Twelve US companies settle FTC claims of Safe Harbor misrepresentation

Twelve US companies have allowed their US-EU Safe Harbor certification to expire, but continued to display certification seals on their websites. When pressed by the FTC, all 12 companies quickly agreed to settle the FTC complaints. Settlement details have not yet been released.

US Companies allowed their self-certifications to lapse

What is the US-EU Safe Harbor Certification?

The European Union Data Protection Directive acts to restrict the private data storage, use, and transmission among participating EU states. The directive’s seven principles are:

  1. Notice – people should know that data is being collected
  2. Purpose – data should only be used for stated purposes
  3. Consent – people should be required to give consent for data disclosure
  4. Security – data should be kept secure
  5. Disclosure – people should know who is collecting their data
  6. Access – people should be allowed to access their data and make corrections to any inaccurate data (for example, if a credit reporting agency incorrectly lists an account)
  7. Accountability – people should be able to hold companies accountable when they mess up

EU companies must abide by each local EU state’s enforcement laws in order to do business. International businesses must abide by the same protection laws, and if they don’t, they won’t be allowed to transfer personal data into or out of the EU countries. Obviously compliance with so many different local data laws is difficult; the US attempts to solve this problem with the Safe Harbor Certification. If a US company self-certifies that it complies with all seven principles, it can operate within the EU countries without hassle. This self-certification needs to be renewed once a year, and if a company fails to do so, as these 12 companies did, it must remove all certification marks from its websites. If it doesn’t, the FTC will investigate and fine it.

Which US Companies let their certification lapse?

According to the FTC, the following 12 companies let their certification lapse, didn’t remove their certification marks, were charged by the FTC, and decided to settle the FTC charges against them:

What’s the significance?

We don’t know the penalty that will be imposed yet, but each company can be fined up to $16,000. The fine is pitifully insignificant for all of these companies, so it will likely not have much dissuasive impact on US companies for non-compliance. There is no indication that any of the companies intentionally misused personal data, so in reality there won’t be much of a functional impact for US or EU citizens. The most significant result of these enforcement actions is the message that the US sends to the EU: that we respect their sovereignty, that we intend to comply with their laws, and that we will hold our own companies responsible when they break those laws.

Project “Quantum” gives NSA access to 100k+ offline computers

Project code-name “Quantum” gives the NSA the ability to remotely access computers disconnected from the internet from up to 8 miles away.

The NSA Project Quantum can access data from offline computers from up to 8 miles away

If you’re tech-savvy enough to be reading this blog, you should at least have an intuitive understanding that computers connected to the internet are vulnerable to remote access and attack. Less intuitive is that computers completely disconnected from the internet can also be remotely accessed. The New York Times recently released an article detailing Project Quantum, which gives the NSA the ability to remotely access a computer from up to 8 miles away. Initial estimates put the NSA’s reach with this program at more than 100,000 computers.

How it Works

The NSA first needs to physically embed circuitry in the computer. It’s been revealed that the NSA has in the past intercepted computer shipments and embedded the circuitry inside the computer itself. Another technique is to hide the circuitry inside a USB plug for a device that will eventually be connected to the computer. These circuits, when powered, can transmit data over a covert radio frequency to a mobile receiving station. The receiving station can fit inside a regular briefcase, and must be within 8 miles of the compromised computer. The receiving station then transmits the data back to the NSA.

No Domestic Use Detected so far

So far, there is no evidence that the NSA has used these intercept programs domestically; the intended targets are all high-value international intelligence figures. There’s little reason to doubt this claim, because the expense and effort required to physically bug an individual computer is immense.

The takeaway

Even if you think yourself important enough to warrant personal surveillance from the NSA, it’s unlikely you would have the technical expertise required to identify and remove these hidden circuits. While we lack specifics about the exact transmission method, we know it to be within the radio spectrum, so it is reasonable to assume that a computer placed in a fully electromagnetically shielded room might be protected from this particular method. Certainly I do not recommend disconnecting your devices from the internet and wrapping your house in aluminum foil; rather, just take this post as a reminder of the NSA’s incredible technological reach.

