Data protection

UK class action accuses Google of unlawfully harvesting personal data | Technology

More than 5 million people in the UK could be entitled to compensation from Google if a class action against the internet giant for allegedly harvesting personal data is successful.

A group led by the executive director of consumer body Which?, Richard Lloyd, and advised by City law firm Mishcon de Reya claims Google unlawfully collected personal information by bypassing the default privacy settings on the iPhone between June 2011 and February 2012.

They have launched a legal action with the aim of securing compensation for those affected. The group, called Google You Owe Us, says that approximately 5.4 million people in Britain used the iPhone during this period and could be entitled to compensation.

Google is accused of breaching principles in the UK’s data protection laws in a “violation of trust” against iPhone users.

The lawsuit was unprecedented and represented “one of the biggest fights of my life”, said Lloyd, who has led legal actions against companies before.

“I believe that what Google did was simply against the law. Their actions have affected millions, and we’ll be asking the courts to remedy this major breach of trust.

“Through this action, we will send a strong message to Google and other tech giants in Silicon Valley that we’re not afraid to fight back if our laws are broken.

“In all my years speaking up for consumers, I’ve rarely seen such a massive abuse of trust where so many people have no way to seek redress on their own.”

He added: “This is … the first case of its kind in the UK against a major tech company for misusing our valuable personal data.

“I want to spread the word about our claim. Google owes all of those affected fairness, trust and money. By joining together, we can show Google that they can’t get away with taking our data without our consent, and that no matter how large and powerful they are, nobody is above the law.”

A Google spokesperson said: “This is not new. We have defended similar cases before. We don’t believe it has any merit and we will contest it.”

Data breach hits Department of Social Services credit card system | Technology

The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached.

In letters sent in early November the department alerted the employees to “a data compromise relating to staff profiles within the department’s credit card management system prior to 2016”.

Compromised data includes credit card information, employees’ names, user names, work phone numbers, work emails, system passwords, Australian government services number, public service classification and organisation unit.

The department failed to warn staff how long the data was exposed for but a DSS spokesman told Guardian Australia that the contractor, Business Information Services, had advised that the data was open from June 2016 until October 2017. The data related to the period 2004 to 2015.

The letters from the DSS chief financial officer, Scott Dilley, blame “the actions of the department’s third-party provider” and say the compromise “is not a result of any of the department’s internal systems”.

“The data has now been secured,” Dilley wrote. He said there was “no evidence” of improper use of the data or the department’s credit cards.

The DSS spokesman said that on 3 October the Australian Signals Directorate had notified it of the compromise. “The Australian Cyber Security Centre immediately contacted the external contractor to secure the information and remove the vulnerability within hours of notification,” he said.

Asked to assess the severity of the breach, the Australian Privacy Foundation chairman, David Vaile, said it had affected a “significant number” of people and noted the department had given staff “no clue how far back” it extended or how long data was exposed for.

He said that employees’ usernames, full names and system passwords were “material that could be quite useful for identity theft, fraud and masquerading”, where an attacker pretends to be an authorised user.

Vaile said the notification was a “masterpiece of passive aggressive writing” that sought to downplay the effect of the breach, when it should be for the benefit of the victims to provide as much information as possible to counter the threat.

It did not contain acknowledgement that outsourcing functions to an external provider “represents an increased risk and in this case it has come home to roost”, he said.

Vaile questioned how extensive the department’s inquiries were into whether the data was accessed, adding that little comfort could be taken from the fact departmental credit cards had not been charged because consequences of a data breach can take time to materialise.

A spokeswoman for Business Information Services said that as a result of a “control vulnerability” some historical information about employees’ work expenses “was vulnerable to possible cyber breach”.

“There is no evidence of a cyber-attack, only that it was possible,” she said.

The spokeswoman said the information included “partially anonymous work-related expenses” including “cost centres, corporate credit cards without CCV and expiry dates and passwords that were hashed and therefore not visible”.

“The bulk of credit card information within the data had expired.”

The BIS spokeswoman said the vulnerability was “secured within four hours”, the data is no longer publicly accessible and it had undertaken a security review.

The DSS spokesman said the department “takes security seriously”.

He said the department has been working with the ACSC and the Office of the Australian Information Commissioner to notify 2,000 current and 6,500 former employees and to work with the external contractor “to ensure effective arrangements are in place, and to support affected staff”.

