The future of the newly agreed to EU-U.S. Privacy Shield framework is still up in the air this week. Since the...
agreement for privacy protection on transatlantic data flows was announced on Feb. 2, transfers using the old Safe Harbor mechanisms could be deemed illegal and subject to enforcement penalties on privacy grounds. But uncertainty remains, as details of the new framework have yet to be worked out.
Some parts of the agreement are beginning to fall into place. On the U.S. side, the Judicial Redress Act, which would give non-U.S. citizens access to U.S. courts for cases involving data privacy -- a key component of the Privacy Shield agreement -- awaits President Barack Obama's signature. The act was approved months ago in the U.S. House before making it through the Senate with an amendment, which required that a successor to the Safe Harbor framework be in place with the European Union before its citizens are granted rights under the bill.
Meanwhile, the European Commission has until the end of February to deliver details of the Privacy Shield agreement to the Article 29 Working Party (WP29), the data protection advisory group within the EU that's comprised of a representative from each EU state's data protection authority. WP29 will assess whether the U.S. legal framework is sufficient to protect non-U.S. citizens' rights to privacy, according to a statement released last week after the agreement was reached on Privacy Shield, and plans to announce its results by the end of March.
EU privacy guarantees require that there be clear rules over data collection, that data collection balances national security or other needs with the personal right to privacy, that there be an effective and independent oversight mechanism for data privacy and that there be effective remedies for any person who believes their privacy rights have been infringed.
"The WP29 stresses that these four guarantees should be respected whenever personal data [is] transferred from the EU to the United States and to other third countries, as well as by EU member states."
Acceptance of the U.S. efforts by the EU is not guaranteed. "Even though the WP29 certainly recognizes the efforts of the U.S. in 2014 and 2015 to improve the protection of the data of non-U.S. persons, it still has concerns on the current U.S. legal framework as regards the four essential guarantees, especially regarding scope and remedies," the group stated. The WP29 said it needed to determine whether the U.S. protections were enough to fulfill EU data privacy guarantees.
Facebook faces the French music on privacy
Facebook was the first big firm to face the EU data privacy music, as France's data protection authority, CNIL, gave the social media giant formal notice to clean up its act.
CNIL charged that Facebook is collecting protected personal information, including political and religious affiliations, as well as sexual orientation, both from Facebook members and nonmembers. In addition, they charged, Facebook is still transferring personal data of members outside of France under the old Safe Harbor framework. Even though some of the data in question was transferred to another EU member nation -- Ireland -- under French data protection law, that is not sufficient. CNIL has given Facebook two months to comply with French data privacy regulations, or face enforcement penalties.
"The situation in France involves two different, but very important aspects. The first is the actual collection of data belonging to nonusers, and in particular, information such as religious affiliation," according to Neil Stelzer, general counsel for cybersecurity firm Identity Finder LLC, based in New York. "This is very much against France's secularism. The second is the transferal of the data back to the U.S.," Stelzer said, adding that the final version of Privacy Shield "will almost certainly address the latter, however, it remains to be seen how both the collection of nonuser data and the types of data will be governed."
Fear, uncertainty and doubt over Safe Harbor framework replacement
Although some Internet companies, including Microsoft and Amazon, have opened data centers within the EU -- in part to avoid transferring sensitive data to the U.S. -- uncertainty will continue for now.
"One of the remaining challenges with the new framework, as with other data localization regulations, is that compliance is typically thought of from only a data residence perspective," said Dave Allen, senior vice president and general counsel for Internet performance management company Dyn, based in Manchester, N.H. "Some Internet companies, for instance, have already begun to construct in-region data centers, and use localized cloud and content delivery services. However, that only addresses part of the challenges posed by the Privacy Shield and similar regulations. Businesses need to also understand the actual paths data travels, which is a much more complex undertaking. Traffic patterns reveal that data consistently exits country borders before coming back to reach its users."
"It's not surprising that there's continued, heated debate around Privacy Shield," said Jamie Barnett, vice president of market data at Netskope, based in Los Altos, Calif. "Ensuring data privacy has emerged as a foremost concern for legislators on both sides of the Atlantic, but businesses are still largely not grasping its significance to their own operations."