Holiday season credit card hacks are more extensive than first thought

In addition to Target and Neiman Marcus, at least three other unidentified retailers were also hacked in December and leaked their customers’ private information.

Target, Neiman Marcus, and three other unidentified merchants were hacked in mid-December of 2013.

Target was the first major retailer to publicly announce that it had been hacked in mid-December. Its initial disclosure estimated that 40 million customers were affected, but Target recently updated this figure to 70 million. This past weekend, Neiman Marcus also announced that it was hacked at around the same time, but hasn’t yet released how many customers were affected. Just today, anonymous sources claimed that at least three other brick-and-mortar retailers, most likely those with a physical presence in shopping malls, have also been subjected to a cyber attack originating from Eastern Europe. While not yet conclusively established, the similarities between the attacks seem too strong for them not to be connected somehow.

Worst Case Scenario

If a store leaked enough of your personally identifiable information, then new accounts could be opened in your name. To protect against new accounts being fraudulently opened in your name, you can ask the three major credit reporting agencies to place a credit freeze on your reports. When frozen, if someone (including yourself) tries to open a line of credit, it will be denied, and the credit reporting agencies will contact you for your instructions. The major downside to this option is that in most cases you’ll have to pay a fee to unfreeze your credit reports when you actually do want someone to access your credit report. Alternatively, you could just pay close attention to your credit reports, and close down fraudulent accounts if they get opened. Even if there weren’t this massive security breach, you should be proactively monitoring your credit reports to keep an eye on the personal information that these credit agencies are authorized to keep. Remember, by federal law you’re allowed one free credit report per year from each of the three major reporting agencies. The best strategy is to stagger your free reports, pulling one report every four months, rotating the agencies as you go.

Most likely scenario

While some people will inevitably have accounts opened in their name, the large majority of people will just see fraudulent purchases charged to their credit cards. You should carefully examine your credit card statements for unauthorized charges. With the wide-scale availability of online account access, you can probably also catch fraudulent purchases as they happen. Federal law restricts your liability on unauthorized credit card purchases to $50, but all of the major card networks reduce that liability to $0 in an effort to keep customers happy. If you used a debit card instead of a credit card, your protections under the law are shockingly weaker. Your liability can be as high as $500 if you don’t contest the charge within 60 days after receiving a bank statement, and your liability will be unlimited if you don’t report it within 60 days after that. Again, many banks will waive the liability to keep you happy, but they don’t legally have to, so take the personal initiative to stay on top of your finances.

And in the future

Retailers will always be targets for data theft. Do your best to minimize exposure to the risks. If you like to pay in cash, continue to do so. When the merchant asks you for your phone number or e-mail address to send you coupons, just decline. And when they ask for your zip code, decline that as well. They may try to claim it’s to prevent fraudulent purchases, but in actuality, when the merchant combines the information it receives from the payment network with your zip code, that merchant will be able to personally identify you with near-100% accuracy. And remember, as the consumer, you always have the power. If the merchant insists on getting your personal information, and you don’t feel comfortable providing it, leave and support a merchant who has more respect for your privacy.

How to opt-out of direct Google+ e-mails

If you have a gmail.com e-mail address, and a Google+ account, pay close attention: Google has released a feature that allows anyone on Google+ who adds you to his/her circles to send you an e-mail directly, without even knowing your e-mail address.

Any random Google+ user will now be able to add you to his/her circles and send you e-mails directly.

You do not need to have these people in your circles for them to e-mail you. If they are in your circles, then their e-mails will go to your Primary tab, otherwise they’ll go to your Social tab, assuming you have the tabbed inbox feature enabled. This feature is enabled by default, even for existing gmail accounts.