The letter also suggested employees may wish to change or strengthen passwords if they used the same password across work and personal accounts.

Swift action needed to set framework for AI and machine learning | Letters | Technology

Machine learning and artificial intelligence have the potential to make significant improvements to our lives in areas such as health and public services. However, as Ian Sample points out (Computer says no: why making AIs fair, open and accountable is crucial, 6 November), there are real concerns about fairness and accountability. The Royal Society and the British Academy, in Data Management and Use: Governance in the 21st century, make the urgent case for a stewardship body for data use. The governance response must be driven by the overarching principle of human flourishing – recognising that humans do not serve data, but that data must be used to serve humans and human communities. A number of principles follow from this, including the need to protect individual and collective rights and interests. We need an independent, interdisciplinary stewardship body that can identify where there are governance gaps, with the power to urge the right bodies to fill those gaps. Swift action is needed to ensure that this important area of technology operates in a way that deserves and secures public trust.
Professor Dame Ottoline Leyser
Chair of the Royal Society Science Policy Advisory Group

No, Facebook isn’t spying on you. At least not with the microphone | Technology

Last week, Facebook issued yet another denial that the company eavesdrops on its users to target them with adverts.

“Just not true,” said Rob Goldman, the company’s head of ad product, in response to an open query from podcast Reply All.

After writing about the denial, my inbox almost immediately began filling with missives from people insisting that Facebook must be lying.

One person wrote that he never drinks wine, but a friend had mentioned a wine delivery service to his wife and he saw an ad for it the next day. Another insisted he had proved it to his friends once before. A third said she had met many users for whom eavesdropping was “the only option” for explaining why they had received the adverts they had.

What is it about this conspiracy theory that makes it the most persistent in tech?

Part of the explanation is that it’s really very hard for Facebook to prove that it isn’t doing what it’s accused of. The company’s apps will generally have permission to access the camera and microphone, because people film video and take pictures using Facebook, Instagram, WhatsApp and/or Messenger.

While you can tell from looking at the traffic to and from your phone – or even just from your mobile data usage – that Facebook isn’t uploading a livestream of everything you say and do, there are always other possibilities. Perhaps it’s doing the processing on-device? Or only listening for key phrases? Or uploading everything in a burst when you get on wifi?

Facebook doesn’t help itself. It has a long history of pushing the boundaries of what’s acceptable in order to increase ad revenue, from profiling the “ethnic affinity” of users (totally different from racial profiling, it swears) to merging user data from WhatsApp with its main service. With that history, it’s not a giant leap for many people to simply assume Facebook is lying in its denials.

But the sheer wealth of evidence many are able to summon to support the theory also demonstrates another element to its persistence: the true nature of algorithmic ad targeting is still not widely known.

The sheer volume of information the social network has about a typical user is difficult to comprehend. It logs every action you and your friends take, and a substantial proportion of your browsing off-site thanks to its Facebook share button. It also has information provided by friends, such as that ex who uploaded her address book containing your phone number and your embarrassing teenage email address, allowing Facebook to work out that you know that high-school friend who you haven’t seen for a few years but who still has your older contact details.

And, apologies, but you aren’t that special. If you have had a conversation about a particular topic, then it’s unlikely you are the only one. While your conversation may have been held in person, a lot of others will have happened on Messenger or in Instagram comments. It’s not a stretch to assume that if a lot of London-based men aged 25 to 34, whose interests include stadium rock and panel shows on Dave, start talking about buying tickets to see the Foo Fighters, then other London-based men aged 25 to 34 are probably solid targets for the same advertising.

‘The sheer volume of information Facebook has about a typical user is difficult to comprehend.’ Photograph: Lauren Hurley/PA

Part of the reason Facebook’s creepy levels of knowledge skirt below the radar is that they are rarely used to their full extent with on-site adverts. There are enough advertisers out there with deep pockets and a desire to hit as many people as possible that the hyper-targeted adverts can be outbid. Facebook provides advertisers with the tools to get uncomfortably accurate targeting, but it’s up to the advertisers themselves to actually use them.

For a real picture of the extent of Facebook’s knowledge, the best place to turn is the section where it applies its vast banks of data in service of its own aims: the “people you may know” suggestions.

