Privacy Watch Weekly – 2016-09-23

Cheers to ‘jail’ homes, jeers to growth law

Elected officials are not allowed to violate development rules and reject private property rights based on popular opinion. That would be costly — very …

Apple Weakens iOS 10 Backup Encryption; Now Can Be Cracked 2,500 Times Faster

After the iPhone encryption battle between Apple and the FBI, Apple was inspired to work toward making future iPhones unhackable by implementing stronger security measures that even the company can’t hack.

At that point the company even hired one of the key developers of Signal — one of the world’s most secure, encrypted messaging apps — for its core security team to achieve this goal.

But it

Watch now – Sophos Intercept X in two minutes!

Today’s cybercriminals are more sophisticated than ever, and next-generation attacks call for next-generation solutions.

Launched last week, Sophos Intercept X is a completely new approach to endpoint security.

It features signatureless anti-exploit, anti-ransomware and anti-hacker technology that includes visual root-cause analysis and advanced malware cleanup – all managed via the Sophos Central Admin console.

No other solution on the market offers so many features in a single package.

Want to know more? Watch our video!

If you’re interested in learning more about Intercept X, as well as seeing a live demo of the product, please sign up for our webinar on 4 October at 2.00pm-3.00pm EDT.

If you’d like to try the product yourself, you can sign up for a free trial of Intercept X here.


Local water utility provider petitions Commissioners Court to follow the law

… were both appointed by the court, and have the court appoint representatives who agree to protect private property rights in Montgomery County.

BELGIUM: Belgian Privacy Commission issues a 13 step plan for companies preparing for GDPR compliance

By Patrick Van Eecke, Charlotte Suffys and Senne Mennes

Following guidance published by fellow national DPAs, the Belgian Privacy Commission launched a 13 step GDPR-readiness roadmap to help companies that process personal data start preparing themselves.

The Privacy Commission will also create a GDPR-themed section on its website where data controllers and processors can consult additional guidelines, instruments and frequently asked questions.

The 13 steps forming the roadmap for ensuring GDPR compliance by 25 May 2018 are:

1. Raising awareness

Inform key figures and policymakers on upcoming changes. They will have to assess the impact of the GDPR for the organisation.

2. Data mapping

Document which personal data you manage, where it comes from and with whom it has been shared. Map your data processing activities. You may potentially have to organize an information audit.

3. Communication

Evaluate your existing privacy policy and plan necessary changes in view of the GDPR.

4. Rights of the data subject

Verify whether the current procedures within your organisation provide all the rights granted by the GDPR to the data subject. Check how personal data can be erased or how personal data will be communicated electronically.

5. Access requests

Update your existing access procedures and think about how you will process future access requests under the new GDPR terms.

6. Legal basis for processing personal data

Document the various types of data processing by your organisation and identify the legal basis for each of them.

7. Consent

Evaluate your way of requesting, obtaining and registering consent. Modify where necessary.

8. Minors

Develop systems to verify the age of the individual concerned and request parental or custodial consent when processing personal data of minors.

9. Data breaches

Foresee adequate procedures to detect, report and investigate personal data breaches.

10. Privacy by design and privacy impact assessment

Get acquainted with terms such as “privacy by design” and “privacy impact assessment” and verify how you can implement these concepts in your organisation’s day to day operations.

11. Data protection officer

If necessary, appoint a data protection officer or someone responsible for ensuring compliance with data protection laws. Evaluate how this person will function within the management of your organisation.

12. International

Determine who is your supervisory data protection authority if your organisation is active in multiple jurisdictions.

13. Existing contracts

Evaluate your existing contracts – mainly with processors and subcontractors – and adopt the necessary changes in a timely manner.

Please feel free to contact Patrick Van Eecke to learn more about how you can prepare your organisation in Belgium for GDPR compliance.

Water Rights in Goleta

… now spent millions of dollars at the expense of their ratepayers in an attempt to use the courts to usurp Slippery Rock Ranch's private property rights.

Critical DoS Flaw found in OpenSSL — How It Works

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks.

OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well

Leaked NSA Hacking Tools Were ‘Mistakenly’ Left By An Agent On A Remote Server

If you are a hacker, you might have enjoyed the NSA’s private zero-day exploits, malware and hacking tools that were leaked last month.

