from any browser used on that target, e-mails sent and received, files residing on the hard drives accessible to the target (files located either on the target itself or on other IT systems to which the target has access), all logs recorded, all keys pressed on the keyboard (this would allow collecting passwords), screenshots of what the user of the target sees, capture the video and audio feeds of webcams and microphones connected to the target, etc.

Therefore these tools may be adequately used for human rights violations, such as censorship, surveillance, unauthorised access to devices, jamming, interception, or tracking of individuals.

This is particularly worrisome considering that software designed for intrusive surveillance has been known to have been sold as well to governments conducting hostile surveillance of citizens, activists and journalists.

As they are also used by law enforcement bodies and intelligence agencies, this is a timely document, considering the security concerns dictating the legislative amendments intended to be implemented in several Member States. Indeed, as pointed by the EDPS, although cybersecurity must not be used for disproportionate impact on privacy and processing of personal data, intelligence services and police may indeed adopt intrusive technological measures (including intrusive surveillance technology), in order to make their investigations better targeted and more effective.

It is evident that the principles of necessity and proportionality should dictate the use of intrusion and surveillance technologies. However, it remains to be assessed where to draw the line between what is proportional and necessary and disproportional and unnecessary. That is the core of the problem.

Regarding the export of surveillance and interception technologies to third countries, the EDPS considered that, despite not addressing all the questions concerning the dissemination and use of surveillance technologies, “the EU dual use regime fails to fully address the issue of export of all ICT technologies to a country where all appropriate safeguards regarding the use of this technology are not provided. Therefore, the current revision of the ‘dual-use’ regulation should be seen as an opportunity to limit the export of potentially harmful devices, services and information to third countries presenting a risk for human rights.

As this document relates to the EU cybersecurity strategy and the data protection framework, I would recommend its reading for those interested in those questions. You can find the document here.

References

References
1 Copyright by Quevaal under the Creative Commons Attribution-Share Alike 3.0 Unported

From your hard drives to your SIM cards: how interesting are you?

February 22, 2015 / / 0 Comments
Let's see how can we hack these?

Let’s see how can we hack these?

Just recently, the Investigatory Powers Tribunal (IPT), the Court that oversees British intelligence services’ activities, declared that the electronic mass surveillance of mobile phones and other private communications data retrieved from USA surveillance programs, such as Prism, conducted prior to December 2014, contravened Articles 8, referring to the right to private and family life, and 10, referring to freedom of expression, of the European Convention on Human Rights.

One is not so optimistic as to expect that this would suffice to make intelligence agencies cease sharing this kind of information. Mainly because the same Court already recognized that the current legal framework governing data collection by intelligence agencies no longer violates human rights.

However, the decision was still applauded by many with the expectation that, at least, large-scale uncontrolled surveillance activities would not be so bluntly practiced.

Let’s just say that such expectation did not last long.

According to Kaspersky Lab this week’s revelations, it seems that the NSA was able to hide spying software in any hard drive produced by some top manufacturers such as Toshiba, IBM and Samsung. Consequently, it has been able to monitor a large majority of personal, governmental and businesses’ (among which, financial institutions, telecommunications, oil and gas, transportation companies) computers worldwide.

Similarly, the Intercept reported that the NSA and GCHQ were able to get access to the encryption keys used on mobile phone SIM cards intending to protect the privacy of mobile communications manufactured by Gemalto. Normally, an encrypted communication, even if intercepted, would be indecipherable. That would cease to be the case if the intercepting party has the encryption key as it is able to decrypt that communication.

What awe-inspiring ways to circumvent the consent of telecommunications companies and the authorization of foreign governments! Isn’t it dignifying and trustworthy when intelligence services just behave as hackers?

Somehow, and unfortunately, such news almost lacks of any surprising effect, considering well, everything we already know, really… From the Snowden’s revelations to the logic-challenging- argumentation subsequent to Apple and Google’s plans regarding the encryption of communications…

Thus said, perhaps we should all feel flattered to be spied upon. After all, as former NSA Director points out, the agency does not spy on “bad people” but on “interesting people”. Those pretty much convinced – as myself – of being just regular individuals must now be reassured with this extra boost of self-esteem.

The Sony data breach: when
fiction meets reality?

December 9, 2014 / / 0 Comments
You better believe SONY. You have been HACKED!

You better believe SONY. You have been HACKED!

It is not the first time that Sony suffers a massive cyber attack. Back in 2011, due to some vulnerabilities found in its data servers, a hacking of its Play Station online network service enabled the theft of names, addresses and credit card data belonging to 77 million user accounts.

