Privacy and technology

Oct 06

Robert Graham (Errata Security) | The shockingly obsolete code of bash -

From the blog post:

"One of the problems with bash is that it’s simply obsolete code. We have modern objective standards about code quality, and bash doesn’t meet those standards. In this post, I’m going to review the code […]"

See also: Do shellshock scans violate CFAA?

Oct 05

Cindy Cohn (EFF) | US | Nine epic failures of regulating cryptography -

From the blog post:

"If the government howls of protest at the idea that people will be using encryption sound familiar, it’s because regulating and controlling consumer use of encryption was a monstrous proposal officially declared dead in 2001 after threatening Americans’ privacy, free speech rights, and innovation for nearly a decade. But like a zombie, it’s now rising from the grave, bringing the same disastrous flaws with it. For those who weren’t following digital civil liberties issues in 1995, or for those who have forgotten, here’s a refresher list of why forcing companies to break their own privacy and security measures by installing a back door was a bad idea 15 years ago: […]"

Oct 04

Shoshana Zuboff (FAZ) | A digital declaration -

From the blog post:

"When we look to the digital future there is one anxiety from which all others derive: What kind of home will it be? Will we be masters in a community of masters, or something else - guests, fugitives, or perhaps unwitting slaves subdued by interests beyond our influence or understanding? If the digital future is to be our home, then it is we who must make it so."


Oct 03

Monica Lagazio, David Barnard-Wills, Rowena Rodrigues and David Wright (European Commission) | EU | Certification schemes for cloud computing [PDF linked from this page] -


"This report examines existing certification schemes relevant to cloud computing, focusing on benefits and challenges of such schemes as well as the identification of possible supporting actions and next steps recommendations as regards the implementation of the key action on certification of the European Cloud Computing Strategy. The report is based on research of the state of the art in cloud certification, how cloud certification schemes could enhance trust and transparency in the cloud; which elements of cloud computing could be considered for certification; challenges still affecting existing cloud certification schemes; and the role of public sector. The key findings from the research have been used to develop seven recommendations detailing possible intervention by the European Union with regards to cloud certification."

See also: News release.

Oct 02

Hendrik vom Lehn | On data markets as a means of privacy protection - An ethical evaluation of the treatment of personal data as a commodity [PDF linked from this page] -

From the Executive Summary:

"A number of technological developments such as cloud computing and big data analysis have affected the way in which personal data are processed. These developments go coupled with the currently prevalent business model of free online services that are financed through advertisements and an analysis of user data. Based on these developments, it seems that the new requirements have exposed deficits in the current approach to data protection in the European Union. In the debate on this topic, one of the solutions that are discussed is to create market structures in which users can sell personal data to businesses, thereby gaining control over the ways in which their data is used. Such an approach would constitute an alternative way to the protection of privacy, which is different from the current form of data protection. In order to better assess the validity of claims about the effectiveness of such an alternative approach, it therefore is of importance to know the possible effects that data markets would have on the privacy of online service users. This study investigates this question by means of an ethical evaluation."

See also: Full text in PDF.


Oct 01

Daniel Solove (LinkedIn) | How to enter the privacy profession -

From the blog post:

"Earlier this year, I asked several privacy professionals for their insights and advice about entering the profession. […] Here are some excerpts from some of the most helpful comments, which I tried my best to organize. I also edited a few slightly for smoother syntax. I decided not attributing comments to particular people because I’m not sure who would want to be mentioned by name. In addition to the comments by the professionals, I’m also including some of my own thoughts and advice too."

See also: Earlier related blog post.


Sep 30

Megan Geuss (Ars Technica) | NG | MasterCard-backed biometric ID system launched in Nigeria -

From the blog post:

"Last week, Nigerian President Goodluck Jonathan was one of the first citizens to receive a National eID card, a biometric identification card that will be rolled out to 13 million Nigerians in the near future. Although a handful of countries already use biometric identification systems, Nigeria’s will be unique as its pilot program will be branded with MasterCard logos. The program will eventually be expanded to encompass the rest of the country’s adult population, and the BBC says that all Nigerians will be required to have such a card by 2019 if they wish to vote in the country’s upcoming elections."

See also: News release by the Nigerian National Identity Management Commission.

Sep 29

European Commission | EU | Myth-busting - The Court of Justice of the EU and the "right to be forgotten" [PDF linked from this page] -

The introduction to the document:

"On 13 May 2014, the Court of Justice of the European Union acknowledged that under existing European data protection legislation, EU citizens have the right to request internet search engines such as Google, to remove search results directly related to them. This landmark ruling has sparked a lively and timely debate on the rights and wrongs of the so-called right to be forgotten. It is important to make sure the discussion is based on facts. A sober reading of the judgment shows that the concerns that have emerged in this debate are exaggerated or simply unfounded."

See also: Full text in PDF.

Sep 28

PCI Security Standards Council | Skimming prevention - best practices for merchants, version 2.0 [PDF] -

From ‘Chapter 1 - Overview’:

"This document was created to assist and educate merchants regarding security best practices associated with skimming attacks. Though currently not mandated by PCI SSC, guidelines and best practices documents are produced to help educate and create awareness of challenges faced by the payment industry. The guidelines are the result of industry and law enforcement understanding of the current and evolving threat landscape associated with skimming. In addition we have incorporated known best practices, currently conducted by many merchants, to mitigate skimming attacks taking place in their respective point-of-sale environments."