That section has outed sex workers, psychiatrists and family secrets, all using as much data as possible to find every single connection in your life and show you that they’re on Facebook. People you may know is also subject to its own, lesser, conspiracy theory: many who have been connected with people they would rather remain invisible to blame location tracking, a feature the company swears it doesn’t use for this purpose. Then there’s the possibility that Facebook shows you people who have been searching for you.

This is creepy on a personal level. My Facebook account has zero friends, manages one page with five likes, and follows one person – Mark Zuckerberg. Despite that, the site has still managed to link me with a bunch of fellow journalists, some friends of friends, someone I went to school with and the brother of an ex. As well as someone from the Household Cavalry Mounted Regiment, and a whole load of Turkish people, for some reason. It’s not perfect, but it’s still an alarming amount of insight to be gleaned from a site that I have been scrupulously careful to avoid telling anything of use.

And that’s the core of the problem. The unsettling ability of Facebook to make accurate guesses based on what feels like barely any information doesn’t match with what we think should be possible. But rather than updating our beliefs, the easier thing to do is turn to another thing that we know is possible: spying.

This will become an increasingly fraught issue as AI pervades more and more of our lives. Just think of the first time an AI security guard arrests someone for shoplifting in the changing room – leading to an accusation that the shop is spying on people getting dressed. Or Amazon sending you coupons for some shoes you broke in front of its Echo Show video screen, but based only on its expectations about how often someone like you breaks the heels on shoes like that. Will we resort to more conspiracy theories? Or will we confront the new issues head on?

Why we need a 21st-century Martin Luther to challenge the church of tech | Technology

A new power is loose in the world. It is nowhere and yet it’s everywhere. It knows everything about us – our movements, our thoughts, our desires, our fears, our secrets, who our friends are, our financial status, even how well we sleep at night. We tell it things that we would not whisper to another human being. It shapes our politics, stokes our appetites, loosens our tongues, heightens our moral panics, keeps us entertained (and therefore passive). We engage with it 150 times or more every day, and with every moment of contact we add to the unfathomable wealth of its priesthood. And we worship it because we are, somehow, mesmerised by it.

In other words, we are all members of the Church of Technopoly, and what we worship is digital technology. Most of us are so happy in our obeisance to this new power that we spend an average of 50 minutes on our daily devotion to Facebook alone without a flicker of concern. It makes us feel modern, connected, empowered, sophisticated and informed.

Suppose, though, you were one of a minority who was becoming assailed by doubt – stumbling towards the conclusion that what you once thought of as liberating might actually be malign and dangerous. But yet everywhere you look you see only happy-clappy believers. How would you go about convincing the world that it was in the grip of a power that was deeply hypocritical and corrupt? Especially when that power apparently offers salvation and self-realisation for those who worship at its sites?

It would be a tough assignment. But take heart: there once was a man who had similar doubts about the dominant power of his time. His name was Martin Luther and 500 years ago on Tuesday he pinned a long screed on to the church door in Wittenberg, which was then a small and relatively obscure town in Saxony. The screed contained a list of 95 “theses” challenging the theology (and therefore the authority) of the then all-powerful Catholic church. This rebellious stunt by an obscure monk must have seemed at the time like a flea bite on an elephant. But it was the event that triggered a revolution in religious belief, undermined the authority of the Roman church, unleashed ferocious wars in Europe and shaped the world in which most of us (at least in the west) grew up. Some flea bite.

In posting his theses Luther was conforming to an established tradition of scholastic discourse. A “thesis”, in this sense, is a succinctly expressed proposition put forward as the starting point for a discussion. What made Luther’s theses really provocative, though, was that they represented a refutation of both the theology and the business model of the Catholic church. In those days, challenging either would not have been a good career move for an Augustinian monk. Challenging both was suicidal.

‘He lit the fire that consumed Christendom’: Martin Luther nails up his theses. Photograph: Alamy

To understand the significance of this, some theological background helps. A central part of Catholic theology revolved around sin and the consequences thereof. Sins were divided into three grades – original, venial and mortal. The first was what you were born with (because the default setting for humans was “flawed”) and was absolved by baptism. The second category consisted of peccadillos. The third – mortal – were grievous sins.

The church had established an elaborate machine for enabling its members to deal with their moral transgressions. They could confess them to a priest and receive absolution on condition that they did a prescribed penance. But for a medieval Catholic, the visceral fear was of dying with an unconfessed – and therefore unabsolved – mortal sin on your record. In that case, you went to hell for eternity, tortured by perennial fire and all the horrors imagined by Hieronymus Bosch.