A few days ago, Sony Pictures computer systems were hacked again allegedly by a group of hackers calling themselves Guardians of Peace. As a consequence, a humongous amount of data, including confidential details, such as medical information, salaries, home addresses, social security numbers, regarding 47 thousands of Sony employees and former employees, namely Hollywood stars, as well as contracts, budgets, layoffs strategies, scripts for movies not yet in production, full length unreleased movies and thousands of passwords were leaked to the Internet.

The reason remains unclear. Despite the denial of a North Korea representative regarding a possible involvement of that country, it is being speculated that this attack is a retaliation from the North Korea government as a response to an upcoming Sony comedy, ‘The Interview’, starring actors Seth Rogen and James Franco, which depicts an assassination attempt against the North Korea’s leader Kim Jong-un. If Hollywood comedies are now deemed a sufficient reason to conduct cyber-attacks on real life, fiction and reality are meeting in a very wrong way.

Anyway, considering the volume and the sensitive nature of the information disclosed, this can actually be one of the largest corporate cyber attacks which has ever been known of.

It is a sharp reminder that hacking attacks can be directed to any company and can take all forms, equally damaging. This attack demonstrates once again that not only critical infrastructure is at risk. Sony Pictures Entertainment is one of the largest studios in Hollywood. It is really not the expected victim of a cyber-attack. However, it was an easy prey as its business decisions regarding information security have been publicly stated in previous occasions. Despite their ludicrous nature, I guess someone took those comments seriously.

Considerations regarding the absurdity of having a file directory named ‘Passwords’ aside, this attack outlines that data breach is one of the major threats that companies face nowadays. Cyber attacks are conducted against companies of all sizes. Large companies do eventually recover from these breaches. Small businesses generally hardly pull through after suffering a cyber-attack. It is therefore essential that businesses implement a solid cyber-security programme, namely conducting regular self-hacking exercises to assess the vulnerabilities of their security systems in order to prevent a potential breach.

What about Sony? Well, the value of the damages regarding its employees is incalculable considering that their identities may be stolen, their bank accounts may be compromised and their houses may be robbed. Only time will tell if and how it will recover.

Are you ready for the Internet of Things?

November 13, 2014 / / 0 Comments
Everything is connected.

Everything is connected. [1]Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

Imagine a world where people would receive information on their smart phone about the contents of their fridge; cars involved in an accident would call emergency services, allowing for quicker location and deployment of help; cars would suggest alternative routes in order to avoid traffic jam; personal devices would allow to monitor the health developments of patients or to control the regular medication of elderly persons; washing machines would turn on when energy demand on the grid would be lowest and where alarm clocks and coffee machines could automatically be reset when a morning appointment would be cancelled; a smart oven could be remotely triggered to heat up the dinner inside by the time you would reach home…

If it is true that these scenarios once belonged to the sci-fi world, it is not so hard to picture any of these technologies nowadays. The momentum we are living in and all the progress which is already involved in our lives brings the certitude that it is only a matter of time for us to reach such a future. Technological advancements are allowing achievements that once may have seemed impractical and are turning the sci-fi scenarios into reality.

We are smoothly entering in a new age… The age of the Internet of Things (hereafter IoT). The IoT might be indeed already start happening around us. It suffices to think about all the quite recent changes that we already accept as ordinary.

But what is the IoT all about?

The IoT is a concept which refers to a reality where everyday physical objects will be wirelessly connected to the Internet and be able, without human intervention, to sense and identify themselves to other surrounding devices and create a network of communication and interaction, collecting and sharing data. It  is therefore associated to products with machine-to-machine communication capabilities, which are called ‘smart’.

The high-tech evolution has made ‘smart’ more convenient and accessible and made the vast majority of us technologically dependent on several areas of our daily living. Connected devices have proliferated around us. Consider, for instance, the number of smart phones and other smart devices that most of us cannot conceive a life without anymore as it allows us to connect with the world as it was never possible before.

Similarly, our domestic convenience and comfort have been expanded in ways that once belonged to the imaginary. Homes, housework and household activity can be fully automatized in order to enable us to remotely control lighting, alarm systems, heating or ventilation. The domestic devices that can be connected to the Internet are usually referred to as “home automation” or “domotics”.

In parallel, we are currently able of the ‘quantified self’, which is commonly defined as the self knowledge acquired through self tracking with technology (for instance, pedometers, sleep trackers). One can now track, for example, biometrics as insulin and cortisol, or record more random information about our own habits and lifestyles, as physical activity and caloric intake. This monitoring can be done increasingly by wearables, i.e., computer-powered devices or equipment that can be worn by an individual, including watches, clothing, glasses and items alike. The Google glasses, Google Wear and the Apple Watch are the most famous recent examples.

