Panel: U.S. government sending mixed encryption messages

Privacy professionals are saying the U.S. government is sending mixed encryption messages to technology companies: it expects them to build privacy and security by design into products and services, yet also expects those products to remain open to backdoor access. This issue became more prominent after a dispute over whether the Federal Bureau of Investigation (FBI) can force Apple, Inc. to unlock an iPhone used by one of the shooters involved in the San Bernardino terrorist attack.

On Feb. 16th, a federal judge ordered Apple to provide the FBI with software to disable the security feature that auto-erases the phone’s data after multiple incorrect attempts to enter the passcode. Demetrios Eleftheriou, Symantec Corp.’s global privacy director, said, “It just seems like there’s a bit of an inconsistent message from the government. We have law enforcement on the one end saying you build back doors, they want broken by design.” On the other end are “the regulators saying you have to incorporate security by default, privacy by default in the product,” he said.

Eleftheriou asserts that the U.S. government needs to consider whether its ambivalent stance on consumer encryption is compatible with the new European Union General Data Protection Regulation requirements for privacy by design and security by default. “A weakness is a weakness. It can be exploited by anybody.”

Will DeVries, Google Inc. privacy counsel, said companies “want the process to be really clear, really defined and based on principles that we can apply globally to our services that actually make sense and keep us all safe.” DeVries believes the argument about accessing a terrorist’s phone is just a “red herring.” “We’re actually worried about the precedent of saying can you ask a tech company to undermine the security of devices that’s out in the public, not just for the device they’re talking but a security flaw that then can be used on any device,” DeVries said.

Companies can be ordered to assist law enforcement in getting at some data, said Chris Jay Hoofnagle, a member of the advisory board of Bloomberg BNA’s Privacy & Data Security Law Report. “Obviously, what makes this situation so dangerous and difficult is that the work the government would like Apple to do could be used prospectively and could be used to erode privacy and security in devices generally,” Hoofnagle said. The technology industry has reached the point where devices can outsmart forensic appliances, so whatever happens here paves the way for the future of device security.

Hoofnagle also sees this as tinkering with the Fourth Amendment. “We might come to a world in the U.S. where we basically have different Fourth Amendment standards for the terrorism case where maybe we do feel as though the phone should be unlocked versus other types of crimes that aren’t as serious.”

Article via Bloomberg BNA, February 19, 2016

Photo: System Lock via Yuri Samoilov


Nation divided over Apple decision

Apple’s decision to refuse the FBI order requiring the company to unlock a phone used by Syed Farook, one of the terrorists in the San Bernardino shooting, has divided the nation into two camps. Those who support the company believe that the FBI order jeopardizes individual privacy. Others argue that Apple’s challenge threatens national security.

In order to unlock Syed Farook’s iPhone, Apple would have to design new software that would provide a backdoor through the phone’s security features. That software does not yet exist, and Apple argues it should stay that way.

“The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices,” states Tim Cook’s response posted on the Apple website.

The non-profit advocacy group Fight for the Future organized demonstrations across the nation following the Apple decision in order to show solidarity with the company. Evan Greer, the organization’s campaign director, spoke about the importance of encryption in protecting public facilities like hospitals and airports, as well as in assuring the safety of individuals.

“For myself as a member of the LGBT community, I know there are a lot of people that have heightened needs for security. A breach is not just inconvenient or embarrassing, but can put people in threat of physical violence,” Greer said.

Henry Nickel, a San Bernardino city councilman, holds the opposing view that Apple’s decision is an obstruction of justice. He likens Apple’s refusal to access the contents of Farook’s phone to a landlord’s refusal to unlock a suspect’s door in the face of a search warrant.

“I do not feel that digital data is in any way subject to additional protection from search or seizure than any other aspects of our lives,” Nickel said. “Apple is simply wrong if it believes digital information is somehow more sacred than any other type of information.”

San Bernardino Mayor R. Carey Davis felt similarly. “The attacks on December 2nd was the deadliest terrorist attack in the US since 9/11, and law enforcement officials continue to follow up on leads related to the case… It is my hope that Apple cooperates given the circumstances of this investigation,” he said.

Article via: The Washington Post, 19 February, 2016

Photo: Laughing Squid iPhone Webclip Icon by Scott Beale [Creative Commons Attribution-NonCommercial-NoDerivs]


Safe Harbor 2.0 in the making

The United States and the European Union have reached a new agreement to replace Safe Harbor, as announced on February 2. Safe Harbor originally outlined the rules for electronic data transfers between the U.S. and the EU, until it was nullified by a European court for jeopardizing the privacy of European citizens. According to negotiators, the new deal will create a “Privacy Shield” in order to protect European data. Whatever the new agreement might entail, it will affect e-discovery—electronic evidence used in litigation or government investigations—as well as social media and business-related data transfers between the U.S. and the EU.

The European court decision on Safe Harbor’s validity is a result of fundamental differences in the way that Americans and Europeans view privacy. The 1995 EU Data Protection Directive established data protection requirements in the European Union that are far more comprehensive than current laws in the U.S. One of the stipulations of the 1995 law is that citizens’ personal data cannot be transferred to countries lacking sufficient data protection, such as the United States. When the Patriot Act was passed in 2001, the divergence between European and American privacy laws widened even further.

The Safe Harbor framework was considered to be a loophole in the European law. It allowed any individual company with EU privacy certification to transfer data between the U.S. and the EU, even though the U.S. as a nation did not comply with the 1995 EU Data Protection Directive. Moreover, American companies were only required to self-certify—essentially, a company had only to state that it was abiding by European privacy standards in order to transfer any amount of data.

