Every month, we dig through cybersecurity and data protection research, trends, advice and news for our readers. This month: T&Cs, stronger security in Europe, and a birthday with bitter memories.
Policing policies to protect privacy
One of the greatest lies on the internet is “I have read the terms and conditions”. But maybe most people aren’t to blame when those same policies read like “an incomprehensible disaster”. That’s what a New York Times investigation found after reviewing 150 privacy policies. The European Commission came to a similar conclusion after surveying 27,000 citizens on their attitudes to data protection. Commissioner Věra Jourová noted that 60 per cent of Europeans read their privacy statements, but only 13 per cent read them fully. “This is because the statements are too long or too difficult to understand,” she said.
But not reading T&Cs could have unwitting consequences; like turning your phone into a spying tool. Spain’s Liga app activated a user’s smartphone audio function when it knew they were in a bar. Spain’s football administrators said the app’s terms made it clear this was to identify places that were streaming matches illegally. The Spanish data protection authority took a different view and slapped the league with a €250,000 fine.
In other privacy news, the UK Information Commissioner’s Office has published guidance providing clarity and certainty on correct cookie use. Cookie rules technically fall under the Privacy and Electronic Communications Regulations, but some of that regulation’s concepts derive from GDPR. As well as a reader-friendly myth-busting blog, there’s also more comprehensive guidance in a longer document.
Strengthening security across Europe
The EU Cybersecurity Act came into force on 26 June. For the first time, it introduces EU-wide cybersecurity certification rules for digital products, services and processes. It also strengthens the mandate for ENISA. The Union’s cybersecurity agency will set up the certification framework and it now has a remit to help Member States to handle cyber incidents.
BH Consulting is a contributor to ENISA and our CEO Brian Honan recently gave a presentation on threat intelligence at an ENISA industry event. The meeting also covered cybersecurity, internet regulation and Europe’s position in the race to a competitive ICT global industry. Brian also spoke to the Irish Times for a feature article about steps under way to improve security. Meanwhile Ireland’s second national cyber security strategy is expected in the coming weeks, as the Irish Examiner reports.
Déjà vu all over again
If working in information security can sometimes feel like Groundhog Day, then you might want to pause before reading further. Consider the following sentences, then guess when they were written (no peeking). “Paradoxically, the drive for business efficiency and globalism serves only to increase the potential damage which computer viruses and other malicious programs can cause… the more streamlined and interconnected computers become, the greater will be the penalties resulting from carelessness, recklessness and vandalism… no-one knows when or where a computer virus will strike. They attack indiscriminately. Virus writers, whether or not they have targeted specific companies or individuals, must know their programs, once unleashed, soon become uncontrollable.”
So how old is that text? Five years? Ten? Fifteen, at a push? Actually, it’s double that number. Edward Wilding penned them in the summer of ’89, for the very first edition of Virus Bulletin (PDF). Brain, the world’s first computer virus, appeared just three years before then.
It says a lot that Wilding could write these words and, without knowing, still have them resonate three decades later. The same issues he identified then have not gone away. (Side note: the same is true of attacks like SQL injection. Even today, they account for two-thirds of all web app attacks, according to new findings from Akamai.) The industry’s progress, or lack of it, is a point to ponder while security professionals (hopefully) enjoy some deserved downtime this summer.
Links we liked
NIST guidance on understanding and managing security risks with IoT devices. MORE
Demand for cybersecurity jobs in Ireland is growing, but supply can’t keep up. MORE
Controversial: you should think about paying to get data back from ransomware. MORE
An open letter to the security profession, from a privacy practitioner. MORE
You know that ‘padlock’ icon in your web browser? It could be a fake. MORE
The Irish privacy champion on a mission to clean up dirty adtech. MORE
A sceptical take on Facebook’s planned move into cryptocurrency. MORE
When BGP goes wrong, the whole internet feels it. MORE
How a trivial cell phone hack is ruining lives. MORE