Scarily enough, the number of objects connected to the Internet already exceeds the number of people on earth. The European Commission claims that an average person currently has at least two objects connected to the Internet and states that this is expected to grow to 7 by 2015 with 25 billion wirelessly connected devices globally. By 2020 that number could double to 50 billion.

However, every time we add another device to our lives, we give away a little more piece of ourselves.

Consequently, along with its conveniences, and due to the easy and cheaply obtained amount of data collection it allows, the idea of a hyper-connected world raises important concerns regarding privacy, security and data protection. To be true, while it is a relatively well-known fact that our mobile devices are frequently sending off data to the Internet, many of us do not understand the far-reaching implications of carrying around an always-on connection, let alone to have almost all your life connected to the Internet.

In fact, such objects will make it possible to access a humongous amount of personal data and to spread it around without any awareness nor control of the users concerned. From preferences, habits and lifestyle, to sensitive data as health or religion information, from geo-location and movements to other behaviour patterns, we will put out there a huge amount of information. In this context, the crossing of data collected by means of different IoT devices will allow the building of a very detailed user profile.

It is essential that users are given control over the data which directly refers to them and are properly informed of what purposes its processing might serve. In fact, currently, it is very common that the data generated is  processed without consent or with a poorly given consent. Quite often further processing of the original data is not subjected to any purpose limitation.

Moreover, as each device will be attributed an IP address in order to connect to internet, each one will be inherently insecure by its very own nature. Indeed, with almost everything connected to the Internet, every device will be at risk of being compromised and hackable. Imagine that your car or home could be subjected to a hacking attack through which it could take control of the vehicle or install a spying application in your TV. Imagine that your fridge could get spam and send phishing e-mails. The data collected through medical devices could be exposed. After all, it is already easier to hack routers and modems than computers.

Last but not the least, as IoT devices will be able to communicate with other devices, the security concerns would multiply exponentially. Indeed, a single compromised device could lead to vulnerability of all the other devices on the network.

Now imagine that all your life is embedded in internet connected devices… Think, for instance, fridges, ovens, washing machines, air conditioners, thermostats, light systems, music players, baby monitors, TVs, webcams, door locks, home alarms, garage door openers, just to name a few. The diversity of connected devices is just astonishing! So we may reach the point where you will have to install firewall for your toaster and a password to secure your fridge.

From a business point of view, questions regarding the security setup and software and operating systems vulnerabilities of devices that will be connected to the internet also have to be answered. Indeed, companies are increasingly using smart industrial equipment and IoT devices and systems, from cars to cameras and elevators, from building management systems to supply chain management system, from financial system to alarm system.

On another level, the security of nations’ critical infrastructures could also be at stake. Imagine, for instance, that the the traffic system, the electric city grid or the water supply can be easily accessed by a third party with ill intentions.

Of course, the EU could not be indifferent to this emerging new reality and to the challenges it presents.

In 2012, the European Commission launched a public consultation, seeking inputs regarding a future policy approach to smart electronic devices and the framework required in order to ensure an adequate level of control of the data gathering, processing and storing, without impairing the economic and societal potential of the IoT. As a result, the European Commission published, in 2013, its conclusions.

Last month, the European data protection authorities, assembled in the Article 29 Working Party, adopted an opinion regarding the IoT, according to which the expected benefits for businesses and citizens cannot come at the detriment privacy security. Therefore, the EU Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC are deemed to be fully applicable to the processing of personal data through different types of devices, applications and services in the context of the IoT. The opinion addresses some recommendations to several stakeholders participating in the development of the IoT, namely, device manufacturers, application developers and social platforms.

More recently, at the 36th International Conference of Data Protection, Data Protection Officials and Privacy Commissioners adopted a declaration on the Internet of things and a resolution on big data analytics.

The aforementioned initiatives demonstrate the existing concerns regarding Big Data and IoT and the intention to subject them to data protection laws. In this context, it is assumed that data collected through IoT devices should be regarded and treated as personal data, as it implies the processing of data which relate to identified or identifiable natural persons.

This obviously requires a valid consent from data subjects for its use. Parties collecting IoT devices information therefore have to ensure that the consent is fully informed, freely given and specific. The cookie consent requirement is also applicable in this context.

In parallel, data protection principles are deemed to be applicable in the IoT context. Therefore, according to the principle of transparency, parties using IoT devices information have to inform data subjects about what data is collected, how it is processed, for which purposes it will be used and whether it will be shared with third parties. Similarly, the principle of purpose limitation, according to which personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes, is also applicable. Furthermore, considering the data minimization principle, the data collected should not be excessive in relation to the purpose and not be retained longer than necessary.

