Privacy and technology

Apr 02

Jules Polonetsky, Christopher Wolf, Josh Harris and Joseph Jerome (Future of Privacy Forum) | US | [Comments for the White House "Big Data review"] [PDF] -

From the introduction:

"Unlocking the value of data and instituting responsible data practices go hand-in-hand, and both have been an important focus of FPF’s work since our founding in 2008. FPF recognizes the enormous potential benefits to consumers and to society from sophisticated data analytics, yet FPF also understands that taking advantage of big data may require evolving how we implement traditional privacy principles. Through our work on inter-connected devices and applications and the emerging Internet of Things, FPF has acquired experience with the technologies involved in data collection and use. FPF appreciates this opportunity to provide Comments and share its insights into how best to promote the benefits of big data while minimizing any resulting privacy risks or harms."

See also: Related blog post.

Apr 01

Article 29 Data Protection Working Party | EU | Opinion [...] on personal data breach notification [PDF] -

From the Executive Summary:

"In this Opinion, the Article 29 Working Party provides guidance to controllers in order to help them to decide whether to notify data subjects in case of a “personal data breach”. Although this opinion considers the existing obligation of providers of electronic communications regarding Directive 2002/58/EC, it provides examples from multiple sectors, in the context of the draft data protection regulation, and presents good practices for all controllers."

See also: Overview of all opinions and recommendations by WP29.

(Source: huntonprivacyblog.com)

Mar 31

Lillian Ablon, Martin C. Libicki and Andrea A. Golay (RAND National Security Research Division, Juniper Networks) | Markets voor cybercrime tools and stolen data - Hackers' Bazaar [PDF linked from this page] -

From ‘Preface’:

"Criminal activities in cyberspace are increasingly facilitated by burgeoning black markets in both the tools (e.g., exploit kits) and the take (e.g., credit card information). As with most things, intent is what can make something criminal or legitimate, and there are cases where goods or services can be used for altruistic or malicious purposes (e.g., bulletproof hosting and zero-day vulnerabilities). This report describes the fundamental characteristics of these markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options that could minimize the potentially harmful influence these markets impart."

See also: Related blog post.

(Source: webwereld.nl)

Mar 30

Jalal Mahmud, Jeffrey Nichols and Clemens Drews | Home location identification of Twitter users [PDF] -

Abstract:

"We present a new algorithm for inferring the home location of Twitter users at different granularities, including city, state, time zone or geographic region, using the content of users’ tweets and their tweeting behavior. Unlike existing approaches, our algorithm uses an ensemble of statistical and heuristic classifiers to predict locations and makes use of a geographic gazetteer dictionary to identify place-name entities. We find that a hierarchical classification approach, where time zone, state or geographic region is predicted first and city is predicted next, can improve prediction accuracy. We have also analyzed movement variations of Twitter users, built a classifier to predict whether a user was travelling in a certain period of time and use that to further improve the location detection accuracy. Experimental evidence suggests that our algorithm works well in practice and outperforms the best existing algorithms for predicting the home location of Twitter users."

(Source: Ars Technica)

Mar 29

Catherine Crump and Matthew Harwood (ACLU) | Invasion of the data snatchers - Big Data and the Internet of Things means the surveillance of everything -

From the blog post:

"A future Internet of Things does have the potential to offer real benefits, but the dark side of that seemingly shiny coin is this: companies will increasingly know all there is to know about you. Most people are already aware that virtually everything a typical person does on the Internet is tracked. In the not-too-distant future, however, real space will be increasingly like cyberspace, thanks to our headlong rush toward that Internet of Things. With the rise of the networked device, what people do in their homes, in their cars, in stores, and within their communities will be monitored and analyzed in ever more intrusive ways by corporations and, by extension, the government."

Mar 28

Amy Collins, Adam J. Fleisher, Reed Freeman and Alistair Maughan (SCL) | The Internet of Things - the old problem squared -

From the blog post:

"Cisco estimates that some 25 billion devices will be connected in the IoT by 2015, and 50 billion by 2020. Analyst firm IDC makes an even bolder prediction: 212 billion connected devices by 2020. This massive increase in connectedness will drive a wave of innovation and could generate up to $19 trillion in savings over the next decade, according to Cisco’s estimates. But the ingenuity and innovation which companies will apply to turn the IoT into practical reality is constrained by law and regulation. Existing issues may take on new dimensions and, as technologies combine, so will the legal consequences of those technologies. In this article, we look at the prospects for the IoT as well as the likely legal and regulatory factors that will affect the development and growth of IoT technology and the markets that such technology will create."

Mar 27

Human Rights Watch | ET | "They know everything we do" - Telecom and internet surveillance in Ethiopia [PDF linked from this page] -

From the Summary:

"The Ethiopian government has maintained strict control over Internet and mobile technologies so it can monitor their use and limit the type of information that is being communicated and accessed. Unlike most other African countries, Ethiopia has a complete monopoly over its rapidly growing telecommunications sector through the state-owned operator, Ethio Telecom. This monopoly ensures that Ethiopia can effectively limit access to information and curtail freedoms of expression and association without any oversight since independent legislative or judicial mechanisms that would ensure that surveillance capabilities are not misused do not exist in Ethiopia. All governments around the world engage in surveillance, but in most countries at least some judicial and legislative mechanisms are in place to protect privacy and other rights. In Ethiopia these mechanisms are largely absent. The government’s actual control is exacerbated by the perception among Ethiopia’s population that government surveillance is omnipresent. This results in considerable self-censorship, with many Ethiopians refraining from openly communicating on a variety of topics across the telecom network."

Mar 26

Brian Krebs (Krebs on Security) | US | Are credit monitoring services worth it? -

From the blog post:

"In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America."