But the question is: How did these hacking tools end up in the hands of hackers?

It has been found that the NSA itself was not directly hacked, but a former NSA employee carelessly left those hacking tools on a remote server three years ago after an

Yahoo Confirms 500 Million Accounts Were Hacked by ‘State Sponsored’ Hackers

500 million accounts — that’s half a billion users!

That’s how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what was believed to be a “state sponsored” hacking group.
Over a month ago, a hacker was found to be selling login information related to 200 million Yahoo accounts on the Dark Web, although Yahoo acknowledged that the breach was

iPhone 7 Jailbreak Has Already Been Achieved In Just 24 Hours!

It has only been a few days since the launch of Apple’s brand new iPhone 7 and iPhone 7 Plus, but it appears that the new iPhone has already been jailbroken.

That didn’t take long. Right?
Security researcher and well-known hacker Luca Tedesco shared an image of his jailbroken smartphone on his Twitter account to show the world that the new iPhone 7 has been jailbroken.

How fit is your gadget? Putting web-connected health/wellness devices through their privacy paces

Smart TVs . . . Fitness trackers . . . Automated thermostats . . . Self-driving cars . . .

The Internet of Things is the next frontier in digital technology, which is why the Global Privacy Enforcement Network focused its 2016 Privacy Sweep on this emerging market. Sweep participants were especially interested in how companies communicate their personal information handling practices.

Given the sensitivity of the information that health and wellness devices, as well as their associated apps and websites, are capable of collecting, the Office of the Privacy Commissioner of Canada (OPC) focused its Sweep on 21 devices ranging from smart scales, blood pressure monitors and fitness trackers, to sleep and heart rate monitors, a smart breathalyzer and a web-connected fitness shirt.

The choice of devices dovetails with one of our four strategic privacy priorities—the body as information. Identified as an important area of focus during a priority-setting exercise that culminated in May 2015, the body as information refers to the mounting privacy concerns related to highly sensitive health, genetic and biometric information that is being used by organizations and governments in all sorts of new ways.

During the Sweep, our Sweepers—aka OPC staff—put the products to use to see first-hand what information the devices requested, compared to what privacy communications said would be collected. In some cases, they followed up with specific privacy questions for the companies.

Below is a brief assessment of how the devices stacked up.

Note: the Global Privacy Sweep is not a formal investigation. We did not seek to conclusively identify compliance issues or possible violations of privacy legislation. This was not an assessment of a device’s overall privacy practices, nor was it an in-depth analysis of device design or functionality.

We sought to recreate the user experience and for the purposes of this blog, we compared and contrasted certain features observed by our Sweepers—namely those they found particularly fit, with those they felt could benefit from some rehab. We learned a lot and hope these concrete examples will help device makers, as well as Canadians, better understand our conclusions.

We’ve also offered some takeaways for companies and consumers. The purpose is to provide some basic tips on how to improve privacy communications from a user’s perspective. These takeaways should not be viewed as legal advice or a substitute for any legal requirements under applicable privacy legislation. Organizations that would like more information on their legal obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, may wish to have a look at our Privacy Toolkit.

Location, location, location!

Why do so many devices want to know where you are at any given time? Sure, it might make sense for a fitness tracker that needs to follow your route to calculate your distance travelled. But a blood pressure monitor or thermometer?

The QardioArm blood pressure monitor seeks access to location when the user creates an account and provides the following explanation which seemed a bit odd to our Sweeper.


Then again, it might be interesting to check whether a visit to the in-laws does indeed thrust the ticker into overdrive.

The Kinsa thermometer also gives users the option to enable location tracking and provides a couple of reasons for it.

In a follow-up email to our Sweeper, the company explained that access to location helps users find groups of other Kinsa users. Presumably to swap riveting tales of temperature readings?

The Privacy Policy also offered an interesting use for location data:


I suppose it might be nice to know if there’s a strep throat outbreak before everybody starts double dipping the guacamole at your next party.

Takeaway for companies: Besides location, users also want to know why you need to collect certain information such as full date of birth, height, weight and why you require access to such things as one’s photos and contact list. Provide the purposes for the collection up front and you’ll avoid leaving users guessing. For something as sensitive as location tracking, Sweepers were pleased that many devices gave users the option to turn it on or off.