Sep 27

Office of the Privacy Commissioner of Canada | From APP-laudable to dis-APP-ointing, global mobile app privacy sweep yields mixed results -

From the text:

"The Office of the Privacy Commissioner of Canada coordinated 25 other privacy enforcement authorities across the country and around the globe, in an assessment of the privacy communications of some 1,211 apps designed for both tablets and smartphones in a bid to find out which of them left our sweepers most at ease in terms of how their personal information was being collected and used."

See also: Backgrounder with more detailed results.


Sep 26

Marjan Falahrastegar, Hamed Haddadi, Steve Uhlig and Richard Mortier | Anatomy of the third-party web tracking ecosystem [PDF] -


"The presence of third-party tracking on websites has become customary. However, our understanding of the third-party ecosystem is still very rudimentary. We examine third-party trackers from a geographical perspective, observing the third-party tracking ecosystem from 29 countries across the globe. When examining the data by region (North America, South America, Europe, East Asia, Middle East, and Oceania), we observe significant geographical variation between regions and countries within regions. We find trackers that focus on specific regions and countries, and some that are hosted in countries outside their expected target tracking domain. Given the differences in regulatory regimes between jurisdictions, we believe this analysis sheds light on the geographical properties of this ecosystem and on the problems that these may pose to our ability to track and manage the different data silos that now store personal data about us all."


Sep 25

Ashley Deeks | An international legal framework for surveillance [SSRN] -

From the Abstract:

"Edward Snowden’s leaks laid bare the scope and breadth of the electronic surveillance that the U.S. National Security Agency and its foreign counterparts conduct. Suddenly, foreign surveillance is understood as personal and pervasive, capturing the communications not only of foreign leaders but also of private citizens. Yet to the chagrin of many state leaders, academics, and foreign citizens, international law has had little to say about foreign surveillance. Until recently, no court, treaty body, or government had suggested that international law, including basic privacy protections in human rights treaties, applied to purely foreign intelligence collection. This is now changing: several U.N. bodies, judicial tribunals, U.S. corporations, and victims of foreign surveillance are pressuring states to bring that surveillance under tighter legal control. This article tackles three key, interrelated puzzles associated with this sudden transformation. First, it explores why international law has had so little to say about how, when, and where governments may spy on other states’ nationals. Second, it draws on international relations theory to argue that the development of new international norms regarding surveillance is both likely and essential. Third, it identifies six process-driven norms that states can and should adopt to ensure meaningful privacy restrictions on international surveillance without unduly harming their legitimate national security interests. These norms, which include limits on the use of collected data, periodic reviews of surveillance authorizations, and active oversight by neutral bodies, will increase the transparency, accountability, and legitimacy of foreign surveillance."


Sep 24

Akiva A. Miller | What do we worry about when we worry about price discrimination? The law and ethics of using personal information for pricing [SSRN] -


"New information technologies have dramatically increased sellers’ ability to engage in price discrimination in retail consumer markets. Debates over using personal information for price discrimination frequently treat it as a single concern, and are not sufficiently sensitive to the variety of price discrimination practices, the different kinds of information they require in order to succeed, and the different concerns they raise. This paper explores the ethical aspects of the debate over regulating price discrimination facilitated by personal information. By drawing distinctions between various pricing practices and the motivations behind them, this paper seeks to clarify the ethical principles that should guide legal and regulatory efforts to control the use of personal information for pricing."

Sep 23

Adam D. Thierer | The internet of things and wearable technology - addressing privacy and security concerns without derailing innovation [SSRN] -

From the Abstract:

"This paper highlights some of the opportunities presented by the rise of the so-called ‘Internet of Things’ and wearable technology in particular, and encourages policymakers to allow these technologies to develop in a relatively unabated fashion. As with other new and highly disruptive digital technologies, however, the Internet of Things and wearable tech will challenge existing social, economic, and legal norms. In particular, these technologies raise a variety of privacy and safety concerns. […] The better alternative to top-down regulation is to deal with these concerns creatively as they develop using a combination of educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, and targeted enforcement of existing legal standards (especially torts) as needed."


Sep 22

Jay Stanley (ACLU) | US | The video revolution in policing -

From the blog post:

"If police have generally been able to get away with abusing people, then much of the problem lies in the fact that judges, juries, prosecutors, and the public have too often deemed police officers more credible than abuse victims - especially black and poor victims. Part of the power that police have wielded comes from knowing that, should their victims complain, they will experience the nightmare of not being believed. I give the American public enough credit to believe that if police have had wide latitude to abuse black people (and others in Greene’s ‘torturable classes’), it is only because such abuse is either invisible or not believed. There may be a segment of the population that, out of fear and prejudice, would like to give the police license to abuse African-Americans, but I think the public at large wouldn’t tolerate it—if nothing else, because it does not comport with the story we tell ourselves about who we are. So that is the other part of the video revolution in policing: increasingly, abuse of this kind will no longer be hidden, and the victims will be believed."

See also: this blog post by Simon Davies (PrivacySurgeon).