"Firms have a number of options, ranging from legal to technical solutions," said Kapil Raina, vice president at HyTrust Inc., based in Mountain View, Calif. "However, except for the largest of companies, the legal options are challenging and expensive. The current scenario is only temporary and may change again, and thus may require a country-by-country agreement."
"At the moment, Privacy Shield is still mostly general statements outlining the principle aspects of the agreement," Stelzer said, and will likely be contested by privacy advocacy groups, but, "ultimately, an agreement will have to be struck."
In other news:
- Google put another nail in the coffin for buggy Adobe Flash when it announced a timetable this week for phasing out Flash from all display ads in favor of HTML5. Display ads built in Flash will no longer be accepted by Google AdWords or DoubleClick Digital Marketing after June 30, 2016. Flash display ads will stop running on the Google Display Network or through DoubleClick after Jan. 2, 2017. Google's advice to advertisers: Create new content with Google's HTML5 Toolkit, or use some other method to create HTML5 ads. Google's Swiffy utility for converting Flash content to HTML5 will not be available after July, according to a response from the Google AdWords team on the announcement page.
- Kaspersky Lab researchers reported this week on a targeted attack group, which they call the Poseidon Group, a "custom-tailored malware implants boutique" that specializes in global espionage, and has been active since at least 2005 and possibly before. According to the researchers, the group has persisted over the years not by avoiding detection so much as by custom tailoring their malware implants, so security researchers have been unable to identify that their campaigns come from a single source. "This approach entails crafting campaigns components on-demand and sometimes fabricating entirely unique malicious artifacts," they wrote. The researchers claimed Poseidon is the first ever Portuguese language threat group. And while their identified targets have skewed toward Brazil, they identified at least 35 victim companies in Brazil, U.S., France, Kazakhstan, United Arab Emirates, India and Russia. "They are dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear phishing packaged with embedded, executable elements inside office documents and extensive lateral movement tools. The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm. Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation."
- Oracle patched a Java vulnerability this week that, if successfully exploited, could produce "a complete compromise of the unsuspecting user's system," although Oracle said the vulnerability would be "relatively complex to exploit." According to Oracle, the vulnerability can be exploited when Java SE 6, 7 or 8 is installed on Windows, and to be successful, the user must be tricked into visiting a malicious website and downloading files before Java SE is installed. "Because the exposure exists only during the installation process, users need not upgrade existing Java SE installations to address the vulnerability. However, Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later."
- In a direct response to state legislators who proposed banning the sale of smartphones capable of doing end-to-end encryption in New York and California, four members of Congress have introduced the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act of 2016. "The legislation would preempt state and local government encryption laws to ensure a uniform, national policy for the interstate issue of encryption technology," the two Democrat and two Republican sponsors said in a press release. "A patchwork of 50 different encryption standards is a recipe for disaster that would create new security vulnerabilities, threaten individual privacy and undermine the competitiveness of American innovators," Congressman Ted Lieu said. "It is bad for law enforcement, bad for technology users and bad for American technology companies. National issues require national responses. The ENCRYPT Act makes sure that this conversation happens in a place that does not disrupt interstate commerce."
- The Dridex botnet appears to have had its distribution channel hacked, so that instead of delivering the dreaded Dridex banking Trojan, victims are getting a signed and up-to-date version of the Avira antivirus software installer. "The content behind the malware download URL has been replaced; it's now providing an original, up-to-date Avira Web installer instead of the usual Dridex loader," according to Avira malware expert Moritz Kroll. "We still don't know exactly who is doing this with our installer and why -- but we have some theories," Kroll said. "This is certainly not something we are doing ourselves." Two possible theories for the inclusion of the AV installer, raised in the blog post, were that the criminals were attempting to use it as a way to interfere with Avira and other antivirus vendors' software detection process -- but Kroll denied that was likely. "We don't think that the malware guys would provide the Avira installer -- they wouldn't want to improve the protection level on their victims' machines," Kroll said. The other possibility suggested a white hat hacker had attacked the botnet and subverted it to a more positive use. This has happened before; Kroll said that Avira had been added to both the Tesla and CryptoLocker ransomware programs in the past. Also, last year saw hackers admitting to infecting as many as 300,000 devices with hardening software.
Read more about how Privacy Shield stacks up for European privacy campaigners.
Find out more about the man who broke Safe Harbor, Max Schrems.
Learn more about how the EU Data Protection Directive protects EU citizens' data privacy.