New Eurpoean Privacy Standards Comming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR), on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were specifically passed by the EU, due to the international nature of the web many people from all over the world will feel its impacts.

These regulations aim to increase user privacy through expanding the scope of consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer – meaning web services must implement gradual permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company has on the user. Companies must also have the ability to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them to be permanently erased from a companies database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of these cars large penalties on per-violation bases. These rules could potentially change the global playfield as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

Advertisements

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling handed down from a regional court in Berlin found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium occurred later that week, on the 16th of February, in which Facebook has been ordered to cease tracking through third party sites. These rulings appear to be continuing a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications regarding the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms and service contracts can be declared invalid under the assumption that a user cannot be expected to fully read and understand the terms, then it could potentially force companies to either find alternative ways of setting terms of use or just encourage companies to shorten them.

The removal of a “real name” clause theoretically removes a convenient user id for select users, possibly requiring Facebook to resort to cross referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure they once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook has already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause runs under the assumption that Facebook haven’t already discovered or designed a more convenient alternative.

The final ruling of interest here regarding the transfer of personal data to the US actually has much stronger implications on the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on their own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated because of the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the data sets, and then send the combined dataset back to Europe. This ruling could remove the ability for companies to circumvent the data protection laws via this method, which would reduce the desire for companies to gather as much niche data.

– S. Carlton

References:

Court Ruling (German):

https://www.vzbv.de/sites/default/files/downloads/2018/02/12/facebook_lg_berlin.pdf

German Court News:

https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI?il=0

https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court

https://www.theguardian.com/technology/2017/oct/26/whatsapp-facebook-eu-data-article-29-working-party-taskforce-sharing-user

Belgian Court News:

https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court

Strava Exposes Military Bases

Like many people today, you probably have a smartphone you carry around with you and among the many useful things it does is tell you your current location using GPS. This can be used to find out how to get to somewhere, keep track of traveled distance, use it for fitness, or some other thing via some app that comes preinstalled or you downloaded from the app store. Such apps tend to have a data collection policy which is often ignored or skimmed over by many people. When you are using the app, do you know whether your data is being collected and do you know how it is being used?

One of such apps, Strava, is used by athletes to keep track of their progress and share it among your friends and community. The way it works is described by Strava as “The way you ‘post’ in this network is by being active. Strava works with your mobile phone or favorite GPS device to track your activities and share your efforts with friends.” Such thing would entail uploading your GPS data, storing, and sharing it with the community. This is fine if you know what you signed up for, but some people are not aware of how the app works and how the data is being used.

Strava has a projects section where they talk about the various analytical aspects of the data they collect and what can be found out by examining it. One of those projects is a global heatmap of all the mapped locations and data of their users. It’s an interesting project, but this and Stravas overall exposure of data does come with some consequences. Such one of these consequences is when Strava recently made headlines as it was found out that it is possible to find and see details of military bases due to soldiers using the app.

Using the heatmap, people have located and shared locations of military bases, in which it can be possible to see the internal layouts of. According to The British daily newspaper, theguardian, locations include and are not limited to US base Camp Lemonnier, US Naval Expeditionary Base, a CIA “black site”, headquarters of GCHQ, in Cheltenham, England, and CIA headquarters in Langley, Virginia. This data is the not the only thing the app exposes. Theguardian, says “The leaderboard for one 600m stretch outside an airbase in Afghanistan, for instance, reveals the full names of more than 50 service members who were stationed there, and the date they ran that stretch.”

Following this scandal, Strava made a statement saying, “We take the safety of our community seriously and are committed to working with military and government officials to address sensitive areas that might appear”, and they also took action by advising military personnel to opt out of  data collection. While militaries have policies prohibiting cellular or wifi, photographic, video capture/recording, microphone, or audio recording capabilities, there are no policies regarding bluetooth and GPS, and no policies regarding uploading such information. As these issues become more apparent, according to theguardian, “militaries around the world are contemplating bans on fitness trackers to prevent future breaches”.

– Alex Baraker

 

Sources:

https://labs.strava.com

https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

https://www.theguardian.com/technology/2018/jan/29/strava-secret-army-base-locations-heatmap-public-users-military-ban

New Rule 41 Allows FBI to Mass Hack

shutterstock_fbi_spy-640x423

An amendment to Rule 41 would allow the FBI to obtain a warrant from any court to hack multiple computers rather than from one with jurisdiction over the target’s location. All the FBI would have to do in order to get the warrant would be to prove the target is obscuring their location.

Therefore, the FBI would theoretically only need one warrant from anywhere in America to hack multiple computers all over the world. This is scary to think about. Tor users should be aware of this.

Some people seem to be not as worried stating that the FBI would still need probable cause. They also point out the logic in that it is hard to get a warrant to hack a computer if you cannot determine the computer’s location.

This will go into effect starting December 1st unless Congress blocks it.

Source: https://news.bitcoin.com/update-bitcoiners-use-tor-warned

– jar311

Government vs Corporations: The Battle of Security and Privacy

After Edward Snowden released information that the NSA was tapping into private companies servers and getting their information without their knowledge, corporations have made promises to customers and buffed up security on their servers immensely. Higher levels of encryption, no backdoors, and buffing up servers make it much harder for hackers to break into your sensitive information, but it also keeps the government out.

The United States is currently in or contemplating legal battles with large tech companies such as Apple, Google, and Microsoft to compel them to give them information, break encryptions, or leave them a way in to look at the data themselves. Specifically with Microsoft, the company refuses to hand over data to the government without an Irish warrant because the servers the data is stored in are in Dublin.  Companies aren’t willing to cooperate with the government on this because of the promises they made to their customers and the huge security breaches it could cause leaving possible holes for hackers to steal or tamper with data.

The UK is facing a similar issue where their MI5 is looking for more power from Parliament to keep up with technological advances, and Andrew Parker, Director General of MI5, recently said in an interview that companies have an ethical responsibility to to turn over the information the government wants to them.

Major corporations remain hesitant to readily give over information to the government for fear of backlash from consumers and the fact that the government has not really been truthful with them in the past.  This argument is definitely one that comes down to ethics and we must determine what point we sacrifice too much privacy for the sake of security.  We will have to see what the courts or Congress say on the matter.

Sources:

http://www.nytimes.com/2015/09/08/us/politics/apple-and-other-tech-companies-tangle-with-us-over-access-to-data.html?_r=0

http://www.scmagazine.com/andrew-parker-says-mi5-needs-greater-cyber-security-powers/article/439663/

– Quinn White