Privacy Watch Weekly – 2016-09-09

PIL filed in Court to Ban ‘Pokémon Go’ in India for Hurting Religious Sentiments

Pokémon GO has yet not been officially launched in India, but the location-based augmented reality game has already fueled a privacy debate and request for Ban.

Isn’t that weird?

A Gujarat resident, Alay Anil Dave has recently filed a Public Interest Litigation (PIL) in the Gujarat High Court against Niantic, developers of Pokémon Go, over allegations that the game is hurting religious

Setting up a decoy network may help deflect a hacker’s hits

Computer networks may never float like a butterfly, but information scientists suggest that creating nimble networks that can sense jabs from hackers could help deflect the stinging blows of those attacks.

Oh, It’s On Sale! USB Kill to Destroy any Computer within Seconds

Remember Killer USB stick?

A proof-of-concept USB prototype that was designed by a Russian researcher, Dark Purple, last year, to effectively destroy sensitive components of a computer when plugged in.

Now, someone has actually created the Killer USB stick that destroys almost anything – such as Laptops, PCs, or televisions – it is plugged into.
<!– adsense –>
A Hong Kong-based technology

FRANCE: New rules for processing patient health data

France’s Law for the Modernization of the Health System, adopted earlier this year, applies to all processing of health data for the purpose of evaluating or analyzing medical treatments and preventive actions.

The Law amends the Data Protection Law of 1978, creating a new framework for obtaining authorization to process health data, as well as a new consent requirement.

Requirements for processing interventional and non-interventional human biomedical research data (such as clinical trial data) are not affected by the new law.

New Authorization Procedure

There are four steps to the new authorization procedure:

  1. Processing personal data for research, study or evaluation purposes will require authorization from a new agency, the National Health Data Institute, created by the Law for the Modernization of the Health System.
  2. The request for authorization will be relayed to the new Expert Committee on Health Research, Study and Evaluation, which must within a month issue an opinion on the project methodology, the necessity of processing personal data, the pertinence of such data in light of the purposes of processing, and the scientific value of the project. The Committee replaces the soon to be defunct CCTIRS, Consultative Committee for the Processing of Health Research Data. In conjunction with the Expert Committee opinion, the French Data Protection Authority (the CNIL) or the Health Ministry has the option of petitioning the newly created INDS (National Health Data Institute) for an opinion on the public interest in the research, study, or evaluation that justifies the data processing. Alternatively, INDS can take the initiative to issue an opinion. In all cases, INDS has one month to issue its opinion.
  3. The CNIL must authorize the project, taking into consideration data protection principles and the benefits of the project. In particular, for each authorization request, the CNIL will verify whether the project is consistent with the petitioner’s organizational purpose, the need to process personal data, the security measures deployed, and the guarantees provided in terms of medical secrecy. The CNIL will also determine the appropriate data retention period. For-profit entities – in particular entities that market health products, credit institutions, insurers and reinsurers – must meet additional requirements to obtain an authorization. These entities must demonstrate that their methodology precludes any use of the data for any prohibited purpose. Failing that, these entities must contract with a public or private research laboratory or research center to undertake the data processing. The research laboratory or center must certify compliance with a standard setting forth requirements for confidentiality, expertise, and independence.
  4. If the processing requires access to data in the new National Health Data System, then the petitioner must provide INDS the CNIL’s authorization and a statement of interest related to the purpose of the processing and the project protocol, specifying the means for evaluating the validity and results of the study. The INDS will publish the CNIL authorization, the statement of interests and the results and method.

Several exceptions to the authorization requirement are contemplated, including processing of medical data or therapeutic data used by persons who administer treatment for their sole use, or processing for reimbursement or monitoring by organizations responsible for managing the national health insurance system.

The CNIL may decide to simplify the authorization procedure by issuing standard methodologies and security standards.

These methodologies and standards (including security standards) will be developed by the CNIL with input from the Expert Committee and public and private institutions representing relevant stakeholders. The CNIL followed a similar procedure for establishing a reference methodology for processing clinical trial data (the so-called MR-001), the reference methodology for non-interventional studies of in vitro diagnostic devices (MR-002), and, most recently, a reference methodology for research that does not require explicit or written consent of the patient (MR-003).

