
Privacy policies invalid when companies go bust?

Washington Post has this interesting story: Bankrupt RadioShack wants to sell off user data. But the bigger risk is if a Facebook or Google goes bust. »

The headline speaks for itself. And apparently, companies like Google and Facebook also have rather open-ended privacy policies.

In its privacy policy, Google says that if the company is “involved in a merger, acquisition or asset sale” it would continue to safeguard the confidentiality of its users. Users would be notified before their personal information ends up in new hands, the policy says.

Facebook’s data policy is a little more open-ended: “If the ownership or control of all or part of our Services or their assets changes, we may transfer your information to the new owner.”

The difference is not whether personal data might change hands, but whether you are going to be told about it.

This ought to be something for the EU to tackle in its new data protection package.


EU: Parliament just came out in favour of Snowden, open-source, encryption, digital freedom and anonymity

Today, the European Parliament adopted a resolution called “Human rights and technology in third countries” (2014/2232(INI)).

This is just a resolution, not legislation, but very interesting nevertheless. The European Parliament…

3. Believes that the active complicity of certain EU Member States in the NSA’s mass surveillance of citizens and spying on political leaders, as revealed by Edward Snowden, has caused serious damage to the credibility of the EU’s human rights policy and has undermined global trust in the benefits of ICTs;

Shame on the Brits, French, Germans and Swedes. (And several others.)

6. Calls for the active development and dissemination of technologies that help protect human rights and facilitate people´s digital rights and freedoms as well as their security, and that promote best practices and appropriate legislative frameworks, while guaranteeing the security and integrity of personal data; urges, in particular, the EU and its Member States to promote the global use and development of open standards, and of free and open-source software and cryptographic technologies;

Nice. This is one we should remind the European Parliament about over and over again–when it tries to make decisions going in the other direction.

9. Urges the EU itself, and in particular the EEAS, to use encryption in its communications with human rights defenders, to avoid putting defenders at risk and to protect its own communications with outsiders from surveillance;

Welcome to the real world.

10. Calls on the EU to adopt free and open-source software, and to encourage other actors to do so, as such software provides for better security and for greater respect for human rights;

This is not the first time the EP has made such a statement. But real progress seems to be very slow.

14. Draws attention to the plight of whistleblowers and their supporters, including journalists, following their revelations of abusive surveillance practices in third countries; believes that such individuals should be considered human rights defenders and that, as such, they deserve the EU’s protection, as required under the EU Guidelines on Human Rights Defenders; reiterates its call on the Commission and the Member States to examine thoroughly the possibility of granting whistleblowers international protection from prosecution;

65. Calls for the scope for international protection of whistleblowers to be extended, and encourages the Member States to table laws to protect whistleblowers;

Very nice. But still, no EU member state is prepared to grant Edward Snowden refuge or asylum.

19. Calls for the inclusion of clauses in all agreements with third countries that refer explicitly to the need to promote, guarantee and respect digital freedoms, net neutrality, uncensored and unrestricted access to the internet, privacy rights and the protection of data;

So, if the EU-US trade agreement (TTIP) includes copyright enforcement that threatens digital freedom and privacy, will the EP vote no?

We must be sure to make a note of that one. And the next…

20. Urges the EU to counter the criminalisation of human rights defenders’ use of encryption, censorship-bypassing and privacy tools, by refusing to limit the use of encryption within the EU, and to challenge third-country governments that level such charges against human rights defenders;

21. Urges the EU to counter the criminalisation of the use of encryption, anti-censorship and privacy tools by refusing to limit the use of encryption within the EU, and by challenging third-country governments that criminalise such tools;

61. Calls for each individual to be entitled to encryption, and for the conditions needed to allow encryption to be created; takes the view that controls should be a matter for the end user, who will need the skills required to carry out such controls properly;

62. Calls for the introduction of ‘end to end’ encryption standards as a matter of course for all communication services, so as to make it more difficult for governments, intelligence agencies and surveillance bodies to read content;

As far as I can understand, the European Parliament just came out strongly against a ban on encryption.

27. Considers mass surveillance that is not justified by a heightened risk of terrorist attacks and threats to be in violation of the principles of necessity and proportionality, and, therefore, a violation of human rights;

63. Emphasises the special responsibility of government intelligence services to build trust, and calls for an end to mass surveillance; considers that the monitoring of European citizens through domestic and foreign intelligence services must be addressed and stopped;

So, what about EU member states continuing with data retention?

40. Calls for the development of policies to regulate the sales of zero-day exploits and vulnerabilities to avoid their being used for cyber-attacks, or for unauthorised access to devices leading to human rights violations, without such regulations having a meaningful impact on academic and otherwise bona fide security research;

In your face, NSA…

45. Condemns the weakening and undermining of encryption protocols and products, particularly by intelligence services seeking to intercept encrypted communications;

…and the GCHQ.

46. Warns against the privatisation of law enforcement through internet companies and ISPs;

This ought to be seen as a clear warning not to go down that road in the TTIP.

49. Calls explicitly for the promotion of tools enabling the anonymous and/or pseudonymous use of the internet, and challenges the one-sided view that such tools serve only to allow criminal activities, and not to empower human rights activists beyond and within the EU;

Actually, I’m overwhelmed. But then again, this is not legislation.

