37-Year-Old ‘Syrian Electronic Army’ Hacker Pleads Guilty in US court

One of the FBI’s Most Wanted Hackers who was arrested in Germany earlier this year has pleaded guilty to federal charges for his role in a scheme that hacked computers and targeted the US government, foreign governments, and multiple US media outlets.

One of the FBI's Most Wanted Hackers who was arrested in Germany earlier this year has pleaded guilty to federal charges for his role in a scheme that hacked computers and targeted the US government, foreign governments, and multiple US media outlets. Peter Romar, 37, pleaded guilty Wednesday in a federal court in Alexandria to felony charges of conspiring to receive extortion proceeds and to

Needless meddling

… specific seasons and limits, trespassing, eminent domain, private property rights and the like would remain the same if the amendment doesn’t pass.

... specific seasons and limits, trespassing, eminent domain, private property rights and the like would remain the same if the amendment doesn't pass.

Multiple Backdoors found in D-Link DWR-932 B LTE Router

If you own a D-Link wireless router, especially DWR-932 B LTE router, you should get rid of it, rather than wait for a firmware upgrade that never lands soon.

D-Link DWR-932B LTE router is allegedly vulnerable to over 20 issues, including backdoor acc…

If you own a D-Link wireless router, especially DWR-932 B LTE router, you should get rid of it, rather than wait for a firmware upgrade that never lands soon. D-Link DWR-932B LTE router is allegedly vulnerable to over 20 issues, including backdoor accounts, default credentials, leaky credentials, firmware upgrade vulnerabilities and insecure UPnP (Universal Plug-and-Play) configuration. If

Improve Your Online Privacy And Security Using NordVPN

Today, most users surf the web unaware of the fact that websites collect their data and track their locations – and if this is not enough, then there are hackers and cyber criminals who can easily steal sensitive data from the ill-equipped.

In short, the simple truth is that you have no or very little privacy when you’re online.

So, if you’re worried about identity thieves, or ISPs spying on

Today, most users surf the web unaware of the fact that websites collect their data and track their locations – and if this is not enough, then there are hackers and cyber criminals who can easily steal sensitive data from the ill-equipped. In short, the simple truth is that you have no or very little privacy when you're online. So, if you're worried about identity thieves, or ISPs spying on

Study Group: On the Impossibility of Tight Cryptographic Reductions

Today I kicked off the study groups for 2016/17. I spoke about On the Impossibility of Tight Cryptographic Reductions, from this year’s Eurocrypt. Keen readers of the blog might recall that this paper is a particular favourite of mine.Since I’ve wrote …

Today I kicked off the study groups for 2016/17. I spoke about On the Impossibility of Tight Cryptographic Reductions, from this year's Eurocrypt. Keen readers of the blog might recall that this paper is a particular favourite of mine.

Since I've wrote about it before, I won't go into much detail about the paper. Instead I'll say why I (still) like it, and a bit about how it's shaped my own work this year.

So, why choose this paper again? First and foremost, it's just really good. It's well written and the result - that certain reductions are necessarily lossy - has big implications for the way we do things in provable security. There is an increasing drive for theoreticians to produce work that has a meaningful impact on the real world. Choosing security parameters is an important part of that picture, but this paper shows that the traditional tools of provable security can sometimes be inadequate in this regard - especially in a setting like the internet, with billions of users of cryptography.

Is it that our methods need changing? Or should practitioners ignore the theory and 'go with their gut' when choosing parameters? Do we need to actively avoid using those crytographic primitives for whom reductions are always lossy,  like rerandomisable signatures and encryption schemes where each public key has a unique secret key? These are profound questions for the community.

Another reason I chose to talk about this paper is that it's nicely self-contained. This is not an incremental result about something obscure. Almost everyone here at Bristol has encountered reductions, and after recalling the standard EUF-CMA definition for signatures it was easy to build up to the main theorem of the paper (or at least the particular case of signatures in the main theorem). If any new PhD students are looking for some theory to get their teeth into, this paper would be a great starting point.

Finally, I cheated a bit by giving my presentation about a paper that I've become very familiar with in the last few months, as I'm trying to extend it. At the moment, the result only applies to certain public-key primitives; I'd like to say something about multi-key to single-key reductions for symmetric encryption (which is of particular relevance to my PhD project, on Key Management APIs). I hope to have more to say on this in the not-too-distant future.