If you died with just unabsolved venial sins, however, then you did time in an intermediate prison called purgatory until you were eventually discharged and passed on to paradise. Being in purgatory was obviously better than roasting at gas mark six, and your place in heaven was ultimately guaranteed. But if you could minimise your time in the holding area then you would.

Into this market opportunity stepped the Roman church with an ingenious product called an indulgence. This was like a voucher that gave you a reduction in your purgatorial stay. Initially, you could get an indulgence in return for an act of genuine penitence – following the confessional model – or for visiting a holy relic. But there came a moment (in 1476) when Pope Sixtus IV announced that indulgences could be purchased on behalf of another person – say a deceased relative who was assumed to be suffering in purgatory, and therefore lying beyond the reach of confession and absolution. In a continent of credulous and devout believers, this turned indulgences into a very big business. And, as with the US sub-prime mortgage market pre-2007, it got out of hand. By 1517, as Luther saw it, indulgences had become a racket in which a crass financial transaction substituted for the serious duty of real repentance. A couplet coined by a particularly enthusiastic indulgence-hawker captured this crudity nicely:

As soon as a coin in the coffer rings,
The soul from purgatory springs.

The audacity of Luther’s 95 Theses on the Power and Efficacy of Indulgences came from the fact that in attacking the theology underpinning the doctrine of purgatory they were also undermining the business model built upon it. In two consecutive theses, 20 and 21, for example, Luther set about attacking the very essence of papal authority. “When he [the pope] uses the words plenary [ie total] remission of all penalties,” Luther wrote, “he does not actually mean ‘all penalties’, but only those imposed by himself.” Therefore, continues thesis 21, “those indulgence preachers are in error who say that a man is absolved from every penalty and saved by papal indulgences.”

This might not look like much to a modern reader, unfamiliar with the intricacies of 16th-century Catholicism, but it was the equivalent of calling the pope a liar. And in the Europe of 1517, that was fighting talk. People had been burned at the stake for less. In the ordinary course of events, the church would have squashed such a turbulent friar as one would a mosquito. All it would have required was a letter to his religious superior, followed by a kangaroo court in Rome, and that would be that.

But it didn’t happen. Instead, Luther escaped death, survived excommunication and went on to light the fire that consumed Christendom. How come? Historians cite two main reasons. The first is that Luther was lucky in that Frederick the Wise – the local bigwig who was one of the seven electors of the Holy Roman Emperor – protected him and indeed saved his life (protection that was continued by Frederick’s heirs and successors). The second is the printing press, which is what enabled Luther to “go viral”, as modern parlance has it.

Of course we’ve known for eons about the role of print in the Reformation. But it’s especially interesting to look back at the story in the light of what has happened to our own media ecosystem in the past few years. After all, we have lived through political earthquakes that were fuelled at least in part by new media, and we find ourselves contemplating what has happened with the same kind of “informed bewilderment” that must have afflicted Pope Leo X as he watched his pestilential priest become the most famous man in Germany.

‘The printing press enabled him to “go viral”’: an edition of Martin Luther’s 95 theses printed in Basel in 1517. Photograph: Sean Gallup/Getty Images

What happened, in a nutshell, is that Luther understood the significance and utility of the new communication technology better than his adversaries. In that sense, he reminds me of Donald Trump, who sussed how to use Twitter and exploit the 24-hour news cycle better than anyone else. But whereas Trump contributed nothing to the communications technology that he exploited, Luther did.

His understanding of the new media ecosystem brought about by print has been expertly explored by the Reformation historian Andrew Pettegree in a brilliant book, Brand Luther: 1517, Printing, and the Making of the Reformation (Penguin, 2015). Unlike most scholars of his time, Luther was both interested in and knowledgeable about the technology of printing; he knew the economics of the business, cared about the aesthetics and presentation of books and understood the importance of what we would now call building a brand.

He knew, for example, that his message would only spread if he gave printers texts that would be economical to print and easy to sell – unlike conventional scholarly books in the early decades of printing. Because paper was expensive, printing a standard scholarly tome required capital resources for buying and storing the necessary reams of paper. And because there was no developed market for distributing and marketing the result, many printers went bankrupt – which is why most printing and publishing was concentrated in large towns with established universities where at least some of the necessary infrastructure existed.

