INF529: Security and Privacy In Informatics International Aspects of Privacy and Security and Jurisdictional Issues

Prof. Clifford Neuman

Lecture 12, 5 April 2019, OHE 100C

Course Outline

• What data is out there and how is it used
• Technical means of protection
• Identification, Authentication, Audit
• The right of or expectation of privacy
• Government and Policing access to data – February 15th
• Mid-term, Then more on Government, Politics, and Privacy
• Social Networks and the social contract – March 1st
• Big data – Privacy Considerations – March 8th
• Criminal law, National Security, and Privacy – March 22nd
• Civil law and privacy – March 29th
• International law and conflict across jurisdictions – April 5th
• The Internet of Things – April 12th
• Technology – April 19th
• The future – What can we do – April 26th

This Week

International Aspects of Security and Privacy

Intro Discussion on Jurisdictional Issues
• Mindy Huang
• Abdulla Alshabanan
• Anupama Sakhalkar
• Brianna Tu – Internet of Things

Review and Discussion of Mid-Term Exam

Current Events

Next Week - Internet of Things
• Lance Aaron - Smart Assistants
• Yulie Felice - Alexa Security
• Sophia Choi – RFID, USN, M2M
• Jairo Hernandez – Security & Privacy of NFC
• Ann Bailleul – Privacy implication for IoT

April 19th Medical IoT and Technology

Security, Privacy and Safety of Medical Devices and technology.
• Fumiko Uehara
• Joseph Mehltretter
• Abdullah Altokhais

Facial Recognition and related technologies
• Louis Uuh – Facial Recognition

Security and Privacy in Messaging Technologies
• Aaron Howland

April 26th – The Future of Privacy

• Guest lecture on differential Privacy – Prof. Aleksandra Korolova
• Technology, Training, Legislation – Charlene Chen
• Right to be Forgotten and the future of privacy – Kate Glazko

International Context and Nexus

• Where does an internet activity take place
  – And by implication, the laws of which jurisdiction apply
• If I run a server in California
  – It can be accessed from anywhere
• If my server runs in the cloud
  – I might not even know where the computation takes place.
• If someone in Europe steals funds from your bank account.
  – Who will catch him and prosecute?

Privacy and Free Speech Implications

• Ability of courts to order disclosure of information
  – From a company based in the same country but for customers located elsewhere.
  – When the data is stored in another country.
  – When the company does business in the country requesting the information.
  – Laws may conflict – you will end up breaking some of them.
• When some countries try to limit what can be said in forums or publications.
  – Can they apply those laws against web servers hosted elsewhere?

Right to be Forgotten

http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf

• In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper with the national Data Protection Agency and against Spain and Google Inc. The citizen complained that an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to these was entirely irrelevant. He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared; and second, that Google Spain or Google Inc. be required to remove the personal data relating to him, so that it no longer appeared in the search results.

Consider this in the context of US Law

Under FCRA, public record information regarding a bankruptcy can only remain on a credit report for 10 years.
– But are news archives, or search results, limited by this when they become “de facto” credit reports?
– In practice, what becomes public can never be put back in the bottle.

Right to Be Forgotten

In its ruling of 13 May 2014 the EU Court said:
• On the territoriality of EU rules: Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State which promotes the selling of advertising space offered by the search engine;
• On the applicability of EU data protection rules to a search engine: Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten.

Free Speech and Censorship

• In the US, free speech rights dominate. One can speak their opinion and beliefs, and the government cannot prevent one from doing so. There are limits such as “shouting fire in a crowded theater”, or speech inciting violence (e.g. telling one's followers to commit a violent crime).

• Other countries have other kinds of specific prohibited speech.
  – This could be repressive regimes that ban or censor speech that is unflattering of the government or government officials.
  – It could be prohibitions on “hate” speech, i.e. anything derogatory about particular classes of individuals.
  – It could be statements or reports on cases pending in the courts.
  – It could be private information about specific individuals.
  – Some countries have very specific prohibited topics.
  – It could be blasphemous speech.

Question:
– How can this be handled when the speech in question occurs outside one's jurisdiction?
– Are we reduced to only saying things that are legal in all jurisdictions?

Extra-Territorial Enforcement

What happens when the government, or a private party through a lawsuit, obtains an injunction or ruling against a web site hosted in another country, or a foreign user:
– Seizing of domain names
– ISPs forced to block access
– Many countries have their own “great” firewalls
– Extradition or rendition
– Sealed indictments

Court Ordered Access to Data

Microsoft Wins Appeal on Overseas Data Searches – New York Times, NICK WINGFIELD and CECILIA KANG, JULY 14, 2016

For the last few years, American technology giants have been embroiled in a power struggle with the United States government over when authorities get to see and use the digital data that the companies collect.

On Thursday, Microsoft won a surprise victory in one such legal battle against the government over access to data that is stored outside the United States.

In the case, the United States Court of Appeals for the Second Circuit reversed a lower court’s ruling that Microsoft must turn over email communications for a suspect in a narcotics investigation stored in a Microsoft data center in Dublin. The case had attracted widespread attention in the technology industry and among legal experts because of its potential privacy implications for the growing cloud computing business, with implications for internet email and online storage, among other services.

Had the United States government prevailed, Microsoft and others warned, it would set a dangerous precedent that would make it increasingly difficult to resist orders from foreign courts demanding data, such as email from human rights activists or political dissidents. Corporate and government customers abroad also might be unwilling to use cloud services from Microsoft if they thought their data could be seized by American courts, Microsoft said.

Nexus for Cyber Crime

Where does a cyber-crime occur, and under whose laws do we determine what is legal?
– Crimes involving victims
  • Financial crimes
  • Data theft
  • Denial of service
– Facilitation of activities that are illegal in some jurisdictions
  • Gambling (free trade issues as well)
  • Sale/trafficking of illegal goods
• What if we don’t know where the server resides
  – What jurisdictions can issue orders for searches, etc.

INTERNATIONAL DATA PRIVACY

COMPARISON OF DATA PRIVACY REGULATIONS AROUND THE WORLD

INF 529 MINDY HUANG

AGENDA
• US
• Canada
• EU – GDPR
• Compare EU & US (Data Privacy Regulations)
• UK
• GDPR’s Whitelist
• Japan
• China

IT STARTS FROM THE DATA BROKER DEBATE IN THE US
• Momentum for the ‘data broker’ debate in the US was particularly fueled by a report from New York Times of June 2012
• Data Broking Companies
  • In possession of large amounts of data about consumers
  • Not required by law to notify consumers about their activities
• U.S. Federal Trade Commission
  • Called on the data broker industry to improve the transparency of its practices
  • Initiated its own enquiries of data analytics service providers
  • Found out some companies violate the Fair Credit Reporting Act by United States Code

THE DEBATES OCCURRED CONCURRENTLY WITH 4 IMPORTANT INTERNATIONAL DEVELOPMENTS

• UK's Information Commissioner's Office (ICO)
  • published a paper: ‘Anonymisation: managing data protection risk, code of practice’ (hereafter, ICO Anonymisation Code)
  • It discussed practices for the de-identification of personal information that may be acceptable to the Information Commissioner
  • This paper was subsequently endorsed in discussion papers issued by other privacy regulators, including in Australia, Singapore, and (Canada) Ontario.

CANADA

• Report to: Office of the Privacy Commissioner (OPC)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Federal privacy law for private sector organizations
  • Similar to other privacy laws
  • Personal information that is collected under a commercial activity falls under PIPEDA protection
  • Personal information collected for government or by an employer is not covered.
  • Penalties are much lighter for PIPEDA than other privacy regulations
• May not cover all of Canada
  • Alberta is governed by the Personal Information Protection Act (PIPA) since 2004
  • British Columbia is governed by an act under the same name, implemented in 2003
  • Ontario has its own privacy act, the Personal Health Information Protection Act 2004

CANADA

• Many Canadians Unaware of Privacy Efforts
  • 38% of business respondents were unaware of PIPEDA
  • 59% said they store customer information
  • 40% had suffered a cybersecurity attack
  • Only 54% provide cybersecurity training to their employees
  • A lot of personal consumer information is going to be at risk
• Catching Up with Other Countries
  • A report from the privacy commissioner has called for more transparency and accountability around personal data
  • And stronger privacy laws
• Trade partnerships between the U.S. and Canada
  • Privacy protection law is going to be normal
  • PIPEDA can provide another layer of security to the U.S. privacy behaviors

EU – GENERAL DATA PROTECTION REGULATION

• Enforced in May 2018; organizations that fail to meet critical compliance will face heavy fines
• Replaced the Data Protection Directive
• Enforceable law in all member states and for anyone with EU data subjects
• Designed to fit today’s technology while remaining general to protect the fundamental rights of individuals throughout future waves of innovation
• Harmonize data privacy laws across Europe
• Protect and empower all EU citizens' data privacy
• Reshape the way organizations across the region approach data privacy
• 3 European authorities are responsible for the legislative process
  • European Commission, European Parliament, and Council of Ministers of the European Union

EU VS US

• EU - GDPR
• US - Data Protection Regulations
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • NIST 800-171
    • Aimed at protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations
  • The Gramm-Leach-Bliley Act (GLB Act or GLBA)
    • Financial Modernization Act
  • The Federal Information Security Management Act (FISMA)
    • Required for federal agencies to develop, document, and implement an information security and protection program

EU VS US

• EU
  • GDPR aims to harmonize data privacy laws across Europe
  • Protect EU citizens’ sensitive data and empower them to better control their data
  • Cements EU citizens’ right to request the deletion of their data
  • Stricter controls over cross-border data transfers
• US
  • Some may be up to GDPR standards, while others may not
  • Addresses data security and data protection
  • Privacy is separated and segmented to privacy laws
  • Enforced through government
    • Federal Communication Committee (FCC)
    • American Civil Liberties Union (ACLU)
    • Electronic Frontier Foundation (EFF)

EU VS US

• EU
  • Broad considerations and at times vague definitions
  • Firmly put individual rights before the interest of businesses
• US
  • Accustomed to compartmentalized data protection
  • Concerned with integrity of data as a commercial asset

EU-US PRIVACY SHIELD FRAMEWORK

• Designed by the European Commission & the US Department of Commerce
• To facilitate transatlantic exchanges of personal data for commercial purposes between the EU and the US
• An Agreement, not a regulation
• Monitored by the US Department of Commerce
• FTC supports the monitoring and enforcement of the Privacy Shield
• Fails to address the individual privacy rights vouchsafed by the GDPR

GDPR AND BREXIT

• UK will still need to comply with GDPR
• Cross-over period between the GDPR coming into force and the UK exiting the EU
• Extraterritorial reach of GDPR
• International companies across the globe

UK – BESIDES GDPR

• ICO – Information Commissioner’s Office
  • The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
• The Data Protection Act
  • Requires fair processing of personal data, which means that you must be transparent about why you’re collecting personal data and how you’re going to use it
  • If you use browser cookies, you need to clearly explain what they do and why you’re using them, and gain the informed consent of your users.
  • Fines of up to £500,000 depending upon the severity of the breach
    • imposed on data controllers
  • While for GDPR, fines of £10,000,000 or in the case of undertakings, 2% of worldwide turnover (whichever is higher) may be imposed for breaches

UK ICO – YOUR RIGHT

• Your right to be informed if your personal data is being used
• Get copies of your data
• Get your data corrected
• Get your data deleted
• Limit how organizations use your data
• Data portability
• Object to the use of your data
• Your rights relating to decisions being made about you without human involvement
• Access information from a public body
• Raise a concern

GDPR’S WHITELIST – ADEQUACY DECISION

• Some countries are exempted from the privacy law based on “adequacy decision”
• Purpose: personal data can flow from the EU to that third country without any further safeguard being necessary
• 10 countries and territories are in the GDPR’s whitelist:
  • Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the United States (limited to the Privacy Shield framework)
• Ongoing with South Korea
• Does not cover the “Police Directive”

GDPR’S - ADEQUACY DECISION PROCESS

• The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection.
• The adoption of an adequacy decision involves
  • a proposal from the European Commission
  • an opinion of the European Data Protection Board
  • an approval from representatives of EU countries
  • the adoption of the decision by the European Commission

DATA PROTECTION IN JAPAN

• Japan and the EU agreed to recognize each other’s data protection regimes as providing adequate protections for personal data.
• From an EU perspective, Japan will be recognized as having “adequate safeguards” in place for data protection, meaning that specific transfer agreements with Japanese entities may no longer be required
• Items to be aligned
  • Scope of “personal information requiring careful consideration”
  • Access right
  • Succession of purpose of use
  • Re-transfer of EU data subjects’ personal data from Japan to foreign countries
  • Anonymously processed information (that is exempt from certain protections)

CHINA

• January 2, 2018, the Standardization Administration of China (“SAC”) released the final version of the national standard on personal information protection
  • Information Technology – Personal Information Security Specification (the “Specification”)
• Contains more strenuous requirements than the GDPR
• Contains provisions related to transparency, personal right over data and consent

THE STANDARD & GDPR

• Similarities
  • Regulates the use of “personal information”
  • Requires transparency, specificity and fairness of processing purpose
  • Purpose limitation
  • The rights of individuals
• Differences
  • Defining “sensitive” personal information
    • If lost or misused, is capable of endangering persons or property, e.g. national identification card numbers, banking and credit details, information on a person’s real estate holdings
  • Derogates consent requirements
    • By including non-consensual grounds for collecting and processing personal information
  • The data portability right arises in a wider range of situations, but is limited to certain information, such as health, education or occupational information.

CONCLUSION

• Data privacy regulations around the world rest on distinctly different theoretical foundations, yet the regulatory analysis as to re-identification risk, and the management and mitigation of that risk through implementation of appropriate safeguards, is remarkably convergent

• Managing privacy will be the new normal, like securing data or paying taxes

Compliance, Issues and Concerns
GDPR and the Middle East
Abdulla Alshabanah

Outline
• GDPR Overview
• GDPR Compliance
  • Saudi Arabia
  • Qatar
  • Bahrain
  • UAE, Oman and Kuwait
• Current Privacy Policies in Saudi Arabia
• Issues and Concerns

GDPR: Data Processing Principles
a) it is processed fairly, lawfully and transparently
b) it is collected and processed for specific reasons and stored for specific periods of time, and that it is not used for reasons beyond its original purpose
c) only the data necessary for the purpose it is intended is collected, and not more
d) it is accurate and that reasonable steps are taken to ensure it remains accurate
e) it is kept in a form that allows individuals to be identified only as long as is necessary
f) it is kept securely and protected from unlawful access, accidental loss or damage

GDPR: Data Processing Principles
a) Lawfulness, Fairness and Transparency
b) Purpose Limitation
c) Data Minimization
d) Accuracy
e) Storage Limitation
f) Integrity and Confidentiality

GDPR: Who should comply

• Organizations that have a representative in the EU
• Offer goods or services to data subjects in the EU
  • Airlines, Hotels, Banks
• Monitor the online behavior of data subjects in the EU
  • Government agencies, e.g. visa issuance

Compliance with GDPR
Saudi Arabia, Qatar, Bahrain, Kuwait, Oman, and the United Arab Emirates

Compliance: Saudi Arabia

• There is no specific regulation addressing the protection of personal data
• Data related regulations:
  • Anti-Cyber Crime Law: Accessing personal devices, bank or credit information and interrupting data transmission
  • Healthcare Practice Code
  • Telecommunications Law
• There are no specific requirements related to collection, registration or export of personal data in the legislation

Compliance: Qatar

• The first country out of the 6 to enact a comprehensive data protection law (DPL)
• The law complies with GDPR requirements in general and goes into detail about Individuals’ Rights
  • Article 4: Unless the processing is necessary to meet a Controller’s Legitimate Purpose or a Legitimate Purpose of a receiving third party, the Controller may only process Personal Data after obtaining the Individual's consent
  • Article 5: An Individual may at any time Withdraw their previously given consent to processing the Personal Data, object to processing the Personal Data, request omission or erasing of the Personal Data and Request corrections to the Personal Data

Compliance: Bahrain

• The Personal Data Protection Law was issued in July 2018 and will be enforced in August 2019
• In addition to complying with GDPR, the law is more restricted when it comes to who it applies to
  • It applies to individuals not normally residing or working in Bahrain and companies without a place of business in the country, that process personal data by using means available in Bahrain
• This is all as Bahrain plans to be a data center hub and a host for Amazon Web Services (AWS) in the region

Compliance: United Arab Emirates, Kuwait and Oman

• Similar to Saudi Arabia, there is no specific regulation addressing the protection of personal data
• They all have several data protection related regulations that are embedded in other laws
• In UAE there are two free zones that comply with GDPR
  • Abu Dhabi Global Market: DATA PROTECTION REGULATIONS enforced in 2015 and amended in 2018
  • Dubai International Financial Centre: DATA PROTECTION LAW enforced in 2007 and amended in 2018

Current Privacy Policies
Saudi Arabia

Current Privacy Policies: NIC

• Provides IT solutions and services to the Ministry sectors and other government agencies
• One of its key roles is taking responsibility for national data protection and enhancing sharing of such data

Current Privacy Policies: NIC

• If you choose to make an on-line application or send the Ministry of Interior an e-mail via the Portal for which you provide us with personally identifiable data, we may share necessary data with other Government agencies, so as to serve you in a most efficient and effective way. We will not share your personal data with non-Governmental entities, except where such entities have been authorized to do so by competent authorities. By submitting your personal information and data through the Ministry of Interior Portal you fully agree on the storage, process and use by the Saudi authorities. We reserve the right at all times to disclose any information to the competent authorities as necessary to satisfy any law, regulation or governmental request.

Current Privacy Policies: NIC

• You are solely responsible for the comprehensiveness, correctness and truthfulness of the data you send on this Portal.
• To safeguard your personal data, all electronic storage and transmission of personal data are secured with appropriate security technologies.
• This Portal may contain links to sites or portals whose data protection and privacy practices may differ from ours. We are not responsible for the content and privacy practices of these other websites and advise you to consult the privacy notices of those sites.

Current Privacy Policies: Aramco

• Aramco Overseas is a subsidiary of Saudi Aramco, the state-owned oil company of the Kingdom of Saudi Arabia
• It has branches in France, Italy and the Netherlands

Current Privacy Policies: Aramco

• What Personal Information do we collect about you?
  • Information you provide directly
  • Information about your use of the website or other services we provide
    • We may collect certain information during your visit to an AOC website when you accept our cookie
  • Information from third party sources
    • We may collect information about you from publicly and commercially available sources (as permitted by law), which we may combine with other information we collect when you visit an AOC site.
• How do we use your Information?
  • You have a right to withdraw your consent, in which case we will no longer use your information

Current Privacy Policies: Aramco

• To whom do we disclose your Information?
  • Service providers
  • Other Parties When Required by Law or as Necessary to Protect Our Services
  • Other Parties in Connection With Corporate Transactions
  • Other Parties With Your Consent or At Your Direction
• What do we do to keep your Information secure?
• International Transfers
  • We have put in place appropriate contractual protections to keep your data confidential
• Rights into your Personal Information
  • You have the right to request details about the Personal Information we collect on you, and to access, correct, restrict, block, erase and port this information
• Data Retention
  • We retain your Personal Information only for so long as is necessary for the purpose for which it was collected

Current Privacy Policies: Aramco

• Please note that users in the European Union have the right to lodge a complaint with the Supervisory Authority for data protection in their country if they believe that AOC violates EU data protection laws
• European Union has been mentioned 4 times in the privacy policy

Issues and Concerns

Data Governance
• Middle East Countries have regulations that are less strict than GDPR
• Increasing connectivity means more data collection
• Implementing lower level of data governance won’t help in the long term
• Local firms operating on local customers will need at some point to comply with the global privacy standards

Data Breach Containment
• Considered the highest in the world, the Middle East takes an average of 260 days to identify and contain a data breach
• Under GDPR, a company is required to reveal a breach in 72 hours
• Lack of skilled security professionals
• Outsourcing security services
• Money is spent on future demand for technology rather than infrastructure and professionals

Lack of Awareness
• Misunderstanding the scope of the regulation
• Inability to interpret the requirements
• GDPR awareness campaigns are being sponsored by financial and consulting companies

What if a Middle Eastern company doesn’t comply with GDPR

Data Privacy - International law

Anupama Sakhalkar, INF 529, April 5, 2019

OUTLINE
● Overview of privacy laws around the world
● GDPR
● International laws governing data transfer and privacy - EU-US Privacy Shield Framework
● Future data privacy changes - India’s Personal Data Protection Act

Privacy laws around the world

Privacy legislation in different countries

● Over 100 countries around the world now have data protection laws in place
● Legislation present - Australia and New Zealand, EU, 19 countries in Africa, 15 countries in Asia, 17 countries in North and Latin America
● Drafting legislation - 4 countries in Asia, 4 in North and Latin America
● Non-EU states - GDPR accepted by Iceland and Norway, Serbia and Macedonia have fully harmonized their laws with GDPR

Continent-wide privacy legislation

● Convention on Cyber Security and Personal Data Protection in African continent
● Asia Pacific Economic Cooperation Privacy Framework in Asia Pacific
● EU-US Privacy Shield Framework
● Ibero-American Data Protection Network in Latin America

Illustration of data protection laws around the world - https://www.dlapiperdataprotection.com/

GDPR

Overview

● The General Data Protection Regulation (GDPR) came into effect on 25 May 2018
● Prior to GDPR, data privacy laws for Europe were defined in the Data Protection Directive of 1995
● How is GDPR an upgrade from Data Protection Directive?
  ❏ For the consumer - strengthened rights
  ❏ For regulators - Harmonization
  ❏ For businesses - More accountability

“This will impact every entity that holds or uses European personal data both inside and outside of Europe” - PWC

Overview

● Audit trail
● Right to be forgotten
● Data portability
● Transparency of data collection and transmission
● Accessing data
● Mandatory breach notification
● Data Protection Officer
● Children's data

Potential Problems

● Confusion around implementing GDPR compliance for organizations - 40% of respondents have inaccurate knowledge of all 10 provisions considered; none accurately describe all 10 provisions; the lack of understanding persists for companies that hold over 100,000 records of personal data
● Study by London School of Economics showed that a majority of businesses (>80%) were unable to reliably quantify expected costs of compliance for GDPR
● An organization that is a public authority or engages in systematic monitoring of people or processes sensitive personal data on a large scale will need to appoint a permanent and appropriately qualified Data Protection Officer for a minimum of two years
● Some organizations will need to invest in better technology solutions to compliably respond to requests for data deletion, retention or portability – all of which is cost that will no doubt soon be passed on to their customers.

EU-US Privacy Shield Framework

Overview

“The EU-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce” ---www.privacyshield.gov

Why is this important?
● Transatlantic commerce is of the order of $5 trillion every year, a lot of which requires data to be collected across international borders
● EU has very strict rules governing access to personal data whereas the US as a country does not have such strict rules
● Need a mechanism to ensure EU users’ data privacy is protected even when that data leaves the EU

History
● In July 2016, European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfer between EU-US under EU law
● Privacy Shield was needed to replace the void created by ECJ declaring the previous EU-US Safe Harbor Framework invalid
● Safe Harbor was already under intense scrutiny because of Edward Snowden’s revelations
● Final nail in the coffin for Safe Harbor was the Max Schrems case

Max Schrems case

● Max Schrems - an Austrian citizen and Facebook subscriber ● Filed a complaint against Facebook for not providing adequate protection for his data privacy ● Complaint was based on the potential loss to his data privacy since US authorities could access his personal data off Facebook servers in the US ● ECJ acknowledged Max’s concerns and declared Safe Harbor invalid Problems with Safe Harbor

● ECJ found that the United States is not able to provide an adequate level of protection for data under Safe Harbor because Safe Harbor had too many loopholes Example loophole - Safe Harbor may not apply if “national security, public interest or law enforcement requirements” are at stake. ● EU law for access to personal data is stricter than US law so ECJ found Safe Harbor to be inadequate for protecting the privacy of EU users’ personal data Privacy Shield principles

● Notice ● Choice ● Accountability for Onward Transfer ● Security ● Data Integrity and Purpose Limitation ● Access ● Recourse, Enforcement and Liability How does Privacy Shield work?

● Joining Privacy Shield is voluntary for a US based organization - then why would anyone bother to join? ● To join, an organization must self-certify to the Department of Commerce and publicly commit to comply with the framework’s requirements ● The public commitment then becomes enforceable under US law Privacy Shield weaknesses

● Participation is not mandatory ● Does not protect US organizations from government data requests ● Remains to be seen if a US organization could be penalized under Privacy Shield for complying with a federal government or law enforcement data request Future Data Privacy Changes India - Personal Data Protection Act

● Act introduced in 2018, to be tabled in Indian Parliament in 2019 ● Attempts to establish a legal framework similar to GDPR ● Consequence of Indian Supreme Court ruling in 2017 that privacy is a fundamental right of Indian citizens ● Ruling emerged in Indian Supreme Court due to the Aadhar card introduced by Government of India as a unique identifier for all citizens India - Aadhar

● Aadhar is a platform which provides a person with a unique 12 digit identification number ● This ID is linked to a person’s demographic and biometric information including fingerprints and iris scans ● Initially introduced as a way of improving welfare delivery services, later made mandatory by government ● World’s largest biometric ID system - data of more than 1 billion people Aadhar - Problems

● Is data stored in Aadhar database secure? ● Does the government have a right to mandate citizens to provide biometric data - violation of data privacy? ● Mandating linkage of Aadhar to all services forces citizens to give up personal data in exchange for services - violation of right to privacy? Aadhar - Supreme Court Ruling

● Aadhar was found to be legal, but the Supreme Court declared that it was not mandatory for citizens to provide their Aadhar number to get services ● Ruling was a little too late - many people had already provided it to service providers ● In an attempt to save Aadhar, government challenged that privacy was not a fundamental right of citizens since it was not stated in the Constitution ● Supreme Court upheld privacy as a fundamental right Personal Data Protection Act - Overview

● Notice requirements and restrictions on processing data ● Restriction on processing childrens’ data ● GDPR style rights ● Stringent Data Residency Requirements ● High Risk Data Controllers ● Data Breach Notification Requirements ● GDPR style penalties for violations Personal Data Protection Act - Problems

● Data localization - increased costs to businesses ● Law enforcement access to data - government spying on citizens? India has weak safeguards against state surveillance

Questions? Thank you Global Smart Cities Internet of Things

INF 529
BRIANNA TU
APRIL 5TH, 2019

Agenda

Introduction to Internet of Things ◦ IoT and how it is being used today ◦ Privacy Concerns in IoT Global Smart Cities ◦ What defines a “smart city” ◦ International Standards ◦ Privacy Concerns in Smart Cities ◦ Studies and Comparisons of Smart Cities today ◦ The Future of IoT in Smart Cities Conclusion/Q&A What is the Internet of Things (IoT)?

The Internet of Things is a network of connected devices and machine-to-machine (M2M) communications. Characteristics and Architecture of IoT

Characteristics:
◦ Interconnectivity
◦ Things-related services
◦ Heterogeneity
◦ Dynamic changes
◦ Enormous scale
◦ Safety
◦ Connectivity

Architecture:
◦ Application and Management Layer
◦ Network / Communication Layer
◦ Smart Device / Sensors Layer

How is IoT being utilized today?

Consumer Applications

Commercial Applications

Industrial/ Manufacturing

Infrastructure Privacy Challenges with IoT

Securing Privacy of growing amounts of data ◦ More data, more to manage ◦ Struggles of big data trends that generalize The “right to know” and who really owns the data anymore Use of data for social or political control More regulations and legal framework to take into account the variety of Internet of Things ◦ Areas like “social media” and corporations are easier to target Smart City

A smart city is an urban area that uses different types of electronic data collection sensors to supply information which is used to manage assets and resources efficiently. Uses information technologies like ICT to: ◦ Build physical and urban infrastructure ◦ Encourage communication and participation to provide better government services ◦ Innovate to make the community more intelligent and creative Framework IEC 30141 – International Standard

A new international standard has been produced for the Internet of Things, signifying the growing use of connected technology and the need for a global commonality of practice for the various types of emerging technologies. The new standard is ISO/IEC 30141, Internet of Things (IoT) – Reference architecture, and it sets out to provide an internationally standardized IoT Reference Architecture using a common vocabulary, reusable designs and industry best practice. ASEAN Smart Cities Network

The ASEAN Smart Cities Network (ASCN) is a collaborative platform where ASEAN Member States work towards the common goal of smart and sustainable urban development with technology as an enabler. 26 cities from the 10 ASEAN countries have been named pilot cities for this network, including Singapore, Johor Bahru, Phuket, Yangon, Phnom Penh and Vientiane. Singapore’s Smart Nation

Singapore's Smart Nation initiative was officially launched by Prime Minister Lee Hsien Loong on November 24, 2014
◦ “Serving Citizens and Businesses Better Through Technology”
1. Digital Economy
2. Digital Government
3. Digital Society

Technology in Place
Transportation and Urban Mobility
◦ ONE.MOTORING
◦ Land Transport Authority (LTA)
◦ Parking Guidance System
Energy and Water Management
Healthcare
◦ HealthHub

Singapore’s Smart Nation

Strategy & Roadmap
e-Governance Platform
◦ “Digital to the Core, and Serves with Heart”
Maximize the value of data in a trusted environment
◦ Implementing policies
◦ Reviewing legislation
Build a digital ready community
◦ Programs (e.g. TeSA) and capability centers (ICT&SS) available to all citizens

Concerns
Over-governance and control
Ubiquitous surveillance and monitoring
Less improvisation, thoughts, and innovations
Technology advances over privacy

London

The Smarter London Together roadmap is a non-statutory document adopted by the Mayor of London. The roadmap builds on the last Smart London Plan in 2013 (updated in 2016) and is a new approach based on collaborative missions. It calls for the city's 33 local authorities and public services to work and collaborate better with data and digital technologies, and helps to realize the seven statutory Mayoral strategies in: • transport, • the environment, • health inequalities, • housing, • culture, • economic development • the London Plan. London – Strategy & Roadmap

“Make London smarter”
Engagement
◦ Local Government Digital Service Standard
Boosting Connectivity
◦ Through new technology such as 5G
◦ Launch the London Office for Data Analytics (LODA)
Smart City Infrastructure
◦ Lampposts as mentioned in the European Horizon 2020 Sharing Cities program

Concerns
Political entities and elections disturbing the completion of these roadmaps

Other Smart Cities

New York Barcelona India Tokyo Amsterdam Many more! Visitors vs. Citizens

Visitors
Enjoy the conveniences of the technologies
◦ Helps shape their experience touring these international cities
Indirectly being monitored by visiting these cities

Citizens
The “co-creators” and sensors of the smart cities
Directly benefiting from the city’s technological advancements

Privacy of Personal Information

“The smart cities of tomorrow engage governments, citizens, visitors, and businesses in an intelligent, connected ecosystem. ” Privacy in Smart Cities

Big Data collection and analytics can lead to incorrect predictive policing. ◦ Mass surveillance With e-Governments on the rise and lack the physical interaction and proximity it provides if it were Citizens (and visitors) can’t really “opt out” of smart cities like they can with other technologies in the world. ◦ Who owns the data? The Future of Smart Cities / Takeaways

Security by Design is very important when it comes to creating new technology. Building trust amongst citizens is important to the development of these cities. ◦ City data + smart citizens = better city decisions. People are more distracted by the conveniences that smart cities are providing rather than worrying about privacy concerns. Regulations need to be solidified as IoT technology advances. Artificial Intelligence and Machine Learning are well on their way to contributing to Big Data collection.

Questions? Mid-Term Exam Discussion Q1

1. How did they get my data? (30 points) Privacy breaches involve inappropriate access to or use of personally identifiable information. Such inappropriate access typically takes one of two forms. Either data held legitimately is disclosed through the actions of criminals that breach the security of a system, or alternatively, the holder of the information gives the data to someone that should not have access or uses the data in ways that are not authorized or collects data they shouldn’t be collecting to begin with. a) List the three primary ways that adversaries can get hold of your personally identifiable data in the systems that you use. (10 points) b) Explain the role that malware, malicious apps, or apps that exceed their legitimate authority play in mis-use or release of our PII. (10 points) [Hint, it can play a role in any of the three ways covered in 1a, but you must explain how it does so] c) If you were designing a system that used PII, what are some of the steps you would take to minimize the risk of inappropriate disclosure of PII to others. (10 points) Mid-Term Exam Discussion Q2

2. Much of the information collected about us has been collected and stored for many years. The first photograph was taken around 1827, the first video (movies) were recorded in 1888. The earliest transaction receipts (records of goods traded) go back at least as far as the Mesopotamian civilizations. Given that such data has been recorded for years, what has changed about our technology that makes things different in terms of its impact on our privacy? (10 points) Mid-Term Exam Discussion Q3

3. The primary focus in class for our discussion on expectations of privacy was on access to our private data by our government (e.g. search and seizure, wiretaps, our encrypted data, messages, email, as well as transaction records, information from security cameras, and even D.N.A.). The discussion was very much focused on the expectations of individuals within the United States. There are equally legitimate arguments on both sides of the issue regarding what kind of access is to be permitted and what should be the conditions under which the data may be used. These arguments attempt to balance potential rights of privacy with the need of government to stop crime and protect its citizens. These arguments have been made for and against proposals in the United States, and they have been made in other countries as well, sometimes resulting in different outcomes in terms of the laws that apply.

• In this question you are to make arguments in favor of the rights of individual privacy over the need for governments to have access to significant private information for the purpose of public safety. You are ALSO to make arguments in favor of the need for government to have access to private information, even at the cost of diminishing individual privacy. I want you to make equally compelling arguments on each side of this issue, and you should provide example scenarios or real world examples that support each of the opposing arguments. (30 points) Mid-Term Exam Discussion Q4

You have been hired by a joint commission comprising the FTC in the United States, and investigators from the E.U. to analyze the security and privacy practices of Facebook, Google, Apple, and similar data brokers In particular, you are asked to check whether the practices of these organizations are consistent with the terms and conditions / privacy policies of the organizations, and with applicable law in Europe and the U.S. a) List some of the actions (and inaction) by these three organizations that have come under fire by regulators for demonstrating a lack of concern for the privacy of individuals. [hint, most of these items were the subject of multiple current event discussions] (10 points) b) Discuss policy, technical, and procedural recommendations that you have for these three organizations, and other organizations that process this kind of PII, that will help them to address these concerns. (10 points) c) Discuss your recommendations for elements that you feel should be part of a comprehensive U.S. privacy law in order to address the potential misuse of our PII by these and other private organizations. (10 points) Additional Relevant Topics

• Tools for “protection of privacy.” • Discussion of issues surrounding use of those tools. • The Dark Side of those tools. Tools – A Sampling

• Communication
  – Email communication
  – Website “secure email”
  – PGP / S/MIME
  – SSL / TLS
  – Virtual Private Networks
• Anonymization
  – Proxies
  – TOR
• Storage Encryption
  – Truecrypt
• Messaging Apps
  – Wickr

Email – Normal Protections

• Basic email protocol – Unencrypted – Relayed, Store and Forward • Email can be viewed – On servers – On users device – In transit Email – Better Alternatives

• For Transactional Websites – Financial, account management – Often use “secure email” hosted on site • Certain messages accessible only by logging in to customer portal • External emails alert users to new “secure messages” – Why? • Liabilities? What is within their control? Encrypting Electronic Mail

• Mail can be encrypted in many places: • Use of SSL/TLS to connect to gmail, yahoo, etc • Use of SSL/TLS when downloading messages via POP/IMAP. • Use of SSL/TLS between mail transport agents. • Mail is in the clear on servers.
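
The hop-by-hop protection listed above can be checked on a delivered message by reading its Received trace headers. The following is an added example, not part of the original slides: it parses a constructed message with hypothetical host names and relies on the RFC 3848 "with" keywords (ESMTPS, ESMTPSA, LMTPS, LMTPSA) that a server records when the hop into it used TLS.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol keywords that indicate the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Extracts sending host, receiving host and protocol from one Received value.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

# Constructed sample message (hypothetical hosts, documentation IP ranges).
SAMPLE = "\n".join([
    "Received: from relay.transit.example (relay.transit.example [192.0.2.10])",
    "\tby mx.recipient.example with ESMTPS id c3; Fri, 5 Apr 2019 10:00:03 -0700",
    "Received: from out.sender.example (out.sender.example [198.51.100.7])",
    "\tby relay.transit.example with ESMTP id b2; Fri, 5 Apr 2019 10:00:02 -0700",
    "Received: from laptop.sender.example (unknown [203.0.113.5])",
    "\tby out.sender.example with ESMTPSA id a1; Fri, 5 Apr 2019 10:00:01 -0700",
    "From: alice@sender.example",
    "To: bob@recipient.example",
    "Subject: constructed sample",
    "",
    "hello",
])


def trace(raw_message):
    """Return the delivery hops in chronological order (oldest first)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received header, so the list is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # header in a form this sketch does not parse
        proto = m.group(3).rstrip(";").upper()
        hops.append({
            "from": m.group(1),
            "by": m.group(2),
            "proto": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops


def cleartext_hops(hops):
    """Hops where the message crossed the network without TLS."""
    return [(h["from"], h["by"]) for h in hops if not h["tls"]]


def servers_with_plaintext(hops):
    """Every server that accepted the message held it unencrypted,
    whether or not the link into it was protected by TLS."""
    return [h["by"] for h in hops]


if __name__ == "__main__":
    hops = trace(SAMPLE)
    for h in hops:
        link = "TLS" if h["tls"] else "CLEARTEXT"
        print(f'{h["from"]} -> {h["by"]}: {h["proto"]} ({link})')
    print("held in the clear on:", ", ".join(servers_with_plaintext(hops)))
```

Received headers are written by each server in the path, so entries added before the first server you trust can be forged and should be read as indicative only.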

• PGP provides end to end encryption and digital signatures for email messages. • Users obtain “certificates” which certify a public key. • Users use corresponding “private” key to decrypt messages sent to them, or to digitally sign messages they send. • Other services provided in toolkit, to support file encryption, etc. Email – Secure Email

• PGP or S/MIME (two different representations) – May encrypt message for confidentiality – May apply signature for integrity – The difficulty is: • Deployment • Key Management – How to know who you are encrypting a message for? • Encryption/Privacy Debate? – Key escrow? Same problems as with backdoors. Email – Ad Hoc Approaches

• Attachment encryption – Zip – PDF’s • Issues – Still a key management issue – Users don’t know how to deal with it. Internet Communication

• SSL and TLS (HTTPS:) – Encrypts data sent on network • Confidentiality and Integrity – Key Management for Server • Optional for client, but infrequently used – Authenticates name of server • But not if you are connecting to right place – Man in the middle issues based on weak PKI (Certification Hierarchy) More on TLS

• You need to be using it – If anything is sensitive – If you use passwords • Many sites now turning on by default – Search ranking may also be influenced Problems with TLS

• Many vulnerabilities – Often key choice – Often negotiation • Usually one way authentication and no “authorization”. • Man in the middle attacks – Superfish – Lenovo • Data in open on client and server – Heartbleed Virtual Private Networks

• Problem – Lots of internet communication not protected by SSL/TLS or other means of encryption. – Network traffic in general is easily intercepted and read or modified. – Especially from Open Wifi, or hotel networks, but taps possible even from home or businesses. – Even SSL/TLS communications can be vulnerable depending on how connection initiated. Virtual Private Networks

• Potential Solution – Create a tunnel from device to more central location in network • Devices Business network • Devices Home Network • Third party network • Issues – Traffic still unprotected once dumped onto primary network – But it protects traffic at the less secure endpoint. • Other advantages – IP Address is not indicative of device location Messaging Apps

• WhatsApp
  – Now owned by Facebook
  – Uses SSL encryption to communicate with server
  – Concerns – availability of data through the server?
    Brazil Facebook head arrested for refusing to share WhatsApp data
• WICKR
  – A messaging app
  – Data is encrypted from device to device so not present on central servers.

Communication – Messaging, IM services

• Message boards (phpBB) or Chat/IM servers are central components through which all communication and endpoints are visible. • These tools provide means of disseminating messages to groups of readers. Internet Relay Chat

• IRC was created in 1988 as a distributed chat system.
• It supports channels (similar to Twitter hashtags today) to which users (or processes) can subscribe.
• IRC is distributed in a tree like fashion meaning that an IRC server can subscribe to other servers.
• Reduces overall traffic and makes system harder to shut down.
• Often used programmatically to provide anonymous commands to compromised machines (e.g. botnets).
• Repudiability of subscribers.

SnapChat and ephemeral messaging

• SnapChat and similar ephemeral messaging apps imply that you can send a message that will disappear after it is viewed, or shortly thereafter.

• FTC recently took them to task for such claims.
• One is dependent on one's trust in the provider of the service.
• One can always videotape and take a photo of their own screen (using a second camera, etc).

Wickr is a better alternative

Video and Audio Conferencing Tools

• There are many audio and video conference tools available that allow two party video and or audio communication, and in some cases multi-party conferencing: • Skype • ooVoo • Google Hangouts • Involve central server to coordinate connection between endpoints. • In some cases communication is through central server. • May be used like phones to coordinate with conspirators but content may be encrypted. • Not the best tools to use for illegal content. Anonymization

• Even if contents are protected, traffic analysis is still possible, providing information about what sites one visits. • Tools are available that will hide your addresses – Proxies – Networks of Proxies – Onion Routing and TOR Anonymizer and similar services

• Some are VPN based and hide IP addresses.
• Some are proxy based, where you configure your web browser.
• Need the proxy to hide cookies and header information provided by browser.
• You trust the provider to hide your details.
• Systems like TOR do better because you don’t depend on a single provider.

TOR

From Engadget, 7/28/2014 Russia offers a $110,000 bounty if you can crack Tor Countries that have less-than-stellar records when it comes to dissenting voices must really, really hate Tor. Coincidentally, Russia's Interior Ministry has put out a bounty of around $110,000 to groups who can crack the US Navy-designed privacy network. After the country's vicious crackdown on dissenting voices back in 2012, protestors who hadn't escaped or been jailed began using anonymous internet communication as their first line of defense against the Kremlin. If you're considering taking part in the challenge (and earning yourself a tidy stack of cash to quell your conscious), be warned -- the bounty is only open to organizations that already have security clearance to work for the Russian government. TOR - Fundamentals

[Figure: a Source Node connected to a Destination Node through a series of TOR nodes (T)]

TOR - Fundamentals

• Origin node accesses list of TOR nodes and creates the packet:
  • Starts by creating a packet consisting of payload and header – header contains desired destination node and final TOR node in zigzag route
  • Now treats the above packet as a payload and creates a header with origin and destination consisting of two TOR nodes
  • This is repeated until final packet contains a header with original source node and first TOR node identified
• …Hence the term “Onion Routing”

TOR - Fundamentals
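
The layered packet construction described in the preceding slide can be traced in code. This is an added example, not part of the original slides, and it goes one step beyond them: each layer is sealed with a key held by one relay, so the record of what every relay can observe is enforced rather than assumed. The relay names, pre-shared keys and the toy cipher are assumptions made for illustration; real TOR negotiates per-circuit keys and uses fixed-size cells, which is not modelled here.

```python
import hashlib
import hmac
import json


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one relay key.
    return hashlib.sha256(label + key).digest()


def _keystream(key, n):
    # Toy keystream (SHA-256 in counter mode) standing in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal(key, plaintext):
    """Encrypt-then-MAC one layer so only the holder of `key` can open it."""
    stream = _keystream(_subkey(key, b"enc"), len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def unseal(key, blob):
    tag, ciphertext = blob[:32], blob[32:]
    expected = hmac.new(_subkey(key, b"mac"), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not sealed for this relay")
    stream = _keystream(_subkey(key, b"enc"), len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def build_onion(origin, route, destination, payload, keys):
    """Return the packet the origin puts on the wire toward route[0]."""
    hops = [origin] + list(route) + [destination]
    body = payload
    # Inside out: the first header names the final relay and the destination,
    # the last one built names the origin and the first relay.
    for i in range(len(route), 0, -1):
        layer = {"from": hops[i], "to": hops[i + 1], "body": body.hex()}
        body = seal(keys[hops[i]], json.dumps(layer).encode())
    return {"from": origin, "to": route[0], "body": body.hex()}


def relay_forward(name, key, packet):
    """Peel one layer; return the packet to forward and what this relay saw."""
    if packet["to"] != name:
        raise ValueError("packet not addressed to this relay")
    inner = json.loads(unseal(key, bytes.fromhex(packet["body"])))
    seen = {"relay": name, "prev_hop": packet["from"], "next_hop": inner["to"]}
    return inner, seen


def send_through(origin, route, destination, payload, keys):
    """Walk the packet along the route; collect each relay's view."""
    packet = build_onion(origin, route, destination, payload, keys)
    views = []
    for name in route:
        packet, seen = relay_forward(name, keys[name], packet)
        views.append(seen)
    # After the last relay the payload itself is exposed toward the destination.
    return bytes.fromhex(packet["body"]), views


# Constructed sample circuit (hypothetical names, keys derived from the names).
ROUTE = ["relay-A", "relay-B", "relay-C"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in ROUTE}

if __name__ == "__main__":
    delivered, views = send_through("alice", ROUTE, "site.example", b"GET /", KEYS)
    for view in views:
        print(view)
    print("delivered:", delivered)
```

Only the first relay sees the origin and only the last sees the destination; the layering does nothing about the packet-timing correlation the next slide mentions.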

• List of TOR nodes periodically changes • Zigzag route is periodically changed

• Not totally fool proof: • If non-TOR browser opened within TOR browser, security measures are void – basically going back to “direct routing” • Someone monitoring source and destination node may note synchronization of packets being sent/received. • …to avoid: increase TOR traffic Storage Encryption

• File Sharing (not necessarily encrypted)
• TrueCrypt
• PGP

File Sharing
• Freenet, bitTorrents, and related protocols and applications support the decentralized storage and distribution of files on the internet.
• Originally intended to provide repositories for data that could not be “silenced”, the contents of files are spread across many servers, with duplicate pieces. These pieces are reassembled when users request access to the files.
• They are often used to share protected content in violation of copyright.
[Figure: Bittorrent (figure from Wikipedia)]
• Dangers to users of file sharing services:
  • Most are configured by default to make your machine a distribution point. Download a file, and others may get that file from you.
  • Or worse, files you never requested can be loaded onto your computer and retrieved by others.
• Comparison with TOR

File Encryption

• There are many tools and packages available to encrypt individual files or entire drives. Among these are the whole drive encryption discussed in the intro class, but software tools are also available. • PGP file encrypt – part of the PGP package discussed earlier allows encryption of files or folders using the public key of an intended recipient (or yourself). • TrueCrypt was for some time the best option for file encryption, but the last release removed the ability to encrypt files, and was accompanied by statements urging that it not be used. It is widely believed that the previous version is safe. Current Events - Google

Thousands of Reddit users are trying to delete Google from their lives, but they're finding it impossible because Google is everywhere - Business Insider 3/23/19 The article talks about how a large group of users on reddit are trying to break away from google services but it is difficult as a majority of services are engrained in everyday usage/lack of alternatives. Services such as spotify, pokemon go, and uber utilize the company's servers/api's, and thus are rendered broken if you block access to google servers. The amount of data that is being collected harms privacy and as a simple example the google translate app doesn't work on android without access to your contacts. No matter how hard someone tries with the amount of reach that google has it is impossible to stay out of its grasp. -Ahmed Qureshi https://www.cpomagazine.com/data-privacy/the-new-privacy-threat-airplane-cameras-and-google-nest-microphones/ Passengers aboard a Singapore Airlines flight discovered cameras in the INE systems, which raised concerns regarding the privacy of travelers. The airline claims that the cameras were merely installed by the manufacturer, but were not actually activated, and that there are no plans for activation in the future. A similar situation occurred with the Google Nest device, in which a hidden microphone was discovered. The company claimed to have installed it for future use, but that they had forgotten to mention it in the product spec. -- Ann Bailleul

Android users' security and privacy at risk from shadowy ecosystem of pre-installed software, study warns - TechCrunch 3/25/19 According to a recent study, researchers have found security and privacy concerns in pre-loaded software (e.g. Facebook app) on Android devices. There is a lack of transparency of what the software is doing and unless you are an expert Android user, you are completely unaware of personal information tracking and are unable to delete this software. These could potentially be creating backdoors as information is spread to third party software companies without user consent or awareness. - Brianna Tu

Current Events - Facebook

Why the Debate Over Privacy Can't Rely on Tech Giants Electronic Frontier Foundation 3/15/2019 Even though tech giants such as Google and Facebook were targeted by users and privacy advocates for privacy violations and for being negligent, no steps seem to be taken by those companies in terms of privacy enhancements. There have been many cases such as the Cambridge Analytica case along with many continuous violations of privacy by Facebook that seem to be intentional. Users had hope when congress questions Facebook's CEO and thought that this might change something; however, with respect to all efforts, users should never rely on tech giants when it comes to privacy - Faris Almathami

Former Facebook exec: 'Zuckerberg is sitting on more data about what people want to do online than anyone else in the world’ – CNBC 3/27/19 Christina Farr | Salvador Rodriguez Alex Stamos, who left Facebook in 2018, spoke on stage at Washington Post's technology and policy conference. He had an explanation of why his former boss, Mark Zuckerberg's, decisions can seem insane at the time, but make sense with the benefit of hindsight. He cited the acquisitions of private messaging WhatsApp in 2014 for $19 billion, and photo- sharing service Instagram in 2012 for $1 billion, as examples of bets "that people think are insane but turn out to be prophetic because he knows the direction the world is going," Stamos said. Both deals have turned out to be highly valuable for the company. Instagram now boasts more than 1 billion active users per month and is popular among the younger audiences who are tuning out the core app. WhatsApp has more than 1.5 billion users and will probably form the basis of the company's new focus on private messaging, which Zuckerberg announced earlier this month. -- Gene Zakrzewski

Current Events - Facebook

Researchers find 540 million Facebook user records on exposed servers - Techcrunch Extract: A cyber security firm found that a hundreds of Millions of records on Facebook users were stored on public Amazon servers and available for anyone to download. UpGuard discovered that `Cultura Colectiva`, a digital platform featuring stories about celebrities and culture and which targets a Latin American audience, stored some 540 million records on Facebook users on public Amazon servers without even a password, for anyone to access, including records on comments, likes and account names. Facebook has contacted Amazon to pull the data offline but the damage could have already been done. One after other, these facebook issues continue to highlight the problems which plague companies that depend on mass data collection. -- Kavya Sethuraman

Mark Zuckerberg: The Internet needs new rules. Let’s start in these four areas. | Washington Post | March 30, 2019 | This opinion provided by Mark Zuckerberg proposes to update the rules for the internet to include a more active role for government and regulators. He proposes four key areas - harmful content, election integrity, privacy and data portability. A key current dynamic within Facebook is the aspiration for independent third party bodies within the industry (very similar to self-regulatory organizations). For elections, he proposes better identity verification to enable political ads, while advocating for a global privacy framework rather than based upon geography. He indicates GDPR is a good framework to adopt. Regulation should guarantee the principle of data portability, highlighting new open source project called the Data Transfer project. He states “The rules governing the Internet allowed a generation of entrepreneurs to build services that changed the world and created a lot of value in people’s lives. It’s time to update these rules to define clear responsibilities for people, companies and governments going forward.” - Arjun Raman

Facebook backs stronger laws : NBCNews - 03/31/2019 Facebook CEO Mark Zuckerberg on Saturday called for governments to play a greater role to protect society from harmful content, ensure election integrity, protect people's privacy and to guarantee data portability. Facebook has been under fire for its lax policies on hate speech. Zuckerberg proposed regulating harmful content by setting up independent bodies to set standards for what is considered terrorist propaganda and hate speech and is therefore prohibited. --Anupama

Current Events - Facebook

Facebook’s Data Deals Are Under Criminal Investigation Federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest technology companies, intensifying scrutiny of the social media giant’s business practices as it seeks to rebound from a year of scandal and setbacks. A grand jury in New York has subpoenaed records from at least two prominent makers of smartphones and other devices, according to two people who were familiar with the requests and who insisted on anonymity to discuss confidential legal matters. Both companies had entered into partnerships with Facebook, gaining broad access to the personal information of hundreds of millions of its users. – Helena Salimi

We can't believe WhatsApp didn't have these new group privacy settings before, but here we are - Mashable, 04/04/19 WhatsApp previously did not have the privacy setting to be able to block certain users from adding you to groups. Now it is allowing you to choose if "My Contacts," "Everyone," or "Nobody" can invite you to groups, but still allows anyone to invite you to groups through a direct message. This makes it so that it is less likely for harmful and malicious content to spread through the platform, although strangers can still direct message you and you could still accept them if you would like. - Chloe Choe

Current Events - Apple

Apple wants to be the only tech company you trust - The Verge Apple is releasing a new credit card and is making privacy a huge focus. It is partnered with Goldman Sachs and clearly stated that Goldman Sachs will never sell purchase data to third parties. The card is linked with Apple Pay along with various other Apple applications and all have the same privacy pitch of not selling data to third parties. - Chloe Choe

Apple embracing Privacy as a Selling Point - GeekWire 3/26/2019 Apple had an event on Monday where they revealed multiple services, including a new news subscription service, a credit card, and more. However, heavy emphasis was made by Tim Cook and each of the presenters about how these new services were designed “with privacy in mind”. Article explores how companies such as Apple are now utilizing privacy as a selling point. - Lance Aaron See

Here's The Real Reason Apple Claims To Care About Your Privacy - 03/26/2019 Forbes An article that discusses why Apple has been placing a lot of emphasis on privacy since the Cambridge Analytica scandal. Apple, in its recent launch of a couple of products, clearly stated that privacy is at the heart of its products and included a statement in one of the iPhone ads saying: "what happens on your iPhone, stays on your iPhone". For Apple, this is only a move to fill a gap in the market that was created after the increasing US concerns about privacy and the announcement of GDPR. - Abdulla Alshabanah

Privacy Tip #183 – Apple Announces Privacy-Protecting Credit Card - JDSUPRA March 28, 2019 Apple announces that it will issue credit cards that do not track what users are buying. The credit card uses Apple Pay so that users manage their account. -- Fumiko Uehara

How Apple Privacy Policy Could Unlock A Big Health Care Market-Investor's Business Daily 3/4/19 Apple has branded itself as the privacy-savvy tech giant, and the company may also be gaining ground in the healthcare market. Nearly 120 U.S. health care institutions trust Apple's EHR platform using the Fast Healthcare Interoperability Resources (FHIR) standard, which allows patients to download medical records on their cell phones. No health-care related information goes to Apple's servers directly nor is Apple considered a business associate under HIPAA, but like all the tech giants, it has skirted the compliance issues of collecting health-related data. With reduced growth in iPhone sales, Apple has the golden opportunity to partner in high profile projects and sell anonymized health data. -Jacqueline Dobbas

Current Events - Europe

EU Council Adopts Protocol for Responding to Major Cyberattacks - Europol 03/18/2019 The Council of the European Union has adopted an EU Law Enforcement Emergency Response Protocol to help EU member countries better respond to large scale cyberattacks, like NotPetya and WannaCry. The protocol is a tool to support the EU law enforcement authorities in providing immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations. - Sevanti Nag

EU Parliament Approves Controversial Copyright Law – 3.27.19 infosecurity This article explains that the EU Parliament just approved a copyright law. The article points to 3 glaring issues. - Article 13 requires sites to filter uploaded content to make sure it doesn’t contain copyright infringement. - Article 11 requires search engines to pay to feature news on their sites. - The law is to be interpreted by member states, potentially leading to inconsistencies across the EU. The biggest concern is that this law (in particular Article 13) can lead us towards a path of internet censorship. - Jairo Hernandez

Current Events – US Government

FEMA Leaked the Data of 2.3 Million Disaster Survivors - Wired FEMA publicly acknowledged a Homeland Security Department Office of the Inspector General report that the emergency response agency wrongly shared personal data from 2.3 million disaster survivors with a temporary-housing-related contractor. In doing so, the agency violated the Privacy Act of 1974 and Department of Homeland Security policy, and exposed survivors to identity theft. There was no 'hack' here, but the data FEMA should have sent to the contractor to verify survivors’ eligibility for lodging includes full names, dates of birth, eligibility start and end date, a FEMA registration number, and the last four digits of survivors’ Social Security numbers. But the report also found that FEMA additionally shared 20 unnecessary data fields with the contractor, including six that contain particularly sensitive information, like survivors’ full home addresses, bank name, electronic funds transfer number, and bank transit number. -- Kavya Sethuraman

US disaster agency exposed private data of 2.3M hurricane and wildfire survivors - The Guardian 03/22/2019 The US disaster relief agency unnecessarily released sensitive identifiable data, including banking information, of 2.3m disaster survivors to an outside contractor. - Nitya Harve

Border agency warns of privacy risks in web initiative - KCRA 3/27/19 A Privacy Impact Assessment obtained by Hearst Television National Investigative Unit reveals that the U.S. Customs and Border Protection (CBP) agency is requesting to expand its sources of intel to include social media — whether the information is factual or not. This document addresses a CBP Social Media Situational Awareness initiative where the CBP may collect any publicly made information on social media like an individual's name, username, phone number, email address, etc. but warns they may not be able to protect a person's privacy. The assessment also states that CBP personnel can mask their identity when viewing social media data for OPSEC purposes but has received backlash from Facebook based on their requirement to use real identities on the platform. There is also no opt-out option for the initiative as well as no defined process for challenging any false information gathered by the CBP. -- Aaron Howland

The FBI Takes Too Long to Alert Victims of Cyberattacks This article discusses processes taken by the FBI after they've become aware of victims affected by a cyber attack. It essentially states that the FBI takes too long to notify victims, as well as provides too little information to benefit the victims. Additionally, it explains how many small groups and companies aren't even aware they've been attacked until they are notified by the FBI; therefore, the delay and lack of information can be very damaging. One major example explained how they were notified 9 months after the FBI detected the attack. -- Joseph Mehltretter

FTC Says It Only Has 40 Employees Overseeing Privacy And Data Security - TheHill The FTC told Congress on Wednesday that they currently only have 40 full-time employees dedicated to privacy and security. Comparing themselves to the UK Information Commission, which has around 500 workers, and the Irish Data Commission with 110, the FTC made a request to the government that more workers dedicated to privacy and security are needed, as 40 is a shockingly low number of people responsible for the privacy and security of 320 million. There are various budget amounts that could help bring on new people; one of the lowest being an additional 50 million dollars to hire 160 individuals. -- Kate Glazko

Current Events – Government

District of Columbia Introduces Legislation on Data Privacy - March 26, 2019 Security Breach Protection Amendment Act of 2019 was introduced in the District of Columbia. The new legislation would expand legal protections to cover additional types of personal information, require companies that deal with personal information to implement safeguards, include additional reporting requirements for companies that suffer a data breach, and require companies that expose consumers' social security numbers to offer two years of free identity theft protection – Mindy Huang.

FTC Demands Broadband Providers Reveal Data Handling Practices ThreatPost 3/27/19 The FTC are requesting information on how 7 broadband companies are using/collecting user data and what they disclose on their privacy policies. These 7 companies include, AT&T, AT&T Mobility, Comcast Cable/Xfinity, Google Fiber, T-Mobile, and Verizon Communications and Cellco Partnership. - Charlene Chen

FTC announces inquiry into the privacy practices of broadband providers 03/26/2019 TheVerge FTC has asked internet service providers like AT&T, Verizon, T-Mobile, Xfinity, Google Fiber to hand over non-public information describing how they handle consumer data. This includes what kind of data is collected, why it is collected, whether this data is shared with 3rd parties, de-identified and the procedures allowing consumers to make changes to and delete their personal information. --Anupama

Georgia Tech reveals data breach, 1.3 million records exposed - zdnet.com - 4-4-2019 This is a pretty typical data breach, but the article brought an interesting thought to mind. Georgia Tech is a public university (theoretically, an extension of the government). This data breach could allow the EU (or other countries with similar privacy law) to fine Georgia Tech (a public organization). Not only do far-reaching privacy laws open the door for governments to effectively fine one another, they also create an ecosystem where a single data breach may cause the responsible organization to be fined by any number of foreign governments. -- Dewaine Reddish

Current Events

Genetic testing firms share your DNA data more than you think - Axios Genetic testing companies that trace customers' ancestry are amassing huge databases of DNA information, and some are sharing access with law enforcement, drug makers and app developers. Why it matters: At-home DNA testing kits are soaring in popularity, but many consumers who take the tests to learn more about their family trees may not realize how that data is being shared for other purposes. – Haleh Salimi

Family Tree DNA offers to trade privacy to catch criminals – engadget 3/28/19 A company that tests DNA at home called Family Tree DNA is asking their customers to share their genetic data with law enforcement such as the FBI to help solve crimes. The case of the 1979 murder in San Diego could be traced back to the distant relative of the killer who had DNA in the database GEDmatch to identify the source of blood at the crime scene. Family Tree DNA has regularly allowed the FBI to search its database to solve crimes, which privacy critics and bioethicists argue violates civil liberties. -- Sophia Choi

5G is speedy, but does it also raise the stakes on privacy, security, potential abuse? | USA Today | March 27, 2019 5G technology is a whole set of interrelated technologies delivered to consumers all at once. These systems need to be tested for privacy risks prior to deployment - A cyber attacker could intrude at a very personal level with consumers that have not been seen before. The real risk comes not from the network itself but potentially from applications that would not have been possible prior to 5G especially with those tied to IoT devices. - Arjun G. Raman

HTTPS Isn't Always as Secure as it Seems - Wired An analysis of 10,000 HTTPS sites showed about 550 of them are vulnerable to TLS vulnerabilities. However, each of those 550 sites still appears with the green lock indicating it is "safe". While exploitation of the vulnerabilities may be difficult, and not lead to much, it is important to understand because the impression of safety given by general usage of HTTPS can lead to larger issues. This is especially apparent given the desire to have massive web inter-connectivity. -- Joseph Mehltretter

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers - Motherboard 03/25/19 Researchers at Kaspersky Lab reported that around half a million Windows machines sold by ASUS were getting a malicious backdoor through the company's live update servers. The update was signed with legitimate ASUS digital certificates and was pushed to customers for at least five months before it was discovered. The researchers said that this attack is a supply-chain attack, and that the trust based on known vendor name or digital signature can't prevent such attacks. - Abdullah Altokhais

US Says Chinese Ownership of Grindr is a National Security Risk - Independent 3/27/19 The Committee on Foreign Investment in the United States (CFIUS) was concerned about Kunlun, one of China's largest mobile gaming companies, owning the dating app Grindr. When Kunlun acquired Grindr, they did not submit the acquisition for CFIUS review, which might be part of the reason why this deal was blocked. Kunlun is now preparing an auction process to sell Grindr. - Charlene Chen

Possible Toyota data breach affecting 3.1 million customers – Sophos 4/2/19 Several Toyota companies have announced that they might have suffered data breach attempts, with one affecting 3.1 million Toyota and Lexus customers. In a brief account describing the most significant of these, the Japanese parent company said that on 21 March attackers gained “unauthorized access on the network” which led them to customer data belonging to eight sales subsidiaries in the country. “We have not confirmed the fact that customer information has been leaked at this time, but we will continue to conduct detailed surveys, placing top priority on customer safety and security.” …The information that may have been leaked this time does not include information on credit cards. At least one security analysis has connected these attacks to a single entity, dubbed APT32 (OceanLotus Group), the latest in a line of highly targeted incidents against automotive industries and other sectors dating back to 2011. -- Gene Zakrzewski

2 Million Credit Card Numbers Stolen from Earl Enterprise restaurants in 10-month breach – The Verge 3/31/19 The parent company of restaurants such as Planet Hollywood, Buca di Beppo, and Mixology has confirmed that it experienced a security breach after security researchers found more than 2 million stolen credit card numbers being sold online. The company was contacted in February after it discovered “strong evidence” that customer credit card and debit card numbers were being sold online. Hackers used “malware installed on its point-of-sale systems” to steal 2.15 million credit and debit card numbers, expiration dates, and some cardholder names from restaurant locations in 40 states. Earl Enterprises says that the breach took place between May 23rd, 2018 and March 18th, 2019, and that “the incident has now been contained.” The company recommends that customers examine their statements for suspicious activity, and to notify their issuer if they find fraudulent transactions. -- Gene Zakrzewski

Toronto’s 'Smart' Neighborhood Sparks Debate - US News 03/15/2019 Sidewalk Labs promised to build Quayside, a smart neighborhood "from the internet up" – incorporating data-collecting sensors into the neighborhood's infrastructure to gather information, say, on travel patterns to coordinate traffic lights. But the proposal met opposition from locals who demanded to know who would own the information that is collected, whether it would be private and who would benefit from its use. - Nitya Harve

Aluminium firm cyber-attack cost at least £25.6m – BBC A cyber attack on a Norwegian company has cost them almost $300m dollars after the company was hit with malware last week. The company posted signs on the doors to employees telling them not to “connect any devices to the Hydro network and to disconnect any devices from the Hydro network.” -- Louis Uuh

Employers Beware: Judge Greenlights Employee’s Privacy Lawsuit Over Dropbox Access - natlawreview.com - 3/28/19 A West District of Pennsylvania judge partially denied a public employer's motion to dismiss the case. The plaintiff was forced to resign from her position after nude images were found in her personal Dropbox account that was also used for work. She did not access the images from her work computer but she did keep her Dropbox password stored in an Excel spreadsheet co-located with other work passwords on her work computer. -- Dewaine Reddish

Can you stop your parents sharing photos of you online? - BBC 3/28/2019 Sharenting, which is the act of parents sharing news and pictures of their children online, can make a lot of children feel uncomfortable. One child mentions that we live in a society where all of our pictures need to be flattering, so parents posting embarrassing pictures can make the child feel a little bit betrayed, and a study conducted by a professor of media studies at University of Tartu in Estonia found that there are discrepancies in what children and parents consider as "nice" photos. Sharenting poses risks because contributing more photos online means that tech companies know more about the child without the child's contribution in the data collection and it can also cause "digital kidnapping" where strangers take the photos of the child and use them for fraudulent or sexual purposes. - Yulie Felice

The Landlord wants Facial Recognition in its Rent stabilized Building. Why? - NYtimes 03/26/2019 This story is about a rent-stabilized apartment in Brooklyn. The landlords wanted to replace the key-fob system with facial recognition systems for providing access to the apartment. The fact that the Atlantic complex already has 24-hour security in its lobbies as well as a clearly functioning camera system has only caused tenants to further question the necessity of facial recognition technology. The initiative is particularly dubious given the population of the buildings. Ultimately, a state housing agency will decide whether Nelson Management can install the software or not. - Deepti

Putting data privacy in the hands of users – Science Daily – 2/20/19 MIT Researchers have developed Riverbed, a platform that ensures web and mobile apps using distributed computing in data centers adhere to users' preferences on how their data are shared and stored in the cloud. In Riverbed, a user's web browser or smartphone app does not communicate with the cloud directly. Instead, a Riverbed proxy runs on a user's device to mediate communication. When the service tries to upload user data to a remote service, the proxy tags the data with a set of permissible uses for their data, called a "policy." -- Gene Zakrzewski