Takeaway for consumers: Just because a device or associated app asks for data, doesn’t mean you’re required to turn it over. Many data points are optional and users should be prudent before handing over information. Make sure you understand and agree with the intended use of your personal information.

Checking out?

Had enough health tracking for one lifetime? Time to resume your position on the couch with a bag of chips? Deleting your account may not be so simple.

Despite technological advances that allow users to share data electronically with doctors and relatives, the Everlast Health blood pressure monitor relies on snail mail to fulfil requests for data deletion. Seriously?


By contrast, the Jawbone UP3 wireless activity, sleep and heart rate tracker offers what appears to be a comprehensive series of instructions for deleting data, whether it’s specific readings or all personal data on the company’s servers and beyond, including that collected by its partners.



Unfortunately, despite all these seemingly quick click mechanisms for deleting data, our Sweeper noted his account was still active and personal information was still accessible two months later, despite following up with the company’s customer service department to confirm deletion.

Takeaway for companies: There’s no need to make things difficult for customers who wish to delete their data. As technological innovators, we are confident in your ability to come up with a simple and quick way for people to delete account information that does not require more than a few clicks of a mouse. Simplicity is a great way to build trust and credibility with your customers.

Takeaway for consumers: Know what you’re getting into before diving in. Before providing personal information, make a point of finding out what’s going to happen to it and whether you can erase it later if you so desire. If you’re not sure, contact the company for more information. Most organizations are sensitive to consumer concerns about privacy. Let them know if something doesn’t feel right. Positive changes to the general policies or practices of an organization are more likely when people speak up.

Three (or more’s) a crowd

Transactions in the online world are never black and white. From marketing, to analytics, to scientific research, behind seemingly every company you think you’re dealing with is a myriad of third parties potentially getting access to your data for one reason or another.

The QardioArm wireless blood pressure monitor offers a crystal clear explanation of who it won’t share your information with, such as advertisers and marketers, data brokers and information resellers. To our Sweeper’s delight, there’s an added caveat that nothing will be shared without the user’s express (opt-in) consent.

Meanwhile, the BACtrack Mobile breathalyzer device gives users the option to store blood-alcohol level readings and sets its default to not keep this data on file, which is great. But if you decide to create an account and keep a record of your readings, your data, including your readings as well as your location, notes, photographs, gender, weight and other data will be stored and may be shared with third parties, including the media. BACtrack warns in the printed Privacy Policy that comes with the device that “although we will not associate your name with such data, your identity may be determined by the other data available.”

Curiously, we did not find this same clause in the online version of the privacy or terms of use policies.

Takeaway for companies: Consumers want to know who their personal information is being shared with and for what purposes. Ideally, companies should provide details about what information is being shared and with whom. For example, is it being shared for marketing, research or operational purposes?

Takeaway for consumers: Read and make sure that you are comfortable with the use and sharing practices of a company you are dealing with. Remember, many companies will not only sell you a device, they may sell your data as well. Note, however, that you do not have to agree to all a company’s requests to share your data. Certain requests to disclose, such as for marketing purposes, should not necessarily be a condition for using a device. Also know that devices may connect to existing social media platforms or offer their own social media features that allow you to share data publicly. Think twice. Once information is out there, it may be impossible to get back. Think of the impact certain comments or images could have on your reputation or the reputation of others. What might seem like a good idea in the moment, might not in the days, weeks, months or years ahead.

Details please

Sweepers were certainly conscious of the sensitive nature of health data and were protective of it. While they understood that providing too much information about safeguards could compromise a company’s security, they felt some detail was important.

The Garmin Vivosmart HR fitness tracker monitor offers users a pretty detailed explanation of its security controls under the heading “Keeping Data Safe at Garmin” and encourages users to report any security or vulnerability issues they might encounter.

The company also explained its use of encryption, but our Sweeper was left wondering whether it only applied to financial data and if health information is also encrypted.


Meanwhile, the Fitbit Charge HR fitness tracker offered a single vague line about safeguards in its privacy policy and invited users to contact the company for details:


A follow-up email to the company yielded a slightly more detailed explanation that included some information about its use of encryption, but it mostly just “rest assured” us that its products were “designed with security in mind.”

