Archive

Posts Tagged ‘online activities’

Privacy: search for it and claim it!

September 15, 2011

Once again, E-Crime Expert posts a special edition on this blog because of the importance of the current discussions between policymakers and advertisers on profiling and targeted advertising. Tomorrow E-Crime Expert will resume its regular topics: awareness and educational programs.

It is evident that privacy and the protection of personal data are becoming increasingly important, and that European regulators and data protection authorities are more and more successful in drawing the line on how online advertising, targeted advertising, tracking and profiling may be used by the main actors of the Digital Age (Google, Facebook, Yahoo, etc.).

On September 13, 2011 Google announced that it would give the owners of residential Wi-Fi routers the option to remove their device from the database that Google uses to locate mobile phone users. A Wi-Fi access point continuously broadcasts its network name (SSID) and hardware address (BSSID); a location database that stores these identifiers together with the coordinates where they were observed turns every home router into a fixed landmark from which nearby phones can be positioned. Collecting this without the owner's knowledge is what European data protection authorities consider contrary to EU data protection legislation.

Not just Google but Facebook too has started taking the European data protection legislation more seriously and is trying to comply with it: it recently hired several public policy experts, lobbyists and a spokesperson for the EU institutions, recruited from the highest level (the White House, the European Parliament).

Further concerns relate to how consumers' private information and personal data are protected from these commercial activities (targeted advertising, profiling). On September 14, 2011 regulatory advisers and the advertisers' representatives (IAB) met in The Hague (Netherlands) to discuss this issue.

Both parties have important issues at stake: the regulators are concerned about citizens' fundamental right to data protection, the advertisers about how important profiling and targeted advertising are to their multi-billion dollar businesses.

The advertisers came with a solution of their own: a small opt-out icon, presented as a do-not-track button, placed on the web page. Through it users can either withhold their consent and continue browsing without being monitored or profiled, or keep the "better online experience, tailored to their needs", in one word: profiling!

Quiz:

In the above picture, can you see where that icon/button is?

Correct answer:

After a user has "successfully passed" this level and identified the icon, he or she has to read a long and technical explanation of how much the advertisers do for their users for free, rather than how much users actually do for the advertisers by handing over their most valuable resource: private/personal information, which apparently is the new currency of the Digital Age.

See here:

In order to opt out, the user has to read the whole text, press another opt-out icon, and is then asked whether to opt out only from Yahoo, Google or Microsoft advertising or from the other advertising companies as well:

Because of its size and almost camouflage-like appearance, users rarely notice or click on this icon, as demonstrated by research published on media6degrees.com/blog (here), which states:

"To date, we've served almost a billion impressions that included the icon. People who see the icon click through to expand the overlay at a rate of less than 0.005%. The overall opt-out rate is 0.0001%. Of the people who clicked on the icon to expand it, 3% eventually choose to opt-out".

Besides the fact that this icon is almost invisible and largely ineffective, there is the problem that adoption is voluntary. To date only a few of the large advertising networks (Google, Microsoft and Yahoo) have adopted it on their pages.

In the light of the EU data protection framework there is a further problem: the icon does not meet the requirement of informed consent. Consent has to be given before tracking starts (opt-in), whereas the icon only lets the user object afterwards (opt-out): tracking and ad serving take place unless and until the user exercises the objection.

As can be seen, privacy and personal data are hot topics nowadays: providers, advertisers and policymakers are all deeply involved and trying to find a compromise between multi-billion dollar businesses and citizens' fundamental rights. However, fundamental rights should not be a matter of compromise. The parties are taking a step in the right direction, but the step is not big enough yet.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexpert.com

Have you noticed that icon on your webpage before? What do you think about the current privacy “battles” of the Digital Age? Do you feel protected on the Internet? Do you mind being profiled by default?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

The Privacy platform

September 8, 2011

On Wednesday 7 September 2011 the European Parliament in Brussels hosted the Privacy Platform "The Transatlantic Dimension of Data Protection".

E-Crime Expert attended this meeting, where presentations were given by Mrs. Françoise Le Bail (European Commission), Mr. Gus Hosein (Privacy International), Mr. Caspar Bowden (former Microsoft Chief Privacy Officer), Mr. Jan Philipp Albrecht (Member of the European Parliament, Greens/EFA), Mr. Richard Allan (Facebook) and the Honorable Ambassador William E. Kennard (US Mission to the European Union). The meeting was chaired by MEP Sophie In't Veld.

The Privacy Platform started with Mr. Hosein's presentation, from which we can highlight the following:

- The US Privacy Act applies only to US citizens.

- In the US there are, of course, limits on the privacy protection of non-US citizens, but efforts are being made to redress the situation

- As far as he can observe, privacy by design is not yet working properly in the US

- In 2007 a new privacy body (the Privacy Oversight Court) was created in order to better protect privacy

The second presenter was Mr. Bowden, who mentioned that he had never seen any enforcement of the Safe Harbor Agreement in relation to the EU data protection legislation so far.

- In the US, privacy is granted by the Constitution to US citizens

- To his knowledge, the risks of the Patriot Act with regard to non-US citizens have not been assessed since 2008

- He said that it should first be clarified what data is subject to the Patriot Act

- Some policy circles in the US think that private data should be collected only as far as necessary

- The Passenger Name Record (PNR) Agreement does not give any guarantees regarding privacy, as a former US politician noticed

Next came Mr. Allan's intervention, in which he mentioned that Facebook operates on a global level and is not just a place for sharing but a global platform, widely used in the EU as well. The aim of Facebook is to be a social network where people socialize and share information; otherwise it would be considered an anti-social environment.

- Facebook is still experimenting, trying to find its way

- Facebook is part of the Safe Harbor Agreement

- Facebook has its European headquarters in Ireland and many subsidiaries in Europe, in Germany and elsewhere

- Facebook recognizes the Irish data protection legislative framework and the Irish Data Protection Supervisory Authority

- Facebook consults with the Irish Data Protection Supervisory Authority in order to follow that framework

- Facebook is trying to offer the best level of data protection for its European users

- Facebook is still establishing itself in Europe

- Facebook does not want to be like Google and experiment in the market; it wants to see and follow a clear business framework in Europe, one that allows businesses to operate and develop in the EU while offering protection to their clients and to their business

- Facebook recognizes that there are several quite complicated issues of jurisdiction as well, with regard to data portability, cloud computing, etc.

Next on the list was Mrs. Le Bail, who said that the Commission's mandate is to protect EU citizens' personal data

- But the current system is less clear and less effective than it should be

- For this reason the current system (Directive 95/46/EC) is under review, and we will see what happens once this review comes to an end

- She knows of an initiative in the US Congress seeking better privacy protection

- The current EU legislative framework tries to keep control over EU citizens' data in order to offer better privacy protection

- She called for an end to the fragmentation of EU data protection legislation among the 27 Member States: when the Directive was transposed into national law there were 27 ways of transposing and interpreting it

- She is seeking more simplification and consistency

- She mentioned that the revision of the Directive also aims to protect data in the context of police and judicial cooperation, an area not yet covered by the current data protection legislation

- The EU has a real interest in solving the data protection issue and is seeking in the US a reliable and serious partner for discussion and collaboration

- Sophie In't Veld, the chair of the meeting, asked Mrs. Le Bail what the jurisdiction is over data stored on EU soil: does it come under the US Patriot Act?

- Mrs. Le Bail answered that they are not yet engaged in this matter, but she thinks that when it comes to EU companies with a US subsidiary, the US authorities have to use dialogue and legal channels (under the EU data protection legislation) to access EU data rather than the Patriot Act. This is an ongoing negotiation item between the US and the EU

- Unfortunately, the current situation allows the US to access EU data under the Patriot Act if an EU business has even just a mailbox in the US, which brings it under US legislation.

After this presentation it was the turn of the Honorable Mr. Kennard to present his points and opinions. He stated that this issue is very complex due to its technical features

- He also mentioned that mutual assistance between the US and the EU is already in place on this matter

- The current PNR Agreement is under negotiation; it aims to replace the 2007 Agreement between the US and the EU, and the new Agreement is an extremely elaborate one in terms of offering better privacy protection

- He explained that the Safe Harbor Agreement concerns the transfer of corporate data between the US and the EU

- The revision of the EU Data Protection Directive takes place at the same time as, and in parallel with, the revision of the US Consumer Data Protection Act, and the US is watching with interest the progress and news the EU revision brings

- Commissioner Reding pointed out the great opportunity for collaboration between the US and the EU with regard to these legislative revisions

- The US Federal Trade Commission issued a staff report with several recommendations, with privacy by design and the do-not-track concept as central points

- New legislation proposed by US Senators and endorsed by the Obama Administration aims to offer very specific consumer privacy rights in a new consumer privacy rights bill. The bill also presents very substantial and innovative systems for protecting consumer privacy, along with a new code of conduct

- Other very important bills on children's privacy protection and geolocation have passed in the US Congress, similar to the newly proposed text of the EU Data Protection Directive

- The US revision has consumer rights and accountability as central points, and the US is also trying to consult with its EU partners to find new ways to protect citizens from the privacy issues emerging from new technological developments

- He pointed out that on both sides of the Atlantic, the EU and the US are going in the same direction with regard to privacy and data protection

- Sophie In't Veld asked whether both the US and the EU want to produce a good privacy standard document

Last but not least was the presentation of Mr. Albrecht, who said that developments such as globalization and digitalization bring new challenges, among them challenges to privacy. On the Internet there is no sovereign state anymore; sovereignty no longer exists in the online world

- Privacy and the Internet present many challenges for the years to come. Those challenges could perhaps be dealt with through common regulation between the US and the EU, if both choose to collaborate

- The EU wants to collaborate with the US and also to encourage competition in the online environment, because only fair competition can bring further technological development. In this regard the US and the EU should come up with common regulations and rules that foster trust among consumers and citizens

- Unfortunately, he has observed companies that disregard the Safe Harbor Agreement or the EU Data Protection Directive, especially companies not located on EU territory

- Transatlantic collaboration should be based on sovereignty and on respect for the citizens of both worlds.

Sophie In't Veld, the chair of the meeting, concluded that privacy should be a non-negotiable issue, and that in this regard neither the US nor the EU should negotiate it.

In E-Crime Expert's opinion this is a very emotional and politically charged concluding statement, which is not unusual coming from a politician. But beyond such motivating statements we should also ensure that lawmakers and politicians completely understand the reality behind new technological developments and how those actually work in practice. I mention this with reference to the new Directive 2009/136/EC and its implementation among the 27 EU Member States (MS), because there are already discussions about what consent is and how and when it can be obtained.

For example, in France consent under this new Directive is deemed given when a user has not changed his or her browser settings to block cookies. In the UK, on the contrary, consent has to be obtained before the cookie is installed in the user's browser, and there are many similar differences in interpretation among the remaining 25 MS. The applicability of Directive 2009/136/EC, aka the "Cookie Directive", is also related to the "Transatlantic dimension of Data Protection", because the major players on the Internet, such as Google, Facebook, eBay, booking.com, LinkedIn and YouTube, are all located in the US. They all use cookies to deliver their services, and once installed in a browser or on a machine those cookies can track, transfer and use EU citizens' data. The consent issue is crucial for delivering and assuring adequate protection of their personal data and privacy.

I think legislation should, from its conception, be built around the technical features of what it tries to regulate (cookies, the browser, the Internet). When legislation is drafted, lawmakers should know how to make it fit the technology; otherwise, once it is implemented, the enforcement authorities have room for their own interpretations of the law, which leads to poor applicability and more room for loopholes.

Any questions can be submitted to:  dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexpert.com

What do you think about this Data Protection panel? What do you know about your data protection rights? Do you know where to lodge a complaint about a violation of your personal data?

Cookie monitoring?! No way…just a “coincidence”

September 7, 2011

Yesterday, E-Crime Expert presented some privacy risks associated with Internet usage here. Today we look at how one can be monitored through a cookie, even though since 25 May 2011, the transposition deadline of Directive 2009/136/EC, a cookie may only be installed on a user's machine or browser with his or her explicit, informed consent. Unfortunately, this Directive does not spell out that such consent has to be obtained "prior" to the installation of that particular cookie on the user's machine or browser.

Recently, while reading the news on the Internet (Yahoo Canada News), I was surprised to see at the bottom of the page (see Fig. 1), where the news headlines are usually summarized, the name of one of my Facebook contacts (she had "liked" a particular article, and by association I should "like" it too). I thought she was in the news, so I clicked through to read it. Instead, there was a box named "Friends' activities". What friends? Yahoo friends? That was not possible, as this contact does not have my Yahoo email address, so what was this about? In fact, it was a new box with updates from my Facebook friends about information they had shared with their connections on Facebook. Why would I want to see on Yahoo Canada News a link I could see on Facebook? How was that possible? Simply, the link was there. I had to figure it out, as I had never clicked the famous Facebook "Like" button on any website during my browsing activity, and not on Yahoo Canada News either.

Figure 1:

The only common element between the two services is that the email address I use for my Facebook account is my Yahoo address; I never imported my Yahoo contacts, or any other address book, into Facebook. But the shared address is how I noticed the link, not what makes it work. What makes it work is that I had logged in to Facebook on the same computer and browser at some point: Facebook does not need an open tab, or me to be on its own site, to recognise me. Any page that embeds a piece of Facebook (a "Like" button, an activity box) makes my browser fetch that piece from Facebook's servers, and my browser sends along the cookie Facebook stored when I logged in. In this way Facebook "follows" me anywhere I go on the Internet, and regardless of whether I ever consented to being delivered friends' updates or links outside the Facebook platform, I get them anyway.

This is information I never requested nor authorized to be delivered to me outside Facebook (in this case on Yahoo News). Furthermore, it is strong evidence that users are monitored outside the social network's walls and served advertising there. In fact, only the Facebook wall post referring to a commercial activity was linked into my Yahoo News page (not a routine daily activity like walking the dog), which brings further audience to that particular business. What is disturbing here is that neither I, the recipient of the information, nor the person who posted it were informed about this advertising practice: appearing on an electronic news page as if it were news. Every user is served content different from every other user's, even when they read the same electronic newspaper and the same news; the content is individually tailored to each user's personal preferences and characteristics.

Technically, this is made possible through a cookie (or cookies) uniquely tied to my account. The Article 29 Working Party[1], in its February 2010 opinion, specifies that "placing cookies or similar devices on users' terminal equipment or obtaining information through such devices is only allowed with the informed consent of the users". Furthermore, an earlier Article 29 Working Party opinion, from January 2008, specifies that:

“When a cookie contains a unique user ID, this ID is clearly personal data. The use of persistent cookies or similar devices with a unique user ID allows tracking of users of a certain computer even when dynamic IP addresses are used. The behavioural data that is generated through the use of these devices allows focusing even more on the personal characteristics of the individual concerned“.

In my case, the cookie Facebook set when I logged in carries an identifier tied to my account (the account whose login name is my Yahoo address). My browser sends that cookie with every request to Facebook's servers, including the requests made on my behalf by Facebook content embedded in other sites' pages, so the cookie effectively "follows" my Internet activity on my computer and reports it back to Facebook. All of this happens without my knowledge or consent.
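To make the mechanism concrete, here is an added example (not code from the original post, nor from Facebook or Yahoo) that simulates a browser's cookie jar and shows why a cookie set by one site is sent along when an unrelated page embeds content from that site. The hostnames (social-example.com, news-example.com, images-example.net), the cookie names and the list of embedded resources are all hypothetical and constructed for the example; cookie scoping is simplified to host-only cookies (no Domain, Path or Secure attributes), and "site" is approximated by the last two DNS labels, whereas real browsers consult the Public Suffix List.

```python
from urllib.parse import urlparse


def site_of(host):
    """Crude 'site' = last two DNS labels. Assumption good enough for the sample
    hosts only; real browsers use the Public Suffix List for this decision."""
    return ".".join(host.split(".")[-2:])


class CookieJar:
    """Minimal host-only cookie jar: a cookie belongs to the host that set it."""

    def __init__(self):
        self._store = {}  # host -> {cookie name: value}

    def set_cookie(self, response_url, name, value):
        host = urlparse(response_url).hostname
        self._store.setdefault(host, {})[name] = value

    def cookies_for(self, request_url):
        """Cookies are selected by the host being requested, never by the page
        that triggered the request. That is the whole point of the example."""
        host = urlparse(request_url).hostname
        sent = {}
        for cookie_host, cookies in self._store.items():
            if host == cookie_host or host.endswith("." + cookie_host):
                sent.update(cookies)
        return sent


def load_page(jar, page_url, embedded_urls):
    """Return one record per request the browser makes while rendering page_url."""
    page_site = site_of(urlparse(page_url).hostname)
    records = []
    for url in [page_url] + list(embedded_urls):
        host = urlparse(url).hostname
        records.append({
            "url": url,
            "third_party": site_of(host) != page_site,
            "cookies": jar.cookies_for(url),
        })
    return records


def cross_site_identifiers(records):
    """Third-party requests that carried a cookie: the observable trace that some
    other site learned which logged-in user is reading this page."""
    return [(r["url"], sorted(r["cookies"])) for r in records
            if r["third_party"] and r["cookies"]]


def demo():
    jar = CookieJar()
    # 1. Earlier, the user logged in to the social network, which stored an
    #    identifying cookie (hypothetical name and value).
    jar.set_cookie("https://www.social-example.com/login", "uid", "10000123456")
    # 2. The user also logged in to the news portal's mail service.
    jar.set_cookie("https://mail.news-example.com/login", "session", "f3a9c0d1")
    # 3. The user opens the news front page. Constructed list of subresources
    #    the page pulls in, including a social-network activity widget.
    records = load_page(jar, "https://news-example.com/", [
        "https://static.news-example.com/style.css",
        "https://www.social-example.com/plugins/activity?site=news-example.com",
        "https://cdn.images-example.net/headline.jpg",
    ])
    return cross_site_identifiers(records)


if __name__ == "__main__":
    for url, names in demo():
        print(f"{url} received cookies {names} while rendering a page on another site")
```

Note that the social network's cookie travels even though the news portal never sees it and the two accounts share nothing: the only link is the browser, which hands each host its own cookies. The image CDN is also third party but receives nothing, because the user never logged in there. A practitioner can reproduce the same check on a real session by exporting the browser's network log and listing the third-party requests that carry a Cookie header.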

Last but not least, let's assume that a father shares a computer with his teenage daughter. When the daughter uses the shared computer she will see, on her father's Yahoo page, links from his Facebook account, and so gain access to his personal Facebook contacts and account content without his consent. By clicking on a Facebook link under the Yahoo News page (mistaken for a Yahoo news item), she could easily get into her father's Facebook account, which is his private space. As Facebook in my opinion is a communication platform, this would be a real intrusion into someone else's communication and private life. If contacts' personal details were involved, it would qualify as a breach of personal data, since they would be exposed to an unauthorized person (the daughter).

Any questions can be submitted to:
dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexpert.com

Have you ever felt monitored on the Internet? Has this happened to you? Would you be interested in checking the new Facebook privacy settings?


Creating a strong password video tutorial

September 5, 2011

For the past few days E-Crime Expert has presented a series of posts summarizing the "Cybersecurity in Europe" Workshop. You can read the first blog post here, the second here, the third here and the fourth here. The first presenter in the series was CERT (Computer Emergency Response Team), followed by ENISA, CERT Hungary and PricewaterhouseCoopers.

As requested by a growing number of readers of this blog following the "Tips for a better, stronger password" post available here, E-Crime Expert presents today a new video tutorial on how to create a stronger password.

The video titled “Creating a strong password” is part of a series developed by E-Crime Expert, which aims to combat cybercrime and cyber-threats by offering advice and tutorials. Stronger passwords are important to better protect your online activities and personal data.

To download the presentation please click here.

Any questions can be submitted to:
 dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexpert.com

What did you think about this video? Do you use a strong password, or an "easy-to-guess" one? Do you think these tips help you have a stronger password? Did you already know any of these tips? Do you know other tips that you would like to share with us?


Tips for a better, stronger password

August 27, 2011

Strong passwords are an important protection for safer online activities.

To better protect your online activities and personal data with stronger passwords, I can suggest the following tips:

– use a combination of capitals, lower-case letters, digits and symbols, a mixture known as a "pseudo-random alphanumeric combination". A password such as PassWord2010 shows the mixing but is still weak: a dictionary word with a capital in it and a year appended is among the first patterns a cracking tool tries;

– use a password of at least 8 characters, and preferably more: every additional character multiplies the number of guesses an attacker needs;

– write a whole sentence and remove the spaces between the words, such as: removethespacebetweenwords. The result is long and still easy to remember;

– find a good way to remember it. One method is to take the first letters of a sentence you will not forget: "I was born in Bucharest on Garibaldi street, district one" gives IwbiBoGsd1. Another is to take the initials of the key words: B (born), BU (Bucharest), G (Garibaldi), 1 (district) and so on;

– DO NOT use information that appears in your email address, or your date of birth, spouse's or child's name, ID number, home address or social security number, as this information is easy for someone to figure out from publicly available sources;

– one could use a pattern on the keyboard: the password itself makes no sense, but the keys form a shape when typed. For example, on my QWERTY keyboard rgnko draws the letter V. Do not, however, use adjacent keys such as qwerty, and be aware that common keyboard walks are included in cracking word lists, so use such a pattern only as one part of a longer password;

– use the telephone keypad (2=ABC, 3=DEF, 4=GHI, 5=JKL, 6=MNO, 7=PQRS, 8=TUV, 9=WXYZ) or a 10-letter word with no repeated letters (i.e. blackstump: b=1, l=2, ..., m=9, p=0) as a substitution table to encode numbers as letters or vice versa;

– use just numbers, but derived by an algorithm only you know, such as: I weigh 85 kg and I was born on January 1, 2010, so 8+5=13 and 1+1=2, giving 13 2 and so on. On its own such a short, digits-only password is guessed in seconds; the algorithm makes it memorable, not strong, so use it as one component of a longer password;

– use a word transposed into digits, for example on the telephone keypad: Brussels becomes 27877357 (B=2, R=7, U=8, S=7, S=7, E=3, L=5, S=7). Again, bear in mind that an 8-digit number is quick to brute-force and that the encoding of a dictionary word is easy to precompute, so combine it with other elements;

– change the password regularly, every few months (or at least alternate them), and immediately if you suspect it has been exposed;

– match the password to the level of security you want for a particular account: a simpler one for less important accounts, such as a newsletter subscription, and very customized ones for banking. Even so, do not reuse the same password across accounts: if one low-value site leaks it, every account sharing it is exposed.

– Avoid creating passwords that use:

  • Dictionary words in any language.
  • Words spelled backwards, common misspellings, and abbreviations.
  • Sequences or repeated characters. Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
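The following Python script is an added example, not part of the original post, that turns the rules above into checks a reader can run against a candidate password, and implements the two mnemonics the post describes (first letters of a sentence, and telephone-keypad transposition). The short word list standing in for a real cracking dictionary is constructed for the example, so an empty result means none of these particular checks fired, not that the password is strong.

```python
import re

# Constructed mini word list standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "brussels", "monkey", "dragon", "secret"}

# Rows of a QWERTY keyboard, used to detect adjacent-key walks such as "qwerty".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Standard telephone keypad groups (2=ABC ... 9=WXYZ).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keypad_encode(word):
    """Transpose a word into telephone-keypad digits: Brussels -> 27877357."""
    return "".join(LETTER_TO_DIGIT.get(c, c) for c in word.lower())


def mnemonic(sentence):
    """First character of every word; digits are kept. Case is preserved, so the
    result mixes upper and lower case for free."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z0-9]+", sentence))


def _has_sequence(pw, n=4):
    """Ascending or descending runs of n letters or digits, e.g. 1234, dcba."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_walk(pw, n=4):
    """n adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            segment = row[i:i + n]
            if segment in low or segment[::-1] in low:
                return True
    return False


def audit(pw):
    """Return the rules from the post that the password violates."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("uses fewer than 3 character classes")
    low = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in low:
            findings.append(f"contains dictionary word '{word}'")
        if word[::-1] in low:
            findings.append(f"contains reversed dictionary word '{word}'")
        if keypad_encode(word) in pw:
            findings.append(f"contains the keypad encoding of dictionary word '{word}'")
    if _has_sequence(pw):
        findings.append("contains a sequential run")
    if re.search(r"(.)\1\1", pw):
        findings.append("contains repeated characters")
    if _has_keyboard_walk(pw):
        findings.append("contains adjacent keyboard keys")
    return findings


if __name__ == "__main__":
    candidates = ("PassWord2010", "qwerty", "12345678", "27877357",
                  mnemonic("I was born in Bucharest on Garibaldi street, district 1"))
    for candidate in candidates:
        print(f"{candidate!r}: {audit(candidate) or 'no rule violated'}")
```

Running it shows the point of the caveats above: PassWord2010 is caught by the dictionary check despite its mixed case and digits, qwerty fails on length, character classes and keyboard adjacency, 12345678 is a sequential run, and the bare keypad transposition 27877357 is caught because the encoding of every dictionary word can be precomputed just as easily as the word itself. The sentence-derived IwbiBoGsd1 passes all of these checks.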

If you have any question, please contact: dan@e-crimeexpert.com or visit: www.e-crimeexpert.com