Here’s how the feature works

Once someone sends you an e-mail via Google+, you have three options:

  1. Allow the message and future messages by adding the person back to one of your circles, or by replying to the e-mail. NOTE: If you reply to the e-mail, your e-mail address will be made visible to the other person!
  2. Block the message and future messages by clicking on the Report Spam or Abuse button.
  3. Ignore the message. If you do nothing, that sender will be able to send replies to that specific e-mail, but won’t be able to send you any new e-mails in the future.

How can I opt-out of this new feature?

  1. Open Gmail.
  2. Click the gear-box in the top right.
  3. Select Settings.
  4. In the General tab, scroll down to the Email via Google+ section.
  5. Click the drop-down menu and choose Anyone on Google+, Extended circles, Circles or No one. Selecting “No one” will opt you out of this feature, and you won’t see these new Google+ e-mails.
  6. Click Save Changes at the bottom of the page.
Select the highlighted option to opt-out of this feature entirely.

There is some value to this service; maybe you live a quasi-public life, and want to allow people to contact you without necessarily making your e-mail address fully public. For these use-cases, Google should have made this feature opt-in, rather than enabled by default.

CNIL fines Google €150,000 for its Unified Privacy Policy

Today, January 8, 2014, CNIL announced it had fined Google €150,000 last week on January 3rd for violations of the French Data Protection Act.

CNIL Headquarters in Paris. [Image Courtesy]

What’s the French Data Protection Act?

In 1978, France enacted loi n° 78-17, the French Data Protection Act. This Act protects how personally identifiable information, like your name, address, contact information, and sensitive personal information, is processed. When a company wants to collect, process, or otherwise use personally identifiable information, it must first inform that person, limit how long it keeps the data, provide easy ways to view and delete that data, limit international transfer of that data, and give CNIL a detailed description of its business and how it will process personal data.

What is CNIL?

This Act created Commission nationale de l’informatique et des libertés (CNIL), which is an administrative regulatory agency that monitors companies to make sure they comply with the Act, and processes applications and reviews. CNIL also has the power to fine companies for violating the Act. As a part of CNIL’s constant monitoring, it noticed Google’s new Unified Privacy Policy violated parts of the Act.

What is Google’s Unified Privacy Policy?

Companies issue Privacy Policies, which are detailed descriptions of what kinds of personal data are collected from internet users when they use the company’s website. Google has many services (Search, Gmail, Maps, YouTube, etc.), and before March 2012 each service had its own privacy policy. However, on March 1st, 2012, Google unified these policies, and one single privacy policy controlled data processing across all of Google’s services.

How did the Unified Policy violate the Act?

CNIL claims that Google:

  1. Did not inform users why data was being processed.
  2. Started tracking data before getting users’ consent.
  3. Did not say for how long data would be stored.
  4. Collects user data from many of its services, and combines them together.

Points 1 and 4 are big problems, because Google combines user data from all of its services to more accurately target advertisements to its users, but it doesn’t make clear that that’s what it’s doing. For example, if you get a wedding invitation sent to your Gmail, you might start seeing ads for tuxedo rentals in your Google Maps. CNIL claims that such integrated data collection and usage violates the Act. Of course, Google disagrees, and continues to believe that its Unified Policy is 100% legal.

The Final Thought

The fine is significant because it’s the largest single fine CNIL has ever issued against a company. Also, France isn’t alone in thinking the Unified Policy is a privacy nightmare; both the Dutch and Spanish Data Protection Authorities came to similar conclusions last year. The unfortunate reality is that €150,000 (around $204,000 USD) is a mere drop in the bucket for Google. To put it in perspective, based on Google’s public 2012 financial reports, Google makes around $20,428 net profit every minute; CNIL’s fine works out to just under 10 minutes’ worth of profit. It’s unlikely Google will see these fines as a significant deterrent to its continued unified, pervasive user data collection, especially when it’s so profitable.

Edited on January 9, 2014: added net profit per minute to provide perspective on the insignificance of the fine.