Considering the vast number of stakeholders involved (device manufacturers, social platforms, third-party applications, device lenders or renters, data brokers or data platforms), a well-defined allocation of legal responsibilities is required. Therefore, a clear accountability of data controllers shall be established.

In this context, the Directive 2002/58/EC is deemed applicable when an IoT stakeholder stores or gains access to information already stored on an IoT device, in as much as IoT devices qualify as “terminal equipment” (smartphones and tablets), on which software or apps were previously installed to both monitor the user’s environment through embedded sensors or network interfaces, and to then send the data collected by these devices to the various data controllers involved…

Thus said, one can only rejoice that the enchantment about the possibilities of IoT does not surpass the awareness regarding the existent vulnerabilities. But it remains to be found how can these and the other data protection and privacy requirements be effectively implemented in practice.

We certainly are in the good way to dodge any black swan event. However, it won’t be that easy to find the appropriate answers for the massive security issues that come along. And one should not forget that technology seems to always be one step ahead of legislation.

So, the big question to ask is:

Are we really ready for the Internet of Things?

References

References
1 Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

The Snappening: the new hacking in town

October 15, 2014 / / 0 Comments
Oh snap!

Oh snap!

Digital privacy is once again in the spotlight due to rumours that emerged last week of a widespread hack of Snapchat accounts. The incident, which has already been dubbed ‘The Snappening’, has allegedly allowed a massive collection of thousands of both random and intimate Snapchat pictures and videos.

Vaguely reminiscent of the iCloud security breach Celebgate, right?

Well, indeed, thousands of private pictures and videos  are said to have recently been published on the notorious 4Chan message board and the online forum Redditt, the same places where hackers published the stolen iCloud pictures of nude celebrities this past summer.

Except, in this case, it is not about pictures and videos of female celebrities which would never have made to the public eye if it wasn’t for the  obvious gender directed attack.

Instead, the pictures have been intentionally sent by the people they concern to others  through the Snapchat mobile application. And, more grievously, it might involve a vast majority of underaged individuals.

For those who are less technologically aware, the Snapchat is a mobile application which allows users to send personalised and draw-on messages to others, with the promise of an instant and automatic deletion of images, pictures and videos within seconds after having been watched by the receiver.

It is like in those Hollywood movies where the message would self destroy in five or ten seconds. How enigmatic!

One romantic viewpoint of the application is that the ephemerity of the content is deemed to make it more treasured and valued and, consequently,  to make people more attentive to it.

On the pragmatic side, it is as well quite obviously  intended that no record of the content will ever be kept and, once self deleted, it won’t surface ever again.

Nevertheless, I fail to understand how someone could trust that the information sent would be secure just because it couldn’t be saved. In my opinion, the whole concept was a pure illusion. In fact, it would suffice to take a screenshot of an image within a phone before it would expire or to use another camera to capture a Snapchat screen and the receiver would be able to make the moment last forever.

Anyway, the overall effect is that the promise of instant and short lasting content has made the application particularly popular among teenagers, who represent the vast majority of its users base. And, therefore, the main concern is that the collection might, in parallel to random content, involve pictures and videos which would legally be considered child pornography.

Although Snapchat has faced security problems before,  it seems that, this time, the incident is due to the use of a third-party website which allows to store and catalogue snaps that would otherwise be deleted.

Indeed, the data has apparently been obtained through a third-party website  Snapsaved.com, which allows Snapchat users to use the service on a desktop computer, rather than just on a mobile phone. By getting a user’s login details, such as username and password, the website could access to Snapchat’s servers. Therefore, it was able to access and store the shared information, thus circumventing Snapchat’s instantaneous deletion most famous feature.

Therefore, its users were able to save photos sent to them via Snapchat without the sender’s knowledge. Not too comforting, I suppose…

Snapchat was quick at issuing a statement according to which the scenario of a security breach of its servers was absolutely rejected:

We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.

As we can see, it made very clear that the privacy of Snapchat users could have been compromised with the use of a third-party application, which is an expressly prohibited practice in its Terms of Use.

In other words, according to the issued statement, if the victims have used a third-party application, they are the sole responsibles for having suffered a hacking attack.

Does this victim-blaming sounds familiar?

Anyway, although Snapchat is technically correct when it points out that the security of its own servers was not compromised, it conveniently failed to address the real issue at stake.

I am far from being a geek but I cannot help to wonder, for instance, why do these third parties applications and websites succeed in having access to the content shared through Snapchat? What is the company doing in order to prevent the connection of these applications to its own?

