Today is International Data Privacy Day

January 28th marks the annual Data Privacy Day, a day to highlight and educate people and organisations on how individuals’ privacy should be protected. To mark the day there will be numerous events held worldwide to raise awareness about privacy and data protection.

This video from Belgium is one of the more powerful demonstrations of how people can leak their personal information online and potentially how it could be abused by others.

For organisations looking to determine how they should be protecting the personal data entrusted to them, the Irish Data Protection Commissioner’s Office has a useful self-assessment checklist. If your organisation gathers information from individuals then this is an excellent resource for you to use.

If you are looking to develop applications and/or services then it is important to ensure you design privacy in from the very beginning. ENISA’s “Privacy and Data Protection by Design – from policy to engineering” document is an excellent resource.

Happy Data Protection Day!!

Privacy – by Design?

This is our first blog of 2015 and we’d like to wish all the readers of SecurityWatch a very Happy New Year!

So what are the predictions for cybersecurity issues this year?! More open source software bugs, vulnerabilities in mobile payment systems, IoT attacks…etc. Apart from these issues, there is one global concern which is ongoing and undoubtedly growing – PRIVACY.

Surveillance issues are at the forefront due to rising terrorist activities. Such activities, which could be potential threats to a nation or its people, compel governments (or so they claim) to keep a close eye on all activity over the wire within their remit.

Not long ago, such operations were conducted covertly. But the NSA and GCHQ revelations by Edward Snowden, starting June 2013, were an eye-opener for many. An international survey on Internet security and trust of 23,376 Internet users in 24 countries reported that 60% of Internet users have heard of Edward Snowden, and 39% of those ‘have taken steps to protect their online privacy and security as a result of his revelations’, which is a considerable number.

Recently the UK’s prime minister announced that, if elected again, he would block chat messengers that support end-to-end encryption (such as WhatsApp, iMessage, Telegram, Cyberdust, etc.), as part of his plans for new surveillance powers announced in the wake of the Charlie Hebdo shootings in Paris. Seems like the onus is now on the citizens to assist the governments by sacrificing their privacy as opposed to them putting in more resources to tackle terrorist threats.

And it isn’t just the governments ready to put their hands on any kind of personal information available over the wire, there are other actors involved as well. Cyber theft is escalating and information is being sold on the deep web or darknet for financial gain. Moreover, companies monitor user activity more than ever before to keep track of users and their activities to boost sales.

Such growing interest in personal information for malicious purposes compels us to think more and more about protecting our privacy online in the internet era. This Hindi proverb, in my view, explains it well –

“Shaadi laddoo motichoor ka, jo khaaye pachtaye, jo na khaaye pachtaye”

Which means – Marriage is like a delicious tempting sweet, the one who consumes it suffers as well as the one who doesn’t (unless you absolutely hate sweets)! Which is entirely true if we substitute Internet in place of Marriage in this case. Anyone using the internet needs to be cautious and must take proactive measures to protect their privacy if they want to have a good relationship with it!

There are already complaints being lodged and measures being taken to strengthen the privacy regulations in Europe. Among them is the “Right to be Forgotten” Ruling (C-131/12) that states a search engine will have to delete information, along with the links when it receives a specific request from a person affected.

Some users of the internet, especially the younger generation, might relate to privacy as only changing their Twitter or Facebook settings to restrict feeds and pictures to contacts.

However, privacy is more than that.

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” – Marlon Brando

Privacy is a fundamental human right. This is acknowledged by Article 8 of the European Convention on Human Rights, which provides a right to respect for one’s “private and family life, his home and his correspondence”. The Charter of Fundamental Rights of the European Union and Universal Declaration of Human Rights have similar sections on privacy protection.

However, not every fundamental right that a citizen possesses is set out in a country’s constitution. For example, in Ireland, the Constitution does not specifically state a right to privacy but the courts recognize that the personal rights in the constitution imply the right to privacy.

Privacy is an integral element of democratic societies and this applies to the digital world as well. Digital technologies may be designed to protect privacy. Since the 1980s technologies with embedded privacy features have been proposed. During that time, deploying Privacy Enhancing Technologies (PETs) (e.g. encryption, protocols for anonymous communications, attribute based credentials and private search of databases) was seen as the solution as opposed to embedding of privacy into the design of technology. However, apart from a few exceptions such as encryption, PETs haven’t really become a standard or a widely used component in system design.

Most of us may have heard about the relatively newer concept of Privacy by Design (PbD) which has been around for a few years now. It was developed by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, back in the 90’s. Dr. Ann argued that “the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”

Privacy by Design is believed to be accomplished by practicing its 7 Foundational Principles, which have been translated into over 30 languages.

