Facebook’s leaky data problem

Vice have seen a leaked document written by Facebook privacy engineers which sounds the alarm on how they deal with users’ data.

Facebook doesn’t know what it does with your data, or where it goes: Leaked document (Vice)
“We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere,” the document read. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

An interesting analogy. Stop polluting the lake?

Sending a message to WhatsApp

WhatsApp fined $267 million for breaching EU privacy law (The Verge)
Ireland’s Data Protection Commission (DPC) announced the decision in an 89-page summary (PDF), noting that WhatsApp did not properly inform EU citizens how it handles their personal data, including how it shares that information with its parent company.

WhatsApp hit with €225M privacy fine (Politico)
Ireland’s data regulator on Thursday fined WhatsApp €225 million for violating Europe’s privacy rules — a more than four-fold increase in the penalty compared to what the watchdog had initially proposed.

Ireland watchdog fines WhatsApp record sum for flouting EU data rules (The Guardian)
Four “very serious” infringements violated the core of GDPR, said Dixon. “They go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.” The violations affected an “extremely high” number of people, said the watchdog.

Adrian Weckler explains WhatsApp’s €225m fine (Independent.ie: YouTube)
The Irish Data Protection Commissioner has imposed a €225m fine on Facebook-owned Whatsapp, Europe’s second largest penalty so far under GDPR privacy laws. However, it did so only after being ordered to raise the amount by an EU data oversight board.

WhatsApp fined €225m for not telling users how it shared data with Facebook (Financial Times)
The WhatsApp ruling came after Luxembourg fined Amazon a record €746m in July for breaching GDPR and Ireland fined Twitter €450m in December for not informing regulators about a data leak within 72 hours. The Irish Data Protection Commission has more than two dozen ongoing investigations into big tech companies. Amazon has said it will appeal against its fine.

Facebook: Let us tell you WhatsApp – we don’t want to pay that €225m GDPR fine (The Register)
It’s reported to be the heftiest fine ever issued by the DPC and the second-largest handed out under EU data protection laws. It’s also small change for WhatsApp’s parent Facebook, which made a $30bn profit in its latest financial year. The fine is about one per cent of the social network’s annual net income. […]

As well as the fine, the DPC has also ordered WhatsApp to take “a range of specified remedial actions” which some sources claim could make privacy policies even less user friendly.

A horrendous failure

Imagine finally summoning up the courage to start therapy, to disclose your scariest thoughts and feelings, and then this happens.

They told their therapists everything. Hackers leaked it all (WIRED)
“If we receive €200 worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers,” the email said in Finnish. If Jere missed the first deadline, he’d have another 48 hours to fork over €500, or about $600. After that, “your information will be published for all to see.”

It’s a story that WIRED’s UK version had covered in a very similar way back in December.

A dying man, a therapist and the ransom raid that shook the world (WIRED UK)
After a handful of sessions, Puro’s therapist moved on to find new work, supposedly saying he couldn’t do anything more to help. Puro has managed alone since then, but his story has taken another dark twist – one that has shaken him to the core. A data breach at Vastaamo led to Puro and thousands of other vulnerable people being extorted by criminals who threatened to expose their highly sensitive data.

Here’s The Guardian’s report from October.

‘Shocking’ hack of psychotherapy records in Finland affects thousands (The Guardian)
Distressed patients flooded victim support services over the weekend as Finnish police revealed that hackers had accessed records belonging to the private company Vastaamo, which runs 25 therapy centres across Finland. Thousands have reportedly filed police complaints over the breach. Many patients reported receiving emails with a demand for €200 (£181) in bitcoin to prevent the contents of their discussions with therapists being made public.

Devastating for the patients affected as well as the therapy company itself, Vastaamo.

Vastaamo fires CEO, saying he knew about hacking for 18 months (Helsinki Times)
The psychotherapy centre has determined that its database was hacked in November 2018. Nixu, a Finnish cybersecurity company, found later in its investigation that the centre was targeted also in another hacking, in March 2019. “It’s very likely that the chief executive has known about the issue at that point,” Kahri stated to Ilta-Sanomat.

Hacked Finnish therapy business collapses (Computer Weekly)
Vastaamo, the Finland-based private psychotherapy practice that covered up a cyber attack on its patient record system in 2018 and then saw its patients directly extorted by cyber criminals, has collapsed into bankruptcy with its services to be acquired by medical services firm Verve.

Hacked psychotherapy centre Vastaamo files for bankruptcy (Yle Uutiset)
The firm was placed under liquidation in late January. Lassi Nyyssönen from Fenno Attorneys at Law was appointed as liquidator, but after assessing the situation decided that it was not feasible to carry out liquidation proceedings. “It very quickly became clear that the company’s clear, undisputed debts exceed the amount of its assets. That does not of course include possible damages that it may have to pay due to the data breach,” Nyyssönen told Yle.

A sign of the times?

Vastaamo breach, bankruptcy indicate troubling trend (SearchSecurity)
Prior to learning of the Vastaamo hack, Hypponen said he believed that most attackers are motivated by financial information. “If you’re trying to make money with your criminal attacks, medical information is not a very good target for you. Well turns out, I might have been wrong,” he said during the webinar. “It might be now the case that we are seeing the beginning of the next trend — a trend where medical information is becoming a prime target for financially motivated criminals. They might not just be blackmailing the organization with the encryption of data, but the patients themselves.”

BA bargains

A year ago I shared an article about British Airways being fined a record £183,000,000 by the ICO for a data breach in 2018. Here’s an update to that story.

BA fined record £20m for customer data breach (The Guardian)
The fine is the biggest ever issued by the Information Commissioner’s Office (ICO), but a fraction of the £183m fine initially announced last year. This was reduced after investigators accepted BA’s representations about the circumstances of the attack; and was reduced further to take into account the dire financial position of BA since the onset of Covid-19.

They’re not having an easy time, to say the least. I wonder how successful this auction was for them.

Hit hard by travel disruptions, British Airways will sell a $1 million Bridget Riley painting and 16 other works at Sotheby’s this month (ArtNet News)
The painting, titled Cool Edge, carries no guarantee and is estimated to bring in between £800,000 and £1.2 million ($1 million to $1.5 million) at the July 28 “Rembrandt to Richter” evening sale. It was previously on view in a luxury lounge at Heathrow airport in London. […]

With the exception of Terry Frost’s 1997 painting Colour Down the Side 1968, which is expected to go for £20,000 to £30,000 ($25,000 to $37,000), each work in the online sale is estimated below £15,000 ($19,000).

Well, that Bridget Riley looks to have sold for £1,875,000. That would have helped towards that ICO fine…

Cancelled exams and dodgy data

A couple of education news stories to keep an eye on. None of this seems to be getting easier.

Scottish Government confirms National 5 exams won’t take place in 2021 but Highers will go ahead (Daily Record)
Swinney continued: “In a normal exam year, National 5s constitute more than half of all exams taken. From a public health point of view, not running these exams significantly reduces risk. National 5 pupils will receive awards based on their coursework and the judgement of their teachers, with robust quality assurance. We have learned lessons from this year’s initial SQA gradings – there will be no algorithm for moderating grades in 2021.”

Scotland’s National 5 exams to be cancelled next year (The Guardian)
In England the Department for Education and Ofqual, the exam regulator, are adamant that GCSEs and A-level exams will go ahead in 2021. The education secretary in Westminster, Gavin Williamson, is expected to shortly announce a three-week delay in the exam timetable and other measures.

The DfE’s problems keep coming, it seems.

DfE broke the law on pupil data protection (Tes)
The audit found that the department has been in “direct breach” of data protection law, as there is “no clear picture” of what data it holds, and therefore “no Record of Processing Activity (ROPA) in place”. It also found that the DfE “cannot demonstrate accountability to the GDPR”, as there is “no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security” within the department.

Department for Education’s handling of pupil data ruled illegal (The Guardian)
Sam Grant, the policy and campaigns manager of Liberty, said: “This report displays a shocking failure of privacy protections, which is dangerous for our rights. The type of data collected by the DfE can reveal a huge amount of sensitive personal information about us, and often about children and young people. The government has routinely misused this data to enforce cruel and oppressive policies like the hostile environment. This cavalier attitude to our personal information puts people, including the most marginalised, at risk.”

GDPR is still a thing btw

Remember when GDPR was more popular than Beyoncé (kinda)? That might have been two years ago now, but the subject’s not gone away, however much some organisations might wish it to.

Ireland, Luxembourg need more muscle to police tech giants, EU report says (Reuters)
The report said that data protection agencies across the 27-country bloc had increased staff by 42% and budgets by 49% between 2016-2019, but the Irish and Luxembourg governments needed to do more.

“Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest,” the report said.

Commission pushes UK for ‘high degree of convergence’ in GDPR review (EURACTIV.com)
The European Commission will tomorrow (24 June) highlight the importance of the UK abiding by EU data protection rules as part of a future relationship between the two parties, in the first review of the landmark general data protection regulation, obtained by EURACTIV.

Earlier this year, Prime Minister Boris Johnson said that the UK would seek to diverge from EU data protection law following its withdrawal from the bloc. […]

More recently, European parliamentarians took a stand against the UK’s data regime, adopting a report that said the EU’s move to grant the UK access to the bloc’s fingerprint data for law enforcement purposes “would create serious risks for the protection of fundamental rights and freedoms of individuals”.

In February Johnson said that as the UK nears the end of the post-Brexit transition period, it will “develop separate and independent policies” in a range of fields, including data protection, adding that the government would seek to maintain high standards.

Brexit’s still a thing too, in case you were wondering.

Brexit set to cost the UK more than £200 billion by the end of the year (The London Economic)
Bloomberg research shows that Brexit is set to have cost the UK more than £200 billion in lost economic growth by the end of this year. This is a figure that almost eclipses the total amount the UK has paid into the EU budget over the past 47 years (£215 billion) since joining in 1973.

Research by Bloomberg Economics estimates that the economic cost of Brexit has already hit £130 billion ($170 billion), with a further £70 billion set to be added by the end of this year. The British economy is now 3 per cent smaller than it could have been if EU membership had been maintained.

Patient confidentiality? Don’t count on it

I think, whatever else is happening, there’s always one thing you can rely on to keep going. Data breaches.

Babylon Health data breach: GP app users able to see other people’s consultations (The Guardian)
Babylon allows its members to speak to a doctor, therapist or other health specialist through a video call on a smartphone. It has more than 2.3 million registered users in the UK.

Babylon user Rory Glover told the BBC when he logged onto the app there were about 50 videos in the consultation replays section of the app that did not belong to him. “You don’t expect to see something like that when you’re using a trusted application. It’s shocking to see such a monumental mistake made,” he said.

Glover said he would not use the Babylon app again. “It’s an issue of doctor-patient confidentiality,” he said. “You expect anything you say to be private, not for it to be shared with a stranger.”

Don’t worry, though. The government’s on it.

Matt Hancock clueless about confidentiality breach at his own GP surgery (The Guardian)
Speaking at the virtual CogX festival, the health secretary, Matt Hancock, said he was unaware of the data breach, but that it did not affect his views on the value of private partnerships within the NHS. “What I care about is getting results,” Hancock said, “when companies will come and help in the middle of a pandemic. The honest truth is there is no way we would be able to deal with this without the support of the tech companies.”

After the panel had ended, the audio of Hancock’s conversation with his interviewer, the Telegraph’s Harry de Quetteville, continued to broadcast.

“[The] Babylon thing, I should have [known],” Hancock could be heard saying, “especially since they’re my GP.” After De Quetteville told him that the breach meant that someone may have been given access to his medical consultations, Hancock joked: “Honestly, they know more about my bunion than anybody.” The audio of the broadcast then cut off.

Flying high with stolen data

The last post I shared about data theft was back in October (that seems like years ago now), but the subject’s not gone away, of course.

EasyJet says hackers stole data of 9 million customers (Bloomberg)
Cyber-attacks against businesses and their employees have surged this year as hackers take advantage of the disruption caused by the coronavirus pandemic. While the EasyJet breach was discovered in late January, predating the disease’s flare-up across Europe, the company is alerting those whose exposure was limited to email and travel details to guard against a rising number of so-called phishing attempts, a person familiar with the situation said.

It wasn’t just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims (The Register)
It also warned victims to be on their guard against phishing attacks by miscreants using the stolen records, especially if any “unsolicited communications” arrived appearing to be from Easyjet or its package holidays arm.

You’d think the Information Commissioner’s Office would be busier than ever.

It looks like the UK’s data regulator has given up, blaming coronavirus (Wired UK)
In April, the ICO said it would focus on the most serious cases during the pandemic and consider the impact of the wider situation on companies under investigation, but called for organisations to continue to report breaches as it was still operating. But in reality, observers claim, it has almost completely stopped operating.

But it’s worth noting that that article was subsequently updated to, in effect, completely contradict its own headline.

[F]ollowing the publication of this story, an ICO spokesperson said it “is not true” that the body has stopped work on complaints and investigations. “Since the Covid-19 pandemic started, we have only paused under ten per cent of cases and investigations,” the spokesperson said. “These are specific cases where progressing regulatory activity may not be possible or appropriate during a global public health emergency.” The spokesperson added that it continues to “look into” all complaints and data breach reports it receives. It is “focusing on the information rights issues that are likely to cause the most harm or distress to people and organisations”.

Don’t hit them when they’re down

I know that the coronavirus has dominated articles I’ve shared on this blog recently, but that’s pretty much all I can find to read. I’ve not posted anything about data protection in a while, so here’s something from the USA—albeit still about that virus. (via Boing Boing)

Small businesses seeking loans may have had personal data exposed (CNBC)
The SBA notified nearly 8,000 business owners of the potential inadvertent disclosure of information, which included names, Social Security numbers, tax identification numbers, addresses, dates of birth, email, phone numbers, marital and citizenship status, household size, income, disclosure inquiry and financial and insurance information, according to a letter sent to business owners, which CNBC obtained. […]

If the user attempted to hit the page back button, he or she may have seen information that belonged to another business owner, not their own. The official said that 4 million small business owners applied for $383 billion in aid via the EIDL program and emergency grants. The two programs are funded for just $17 billion.

The affected businesses have been offered identity theft protection services for a year.

Leave us alone

Hot on the heels of Robot Day is Data Protection Day, initiated by the Council of Europe in 2007.

Data Protection Day (Council of Europe)
The Council of Europe is celebrating this year the 14th edition of Data Protection Day. This initiative aims to raise individuals’ awareness about good practices in this field, informing them about their rights and how to exercise them.

Joint statement by Vice-President Jourová and Commissioner Reynders ahead of Data Protection Day (European Commission)
Data is becoming increasingly important for our economy and for our daily lives. With the roll-out of 5G and uptake of the Artificial Intelligence and Internet of Things technologies, personal data will be in abundance and with potential uses we probably can’t imagine. While this offers amazing opportunities, some cases show that robust rules are needed to address clear risks for individuals and for our democracies. In Europe we know that strong data protection rules are not a luxury, but a necessity. […]

20 months after the entry into application of the landmark General Data Protection Regulation, we see that the GDPR has acted as a catalyst to put data protection at the centre of many of the on-going policy debates. It is a cornerstone of the European approach underpinning several political priorities of the new Commission promoting a human centric approach to Artificial Intelligence and other digital technologies. European Data Protection rules will therefore be a foundation and inspiration for the success of key initiatives in artificial intelligence, health or mobility to name just a few.

Part of me wants to find out how our leaving the EU on Friday will affect this, but a larger part of me is too fed up with the whole stupid act of national self-harm to bother.

Happy “Data Privacy Day” – Now read The New York Times privacy project about total surveillance (Forbes)
The shocking thing about the obvious and growing loss of privacy is how unconcerned everyone is. Technologists started “snooping” around servers, desktops and data bases years ago to understand the status of hardware and software and how they should be managed. Enterprise snooping is still a best practice. But snooping is now central to entire national and global business models, and has emerged with a scary name: surveillance capitalism. No one predicted how pervasive snooping would become. No one predicted just how much profit snooping would generate, and no one predicted how entire populations would essentially shrug their shoulders about how they’re stalked each and every day – to make someone else money!

I’ve shared a number of articles about surveillance before, including one from The New York Times Privacy Project mentioned above, but there are many more to worry over.

Surprisingly (not really), Google doesn’t seem to be celebrating the day with a Google Doodle, although there is a prompt to complete a privacy check-up.


I quite like “Protect Internet health and privacy”, Mozilla’s internet health initiative, on the other hand.

Data detox: Five ways to reset your relationship with your phone (The Firefox Frontier)
We use our phones for everything from hailing rides to ordering in, and even to track our literal steps. All that convenience at our fingertips comes at a cost: our personal data and our mental health. It’s hard to be present in the moment when push notifications and texts are enticing us to look down. Meanwhile, the amount of personal data we share, many times without even realizing, can be alarming.

But not all hope is lost! Here are five simple steps you can take to protect your data and sanity.

Data disasters

Check out this interactive ‘balloon race’ data visualisation from Information Is Beautiful, of all the major data breaches from the last ten years. Billions of records.

You can choose to highlight the items by year or data sensitivity, and filter for different sectors like academic, governmental or the media.

World’s biggest data breaches & hacks

Our data problems could get a whole lot worse, and not because of hackers this time, but politicians.

A no-deal Brexit may trigger a data disaster, and UK companies don’t have a clue
In the event of a no-deal Brexit, the Data Protection Act will ensure that personal information processed in the UK will keep enjoying the same level of protection it does now. Still, under EU law, the UK will be automatically considered a third country not bound by GDPR rules, and able to diverge from the current strong standards if parliament so decides. Consequently, data from EU countries would not be able to flow freely to the UK.

“Things will remain the same for organisations residing in the UK, and who need to transfer data to the EU,” says Cillian Kieran, CEO of privacy start-up Ethyca. “But you won’t be able to gather data from the EU into the UK. This is an issue for any company that processes information at any level.”

A day without Brexit news? Nope.

I thought I had found some interesting news about the government today.

No 10 request for user data from government website sparks alarm
While officials insist the move to share user data from the Gov.uk website is simply intended to improve the service and that no personal details are collected, campaigners raised concern about the urgency of the task, and the personal involvement of Boris Johnson and his chief adviser, Dominic Cummings.

But then something else caught my eye.

Brexit: Scottish judges rule Parliament suspension is unlawful
[T]he Court of Session judges were unanimous in finding that Mr Johnson was motivated by the “improper purpose of stymieing Parliament”, and he had effectively misled the Queen in advising her to suspend Parliament.

Scottish judges decide Boris Johnson misled the Queen
In effect, though not in express terms, the Scottish court has held that Mr Johnson lied to the Queen. Not only was the advice false, but it was known by the prime minister to be false. Mr Johnson acted in bad faith.

‘This is a huge thing’: Labour Brexit chief Keir Starmer reacts to parliament suspension being ruled unlawful after being told of news while live on stage
He told delegates: “It was obvious to everybody that not only was shutting down parliament at this crucial time obviously, the wrong thing to do, we should be sitting each and every day to resolve this crisis.

Brexit latest news: Downing Street criticised for calling into question impartiality of Scottish judges

I wonder if this turn of events has been considered in these already mind-boggling charts.

These Brexit flowcharts show just how messy UK politics is
Overall, these Brexit charts range from professional-looking diagrams by media outlets and commentators, to, in some cases, non-linear cosmoses that move in a mystifying range of directions.

But for most of us, I think, this is all starting to get a little tedious.

Brexit: how the people are using ‘news avoidance’ to escape the post-truth world of politics
The term “news avoidance” suggests that these people are avoiding reality. The underlying principle of public journalism is that readers are also citizens whose actions in the real world are based on the reality they have come to know from the news. While acknowledging that this “reality” is put together by journalists, in line with the Frankfurt School’s concept of the “culture industry”, many academics accept that “not to know” is to retire from reality.

Yet this way of thinking about journalism and its role in society fails to address the recent experience of Harris’ interviewees and millions more. For them, journos and politicos have combined to produce the “unreal”, distant world of the “Westminster Village”, a world that many ordinary people feel disconnected from, the “post-truth” world. Seen from this perspective, avoiding the news may be an attempt to escape the unreality concocted exclusively by residents of that gated community.

xkcd hackd

I’ve been a fan of the web comic xkcd for a while, so it was sad to read of their recent security troubles.

Hackers breach forum of popular webcomic ‘XKCD’
“The xkcd forums are currently offline. We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration,” the forum administrators wrote.
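“Salted, hashed passwords” is the detail that decides how bad a leak like this is for the users in it. The block below is an added example, not code from phpBB or the xkcd forum, that contrasts an unsalted fast hash with a per-user salt plus a deliberately slow derivation (PBKDF2-HMAC here, standing in for the forum’s real scheme, which the notice does not specify) and counts the guesses an attacker has to make against each. The user list, wordlist and iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist and user records; nothing here comes from the forum dump.
WORDLIST = ["password", "letmein", "correcthorsebatterystaple", "hunter2", "qwerty123"]
ITERATIONS = 50_000  # assumed work factor, chosen to keep the demo fast


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, so equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = None) -> dict:
    """Per-user random salt and a slow derivation; the salt is stored alongside the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_unsalted(leaked: dict, wordlist) -> tuple:
    """One lookup table, built once, recovers every user whose password is in the list.
    Returns (recovered passwords, number of hash computations performed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_salted(leaked: dict, wordlist) -> tuple:
    """The salt forces a fresh guess per user, and each guess costs ITERATIONS rounds.
    Returns (recovered passwords, number of slow derivations performed)."""
    found, work = {}, 0
    for user, record in leaked.items():
        for w in wordlist:
            work += 1
            if verify(w, record):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3-not-in-list"}
    unsalted = {n: unsalted_hash(p) for n, p in users.items()}
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = {n: salted_record(p) for n, p in users.items()}
    print("salted:  ", crack_salted(salted, WORDLIST))
```

The point for anyone in such a dump: a salted, slow hash buys time, it does not make a weak password safe, so the leaked credential should still be treated as burned and rotated wherever it was reused.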

It does give us the opportunity to share one of their comic strips again, though.

[Image: the xkcd strip “Security advice”]

See also: password strength, security question, morning news, right click, and of course the big hitters Earth temperature timeline and time.

Not even banks are safe

How many more of these stories will we read? Is someone keeping a list?

PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text
Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes effectively as plain-text in log files. As a result, 480,000 folks, a fifth of the bank’s customers, now have to go to a cash machine, and reset their PINs.
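The lesson from the Monzo story is that a secret must be stopped before it reaches the logging pipeline, not cleaned out of the log files afterwards. The following is an added example, not Monzo’s code and not from The Register’s article: a Python logging filter that scrubs PIN-like fields and card numbers from a record before any handler writes it. The field names (pin, old_pin, new_pin, cvv, password) and the sample event are assumptions constructed for the illustration; the article does not describe how Monzo’s log lines were laid out.

```python
import io
import logging
import re

# Assumed names of fields that must never appear in a log line.
SENSITIVE_KEYS = ("pin", "old_pin", "new_pin", "cvv", "password")

# Matches key=value and "key": "value" forms, e.g. pin=1234 or "pin": "1234".
_KV_RE = re.compile(
    r'(?P<key>\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b"?\s*[=:]\s*"?)(?P<val>[^\s,"}]+)',
    re.IGNORECASE,
)
# A run of 13 to 19 digits is treated as a possible card number and masked to its last four.
_PAN_RE = re.compile(r"\b(\d{9,15})(\d{4})\b")


def redact(message: str) -> str:
    """Replace secret values in a log line; safe to call on any string."""
    message = _KV_RE.sub(lambda m: m.group("key") + "[REDACTED]", message)
    message = _PAN_RE.sub(lambda m: "*" * len(m.group(1)) + m.group(2), message)
    return message


class RedactingFilter(logging.Filter):
    """Scrubs the fully formatted message, so neither the template nor its arguments leak."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_card_event(message: str, *args) -> str:
    """Log through a handler guarded by RedactingFilter and return what reached the sink."""
    sink = io.StringIO()  # stands in for the file handler
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("card-service")  # hypothetical logger name
    logger.propagate = False
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.info(message, *args)
    handler.flush()
    return sink.getvalue()


if __name__ == "__main__":
    # Constructed sample event, not a real Monzo log line.
    print(log_card_event("pin change ok user=%s old_pin=%s new_pin=%s card=%s",
                         "u-42", "1234", "5678", "4111111111111111"), end="")
```

The filter is attached to the handler rather than the logger so that it also catches records arriving from child loggers; pattern-based scrubbing is a backstop, and the better fix is to keep PINs out of the objects that get logged at all.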

Major breach found in biometrics system used by banks, UK police and defence firms
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

Struggling with GDPR, or just ignoring it?

It’s been over a year now, but are we all still feeling our way with GDPR?

PwC’s data practices rejected in GDPR rebuke
With enforcement of the EU’s General Data Protection Regulation (GDPR) still in its infancy, companies may be floating trial balloons to see which arguments resonate with authorities. PriceWaterhouseCoopers (PwC) recently tested the air currents in Greece, but was shot down by the Hellenic Data Protection Authority in a case involving the processing of employee data.

PwC will have to work to rebuild trust after shock GDPR fine
The Greek representative of PwC is the first of the “Big 4” to be fined under the GDPR. Moreover, it’s the first consultancy that has actually helped many of its clients with GDPR compliance over the last year. It seems astounding that a company of PwC’s size and reputation that’s making a lot of money on giving advice on the GDPR has been burned by the very fire they help clients to avoid on a daily basis.

Or perhaps we’re just ignoring it completely. Research just out has shown what we already know to be the case — most of those cookie notices everywhere aren’t following the EU privacy-first GDPR regulations. At all.

Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds
Their industry snapshot of cookie consent notices found that the majority are placed at the bottom of the screen (58%); not blocking the interaction with the website (93%); and offering no options other than a confirmation button that does not do anything (86%). So no choice at all then.

A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.

And while they found that nearly all cookie notices (92%) contained a link to the site’s privacy policy, only a third (39%) mention the specific purpose of the data collection or who can access the data (21%) …

This is an important finding because GDPR is unambiguous in stating that if an Internet service is relying on consent as a legal basis to process visitors’ personal data it must obtain consent before processing data (so before a tracking cookie is dropped) — and that consent must be specific, informed and freely given.

Yet, as the study confirms, it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.

In the way that those US academics highlighted the dark patterns used with shopping sites, there needs to be a way of reporting and highlighting these non-compliant cookie notices, or they’ll just get away with it.

Re-thinking supposedly anonymous data

This is a little alarming.

Anonymised data isn’t nearly anonymous enough – here’s how we fix it
We developed a machine learning model to assess the likelihood of reidentifying the right person. We took datasets and we showed that in the US fifteen characteristics, including age, gender, marital status and others, are sufficient to reidentify 99.98 per cent of Americans in virtually any anonymised data set.
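The figure in that quote is about uniqueness: once enough attributes are combined, almost every record ends up in an equivalence class of one, and “anonymised” stops meaning anything. As an added illustration, not the authors’ model or data, this Python example builds a constructed population, measures k-anonymity and the fraction of unique records as quasi-identifiers are added one at a time, and shows the linkage step of matching a few known facts about one person against the release. The attribute names, value ranges and uniform sampling are all assumptions.

```python
import random
from collections import Counter

# Toy quasi-identifiers; names, ranges and uniform sampling are assumptions for the demo.
ATTRIBUTES = {
    "gender": ["F", "M"],
    "age_band": ["18-24", "25-34", "35-44", "45-54", "55-64", "65+"],
    "marital": ["single", "married", "divorced", "widowed"],
    "children": [0, 1, 2, 3],
    "vehicles": [0, 1, 2],
    "zip3": ["%03d" % z for z in range(100, 150)],
}


def make_population(n, seed=7):
    """Constructed dataset: n records drawn uniformly over the attribute values."""
    rng = random.Random(seed)
    return [{k: rng.choice(v) for k, v in ATTRIBUTES.items()} for _ in range(n)]


def class_sizes(rows, quasi_ids):
    """How many records share each combination of the chosen attributes."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids):
    """Size of the smallest equivalence class; k = 1 means someone is unique."""
    return min(class_sizes(rows, quasi_ids).values())


def unique_fraction(rows, quasi_ids):
    """Share of records that are the only one with their combination of attributes."""
    sizes = class_sizes(rows, quasi_ids)
    return sum(1 for r in rows if sizes[tuple(r[q] for q in quasi_ids)] == 1) / len(rows)


def uniqueness_curve(rows):
    """(number of attributes, unique fraction) as attributes are added in order."""
    keys = list(ATTRIBUTES)
    return [(i, unique_fraction(rows, keys[:i])) for i in range(1, len(keys) + 1)]


def candidates(rows, known):
    """Linkage step: records consistent with what an attacker already knows about a person."""
    return [r for r in rows if all(r[k] == v for k, v in known.items())]


if __name__ == "__main__":
    pop = make_population(2000)
    for n_attrs, frac in uniqueness_curve(pop):
        print(f"{n_attrs} attributes: {frac:.1%} unique, k = {k_anonymity(pop, list(ATTRIBUTES)[:n_attrs])}")
    target = pop[0]
    known = {k: target[k] for k in ("gender", "age_band", "zip3")}
    print("records matching three known facts:", len(candidates(pop, known)))
```

Adding an attribute can only split an equivalence class, never merge two, so the unique fraction is monotone in the number of quasi-identifiers; the practical check before publishing a dataset is to compute k over every plausible combination an adversary could know, not over the handful the release document happens to mention.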

Some more examples.

The simple process of re-identifying patients in public health records
In late 2016, doctors’ identities were decrypted in an open dataset of Australian medical billing records. Now patients’ records have also been re-identified – and we should be talking about it.

‘Anonymous’ browsing data can be easily exposed, researchers reveal
A journalist and a data scientist secured data from three million users easily by creating a fake marketing company, and were able to de-anonymise many users …

“What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.”
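As an added illustration (not part of the original post or of the research quoted above), here is a small Python check of the risk the study describes: how quickly a handful of quasi-identifiers such as age, gender and marital status make records in an “anonymised” release unique. The dataset, attribute names and values are all constructed for this example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample of an "anonymised" release: names removed, but each row
# keeps quasi-identifiers of the kind the study lists (age, gender, marital
# status, ...). All values are made up for this illustration.
RECORDS = [
    {"age": 34, "gender": "F", "marital": "married",  "zip3": "100", "children": 2},
    {"age": 34, "gender": "F", "marital": "married",  "zip3": "100", "children": 1},
    {"age": 34, "gender": "M", "marital": "single",   "zip3": "100", "children": 0},
    {"age": 52, "gender": "M", "marital": "married",  "zip3": "941", "children": 3},
    {"age": 52, "gender": "M", "marital": "married",  "zip3": "941", "children": 3},
    {"age": 29, "gender": "F", "marital": "single",   "zip3": "606", "children": 0},
    {"age": 29, "gender": "F", "marital": "single",   "zip3": "606", "children": 0},
    {"age": 29, "gender": "F", "marital": "divorced", "zip3": "606", "children": 1},
]
QUASI_IDS = ("age", "gender", "marital", "zip3", "children")


def equivalence_classes(records, attrs):
    """Count how many records share each combination of values on attrs."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Size of the smallest class; k == 1 means some record is unique on attrs."""
    return min(equivalence_classes(records, attrs).values())


def unique_fraction(records, attrs):
    """Share of records that are the only one with their combination of attrs,
    i.e. records that someone who knows those attributes could single out."""
    classes = equivalence_classes(records, attrs)
    singled_out = sum(1 for r in records if classes[tuple(r[a] for a in attrs)] == 1)
    return singled_out / len(records)


def worst_case_by_attribute_count(records, attrs):
    """For each number n of known attributes, the highest unique_fraction over
    every n-attribute subset: the re-identification risk if the most revealing
    combination of that size is known. Useful before publishing a dataset."""
    return {n: max(unique_fraction(records, c) for c in combinations(attrs, n))
            for n in range(1, len(attrs) + 1)}


if __name__ == "__main__":
    for n, frac in worst_case_by_attribute_count(RECORDS, QUASI_IDS).items():
        print(f"{n} attribute(s) known: up to {frac:.0%} of records singled out")
    print("k-anonymity on all quasi-identifiers:", k_anonymity(RECORDS, QUASI_IDS))
```

Even in this tiny sample, age alone singles out nobody, but age plus gender plus marital status already singles out a quarter of the rows, and the full set of five attributes half of them.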

Lancaster University’s student data stolen

University application processes are in full swing, but here is some reputationally damaging news from Lancaster University.

Lancaster University hit by cyber attack, hundreds of students’ personal data stolen
The full scale of the cyber attack was revealed yesterday (July 22), when university chiefs confirmed that hackers had breached IT systems and accessed student records … It said it regretted that the breach has led to fraudulent invoices being sent to some undergraduate applicants demanding large sums of money.

Two days later, and the police have arrested someone for it.

Man arrested over UK’s Lancaster University data breach hack allegations
Names, addresses, email addresses and phone numbers were among the categories of data visible to the hackers. Fraudulent invoices were sent to some, the university admitted. With overseas applicants (of which Lancaster had 575 last year from non-EU countries and 375 from other EU countries) paying fees measured in the tens of thousands of pounds per year, the potential for high returns is great.

Our sources added that around half a dozen students had paid these fraudulent invoices. The highest undergraduate fee for overseas (non-EU) students is Lancaster’s Bachelor of Medicine, Bachelor of Surgery (MBChB) course at £31,540.

It’s more than a little embarrassing, as Lancaster University is one of a number of universities offering degrees in cyber security.

Cyber Security MSc – Lancaster University
In addition to the taught modules, you will also work on an individual research project, supervised by two academics from two of the four departments. Through this project, you will obtain an in-depth understanding of the theoretical and practical aspects of cyber security and technology. You will put the skills and knowledge you have developed throughout the year into practice and gain experience of tackling real-world cyber security issues.

Well, there’s a ‘real-world cyber security issue’ for you.

More data breach fines

Flying off to a nice hotel somewhere?

British Airways gets hammered with a record £183m fine for data breach
The incident came to light last September, when British Airways revealed that a sophisticated hack had led to 380,000 customer accounts being compromised, although that initial figure turned out to be an underestimation, with some 500,000 people actually affected, the ICO reckons.

Those folks had the likes of names, addresses, emails, credit card numbers and expiry dates – as well as the security codes on the rear of cards – stolen over a two-week period beginning on August 21, we were told at the time, although the ICO claims that the thefts began occurring as early as June 2018.

Marriott to face £99 million GDPR fine from ICO over November 2018 data breach
The breach revealed in November 2018 involved the leak of 500 million customer records from the guest reservation database of Marriott’s Starwood Hotels and Resorts division. The attackers – who are unknown but believed to have links with China’s Ministry of State Security – appear to have had access to the system since 2014.

The organisation only became aware of the compromise in September 2018 following an alert from an internal security tool over an attempt to gain access to the reservation system. The company claims that it “quickly engaged” a group of security experts to investigate the apparent attack and “learned during the investigation that there had been unauthorised access to the Starwood network since 2014”.

Meanwhile.

Facebook’s $5 billion FTC fine is an embarrassing joke
Facebook’s stock went up after news of a record-breaking $5 billion FTC fine for various privacy violations broke today. That, as The New York Times’ Mike Isaac points out, is the real story here: the United States government spent months coming up with a punishment for Facebook’s long list of privacy-related bad behavior, and the best it could do was so weak that Facebook’s stock price went up. […]

From some other perspectives, that $5 billion fine is a big deal, of course: it’s the biggest fine in FTC history, far bigger than the $22 million fine levied against Google in 2012. And $5 billion is a lot of money, to be sure. It’s just that like everything else that comes into contact with Facebook’s scale, it’s still entirely too small: Facebook had $15 billion in revenue last quarter alone, and $22 billion in profit last year. […]

That’s actually the real problem here: fines and punishments are only effective when they provide negative consequences for bad behavior. But Facebook has done nothing but behave badly from inception, and it has only ever been slapped on the wrist by authority figures and rewarded by the market. After all, Facebook was already under a previous FTC consent decree for privacy violations imposed in 2011, and that didn’t seem to stop any of the company’s recent scandals from happening. As Kara Swisher has written, you have to add another zero to this fine to make it mean anything.

MI5’s poor surveillance data handling

It’s not often a data protection or records management news story gets this much press attention.

MI5 accused of unlawful handling of surveillance data
MI5 has been accused of “extraordinary and persistent illegality” for holding on to data obtained from members of the public. The human rights organisation Liberty has taken the security service to court over the way that it gathers and stores information under the Investigatory Powers Act.

MI5 ‘unlawfully’ handled bulk surveillance data, lawsuit reveals
“The documents show extraordinary and persistent illegality in MI5’s operations, apparently for many years,” said civil liberties organisation Liberty, which is bringing the case. “The existence of what MI5 itself calls ‘ungoverned spaces’ in which it holds and uses large volumes of private data is a serious failure of governance and oversight, especially when mass collection of data of innocent citizens is concerned.”

MI5’s use of personal data was ‘unlawful’, says watchdog
The security service MI5 has handled large amounts of personal data in an “undoubtedly unlawful” way, a watchdog has said. The Investigatory Powers Commissioner said information gathered under warrants was kept too long and not stored safely. Civil rights group Liberty said the breaches involved the “mass collection of data of innocent citizens”. The high court heard MI5 knew about the issues in 2016 but kept them secret.

Liberty’s challenge to UK state surveillance powers reveals shocking failures
The challenge, by rights group Liberty, led last month to an initial finding that MI5 had systematically breached safeguards in the UK’s Investigatory Powers Act (IPA) — breaches the Home Secretary, Sajid Javid, euphemistically couched as “compliance risks” in a carefully worded written statement that was quietly released to parliament.

This was first reported last month…

MI5 slapped on the wrist for ‘serious’ surveillance data breach
Home Secretary Sajid Javid has confessed to Parliament that MI5 bungled the security of “certain technology environments used to store and analyse data,” including that of ordinary Britons spied on by the agency. In a lengthy Parliamentary statement made last week, Javid obliquely admitted that spies had allowed more people to help themselves to its treasure troves of data on British citizens than was legally allowed.

Sajid Javid admits MI5 committed serious safeguard breaches
In a written statement to parliament last week that was not widely noticed, Javid said he was notifying MPs of “compliance risks MI5 identified and reported within certain technology environments used to store and analyse data, including material obtained under the Investigatory Powers Act”.

… but now the story has been picked up by everyone, including the Middle East Eye.

UK’s MI5 spy agency handled surveillance data unlawfully, court hears
An internal agency review warned more than three years ago that storage systems may have become “ungoverned spaces”, which would mean that they were operating in breach of both UK and European law. Despite this, MI5 continued to build new electronic storage systems which did not allow the agency to review its contents and decide what material should be deleted, as the law requires. The problems were withheld from the official watchdog, the Investigatory Powers Commissioner, until earlier this year, the High Court was told.

… and even Russia Today and Sputnik News are getting in on it.

‘Extraordinary & persistent illegality’: UK’s MI5 accused of mishandling bulk surveillance data
MI5 has no control of its storage of vast volumes of people’s calls, messages, web browsing history, as well as other personal data that the agency has managed to obtain on the basis of surveillance warrants, which were often issued under false pretext, the High Court heard on Tuesday in a legal challenge brought by the human rights organization Liberty.

Outcry as High Court finds MI5 engaged in ‘unlawful’ storage, handling of bulk surveillance
Ten internal documents from senior MI5 officials, including an 11 March letter from director Sir Andrew Parker, revealed significant non-compliance issues in how citizens’ data had been kept and used, including a subsequent cover-up of internal failures and that “data might be being held in ungoverned spaces in contravention of our policies”.

Let’s hope some good comes from all this.

Setting precedents for privacy: the UK legal challenges bringing surveillance into the open
These debates highlight the importance of collective efforts to assert respect for privacy and other rights as a core part of public life. We are on the cusp of a positive shift in power towards open public debate and accountability about data and the way it is used against us.

Google’s GDPR probe

A year on from GDPR Day, and Irish eyes are staring in Google’s direction.

Irish regulator opens first privacy probe into Google
Google’s lead regulator in the European Union, Ireland’s Data Protection Commissioner, opened its first investigation into the U.S. internet giant on Wednesday over how it handles personal data for the purpose of advertising.

The probe was the result of a number of submissions against the company, the Irish Data Protection Commissioner said, including from privacy-focused web browser Brave which complained last year that Google and other digital advertising firms were playing fast and loose with people’s data.

Ireland’s Data Protection Commissioner launches investigation into Google’s advertising and compliance with GDPR
Dr Ryan [Chief Policy Officer at Brave] said his evidence to the DPC “revealed a massive and ongoing data breach” in which Google’s DoubleClick/Authorized Buyers “leaks intimate data about the people visiting these websites to thousands of companies every day”.

I noted The Register’s footnote on this story, about that “privacy-focused web browser Brave”.

Irish data cops are shoving a probe right into Google’s ads
There is some irony in Brave being built on Chromium, the browser engine built and maintained by – who else? – Google. Ryan told us that Brave had “certainly not” seen any pushback from Googlers involved in the Chromium project.

It could be an extremely expensive problem for Google though, as all the reports are keen to point out, although I can’t imagine it would come to that.

Google is facing its first GDPR probe from Irish privacy regulators
If found guilty, the potential penalties for Google would be enormous. The GDPR authorizes fines as high as four percent of global annual revenue, which would total $5.4 billion in Google’s case. Even more damaging, the company would have to fundamentally reshape its ad system in order to avoid future fines.

There’s quite a lot of attention on Ireland’s Data Protection Commission already.

Ireland sits idly by as GDPR goes unenforced
Politico shares an investigation into why the GDPR’s lead regulator, Ireland, has failed to bring a single enforcement action against the big tech companies it is supposed to watchdog.

These are hugely complex cases that will set precedents which may redefine how these companies operate.

Irish data official defends tech investigation record: ‘They’re not overnight’
Helen Dixon said the reality is it will take time to produce results from the 18 major technology investigations her office is pursuing — 11 of which involve Facebook or its platforms WhatsApp and Instagram.

“These aren’t matters where we can take in a complaint today and tomorrow make a conclusion on it,” Dixon, Ireland’s data protection commissioner, said during an interview at POLITICO’s Washington-area headquarters. “They’re not overnight, and anyone who understands anything about the process understands it takes time.”

Others agree.

Is Ireland too soft with GDPR enforcement, or just being prudent?
Jules Polonetsky, CEO of the Future of Privacy Forum (FPF), comes down on the side of patience. In fact, he argues that while fines tend to get most of the headlines, they aren’t as important as the major precedents that regulators will be setting – precedents that will “redefine business models.” That, he said, takes time to be done right. […]

Danny O’Brien, international director of the Electronic Frontier Foundation (EFF), an aggressive privacy advocacy group, also isn’t troubled – at least not yet – about GDPR enforcement taking some time to get in gear. “There’s a lot about how the whole system was going to be organized that was left unsaid in the GDPR, so I think it’s fair to say that no-one was expecting anything to happen very quickly,” he said. “It’s not necessarily the Irish DPC’s fault.”

Let’s wait and see, then.