Have you created a ShazzleMail account on your smartphone? This is a required first step.

Yes No

Free Encrypted Email

Posts Tagged ‘security’

privacy-coins-and-bitcoin-dominance-guide

Editorial: Privacy Lessons From Google

December 28, 2018

Thursday, December 27, 2018
Congress is eyeing a federal privacy framework for 2019. But what about the laws already on the books? Demands for an investigation into Google’s marketing of children’s apps in its mobile store could offer legislators some lessons.

Comprehensive privacy rules for the United States are necessary precisely because the current rules cover only information or populations deemed especially sensitive. One of those populations is children, and the Children’s Online Protection Privacy Act was passed in 1998 to prohibit sites from collecting their identifying data without parental consent.

But according to a filing to the Federal Trade Commission by 22 children’s and consumer organizations, many apps gather that data anyway — from ID numbers, to addresses, to location, to the photos on a game-player’s smartphone.

Google is not responsible under COPPA for the actions of untrustworthy apps; the apps themselves are the only ones breaking that law. (The tracking of children on YouTube, which is owned by Google, is another question.) But the complainants allege that, by labeling a section of its store child-friendly and then allowing COPPA violators to appear there, Google is misleading consumers.

They want the FTC to step in, and three Democratic senators have joined in the call. Google says it has removed thousands of noncompliant apps in the past year and has already begun removing those listed in last week’s filing.
This debate should be particularly interesting to lawmakers seeking to craft broader regulations for consumer protection. First, there is the question of Google’s role as a gatekeeper, particularly when its own ad platform is integrated with many of the apps in its stores. Making Google and other software companies, such as Apple, liable for all of the content they host would hurt more than help. But the companies’ conflicting interests are an argument for increased oversight of app stores. And companies should be held to account when they are demonstrably negligent in enforcing their standards.

Last week’s complaint also presents an enforcement issue. The FTC has taken some action against developers in the past for sharing children’s information with advertisers, but the problem persists, and at scale: A study in April found that a majority of the popular apps that researchers surveyed were potentially in violation of COPPA. The FTC has been granted the fining and rulemaking authority under COPPA that many legislators presumably would grant it under a federal privacy law. Still, its efforts so far have not been an effective deterrent, and Congress will have to ask why.

COPPA is two decades old, and it requires modernization that ought to occur alongside Congress’ broader privacy efforts next term. But its provisions nonetheless should remind lawmakers of an important reality: How companies are held to account for violating a law is as important as the law itself.

The Washington Post

Tags: ,

venmo

What’s Wrong With Your Venmo Account, and How to Fix It

December 4, 2018

ILLUSTRATION: RICHARD BORGE

By Katherine Bindley
Dec. 4, 2018 9:02 a.m. ET

Few social-media experiences have made me cringe more than viewing my “friend” list on the peer-to-peer payment app Venmo for the first time. Seeing the names of people I’d been on dates with years ago was jarring. Seeing someone I’d blocked on Facebook was unsettling. Seeing names I didn’t recognize and couldn’t find in my contacts was baffling. But one name horrified me above all others: my former therapist.

I went to her profile, clicked on her friend list and saw another name I recognized, the friend who initially referred me. It hit me that I was scrolling through a list that included a psychologist’s patients.

Venmo does well what it’s supposed to do: let friends exchange money quickly and easily. By default, it posts those transactions in a social-media-style feed—seeing who shared meals and drinks with whom, and which emojis they favor, can make an otherwise boring process mildly entertaining.

Theoretically, Venmo lets users control who sees those posted items. But Venmo has a spotty record on privacy and transparency: In February, the FTC announced a settlement with Venmo’s parent company, PayPal Holdings Inc., after finding Venmo “misled consumers about the extent to which they could control the privacy of their transactions.” PayPal didn’t pay a fine but agreed to make privacy-policy updates and to make sharing controls clearer.

Still, Venmo has so far been unwilling to make privacy adjustments to some of the features many users have issues with. Between the uproar this past summer over the app’s public-by-default settings, the enduring inability to make your “friend” list private, and my feeling like a potential victim of a HIPAA violation, I started wondering if I—or anyone else—should really be using the app. Figuring that out took far more digging than users should reasonably have to deal with.

