
Privacy policies invalid when companies go bust?

The Washington Post has this interesting story: Bankrupt RadioShack wants to sell off user data. But the bigger risk is if a Facebook or Google goes bust. »

The headline speaks for itself. And apparently companies like Google and Facebook also have rather open-ended privacy policies when it comes to what happens to your data if the company is sold.

In its privacy policy, Google says that if the company is “involved in a merger, acquisition or asset sale” it would continue to safeguard the confidentiality of its users. Users would be notified before their personal information ends up in new hands, the policy says.

Facebook’s data policy is a little more open-ended: “If the ownership or control of all or part of our Services or their assets changes, we may transfer your information to the new owner.”

The difference is not whether personal data might change hands, but whether you are going to be told about it.

This ought to be something for the EU to tackle in its new data protection package.


EU-US data protection agreement: Good news or bad?

The EU and US have reached a data protection “Umbrella agreement”.

The spin in the news is “EU citizens will have the right to sue US in case of privacy breaches”. (Link»)

And on the European Commission's web site, eurocrats are trying to whitewash the agreement. (Link»)

What is the EU-US data protection “Umbrella Agreement”?

The EU-US data protection “Umbrella Agreement” puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The Agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the U.S. for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism.

The Umbrella Agreement will provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-U.S. law enforcement cooperation and restoring trust.

In particular, EU citizens will benefit from equal treatment: they will have the same judicial redress rights as US citizens in case of privacy breaches. This point was outlined by President Juncker in his political guidelines, when he stated: “The United States must […] guarantee that all EU citizens have the right to enforce data protection rights in U.S. courts, whether or not they reside on U.S. soil. Removing such discrimination will be essential for restoring trust in transatlantic relations.”

Given the current, rather lawless, situation this is a step in the right direction.

But in a wider perspective, this might be bad news: it will open the floodgates when it comes to the EU transferring sensitive personal data (e.g. air passenger information and European bank transfer records) to the US. And it will serve as an argument for the European Commission to ignore the European Parliament's call to repeal the much criticised and abused Terrorist Finance Tracking Program.

So, at the end of the day, this will be a carte blanche to transfer sensitive European personal data to the US. I’m not sure that is a good thing.

/ HAX

Update: The agreement has been leaked. Link 1 » | Link 2 »


Post Ashley Madison

Rick Falkvinge writes:

If you don’t build a bridge to best practices, people die. If you don’t build a computer system to best practices, people die. Why is it the vendor’s fault in one case, but not in the other? In other words, why is privacy always your own responsibility, and never the liability of those who promise it to you?

Read more: Ashley Madison: When Will Privacy Breach Liability Be Taken As Seriously As Other Safety Breach Liabilities? »


Industry wants NSA access to European personal data

The EU is in the process of modernising data protection law through the General Data Protection Regulation (GDPR).

One key point is that European personal data stored in Europe should be protected under European law. Companies should be able to deny requests for personal data from non-member countries. Politico.eu explains…

A small section, Article 43a, says companies should not always comply with requests from courts, tribunals and administrative authorities in non-EU countries for the personal data of Europeans. The only exceptions would be under law enforcement treaties or relevant agreements between those countries and the EU, or individual European countries.

This ought to be a no-brainer. But it has turned out to be highly controversial. One reason might be that US intelligence and law enforcement would like to have access to as much data as possible. (And sadly they probably will get it, under other agreements and treaties. But it shouldn't be the default mode.)

This is the position of the European Parliament. However, EU member states in the European Council are not at all happy with this article. Apparently, their allegiance does not lie with the citizens, nor with European business.

And now the Industry Coalition for Data Protection (ICDP), composed of big data, IT and telecoms multinationals, has stepped in to kill article 43a.

The coalition sent a letter this week to Justice Commissioner Věra Jourová, parliamentary rapporteur Jan Philipp Albrecht MEP, and the Luxembourg presidency of the Council of the EU — the key representatives of the three institutions that are currently negotiating the regulation’s text.

The letter from ICDP said that adopting a “unilateral approach” would create deliberate conflicts of law and severely undermine “both the principles of reciprocity in diplomatic relations as well as the credibility of the EU data protection reform.”

Apparently, these companies are more concerned about their relations with US authorities than data protection.

Politico.eu: Industry issues plea over data reform »

/ HAX


Both hackers and negligent companies to be held responsible for data protection breaches

A US court has ruled that the Federal Trade Commission can take action against companies whose negligent data security gets them hacked.

From a privacy perspective, this is good news. There are far too many cases where companies are so lax when it comes to IT security and data protection that they are just as responsible for the privacy breach as the hackers who carried it out.