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality – Positive-Sum, not Zero-Sum
  5. End-to-End Security – Full Lifecycle Protection
  6. Visibility and Transparency – Keep it Open
  7. Respect for User Privacy – Keep it User-Centric

Privacy is a challenging subject that covers a number of domains, including law, policy and technology. Some believe that the concept of Privacy by Design is too vague and that, since it focuses not on the role of the actual data holder but on that of the system designer, it is not applicable in privacy law.

Despite the criticism, Privacy by Design has been globally recognized and adopted. The U.S. Federal Trade Commission recognized Privacy by Design in 2012 as one of its three recommended practices for protecting online privacy. In addition, a variation of the concept, known as ‘Data protection by Design’ has been incorporated into the European Commission plans to unify data protection within the European Union with a single law – the General Data Protection Regulation. The variation apparently goes beyond mere technical solutions and addresses organisational procedures and business models as well. However, since the proposal does not explicitly define or give references for definitions of either data protection by design or privacy by design, the precise meaning of these concepts is nebulous.

In an effort to encourage adoption and implementation of privacy by design, and to provide guidance on privacy engineering practices, several bodies have taken initiatives.

European Commission

In January 2012 the European Commission proposed a regulation on data protection that will replace the existing Data Protection Directive. The proposal for the new regulation in general associates the requirements for data protection by design and data protection by default with data security and contains specific provisions relevant to Privacy by Design and by Default.

European Union Agency for Network and Information Security (ENISA)

In December 2014, the European Union Agency for Network and Information Security (ENISA) published a report to elaborate on how privacy by design can be implemented with the help of engineering methods. According to the ENISA report:

“The principle “Privacy/Data Protection by design” is based on the insight that building in privacy features from the beginning of the design process is preferable over the attempt to adapt a product or service at a later stage. The involvement in the design process supports the consideration of the full life-cycle of the data and its usage.”

The report is intended for data protection authorities, policy makers, regulators, engineers and researchers. It discusses the notion of a privacy design strategy, and how it differs from both a design pattern and a PET. Moreover, the report briefly summarizes the eight privacy design strategies as derived by Hoepman from the legal principles underlying data protection legislation for both data and processes. It also provides a list of privacy implementation techniques.

The report identifies and highlights some limitations of privacy by design too. The predominant ones are – fragility of privacy properties if two systems are combined or one embedded in the other, absence of a general and intuitive metric that allows comparing two systems with the same or similar functionality with respect to a set of privacy properties, increased complexity and reduced utility of the resulting system and different interpretations of privacy by design.

National Institute of Standards and Technology (NIST)

A similar initiative is underway at NIST as well, called the Privacy Engineering initiative, which focuses on providing standards-based tools and privacy engineering practices to help evaluate the privacy posture of existing systems, enable the creation of new systems that mitigate the risk of privacy harm, and address privacy risks in a measurable way within an organization’s overall risk management process. The organization published a draft last year in April – NIST Privacy Engineering Objectives and Risk Model Discussion – in which a definition for privacy engineering was proposed:

“..a collection of methods to support the mitigation of risks to individuals of loss of self-determination, loss of trust, discrimination and economic loss by providing predictability, manageability, and confidentiality of personal information within information systems.”

However, as per our knowledge, this is not the final accepted definition and a meeting to update the draft will be held in February 2015.

Although the requirement for such initiatives was long due, these standards, regulations and guidelines can only take us so far when it comes to protecting our privacy in times of these technological transformations and rising cyber security threats. Nevertheless, using the right means with the right technology and embedding privacy and data protection in the way we design/build solutions could certainly facilitate the protection of our user identities in this crazy world of the internet.

Stay Safe!

Today is Privacy and Data Protection Day

Today, the 28th of January 2011, marks the European Privacy and Data Protection Day.  In a time when our online privacy is being eroded by the use of social networks and companies and governments continue to store our personal details in ever increasing databases, today is a day to reflect on how your use of the Internet and social networks impacts on your privacy.

In today’s Irish Times Karlin Lillington has an excellent piece on privacy and the impact various government legislation has on it. Indeed, earlier this week the Data Protection Commissioner’s office also issued a warning to politicians that they must respect people’s privacy when canvassing and not send unsolicited emails or texts unless they have gained the person’s permission.

However, the worrying message from the above is that people seem to have little or no awareness of their right to privacy or the impact infringements of that right can have on their lives. This can be seen by how much personal information people voluntarily give to social media networks such as Twitter and Facebook. It is also exemplified by the acceptance of greater and greater government monitoring of people’s activities all in the name of security.

I accept that governments need to be able to access certain information to investigate or prevent illegal activities, but it must be done in a balanced manner. It is important that the rights of the individual are not impinged or trod upon and that appropriate controls and judicial oversight are in place.

Yesterday saw the release of Privacy International’s European Privacy and Human Rights report for 2010, which highlighted a worrying trend in the increase in surveillance within countries within the EU. In particular Ireland came under a lot of criticism.

HelpNet Security magazine has an excellent overview of the report together with some of my thoughts on the matter.