Snapchat conveniently dodged the very relevant issue that is: even those users that share messages by means of the real Snapchat application are at risk because it is not possible for the sender to ascertain if the receiver is using the official Snapchat application or a third-party one.

So it is all good when Snapchat blames users who use a third-party unauthorized service; but what about all the users that are unwittingly communicating with friends who use those services? Are they to blame as well? Or should we consider that, in a globally sharing world, they shouldn’t be sharing anything in the first place?

According to Snapchat’s own statement, it seems to consider that users should  envisage the possibility and perhaps expect that the receiver is able to save the pictures, namely  by using a third-party service.

While this is quite unfortunate from a marketing perspective, it is also deeply hypocrite. The whole point of making pictures disappear, besides the romantic vision of ephemeris,  to make the sharing safer.

I am fully aware that Snapchat’s Terms of Use mention the limitations of its technology, stating that services are provided “as is” without warranties of any kind regarding its security. But were most of its users – children and teenagers – equally aware? Besides, is it enough to state that an application is not entirely safe? Shouldn’t users be informed about how weak it is regarding their privacy? After all, it is sufficient to download one of the many readily available third-party application in order to be able to save indefinitely incoming messages without the sender’s knowledge.

It is without any doubt that a security flaw exists within Snapchat’s product, which cannot be ignored and for which Snapchat is responsible.

Currently, there are very few credible sources of information and most are anonymous. Many believe this whole story to be a hoax, arguing that the photos that were being spread on 4chan were images that had already leaked online. On Reddit, some of those who claim to have downloaded the photos in the Snappening hack shared their disappointment regarding the mundane nature of the pictures. No surprise here. We can always rely on internet to destroy any remaining bits of faith in humanity. Others claim that a vast amount of the content qualifies as child pornography.

Disregarding if an actual hack took place or not, this ephemeral messaging application raises serious and longstanding concerns.

It is an unfortunate reminder that privacy violations of social networks’ users may occur even if a company’s servers are not directly attacked due to the use of a third-party services.

Furthermore, it brings to spotlight issues regarding the knowledge regarding the navigation on internet, software usability and social media literacy.

Last but not the least, the exposure of children and underage individuals to the risks of privacy and security online breaches outlines their vulnerabilities in an increasingly technological-based social networking world.

Mirror Mirror on the Wall, Who Is the Stupidest of Them All?

October 3, 2014 / / 0 Comments
Half serious Günther Oettinger.

Half serious Günther Oettinger.

So, the European Parliament has begun its hearings in order to evaluate the Commissioners designated by the European Commission’s President Jean-Claude Juncker. But the hearings have shown quite a few surprises…

After Cecilia Malmström, it was up to Günther Oettinger, appointed to be the commissioner responsible for ‘digital economy and society’, to be in the spotlight last Monday. This time, however, it was not due to some compromising correspondence, but to some highly questionable answers.

The MEPs’ questions focused on issues such as roaming and net neutrality, data protection, mass surveillance, the ‘right to be forgotten’ ruling, and copyright law. On the overall, Oettinger was vague and superficial and mainly dodged the questions, namely regarding net neutrality. However, infrastructure (whatever this is supposed to mean) appeared to be one of its main priorities, as it came up in almost every statement.

But what  this hearing will always be remembered for is by how he referred to the recent data breach involving several  female celebrities, which I have previously addressed here.

According to Oettinger, it would not be his role as a commissioner to protect celebrities who have taken under-dressed pictures of themselves, and his precise words were as follows:

We should say: We can mitigate or even eliminate some risks. But like with any technology, you can’t exclude all risks. I’ll give an example. This may be a little, um… semi-serious. The fact that recently there have been an increasing number of public lamentations about nude photos of celebrities who took selfies – I just can’t believe it! If someone is dumb enough to as a celebrity take a nude photo of themselves and put it online, they surely can’t expect us to protect them. I mean, stupidity is something you can not – or only partly – save people from.

In conclusion, Oettinger obviously  considered (half-seriously?? is this remotely funny in any sense?) that the private photos that female celebrities took of themselves would be a good example for whichever point he wanted to make concerning the limitations of technological security.

Of course it didn’t help at all that he might seem oblivious to the outlines of the case, as to the fact that the pictures have not been put online by the victims themselves, but were, instead,stored in private cloud accounts belonging to the celebrities, accessed by third-parties following a hacking attack and then published against their authorisation. Quite a relevant little detail… And quite astonishing that  the upcoming head of EU digital policy would fail to distinguish privately accessed cloud services and the open Internet.