Max Schrems, an Austrian law student, created an organization called “Europe versus Facebook” (EvF) in order to fight Safe Harbor in court. Although he lost his case before the Irish Data Protection Authority, the European Court of Justice held on October 6, 2015 that “There is no general privacy law or other measures enacted in the U.S. that shows the U.S. offers ‘an adequate level of protection’ for personal data relating to European data subjects.”

Some call the new agreement “Safe-Harbor 2.0.” Until more information is provided, it’s impossible to know whether the deal includes real improvements, or just more loopholes.

Article via: Legaltech News, 11 February 2016

Photo: European Union Colours by Tristam Sparks  [Creative Commons Attribution-NonCommercial-NoDerivs]



EU to pass comprehensive privacy law

In June of 2012, the European Council approved the European Union’s General Data Protection Regulation draft. The soon-to-be-approved final law is an updated version of the EU’s 1995 data protection rules, intended to bolster online privacy rights. The EU’s effort to consolidate privacy laws stands in contrast to the U.S.’s consistent battles with mass data collection by big business and government agencies.

Privacy—a broad and nebulous term—is treated differently in the European Union than it is in the U.S. According to Brian Kudowitz, commercial product director for privacy and data security at Bloomberg Law, privacy is “essentially a human right” in the EU. Whereas the EU has comprehensive law protecting privacy in all its forms—especially with the GDPR initiative—the U.S. deals with the protection of information in a series of laws that regulate different sectors.

The EU’s focus on privacy can be explained in historical terms, Kudowitz added. “You go back to all of the different things that have occurred in Europe over the last 70 years, it’s very easy to see how that perspective developed.”

In a recent Eurobarometer survey, 67 percent of Europeans said they were concerned about not having control over what information was provided about them on the Internet, and 70 percent expressed concern about how companies used their information.

Beyond how everyday citizens think about privacy, businesses and government agencies also operate differently in the U.S. than in the EU. Organizations protect data proactively in the EU, whereas breaches of privacy are dealt with retroactively in the U.S.

According to Phil Lee, a representative at the multinational law firm Fieldfisher, “[t]his is partially because class action regimes aren’t well developed in the EU. EU countries don’t have a concept of punitive damages in the same way that you do in the U.S.”

Article via Legaltech News, December 22, 2015

Photo: Croatia welcomed to the EU via European Parliament [Creative Commons Attribution-NonCommercial-NoDerivs]


Brazil suspends WhatsApp for 100 million users

Brazil’s government recently banned the Facebook-owned communication service WhatsApp for 48 hours after the company refused to hand over user data to authorities. WhatsApp is used by 100 million Brazilians, many of whom prefer the app to standard texting and calling. As a result, the ban was met with outrage. Some called for the impeachment of Brazil’s president Dilma Rousseff; others immediately switched to an alternative messaging service, Telegram.

Law enforcement has been in conflict with WhatsApp for months due to Facebook’s refusal to hand over user data from a suspected drug user. The irony, however, is that Brazil condemned the NSA in 2013 after Edward Snowden exposed the surveillance agency’s data collection practices.

In a 2013 speech to the U.N., President Rousseff asserted, “My government will do everything within its reach to defend the human rights of all Brazilians, and to protect the fruits borne from the ingenuity of our workers and our companies.”

Following Snowden’s leak, Brazil even committed to a $185 million project to construct a fiber optic cable transporting data to and from Portugal while bypassing the United States, so that U.S. authorities could not intercept information. U.S. businesses were prohibited from participating in the project.

In response to the suspension of WhatsApp, Facebook CEO Mark Zuckerberg said: “I am stunned that our efforts to protect people’s data would result in such an extreme decision by a single judge to punish every person in Brazil who uses WhatsApp.”

Article via Washington Post, December 17, 2015

Photo: Visita de Dilma Rousseff via La Moncloa Gobierno de Espana [Creative Commons Attribution-NonCommercial-NoDerivs]


Legal firms remain concerned about cloud privacy

Lawyers are a conservative group when it comes to adopting new technology. This continues to hold true for the ever-popular cloud technologies. Concerns about privacy and security related to data breaches are holding some firms back from transitioning to cloud storage and services. A 2015 Cloud Security Survey released by Netwrix reveals that the concerns around cloud adoption among lawyers include: security and privacy of data (26 percent), migration costs (22 percent) and loss of physical controls (17 percent). Moreover, the security risks cited include unauthorized access (32 percent), insider misuse (18 percent) and account hijacking (18 percent).

Alex Vovk, CEO and co-founder of Netwrix, told Legaltech News, “Legal departments will be reluctant to entrust their valuable data and customers’ sensitive information, until they are absolutely sure that cloud providers can offer better security than the company can ensure on-premises.” Although data security is a privacy issue for all industries, legal departments are less likely to adopt technologies that do not guarantee full protection for their data.

Law firms may be cautious, but that doesn’t mean that they are uninterested in cloud technologies. According to the survey, 44 percent of the respondents indicated that their firms were in a stage of evaluation and discovery concerning cloud services. “This indicates that [law firms] are potentially ready to invest more in additional cloud security and consider various cloud options,” Vovk said. In fact, when it comes to hybrid cloud models, legal entities have the same interest in making the transition as private companies. In addition, 37 percent of those surveyed favor a private cloud model.

Vovk summed up by stating that “… as soon as cloud providers are ready to provide additional security measures and to some extent ease the compliance burden …lawyers would become less skeptic[al] about cloud adoption.”

Article via Legaltech News, 3 December 2015

Photo: Cloud Solutions via NEC Corporation of America [Creative Commons Attribution-NonCommercial-NoDerivs]