It is also worth noting the below privacy map published by the Forrester Group highlighting how different countries respect the privacy of their citizens.

Facebook announced this week that they will now provide secure web browsing using HTTPS for all activity within their social network, which should protect individuals from having their information compromised by someone monitoring their network traffic.

So on today of all days perhaps you should go and check your privacy settings within your Facebook user profile, and with the upcoming elections you should take the opportunity to quiz your local candidates on their stance regarding our right to privacy.

Discussing Online Privacy – Don't be A Victim Online

You may remember that in 2008 I was challenged by technical journalist Marie Boran to steal her identity using only information I could get online.  I subsequently spoke at a number of conferences on the subject and you can find a copy of that presentation online.

Last Thursday both Marie and I were invited onto the Daily Show to discuss that project and the implications for people’s online privacy. It was an interesting talk and fun to watch Claire Byrne’s face when I mentioned I had been following her Twitter stream. The interview is now available online (the interview begins 17 minutes and 50 seconds into the show). Also the tips I gave are available on the Daily Show’s website.

Google WiFi Sniffing SNAFU

Recent investigations by German authorities discovered that the Google street car was recording information about Wireless Access Points it detected during its journeys.  More seriously it was revealed that the system recording that data was also gathering any data being transmitted over any unsecured wireless networks it detected.  Google claims that this was a mistake and has promised to delete all such data.

On Tuesday the 18th May the RTE news covered the story and I was interviewed as part of the piece which is available here.

The Cost of Privacy

I got an email today pointing me to this story in Time magazine, Trying to Escape the Surveillance State, where a journalist tries to live for a month without his privacy being impinged.   It led to a conversation about privacy and whether or not there is privacy on the Internet or will people pay the cost for the amount of personal information that they freely give to various sites such as Facebook, Twitter, LinkedIn etc.

I argue that there is privacy on the Internet depending on the choices you make. In most cases an online transaction, be that purchasing something online, joining a social network or sending emails, has privacy as an element built into the cost of that transaction. In order to buy those goods you surrender your privacy surrounding your personal details to receive those goods, you also probably use a credit card which means that your transactions are noted by your credit card issuer, and finally sites may keep track of your activity to suggest recommended goods on your next visit. This is no different from the physical world where you purchase items by credit card and perhaps use a loyalty card in the store.

Joining a social network, e.g. LinkedIn, also has its privacy transaction costs. If you want the benefits of a social network then you need to surrender your personal details to become part of that network. In real life you join social clubs and meet friends in public places, where you also trade part of your privacy to take part in the group.

Some will argue that governments’ monitoring of Internet usage is a breach of privacy, for example that your Internet browsing and email history is retained under the EU Data Retention Directive and that your ISP knows all your activity from their system logs, as recently highlighted by the Phorm controversy in the UK.

This is true but you can still take measures to protect your privacy online using various techniques such as anonymous proxies, never using your real name online, never purchasing items online and not joining any social networks or forums.

You can control your privacy on the web, the question needs to be asked, at what cost?

Annual Report from Data Protection Commissioner Released

The 21st annual report from the Data Protection Commissioner’s office has been released.  As usual it makes for some very interesting reading.  The report notes that the number of breaches reported to the office has doubled since the previous year.  Most of these reported breaches are from organisations within the public sector.  While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better nor worse than the private sector. 

One of the main reasons for the increased number of reported incidents from the public sector is most likely due to the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner.  See section 4 on page 23 of the guidance.

In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws. My own thoughts on that particular issue are in this presentation that I gave at the last NITeS seminar.

I strongly urge that you take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?”  If you find it hard to determine how to answer the question there is a very good self assessment checklist available on the commissioner’s site.

Register Now for The 4th Annual Privacy & Data Protection Ireland 2009 Seminar

The 4th Annual Privacy & Data Protection Ireland 2009 seminar is due to be held on the 18th and 19th of February 2009. I will be giving an interactive case study on Identity Theft at the seminar. As a speaker I am happy to be able to pass on a discounted rate to those of you who wish to register and attend the event. Up until the 1st of December you can register for one or both days of the seminar and achieve significant savings on the normal fees.

If you book early for one day the fee will be €400, after the 1st of December that will rise to €575. If you book for both days before the 1st of December the cost to you will be €750 instead of the normal €950. There are some excellent speakers addressing the event and if you have an interest in data protection and/or privacy then you should attend. Booking forms and more information are available at the seminar’s website.

4th Annual Privacy & Data Protection Ireland 2009

I have been asked to speak at the 4th Annual Privacy & Data Protection Ireland 2009 which is scheduled for next February. My talk is titled “Identity Theft: An Interactive Study” and I will be using my experience in stealing Marie Boran’s, from the, identity which she wrote up and I posted about earlier. There are a number of other interesting talks lined up for the event so it should be an interesting seminar.