Apple Tracks Who You’re Chatting Using iMessage — and Shares that Data with Police

Doing conversations with your friend on iMessage and thinking that they are safe and out of reach from anyone else other than you and your friend? No, it’s not.

End-to-end encryption doesn’t mean that your iMessages are secure enough to hide your trac…

Doing conversations with your friend on iMessage and thinking that they are safe and out of reach from anyone else other than you and your friend? No, it's not. End-to-end encryption doesn't mean that your iMessages are secure enough to hide your trace because Apple not only stores a lot of information about your iMessages that could reveal your contacts and location, but even share that

World’s largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices

Do you know — Your Smart Devices may have inadvertently participated in a record-breaking largest cyber attack that Internet has just witnessed.

If you own a smart device like Internet-connected televisions, cars, refrigerators or thermostats, you might already be part of a botnet of millions of infected devices that was used to launch the biggest DDoS attack known to date, with peaks of over

Do you know — Your Smart Devices may have inadvertently participated in a record-breaking largest cyber attack that Internet has just witnessed. If you own a smart device like Internet-connected televisions, cars, refrigerators or thermostats, you might already be part of a botnet of millions of infected devices that was used to launch the biggest DDoS attack known to date, with peaks of over

Macs are not safe from Bears

Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks’ recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT […]

The post Macs are not safe from Bears appeared first on The Privacy Blog.

Bear fancy pattern

Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks’ recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT group they call “Fancy Bear”.

The malware is a trojan executable designed to look and act like a PDF file. It is being used in highly targeted attacks where the apparent content of the file is something that the recipient was expecting to receive.

These kinds of attacks typically start with the nation state level APT attackers and quickly make their way down to the street level cybercriminals. Everyone on every platform needs to pay attention to their security and take proper precautions.

The post Macs are not safe from Bears appeared first on The Privacy Blog.

Facebook releases Osquery Security Tool for Windows

OSquery, an open-source framework created by Facebook that allows organizations to look for potential malware or malicious activity on their networks, was available for Mac OS X and Linux environments until today.

But now the social network has announ…

OSquery, an open-source framework created by Facebook that allows organizations to look for potential malware or malicious activity on their networks, was available for Mac OS X and Linux environments until today. But now the social network has announced that the company has developed a Windows version of its osquery tool, too. When Facebook engineers want to monitor thousands of Apple Mac

Germany Bans Facebook From Collecting WhatsApp Data

Just last month, the most popular messaging app WhatsApp updated its privacy policy and T&Cs to start sharing its user data with its parent company, and now both the companies are in trouble, at least in Germany and India.

Both Facebook, as well a…

Just last month, the most popular messaging app WhatsApp updated its privacy policy and T&Cs to start sharing its user data with its parent company, and now both the companies are in trouble, at least in Germany and India. Both Facebook, as well as WhatsApp, have been told to immediately stop collecting and storing data on roughly 35 Million WhatsApp users in Germany. The Hamburg

Google to Launch ‘Andromeda OS’ — An Android-Chrome OS Hybrid

Google’s long-rumored Android-Chrome hybrid operating system is expected to debut at the company’s upcoming hardware event on October 4.

The company has been working to merge the two OSes for roughly 3 years with a release planned for 2017, but an “ea…

Google's long-rumored Android-Chrome hybrid operating system is expected to debut at the company's upcoming hardware event on October 4. The company has been working to merge the two OSes for roughly 3 years with a release planned for 2017, but an "early version" to show things off to the world in 2016. <!-- adsense --> Android + Chrome = Andromeda The hybrid OS, currently nicknamed '

Sissi Johnson: Our Lives In Data: 3 Takeaways

Data, and especially big data, has a certain appeal when uttered from the lips of Apple’s Tim Cook and other deep-minded algorithm enthusiasts and marketers.
Read more: Big Data, Privacy, Online Privacy, Technology, Sissi Johnso…

Data, and especially big data, has a certain appeal when uttered from the lips of Apple's Tim Cook and other deep-minded algorithm enthusiasts and marketers.