(Source: databreaches.net)

Mar 25

Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M. Léveillé and Benjamin Vanheuverzwijn (WeLiveSecurity) | Operation Windigo - The vivisection of a large Linux server-side credential stealing malware campaign [PDF] -

From the Executive Summary:

"This document details a large and sophisticated operation, code named ‘Windigo’, in which a malicious group has compromised thousands of Linux and Unix servers. The compromised servers are used to steal SSH credentials, redirect web visitors to malicious content and send spam. This operation has been ongoing since at least 2011 and has affected high profile servers and companies […] This report contains a detailed description of our ongoing investigation of the Windigo operation. We provide details on the number of users that have been victimized and the exact type of resources that are now in control of the gang. Furthermore, we provide a detailed analysis for the three main malicious components of this operation […]"

See also: Related blog post.

(Source: Ars Technica)

Mar 24

Yaniv Taigman, Ming Yang, Marc'Aurelio Ranzato and Lior Wolf | DeepFace - Closing the gap to human-level performance in face verification [PDF linked from this page] -

Abstract:

"In modern face recognition, the conventional pipeline consists of four stages: detect => align => represent => classify. We revisit both the alignment step and the representation step by employing explicit 3D face modeling in order to apply a piecewise affine transformation, and derive a face representation from a nine-layer deep neural network. This deep network involves more than 120 million parameters using several locally connected layers without weight sharing, rather than the standard convolutional layers. Thus we trained it on the largest facial dataset to-date, an identity labeled dataset of four million facial images belonging to more than 4,000 identities, where each identity has an average of over a thousand samples. The learned representations coupling the accurate model-based alignment with the large facial database generalize remarkably well to faces in unconstrained environments, even with a simple classifier. Our method reaches an accuracy of 97.25% on the Labeled Faces in the Wild (LFW) dataset, reducing the error of the current state of the art by more than 25%, closely approaching human-level performance."

(Source: grahamcluley.com)

Mar 23

Vanja Svajcer (SophosLabs) | Sophos mobile security threat report [PDF linked from this page] -

From the Introduction:

"With mobile subscriptions worldwide totalling approximately 7 billion by the end of 2013, it is clear that mobile devices are rapidly replacing the personal computer at home and in the workplace. We now rely on smartphones and tablets for everything Internet-related in our lives, from web surfing to e-commerce transactions and online banking. Therefore, in the space of little more than a year or so, we have gone from talking about them as an emerging threat vector, to one which is already being consistently exploited by cybercriminals. They have rapidly become a potential treasure trove of personal data for the cyber criminal and also represent an easy way to get to end users, through social engineering techniques such as fake antivirus, which trick users into paying to get rid of non-existent malware."

See also: Related blog post.

Mar 22

Marc Rotenberg, Ginger McCall, Alan Butler and David Husband (EPIC) | US | Brief of Amicus Curiae [Riley v. California] [PDF] -

Summary of the argument:

"Modern cell phone technology provides access to an extraordinary amount of personal data. Cell phone users routinely store sensitive and intimate information on a device that they keep close to their body. Misplacing a cellphone is an immediate cause for concern. Allowing police officers to search a person’s cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment. First, the warrantless search of a cell phone provides access to personal information and private files, stored both on the phone and on remote servers that are accessible from the phone. Second, there is no need to allow warrantless searches when currently available techniques allow law enforcement to secure the cell phone data pending a judicial determination of probable cause. Neither of the interests recognized by this Court underlying the search incident to arrest exception would justify the warrantless search of an individual’s cell phone."

See also: More information about Riley v. California.

Mar 21

Phil Lee (Privacy and Information Law Blog) | EU | US | How do EU and US privacy regimes compare? -

From the blog post:

"As an EU privacy professional working in the US, one of the things that regularly fascinates me is each continent’s misperception of the other’s privacy rules. Far too often have I heard EU privacy professionals (who really should know better) mutter something like ‘The US doesn’t have a privacy law’ in conversation; equally, I’ve heard US colleagues talk about the EU’s rules as being ‘nuts’ without understanding the cultural sensitivities that drive European laws. So I thought it would be worth dedicating a few lines to compare and contrast the different regimes, principally to highlight that, yes, they are indeed different, but, no, you cannot draw a conclusion from these differences that one regime is ‘better’ (whatever that means) than the other."

See also: Christopher Kuner (Privacy Perspectives): The global competition between privacy models.

(Source: pogowasright.org)

Mar 20

Cindy Cohn, Mark Rumold and Andrew Crocker (EFF, on behalf of the Amici Curiae) | US | Amici Curiae brief [ACLU v. Clapper] [PDF] -

From the Introduction:

"It is not just metadata. Telephony metadata reveals private and sensitive information about people. It can reveal political affiliation, religious practices, and people’s most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata—about a single person over time, about groups of people, or with other datasets—only intensifies the sensitivity of the information. Aggregated metadata ‘generates a precise, comprehensive record’ of people’s habits, which in turn ‘reflects a wealth of detail about [their] familial, political, professional, religious, and sexual associations.’ United States v. Jones, 565 U.S. __, 132 S. Ct. 945, 955 (2012) (Sotomayor, J., concurring). The call records collected by the government are not just metadata - they are intimate portraits of the lives of millions of Americans.”

See also: Press release.

Mar 19

Various authors (Future of Privacy Forum) | Privacy papers for policy makers 2013 [SSRN / PDF linked from this page] -

From the digest:

"The featured papers analyze current and emerging privacy issues and propose solutions or offer free analysis that could lead to new approaches in privacy law. Academics, privacy advocates and Chief Privacy Officers on FPF’s Advisory Board reviewed all submitted papers, emphasizing clarify, practicality and overall utility as the most important criteria for selection."