Although the original 95 theses were in Latin, as were most theological books of the period, Luther decided that he would write in German. In doing so he immediately expanded his potential market by orders of magnitude. He also developed a literary style that was, as Pettegree observes, “lucid, readable and to the point”. But his masterstroke was in enabling printers to make money by publishing his works. Because paper was expensive, he channelled his output into extended pamphlets that could be printed on one or two sheets of paper, suitably folded into eight or 16 pages at most.

The strategy worked. Within five years of posting his theses he was Europe’s most published author. A printed sermon or a commentary by Luther was a surefire seller, and appealingly inexpensive to produce. The nascent printing industry was quick to respond: Wittenberg, which had a solitary shambolic printer when Luther began, was soon home to a handful of presses, including one run by Germany’s most accomplished publisher, Moritz Goltz. Luther, proactive to a fault, took care to spread his work among all of these new publishing houses and was, Pettegree observes, “sufficiently popular to put bread on the table of publishers throughout Germany”. By the time Luther died in 1546, nearly 30 years after posting the 95 theses, this small town in Saxony had a publishing output that matched that of Germany’s biggest cities.

Luther was clearly a remarkable, complex individual – charismatic, divisive, inspiring, intense, gifted, musical, courageous, devout and lucky. He also had a very unattractive side – as seen most starkly in the misogyny and ferocious antisemitism with which his works are peppered. But I’ve always been fascinated by him, and as the 500th anniversary loomed and Trump rose to power on the back of our new media ecosystem, I fell to pondering whether there are lessons to be learned from the 95 theses and their astonishing aftermath.

One thing above all stands out from those theses. It is that if one is going to challenge an established power, then one needs to attack it on two fronts – its ideology (which in Luther’s time was its theology), and its business model. And the challenge should be articulated in a format that is appropriate to its time. Which led me to think about an analogous strategy in understanding digital technology and addressing the problems posed by the tech corporations that are now running amok in our networked world.

These are subjects that I’ve been thinking and writing about for decades – in two books, a weekly Observer column, innumerable seminars and lectures and a couple of academic research projects. Many years ago I wrote a history of the internet, motivated partly by annoyance at the ignorant condescension with which it was then viewed by the political and journalistic establishments of the time. “Don’t you think, dear boy,” said one grandee to me in the early 1990s, “that this internet thingy is just the citizens band [CB] radio de nos jours?”

“You poor sap,” I remember thinking, “you have no idea what’s coming down the track.”

Twenty-five years on, I now describe myself as a recovering utopian. When the internet first appeared I was dazzled by its empowering, enlightening, democratising potential. It’s difficult to imagine today the utopian visions that it conjured up in those of us who understood the technology and had access to it. We really thought that it would change the world, slipping the surly bonds of older power structures and bringing about a more open, democratic, networked future.

We were right about one thing, though: it did change the world, but not in the ways we expected. The old power structures woke up, reasserted themselves and got the technology under control. A new generation of corporate giants emerged, and came to wield enormous power. We watched as millions – and later billions – of people happily surrendered their personal data and online trails to be monetised by these companies. We grimaced as the people whose creativity we thought would be liberated instead turned the network into billion-channel TV and morphed into a new generation of couch-potatoes. We saw governments that had initially been caught napping by the internet build the most comprehensive surveillance machine in human history. And we wondered why so few of our fellow citizens seemed to be alarmed by the implications of all this – why the world was apparently sleepwalking into a nightmare. Why can’t people see what’s happening? And what would it take to make them care about it?

Why not, I thought, compose 95 theses about what has happened to our world, and post them not on a church door but on a website? Its URL is and it will go live on 31 October, the morning of the anniversary. The format is simple: each thesis is a proposition about the tech world and the ecosystem it has spawned, followed by a brief discussion and recommendations for further reading. The website will be followed in due course by an ebook and – who knows? – perhaps eventually by a printed book. But at its heart is Luther’s great idea – that a thesis is the beginning, not the end, of an argument.