Read more: Big Data, Privacy, Online Privacy, Technology, Sissi Johnson, London, Technology News

What is…an exploit?

Most cyberattacks involve criminals exploiting some sort of security weakness. That weakness could be down to a poorly chosen password, a user who falls for a fake login link, or an attachment that someone opened without thinking. However, in the field of computer security, the word exploit has a specific meaning: an exploit is a […]

shutterstock_189045062Most cyberattacks involve criminals exploiting some sort of security weakness.

That weakness could be down to a poorly chosen password, a user who falls for a fake login link, or an attachment that someone opened without thinking.

However, in the field of computer security, the word exploit has a specific meaning: an exploit is a way of abusing a software bug to bypass one or more security protections that are in place.

Software bugs that can be exploited in this way are known as vulnerabilities, for obvious reasons, and can take many forms.

For example, a home router might have a password page with a secret “backdoor code” that a crook can use to login, even if you deliberately set the official password to something unique.

Or a software product that you use might have a bug that causes it to crash if you feed it unexpected input such as a super-long username or an unusually-sized image – and not all software bugs of this sort can be detected and handled safely by the operating system.

Some software crashes can be orchestrated and controlled so that they do something dangerous, before the operating system can intervene and protect you.

When attackers outside your network exploit a vulnerability of this sort, they often do so by tricking one of the applications you are using, such as your browser or word processor, into running a program or program fragment that was sent in from outside.

By using what’s called a Remote Code Execution exploit, or RCE for short, an attacker can bypass any security popups or “Are you sure” download dialogs, so that even just looking at a web page could infect you silently with malware.

Worst of all is a so-called zero-day exploit, where the hackers take advantage of a vulnerability that is not yet public knowledge, and for which no patch is currently available.

(The name “zero-day” comes from the fact that there were zero days during which you could have patched in advance.)

What to do?

Patch early, patch often!

Reputable vendors patch exploitable vulnerabilities as soon as they can. Many vulnerabilities never turn into zero-days because they are discovered responsibly through the vendor’s own research, or thanks to bug bounty programs, and patched before the crooks find them out.

Use security software that blocks exploits proactively

Many vulnerabilities require an attacker to trigger a series of suspicious operations to line things up before they can be exploited. Good security software like Sophos Endpoint Security and Sophos Intercept X can detect, report and block these precursor operations and prevent exploits altogether, regardless of what malware those exploits were trying to implant.


Filed under: Corporate, Enduser, Security Tips Tagged: Exploit, Sophos Endpoint Protection, Sophos Intercept X, What is, Zero-day

Hacker Who Helped ISIS to Build ‘Hit List’ Of US Military Personnel Jailed for 20 Years

A computer hacker who allegedly helped the terrorist organization ISIS by handing over data for 1,351 US government and military personnel has been sentenced to 20 years in a U.S. prison.

Ardit Ferizi, aka Th3Dir3ctorY, from Kosovo was sentenced in fe…

A computer hacker who allegedly helped the terrorist organization ISIS by handing over data for 1,351 US government and military personnel has been sentenced to 20 years in a U.S. prison. Ardit Ferizi, aka Th3Dir3ctorY, from Kosovo was sentenced in federal court in Alexandria, for "providing material support to the Islamic State of Iraq and the Levant (ISIL) and accessing a protected computer

Google WiFi Router — Combine Multiple Routers to Boost WiFi Signal

Can you rely on a single loudspeaker in your living room for great sound throughout your home?

Nah!

In the same way, you can not expect a single WiFi router to provide stable range throughout your home.

To solve this issue, Google will soon power your home’s wireless internet network with its own-brand new WiFi router called Google WiFi, according to a new report.
<!– adsense –>
Google is

Can you rely on a single loudspeaker in your living room for great sound throughout your home? Nah! In the same way, you can not expect a single WiFi router to provide stable range throughout your home. To solve this issue, Google will soon power your home's wireless internet network with its own-brand new WiFi router called Google WiFi, according to a new report. <!-- adsense --> Google is

Apple Weakens iOS 10 Backup Encryption; Now Can Be Cracked 2,500 Times Faster

After the iPhone encryption battle between Apple and the FBI, Apple was inspired to work toward making an unhackable future iPhones by implementing stronger security measures even the company can’t hack.

