
Posts Tagged ‘security’


US legal eagle: Well done, you bought privacy compliance tools. Doesn’t mean you comply with anything

February 25, 2019

From California state regs to Europe’s GDPR: It’s all just a ‘veneer of protection’

By Rebecca Hill, 25 Feb 2019 at 14:44
Much-lauded privacy laws risk being undermined as compliance is outsourced to tech vendors and “toothless trainings, audits and paper trails” are confused for genuine protections, a New York Law School professor has said.

In a paper in the Washington Law Review, published online last week, Ari Ezra Waldman argued that recently strengthened privacy laws actually offer “false promises” for consumers.

He said that laws like the European Union’s GDPR or California’s state privacy rules are failing to deliver on their promised protections partly because of the “booming market” in tech vendors hawking privacy compliance tools.

“The responsibility for fulfilling legal obligations is being outsourced to engineers at third-party technology vendors who see privacy law through a corporate, rather than substantive, lens,” he wrote.

“Toothless trainings, audits, and paper trails, among other symbols, are being confused for actual adherence to privacy law, which has the effect of undermining the promise of greater privacy protection for consumers.”

The problem is heightened because, as they fear increasing fines under the new laws, organisations – particularly those without the cash to build tools in-house or hire in experts – are more likely to look for a quick fix.

However, Waldman warned that this could have knock-on effects, not only because organisations buying shoddy kit risk non-compliance, but also for the long-term outlook of both the vendors and consumers.

“Not all innovation is good innovation,” Waldman said. “Companies that develop shoddy products may lose out in the market in the long term, but in the short and medium term, they risk putting millions of persons’ data at risk.”

‘Symbols of compliance standing in for real protections’
The paper aimed to emphasise the importance of privacy laws by pointing to Facebook’s “cavalier” approach to data protection, mobile app platforms that “routinely sweep in user data” because they can, and even academics’ interest in hoovering up personal info as part of studies.

As the implications of such mass data hoarding, harvesting and hawking have come to light, a set of comprehensive international privacy laws have been drawn up – but Waldman said that, in reality, the law’s “veneer of protection is hiding the fact that it is built on a house of cards”.

He pins much of this on the burgeoning “privacy outsourcing market” and the idea that third-party tech vendors “instantiate their own vision of the law into their services” to fling at organisations desperate to avoid whopping fines.

The argument is based on a socio-legal principle of “legal endogeneity”, first mooted by academic Lauren Edelman. This is when the law is shaped by ideas emerging from the space it seeks to regulate, rather than constraining or guiding those organisations’ behaviour.

It occurs when “ambiguously worded legal requirements” allow compliance professionals on the ground to define what the law means in practice – and in the case of privacy laws, much of this comes down to tech vendors and compliance professionals.

Some of the law’s most important premises – like privacy by design or consent – “are so unclear that professionals on the ground have wide latitude to frame the law’s requirements, kicking endogeneity into high gear”.

Tech can’t save you – but everyone wants it to
Mixed in with this is the fact that both private and public bodies have (misplaced) faith in technology to solve their problems; meanwhile the threats of financial penalties make organisations “uniquely susceptible to promises that vendors can make their troubles disappear”.

This opens the door to vendors selling compliance, and Waldman said that there are 200-plus firms that “instantiate their own interpretations of privacy law into the designs of automated tools, often marketing themselves as one-stop compliance shops”.

The author – hoping to see off any “not all vendors!” comebacks – emphasised that he isn’t saying every firm is part of the problem, nor that they alone are responsible for undermining the promise of privacy law.

Instead, Waldman said that the impact of privacy tech vendors on the legal frameworks is “both significant and under-explored” – and aimed to probe this by assessing the claims made by 165 companies listed in a 2018 report (PDF) from the International Association of Privacy Professionals.

He found that almost three-quarters had at some point positioned their products and services as achieving GDPR compliance – when most are designed to meet just two or three of the GDPR’s requirements, “if that”.

‘Privacy law can’t be broken down into code-able pieces’
A further issue described in the paper is that, by promoting these tools for compliance, vendors are attempting to reduce the law into “code-able pieces” when the law is about more than just paper trails and data maps.

“Such under-inclusive compliance technologies may then have the effect of increasing corporate exposure to administrative fines if in-house constituencies confuse purchasing a compliance technology that does a few things with actually solving a problem,” Waldman wrote.

He also posits the idea that this could lead to an imbalance between firms that have to outsource because they lack the money or time to recruit legal experts or build their own tools in-house, and those that can afford to do this.

Meanwhile, consumers are being disempowered because they are increasingly faced with tech-driven conversations about compliance based on black box algorithms. This also risks “erasing” traditional safeguards that see the law interpreted in the open and on the public record.

Waldman proposed lawmakers edge away from “transactional visions of privacy law that are susceptible to symbolic structures”, as well as calling on the US Federal Trade Commission to be “more active vendor regulators” with better audits.

For vendors, he called for “more modest approaches” that include hiring lawyers and professionals and establishing a closer relationship with regulators, possibly including certification.

Possible products and services include summaries and comparisons of legislation, training courses and tools that scan the data a company has to seek out personal information.

He also called for further research that puts vendors in an ecosystem of social forces that influence the implementation of privacy law on the ground, as well as work on the problem of privacy education for engineers.


Privacy Problems Mount for Tech Giants

January 21, 2019

By Sam Schechner
Jan. 21, 2019 6:30 a.m. ET

Big tech companies have taken a public lashing in the past year over their handling of users’ personal information. But many of their biggest privacy battles have yet to be fought—and the results will help determine the fate of some of the world’s largest businesses.

So far, tech giants like Facebook Inc. and Alphabet Inc.’s Google have proved relatively resilient against a growing backlash over possible abuse of their users’ personal privacy. Tech companies’ stocks may have swooned, but advertisers are continuing to cut them checks, and their profits are still growing at double-digit rates that would earn most CEOs a standing ovation.

This year may be stormier. Growing discontent among users over privacy and other issues—such as the widespread feeling that mobile devices and social media are addictive—could damp profit growth, discourage employees or chase away ad dollars. In Europe, regulators are slated to make major rulings about tech companies’ privacy practices, likely setting off high-stakes litigation. In the U.S., revelations about allegedly lax privacy protections are raising political pressure for federal privacy regulation.

At risk are tens of billions of dollars that marketers spend every year in online advertisements targeted at users with the help of personal information about individuals’ web browsing, mobile-app usage, physical location and sometimes other data, like income levels.

The behavior of tech giants is likely to be a major topic at the World Economic Forum this week in Davos, Switzerland. While the yearly meeting of world leaders and company executives normally celebrates how businesses can solve the world’s problems, tech companies were on the defensive last year against complaints that ranged from fomenting political polarization to building artificial intelligence that will displace millions of workers.

Since then, the pressure has increased. Facebook executives have been dragged before legislators on both sides of the Atlantic, after the company said data related to as many as 87 million people may have been improperly shared with Cambridge Analytica, a political analytics firm. And in September, Facebook said hackers had gained access to nearly 50 million accounts.

Google, meanwhile, has faced criticism of its privacy practices from political leaders, including flak after The Wall Street Journal reported that the company had exposed the private data of hundreds of thousands of users of its Google+ social network and opted initially not to disclose it.

Some tech executives have raised alarms, too. Apple Inc. Chief Executive Tim Cook, speaking in October before a privacy conference organized by the European Union, called for tighter regulation in the U.S. along the lines of a strict new privacy law in the EU, saying that some companies had “weaponized” users’ personal information in what he described as a “data-industrial complex.”

Facebook and Google both say that they have been investing heavily in improving how they protect user privacy and that they welcome tighter privacy rules; both companies support passage of a U.S. federal privacy law. Tech-industry lobbyists say they are planning to support U.S. privacy legislation over the coming year, in part to avoid contending with a patchwork of laws like one passed last year in California.

“Our industry strongly supports stronger privacy protections for consumers,” says Josh Kallmer, executive vice president for policy at the Information Technology Industry Council, which represents Facebook, Google and other tech companies. Mr. Kallmer says consumers “benefit incredibly from these technological innovations,” but adds that “alongside that are some very legitimate concerns about how data is being handled.”

What impact will stricter privacy rules have? There are two theories.

One school of thought says that stricter rules and tighter enforcement will benefit big, incumbent companies that already have access to large amounts of user data and can spend more heavily on legal-compliance efforts. The other argues that rules like those in the EU’s new General Data Protection Regulation, if strictly applied, will force significant changes to how the biggest tech companies collect and analyze individuals’ personal information—undercutting their advertising businesses and weakening their advantage over existing or potential new competitors.

“Both are reasonable claims. But it is far too early to tell which will turn out to be true,” says Alessandro Acquisti, a professor at Carnegie Mellon University who studies the behavioral economics of privacy.

At issue, in part, is the distinction between short-term and long-term effects. There are signs that Google, for one, benefited at least initially from the transition to the GDPR in May, in part because advertisers shifted money to the bigger firms, which were able to show they had users’ consent to display targeted ads.

In Europe, Google saw a 0.9% increase in the share of websites that include its advertising trackers two months after the GDPR went into effect compared with two months before, according to Cliqz, which makes antitracking tools for consumers. Facebook’s share declined 6.7%. The share for the other top 50 online-ad businesses fell more than 20%.

The longer-term impact on big firms is harder to predict. One study of nearly 10,000 online display advertising campaigns showed that users’ intent to purchase products was diminished after earlier EU laws restricted advertisers’ ability to collect data in order to target those ad campaigns. But more research is needed to determine what impact tighter rules would have on consumer spending more broadly, Prof. Acquisti says.

How the laws are enforced by regulators and courts will play an important role. Ireland’s Data Protection Commission, which is the EU’s lead regulator for Facebook and Google, is investigating complaints from privacy activists that the consent companies sometimes request for the processing of individuals’ data is a condition of using a service and so is not “freely given,” as the law requires.

In Germany, the federal antitrust enforcer says it will issue early this year a final decision regarding its preliminary finding that Facebook uses its power as the most popular social network in the country to strong-arm users into allowing it to collect data about them from third-party sources. A German decision wouldn’t involve fines, but could include orders to change business practices.

Both Facebook and Google say they comply with privacy laws.

Initial decisions could come this year, but whichever way the watchdogs come down, their actions are likely to end up reviewed in court. Those cases will end up determining how new privacy standards will be applied. And that will determine how profound their impact is.

“There is active litigation in a couple of places that could become hugely important,” Mr. Kallmer says. “It’s uncertainty that our industry thinks it’s on the right side of.”

Mr. Schechner is a Wall Street Journal reporter in Paris. Email sam.schechner@wsj.com.


Apple is portraying itself as the defender of privacy in the tech world, but it’s one slip away from embarrassment

January 10, 2019

Analysis: Apple has continued to ratchet up its criticism of competitors in a bid to differentiate itself as the “most secure” tech company.
The move is a risky one, as Apple is exposed on several fronts to possible privacy and security leaks and breaches, putting it one step removed from a significant reputation dent that could further hurt sales.
Kate Fazzini

CNBC.com
Photo: Tim Cook, Chief Executive Officer of Apple Inc., takes a selfie with a customer and her iPhone as he visits the Apple Store in Chicago, Illinois, U.S., March 27, 2018. (John Gress | Reuters)

Apple ramped up its efforts this week to differentiate its business on the basis of privacy and security, a risky move given risks to its cloud-based backup service and a challenging privacy environment globally, particularly in China, where the company says it is struggling.

Apple took a high-profile swipe at Google, Amazon and Facebook at this year’s Computer Electronics Show, with a full-building ad touting “What happens on your iPhone, stays on your iPhone.” CEO Tim Cook has criticized competitors for their privacy practices and their willingness to share data with third parties.

Apple is now also reportedly hiring ex-Facebook engineer Sandy Parakilas, who called Facebook a “living, breathing crime scene” because of its misuse by Russian hackers in the 2016 election. (Parakilas is reportedly taking an internal spot as a privacy product manager at Apple, a role not likely to include public-facing statements like these in the future).

For sure, Apple’s core business is different from Facebook’s and Google’s. Apple makes the bulk of its money selling iPhones and other computing devices, and charging consumer subscriptions for things like Apple Music. That means Apple has little reason to compile detailed information about users, and even less incentive to sell that information to third parties. But Facebook and Google make the vast majority of their money from advertising.

But putting such a big stake in privacy as a differentiator may be a risky business move.

First, Apple is just one iCloud breach away from an embarrassing incident that could damage its “what happens on your iPhone, stays on your iPhone” claims.

Scandals in the past years involving major celebrities who have had nude photographs stolen from their iCloud archives have been dangerously close. Apple has said these incidents involved username and password theft, giving criminals access to iCloud files through the celebrities’ password information, not a breached iCloud database.

But iCloud relies on the same cloud-based network architecture most companies rely on, including Amazon Web Services, Google’s cloud platform and Microsoft Azure. No database is impenetrable, and that includes those iCloud uses. A single instance of leaked data or an insider theft could put the company at serious reputational risk.

Third-party applications are also a potential sticking point. From a security point of view, Apple’s app store has stringent safeguards in place that make it more resilient to security issues like application spoofing than competitors such as Google’s Play store.

But independent iPhone apps still have the capacity to misuse data. The company routinely removes applications from the store for providing user information to unauthorized third parties. The New York Times reported earlier this year that numerous free iOS apps track detailed user information and provide it to third parties.

So Apple may also be one data-tracking scandal away from significantly denting the idea that data necessarily “stays on your iPhone.”


Editorial: Privacy Lessons From Google

December 28, 2018

Thursday, December 27, 2018
Congress is eyeing a federal privacy framework for 2019. But what about the laws already on the books? Demands for an investigation into Google’s marketing of children’s apps in its mobile store could offer legislators some lessons.

Comprehensive privacy rules for the United States are necessary precisely because the current rules cover only information or populations deemed especially sensitive. One of those populations is children, and the Children’s Online Privacy Protection Act (COPPA) was passed in 1998 to prohibit sites from collecting their identifying data without parental consent.

But according to a filing to the Federal Trade Commission by 22 children’s and consumer organizations, many apps gather that data anyway — from ID numbers, to addresses, to location, to the photos on a game-player’s smartphone.

Google is not responsible under COPPA for the actions of untrustworthy apps; the apps themselves are the only ones breaking that law. (The tracking of children on YouTube, which is owned by Google, is another question.) But the complainants allege that, by labeling a section of its store child-friendly and then allowing COPPA violators to appear there, Google is misleading consumers.

They want the FTC to step in, and three Democratic senators have joined in the call. Google says it has removed thousands of noncompliant apps in the past year and has already begun removing those listed in last week’s filing.

This debate should be particularly interesting to lawmakers seeking to craft broader regulations for consumer protection. First, there is the question of Google’s role as a gatekeeper, particularly when its own ad platform is integrated with many of the apps in its stores. Making Google and other software companies, such as Apple, liable for all of the content they host would hurt more than help. But the companies’ conflicting interests are an argument for increased oversight of app stores. And companies should be held to account when they are demonstrably negligent in enforcing their standards.

Last week’s complaint also presents an enforcement issue. The FTC has taken some action against developers in the past for sharing children’s information with advertisers, but the problem persists, and at scale: A study in April found that a majority of the popular apps that researchers surveyed were potentially in violation of COPPA. The FTC has been granted the fining and rulemaking authority under COPPA that many legislators presumably would grant it under a federal privacy law. Still, its efforts so far have not been an effective deterrent, and Congress will have to ask why.

COPPA is two decades old, and it requires modernization that ought to occur alongside Congress’ broader privacy efforts next term. But its provisions nonetheless should remind lawmakers of an important reality: How companies are held to account for violating a law is as important as the law itself.

The Washington Post


What’s Wrong With Your Venmo Account, and How to Fix It

December 4, 2018

By Katherine Bindley
Dec. 4, 2018 9:02 a.m. ET

Few social-media experiences have made me cringe more than viewing my “friend” list on the peer-to-peer payment app Venmo for the first time. Seeing the names of people I’d been on dates with years ago was jarring. Seeing someone I’d blocked on Facebook was unsettling. Seeing names I didn’t recognize and couldn’t find in my contacts was baffling. But one name horrified me above all others: my former therapist.

I went to her profile, clicked on her friend list and saw another name I recognized, the friend who initially referred me. It hit me that I was scrolling through a list that included a psychologist’s patients.

Venmo does well what it’s supposed to do: let friends exchange money quickly and easily. By default, it posts those transactions in a social-media-style feed—seeing who shared meals and drinks with whom, and which emojis they favor, can make an otherwise boring process mildly entertaining.

Theoretically, Venmo lets users control who sees those posted items. But Venmo has a spotty record on privacy and transparency: In February, the FTC announced a settlement with Venmo’s parent company, PayPal Holdings Inc., after finding Venmo “misled consumers about the extent to which they could control the privacy of their transactions.” PayPal didn’t pay a fine but agreed to make privacy-policy updates and to make sharing controls clearer.

Still, Venmo has so far been unwilling to make privacy adjustments to some of the features many users have issues with. Between the uproar this past summer over the app’s public-by-default settings, the enduring inability to make your “friend” list private, and my feeling like a potential victim of a HIPAA violation, I started wondering if I—or anyone else—should really be using the app. Figuring that out took far more digging than users should reasonably have to deal with.

Here’s what I learned, and what you can do to protect yourself on Venmo:

1. Venmo Transactions Are Public by Default

Photo (Venmo): Because Venmo’s default privacy setting is Public—allowing all transactions to be seen by Venmo users—you should go in and change it to Friends or, better yet, Private.

Venmo’s social feed is populated by transactions between users. All these posts are publicly visible by default. That means unless you change your settings, anyone (researchers included) can see whom you paid.

To change that, tap the three lines in the app’s top left corner, select settings and then hit Privacy. You can choose Friends or Private, which means a transaction will be visible only to you and the person you exchanged money with. To change who can see your old posts, go to Privacy > Past Transactions.

2. Contact Syncing Isn’t Mandatory (But Appears to Be)

Photo (Venmo): When signing up for a Venmo account, you have the option to skip Facebook friend syncing by tapping Not Now, but there is no similar button for phone-contact syncing.

When users create a Venmo account, they’re asked to sync their contacts. You can go back or forward, but there’s no Skip or Not Now button.

If iPhone users select Next, they see an iOS popup asking for contact access. You might assume you have to click Allow, but you can hit Decline and still create an account.

I don’t normally sync contacts, but when I signed up for Venmo in 2015, I enabled syncing. To check your syncing status—and switch it off—go to Settings > Friends & Social.

3. Your Friend List Is Always Visible

Venmo friend lists are visible to other users and can’t be made private. Don’t feel bad if you didn’t know this: The company didn’t mention it in its privacy policy until September.

Venmo’s definition of “friends” is very loose, as evidenced if you sync your contacts. Unlike Facebook or LinkedIn, which search your phone book and give you the option to add connections, Venmo automatically adds to your friend list any saved contacts who also sync their phone books with the app.

If you have contact syncing turned on, the app checks your phone book regularly—every 28 days for iOS, every week for Android. Venmo adds any new contacts, but won’t remove phone contacts you’ve deleted. That’s why some “friends” might look like strangers.

You can’t hide your friend list, regardless of your privacy settings. This means that you’re publishing your phone book. It won’t show everyone, but it will include anyone in your phone who also synced contacts on Venmo. That might include your boss or, well, your therapist.

Why can’t we make this private? “Because Venmo was designed for sharing experiences with your friends in today’s social world, we try to make it as easy as possible to connect with other Venmo users,” a spokeswoman said.

4. You Can Cull Your Friend List

Photo (Venmo): Additional ways to make your Venmo account more private: Turn off Facebook Connect and contact syncing, change the privacy settings of past transactions, and unfriend anyone you don’t want to share information with.

What you can do is unfriend people—but you’ll have to find your friend list first! Clicking on your profile won’t display it to you. Instead, tap the three lines and go to Search People. Scroll past Top People to see them all. Remove people by tapping their profiles and unchecking the friend icons.

It’s important to review your friend list if you’re sharing transactions with friends, since that list may be longer than you realize. If you never synced contacts, the list could be virtually empty.

5. There’s a Difference Between Facebook Connect and Facebook Contacts

Go to Settings > Friends & Social and you’ll see Facebook Connect and Facebook Contacts.

The first creates a link between your two accounts. I suggest disabling this. Facebook recently had a security breach, and like many apps, when you agree to connect, you’re sharing information in both directions that may not be apparent. No, thanks.

The second simply adds Venmo-using Facebook friends to your account who’ve also synced. Like contacts, they’ll stay in your Venmo friend list even after you unfriend them on Facebook.

6. Bank Account Syncing Isn’t Mandatory, Either

In a fairly recent addition to its privacy policy, Venmo says, “If you connect your Venmo account to other financial accounts…we may have access to your account balance and account and transactional information, such as purchases and funds transfers.”

Given that Venmo is a payment app, it makes sense that the company would need to access some financial information to facilitate payments and confirm you have the funds to cover your transactions. Venmo’s spokeswoman told me the company doesn’t actually access users’ transaction information.

It’s a small relief. The company has privacy issues and has framed the social aspect of the app as core to its existence. Meanwhile, that FTC complaint alleged that Venmo “misrepresented the extent to which consumers’ financial accounts were protected by ‘bank-grade security systems.’” (The company said it made “appropriate changes” in response.) And lately, Venmo has been grappling with a spike in fraud.

If you’re really concerned, you could unsync your bank account. The app won’t be as functional, and you’ll have to use incoming funds to pay for things. But if Venmo is just a pizza-and-beer slush fund for you, that might be all you need.

Venmo’s hold on its users is pretty strong. So strong that I don’t feel like I can stop using it yet, because no one has ever asked me to “Square” or “Zelle” them. But I’ll be happy to jump ship if and when a more privacy-minded app comes along.

Write to Katherine Bindley at katie.bindley@wsj.com