The door of Wittenberg castle church, where Martin Luther nailed his 95 theses. Photograph: Alamy Stock Photo

John Naughton’s theses

No 19: The technical is political
This thesis challenges the contemporary assertion of the tech industry that it stands apart from the political system in which it exists and thrives. This delusion has deep roots – for example in the fact some of the dominant figures of the 1970s computer industry were influenced by 1960s “counterculture”, which was suspicious of, and hostile to, the US political and corporate system that had enmeshed the country in the Vietnam war. It found its wildest expression in John Perry Barlow’s 1996 Declaration of the Independence of Cyberspace.

The idea that the tech industry exists, somehow, “outside” of society was always misconceived, even when the industry was in its infancy. After all, it was built on the back of massive public investment in defence electronics, networking and research conducted in corporate laboratories such as Bell Labs or consultancies such as BBN. But in an era where it’s clear that Google and Facebook have, unintentionally or otherwise, been influencing democratic politics and elections, it is positively delusional. We have reached the point where almost every “technological” issue posed by the five giant tech companies is also a political problem requiring political and possibly legislative responses. The technical has become political.

No 92: Facebook is many things, but a “community” it ain’t
One of the favourite phrases of Mark Zuckerberg is “the Facebook community”. Facebook is many things, but a community it is not. It’s a social network, which is something quite different. In a social network (online or off), people are connected by pre-existing personal relationships. Communities, on the other hand, are complex social systems because they consist of people from different walks of life who may have no personal connections at all. A good example is the English village where I live. I am friends with some villagers, and know my neighbours pretty well. But there are many others in the village whom I don’t know and with whom I may have little in common. But there’s no doubt that they and I are all members of the same community.

Online groups confirm the power of homophily – the tendency of individuals to associate and bond with others of similar ilk. Facebook provides a framework that contains innumerable homophilic groups. But it isn’t a community in any meaningful sense of the word.

Domino’s blames data breach on former supplier’s systems | Technology

Domino’s Australia has blamed a system “issue” of a former supplier for a leak of customer personal information to spam email lists.

The pizza seller has called in the Australian information commissioner to investigate the breach but insists its systems haven’t been compromised. Instead, it blames a “former supplier’s systems” for leaking customer email addresses, names and store suburb.

“Domino’s acted quickly to contain the information when it became aware of the issue and has commenced a detailed review process,” an undated statement posted on the company’s website reads.

The company did not say when it first became aware of the issue and insists no financial information has been accessed.

Customers complained on social media about the “eerie” personalised emails and the lack of communication from Domino’s Australia.

“It was a bit eery [sic] getting all these spam emails that somehow knew my name and suburb and initially were making it past the spam filter,” Mitchell Dale posted on Domino’s Facebook page.

“The decision to try to keep me in the dark and not announce what had happened is why I will not be ordering Dominos again.”

“Nothing better than waking up finding out your data has been breached,” Dylan James posted on Facebook. “Why haven’t you informed anyone yet?”

“I won’t be ordering from you again, not because of the breach but because of how you chose to handle it,” Lara Douglas posted.

Mandatory data breach notification laws will come into effect in February 2018, meaning organisations like Domino’s will have to notify customers of any data breaches.

The assistant minister for cybersecurity, Dan Tehan, advised people to watch for suspicious messages, links and attachments. “You should always be suspicious of unsolicited emails requesting personal or financial information,” he said.

Domino’s Australia says it ceased working with the former supplier in July.

Cispa, Data and computer security, Data protection, GCHQ, Internet, Law, MI5, MI6, Privacy, Technology, UK news, UK security and counter-terrorism, World news

UK spy agencies may be circumventing data-sharing law, tribunal told | Technology

MI5 and MI6 may be circumventing legal safeguards when they share bulk datasets with foreign intelligence services and commercial partners, a court has been told.

Most of the bulk personal datasets relate to UK citizens who are not of “legitimate intelligence interest”, the investigatory powers tribunal (IPT) has heard.

The system of independent commissioners, usually retired judges, who were supposed to maintain independent oversight over these procedures had been inadequate and was a “blatant failure”, Ben Jaffey QC, for Privacy International, told the IPT.

While GCHQ has said it insists its partners adopt equivalent standards when processing bulk data, Jaffey said, neither MI5 nor MI6 adopts a similar approach.

“The effect will be the circumvention of the UK legal regimes,” he added. “Protections will be avoided.”

The challenge brought by Privacy International alleges that data-sharing regimes and the legal oversight system are illegal.

Bulk personal datasets contain highly sensitive personal information, such as data drawn from social media sites or online dating sites, the tribunal heard. “Such datasets are very intrusive,” Jaffey said. “They contain information that goes right to the core of an individual’s private life.”