Here’s what I learned, and what you can do to protect yourself on Venmo:

1. Venmo Transactions Are Public by Default

Because Venmo’s default privacy setting is Public—allowing all transactions to be seen by Venmo users—you should go in and change it to Friends or, better yet, Private.
Because Venmo’s default privacy setting is Public—allowing all transactions to be seen by Venmo users—you should go in and change it to Friends or, better yet, Private. PHOTO: VENMO
Venmo’s social feed is populated by transactions between users. All these posts are publicly visible by default. That means unless you change your settings, anyone (researchers included) can see whom you paid.

To change that, tap the three lines in the app’s top left corner, select settings and then hit Privacy. You can choose Friends or Private, which means a transaction will be visible only to you and the person you exchanged money with. To change who can see your old posts, go to Privacy > Past Transactions.

2. Contact Syncing Isn’t Mandatory (But Appears to Be)

When signing up for a Venmo account, you have the option to skip Facebook friend syncing by tapping Not Now, but there is no similar button for phone-contact syncing.
When signing up for a Venmo account, you have the option to skip Facebook friend syncing by tapping Not Now, but there is no similar button for phone-contact syncing. PHOTO: VENMO
When users create a Venmo account, they’re asked to sync their contacts. You can go back or forward, but there’s no Skip or Not Now button.

If iPhone users select Next, they see an iOS popup asking for contact access. You might assume you have to click Allow, but you can hit Decline and still create an account.

I don’t normally sync contacts, but when I signed up for Venmo in 2015, I enabled syncing. To check your syncing status—and switch it off—go to Settings > Friends & Social.

3. Your Friend List Is Always Visible

Venmo friend lists are visible to other users and can’t be made private. Don’t feel bad if you didn’t know this: The company didn’t mention it in its privacy policy until September.

Venmo’s definition of “friends” is very loose, as evidenced if you sync your contacts. Unlike Facebook or LinkedIn, which search your phone book and give you the option to add connections, Venmo automatically adds to your friend list any saved contacts who also sync their phone books with the app.

If you have contact syncing turned on, the app checks your phone book regularly—every 28 days for iOS, every week for Android. Venmo adds any new contacts, but won’t remove phone contacts you’ve deleted. That’s why some “friends” might look like strangers.

You can’t hide your friend list, regardless of your privacy settings. This means that you’re publishing your phone book. It won’t show everyone, but it will include anyone in your phone who also synced contacts on Venmo. That might include your boss or, well, your therapist.

Why can’t we make this private? “Because Venmo was designed for sharing experiences with your friends in today’s social world, we try to make it as easy as possible to connect with other Venmo users,” a spokeswoman said.

4. You Can Cull Your Friend List

Additional ways to make your Venmo account more private: Turn off Facebook Connect and contact syncing, change the privacy settings of past transactions, and unfriend anyone you don’t want to share information with.
Additional ways to make your Venmo account more private: Turn off Facebook Connect and contact syncing, change the privacy settings of past transactions, and unfriend anyone you don’t want to share information with. PHOTO: VENMO
What you can do is unfriend people—but you’ll have to find your friend list first! Clicking on your profile won’t display it to you. Instead, tap the three lines and go to Search People. Scroll past Top People to see them all. Remove people by tapping their profiles and unchecking the friend icons.

It’s important to review your friend list if you’re sharing transactions with friends, since that list may be longer than you realize. If you never synced contacts, the list could be virtually empty.

5. There’s a Difference Between Facebook Connect and Facebook Contacts

Go to Settings > Friends & Social and you’ll see Facebook Connect and Facebook Contacts.

The first creates a link between your two accounts. I suggest disabling this. Facebook recently had a security breach, and like many apps, when you agree to connect, you’re sharing information in both directions that may not be apparent. No, thanks.

The second simply adds Venmo-using Facebook friends to your account who’ve also synced. Like contacts, they’ll stay in your Venmo friend list even after you unfriend them on Facebook.