Takeaway for companies: Sweepers noted a number of vague statements about the use of safeguards, with organizations reassuring users that their information is safe. Ensure you have the necessary robust safeguards in place, commensurate with the sensitivity of the personal information you have collected.

Takeaway for consumers: If, after reading about what safeguards a company has employed to protect your personal information, things still aren’t clear or you have questions, ask. If you believe your data has been compromised, raise your concerns with the company. If you are not satisfied with the results, you have a right to file a formal complaint about organizations subject to PIPEDA with our Office.

Get to the point

Ever purchase a product only to wonder whether the company realizes they’ve provided the wrong privacy communications? Generic privacy policies that read as though they were written for another product are frustrating and unhelpful. But it doesn’t have to be this way.

The Razer Nabu fitness tracker provides a great example of just-in-time notification—a practice that provides valuable information to users about how their data is going to be used at the very moment they are asked to provide it.


The iMazeFitness HR strap, on the other hand, offered a link to a privacy policy that seemed completely unrelated to the device or company in question. On top of that, after our Sweepers were desperately looking for some form of relevant privacy communications for iMaze, they were disappointed to find a placeholder inserted at the bottom of a profile page that said: “insert customer data privacy clause here.” How embarrassing!


Takeaway for companies: Privacy communications that are specific to the device in question are far more useful than generic policies that will simply leave your customers scratching their heads. Just-in-time notifications provided on the device at the moment data is sought is a best practice worth considering. Finally, do your due diligence. Generic templates and unfilled placeholders are embarrassing and do little to engender trust and credibility with customers.

Takeaway for consumers: If the privacy communications do not match your experience using the product, let the company know. As mentioned before, companies tend to be responsive to consumers when they express concerns about privacy. A testament to this statement is the fact that 19 of the 21 companies we wrote to with follow-up questions got back to us in a timely fashion. We were satisfied with the responses from two-thirds of them. It’s a start!

How the new privacy portability right will change your industry

The new privacy data portability right gives individuals full control over their personal data, which represents both an opportunity and a risk for companies.


What is the privacy data portability right?

The EU Privacy Regulation provides that

the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent [—] or on a contract [—]; and (b) the processing is carried out by automated means.

Also, the regulation adds that “the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.”

Considering that nowadays most data is processed by automated means, the scope of this new right is massive. The regulation does not oblige data controllers to make their systems technically compatible with any other system. But when systems are not compatible, data shall in any case be handed over to individuals so that they can transmit it to their new supplier.

The purpose of the right is to grant individuals more freedom of choice when selecting their service providers, making it easier to switch to a new supplier.

What is the impact on your industry?

With technological development leading to services that are exponentially customised on the users’ profile, the portability right enables individuals to “transfer” their profile from one supplier to another.

This might have considerable effects, among others, in the following sectors:

  • Insurance -> as of today, individuals are “ranked” on the basis of their previous insurance history, and the ranking is necessary to determine the insurance premium. If an individual switches to a new provider, such individual will be obliged to pass on to his new insurer only a certificate testifying his “classification”. On the contrary, the portability right will allow the transfer of the whole profile of the individual, which might be considerably detailed as a consequence of the development of insurance telematics and might also contain useful information/trade secrets on what type of data is collected by the insurer;
  • Online/e-commerce/online gaming -> cookies, footprinting and other similar technologies make it possible to create a detailed profile of online customers, which contains not only the history of their purchases but a full profile of their preferences. Under the new Privacy Regulation, individuals might require the transfer of such a profile to their new favourite e-commerce platform or online gaming operator, which also in this case would oblige the operator to be fully transparent on the data collected in relation to its users;
  • Research and clinical trials -> individuals who are enrolled in such projects and want their data to be used for a new project on the same topic might require the hospitals involved in the first clinical trial to pass on the data to those running the new one. This practice might lead to abuses, as the “migration” of data might enable the new hospital to take advantage of the activities previously performed;
  • Internet of Things technologies -> if we consider connected cars or eHealth devices, users might decide to transfer their profile when they buy a new car so that it is already customised to their size and preferences. Likewise, the whole health-related data of an individual could be transferred from one eHealth provider to another;
  • Cloud platforms -> most data is now stored in cloud platforms and, after years of using the same provider, users might find a disincentive in switching to a new supplier. However, the data portability right makes the competitive advantage of consolidated cloud providers much weaker.