The IPT, which is sitting at Southwark crown court this week, hears claims about the legality of surveillance and complaints against the intelligence services.

One important industry partner of GCHQ, the tribunal has been told, is the University of Bristol. Documents revealed by Edward Snowden, the US whistleblower, indicate that researchers are given access to GCHQ’s entire raw unselected datasets, including internet usage, telephone call logs, websites visited, online file transfers and others.

Researchers are also given access to GCHQ’s targeting database, supposedly delivered at least once a day, the tribunal has been told. That, it was said, is an exceptionally sensitive dataset.

Jaffey said analysts at GCHQ were supposed to record their reasons for searching bulk datasets, yet those statements were not seen by the oversight commissioners.

Outside the court, Millie Graham Wood, a solicitor at Privacy International, said: “The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful.

“After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data nonexistent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.

“The risks associated with these activities are painfully obvious. We are pleased the investigatory powers commissioner’s office is keen to look at these activities as a matter of urgency and the report is publicly available in the near future.”

The hearing continues.

Cybercrime, Data and computer security, Data protection, Hacking, Internet, Technology, Telecoms, Wifi

Wifi security is vulnerable to hacking, US government warns | Technology

The security protocol used to protect the vast majority of wifi connections has been broken, potentially exposing wireless internet traffic to malicious eavesdroppers and attacks, according to the US government’s cybersecurity group.

The United States Computer Emergency Readiness Team (Cert) issued a warning last night in response to the vulnerability in the wireless security protocol WPA2, which was published on Monday morning.

“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, detailing a number of potential attacks. It adds that, since the vulnerability is in the protocol itself, rather than any specific device or software, “most or all correct implementations of the standard will be affected”.

The development is significant because the compromised security protocol is the most secure in general use to encrypt wifi connections. Older security standards have been broken in the past, but on those occasions a successor was available and in widespread use.

The vulnerabilities were discovered by a researcher from Belgian university KU Leuven, Mathy Vanhoef. He has given the weakness the codename Krack, short for Key Reinstallation AttaCK.

Alex Hudson, the chief technical officer of subscription service Iron, says that it is important to “keep calm”.

“There is a limited amount of physical security already on offer by wifi: an attack needs to be in proximity,” Hudson writes. “So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.

“Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site … your browser is negotiating a separate layer of encryption. Accessing secure websites over wifi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.”

Crucially, the attack is unlikely to affect the security of information that is protected by a further layer of encryption on top of the standard WPA2 encryption. This means that connections to secure websites are still safe, as are other encrypted connections such as virtual private networks (VPN) and SSH communications.

However, insecure connections to websites – those which do not display a padlock icon in the address bar, indicating their support for HTTPS – should be considered public, and viewable to any other user on the network, until the vulnerability is fixed.

Equally, home internet connections will remain difficult to fully secure for quite some time. A fix for the vulnerability will require updating the wireless router used on the network, as well as every device connected to it. Unless that happens, anyone physically close to the network (such as neighbours and passersby) may be able to use the internet connection themselves – perhaps simply getting free bandwidth, perhaps covering their tracks for less legitimate activities.

Data and computer security, Data protection, Europe, Hacking, Russia, Technology, World news

Kaspersky Lab denies involvement in Russian hack of NSA contractor | Technology

Moscow-based cybersecurity firm Kaspersky Lab has hit back at a report in the Wall Street Journal which accused it of being involved in a Russian government hack of an NSA contractor in 2015.

The paper reported on Thursday that the NSA contractor, a Vietnamese national who was working to create replacements for the hacking tools leaked by Edward Snowden, was hacked on his personal computer after he took his work home.

There, the report says, the contractor’s use of Kaspersky’s antivirus software “alerted Russian hackers to the presence of files that may have been taken from the NSA”. Once the machine was in their sights, the Russian hackers infiltrated it and obtained a significant amount of data, according to the paper.

Calling the allegations “like the script of a C movie”, Eugene Kaspersky, the infosec firm’s founder, gave his own explanation of what might have happened.

Mr Kaspersky vehemently denied that his company had played any active role in the breach, noting: “We never betray the trust that our users put into our hands. If we would do that a single time that would be immediately spotted by the industry and our business would be done.”