As an example we have the Swedish and Danish cases against Gottfrid Svartholm Warg, which were totally focused on the alleged hacker with no serious attention directed towards the broad negligence at the hacked companies. (In this case it seems that some vulnerabilities have not been addressed even after the case has been closed.)

We should also remember that many companies promise more in their privacy policies than they can live up to, thus misleading people. This should open up the possibility of civil litigation.

Hopefully, now companies (and government institutions) will take data protection more seriously.

/ HAX

Link: Court Says the FTC Can Slap Companies for Getting Hacked »


EU & mass surveillance: Business as usual

I took some time looking through some of my YouTube clips of the European Parliament's hearings on mass surveillance during the last legislature (2009-14).

It's amazing. Everything was laid out in front of the MEPs. But all the EP could come up with was some half-lame resolution (an opinion, not legislation). And that's it. The new parliament (2014-19) has so far done nothing to follow up on this.

You really should look through this hearing, with the late Caspar Bowden. He served the MEPs everything on a silver plate. (If you don't have the time, give it at least ten minutes.)

Youtube »

Did they read the paper? Nah. Did they act on the information? Not really. Did they care? I don’t think so.

Today it's business as usual. Nothing of substance has been done when it comes to the EU acting on US mass surveillance. The British and the French (and many others) have, if anything, learned from the NSA and are now collecting everything. NSA partners (such as the Swedish FRA) carry on as usual. And the European Commission has failed to act on the few recommendations the EP actually gave.

Somehow, I get the impression that our political leaders don’t care. Or don’t want to know. Or maybe… they are not on our side.

We really should elect better politicians.

/ HAX


Caspar Bowden in Memoriam

We have lost the well known and well respected privacy advocate Caspar Bowden to cancer. How very sad.

Caspar Bowden was one of those rare activists on privacy and pan-European data protection who knew… maybe not everything, but more than almost everybody else.

I met him a few times, even though I didn't know him personally. He was very important to our cause when I used to work for the Swedish Pirate Party in the European Parliament. He was there for you when you needed hard facts and the bigger picture.

To give you an idea of Caspar Bowden's expertise: he predicted many of the NSA activities revealed by Edward Snowden years before they were finally exposed.

Now it's up to us to carry on Caspar Bowden's work. We must do more, know more and dare more.

A few video clips:
Caspar Bowden foresees PRISM in October 2012 »
Caspar Bowden, NSA Hearing LIBE European Parliament, 24 Sept. 2013 »
Caspar Bowden on Cloud Computing and Surveillance (FISA) »

The Guardian:
Outspoken privacy campaigner Caspar Bowden dies after battle with cancer »

Wall Street Journal » | TechCrunch » | The Register »

Caspar Bowden will be sadly missed, and fondly remembered.

Update: According to his family, Caspar Bowden's funeral will be podcast.

/ HAX


EU: Should you be in control of your personal data or not?

The European Union is currently working on a new legal framework for data protection.

This process has been subject to massive lobbying from companies on both sides of the Atlantic, all trying to water it down.

At the moment the dossier is being dealt with in the European Council. There the EU member states seem to be just as eager as the industry lobbyists to undermine any substantial protection of citizens' rights to their own data.

This is a complex process, hidden behind a wall of documents and often carried out behind closed doors. It's all so complicated that the media seem to have chosen to ignore it.

So, what is the conflict all about?

To put it simply: It’s about your right to control your own personal data.

The principle that lobbyists and member states refuse to accept is that it should be up to you to decide if and how your data is to be used. It’s a matter of consent.

The Big Business and Big Government approach is that there is no need for consent. That you should not be in control of how your personal information is used. That you and your rights are not important.

The usual suspects would like to keep us all as digital slaves.

This is about privacy. And it’s about your right to control your own life.

/ HAX


Member states undermining EU data protection reform

EDRi reports on the EU data protection reform:

Leaked documents from the Council
According to the leaked proposals, crucial privacy protections have been drastically undermined, including the right to be asked for consent, the right to know how your data are used and the right to object to your data being used, minimum standards of behaviour for companies exploiting individuals’ data. In several places, the text would not likely pass judicial scrutiny under Europe’s human rights framework.

It was to be expected that the Council (the EU member states) would try to undermine the EU data protection package. And now we have it in writing.

As usual when the Council is trying to bully the other EU institutions, it will probably try to short-circuit a thorough and reflective democratic process by rushing it through a trilogue, leading to a compromise in a “first reading agreement”.

Read more at EDRi: Leaked documents: European data protection reform is badly broken »

/ HAX