Is this right a potential source of anti-competitive conducts?

A major issue with portability relates to the potential disclosure of trade secrets and confidential information by means of the transmission of “portable” data.

Likewise, the exercise of the portability right might also impact the intellectual property rights of the data controller. Indeed, a supplier might acquire considerable contents of the database of one of its competitors just by giving customers incentives to exercise their portability right. As a consequence, it cannot be excluded that the exercise of the portability right might lead to unfair competition conduct.

Therefore the issue is whether the above rights could represent a limit to the exercise of the portability right, or whether it will be up to businesses to allow its exercise in a manner that avoids the breach of their rights.

What to do to minimise negative effects and be ready?

There is no doubt that the portability right might lead to considerable costs for data controllers, and the Privacy Regulation is silent on the possibility of charging any fee to individuals exercising their portability right. But the possibility of charging a reasonable fee is mentioned with reference to the exercise of the access right, of which the portability right might be considered an extension.

In order to be ready for such right, data controllers shall, among others,

  1. adopt procedures in order to deal with portability right requests;
  2. have a standard process that enables the transmission of data to the new supplier;
  3. adopt measures that allow the removal of confidential information/trade secrets from communicated data; and
  4. have systems that monitor the amount and types of portability right requests to limit the risks of abuses by competitors.



Beware — Someone is dropping Malware-infected USB Sticks into People’s Letterbox

Hey! Wait! Wait! Wait!

Don’t plug that USB stick into your laptop. It could infect your computer with malware and viruses.

Australia’s Victoria Police Force has issued a warning regarding unmarked USB flash drives containing harmful malware being dropped inside random people’s letterboxes in the Melbourne suburb of Pakenham.

It seems to be one of the latest tactics of cyber criminals to

Sophos XG Firewall is coming to Microsoft Azure

We are excited to announce that Sophos XG Firewall is coming to Microsoft Azure in October.

Sophos XG Firewall is a next-generation firewall that deploys as an all-in-one solution. It combines advanced networking with protections such as Intrusion Prevention (IPS) and Web Application Firewall (WAF), as well as user and application controls.

Sophos XG Firewall is designed to help you protect your Azure-based workloads against advanced threats.

XG Firewall is available as a preconfigured virtual machine within the Azure Marketplace. You can use Azure Resource Manager templates to speed deployment, or customize the configuration to meet the specific needs of your environment.

You can choose between two pricing plans – pay-as-you go, and bring-your-own-license (BYOL). Pay-as-you-go allows you to pay only for what you use, while BYOL allows you to use your existing investment in XG Firewall.

If you’re interested in learning more, you can read all about Sophos XG on Microsoft Azure here.

We’ll also be at the Microsoft Ignite conference from 26-30 September. If you’re at the event, please stop by and say hi to us at booth #2031!


Warning — You Can’t Install Linux On Microsoft Signature Edition PCs from Lenovo

In the past few months, Microsoft opened the source code of a lot of its projects, convincing people that the company loves Linux.

But a new report shows that Microsoft is not really a big supporter of Linux.

Microsoft has banned Linux on some Windows 10 powered Signature Edition PCs, which provide the cleanest Windows experience on the market.
Signature Edition PCs are

Hey, Poker Face — This Wi-Fi Router Can Read Your Emotions

Are you good at hiding your feelings?

No issues, your Wi-Fi router may soon be able to tell how you feel, even if you have a good poker face.

A team of researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have developed a device that can measure human inner emotional states using wireless signals.

Dubbed EQ-Radio, the new device measures heartbeat, and

Photos On Dark Web Reveal Geo-locations Of 229 Drug Dealers — Here’s How

It’s a Fact! No matter how smart the criminals are, they always leave some trace behind.

Two Harvard students have unmasked around 229 drug and weapon dealers with the help of pictures taken by criminals and used in advertisements placed on dark web markets.