Even at that point the company hired one of the key developers of Signal — one of the world’s most secure, encrypted messaging apps — its core security team to achieve this goal.

But it

After the iPhone encryption battle between Apple and the FBI, Apple was inspired to work toward making an unhackable future iPhones by implementing stronger security measures even the company can't hack. Even at that point the company hired one of the key developers of Signal — one of the world's most secure, encrypted messaging apps — its core security team to achieve this goal. But it

Watch now – Sophos Intercept X in two minutes!

Today’s cybercriminals are more sophisticated than ever, and next-generation attacks call for next-generation solutions. Launched last week, Sophos Intercept X is a completely new approach to endpoint security. It features signatureless anti-exploit, anti-ransomware and anti-hacker technology that includes visual root-cause analysis and advanced malware cleanup – all managed via the Sophos Central Admin console. No […]

sophos-intercept-x-icon-150Today’s cybercriminals are more sophisticated than ever, and next-generation attacks call for next-generation solutions.

Launched last week, Sophos Intercept X is a completely new approach to endpoint security.

It features signatureless anti-exploit, anti-ransomware and anti-hacker technology that includes visual root-cause analysis and advanced malware cleanup – all managed via the Sophos Central Admin console.

No other solution on the market offers so many features in a single package.

Want to know more? Watch our video!

If you’re interested in learning more about Intercept X, as well as seeing a live demo of the product, please sign up for our webinar on 4 October at 2.00pm-3.00pm EDT.

If you’d like to try the product yourself, you can sign up for a free trial of Intercept X here.


Filed under: Enduser Tagged: Intercept X, ransomware, Sophos Intercept X

BELGIUM: Belgian Privacy Commission issues a 13 step plan for companies preparing for GDPR compliance

By Patrick Van Eecke, Charlotte Suffys and Senne Mennes Following a series of guidance published by fellow national DPAs, the Belgian Privacy Commission launched a 13 step GDPR-readiness roadmap to help companies processing personal data to start preparing themselves. The Privacy Commission will also create a GDPR-themed section on its website where data controllers and …

Continue reading »

By Patrick Van Eecke, Charlotte Suffys and Senne Mennes

Following a series of guidance published by fellow national DPAs, the Belgian Privacy Commission launched a 13 step GDPR-readiness roadmap to help companies processing personal data to start preparing themselves.

The Privacy Commission will also create a GDPR-themed section on its website where data controllers and processor can consult additional guidelines, instruments and frequently asked questions.

The 13 steps forming the roadmap for ensuring GDPR compliance by 25 May 2018 are:

1. Raising awareness

Inform key figures and policymakers on upcoming changes. They will have to assess the impact of the GDPR for the organisation.

2. Data mapping

Document which personal data you manage, where it comes from and with whom it has been shared. Map your data processing activities. You may potentially have to organize an information audit.

3. Communication

Evaluate your existing privacy policy and plan necessary changes in view of the GDPR.

4. Rights of the data subject

Verify whether the current procedures within your organisation provide all the rights granted by the GDPR to the data subject. Check how personal data can be erased or how personal data will be communicated electronically.

5. Access requests

Update your existing access procedures and think about how you will process future access requests under the new GDPR terms.

6. Legal basis for processing personal data

Document the various types of data processing by your organisation and identify the legal basis for each of them.

7. Consent

Evaluate your way of requesting, obtaining and registering consent. Modify where necessary.

8. Minors

Develop systems to verify the age of the individual concerned and request parental or custodial consent when processing personal data of minors.

9. Data breaches

Foresee adequate procedures to detect, report and investigate personal data breaches.

10. Privacy by design and privacy impact assessment

Get acquainted with terms such as “privacy by design” and “privacy impact assessment” and verify how you can implement these concepts in your organisation’s day to day operations.

11. Data protection officer

If necessary, appoint a data protection officer or someone responsible for ensuring compliance with data protection laws. Evaluate how this person will function within the management of your organisation.

12. International

Determine who is your supervisory data protection authority if your organisation is active in multiple jurisdictions.

13. Existing contracts

Evaluate your existing contracts – mainly with processors and subcontractors – and adopt the necessary changes in a timely manner.