No wonder that Green MEP Jan Philipp Albrecht considered that, by putting Oettinger in charge of the digital economy, Juncker has committed a fatal mistake:

Oettinger does not even use social media, for example. He barely communicates publicly with people on the internet. Instead, he is a man of classical media. As regional prime minister and as energy commissioner he devoted himself to traditional issue areas. This will be an enormous challenge for him.

Currently, many – myself included – wonder if he is a suitable candidate for the intended position. The fact that data protection will very likely become the direct responsibility of designated justice, consumers and gender equality commissioner Vera Jourová is therefore a relief.

Anyway, in a dubious harmony with the opinion of a vast amount of internet users, the designated commissioner believes that the victims – all women, let’s not forget – are the major culprits for their own privacy’s violation. As any other good moralist would easily point out, being celebrities they should have known better than to take pictures intended to remain private or only to be shared with whoever they wanted. How dared they?

Unfortunately, Oettinger completely failed to consider the big picture of the incident: online security in general. He therefore missed the ugly truth that is: anybody can be a target of hacking attacks for the most diversified purposes, with more or less serious and far-reaching consequences. If, instead of private pictures, the ‘celebgate’ would have referred to intellectual property or credit cards information theft, would it have been so light-heartedly approached? One should not be so naïve as to think that this is only about pictures or videos. More sensitive data is at stake.

As understandable as it can be that, being Oettinger the previous commissioner for energy, he might feel more comfortable among gas and oil pipes,  his comments raised a strong and welcomed criticism within the public opinion. One particular MEP, Julia Reda, who represents the Pirate Party, elaborated better than I could have on all the issues brought up by these foolish comments.

But besides being strange, at the very least, that a likely to be commissioner (after all, the European Commission is the guardian of the treaties) would, in front of the MEPs (being the European Parliament the only European institution which directly represents the voice of the 500 million EU citizens), focus on the fact that the pictures were taken in the first place, it is not only disappointing but also mainly worrying.

It is indeed deeply dramatic that nowadays, in the European Union, and at this high level, one can still so blatantly find the very same reflections of the sexism and victim blaming that have been manifested online when the news of the hacking came out. It is all very wrong when a commissioner not only agrees with those moralists but feels at ease to joke about it publicly. Where are we heading to? How ironic would it be that, among all the challenges brought by the technological progress, we would somehow recede to the early stages of discussions concerning  equal rights and gender discrimination but this time – because Oettinger is a man of his time and the access to the right to vote is so last century! -within the upcoming era of Internet of Things.

Furthermore, it is quite distressful that, in regards to the data security breaches news that make, almost everyday, the headlines of worldwide newspapers, the really important point to be made – the raising of awareness regarding the risks associated to technology and the need for a more secure data storage systems, namely cloud-based  – was just overshadowed by such misogynist  remarks…

Considering all this,  Oettinger’s own words are fairly applicable:

Stupidity is something you can not – or only partly – save people from.

 

Security Breaches and the Bridge to Security

October 2, 2014 / / 0 Comments
Is it?

Is it?

Data protection is a major concern for businesses of all sizes and across all sectors due to the constant risk of information security breaches. They fear the financial impact on operational budgets, the commercial costs it entails, the reputation damage it causes and the consequent liability to third parties.

The ongoing data protection reforms are intended to harmonize and strengthen the current data protection legislation across the EU member states. The new EU General Data Protection Regulation, currently being discussed within the Council of the EU, is awaited with great expectation. Just recently 16 Member States issued a joint declaration pressing the adoption of the reforms by 2015.

If this instrument will be approved in 2015, it will be in place by 2017, thus replacing the 1995 Data Protection Directive, which does no longer adequately cater for the current technological advances. As a regulation it will be directly applicable to all EU member states without a need for national implementing legislation.

For individuals, these news come as a promise that the protection of their rights will be strengthened. But the big changes ahead mean that businesses will face stricter data security requirements and additional compliance burden.

Indeed, although nothing is decided until everything is agreed, it is evident that the new EU Regulation will entail stronger restrictions on companies’ data protection policies and systems, regarding the implementation of appropriate technical and organizational measures. It thus will have major implications for all sectors (financial services, healthcare, the legal sector, manufacturing or the public sector, just to name a few) on the way data is collected, stored and accessed.

The announced reforms will, among others constraints, require businesses and organizations to gain explicit consent from individuals before processing their data, notifying them when their data is collected, and informing for what purpose it is being processed and how long it will be stored.

