14.1 C
Thursday, November 23, 2017
Home Tags EU Privacy

Tag: EU Privacy

Looming, increasingly strict EU privacy regulations are pushing privacy spending to the top of IT priorities and budgets.
Exploring the legality of the international business-to-business sharing of IP addresses within the cyber threat intelligence community.
Whitehall can't even convince UK it's not watching everything we do UK surveillance laws could be an obstacle to the creation of a US-Europe Privacy Shield-style arrangement post-Brexit.…
EnlargeGetty Images/Urich Baumgartgen reader comments 4 Share this story Online messaging services such as WhatsApp, Skype, and Gmail face a crackdown on a "void of protection" that allows them to routinely track the data of EU citizens without regulatory scrutiny—and it could be bad news for ad sales. On Tuesday, officials in Brussels proposed new measures to curb Silicon Valley players who—up until now—have been largely immune from the ePrivacy Directive, which  requires telecoms operators to adhere to the rules on the confidentiality of communications and the protection of personal data. As part of its planned overhaul, the European Commission, the executive wing of the European Union, said that it planned to beef up the measures by switching from a directive to a "directly applicable regulation" to ensure that the bloc's 500 million citizens "enjoy the same level of protection for their electronic communications." It claimed that businesses would also benefit from "one single set of rules." Over-The-Top services such as Facebook's WhatsApp and Google's Gmail can all but ignore the EU's existing rules.

The commission said that this needed to change: Important technological and economic developments took place in the market since the last revision of the ePrivacy Directive in 2009.

Consumers and businesses increasingly rely on new Internet-based services enabling inter-personal communications such as Voice over IP, instant messaging, and Web-based e-mail services, instead of traditional communications services... Accordingly, the Directive has not kept pace with technological developments, resulting in a void of protection of communications conveyed through new services. The EC is also planning to kill the heavily ridiculed cookies consent pop-up system.
It said, in an embarrassing—if long overdue—climbdown that users would be given more control to allow or prevent websites from tracking them depending on "privacy risks." Last summer, a big coalition of tech firms lobbied for the cookie law to be scrapped. Under the new proposal, the commission said: "no consent is needed for non-privacy intrusive cookies improving Internet experience (e.g. to remember shopping cart history).

Cookies set by a visited website counting the number of visitors to that website will no longer require consent." But it could also hit the bottom line of Facebook, Google, and chums because tracking consent may be harder to obtain if lots of users reject third party cookies.

The commission said that, following public consultation on the issue, 81.2 percent of citizens agreed that obligations should be imposed on "manufacturers of terminal equipment to market products with privacy-by-default settings activated." It also warned that "additional costs" could hit some Web browser makers because they would be required to develop software with privacy settings built in. The new proposals also call on consent to process electronic communications metadata, such as device location data to allow for the "purposes of granting and maintaining access and connection to the service," the commission said.
It means that telcos "will have more opportunities to use data and provide additional services." Translation: new ways to make more cash. Companies that flout confidentiality of communications rules face fines of up to four percent of their global annual turnover, under the commission's planned e-privacy measures—the same penalty that will be dished out to firms that violate the EU's General Data Protection Regulation, which comes into action in April 2018. "The European data protection legislation adopted last year sets high standards for the benefit of both EU citizens and companies," said EC justice chief Věra Jourová. "Today we are also setting out our strategy to facilitate international data exchanges in the global digital economy and promote high data protection standards worldwide." But the latest proposals cannot become law until the bloc's 28 member states and the European Parliament agree to wave them through—leaving plenty of wiggle room for industry lobbying. Separately, the commission is seeking views from the public on how to best tackle data mining as part of its Digital Single Market strategy. This post originated on Ars Technica UK
Privacy Shield, the new international framework allowing companies to transfer customer data between the EU and the U.S., is getting good reviews so far, but some companies aren’t betting on it for the long term. Companies using Privacy Shield worry that it may face the same fate as long-used predecessor the Safe Harbor Framework, which was overturned by the European Court of Justice in October 2015 after revelations of mass surveillance by the U.S National Security Agency.  Digital Rights Ireland and French civil liberties group La Quadrature du Net have also challenged Privacy Shield in court, saying the new framework doesn’t adequately protect Europeans’ privacy. While U.S. companies are embracing Privacy Shield, many European businesses are “still concerned that Privacy Shield will not hold up under court scrutiny, and they will find themselves in the same scenario as they were in October 2015, when the Safe Harbor agreement was struck down,” said Deema Frei, global privacy officer at Intralinks, a New York cloud-based content collaboration provider. Some European companies see Privacy Shield certification as a “tick box” compliance exercise, she added. With some doubts about its long-term viability, companies should also consider other data transfer agreements, such as EU model clauses or binding corporate rules, she recommended. However, if companies can get certainty about Privacy Shield’s future, and if it won’t be “attacked in the long term by data privacy activists trying to discredit it and challenge its validity, I believe it will work in the long run,” Frei added.  More than 1,100 users As of early December, about five months after Privacy Shield went into effect, about 1,150 U.S. companies had signed up to handle European customer data under Privacy Shield, up from about 500 at the end of September.