Please feel free to contact Patrick Van Eecke to learn more about how you can prepare your organisation in Belgium for GDPR compliance.

Critical DoS Flaw found in OpenSSL — How It Works

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks.

OpenSSL is a widely used open-source cryptographic library that…

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks. OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well

Leaked NSA Hacking Tools Were ‘Mistakenly’ Left By An Agent On A Remote Server

If you are a hacker, you might have enjoyed the NSA’s private zero-day exploits, malware and hacking tools that were leaked last month.

But the question is: How these hacking tools ended up into the hands of hackers?

It has been found that the NSA it…

If you are a hacker, you might have enjoyed the NSA's private zero-day exploits, malware and hacking tools that were leaked last month. But the question is: How these hacking tools ended up into the hands of hackers? It has been found that the NSA itself was not directly hacked, but a former NSA employee carelessly left those hacking tools on a remote server three years ago after an

Yahoo Confirms 500 Million Accounts Were Hacked by ‘State Sponsored’ Hackers

500 million accounts — that’s half a Billion users!

That’s how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what was believed to be a “state sponsored” hacking group.
<!– adsense –>
Over a month ago, a hacker was found to be selling login information related to 200 million Yahoo accounts on the Dark Web, although Yahoo acknowledged that the breach was

500 million accounts — that's half a Billion users! That's how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what was believed to be a "state sponsored" hacking group. <!-- adsense --> Over a month ago, a hacker was found to be selling login information related to 200 million Yahoo accounts on the Dark Web, although Yahoo acknowledged that the breach was

iPhone 7 Jailbreak Has Already Been Achieved In Just 24 Hours!

It has only been a few days since the launch of Apple’s brand new iPhone 7 and iPhone 7 Plus, but it appears that the new iPhone has already been jailbroken.

That didn’t take long. Right?
<!– adsense –>
Security researcher and well-known hack…

It has only been a few days since the launch of Apple's brand new iPhone 7 and iPhone 7 Plus, but it appears that the new iPhone has already been jailbroken. That didn't take long. Right? <!-- adsense --> Security researcher and well-known hacker Luca Tedesco shared an image of his jailbroken smartphone on his Twitter account to show off the world that the new iPhone 7 has been jailbroken.

How fit is your gadget? Putting web-connected health/wellness devices through their privacy paces

Smart TVs . . . Fitness trackers . . . Automated thermostats . . . Self-driving cars . . . The Internet of Things is the next frontier in digital technology which is why the Global Privacy Enforcement Network focused its 2016 Privacy Sweep on this emerging market. Sweep participants were especially interested in how […]

Smart TVs . . . Fitness trackers . . . Automated thermostats . . . Self-driving cars . . .

The Internet of Things is the next frontier in digital technology which is why the Global Privacy Enforcement Network focused its 2016 Privacy Sweep on this emerging market. Sweep participants were especially interested in how companies communicate their personal information handling practices.

Given the sensitivity of the information that health and wellness devices, as well as their associated apps and websites, are capable of collecting, the Office of the Privacy Commissioner of Canada (OPC) focused its Sweep on 21 devices ranging from smart scales, blood pressure monitors and fitness trackers, to sleep and heart rate monitors, a smart breathalyzer and a web-connected fitness shirt.

The choice of devices dovetails with one of our four strategic privacy priorities—the body as information. Identified as an important area of focus during a priority-setting exercise that culminated in May 2015, the body as information refers to the mounting privacy concerns related to highly sensitive health, genetic and biometric information that is being used by organizations and governments in all sorts of new ways.

During the Sweep, our Sweepers—aka OPC staff—put the products to use to see first-hand what information the devices requested, compared to what privacy communications said would be collected. In some cases, they followed up with specific privacy questions for the companies.

Below is a brief assessment of how the devices stacked up.

Note: the Global Privacy Sweep is not a formal investigation. We did not seek to conclusively identify compliance issues or possible violations of privacy legislation. This was not an assessment of a device’s overall privacy practices, nor was it an in-depth analysis of device design or functionality.

We sought to recreate the user experience and for the purposes of this blog, we compared and contrasted certain features observed by our Sweepers—namely those they found particularly fit, with those they felt could benefit from some rehab. We learned a lot and hope these concrete examples will help device makers, as well as Canadians, better understand our conclusions.