Should you be concerned about AT&T’s Sponsored Data plan?

Today AT&T announced plans to launch a mobile Sponsored Data scheme, where consumers who use apps from participating providers would have those data charges billed directly to the provider.

A screenshot of AT&T's proposed Sponsored Data plan.

For example, let’s assume that Facebook will be a participating provider*, and that you have a 2 GB/month data plan. When you open the Facebook app, and it begins to auto-play a video, the data that the video uses will not be charged against your 2 GB/month plan, but rather will be billed directly to Facebook.

At first glance this scheme may sound great for consumers; after all, you’re getting free data. But once you look harder, it’s easy to find parts of this plan that may have privacy implications.

The Provider as a dumb tube

In an ideal world, service providers would just be a dumb tube, doing nothing more than transferring data from your content provider to your devices. But AT&T’s scheme directly inserts the carrier into an otherwise private stream of data. While an ISP certainly already examines your internet traffic, it previously was not in a position where it could directly negotiate with your content provider.

A hypothetical negotiation

It’s fairly safe to assume these participating providers will not pay retail prices for the data. Where you might be paying $7.50/GB of data, let’s assume the providers will pay $5/GB. AT&T could offer an even steeper discount to the provider if the provider gave AT&T information about you. Let’s assume Facebook knows which TV shows you Liked on Facebook. AT&T might offer a discounted rate of only $4/GB if Facebook agreed to give AT&T that information.

Why would AT&T want to do that?

Advertising. The more AT&T knows about you, the better it can target advertising towards your interests. And it’s not inconceivable AT&T will use the Sponsored Data scheme to expand the profile data it already has on its subscribers. AT&T is already rolling out a plan where it offers a 30% discount to direct subscribers if you allow it to track everything you do on the internet. Here, it might just offer that same discount to the participating providers.

What should I do?

For now, just wait. The Sponsored Data plan is not active yet, and we don’t have a finalized idea of exactly how it will work. Perhaps AT&T will take the privacy-conscious route and protect consumers with strong terms of service. Perhaps AT&T will offer an opt-out mechanism for data tracking. Keep following Privacy Blawg for updates on AT&T’s plans as they come in.

*It is important to note that there is no indication Facebook will be a participating provider; it is merely suggested as an example.

An opening letter from your Editor

My name is Raymond Chow, and I’m an attorney in New Jersey. As lawyers, we have a leg-up in many aspects of this world that has slowly become riddled with complex law and regulation. We can see changes in the tax code coming, and save ourselves thousands in taxes. We know our Constitutional rights better, and can protect ourselves from police abuse before it happens. And of course, we’re all experts at finding the tiniest mistake in a parking ticket.

But as proficient as most lawyers are at mundane legal topics, privacy still eludes many. Without an explicit US Constitutional framework for individual privacy rights, courts have to piece together privacy rights in a hodgepodge manner that’s confusing to even the most seasoned attorneys. Combine this confusion with the fact that technology rapidly outpaces legislation and you’re left with a situation where attorneys and non-attorneys alike are often left without a clue.

That’s where Privacy Blawg comes in. It’s disheartening to see Twitter and Facebook posts from people with great passion for individual privacy rights, but who misstate the law. It’s even worse to see people wholly apathetic to their individual rights. My hope is for Privacy Blawg to raise awareness of privacy breaches and issues, whether they occur in the private sector or public sector, whether they be high-profile or not. I hope to engage with my readers in a serious discussion about where our country is headed with its privacy rights. I hope to get everyone to see their privacy rights in a more discerning light, and take steps to protect them whenever possible. And I hope to do it all with minimum legalese.

Law school and the Bar exams were grueling, expensive processes, and perhaps attorneys should get some sort of perk for having gone through it all. For me though, that perk-train stops at getting out of parking tickets. Awareness and comprehension of individual privacy rights should be for everyone, and I hope to make it so.