Another 600 U.S. companies had applications under review. Those numbers compare to more than 4,500 U.S. companies that had participated in the Safe Harbor data-transfer program, according to the U.S.

Department of Commerce. Like Intralinks, cloud security firm CipherCloud is worried about the legal challenges to Privacy Shield, said David Berman, senior product marketing manager there. “If a European Court decision does invalidate Privacy Shield, there will be another period of uncertainty” similar to what happened after the Safe Harbor agreement was struck down, he said. “If the new framework can withstand legal challenges it should continue to attract companies that want an overarching mechanism to transfer EU data to the U.S.” Small and medium-size businesses, as well as cloud providers, seem to be embracing Privacy Shield, but the new data transfer rules impose more obligations than the old agreement, Berman said.  “Privacy Shield has more privacy protections for individuals than Safe Harbor, so firms will have to be more diligent and ensure they are complying with the new privacy principles or risk public disclosure of a violation by the U.S.

Department of Commerce,” he said. “Some firms may find the increased oversight, additional requirements, and sanctions for non-compliance under Privacy Shield a barrier to adoption.” Compliance and surveillance With the number of Privacy Shield companies still lagging behind those that used Safe Harbor, this could indicate that Privacy Shield is more difficult to comply with, added Elodie Dowling, corporate vice president and general counsel for Europe, the Middle East, and Africa at BMC Software. In addition to the legal challenges, some EU data privacy regulators have suggested that Privacy Shield “does not do enough to curtail U.S. surveillance,” Dowling added.

EU privacy regulators will review the agreement in 2017. The legal challenges may be only beginning, she added. Max Schrems, the Austrian man who led the fight against Safe Harbor, has questioned how 500 companies received certification in the first month Privacy Shield was available. “This is undoubtedly showing that there are serious concerns around ... Privacy Shield and its ability to indeed protect EU citizen’s fundamental right of privacy when their personal data is being transferred to the U.S.,” Dowling said. BMC has not yet signed up for Privacy Shield, instead deciding to “rely on another mechanism to safely and legally transfer personal data outside of the EU anywhere in the world”—through binding corporate rules. For Privacy Shield to succeed, it needs support from the EU, including the data protection authorities in each member state, added David Hoffman, Intel’s associate general counsel and global privacy officer. Intel supports the new agreement but wants to keep other mechanisms, such as binding corporate rules, in place as well, he said. If data transfers are between subsidiaries of the same company, companies can use binding corporate rules to define the data responsibilities.

