The European Commission formally adopted the EU-U.S. Privacy Shield, replacing the Safe Harbor framework for transatlantic data flows. According to the EC, the new framework protects the rights of EU residents whose personal data is transferred to the U.S., and provides legal clarity for businesses that depend on transatlantic data transfers.
The new framework became necessary after a lawsuit by Max Schrems, the Austrian privacy activist, brought down the Safe Harbor framework last year. The suit alleged Safe Harbor was not sufficient to prevent large-scale access to data transferred from Europe by U.S. intelligence agencies, and the framework did not offer an adequate level of data protection.
Andrus Ansip, European Commission vice president in charge of the Digital Single Market, said: "We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the U.S. to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy -- we now have a robust framework ensuring these transfers take place in the best and safest conditions."
"The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses," said Věra Jourová, commissioner for justice, consumers and gender equality. "It brings stronger data protection standards that are better enforced, safeguards on government access and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic."
However, issues were raised by the Article 29 Working Party, the EU regulatory body whose members represent the data protection authorities of all EU member states, as well as by the European data protection supervisor and European Parliament. Some of the concerns regarded how national security agencies accessed data, whether Privacy Shield was consistent in terms of data protection rights and whether the ombudsperson could operate sufficiently independently.
In the U.S.: Cyber, cyber, cyber
President Barack Obama said the U.S. needs to improve its cybersecurity and admitted at a press conference in Spain that the White House had been targeted by hackers.
"I am concerned about this throughout the government, in general," the president said, adding he has concerns about cyberattacks and cybersecurity. "We know we've had hacking in the White House."
"I don't think we have it perfectly solved," the president said. "We're going to have to do better."
Just two days after the president's comments, the White House Office of Management and Budget released a memo outlining the government's efforts since October 2015 to add cybersecurity and IT workers.
"The federal government has already hired 3,000 new cybersecurity and IT professionals in the first six months of this fiscal year," the report read. "However, there is clearly more work to do, and we are committed to a plan by which agencies would hire 3,500 more individuals to fill critical cybersecurity and IT positions by January 2017."
Meanwhile, Admiral Michael Rogers, director of the National Security Agency and Cyber Command, said the military's Cyber Mission Force would begin operations by the end of September, despite not being fully staffed until the end of September 2018. When fully staffed, the new force is expected to include 6,200 people divided into 133 teams, and it will be the largest unit to operate exclusively inside computer networks.
In other news
- With no fanfare, Google brings forgetting to the U.S. The new service allows users to review and, if desired, remove search history, as well as YouTube history, device information and location information. Users can review their activity on all Google products, or they can review their past activity on specific Google products, including Google search, ads, books, image or video search, maps, news and more. Filtering by date or by keyword search is also available.
- SentinelOne researchers discovered "a sophisticated malware campaign specifically targeting at least one energy company." Joseph Landry and Udi Shamir reported the labs team at SentinelOne discovered the malware was being used to target network users and either extract data or insert malware potentially capable of shutting down an energy grid. They wrote: "The exploit affects all versions of Microsoft Windows and has been developed to bypass traditional antivirus solutions, next-generation firewalls and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware." They said the bypass and detection-evasion techniques do not depend on biometric readers, but the malware will stop if it detects specific biometric vendor software. Landry and Shamir wrote that the malware was likely released in May of this year and is still active. "It exhibits traits seen in previous nation-state rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources." The researchers told Motherboard the malicious code was found on a dark web hacking forum.
- Automaker Fiat Chrysler Automobiles followed Tesla and General Motors in offering a bug bounty program through Bugcrowd. However, bug hunters may be underwhelmed by the payouts: The car-making giant caps its bounties at $1,500 per bug brought in.
- Looking ahead to a world where quantum computers will be able to decrypt data encrypted with traditional public key cryptography, Google is taking steps to experiment with post-quantum cryptography. Announced in a blog post, the experiment adds a post-quantum algorithm -- New Hope -- to the experimental Canary version of the Chrome browser. New Hope will encrypt data already encrypted with elliptic curve cryptography algorithms; this means that if the experimental algorithm proves to be inadequate or vulnerable to attack, the data will still be protected by the elliptic curve layer. The plan is to end the experiment after two years, at which time Google said it will look to replace the algorithm with something better.
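The layering rationale above, as an added illustrative model that is not Google's or Chrome's code: a toy two-layer stream cipher (SHAKE256 keystreams, constructed secrets standing in for the elliptic curve and New Hope shared secrets) shows that an attacker who recovers only the post-quantum layer's key is left with data still covered by the classical layer.

```python
import hashlib
import os


def keystream(key: bytes, length: int) -> bytes:
    # SHAKE256 is an extendable-output function, so it yields a keystream of any length.
    # Toy construction for illustration only; real deployments use an AEAD and a TLS key schedule.
    return hashlib.shake_256(key).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def layered_encrypt(plaintext: bytes, ecc_secret: bytes, pq_secret: bytes) -> bytes:
    # Inner layer keyed from the classical (ECC) secret, outer layer from the post-quantum secret.
    # The prefixes give the two keystreams domain separation.
    inner = xor_bytes(plaintext, keystream(b"ecc|" + ecc_secret, len(plaintext)))
    return xor_bytes(inner, keystream(b"pq|" + pq_secret, len(plaintext)))


def layered_decrypt(ciphertext: bytes, ecc_secret: bytes, pq_secret: bytes) -> bytes:
    # Peel the layers in reverse order: outer (post-quantum) first, then inner (ECC).
    inner = xor_bytes(ciphertext, keystream(b"pq|" + pq_secret, len(ciphertext)))
    return xor_bytes(inner, keystream(b"ecc|" + ecc_secret, len(ciphertext)))


def peel_pq_layer(ciphertext: bytes, pq_secret: bytes) -> bytes:
    # Models the failure case: the post-quantum algorithm is broken and pq_secret is recovered,
    # but the attacker holds no ECC secret. The result is still ECC-layer ciphertext.
    return xor_bytes(ciphertext, keystream(b"pq|" + pq_secret, len(ciphertext)))


def demo() -> dict:
    # Constructed sample secrets and record; fresh random values each run.
    ecc_secret = os.urandom(32)
    pq_secret = os.urandom(32)
    msg = b"constructed sample record"
    ct = layered_encrypt(msg, ecc_secret, pq_secret)
    return {
        "roundtrip_ok": layered_decrypt(ct, ecc_secret, pq_secret) == msg,
        "pq_broken_reveals_plaintext": peel_pq_layer(ct, pq_secret) == msg,
    }


if __name__ == "__main__":
    print(demo())
```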
- Polish data communications firm Exatel S.A. discovered a browser developed by a Chinese publisher has been collecting sensitive data from its users and periodically uploading the encrypted data to China without the knowledge or permission of users. "Maxthon does have an opt-in for users to send some basic data back for analysis," the researchers reported. They said while Maxthon gathers statistics and data "using voluntary and anonymous means in order to help with debugging and performance," they discovered "the sensitive data contained in dat.txt was being sent back to Maxthon regardless of the user's selection to participate." The Maxthon browser, developed by Beijing-based Maxthon Ltd., is estimated to be used by less than 1% of global users. It is more popular in China, where it is estimated to be used by 2% to 3% of users.