WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
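As an added illustration of the pseudonymization pattern just described (encrypt the personal data, hold the key separately), and not code from the TechCrunch piece or from this post: a Go program that splits a constructed customer record into a processing dataset holding only an HMAC pseudonym and AES-GCM ciphertext, and a separately held key store that alone can re-identify it. The names KeyStore, Pseudonymize and Reidentify, the sample record and the key layout are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Person is a constructed sample: direct identifiers plus one attribute needed in the clear.
type Person struct {
	Name  string
	Email string
	Plan  string
}

// PseudonymousRecord is what the processing dataset stores instead of Person.
type PseudonymousRecord struct {
	Token      string // hex HMAC-SHA256(lookupKey, email): stable and linkable
	Ciphertext []byte // AES-256-GCM: nonce || seal("name\x00email")
	Plan       string
}

// KeyStore stands in for key material held apart from the dataset (a KMS or HSM in practice).
type KeyStore struct {
	encKey    []byte // 32 bytes, AES-256
	lookupKey []byte // 32 bytes, HMAC key for the pseudonym
}

func NewKeyStore() (*KeyStore, error) {
	raw := make([]byte, 64)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return &KeyStore{encKey: raw[:32], lookupKey: raw[32:]}, nil
}

// Token is a deterministic pseudonym: linkable across records, unreadable without the key.
func (ks *KeyStore) Token(email string) string {
	mac := hmac.New(sha256.New, ks.lookupKey)
	mac.Write([]byte(email))
	return hex.EncodeToString(mac.Sum(nil))
}

func (ks *KeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Pseudonymize encrypts the identifiers under a fresh nonce and binds them to
// the token as additional data, so they cannot be re-attached to another token.
func (ks *KeyStore) Pseudonymize(p Person) (PseudonymousRecord, error) {
	aead, err := ks.aead()
	if err != nil {
		return PseudonymousRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return PseudonymousRecord{}, err
	}
	token := ks.Token(p.Email)
	ct := aead.Seal(nonce, nonce, []byte(p.Name+"\x00"+p.Email), []byte(token))
	return PseudonymousRecord{Token: token, Ciphertext: ct, Plan: p.Plan}, nil
}

// Reidentify reverses Pseudonymize; it succeeds only with the matching key store.
func (ks *KeyStore) Reidentify(r PseudonymousRecord) (Person, error) {
	aead, err := ks.aead()
	if err != nil {
		return Person{}, err
	}
	ns := aead.NonceSize()
	if len(r.Ciphertext) < ns {
		return Person{}, errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, r.Ciphertext[:ns], r.Ciphertext[ns:], []byte(r.Token))
	if err != nil {
		return Person{}, err // wrong key, tampered ciphertext or swapped token
	}
	name, email, _ := bytes.Cut(plain, []byte{0})
	return Person{Name: string(name), Email: string(email), Plan: r.Plan}, nil
}

func main() {
	ks, _ := NewKeyStore()
	rec, _ := ks.Pseudonymize(Person{"Alice Example", "alice@example.org", "premium"})
	p, err := ks.Reidentify(rec) // a KeyStore holding other keys gets an error here
	fmt.Println(rec.Token[:16], rec.Plan, p.Email, err)
}
```

Because the key store can still reverse the mapping, the processing dataset is pseudonymous personal data rather than anonymous data, and stays within the regulation's scope; that is the distinction the last sentence above draws.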

373 Comments

  1. Tomi Engdahl says:

    Michelle Castillo / CNBC:
    Facebook users worldwide are being asked to review their privacy settings, including political and religious affiliations, as GDPR goes into effect in Europe — Facebook is telling all users to review their privacy settings, including information they share on their profiles and facial recognition preferences.

    Facebook users worldwide are being asked to review their privacy settings as GDPR looms
    https://www.cnbc.com/2018/05/24/facebook-users-get-a-notice-to-review-privacy-settings-ahead-of-gdpr.html

    Facebook is telling all users to review their privacy settings, including information they share on their profiles and facial recognition preferences.
    The alert is related to a European regulation called GDPR that gives users more control over what personal data is shared through online platforms.

    Reply
  2. Tomi Engdahl says:

    As EU Privacy Law Looms, Debate Swirls on Cybersecurity Impact
    https://www.securityweek.com/eu-privacy-law-looms-debate-swirls-cybersecurity-impact

    Days ahead of the implementation of a sweeping European privacy law, debate is swirling on whether the measure will have negative consequences for cybersecurity.

    The controversy is about the so-called internet address book or WHOIS directory, which up to now has been a public database identifying the owners of websites and domains.

    The database will become largely private under the forthcoming General Data Protection Regulation set to take effect May 25, since it contains protected personal information.

    US government officials and some cybersecurity professionals fear that without the ability to easily find hackers and other malicious actors through WHOIS, the new rules could lead to a surge in cybercrime, spam and fraud.

    Critics say the GDPR could take away an important tool used by law enforcement, security researchers, journalists and others.

    “The loss of access to WHOIS information will negatively affect law enforcement of cybercrimes, cybersecurity and intellectual property rights protection activities globally,” Redl said.

    Reply
  3. Tomi Engdahl says:

    6 misconceptions about the much-debated data protection regulation: publication of tax records will end, sauna shift lists can no longer be kept, and the name boards in stairwells will disappear
    https://yle.fi/uutiset/3-10219486

    Reply
  4. Tomi Engdahl says:

    Google and Facebook accused of breaking GDPR laws
    http://www.bbc.com/news/technology-44252327?SThisFB

    Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect.

    The companies are accused of forcing users to consent to targeted advertising to use the services.

    people were not being given a “free choice”.

    In its four complaints, noyb.eu argues that the named companies are in breach of GDPR because they have adopted a “take it or leave it approach”.

    The activist group says customers must agree to having their data collected, shared and used for targeted advertising, or delete their accounts.

    This, the organisation suggests, falls foul of the new rules because forcing people to accept wide-ranging data collection in exchange for using a service is prohibited under GDPR.

    “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent,” said noyb.eu in a statement.

    “pushing people to consent is actually forbidden under GDPR in most cases.”

    Some companies based outside the EU have temporarily blocked their services across Europe to avoid falling foul of the new legislation.

    Reply
  5. Tomi Engdahl says:

    GDPR: US news sites unavailable to EU users under new rules
    http://www.bbc.com/news/world-europe-44248448

    Some high-profile US news websites are temporarily unavailable in Europe after new EU data protection rules came into effect.

    All EU citizens now have the right to see what information companies have about them, and to have that information deleted.

    Companies must be more active in gaining consent to collect and use data too, in theory spelling an end to simple “I agree with terms and conditions” tick boxes.

    Companies must also tell all affected users about any data breach, and tell the overseeing authority within 72 hours.

    Each EU member state must set up a supervisory authority, and these authorities will work together across borders to ensure companies comply.

    Millions of email inboxes all over Europe filled in recent weeks with messages from anxious companies seeking explicit permission to continue sending marketing material to and collecting personal data from their customers and contacts.

    Reply
  6. Tomi Engdahl says:

    Jessica Davies / Digiday:
    With the arrival of GDPR, ad platform vendors like DoubleClick warn publishers about steep EU ad volume declines, at least for the short term — The arrival of the General Data Protection Regulation’s enforcement May 25 has hurled the digital media and advertising industries into a tailspin.

    GDPR mayhem: Programmatic ad buying plummets in Europe
    https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/

    Reply
  7. Tomi Engdahl says:

    Adam Satariano / New York Times:
    Head of European Data Protection Board, responsible for GDPR application, criticizes US sites limiting access from EU, says there was plenty of time to prepare — LONDON — American news outlets including The Chicago Tribune, The Los Angeles Times and The Arizona Daily Star abruptly blocked access …
    http://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html

    Reply
  8. Tomi Engdahl says:

    BBC:
    Some US news sites like the LA Times and the Chicago Tribune restrict access from EU as GDPR goes into effect
    http://www.bbc.com/news/world-europe-44248448

    Reply
  9. Tomi Engdahl says:

    David Meyer / Fortune:
    Digital privacy activist Max Schrems files official GDPR complaints against Google, Facebook, WhatsApp, and Instagram over forced consent
    http://fortune.com/2018/05/25/google-facebook-gdpr-forced-consent/

    Reply
  10. Tomi Engdahl says:

    Andrew Allemann / Domain Name Wire:
    ICANN files for injunction against German domain registrar who said it will stop collecting WHOIS data because of GDPR — Domain name overseer hopes to get clarification about data collection for domain name registrations. — ICANN has filed injunction proceedings against EPAG …

    ICANN files legal action against Tucows registrar over GDPR
    https://domainnamewire.com/2018/05/25/icann-files-legal-action-against-tucows-registrar-over-gdpr/

    Domain name overseer hopes to get clarification about data collection for domain name registrations.

    ICANN has filed injunction (PDF) proceedings against EPAG, a domain name registrar owned by Tucows (NASDAQ:TCX), in a challenge meant to get clarity on the European Union’s General Data Protection Regulation (GDPR). EPAG is a German registrar that Tucows acquired in 2011.

    While many registrars have stopped publishing personal information in Whois, EPAG has told ICANN that it will no longer collect administrative and technical contact details because it believes doing so will violate GDPR.

    In a release, ICANN stated:

    “We are filing an action in Germany to protect the collection of WHOIS data and to seek further clarification that ICANN may continue to require its collection. It is ICANN’s public interest role to coordinate a decentralized global WHOIS for the generic top-level domain system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource.”

    https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-prelim-injunction-redacted-25may18-en.pdf

    Reply
  11. Tomi Engdahl says:

    Jessica Davies / Digiday:
    With the arrival of GDPR, ad platform vendors like DoubleClick warn publishers about steep EU ad volume declines, at least for the short term — The arrival of the General Data Protection Regulation’s enforcement May 25 has hurled the digital media and advertising industries into a tailspin.

    GDPR mayhem: Programmatic ad buying plummets in Europe
    https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/

    The arrival of the General Data Protection Regulation’s enforcement May 25 has hurled the digital media and advertising industries into a tailspin.

    Since the early hours of May 25, ad exchanges have seen European ad demand volumes plummet between 25 and 40 percent in some cases, according to sources. Ad tech vendors scrambled to inform clients that they predict steep drops in demand coming through their platforms from Google. Some U.S. publishers have halted all programmatic ads on their European sites.

    Google contacted DoubleClick Bid Manager clients over the last few days to warn them that until it has completed its integration into the Interactive Advertising Bureau Europe and IAB Tech Lab’s GDPR Transparency & Consent Framework that publishers, ad tech vendor partners and advertisers should expect a “short-term disruption” in the delivery of their DoubleClick Bid Manager campaigns on third-party European inventory, starting May 25.

    “Revenues and [ad demand] volumes [are] expected to fall dramatically across the board,” said one publishing executive, under condition of anonymity.

    Reply
  12. Tomi Engdahl says:

    Google and Facebook accused of breaking GDPR laws
    http://www.bbc.com/news/technology-44252327

    Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect.

    The companies are accused of forcing users to consent to targeted advertising to use the services.

    Privacy group noyb.eu led by activist Max Schrems said people were not being given a “free choice”.

    If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined.

    ‘Huge fines’

    Some companies based outside the EU have temporarily blocked their services across Europe to avoid falling foul of the new legislation.

    However, others such as Twitter have introduced granular controls that let people opt out of targeted advertising.

    Companies that fall foul of GDPR can be – in extreme cases – fined more than £17m.

    Facebook said in a statement that it had spent 18 months preparing to make sure it met the requirements of GDPR.

    Google told the BBC: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation.”

    WhatsApp has not yet responded to the BBC’s request for comment.

    Reply
  13. Tomi Engdahl says:

    Email Leakage – An Overlooked Backdoor to GDPR Failure
    https://www.securityweek.com/email-leakage-overlooked-backdoor-gdpr-failure

    On May 25, 2018, two years after it was adopted by the European Union, the General Data Protection Regulation (GDPR) came into force. For two years companies have been bombarded with offers for GDPR solutions from security firms; and publications have been bombarded with surveys claiming that only n% of firms are ready or even understand GDPR.

    In truth, however, the ‘data protection’ element in GDPR is little different to pre-existing European laws. The GDPR changes come in the way user data is gathered, stored, processed, and made accessible to users; in breach disclosure; and in the severity of non-compliance fines.

    That said, companies can learn from last year’s data protection non-compliance incidents to gain insight into next year’s potential GDPR non-compliance fines. One source is the statistics available from the Information Commissioner’s Office (ICO — the UK data protection regulator).

    The ICO’s latest ‘Data security incident trends’ report was published on 14 May 2018. During Q4, the ICO levied just a single fine: £400,000 on Carphone Warehouse Ltd “after serious failures put customer data at risk.” There were, however, a total of 957 reported data security incidents. The ICO defines these as “a major concern for those affected and a key area of action for the ICO.”

    An analysis of those incidents is revealing. Healthcare — a major worldwide criminal target for extortion and theft of PII — reported a total of 349 data security incidents in Q4. The most common incidents were not technology-related: 121 incidents involved data posted or faxed to the wrong recipient, or the loss or theft of paperwork.

    Reply
  14. Tomi Engdahl says:

    EU’s New Data Protection Rules Come Into Effect
    https://www.securityweek.com/eus-new-data-protection-rules-come-effect

    - Explicit consent -

    The law establishes the key principle that individuals must explicitly grant permission for their data to be used.

    The new EU law also establishes consumers’ “right to know” who is processing their information and what it will be used for.

    People will be able to block the processing of their data for commercial reasons and even have data deleted under the “right to be forgotten”.

    Parents will decide for children until they reach the age of consent, which member states will set anywhere between 13 and 16 years old.

    The case for the new rules has been boosted by the recent scandal over the harvesting of Facebook users’ data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.

    The breach affected 87 million users, but Facebook said Wednesday it has found no evidence that any data from Europeans were sold to Cambridge Analytica.

    Facebook chief Mark Zuckerberg said in a hearing at the European Parliament on Tuesday that his firm will not only be “fully compliant” with the EU law, but will also make huge investments to protect users.

    Zuckerberg said he was “sorry” for the Cambridge Analytica breaches, but also for its failure to crack down on election interference, “fake news” and other data misuses.

    Reply
  15. Tomi Engdahl says:

    Natasha Singer / New York Times:
    Big tech industry groups claim EU’s new ePrivacy Regulation will limit growth online; the law has been delayed after being slated to go into effect this month — The new European data privacy legislation is so stringent that it could kill off data-driven online services and chill innovations …
    https://www.nytimes.com/2018/05/27/technology/europe-eprivacy-regulation-battle.html

    Reply
  16. Tomi Engdahl says:

    Tony Romm / Washington Post:
    Europe, where there’s still a wariness of its secret police and surveillance past, is now Silicon Valley’s most powerful privacy regulator with GDPR, not the US — Europe implemented a sweeping overhaul of digital privacy laws on Friday that has reshaped how technology companies handle customer data …
    http://www.washingtonpost.com/business/technology/europe-not-the-us-is-now-the-most-powerful-regulator-of-silicon-valley/2018/05/25/f7dfb600-604f-11e8-8c93-8cf33c21da8d_story.html

    Reply
  17. Tomi Engdahl says:

    Email Leakage – An Overlooked Backdoor to GDPR Failure
    https://www.securityweek.com/email-leakage-overlooked-backdoor-gdpr-failure

    On May 25, 2018, two years after it was adopted by the European Union, the General Data Protection Regulation (GDPR) came into force. For two years companies have been bombarded with offers for GDPR solutions from security firms; and publications have been bombarded with surveys claiming that only n% of firms are ready or even understand GDPR.

    In truth, however, the ‘data protection’ element in GDPR is little different to pre-existing European laws. The GDPR changes come in the way user data is gathered, stored, processed, and made accessible to users; in breach disclosure; and in the severity of non-compliance fines.

    Reply
  18. Tomi Engdahl says:

    Tech PR people are weirdly okay with GDPR
    https://thenextweb.com/tech/2018/05/29/tech-pr-people-are-weirdly-okay-with-gdpr/

    GDPR has an impact on virtually every industry that deals with personal data. Take, for example, the PR industry.

    Publicists rely on the personal information of journalists, editors, and tastemakers, in order to build the public image of their clients. It’s fair to say that, as an industry, PR is as equally driven by data as it is relationships.

    But most PR people are pretty sanguine about GDPR — the good ones, at least. In fact, they welcome it, as they believe it’ll weed out the bad actors from the industry.

    You know, the ones that’ll buy a list of email addresses, and use it to broadcast an irrelevant, unwelcome pitch. These are the people reporters whinge about on Twitter. And these are the people who stand to lose out from the EU’s new data protection legislation.

    James Hennigan, Head of Campaigns for Manchester-based PR agency Galibier PR, said:

    “GDPR can only be a good thing for the PR industry in that it will raise industry standards particularly during the ‘selling in’ process. The traditional “spray and pray” approach – spamming a list of unwilling journalists with a barely relevant press release and hoping some cover the story – will actually become legislated against and hopefully die out. We aren’t worried, as we only contact individual journalists with a targeted, tailored approach, so there won’t be a massive culture shock for us. The legislation will force PRs to think more carefully about who they approach and why. Relevance is so important in our line of work.”

    Another upside to GDPR is that it legally prevents publicists from sharing the private details of journalists with clients, as Hennigan explained.

    “The second benefit of GDPR is it protects us from partners that ask us for the phone numbers and emails of the media. Our relationships with journalists are a large part of the value we deliver and we’ve never passed on their contact details, but we do get people asking us to share them. Now, we legally can’t, giving us another safeguard when people ask.”

    “A total nightmare for PR people”

    That said, there were some bears amongst the bulls, most notably Ed Zitron — who is one of the most vocal (and funniest) commentators on the PR industry. He thinks GDPR has the potential to open a world of hurt.

    “Article 17 is going to, depending on the interpretation, be a total nightmare for PR people,” he said.

    This part of the GDPR legislation lays out the scenarios for when data should be deleted. It states that if personal data is no longer required for the purpose for which it was collected or processed, companies are obligated to delete it.

    According to Zitron, if this applies to an email address or a phone number, then PR people will “have a very, very tough time justifying keeping media lists.”

    This isn’t the only potential pitfall in article 17. Other conditions when data should be deleted is if “the data subject objects to the processing and there are no legitimate grounds for processing.”

    According to Zitron, this “likely won’t cover ‘we like to send the same email to 100 reporters.’”

    But having interviewed several professionals, a few things are clear:

    PR people are prepared for the new legislation, and for the most part, know it back to front. They’ve spent a lot of time getting ready for GDPR.
    Broadly speaking, they regard it as an opportunity.
    They think it’ll weed out the worst practices of the industry.

    Reply
  19. Tomi Engdahl says:

    Activists hate them! One weird trick Facebook uses to fool people into accepting GDPR terms
    You (actually may not) have a new message waiting for you
    https://www.theregister.co.uk/2018/05/29/facebook_messages_trick/

    Facebook has been accused of purposefully misleading netizens into accepting its GDPR-friendly privacy policy – by tricking them with fake notifications.

    Folks are shown the social network’s updated terms and conditions to agree to, with what appears to be pending notifications from friends in the top right corner – such as unread messages and other alerts. Netizens have to agree there and then to hand over their personal data to see the awaiting texts and notices, even though none may actually be waiting for them.

    Under the European law, companies are required to gain consent before they are allowed to use individuals’ personal data – a situation that put info-hoarding Facebook and other tech giants into a difficult bind.

    Reply
  20. Tomi Engdahl says:

    USA needs law ‘a lot like GDPR’ says Salesforce CEO Marc Benioff
    As his company smashes Q1 2019
    https://www.theregister.co.uk/2018/05/30/salesforce_q1_2019/

    Salesforce CEO Marc Benioff thinks the USA needs “a national privacy law … that probably looks a lot like GDPR.”

    “This is going to help our industry,” he said on an earnings call for Salesforce’s Q1 2019 results. “It’s going to set the guardrails around trust, around safety. It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”

    Reply
  21. Tomi Engdahl says:

    GDPR, China and data sovereignty are ultimately wins for Amazon and Google
    https://techcrunch.com/2018/05/29/gdpr-and-the-cloud-winners/?utm_source=tcfbpage&sr_share=facebook

    The Great Privacy Policy Email Deluge of 2018 may have finally petered out, but we are just starting to build an understanding of who the winners and losers will be in this newly regulated data economy.

    To me, it’s clear that the complexity around these data sovereignty laws ultimately benefits highly scaled service providers who can manage the nuanced regulations around these laws in an automated fashion. That means, ironically, that Google likely will win long-term on its cloud side, along with other major cloud providers like Amazon and Microsoft Azure.

    Reply
  22. Tomi Engdahl says:

    How will dApps built on ETH deal with the requirements of GDPR?
    https://ethereum.stackexchange.com/questions/49680/how-will-dapps-built-on-eth-deal-with-the-requirements-of-gdpr

    GDPR expects its citizens to have the ‘right to be forgotten’. A company failing to fulfill this obligation is expected to pay a hefty fine. How will decentralized autonomous communities who store immutable data on the blockchain about its users deal with such a legal obligation?

    Let’s take the case of an alternative that ETH developers build for Facebook. They ought to store the users’ names and other identifiable information on the blockchain, correct? What measures do they have to take to be compliant with the law? Should the founders remain anonymous so that nobody is held liable? Please talk about how social DACs can grow in such conditions.

    With the GDPR, and the current blockchain research stage we are at now, two things can be said.

    DAPPs won’t let users post any personal info (in identity terms) because: with GDPR, a user can oblige the DAPP owner to remove all of its data (the user’s collected data) from the database (the blockchain), and nowadays that’s impossible, because that info will always be stored in the blocks that contain the requesting user’s info.
    One possible solution will be to separate the data. The identity part of the blockchain will be stored on a normal server, and the transaction info on the blockchain. We can relate the user to its transactions with ERC identity tokens.

    Reply
  23. Tomi Engdahl says:

    Egnyte releases one-step GDPR compliance solution
    https://techcrunch.com/2018/06/04/egnyte-releases-one-step-gdpr-compliance-solution/?utm_source=tcfbpage&sr_share=facebook

    You can start by simply telling Egnyte that you want to turn on “Identify sensitive content.” You then select which sets of rules you want to check for compliance including GDPR. Once you do this, the system goes and scans all of your repositories to find content deemed sensitive under GDPR rules (or whichever other rules you have selected).

    Reply
  24. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Europe’s top court rules that administrators of fan pages on Facebook are jointly responsible with Facebook for the processing of users’ data

    Europe’s top court takes a broad view of privacy responsibilities around platforms
    https://techcrunch.com/2018/06/05/europes-top-court-takes-a-broad-view-on-privacy-responsibilities-around-platforms/

    An interesting ruling by Europe’s top court could have some major implications for data mining tech giants like Facebook and Google, along with anyone who administers pages that allow platforms to collect and process their visitors’ personal data — such as a Facebook fan page or even potentially a site running Google Analytics.

    Passing judgement on a series of legal questions referred to it, the CJEU has held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page — aligning with the Advocate General’s opinion to the court, which we covered back in October.

    In practical terms the ruling means tech giants could face more challenges from European data protection authorities. While anyone piggybacking on or plugging into platform services in Europe shouldn’t imagine they can just pass responsibility to the platforms for ensuring they are compliant with privacy rules.

    The CJEU deems both parties to be responsible (aka, ‘data controllers’ in the legal jargon), though the court also emphasizes that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”.

    The original case dates back to 2011, when a German education and training company with a fan page on Facebook was ordered by a local data protection authority to deactivate the page because neither it nor Facebook had informed users their personal data was being collected.

    “The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the court writes today, handing down its judgement.

    “In those circumstances, the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46.”

    Facebook unsurprisingly expressed disappointment at the CJEU’s decision when contacted for a response.

    Reply
  25. Tomi Engdahl says:

    GDPR—General Data Protection Regulation. GDPR is part of the European Union’s data protection reform and is a strict set of regulations that gives data protection and security policies a new level of priority. While EU countries must comply, any organization collecting or processing data for individuals within the EU should also be developing their compliance strategy.

    Data centers in particular will need to be able to demonstrate examples of “preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

    GDPR is slated to take effect in May 2018.

    Source: https://www.cablinginstall.com/articles/print/volume-26/issue-5/features/data-center/understanding-data-security-concerns-in-remote-data-centers.html?cmpid=enl_cim_cim_data_center_newsletter_2018-06-05&pwhid=6b9badc08db25d04d04ee00b499089ffc280910702f8ef99951bdbdad3175f54dcae8b7ad9fa2c1f5697ffa19d05535df56b8dc1e6f75b7b6f6f8c7461ce0b24&eid=289644432&bid=2127371

    Reply
  26. Tomi Engdahl says:

    The Future of GDPR – Dead, Diluted, Detested or Accepted?
    https://www.securityweek.com/future-gdpr-dead-diluted-detested-or-accepted

    “GDPR Day” (May 25th, 2018) has brought a flood of activity. For example, most of us have experienced an overload of updated privacy statements in our inboxes, which can induce privacy fatigue (call it “privapathy”) that ultimately results in ignored or deleted emails.

    Meanwhile, law firms have already filed suit with multiple regulators in Austria, France, Belgium and Germany – Facebook and Google were hit with $8.8B in lawsuits on the first day. Why so many different regulators? While there is one European Data Protection Board (EDPB), it acts only as a coordinator of the independent EU member states’ “Supervisory Authorities” (SAs), which will each handle GDPR governance in their own countries. Multi-national companies are supposed to have a single “lead authority”, but the chance of multi-jurisdiction legal complications should be cause for concern.

    Other companies have attempted to opt-out of compliance with the new regulations by blocking European Union (EU) internet addresses.

    Will GDPR do more harm than good?

    The costs paid (and ongoing) are necessary for the “fundamental human right to privacy”, according to the architects of GDPR. But how extensive should that privacy really be?

    On May 25th, Gartner analyst Dr. Anton Chuvakin published a blog post titled, “My GDPR-Inspired Rant: Privacy, WTF!!!” One of his points is that GDPR defines personal data or personally identifying information (PII) too broadly. Certain information such as name, email address, phone number and physical address have been public information for decades or even centuries. He also makes the case there is a social benefit to shared data, such as a pharmaceutical company that pools data from healthcare records to spot a cure for cancer. Having lived in Russia, he also equates “the right to be forgotten” with Stalin-level evil.

    So what is the future of GDPR?

    In observing this activity and conflict, GDPR will either become dead, diluted, detested or accepted, as other regulations before it.

    Dr. Chuvakin’s final conclusion is that “GDPR will either die a slow bureaucratic death or will destroy Europe’s chance to be a part of the digital future.” This is the “dead” scenario, which we have seen historically in legislation such as the Glass-Steagall Act.

    But more commonly, legislation is modified. GDPR itself is an evolution of the Data Protection Directive, superseding and extending it to companies outside of the EU who conduct business with EU residents or companies. In the case of GDPR, though, given the flood of activity and costs, it would seem unlikely that further strengthening is in the future. More likely, it would be diluted

    Finally, many regulations that begin with similar levels of resistance fade into general acceptance. The Sarbanes-Oxley Act of 2002 (SOX) hardly gets mentioned anymore, as companies have adapted to the compliance routines and costs that it introduced. Will GDPR fade into the background in a similar way?

    Reply
  27. Tomi Engdahl says:

    Woodrow Hartzog / Medium:
    Privacy policies are useful governance documents, but users should be protected regardless of what a tech company’s policies say or how long or clear they are

    User Agreements Are Betraying You
    There’s a better way for us to interact with tech companies
    https://medium.com/s/trustissues/user-agreements-are-betraying-you-19db7135441f

    The user agreement has become a potent symbol of our asymmetric relationship with technology firms. For most of us, it’s our first interaction with a given company. We sign up and are asked to read the dreaded user agreement — a process that we know signifies some complex and inconveniently detrimental implications of using the service, but one that we choose to ignore. Our privacy hangs in the balance, yet we skim to the end of those tedious terms and conditions just so we can share that photo, or send a group message, or update our operating system…

    It’s not our fault. These agreements aren’t designed in a way that would allow us to properly consider the risks we’re taking. Tech companies have no incentive to change them. Lawmakers don’t seem to know what the alternatives are. But that doesn’t change the reality: User agreements are a legal and ethical trap, and they betray the trust of users from the very start.

    Reply
  28. Tomi Engdahl says:

    GDPR panic may spur data and AI innovation
    https://techcrunch.com/2018/06/07/gdpr-panic-may-spur-data-and-ai-innovation/?sr_share=facebook&utm_source=tcfbpage

    If AI innovation runs on data, the new European Union’s General Data Protection Regulations (GDPR) seem poised to freeze AI advancement.

    Although the enforcement deadline has passed, the technical infrastructure and manpower needed to meet these requirements still do not exist in most companies today

    Reply
  29. Tomi Engdahl says:

    Inside the Legislative and Regulatory Minefield Confronting Cybersecurity Researchers
    https://www.securityweek.com/inside-legislative-and-regulatory-minefield-confronting-cybersecurity-researchers

    Legislation – especially complex legislation – often comes with unintended consequences. The EU’s General Data protection Regulation (GDPR), which came into force May 25, 2018, is an example of complex legislation.

    GDPR, and other cybersecurity laws, are designed to protect privacy and property in the cyber domain. There is, however, concern that many of these laws have a common unintended consequence: in protecting people from cybercriminals, the laws also protect cybercriminals from security researchers.

    The question is whether security research is an unintended but inevitable collateral damage of cybersecurity legislation. While focusing on GDPR, this examination will also consider other legislation, such as the CLOUD Act, the Computer Fraud and Abuse Act (CFAA), and the Computer Misuse Act (CMA).

    The WHOIS issue

    One immediate example involves GDPR, the Internet Corporation for Assigned Names and Numbers (ICANN) and the WHOIS database/protocol. ICANN maintains a global database of internet domain registrations that has been readily available to security vendors and security researchers.

    Researchers with one known malicious domain have been able to cross-reference details via WHOIS to locate, at speed, potentially thousands of other malicious domains registered at the same time or by the same person or with the same contact details.

    However, registrant details of EU residents are now protected data under GDPR. ICANN can no longer share that data with third parties – effectively meaning that researchers can no longer access WHOIS data to discover potentially malicious domains and protect the public from spam or phishing campaigns involving those domains.

    Reply
  30. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/totaalisen-vaarin-hs-tietosuojavaltuutettu-moittii-gdpr-konsultteja-rahastamisesta-ja-harhaanjohtamisesta-6731072

    Businesses and organizations have been frightened with the maximum penalty sums of the EU’s new data protection regulation, the GDPR. Data Protection Ombudsman Reijo Aarnio told Helsingin Sanomat that the consulting firms which scared organizations with giant penalties have been cashing in on them and misleading them.

    Reply
  31. Tomi Engdahl says:

    GDPR forgive us, it’s been one month since you were enforced…
    … and we still aren’t accepting EU users
    https://www.theregister.co.uk/2018/06/25/gdpr_fails/

    A month after the enforcement date of the General Data Protection Regulation – a law that businesses had two years to prepare for – many websites are still locking out users in the European Union as a method of compliance.

    To celebrate the milestone, El Reg is casting a vulture’s eye over the sites that are giving a new meaning to the phrase “barrier protection”.

    Another retailer that failed to get its house in order is posh homeware store Pottery Barn, whose notice says that “due to technical challenges caused by new regulations in Europe” it can’t accept orders from the EU.

    “The pace of global regulations is hard to predict,” the shop complains about the legislation, which was adopted on 14 April 2016. “But we have the ultimate goal of being able to offer our products everywhere.”

    There are also a whole host of local media outlets that are shying away from dealing with the matter,

    Less understandable – though not vastly unsurprising – is the news that major US publisher Tronc, which owns a number of the US’s top-selling outlets such as The LA Times, the Chicago Tribune and the New York Daily News, remains blocked for those on the wrong side of the Pond.

    Although its redirect message still states that the firm is “engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market”, the blocking might hint that its efforts either haven’t been in earnest or the firm isn’t that bothered about EU readers

    Outside of traditional publishing, Twitter also ran into hot water thanks to over-eager attempts to comply with rules in the GDPR that say kids must be 13 in order to be able to consent to using online services.

    Reply
  32. Tomi Engdahl says:

    IETF: GDPR compliance means caring about what’s in your logfiles
    Don’t log too much, nor keep the files for too long, to stay on right side of Euro privacy rules
    https://www.theregister.co.uk/2018/04/24/ietf_gdpr_compliance_advice/

    Sysadmins: while you’re busy getting ready for the GDPR-regulated world, don’t forget what your servers are storing in their logfiles.

    That advice comes courtesy of a draft mulled by the Internet Engineering Task Force’s Internet Area Working Group (IETF’s INTAREA).

    The document, here, offered a handy checklist as a set of updates to RFC6302, “Logging Recommendations for Internet-Facing Servers.”

    The IETF suggests sysadmins adopt a data minimisation approach to configuring their server logs:

    Full IP addresses should only be stored for as long as needed to provide a service;
    Logs should otherwise only include the first two octets of IPv4 addresses, or first three octets of IPv6 addresses;
    Inbound IP address logs shouldn’t last longer than three days;
    Unnecessary identifiers should not be logged – these include source port number, timestamps, transport protocol numbers, and destination port numbers; and
    Logs should be protected against unauthorised access.

    Why three days, by the way? Because that lets logging cover a weekend before it’s flushed.

    The draft also suggested that if service providers plan to, or think they need to, store more than the data listed, they would probably need users’ permission.

    The advice stretches beyond the purely European providers, since anybody offering services to anyone in the EU needs to comply with GDPR.

    Reply
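    One way to apply the checklist above to a server log, as an added example that is not code from the IETF draft or the article: it keeps the first two octets of IPv4 addresses and the first three octets of IPv6 addresses, drops port numbers, and discards entries older than three days. The log line format, the sample entries and the "current time" are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# An IPv4 address, or a bracketed IPv6 literal, each with an optional :port.
ADDR_RE = re.compile(
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|\[[0-9A-Fa-f:]+\])(?::(?P<port>\d{1,5}))?"
)

RETENTION = timedelta(days=3)  # the draft's three days, enough to cover a weekend


def truncate_ip(text):
    """Keep only the first 2 octets (IPv4) or first 3 octets (IPv6) of an address."""
    addr = ipaddress.ip_address(text.strip("[]"))
    bits = 16 if addr.version == 4 else 24
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


def minimise_line(line):
    """Rewrite one log line: truncated client address, port number removed."""
    return ADDR_RE.sub(lambda m: truncate_ip(m.group("ip")), line)


def is_expired(logged_at, now):
    """True when an entry is older than the retention window."""
    return now - logged_at > RETENTION


def minimise_log(lines, now):
    """Return the retained, minimised lines. Constructed format: first field is an ISO 8601 timestamp."""
    kept = []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        logged_at = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if is_expired(logged_at, now):
            continue  # past retention: flush rather than keep
        kept.append(f"{stamp} {minimise_line(rest)}")
    return kept


# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    "2018-06-25T08:00:00Z 203.0.113.42:51234 GET /index.html 200",
    "2018-06-25T08:00:01Z [2001:db8:85a3::8a2e:370:7334]:44000 GET /login 302",
    "2018-06-20T23:59:59Z 198.51.100.7:40001 POST /api/consent 201",
]
NOW = datetime(2018, 6, 25, 12, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for entry in minimise_log(SAMPLE_LOG, NOW):
        print(entry)
```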
  33. Tomi Engdahl says:

    Seb Joseph / Digiday:
    Sources: programmatic ad spending, which saw steep declines after GDPR, has started to recover, with some publishers’ audience opt-in consent rates hitting 75% — Programmatic ad spending has started to recover a month after the arrival of the General Data Protection Regulation caused it to nosedive.

    A month after GDPR takes effect, programmatic ad spend has started to recover
    https://digiday.com/marketing/month-gdpr-takes-effect-programmatic-ad-spend-started-recover/

    Reply
  34. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer:
    Norwegian agency report: Facebook and Google manipulate users to share personal data using “dark patterns” despite GDPR; Windows 10 gets a more favorable rating

    Facebook, Google Manipulate Users to Share Personal Data Despite GDPR
    https://www.bleepingcomputer.com/news/technology/facebook-google-manipulate-users-to-share-personal-data-despite-gdpr/

    Despite the new GDPR regulation entering into effect across Europe, Facebook and Google are manipulating users into sharing personal data by leveraging misleading wording and confusing interfaces, according to a report released today by the Norwegian Consumer Council (NCC).

    In its 44-page report, the Norwegian agency accuses Google and Facebook of using so-called “dark patterns” in user interface elements to “nudge” users towards accepting privacy options.

    These dark patterns include misleading privacy-intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort for the users.

    DECEIVED BY DESIGN
    https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf

    Reply
  35. Tomi Engdahl says:

    Ransomhack; a new attack blackmailing business owners using GDPR
    https://www.digitalmunition.me/2018/06/ransomhack-new-attack-blackmailing-business-owners-using-gdpr/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+digitalmunition%2FUHtl+%28DigitalMunition%29

    Hackers Are Threatening Companies To Leak Stolen User Data Online To Hurt Them Through GDPR Regulations – In Return They Are Demanding Ransom Money.

    Reply