As an alternative to Privacy Shield, companies can protect external transfers through model contract clauses restricting what the receiving company may do with the data.  But companies are concerned about the future of those alternate data transfer methods as well, Hoffman said. While Privacy Shield and alternative transfer methods are in place for now, the future is uncertain. “Some of the same arguments about Safe Harbor and Privacy Shield can be made about alternative transfer methods,” he said. “If there are concerns about law enforcement and national security agencies accessing information, then there would be the same concerns about alternative methods because those agencies can also access it when it’s transferred by other means.”
With the current Windows Insider cycle previewing the Creators Update for Windows 10, Microsoft has started talking about what it’s going to mean for the enterprise.

There’s a lot in the new release beyond the headline 3D features, with a strong focus on improving enterprise security and management. The current threat landscape is complex, with regular revelations of significant data breaches and an ever-evolving set of attacks and attackers.
It’s good to see Microsoft making a commitment to helping businesses deal with the aftermath of a network intrusion, with support for a new release of its Windows Defender Advanced Threat Protection (ATP) tool as part of the next major enterprise release of Windows 10, due sometime in the first half of 2017. What is Windows Defender ATP? There’s some confusion about the role of Windows Defender ATP, partly because it shares elements of its name with Windows’ Defender antivirus tools.

Although ATP is part of your overall security tools, alongside Defender, the Edge browser’s SmartScreen download manager, and the spam and malware filters built into Office 365, ATP is specifically a post-attack tool, using telemetry from managed PCs to track the path of an attacker through your network. Modern network security is about layering responses and having effective tools that work to prevent, detect, and clean up after breaches.

ATP won’t stop your network being breached, but it will help identify them after they’ve occurred and give you more understanding as to how they happened and what information might have been compromised.

That’s an important distinction from other security tools, one that makes ATP an increasingly important tool in a rapidly changing regulatory environment. Businesses with customers in the European Union will already be aware of the requirements of the U.S.-EU Privacy Shield agreement and the upcoming implementation of the EU’s General Data Protection Regulation breach notification rules—along with the possibility of heavy fines. Understanding what happened during an attack and any resulting breaches is a key component in any active security process. You can’t be prepared for every instance, not when zero-day attacks sell for more than the available security vulnerability bounties.

That means it’s not a matter of if but of when you’re attacked. ATP’s afterbreach analysis Tools like ATP analyze the behavior of possibly compromised systems to give you a picture of what happened and how it happened.

That’s key to developing your response to attacks, working out what policies must be implemented to prevent a reoccurrence, and figuring out what needs to be done to ensure that attackers no longer have access to your systems and you have as complete as possible trace of their actions. A set of endpoint sensors built into Windows 10 delivers behavioral information to Microsoft’s cloud services, which use machine learning to interpret the signals from your devices.

By understanding what the behavior of a normal PC looks like, ATP can then identify the signature of a compromised device—before drilling down to see what had been compromised and how.

The Windows 10 Creators Update version of ATP updates the existing sensors to handle a new generation of attacks, so it can detect in-memory malware, kernel-level attacks, and cross-process code injections. Note that when attack information is shared outside Microsoft, it’s anonymized and only used to build improved detection and response tools. One important consideration: These sensors aren’t delivering telemetry to Microsoft all the time.

They’re only accessed when you suspect you’ve been breached and are using Windows Defender ATP to respond to the attack. ATP is also “a backstop for when threat prevention fails,” says David Weston, the head of research at the Windows Defender ATP group. Using ATP to quarantine infected systems allows deeper forensic analysis, as well as the opportunity to remove malware and close down exploits.

The ability to quickly isolate suspected breaches is key, especially as it’s handled from outside your network, using a cloud service, which reduces the risk of attackers seeing your response to their intrusion because you are using uncompromised systems to manage your response. IT systems management in the cloud Windows 10 Creators Update’s ATP release will build on the cloud-based security tools released with the Windows 10 Anniversary Update, giving system administrators a single portal for examining the security state of all their managed devices, the Windows Security Center. Here, you get access to security intelligence from Microsoft and partners like FireEye, as well share details from your own forensic analysis to improve the ATP machine learning models. You can then pivot from Windows Defender ATP to Office ATP; once you’ve determined what PCs and users have been compromised, it’s then possible to track down the malware or phishing techniques that were used to gain the initial foothold. It’s all part of a renewed focus on Microsoft’s part of moving device management away from on-premises tools to the cloud.