6. Bank Account Syncing Isn’t Mandatory, Either

In a fairly recent addition to its privacy policy, Venmo says, “If you connect your Venmo account to other financial accounts…we may have access to your account balance and account and transactional information, such as purchases and funds transfers.”

Given that Venmo is a payment app, it makes sense that the company would need to access some financial information to facilitate payments and confirm you have the funds to cover your transactions. Venmo’s spokeswoman told me the company doesn’t actually access users’ transaction information.

It’s a small relief. The company has privacy issues and has framed the social aspect of the app as core to its existence. Meanwhile, that FTC complaint alleged that Venmo “misrepresented the extent to which consumers’ financial accounts were protected by ‘bank-grade security systems.’” (The company said it made “appropriate changes” in response.) And lately, Venmo has been grappling with a spike in fraud.

If you’re really concerned, you could unsync your bank account. The app won’t be as functional, and you’ll have to use incoming funds to pay for things. But if Venmo is just a pizza-and-beer slush fund for you, that might be all you need.

Venmo’s hold on its users is pretty strong. So strong that I don’t feel like I can stop using it yet, because no one has ever asked me to “Square” or “Zelle” them. But I’ll be happy to jump ship if and when a more privacy-minded app comes along.

For more WSJ Technology analysis, reviews, advice and headlines, sign up for our weekly newsletter. And don’t forget to subscribe to our Instant Message podcast.

Write to Katherine Bindley at katie.bindley@wsj.com

Tags: , , ,

private

Private Blockchains Could Be Compatible with EU Privacy Rules, Research Shows

November 12, 2018

Private blockchains, such as interbanking platforms set to share information on customers, could be compatible with new E.U. privacy rules, according to research published Nov. 6. The study was conducted by Queen Mary University of London and the University of Cambridge, U.K.
The General Data Protection Regulation (GDPR) act, a recent legislation that regulates the storage of personal data for all individuals within the European Union, came into effect this May. According to the law, all data controllers have to respect citizens’ rights in terms of keeping and transferring their private information. In case a data controller fails to do so, the potential fines are set as €20 million (about $22 million) or four percent of global turnover/revenues, whichever is higher.

The recent U.K. study, published in the Richmond Journal of Law and Technologies, views blockchain and its nodes through the length of GDPR. According to the researchers, crypto-related technologies could fall under these rules and be treated as “controllers,” given that they publicly store private information about E.U. citizens in the chain and allow third parties to operate it. This, the study reveals, might slow down technology implementation in EU:

“There is a risk that this legal uncertainty will have a chilling effect on innovation, at least in the EU and potentially more broadly. For example, if all nodes and miners of a platform were to be deemed joint controllers, they would have joint and several liability, with potential penalties under the GDPR.”

However, the researchers emphasize that blockchain operators could be treated like “processors” instead, the same as the companies behind cloud technologies who act on behalf of users rather than control their data. This, the study continues, is mostly applicable for Blockchain-as-a-Service (BaaS) offerings, where a third party provides the supporting infrastructure for the network while users store their data and control it personally.

As an example for such type of blockchain platform, the researchers cite centralized platforms for land registry and private interbanking solutions that set up “a closed, permissioned blockchain platform with a small number of trusted nodes.” Such closed systems could effectively comply with GDPR rules, the report continues.

To meet the privacy law, blockchain networks might also store personal data externally or allow trusted nodes to delete the private key for encrypted information, thus leaving indecipherable data on the chain, the researchers state.

However, the GDPR rules are extremely difficult to comply with for more decentralized nets, such as those concerned with mining and cryptocurrency. In this case, the nodes, operating with the data of E.U. citizens, might agree to fork a new version of the blockchain from time to time, thus reflecting mass requests for rectification or erasure. “However, in practice, this level of coordination may be difficult to achieve among potentially thousands of nodes,” the study reads.

As a conclusion, the researchers urge the European Data Protection Board, an independent regulatory body behind GDPR, to issue clearer guidance on the application of data protection law to various common blockchain models.

As Cointelegraph wrote earlier, the GDPR could both support and harm blockchain. Despite the fact that current E.U. legislation partially has the same goals as crypto-related technologies, such as decentralizing data control, blockchain companies could also face extremely high fees as data controllers.

Tags: , ,

static2.politico.com

Privacy and security: no simple solution, warns Rachel Dixon

September 18, 2018

The tide is turning when it comes to privacy and security, with Australians gradually becoming more aware of the need to protect their personal data and the risks involved in sharing it.

Rachel Dixon, privacy and data protection deputy commissioner at the Office of the Victorian Information Commissioner, saysthat with public debates over My Health Record and new tech surveillance laws, the public is now more informed about these issues than ever before.

“Not that many years ago there was (a view) that privacy is dead,” she says. “That now sounds quite outdated. In some ways the conversation still does need to get more mature. But this has been a real watershed year for privacy issues making it to the mainstream.
“That’s a very good thing.”

According to Ms Dixon, the theme of the last decade broadly had been to “hoover up as much data as possible”, and that’s now shifting to a theme of “taking the data that is necessary to fulfil the function”.

“There’s been a change in people’s understanding around their privacy,” she says. “Increasingly they’re more concerned, and are less willing to hand over data in certain circumstances. A lot of the use of data now is looking at the risks involved.

“Humans historically have not been very good at calculating risk. That’s been terrific in the past, it’s allowed us to sail across oceans and go into space. But we’re not very good at it. So I want us to move to having a risk-based framework, and change the culture around assessing risk.”

Debate is currently raging as to whether Australian law enforcement agencies should have the right to decrypt smart devices to prevent and solve criminal activity, with ferocious opinions coming on both sides of the debate.

For former FBI agent Ed Stroz, the founder and co-president of Stroz Friedberg, the ability to thwart terrorist attacks is more important overall than the right to an individual’s privacy.

“You can see both sides of the issue. And it comes down to, ‘Do people have the right to privacy?’ I’m a little more sympathetic to the law enforcement side,” he says.

“People do value their privacy now, but if you have an encrypted phone held by a criminal, that creates a sacred category of evidence we’ve never had in our judicial system before. Out of the box, this engineering empowers adverse behaviour and that has big social effects.

“If we didn’t have that many adversaries around, it probably wouldn’t matter that much. But I weigh that aspect of it more heavily than valuing privacy overall. That’s a personal view that I have.”

Ms Dixon said encryption was a complex issue, and that there was no simple, obvious, single solution to the balance between privacy and security.

“If there was, we would have done it by now,” she says. “Chances are, the solution here is a combination of things. But the debate is definitely going to be messy. At least the discussion has raised some really good points. I would caution against looking for a ­simple answer or seeing the issue as binary. It’s not, these are healthy tensions between privacy, data protection and freedom of information.”

Marcin Kleczynski is chief executive of Malwarebytes, a security company he started as a 16-year-old. He saidthat while users had become more savvy about their own security and privacy, they were still generally the weak link when it comes to viruses and other attacks. “It takes a lot to always be patching your systems and keeping everything up to date,” he says. “There are so many damn security companies, I could name 60 or 70, but an attack still comes and no-one’s ready.

“I’m fairly pessimistic about this stuff. I think we still haven’t solved a lot of the basics when it comes to security. We need a lot more user awareness training about security and storing your own information, there needs to be a lot more basic hygiene in place. We’re slowly getting there.”

Tags: , ,

venmo_pub_priv

SECURITY NEWS THIS WEEK: MAYBE GO AHEAD AND MAKE YOUR VENMO PRIVATE

July 25, 2018

THIS WEEK STARTED with a controversial, widely derided meeting between President Trump and Russian leader Vladimir Putin, and ended with… an invite for round two! And yes, all manner of craziness managed to happen in between.

That includes yet more denials on Trump’s part that Russia interfered—and continues to—with US democracy, a stance that has serious repercussions, however many times he walks it back. The Putin press conference performance also prompted concern across the aisle, as senators Marco Rubio and Mark Warner cast it as a major setback in efforts to safeguard the election. For what it’s worth, here’s what special counsel Robert Mueller’s been up to lately, and where he’ll likely go next.

The week wasn’t a total Trumpapalooza. RealNetworks offered a new facial recognition tool to schools for free, introducing a host of privacy-related concerns. And a company called Elucd is helping police better gauge how their precincts feel about them by pushing surveys out through apps.

Good news could be found as well! We talked to the Google engineers who built Secure Browsing, a suite of technologies that underpin security for a huge amount of the modern web. We profiled Jonathan Albright, the academic who has shined the brightest spotlight on Russian influence campaigns in the 2016 election and beyond. And we took a look at two tools Amazon has tested that could help its leaky cloud problem.

There’s more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Venmo’s Public Defaults Start to Cause Problems
Privacy advocate and designer Hang Do Thi Duc this week brought attention to payment app Venmo’s lack of built-in privacy. Her site, Public by Default, taps into Venmo’s API to show the latest transactions taking place on the platform. In fact, the nearly 208 million public Venmo transactions that took place in 2017 can all be viewed at this URL. But while Public by Default explores the inherent privacy issues with Venmo’s opt-in privacy in largely anonymized fashion, a bot emerged Thursday that tweets the usernames and photos of any users that appear to be buying drugs. Not ideal!

Ideally, Venmo would go ahead and make transactions private by default. But because it’s structured as something of a social network—peeping other people’s emoji transaction descriptions is part of the appeal—that’s unfortunately unlikely. Instead, to better protect yourself, open the app, tap the hamburger menu in the upper left corner, tap Privacy, and select Private. You’re welcome!

The DOJ Will Make Foreign Interference Public
In a departure from current policy, deputy attorney general Rod Rosenstein Thursday said that the government will let American groups and individuals know when they are the subject of an effort to subvert US democracy. The Obama administration notably didn’t do so in 2016, fearing that going public with Russia’s actions would appear politically motivated. It’s unclear exactly how the new policy will play out in practice, given that those sorts of disclosures will require a “high confidence” in attribution—tricky, especially in the digital sphere—and that the DOJ presumably won’t make any disclosures that would threaten ongoing investigations. Still, it would at least presumably prevent the current administration from trying to downplay or cover up any intrusions in the 2018 midterms and 2020 presidential campaigns.

Ransomware Attacks Plague Medical Companies
A pair of high-profile attacks hit sensitive health care targets this week. Ontario-based CarePartners got hit with ransomware that locked out medical histories and contact info for as many as tens of thousands of patients, and apparently credit card numbers and other sensitive information as well. And the same SamSam malware that hobbled Atlanta struck LabCorp, a major lab services provider. Hackers apparently demanded $52,500 to free up the affected machines, but LabCorp appears inclined to simply replace them instead. Either way, it’s a good reminder that ransomware targets hospitals and other health care targets disproportionally, precisely because the stakes are so much higher.

A Robocall Firm Exposed Data of Thousands of US Voters
As if the scourge of robocalls weren’t bad enough already, a company called Robocent left hundreds of thousands of voter records, spread across 2,600 files, exposed on the open web. The data appears to have comprised mostly addresses and demographic information, but if nothing else it’s a reminder that the cloud needs better tools to keep this sort of thing from happening basically every week.

Tags: , ,

Introducing ShazzleMail Email and How it Works

Privacy is your Fundamental Human Right.

Our Daily Blog
telegram-3m
Your Privacy Is Our Business
April 30, 2019

Let us reassure you: You’re worried only because you don’t understand anything about anything. ...

Read more
pr
Coffee with Privacy Pros: Three Constants of Privacy
April 23, 2019

A look behind the career and privacy theology of the law-lovin’ CPO of Uber, Ruby Zefo Jared Cose...

Read more
privacy-coins-and-bitcoin-dominance-guide
We’ve Stopped Talking And Searching About Privacy
April 15, 2019

Kalev Leetaru Contributor AI & Big Data I write about the broad intersection of data and soci...

Read more
private
Rebiton Allows You to Buy Bitcoin and Keep Your Privacy
April 8, 2019

by Kai Sedgwick Purchasing bitcoin ought to be quick and easy, but over the years, encroaching KY...

Read more
20190323_fbd001
Big tech faces competition and privacy concerns in Brussels
March 25, 2019

And the sector may be the better for it Print edition | Briefing Mar 23rd 2019 | PARIS Around 19 ...

Read more