The CNIL is also empowered to simplify the authorization procedure by issuing so-called Single Authorizations.

Single Authorizations are one-time authorizations issued by the CNIL. Any controller that complies with the conditions set forth in a Single Authorization can certify its compliance therewith and within a few days obtain an authorization to process data. The CNIL has already adopted, after consultation with ASIP-Santé, a Single Authorization for the processing of health data by secured messaging systems. Other Single Authorizations already issued by the CNIL relate to cancer diagnoses, pharmacovigilance, and temporary use authorizations.

The CNIL can also determine exceptions to the authorization requirement, in particular for aggregated data sets.

New Notice Requirements

Finally, a forthcoming decree will set forth notice requirements to patients regarding the use of their indirectly identifying data for research or evaluation. The CNIL will be issuing an opinion on the decree, which it is hoped will be adopted by the Supreme Administrative Court before the end of the year.

Learn more about these developments by contacting either Jeanne Bossi Malafosse or Carol Umhoefer.

Google Chrome to Label Sensitive HTTP Pages as “Not Secure”

Although over three months remaining, Google has planned a New Year gift for the Internet users, who’re concerned about their privacy and security.

Starting in January of 2017, the world’s most popular web browser Chrome will begin labeling HTTP sites that transmit passwords or ask for credit card details as “Not Secure” — the first step in Google’s plan to discourage the use of sites that

FBI Arrests Two Hackers Who Hacked US Spy Chief, FBI and CIA Director

US authorities have arrested two North Carolina men on charges that they were part of the notorious hacking group “Crackas With Attitude.”

Crackas with Attitude is the group of hackers who allegedly was behind a series of audacious and embarrassing hacks that targeted personal email accounts of senior officials at the CIA, FBI, the White House, Homeland Security Department, and other US

Telecom networks could back up GPS time signals, say experts

Experts involved in the operation of US civilian and military time standards have worked with two companies to identify a practical GPS backup possibility: commercial fiber-optic telecommunications networks.

New SophosLabs research: Cryptomining malware on NAS servers worldwide

sophoslabs-150SophosLabs has just released a research paper on a new way that cybercriminals are distributing malware that makes money by “borrowing” your computer to mine cryptocurrency.

The report by Attila Marosi, Senior Threat Researcher at Sophos, investigates the Mal/Miner-C malware, which criminals are using to mine the cryptocurrency Monero.

In this paper, Marosi examines how Mal/Miner-C quietly infects victims’ computers and communicates with host servers to run mining operations covertly in the background.


Alone, one computer may not make a big impact on cryptocurrency mining, but the criminals aim to infect as many computers as possible with their malware so they can reap the cumulative financial reward from hundreds of thousands of infected computers.

Marosi investigates how NAS devices are used as a distribution server for the Mal/Miner-C malware, and explores the criminals’ mining activities and how much money this racket is potentially worth to them.

Download this new technical paper today to learn about Mal/Miner-C, how it is used to mine cryptocurrencies, and how you can help to stop the crooks.

Filed under: Corporate, SophosLabs Tagged: mal/miner-c, research, seagate, SophosLabs

US rules for targeted killing using drones need clarifying, RAND report asserts

Current US policies on using drones for targeted killing are characterized by ambiguities in interpretations of international law and too many generalities, despite recent efforts by the Obama administration to clarify the policies, a new RAND Corporation report finds.

Warning! This Cross-Platform Malware Can Hack Windows, Linux and OS X Computers

Unlike specially crafted malware specifically developed to take advantage of Windows operating system platform, cyber attackers have started creating cross-platform malware for wider exploitation.

Due to the rise in popularity of Mac OS X and other Windows desktop alternatives, hackers have begun designing cross-platform malware modularly for wide distribution.

Cross-platform malware is

Sophos is a Magic Quadrant Leader in Unified Threat Management for the fifth year running

gartner-magic-quadrant-150We’re excited to announce that the new Gartner Magic Quadrant for Unified Threat Management* is out, and Sophos is positioned in the Leaders Quadrant for the fifth year running.