We’ve also offered some takeaways for companies and consumers. The purpose is to provide some basic tips on how to improve privacy communications from a user’s perspective. These takeaways should not be viewed as legal advice or a substitute for any legal requirements under applicable privacy legislation. Organizations that would like more information on their legal obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, may wish to have a look at our Privacy Toolkit.

Location, location, location!

Why do so many devices want to know where you are at any given time? Sure, it might make sense for a fitness tracker that needs to follow your route to calculate your distance travelled. But a blood pressure monitor or thermometer?

The QardioArm blood pressure monitor seeks access to location when the user creates an account and provides the following explanation which seemed a bit odd to our Sweeper.

quardioarmxxx

Then again, it might be interesting to check whether a visit to the in-laws does indeed thrust the ticker into overdrive.

The Kinsa thermometer also gives users the option to enable location tracking and provides a couple of reasons for it.

In a follow-up email to our Sweeper, the company explained that access to location helps users find groups of other Kinsa users. Presumably to swap riveting tales of temperature readings?

The Privacy Policy also offered an interesting use for location data:

kinsaxxx

I suppose it might be nice to know if there’s a strep throat outbreak before everybody starts double dipping the guacamole at your next party.

Takeaway for companies: Besides location, users also want to know why you need to collect certain information such as full date of birth, height, weight and why you require access to such things as one’s photos and contact list. Provide the purposes for the collection up front and you’ll avoid leaving users guessing. For something as sensitive as location tracking, Sweepers were pleased that many devices gave users the option to turn it on or off.

Takeaway for consumers: Just because a device or associated app asks for data, doesn’t mean you’re required to turn it over. Many data points are optional and users should be prudent before handing over information. Make sure you understand and agree with the intended use of your personal information.

Checking out?

Had enough health tracking for one lifetime? Time to resume your position on the couch with a bag of chips? Deleting your account may not be so simple.

Despite technological advances that allow users to share data electronically with doctors and relatives, the Everlast Health blood pressure monitor relies on snail mail to fulfil requests for data deletion. Seriously?

everlastxxx

By contrast, the Jawbone UP3 wireless activity, sleep and heart rate tracker offers what appears to be a comprehensive series of instructions for deleting data, whether it’s specific readings or all personal data on the company’s servers and beyond, including that collected by its partners.

jawbone1xxx

jawbone2xxx

Unfortunately, despite all these seemingly quick click mechanisms for deleting data, our Sweeper noted his account was still active and personal information was still accessible two months later, despite following up with the company’s customer service department to confirm deletion.

Takeaway for companies: There’s no need to make things difficult for customers who wish to delete their data. As technological innovators, we are confident in your ability to come up with a simple and quick way for people to delete account information that does not require more than a few clicks of a mouse. Simplicity is a great way to build trust and credibility with your customers.

Takeaway for consumers: Know what you’re getting into before diving in. Before providing personal information, make a point of finding out what’s going to happen to it and whether you can erase it later if you so desire. If you’re not sure, contact the company for more information. Most organizations are sensitive to consumer concerns about privacy. Let them know if something doesn’t feel right. Positive changes to the general policies or practices of an organization are more likely when people speak up.

Three (or more’s) a crowd

Transactions in the online world are never black and white. From marketing, to analytics, to scientific research, behind seemingly every company you think you’re dealing with is a myriad of third parties potentially getting access to your data for one reason or another.

The QardioArm wireless blood pressure monitor offers a crystal clear explanation of who it won’t share your information with, such as advertisers and marketers, data brokers and information resellers. To our Sweeper’s delight, there’s an added caveat that nothing will be shared without the user’s express (opt-in) consent.

Meanwhile, the BACtrack Mobile breathalyzer device gives users the option to store blood-alcohol level readings and sets its default to not keep this data on file, which is great. But if you decide to create an account and keep a record of your readings, your data, including your readings as well as your location, notes, photographs, gender, weight and other data will be stored and may be shared with third parties, including the media. BACtrack warns in the printed Privacy Policy that comes with the device that “although we will not associate your name with such data, your identity may be determined by the other data available.”

