EDRi | EU | EDRi-gram newsletter - Number 11.22, 20 November 2013 -
Mark Greisiger (NetDiligence) | Cyber liability & data breach insurance claims - A study of actual claim payouts [PDF] -
From the Introduction:
"For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss and the business sector in which the incident occurred. For the first time, this year we also looked at the size of the affected organization. We then looked at the costs associated with Crisis Services (forensics, notification, credit monitoring, and legal counsel), Legal (defense and settlement), and Fines (PCI & regulatory). This report summarizes our findings for a sampling of 145 data breach insurance claims, 140 of which involved the exposure of sensitive data in a variety of sectors, including government, healthcare, hospitality, financial services, professional services, retail and many more."
Dan Goodin (Ars Technica) | Meet "badBIOS," the mysterious Mac and PC malware that jumps airgaps -
From the article:
"Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours."
See the comments on this story here, here and here.
Vincent Rijmen, Daniel de Cock, and Nigel P. Smart (ENISA) | EU | Recommended cryptographic measures - Securing personal data [PDF linked from this page] -
From the Executive Summary:
"This document addresses the protection measures applied to safeguard sensitive and/or personal data, which has been acquired legitimately by a data controller. In this respect it discusses how information technology users, who have a basic knowledge of information security, can employ cryptographic techniques to protect personal data. Finally, it addresses the need for a minimum level of requirements for cryptography across European Union (EU) Member States (MSs) in their effort to protect personal and/or sensitive data."
Rachel Levinson-Waldman (Brennan Center for Justice) | US | What the government does with Americans' data [PDF linked from this page] -
From ‘I. Introduction’:
"The attacks of September 11, 2001, and the intelligence failures preceding them, sparked a call for greater government access to information. Across a range of laws and policies, the level of suspicion required before law enforcement and intelligence agencies could collect information about U.S. persons was lowered, in some cases to zero. […] The result is not merely the collection of large amounts of information, but a presumptive increase in the quantity of information that reflects wholly innocuous, and in some cases constitutionally protected, activity. Other publications, including reports issued by the Brennan Center, have addressed whether lowering the threshold for suspicion to collect information poses an undue risk to civil liberties. This report addresses a separate question: Regardless of whether the expansion of the government’s domestic information collection activity can be expected to yield enough additional ‘hits’ to justify its various costs, how do federal agencies deal with the apparent ‘misses’ - the stores of information about Americans that are swept up under these newly expanded authorities and that do not indicate criminal or terrorist behavior?"
Viviane Reding (European Commission) | EU | Towards a more dynamic transatlantic area of growth and investment -
From the speech:
"The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs. But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data. This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society. This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable."
Robert Gellman and Pam Dixon (World Privacy Forum) | US | Data brokers and the federal government - A new front in the battle for privacy opens [PDF linked from this page] -
From ‘Background of Report’:
"This report focuses on government use of commercial data brokers, the implications for that usage, and what needs to be done to address privacy problems. The government must bring itself fully to heel in the area of privacy. If it is going to outsource its data needs to commercial data brokers, it needs to attach the privacy standards it would have been held to if it had collected the data itself. Outsourcing is not an excuse for evading privacy obligations. This report discusses new Office of Management and Budget (OMB) guidance for an initiative (Do Not Pay Initiative) that on one hand provides for expanded use of commercial data brokers by federal agencies and on the other it establishes new privacy standards for the databases used in the Initiative. Although incomplete, its extension of privacy standards to commercial databases purchased by the federal government is groundbreaking. As such, this report recommends that OMB should expand its new guidance to cover all government data purchases, bartering, and exchanges from commercial data brokers and databases containing personal information. The problems created by unregulated government use of commercial data sources need to be seen clearly and addressed directly."
Evgeny Morozov (MIT Technology Review) | The real privacy problem -
From the article:
"Few of us have had moral pangs about data-sharing schemes, but that could change. Before the environment became a global concern, few of us thought twice about taking public transport if we could drive. Before ethical consumption became a global concern, no one would have paid more for coffee that tasted the same but promised ‘fair trade.’ Consider a cheap T-shirt you see in a store. It might be perfectly legal to buy it, but after decades of hard work by activist groups, a ‘Made in Bangladesh’ label makes us think twice about doing so. Perhaps we fear that it was made by children or exploited adults. Or, having thought about it, maybe we actually do want to buy the T-shirt because we hope it might support the work of a child who would otherwise be forced into prostitution. What is the right thing to do here? We don’t know - so we do some research. Such scrutiny can’t apply to everything we buy, or we’d never leave the store. But exchanges of information - the oxygen of democratic life - should fall into the category of ‘Apply more thought, not less.’ It’s not something to be delegated to an ‘electronic butler’ - not if we don’t want to cleanse our life of its political dimension."
Future of Privacy Forum | US | Mobile location analytics code of conduct [PDF] -
"Mobile Location Analytics (MLA) provides technological solutions for Retailers by developing aggregate reports used to reduce waiting times at check-out, to optimize store layouts and to understand consumer shopping patterns. The reports are generated by recognizing the Wi-Fi or Bluetooth MAC addresses of cellphones as they interact with store Wi-Fi networks. Given the potential benefits that Mobile Location Analytics may provide to businesses and consumers, it is important that these practices are subject to privacy controls and are used responsibly to improve the consumer shopping experience. This Code puts such data protection standards in place by requiring transparency and choice for Mobile Location Analytics."
See also the comments by EFF and Sophos.
Nigel P. Smart, Vincent Rijmen, Bogdan Warinschi and Gaven Watson (ENISA) | EU | Algorithms, key sizes and parameters report - 2013 recommendations [PDF linked from this page] -
From the overview page:
"This document collates a series of recommendations for algorithms, keysizes, and parameter recommendations. It addresses the need for a minimum level of requirements for cryptography across European Union (EU) Member States (MSs) in their effort to protect personal and sensitive data of the citizens."
Wilson Sonsini Goodrich & Rosati, LLP | EU | EU legislative process updates -
From the page:
"The Draft Regulation is currently in the ordinary legislative process and has to be approved by both the European Parliament and the Council in order to become law. The legislative process should be concluded by mid-2014, with the Regulation coming into force two years after that. Below are some relevant updates: […]"
Danny O'Brien (EFF) | Ten steps you can take right now against internet surveillance -
From the blog post:
"One of the trends we’ve seen is how, as the word of the NSA’s spying has spread, more and more ordinary people want to know how (or if) they can defend themselves from surveillance online. But where to start? The bad news is: if you’re being personally targeted by a powerful intelligence agency like the NSA, it’s very, very difficult to defend yourself. The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone."
Jennifer Granick (Just Security) | US | Hands off encryption! Say new amici briefs in Lavabit case -
From the blog post:
"The Fourth Circuit Court of Appeals is in the process of deciding the first legal challenge to government seizure of the master encryption keys that secure our communications with web sites and email servers. The case could decide the future reliability of encryption protocols to protect all Internet communications. While the government wants these keys to decrypt user information, there is really no acceptable way for the Court to order a secure communications service to break its encryption protocol. The danger to innocent users is too great, and there are network effects that would shatter critical trust in SSL implementation as a whole."
NIST | US | Improving critical infrastructure cybersecurity Executive Order 13636 - Preliminary cybersecurity framework [PDF] -
From ‘1.0 Framework introduction’:
"The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), ‘Improving Critical Infrastructure Cybersecurity’ on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework (‘Framework’) that provides a ‘prioritized, flexible, repeatable, performance-based, and cost-effective approach’ for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk."
EDRi | EU | EDRi-gram newsletter - Number 11.21, 6 November 2013 -