We continue to be one of only three vendors in the Leaders Quadrant. And we think that says a lot about our standing in the eyes of customers, partners and industry analysts.


The Magic Quadrant is based on an assessment of a company’s ability to execute and completeness of vision.

Our strategy for the mid-market and our channel is clearly working very well as we deliver on our promise to make security simple with unique innovations that make our UTM products easy to deploy, manage and use. As a result, more and more partners and customers are turning to Sophos for their next firewall and UTM. In fact, the momentum in our growth is outstanding – more than triple the industry growth rate.

With the launch of our new and innovative XG Firewall and Synchronized Security we are also delivering on our vision for the future of IT Security where security components work better together to improve protection and respond to incidents. And with more and more IT infrastructure moving to the cloud, our leadership in protecting IaaS further reinforces our ability to anticipate important trends impacting your business and ensure your network is secure everywhere.

As the only IT security company to be positioned as a Leader across both Unified Threat Management* and Endpoint Protection Platforms** – we think our complete security offerings uniquely position us to deliver on the next generation of protection – Synchronized Security.

You can access the Magic Quadrant for Unified Threat Management report here (registration required).

About the Magic Quadrant

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

*Gartner Magic Quadrant for Unified Threat Management, Jeremy D’Hoinne, Adam Hils, Rajpreet Kaur, 30 August 2016
** Gartner Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Eric Ouellet, 1 February 2016

Filed under: Corporate Tagged: Gartner Magic Quadrant, Leaders Quadrant, Magic Quadrant for Endpoint Protection Platforms, Magic Quadrant for Unified Threat Management

Here’s How to Hack Windows/Mac OS X Login Password (When Locked)

A Security researcher has discovered a unique attack method that can be used to steal credentials from a locked computer (but, logged-in) and works on both Windows as well as Mac OS X systems.

In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or

Warning! Just an Image Can Hack Your Android Phone — Patch Now

Own an Android smartphone? Beware, as just an innocuous-looking image on social media or messaging app could compromise your smartphone.

Along with the dangerous Quadrooter vulnerabilities that affected 900 Million devices and other previously disclosed issues, Google has patched a previously-unknown critical bug that could let attackers deliver their hack hidden inside an innocent looking

GERMANY: Bavarian Data Protection Authority issues guidance on GDPR Sanctions

By: Dr. Thomas Jansen and Mari Martin

On September 1, 2016, the Bavarian Data Protection Authority (BayLDA) issued a brief paper outlining the basic principles of the future sanction regime under the European General Data Protection Regulation (GDPR). The document is available at the following link: (German-language only).


The GDPR will become effective on May 25, 2018, after a transition period of two years. European supervisory authorities are currently working to achieve a more uniform view of the new basis and requirements for data protection at the European level. In the meantime, the BayLDA plans to periodically publish papers such as this one on selected topics. The BayLDA explicitly notes that is not a binding interpretation of the regulation.

Amount and Scope of Administrative Violations and Fines Increased

According to the GDPR, administrative fines shall be effective, proportionate and dissuasive. Some infringements are subject to administrative fines of up to 20 million EUR or 4% of the organization’s total annual global turnover.

Further, as explained with reference to the “economic enterprise concept” in the explanatory memorandum of the Treaty on the Functioning of the European Union (recital 150), if the sanctioned entity is part of an “undertaking,” the total annual turnover of the entire undertaking is the relevant amount from which the 4% fine will be deducted, not just the annual turnover of the specific sanctioned entity (i.e. the individual controller or processor). Please see our post of July 26, 2016 titled “EU: GDPR – Group revenues at risk of fines” for more information on the meaning of an “undertaking.”

The GDPR provides for a significantly wider range of offences than does the current German Federal Data Protection Law (BDSG). Under the GDPR, violation of the vast majority of provisions regulating data controllers and processors is subject to a fine. The GDPR provisions regarding administrative fines demonstrate the European Commission’s (EC’s) intention to provide for financial sanctions for data protection infringements and to enable severe sanctions if necessary. Exceptions should exist only for minor infringements and when a fine would be disproportionately burdensome.