Curiously, we did not find this same clause in the online version of the privacy or terms of use policies.

Takeaway for companies: Consumers want to know who their personal information is being shared with and for what purposes. Ideally, companies should provide details about what information is being shared and with whom. For example, is it being shared for marketing, research or operational purposes?

Takeaway for consumers: Read and make sure that you are comfortable with the use and sharing practices of a company you are dealing with. Remember, many companies will not only sell you a device, they may sell your data as well. Note, however, that you do not have to agree to all a company’s requests to share your data. Certain requests to disclose, such as for marketing purposes, should not necessarily be a condition for using a device. Also know that devices may connect to existing social media platforms or offer their own social media features that allow you to share data publicly. Think twice. Once information is out there, it may be impossible to get back. Think of the impact certain comments or images could have on your reputation or the reputation of others. What might seem like a good idea in the moment, might not in the days, weeks, months or years ahead.

Details please

Sweepers were certainly conscious of the sensitive nature of health data and were protective of it. While they understood that providing too much information about safeguards could compromise a company’s security, they felt some detail was important.

The Garmin Vivosmart HR fitness tracker monitor offers users a pretty detailed explanation of its security controls under the heading “Keeping Data Safe at Garmin” and encourages users to report any security or vulnerability issues they might encounter.

The company also explained its use of encryption, but our Sweeper was left wondering whether it only applied to financial data and if health information is also encrypted.

garminxxx

Meanwhile, the Fitbit Charge HR fitness tracker offered a single vague line about safeguards in its privacy policy and invited users to contact the company for details:

fitnitxxx

A follow-up email to the company yielded a slightly more detailed explanation that included some information about its use of encryption, but it mostly just “rest assured” us that its products were “designed with security in mind.”

Takeaway for companies: Sweepers noted a number of vague statements about the use of safeguards, with organizations reassuring users that their information is safe. Ensure you have the necessary robust safeguards in place, commensurate with the sensitivity of the personal information you have collected.

Takeaway for consumers: If, after reading about what safeguards a company has employed to protect your personal information, things still aren’t clear or you have questions, ask. If you believe your data has been compromised, raise your concerns with the company. If you are not satisfied with the results, you have a right to file a formal complaint about organizations subject to PIPEDA with our Office.

Get to the point

Ever purchase a product only to wonder whether the company realizes they’ve provided the wrong privacy communications? Generic privacy policies that read as though they were written for another product are frustrating and unhelpful. But it doesn’t have to be this way.

The Razer Nabu fitness tracker provides a great example of just-in-time notification—a practice that provides valuable information to users about how their data is going to be used at the very moment they are asked to provide it.

nabuxxx

The iMazeFitness HR strap, on the other hand, offered a link to a privacy policy that seemed completely unrelated to the device or company in question. On top of that, after our Sweepers were desperately looking for some form of relevant privacy communications for iMaze, they were disappointed to find a placeholder inserted at the bottom of a profile page that said: “insert customer data privacy clause here.” How embarrassing!

imazexxx

Takeaway for companies: Privacy communications that are specific to the device in question are far more useful than generic policies that will simply leave your customers scratching their heads. Just-in-time notifications provided on the device at the moment data is sought is a best practice worth considering. Finally, do your due diligence. Generic templates and unfilled placeholders are embarrassing and do little to engender trust and credibility with customers.

Takeaway for consumers: If the privacy communications do not match your experience using the product, let the company know. As mentioned before, companies tend to be responsive to consumers when they express concerns about privacy. A testament to this statement is the fact that 19 of the 21 companies we wrote to with follow-up questions got back to us in a timely fashion. We were satisfied with the responses from two-thirds of them. It’s a start!

How the new privacy portability right will change your industry

The new privacy data portability right is empowering individuals to have a full control on their personal data representing both an opportunity and a risk for companies.    What is the privacy data portability right? The EU Privacy Regulation provides that “the data subject shall have the right to receive the personal data concerning him …

Continue reading »

The new privacy data portability right is empowering individuals to have a full control on their personal data representing both an opportunity and a risk for companies. 

 

What is the privacy data portability right?

The EU Privacy Regulation provides that

the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent [—] or on a contract [—]; and (b) the processing is carried out by automated means.

Also, the regulation adds that “the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Considering that nowadays most of data is processed by automated means, the scope of this new right is massive. The regulation does not oblige data controllers to make their systems technically compatible with any other system. But, when systems are not compatible, data shall be in any case handed over to individuals so that he/she can transmit them to their new supplier.

The purpose of the right is to grant individuals with more freedom of choice when selecting their service providers making easier the switch to a new supplier.

What is the impact on your industry?

With the technological development that is leading to services that are exponentially customised on the users’ profile, the portability right enables individuals to “transfer” their profile from a supplier to another.

This might have considerable effects, among others, in the following sectors

  • Insurance -> as of today, individuals are “ranked” on the basis of their previous insurance history and the ranking is necessary to determine the insurance premium.  If an individual switches to a new provider, such individual will be obliged to pass on to his new insurer only a certificate testifying his “classification“. On the contrary, the portability right will allow to transfer the whole profile of the individual, which might considerably detailed as a consequence of the development of insurance telematics and might contain also useful information/trade secrets on what type of data is collected by the insurer;
  • Online/e-commerce/online gaming -> cookies, footprinting and other similar technologies allow to create a detailed profile of online customers which contains not only the history of his purchases, but a full profile of his preferences. Individuals might require under the new Privacy Regulation the transfer of such profile to their new favourite e-commerce platform or online gaming operator which also in this case would oblige the operator to be fully transparent on the data collected in relation to its users;
  • Research and clinical trials -> individuals that are enrolled in such projects and want their data to be used for a new project on the same topic, might require the hospitals involved in the first clinical trial to pass on the data to those running the new one. This practice might lead to abuses as the “migration” of data might enable the new hospital to take advantage of the activities previously performed;
  • Internet of Things technologies -> if we consider connected cars or eHealth devices, users might decide to transfer their profile when they buy a new car so that this is already customised on their size and preferences. Likewise, the whole health related data of an individual could be transferred from a eHealth provider to another;
  • Cloud platforms -> most of data are now stored in cloud platforms and after years of usage of the same provider, users might find a disincentive in switching to a new supplier. However, the data portability right make the competitive advantage of consolidated cloud providers much weaker.

Is this right a potential source of anti-competitive conducts?

A major issue pertains to the portability relates to the potential disclosure of trade secrets and confidential information by means of the transmission of “portable” data.

Likewise, the exercise of the portability right might impact also the intellectual property rights of the data controller. Indeed, a supplier might acquire considerable contents of the database of one of its competitors just granting incentives to customers to the exercise of their portability right. As a consequence, it cannot be excluded that the exercise of the portability right might lead to unfair competition conducts.

Therefore the issue is whether the above rights could represent a limit to the exercise of the portability right or it will be on businesses to allow its exercise in a manner that avoids the breach of their rights.

What to do to minimise negative effects and be ready?

There is no doubt that the portability right might lead to considerable costs for data controllers. And the Privacy Regulation is silent on the possibility to charge any fee to individuals exercising their portability right. But the possibility to charge a possible reasonable fee is mentioned with reference to the exercise of the access right of which the portability right might be considered an extension.

In order to be ready for such right, data controllers shall, among others,

  1. adopt procedures in order to deal portability rights requests;
  2. have a standard process that enables the transmission of data to the new supplier;
  3. adopt measures that allow the removal of confidential information/trade secrets from communicated data; and
  4. have systems that monitor the amount and types of portability right requests to limit the risks of abuses by competitors.

If you found this article interesting, please share it on your favourite social media!

@GiulioCoraggio

Beware — Someone is dropping Malware-infected USB Sticks into People’s Letterbox

Hey! Wait! Wait! Wait!

Don’t plug in that USB stick into your laptop. It could infect your computer with malware and viruses.

Australia’s Victoria Police Force has issued a warning regarding unmarked USB flash drives containing harmful malware being …

Hey! Wait! Wait! Wait! Don't plug in that USB stick into your laptop. It could infect your computer with malware and viruses. Australia's Victoria Police Force has issued a warning regarding unmarked USB flash drives containing harmful malware being dropped inside random people's letterboxes in the Melbourne suburb of Pakenham. It seems to one of the latest tactics of cyber criminals to