The conditions include as well the already famous so-called ‘right to be forgotten’, allowing individuals to demand the erasure of their data from companies’ computer systems, if there are no legitimate grounds for keeping it.
In parallel, upcoming changes include also a ‘right to data portability’, thus enabling individuals to easily transfer their personal data between service providers.

Furthermore, companies and organizations will have to report data security breaches to the national supervisory authority (the governmental body that handles data security within a member state). Similarly, users will have to be informed about any data breaches that could adversely affect them without undue delay. Businesses are, of course, worried with the eventual impact that this compulsory disclosure will have on their brand and reputation across the EU. However individuals should undoubtedly be able to take protective measures such as changing passwords if the safety of the information related to them has been compromised by a security breach.

Additionally, companies can incur in severe fines – up to 5 per cent of their global turnover – if they are found to have been negligent or abusive in protecting their data. Fines are intended to be effective, proportionate and dissuasive.

Despite the increased responsibility and accountability, businesses will be able to be free of unnecessary administrative requirements, as notifications, which will bring considerable annual savings.

According to the intended reform, a new ‘one stop shop’ regulatory regime will also be established, which would mean that businesses will have to deal with just one data protection authority (DPA) – the one based in the country of their main establishment – instead of each DPA in every EU country in which they operate.

Of course some of the proposals will undoubtedly be amended in the course of the co-legislative decision procedure, but is has already become obvious that the end-result will require businesses to adapt internal processes and technologies. The recent massive data breaches and security threats have outlined the unfortunate existing room for improvement regarding the monitoring and protection of corporate data.

So the big question to ask is: are businesses ready for the forthcoming legislation?

Though there is no need to panic, the clock is ticking, and businesses should look ahead and prepare themselves for the major shake-up requirements.

In order to move towards compliance, it is important to reflect what are the required adjustments that need to be developped internally to that end.

It will be necessary, for instance, to ensure the legitimacy of the data processed, assessing which data currently stored actually needs to be kept and analysing the legal basis according to which personal data is used. For example, if consent has to be obtained, it must be ascertained if it is adequately documented and if it is specific, informed, explicit and freely given.

It is a paramount principle to identify vulnerabilities, build protective measures and adequate safeguards to all data processing activities which will require, for instance, the restriction of access to data to some employees, anonymising and encrypting data, assigning ownership and attributing responsibilities regarding non-compliance with legislation, namely to an appointed data protection officer.

Offering adequate data security training and education to employees is also an important feature of an effective security precaution, especially regarding their obligations of confidentiality.

The development and application of adequate procedures in order to deal properly with breaches of data security, namely the implementation of an incident management and a breach notification process, will ensure that, once detected, occurrences are notified in due time to the data protection authority.

Similarly, all data processing operations should be well documented and up to date in order to be made available promptly to the data protection authority on request at any time.

Last, but not the least, as individuals will be able to demand that organizations erase records of their personal information, businesses should have in place a system of storage, classification and search which will allow effectively finding and erasing the data collected.

The bottom line is that, regardless what the final version of the upcoming regulation will be shaped like, businesses cannot ignore the EU’s data protection reforms and the challenges and opportunities which lie ahead.

Failing to be well prepared for the impending changes represents putting the whole business at risk due to the reputation damages and the financial losses associated to a potential data breach.

In this context, news of cyber-attacks, as of the most recent software bug Shellshock, might be the greatest of incentives…

Celebgate or The Cloud Conundrum

September 17, 2014 / / 0 Comments
iCloudy with a chance of pictures.

iCloudy with a chance of pictures.

So, after women being already the main target of social engineering, street harassment, cyber harassment, workplace harassment, sexual harassment, or revenge porn, and all the other creepy forms of gender orientated attacks, the online world has recently assisted to the leak of hundreds of intimate pictures of celebrities, such as Jennifer Lawrence, Kristin Dunst, Rihanna and Kim Kardashian.

Well, the word ‘leak’ might not be the most suitable, considering the outlines of the situation… Theft, break-in, hacking, privacy violation, online assault or pirating are far more realistic expressions.

So what happened, really?

Someone – who I just cannot help but picturing as a disgusting and sexually frustrated slobbering pervert with no sense of civility – accessed the iCloud accounts of some targeted celebrities and disclosed their personal pictures online. [1]For those who might not be aware, the Cloud is a storage and back-up system which enables users to keep personal information. As the data is kept online, it allows users to save space in their … Continue reading

What do all the victims have in common? Well, to start with, they all are worldly known for some reason… and all are women.

I really cannot understand why someone would be tempted to access intimate pictures of women against their consent, even celebrities, when the internet is full of websites with pictures of women who willingly or professionally display their naked selves.