Although that approach may seem to be at odds with traditional device management, it’s an approach that makes a lot of sense with changes in how PCs are deployed and used.

Cloud-based tools and analytics work nicely when used by distributed and remote staff, as well as with BYOD deployments. The days of the regularly replaced fleet of on-premises PCs are long gone, and cloud-based management makes it possible to manage devices wherever they are, as long as they are connected to the internet.
The Privacy Shield framework establishes a new mechanism for U.S. companies to prove compliance with EU data privacy laws, the company said. Google has officially adopted the United States and European Union's Privacy Shield framework governing the tra...
europe-vs-facebookThe US government has asked to be joined as a party in the Irish High Court case between the Austrian privacy activist and lawyer Max Schrems, and the social network Facebook.
In a press release, Schrems called this "an unusual move." He told Ars that there are no documents relating to the "amicus curiae"—friend of the court—request yet. "The US government simply appeared via a barrister at the first (administrative) hearing today," he said. "They will be able to file the documents until the 22nd." Schrems speculated that the US government has made this move because it wanted to defend its surveillance laws before the European Courts. "I think this move will be very interesting," he told Ars. "The US has previously maintained that we all misunderstood US surveillance." The Court of Justice of the European Union struck down the Safe Harbour agreement between the EU and the US largely because of fears that personal data sent from the EU to the US would be subject to US surveillance without sufficient safeguards.

The latest move seems to be an attempt by the US government to convince European courts that personal data is adequately protected when it is transferred to the US. But as Schrems notes in his press release, the US government's bold approach carries risks. "Compared to diplomatic talks with the EU and EU member states, as well as public statements in the United States, it will not be protected by US laws on confidentiality and be placed under oath," he wrote. "The party that gives evidence on behalf of the US government could therefore face severe consequences, if he does not truthfully answer all questions raised on US mass surveillance." Schrems told Ars that he hopes to use this unexpected opportunity to grill the US government to the maximum. "Now they have every chance to make their point, but we also have every chance to ask questions they have previously not had to respond to." The pivotal nature of the case between Schrems and Facebook is underlined by the fact that three other organisations have also asked to be joined.