Do you know each image contains a range of additional hidden data stored within it that can be a treasure to the investigators fighting

HONG KONG – Hong Kong’s Privacy Commissioner addresses privacy compliance and best practice for BYOD

Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the “HKAB Guidelines”), the trend towards Bring Your Own Device (“BYOD”) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the “Information Leaflet”), which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the “Ordinance”) and the Data Protection Principles (“DPPs”).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation’s data is stored on the personal devices or within a “sandbox”. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.

Hackers take Remote Control of Tesla’s Brakes and Door locks from 12 Miles Away

The next time you find yourself behind the wheel, make sure your car is actually under your control.

Hackers can remotely hijack your car and even control its brakes from 12 miles away.

Car hacking is a hot topic.

Today, many automobile companies offer vehicles with the majority of functions electronically controlled, from instrument cluster to steering, brakes, and

Cisco finds new Zero-Day Exploit linked to NSA Hackers

Network equipment vendor Cisco is finally warning its customers of another zero-day vulnerability the company discovered in the trove of NSA’s hacking exploits and implants leaked by the group calling itself “The Shadow Brokers.”

Last month, the Shadow Brokers published firewall exploits, implants, and hacking tools allegedly stolen from the NSA’s Equation Group, which was designed to target

The kids are alright: Children’s Privacy Sweep yields positive changes

So whatever happened with that Children’s Privacy Sweep, you ask?

Before we delve into the results of the 2016 Internet of Things Sweep—look out for them very soon—we thought we should update you on the outcome of our discussions with developers behind the mobile applications (apps) and websites we raised concerns about in a blog post and/or letters issued last fall.

As you may remember, the Office of the Privacy Commissioner of Canada assessed the privacy practices of 172 mobile apps and websites either targeted directly at children, or considered popular among them as part of the Global Privacy Enforcement Network’s annual Privacy Sweep.

We raised concerns about the sheer volume of personal information being collected from children, including sensitive data such as photos, videos and location. We found many companies failed to provide adequate protective controls to limit collection and often provided links redirecting children to other sites with different privacy protection practices and sometimes questionable content.

We pointed to a number of best practices and areas for improvement and ultimately wrote to 13 targeted apps and websites and 16 popular ones to explain our concerns in a bid to effect positive change. We heard back from eight of those targeted at children while just four popular sites got back to us.

Of those targeted at children, three elaborated on their privacy practices and clarified that they were either not collecting information as described in their privacy communications or that they did indeed have parental controls.

Five targeted sites said they’d made positive changes as a result of our letter and their subsequent review of their privacy practices. is a prime example. The website belonging to the specialty TV channel raised concerns around collecting the full name, age, postal code, phone number and email address of children who sign up for a contest.

The company says it’s since stopped collecting the information from children and will instead ask for the parent or guardian’s particulars. The company said it would delete the information 120 days after the close of a contest.


In response to our concerns that kids could be redirected to third-party sites with inadequate warning, the company has addressed that with a child-friendly drop-down message that’s hard to miss.


Meanwhile, we didn’t even have to send a letter to one company that proactively made positive changes after seeing our blog post. originally made our naughty list for urging kids to hand over their full name and email address in order to receive contest details and other marketing materials. The company has since revised its site to make it clear that this section is for adults.

[Screenshots: the site before and after the change]

Unfortunately, three targeted companies didn’t respond and two letters were returned to us unread.

But while the response rate for targeted apps and websites was a respectable 83 per cent, the same cannot be said for those sites that are considered popular among children, but are geared to all ages.

Only four of the 16 popular apps and websites we wrote to responded. Bell Media, which is responsible for, was among the few that gave us something to sing about.

After we raised concerns, the company wrote back indicating they’d made a number of changes.

Bell added a check box to ensure underage users seek parental consent and reviewed existing profiles, deleting those of users under the age of 13 and those with incomplete date of birth information.


The company also added language explaining that usernames should not be real names and links to its Privacy Policy on all pages in which personal information was sought. The company is also now offering users a simple way to delete their profile.


FIFA also got back to us with a plan to review its digital platforms and what information is being collected by next year. As you might remember, our Sweeper was able to post publicly his age and location despite a note in the Terms of Service that the site was moderated. We also had concerns at the time about language in its Terms of Service that put the onus on parents to supervise children on the site.

Pending the completion of its review, the company says it will block access to its FIFA Club to users under the age of 18.

Websites and apps cannot abdicate responsibility for children who are obvious users just because they are geared at a general audience. Developers should know their users and if children are among them, there is an expectation that developers will take responsibility for protecting their privacy.

We urge developers to find innovative and technical solutions to protect children’s privacy on their sites and apps. These efforts could include the use of protective controls such as moderated chat and message boards to prevent the inadvertent sharing of personal information and the use of parental dashboards.

We also expect developers, which may be subject to privacy laws, to provide a proper means for deleting an account to ensure personal information is not retained indefinitely.

While we haven’t re-swept all the sites, we have noticed that some made changes quietly and we appreciate those efforts. We remain confident that public education and outreach can lead to positive change.

Stay tuned for the results of the 2016 Internet of Things Privacy Sweep in the days ahead!

Firefox Browser vulnerable to Man-in-the-Middle Attack

A critical vulnerability resides in the fully patched version of Mozilla’s Firefox browser that could allow well-resourced attackers to launch man-in-the-middle (MITM) impersonation attacks, and it also affects the Tor anonymity network.

The Tor Project patched the issue in the browser’s HTTPS certificate pinning system on Friday with the release of its Tor Browser version 6.0.5, while

The right to be forgotten and the role of the Companies Registry

On 8 September 2016, Advocate General Bot released his opinion on “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni”, C-398/15 (“Manni Case”). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.


The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), even though the company had been liquidated. Mr Manni claimed that third-party access to this data jeopardized certain sales of real estate, and accordingly requested the Companies Registry to anonymize his data or restrict access to the Registry. The Chamber of Commerce objected that the Companies Registry is a public database with a specific obligation to provide companies’ main information to everyone (upon specific request). The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should after a certain time be erased, or anonymized, or restricted to a limited number of third parties.

The Advocate General’s Conclusions

According to the Advocate General, all of the Companies Registry’s data should be made available with no restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a limited set of information and documents, including general details of the legal representatives.

The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation from a (fundamental) data protection right should be limited to what is strictly necessary, the Advocate General stressed that allowing a public Companies Registry to keep track of the whole life of a company (even when such company no longer exists) would not be disproportionate, also considering that the information is very limited (i.e. the name of the individuals that had the power to represent the company) and that certain rights may be exercised even after the company has ceased to operate (for instance for actions against the liquidators, etc.). The Registry does not play a limited statistical role; it safeguards legal certainty as a means to encourage market transactions, also through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which it is necessary to cancel certain information, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymized, as this would otherwise add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of uneven decisions from the various public Registries.

The Right to be Forgotten is not Absolute

The Advocate General’s analysis echoes the ruling of the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced with other fundamental rights, such as freedom of expression or – like in the Manni Case – interests of third parties to gain information on particular persons that held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensitivity for the individual’s private life as well as the interest of the public in having access to that information and the role played by the data subject.

In this case, the essence is that a Companies Registry is not a broadly disseminated newspaper or a social media platform, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by entering a specific enquiry with the Companies Registry, it is possible to gather the information that a certain individual was the sole administrator of a bankrupt company, and this information may, from the perspective of a potential buyer, be a determining factor in completing a certain purchase. However, the fact that a public Registry associates a certain person holding a specific office with a company that was declared bankrupt is not per se derogatory for such person. A bankruptcy may be due to many factors, including some external market trends.

Although the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would stand also taking into account the right to be forgotten as devised by Article 17 of the European General Data Protection Regulation, which among other things also confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.

For further information on this opinion, see also here from Cristina Ulessi. It will no doubt be very interesting to review the ECJ’s final position.




British Court rules Hacktivist ‘Lauri Love’ can be extradited to USA

British citizen and alleged hacker Lauri Love will be extradited to the United States to face allegations of hacking into United States government computer systems, a UK judge ruled on Friday.

Love, 31, is currently facing up to 99 years in prison for allegedly hacking into the FBI, the US Army, the US Missile Defence Agency, the National Aeronautics and Space Administration (NASA), and New