It was an evident gender orientated attack, which seems to be a usual and sick practice on the Internet nowadays, intended to publicly expose and shame the victims. As far as I am aware, men are not usually targeted by such endeavours.

Anyway, the central hubs for the displaying and divulgation of the links to the pictures were the websites Reddit and 4chan. The photos then have spread across the Internet like wildfire and the case has been inimitably nicknamed as ‘Celebgate’.

This incident has leaded the public attention to an immediate question: how could attractive young women even dare to take pictures of them or let themselves to be photographed in erotic or sexual poses or situations? For a vast – and scary – amount of internet users, the victims are therefore the major culprits for their own violation. Being celebrities (or should I say women?) they should have known better than to take pictures intended to remain private or only to be shared with whoever they wanted.

On a second thought, this occurrence lead the internet users to reflect on how really private is our private information. A very legitimate concern considering the revelations of Edward Snowden, the recent data breaches news regarding American retailers, as Target and Home Depot, and the hacking conducted on Chinese hospitals’ medical record.

But the incident has put the spotlight on the online security in general. After all, it is very likely that hackers gained access to much more sensitive data than pictures and videos. And if celebrities’ accounts can be hacked, it can happen to anybody, right?

Apple denied having suffered a data security breach and insisted that none of the material was obtained from the company’s servers directly. In a released statement, it affirmed having discovered; instead, that the hacking seemed to be the result of a brute-force attack on users names, passwords and security questions.

Notwithstanding, while the poor choice in passwords and the non implementation of Apple’s two-factor authentication might have been a hinder in terms of security, the vulnerabilities on the security software were undeniable. For instance, iCloud specific backup system did not implement adequate safeguards against brute-force attacks. [2]Brute-force attacks refer to repetitive attempts to break into a user’s account by trying possible combinations of letters, numbers and symbols in order to discover the correct password.

Apple’s announcement that it will strengthen its security measures for its cloud storage platform iCloud thus might not come as a coincidence. Tim Cook informed that users will receive an alert when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time. Moreover, Apple intends to broaden its use of an enhanced two-factor authentication security system.

Despite the unfortunate implications for the victims, it has drawn the very much needed attention and raised awareness – as no other incident so far – to how people share, store and secure their personal and sensitive data.

There are valuable lessons to learn from this incident. The apparent ugly truth is that if someone with the proper time, knowledge and means wants to access your personal data, they will try to and might get it if the proper security measures are not taken. So it is better to assume that nobody is safe from a similar assault.

It is therefore necessary to improve our personal security posture and implement all the available tools to prevent the success of potential future attacks.

To start with, you must be aware if you use services that automatically backup your data and choose if it is convenient for you to keep that feature on or to turn it off. If you intend to use a cloud service, choose one which will encrypt your data.

Secondly, it is very important to implement strong login credentials. A multifactor authentication and the use of a complex and unique password for each online account are usually highly recommended. You can go even further and use passphrases instead of passwords. A password manager will allow you to achieve a deeper protection. [3]The two factor authentication implies two elements: something you know and something you have. Therefore, besides the password (what you know), you will asked for a second form of identification the … Continue reading

These are some basic and well-known measures but the ‘Celebgate’ is here to remind us that everybody, and not only women, needs to take a better care of their online selves. Women might be the main target of hacking intended to publicly humiliate them, but anybody can be a target of hacking with all intends and purposes, with more or less serious and far-reaching consequences: to creepily spy on friends or family or the girl that rejected them; for ‘intellectual’ challenge; to steal services and valuable files, namely regarding intellectual propriety; to collect credit cards details or engage in other forms of credit card fraud; computer take-over; identity theft; mail hacking to disseminate spam…

Some might prefer to judge the victims and to look at their pictures. But the big picture to look at is: use whatever devices and services you want, but use them knowingly and safely. Nobody will protect you online better than yourself.

References

References
1 For those who might not be aware, the Cloud is a storage and back-up system which enables users to keep personal information. As the data is kept online, it allows users to save space in their computers, smartphones or tablets, while being able to access them from any device and from anywhere. Companies as Apple, Google, Microsoft and Amazon, just to name a few, all provide cloud-based storage.
2 Brute-force attacks refer to repetitive attempts to break into a user’s account by trying possible combinations of letters, numbers and symbols in order to discover the correct password.
3 The two factor authentication implies two elements: something you know and something you have. Therefore, besides the password (what you know), you will asked for a second form of identification the first time you log onto an account from a new device. It normally involves being sent a code by text message (what you have/can access).

© 2023 The Public Privacy

Theme by Anders NorenUp ↑