According to Schrems, "The American Chamber of Commerce, Business Software Alliance, and the Irish Business and Employers Confederation also asked to join the procedure, as these organisations’ members use the same legal basis to transfer data to the United States as Facebook." Since the invalidation of the Safe Harbour framework, many companies have turned to so-called "model contracts" as a way of ensuring that the data transfers across the Atlantic comply with EU privacy laws. However, as Schrems points out, "this shift in the legal basis does not remedy the fact that Facebook is still subject to US mass surveillance laws and programs, which the CJEU already found to be conflicting with EU law." The current action in the Irish High Court will play a major role in establishing whether that is the case, which no doubt partly explains the US government's unusual intervention. This post originated on Ars Technica UK
In its October transparency report, the search firm says it evaluated almost a half million URLs under the European Union's rule for privacy, pulling down 170,000. A woman from Italy requested that Google remove links to her husband's murder resulting from searches for her name. A German citizen asked that more than 50 links to an embarrassing exchange be removed from searches for his name. In both cases, Google complied with the requests under the European Court of Justice's May 2014 ruling supporting citizens' right to be forgotten. Since the ruling, Google has fielded almost 150,000 requests to remove search results from specific queries, encompassing almost a half million URLs, according to an update to its Transparency Report posted by the company on Oct. 10. Google removed links to almost 42 percent, approximately 170,000, of the URLs, the company said. The company denied requests by a doctor to remove search results about a botched procedure and by a financial professor for results about his conviction for financial crimes, Google said. "In evaluating a request, we will look at whether the results include outdated or inaccurate information about the person," Google stated in its explanation of its procedure. "We'll also weigh whether or not there's a public interest in the information remaining in our search results—for example, if it relates to financial scams, professional malpractice, criminal convictions or your public conduct as a government official, elected or unelected." The Court of Justice's landmark ruling on May 13, 2014, has held Google, and other search providers, responsible for the results that appear upon searching a person's name. The ruling is based on Article 12 of the EU's Data Protection Directive adopted in 1995. While the ruling upholds strong support for personal privacy, it arguably removes important information from the Internet and burdens search firms with additional work to evaluate takedown requests and remove requested links content. Google did not give any information on how costly or how scalable the process of removing search results has become. The company wanted to give users an idea of how much information it had removed from searches, according to Jess Hemerly, Google's manager of public policy. "We believe it's important to be transparent about how much information we're removing from search results while being respectful of individuals who have made requests," Hemerly stated in a blog post on Google's Europe blog. "Releasing this information to the public helps hold us accountable for our process and implementation." Most requests came from citizens in France, Germany, the United Kingdom, Spain and Italy, Google stated. "We hope to find ways to share even more information about the impact of 'the right to be forgotten' in the near future, and continue to work on updating other sections to make them easier to use and more interesting to explore," Hemerly stated in her post.  
An Austrian court has given Facebook four weeks to respond to a class action that claims Facebook Ireland is in breach of European law on the use of personal data. The class action, led by Austrian privacy activist and law student Max Schrems, claims Facebook violates user rights by tracking internet use on external sites, including the use of “like” buttons. The class action, which has attracted the support of more than 60,0000 users of the social network, also attacks Facebook’s analysis of users through what it calls “big data” systems. Schrems believes Facebook supports the US Prism surveillance programme revealed by whistleblower Edward Snowden. The Vienna Regional Court issued the deadline to Facebook after reviewing the class action, according to an update on the Europe vs Facebook campaign website. “The first step in the legal procedure is hereby taken,” the update said. According to the campaign led by Schrems, Facebook Ireland could apply for an extension, but if it fails to submit a counterstatement, the court will be able to make a judgment based on the lawsuit. More than 25,000 Facebook users from outside the US and Canada have signed up as part of the class action, and a further 35,000 have registered their support on the campaign website. A week after launching the class action, Schrems announced he would limit the number official claimants to 25,000 because every claim had to be verified. In June, another case brought by Schrems to force data protection authorities to investigate allegations that Facebook passes personal data to the US National Security Agency was  referred to the European Court of Justice (ECJ) in Luxembourg by the high court in Dublin. On launching the class action in Austria, Schrems said: “Our aim is to make Facebook finally operate lawfully in the area of data protection.” The class action applies to injunctions under EU data protection law and seeks damages of a token amount of €500 per user. “We are only claiming a small amount as our primary objective is to ensure correct data protection,” said Schrems. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK
In the latest round of Google’s privacy battles in Europe, the Italian data protection watchdog has given the company 18 months to change the way it processes and stores user data. In January 2014, France’s privacy watchdog, CNIL, fined Google €150,000 for failing to conform to local law regarding tracking and storing user information within the three-month deadline it had set. The Rome-based Italian Data Protection Authority (DPA) said in a statement that Google must ask users for permission to use personal data and make it clear this data may be used for commercial profiling. Profiling is typically used by advertisers to target individuals with specific offers tailored to browsing and purchasing patterns. The watchdog said Google also has to honour requests to delete data within two months, but the firm will have up to six months to remove the content from backups. Google's disclosure to users remains inadequate, despite the steps it has taken to follow local law, the statement said. A Google spokesman said: "We've engaged fully with the Italian DPA throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we'll continue to do so. We'll be reading their report closely to determine next steps." Google has also agreed to present a roadmap to the Italian DPA by the end of September, showing how the company will comply with privacy requirements. The Italian DPA order follows a pan-European investigation that found that Google was in breach of the EU’s privacy laws. The investigation was prompted by Google’s January 2012 consolidation of 60 of its privacy policies into one policy that covered a broad range of services without giving users the ability to opt out. Privacy groups are concerned that personal data is being stored in the US, reducing the control that European citizens have over their personal information. These concerns have increased in the wake of claims by whistleblower Edward Snowden that US intelligence services have access to material stored in US-based cloud services. The EU investigation concluded that Google was in breach of European privacy laws, and in July 2013, the UK’s privacy watchdog joined data protection authorities in France, Spain, Germany, Italy and the Netherlands in demanding a rewrite of Google’s privacy policy. The Italian DPA said that while Google has made some progress towards complying with EU privacy laws, it is does not yet fully comply in areas such as seeking prior consent in profiling for commercial purposes or how long personal data is stored. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK
A US Judge has ordered Microsoft to give the District Court access to the contents of one of its customer’s emails stored on a server located in Dublin. Microsoft challenged the decision but the judge disagreed and rejected its challenge. US Magistrate Judge James Francis in New York said internet service providers, such as Microsoft, will have to hand over information and emails stored in datacentres outside the US if they are issued with a valid search warrant from US law enforcement agencies. The search warrant was issued in December 2013 but Microsoft challenged it. “The US government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas,” said the company.  But the Azure cloud provider’s move to quash the search warrant has been denied by the judge.   Last week, on the TechNet blog, Microsoft’s corporate vice-president & deputy general counsel, David Howard said: “We filed a formal legal challenge to the US search warrant seeking customer email content that is located exclusively outside the United States. Today we received an initial decision that maintains the status quo.” It’s generally accepted that a US search warrant in the physical world can only be used to obtain materials that are within the territory of the US, Howard explained. “We think the same rules should apply in the online world, but the government disagrees.” The search warrant covered search and seizure of contents of all emails stored in one user account, including copies of emails sent from the account as well as other information in the email account such as address books, contact lists, pictures, and files. Microsoft's €480m European datacentre in Dublin, catering to its Azure cloud users, opened in 2009. Judge Francis quoted the American Stored Communications Act (SCA) and explained that the law authorises the government to seek information – including content of an email – by way of subpoena, court order, or warrant. “Microsoft’s argument is simple, perhaps deceptively so,” Judge Francis said in an official document. “Government’s view is that the SCA does not implicate principles of extraterritoriality. It has long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information,” he said. “Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law. Accordingly, Microsoft's motion to quash in part the warrant at issue is denied,” the judge concluded. This conclusion will be seen as a significant blow to users of cloud computing services, such as Microsoft Azure, AWS or Google’s enterprise cloud services. We’re not trying to frustrate any government investigations David Howard, Microsoft To allay users’ fears around data privacy and security on cloud services in the wake of the Prism scandal, Microsoft said it is taking steps to ensure governments use “legal process rather than technological brute force to access customer data”. It also took cloud data security steps, such as expanding encryption across its services, reinforcing legal protections for customers’ data, and enhancing the transparency of its software code, making it easier for customers to understand its data rules. “We respect the critical role law enforcement plays in protecting all of us. We’re not trying to frustrate any government investigations,” Howard said. “But we’ll continue to pursue this issue because we believe we’re right on the law and because our customers have told us they value our privacy commitments.” The blow to data privacy on cloud products comes just two weeks after Microsoft confirmed its enterprise cloud services – including Microsoft Azure, Office 365, Dynamics CRM and Windows Intune services – were approved by the standards of EU privacy laws. The approval means that enterprise customers using Windows Azure or Office 365 can move data freely through Microsoft’s cloud from Europe to the rest of the world without worrying about compliance. “Customers will entrust their information to the cloud only if they have confidence that it will remain secure there. The approval by the European data protection authorities is another important step in ensuring customers trust Microsoft’s cloud services,” Brad Smith, general counsel and executive vice president of legal and corporate affairs at Microsoft said at that time. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK