New Eurpoean Privacy Standards Comming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR), on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were specifically passed by the EU, due to the international nature of the web many people from all over the world will feel its impacts.

These regulations aim to increase user privacy through expanding the scope of consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer – meaning web services must implement gradual permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company has on the user. Companies must also have the ability to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them to be permanently erased from a companies database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of these cars large penalties on per-violation bases. These rules could potentially change the global playfield as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

Advertisements

Snapchat makes you vulnerable?

Snapchat became a social media giant a few years ago, and as always, with social media comes security risks.

A method for saving photo and videos in Snapchat included connecting to API, the app’s application programming interface. By using this technique, the third-party developers were capable to log into the app remotely without using the original Snapchat application. In 2013, a number of third-party applications were developed in relation to API vulnerability. The apps that enabled downloading and saving received images were publicly available in app stores, such as iTunes App Store or Google Play. The Federal Trade Commission claims that, during that period, “on Google Play alone, ten of these applications have been downloaded as many as 1.7 million times.” Using the hacked API, one of the biggest cyber-crimes related to Snapchat was committed.

13 gigabytes of pictures/videos from users was leaked, in response to this, the third party application was shutdown by snapchat.

Another flaw in the photo/video mechanism was the screenshot feature. Snapchat’s privacy policy contained a claim that the user would be informed as soon as the screenshot of a user’s Snap would be made. However, the mechanism of screenshot detection could be easily circumvented in the iOS operating system. This method is not very sophisticated, which made this tool available for many users, and made the data not secure.

Another defect was found in the app’s authorization system allows hackers to use denial-of-service attacks that can crash users’ smartphones by sending a large number of messages in a short period of time. Receiving multiple messages at once causes freezing of the device and requires rebooting it. For Apple iPhone users, this security defect can cause more harm than for Android users. In Android operational system, such incident only slows down the work of the device but does not require the system to reboot. This technical issue has not been addressed by Snapchat yet.

 

-Jacob Mayer

 

Social Networks are not Designed for Privacy

This might seem a tad common sense, but it seems that many people are upset over how Facebook has been mishandling data as of late. Specifically how much of the information on the site is not well protected by “privacy” settings.

Basically, Aleksandr Krogan, a UK citizen, used a Facebook personality test app to harvest information of Facebook profiles. Notably it could harvest data of the friends of people that took the personality test. Krogan would then go on to send all of this data to Cambridge Analytica. Its not clear how this information was used, but with the many political organizations that pay for Cambridge Analytica’s services, many people have found this revelation to be disturbing.

Now, there will no doubt be a long period of finger pointing and upset users for the rest of the week. WhatsApp co-founder Brian Acton has suggested that people delete their Facebook account with the trending hashtag “#DeleteFacebook”. Mark Zuckerburg is expected to break silence on this matter soon, so far Facebook’s response has been to say that Dr. Krogan violated site policy. This is also not Facebook’s first incident of their platform getting inadvertently involved in politics. In the last year incidents with Russian run campaign ads during the US election, and incidents with “fake news” have caused much turmoil for the company’s public opinion.

I personally think that this whole situation begs a new question. Should we honestly be surprised that information that we put on social media is actually not private? Facebook’s business model relies on gathering userdata and using it for advertising. Beyond mischievous motives, the service is exists to allow users to share data with other users. With that in mind, you have to realise that you not only trust Facebook to enforce your privacy settings, but every single person on your friendslist. Each one of your friends has to keep their account secure, whether it be from intrusion or just a malicious app such as this personality test from Aleksandr Krogan. Its unrealistic honestly, making user data harder to access hampers the social part of a social network; and as it is, there are plenty of vectors for someone to harvest “private” information. Hopefully with each one of these large events people can learn the value of their own personal information, and maybe show restraint towards what they share online. People can’t expect the facade of account visibility to keep their information truly private, it can only delay the inevitable breach.

https://www.theguardian.com/news/2018/mar/18/what-is-cambridge-analytica-firm-at-centre-of-facebook-data-breach
https://www.washingtonpost.com/opinions/i-worked-at-facebook-i-know-how-cambridge-analytica-could-have-happened/2018/03/20/edc7ef8a-2bc4-11e8-8ad6-fbc50284fce8_story.html?utm_term=.622969e33044

OURSA Conference

One of the worlds largest computer security conferences, RSA, has recently been in the spotlight for all of the wrong reasons. The conference, which is six weeks away, just released their lineup of keynote speakers, which contains 22 individuals, and only one of those are female. Even worse, the one female speaker, Monica Lewinsky, is not even in the security field, she is speaking about anti-bullying. There was a large uproar regarding this which resulted in the foundation of a new conference, ironically named OURSA, which was formed in a mere 5 days. It is a predominantly female created conference, with the help of allies, that will take place at the same date and time as RSA. The lack of representation isn’t a new issue though, since over many different conferences there has been a collective loss of inclusion of different minorities, including women. RSA responded to the conference by saying the keynote speaker list is not final, and “…it also blamed the lack of women in the field, where just 11% of positions worldwide are held by women.” Firstly, that is an extremely sexist response, but second, if the percentage of positions held by women are so low, wouldn’t it be inspiring to see more female keynote speakers to inspire the next generation? This will only be a one time event and will only be able to host 1000 people instead of the 43,000 that RSA hosted last year. Nevertheless, this will be a groundbreaking conference that will hopefully shed light upon the issues with diversity in the community and the promotion of inclusion within all groups.

 

Source:

https://www.usatoday.com/story/tech/news/2018/03/05/women-create-alternate-tech-conference-protesting-snub-big-security-confab/395323002/

 

-Becca Fried

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling handed down from a regional court in Berlin found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium occurred later that week, on the 16th of February, in which Facebook has been ordered to cease tracking through third party sites. These rulings appear to be continuing a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications regarding the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms and service contracts can be declared invalid under the assumption that a user cannot be expected to fully read and understand the terms, then it could potentially force companies to either find alternative ways of setting terms of use or just encourage companies to shorten them.

The removal of a “real name” clause theoretically removes a convenient user id for select users, possibly requiring Facebook to resort to cross referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure they once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook has already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause runs under the assumption that Facebook haven’t already discovered or designed a more convenient alternative.

The final ruling of interest here regarding the transfer of personal data to the US actually has much stronger implications on the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on their own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated because of the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the data sets, and then send the combined dataset back to Europe. This ruling could remove the ability for companies to circumvent the data protection laws via this method, which would reduce the desire for companies to gather as much niche data.

– S. Carlton

References:

Court Ruling (German):

https://www.vzbv.de/sites/default/files/downloads/2018/02/12/facebook_lg_berlin.pdf

German Court News:

https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI?il=0

https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court

https://www.theguardian.com/technology/2017/oct/26/whatsapp-facebook-eu-data-article-29-working-party-taskforce-sharing-user

Belgian Court News:

https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court