However, all of the above can be very useful as a reminder when the EU Commission and Council try to get the Parliament to do the opposite. Or when the Parliament suddenly goes bananas on its own. (It frequently does. It surely will happen again very soon.)

The text as PDF »

/ HAX


Post Ashley Madison

Rick Falkvinge writes:

If you don’t build a bridge to best practices, people die. If you don’t build a computer system to best practices, people die. Why is it the vendor’s fault in one case, but not in the other? In other words, why is privacy always your own responsibility, and never the liability of those who promise it to you?

Read more: Ashley Madison: When Will Privacy Breach Liability Be Taken As Seriously As Other Safety Breach Liabilities? »


Both hackers and negligent companies to be held responsible for data protection breaches

A US court has decided that companies that are negligent when it comes to data protection can be fined, if hacked.

From a privacy perspective, this is good news. There are far too many cases where companies are so lax when it comes to IT security and data protection that they are just as responsible for privacy breaches as the hackers.

As an example we have the Swedish / Danish cases against Gottfrid Svartholm Warg — totally focused on the alleged hacker but with no serious attention directed towards the broad negligence at the hacked companies. (In this case it seems that some vulnerabilities have not been addressed even after the case has been closed.)

We should also remember that many companies promise more than they can live up to in their privacy policies, thus misleading people. This should open up the possibility of civil litigation.

Hopefully, now companies (and government institutions) will take data protection more seriously.

/ HAX

Link: Court Says the FTC Can Slap Companies for Getting Hacked »


Mass surveillance creates a suspicious society

Society is getting more and more complex. The number of rules and laws is enormous, beyond the point where you can reasonably be expected to have a grasp of what you may and may not do. And far from all rules are reasonable or intuitive. There are laws based on very subjective moral grounds, laws that create crimes without victims and laws that are there for no apparent reason at all.

Most likely, most of us are unknowingly breaking some law every day. (And some knowingly.)

And where you have rules, you always have smug and self-righteous people acting as some sort of sentinels — telling others how to behave and ratting on people.

This happens in all sorts of groups and societies. But it has been especially noticeable in authoritarian societies. Ratting on others is perceived to prove to people in power that you are on their side — and it shifts focus away from looking closer at you and your behaviour. Sadly, this is a rather rational behaviour under certain circumstances.

So, what happens when you add mass surveillance to the equation? Everyone has something to hide. And when the authorities are able to scrutinise the lives, communications and actions of everybody — there are even stronger incentives for people to sell out others (for the same reasons as mentioned above).

Mass surveillance creates a suspicious society, where you cannot trust other people.

It’s easy for governments to exploit the public’s fear of terrorism and crime — and rather difficult to get people to understand the dangers of a society where trust between people is being eroded.

/ HAX


EU & mass surveillance: Business as usual

I took some time looking through some of my YouTube clips of the European Parliament’s hearings on mass surveillance during the last legislature (2009-14).

It’s amazing. Everything was laid out in front of the MEPs. But all the EP could come up with was some half-lame resolution (an opinion, not legislation). And that’s it. The new parliament (2014-19) has so far done nothing to follow up on this.

You really should look through this hearing, with the late Caspar Bowden. He served the MEPs everything on a silver plate. (If you don’t have the time, give it at least ten minutes.)

Youtube »

Did they read the paper? Nah. Did they act on the information? Not really. Did they care? I don’t think so.

Today it’s business as usual. Nothing of substance has been done when it comes to the EU acting on US mass surveillance. The British and the French (and many others) have — if anything — learned from the NSA, and now collect everything. NSA partners (such as the Swedish FRA) carry on as usual. And the European Commission has failed to act on the few recommendations the EP actually gave.

Somehow, I get the impression that our political leaders don’t care. Or don’t want to know. Or maybe… they are not on our side.

We really should elect better politicians.

/ HAX


Caspar Bowden in Memoriam

We have lost the well known and well respected privacy advocate Caspar Bowden to cancer. How very sad.

Caspar Bowden was one of those rare activists on privacy and pan-European data protection who knew… maybe not everything, but more than almost everybody else.

I met him a few times, even though I didn’t know him personally. He was very important to our cause when I used to work for the Swedish Pirate Party in the European Parliament. He was there for you when you needed hard facts and the bigger picture.

To give you an idea of Caspar Bowden’s expertise: he predicted many of the NSA activities revealed by Edward Snowden years before they were finally exposed.

Now it’s up to us to carry on Caspar Bowden’s work. We must do more, know more and dare more.

A few video clips:
Caspar Bowden foresees PRISM in October 2012 »
Caspar Bowden, NSA Hearing LIBE European Parliament, 24 Sept. 2013 »
Caspar Bowden on Cloud Computing and Surveillance (FISA) »

The Guardian:
Outspoken privacy campaigner Caspar Bowden dies after battle with cancer »

Wall Street Journal » | Techcrunch » | The Register »

Caspar Bowden will be sadly missed. And kept in fond memory.

Update: According to his family, Caspar Bowden’s funeral will be podcasted.

/ HAX