The GDPR imposes fines on both controllers and processors. In addition, accredited certification bodies under Article 43 of the GDPR, which are responsible for properly assessing and certifying compliance by data controllers and processors with data protection regulation and organizational codes of conduct, may be subject to administrative fines due to breach of their obligations.

According to the BayLDA, it can be assumed that organizations may be held responsible for violations committed by their employees. However, the GDPR does not regulate the extent to which fines may be imposed on employees themselves. This issue remains unclear.

Fines Imposed for Violations of Technical and Organizational Measures

In an important change from the BDSG, the GDPR provides that violations of the duty to take appropriate and adequate technical and organizational measures to protect personal data are an administrative offense subject to fines. Also significant is the fact that the GDPR sets out fines for violations of the obligation to ensure implementation of the principles of privacy by design and privacy by default. These changes underscore the great value the EC places on the importance of technical and organizational measures and the principles of privacy by design and privacy by default for effective data protection.

Factors Influencing the Amount of Fines

According to the EC, a number of factors must be considered when determining the amount of fines. Previous breaches of data protection law should be considered an aggravating factor. The extent to which the controller or processor cooperated with the supervisory data protection authority should be considered. Further, if the controller or processor gives the supervisory authority incomplete or inaccurate information during the course of an investigation, this should be considered an aggravating factor, as recognized by the European Court of Justice in the field of competition law.

As stated by the EC, the GDPR is intended to lead to a uniform application of sanctions in Europe In the future, the European Data Protection Board may develop relevant guidelines.


All organizations operating as either a data controller or processor in any EU member state should be aware of the significant increase in both the amount and scope of potential fines under the GDPR. In particular, administrative fines under the GDPR may be up to 4% of the total worldwide annual turnover of the preceding financial year in the case of an “undertaking.” Such enhanced financial penalties for data protection violations are intended to prevent organizations from incurring any profit in the event of a data protection breach.

In addition, organizations should carefully note the imposition of fines due to violations regarding technical and organizational measures and the principles of privacy by design and privacy by default. Organizations should ensure that that appropriate technical and organizational measures are in place and that they have appropriately implemented the principles of privacy by design and privacy by default before the GDPR becomes effective in 2018.

If you would like to discuss how we can help your organisation, please get in touch with your usual DLA Piper contact or email us at

For further information on the GDPR please visit our dedicated GDPR microsite.


Russia’s Largest Portal HACKED; Nearly 100 Million Plaintext Passwords Leaked

Another data breach from 2012, and this time, it’s Russia’s biggest internet portal and email provider, also known as Russia’s Yahoo, suffered a massive data breach in 2012 in which an unknown hacker or a group of hackers managed to steal nearly 100 Million user accounts, including their unencrypted plaintext passwords.
<!– adsense –>
The copy of the hacked database

This Malware Can Transfer Data via USB Emissions from Air-Gapped Computers

Air-gapped computers that are isolated from the Internet or other networks and believed to be the most secure computers on the planet have become a regular target in recent years.

A team of researchers from Ben-Gurion University in Israel has discovered a way to extract sensitive information from air-gapped computers – this time using radio frequency transmissions from USB connectors without

Dutch Police Seize Two VPN Servers, But Without Explaining… Why?

Recently, two European countries, France and Germany, have declared war against encryption with an objective to force major technology companies to built encryption backdoors in their secure messaging services.

However, another neighborhood country, Netherlands, is proactively taking down cyber criminals, but do you know how?

Dutch Police has seized two servers belonging to Virtual Private

Hacker Who Hacked Official Linux Kernel Website Arrested in Florida

Around five years after unknown hackers gained unauthorized access to multiple servers used to maintain and distribute the Linux operating system kernel, police have arrested a South Florida computer programmer for carrying out the attack.

Donald Ryan Austin, a 27-year-old programmer from of El Portal, Florida, was charged Thursday with hacking servers belonging to the Linux Kernel


Comments are closed