Instead, he implied that the root of the problem was that Kaspersky Lab had correctly identified the hacking tools the contractor was working on as malware – perhaps through Kaspersky Lab’s own research into the Equation Group, a “sophisticated cyber espionage platform” believed to be linked to the NSA.

From there, Mr Kaspersky implies, it may be the case that Kaspersky Lab’s own data was hacked by the Russian government. “Even though we have an internal security team, and do bug bounties, we can’t give 100% guarantee that there are no security issues in our products, name another security software vendor who can!”

Kaspersky’s defence is roughly in line with the general consensus among nonaligned information security experts. Matthew Green, a cryptography professor at Johns Hopkins University, wrote: “Consensus on infosec Twitter is that Kaspersky may not have colluded with [the Russian government]; just maybe their product may be horrendously compromised.

“Not quite sure how that’s qualitatively different from the point of view of Kaspersky customers. But I guess it’s something.”

In an unusual move for a technology chief executive, Mr Kaspersky republished Green’s tweet calling his product “horrendously compromised” in his own blogpost.

The hacking incident in question may be the key evidence used in September to drive a US government-wide ban of Kaspersky products.

At the time, the Department of Homeland Security said it “is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks”.

In an official statement about the allegations, Kaspersky Lab said: “As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.”

Apps, Data protection, Europe, European Union, Internet, Privacy, Technology, Tinder, World news

Getting your data out of Tinder is hard. It shouldn’t be | Paul-Olivier Dehaye | Technology

When a journalist approached me to help her get a copy of her personal data from Tinder, I knew this would be a good story. Judith Duportail had read my work researching the use of psychometrics during the US elections and the Brexit referendum. Duportail knew that Tinder computes a “desirability score” for their users: Tinder’s CEO had told another journalist their score, emphasising how complex and advanced its algorithm supposedly was. Curiosity piqued, Duportail wondered whether Tinder would tell her, or any other user who asked, their score, and how it was computed.

Any European company has, in theory, the obligation to disclose the personal data it holds about any individual who asks. Companies even have to disclose the “logic of the processing” of that data.

These rights can be very powerful tools for the democratic and distributed oversight of the data economy, but they have unfortunately fallen into misuse. That’s partly by design: who has the illusion they still have some power in a relationship, when they are reduced to clicking a box at the bottom of dozens of pages of a “privacy policy”?

Even though those rights do exist, enforcement is very difficult because of the many different national laws and the many gaps in the regulatory framework. Despite complaining to two data protection authorities, enlisting the help of a human rights lawyer, my sourcing of information from Norwegian consumer advocates, and many conversations with Tinder, Duportail never got her desirability score. The Dallas-based company is, at least for now, untouchable from a legal standpoint: in most cases, a European citizen simply has no meaningful access to scores computed about them in the US.

Instead Duportail eventually got some of the rest of her data, but only on a voluntary basis, and only after she identified herself as a journalist. Her non-journalist friends who followed suit never got responses to similar requests.

Finally armed with the 800 pages she had clawed back from Tinder, Duportail wrote a story reflecting on her own relationship with her data, and the myopic view Tinder had of her love life. I feel her story helps bridge the chasm between those with information stored in the database and the architects behind it, providing much needed neutral common ground to democratically discuss power distributions in the digital economy.

Given the popularity of her story, and my overflowing inbox, I would say many agree. And indeed, you should expect more similar stories to be unearthed in the future because of the upcoming General Data Protection Regulation (GDPR). From May 2018, the new European-level regulation will come into force, claiming wider applicability – including on US-based companies, such as Tinder, processing the personal data of Europeans – and harmonising data protection and enforcement by “levelling up” protections for all European residents.

Journalists, but also educators, NGOs and the rest of civil society, will have more powerful regulators to turn to if they are prevented from informing the general public about pressing issues in the data economy.

But beyond the much older right of access, the true revolution of GDPR will come in the form of a new right for all European citizens: the right to portability.

This right will transform consumers into real actors in the data economy. Companies will have a legal obligation to move the data you provided from one company to another, if you so wish. In a world where personal data is an asset increasingly used to concentrate power, and then to abuse that position in the market, this new right will provide a much needed balancing mechanism on the incumbents. One can hope.

  • Paul-Olivier Dehaye is the co-founder of PersonalData.IO, a Swiss startup helping individuals regain control over their personal data
