18 April 2014


Posts relating to the category tag "privacy" are listed below.

18 April 2014

Data Subject Breach Notification and Privacy Impact

The EC Article 29 Working Party has published an opinion offering guidance to data controllers to help them to decide whether to notify data subjects in case of a personal data breach.

Photograph of a large crowd of people

Opinion 03/2014 on Personal Data Breach Notification provides advice to telecoms companies subject to mandatory breach notification under Directive 2002/58/EC. Whilst most readers of this blog will not work in this sector, the guidance itself is useful for consideration in any sector.

The opinion recommends organisations should be proactive and plan appropriately. It illustrates breaches of the confidentiality, integrity and availability of personal data, and the impact each can have upon individuals.

The document recommends that all the potential consequences and potential adverse effects on individuals should be examined, and that data breaches should be notified to the data subjects in a timely manner, if the breach is likely to adversely affect the personal data or the privacy of the data subjects.

See also the Information Commissioner's Office (ICO) guidance on Incidents and breach notification.

Posted on: 18 April 2014 at 08:43 hrs

09 April 2014

Third-Party Tracking Cookie Revelations

A new draft paper describes how the capture of tracking cookies can be used for mass surveillance and, where other personal information is leaked by web sites, to build up a wider picture of a person's real-world identity.

Title page from 'Cookies that give you away: Evaluating the surveillance implications of web tracking'

Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan at Princeton University's Department of Computer Science investigated how someone with passive access to a network could glean information from observing HTTP cookies in transit. The authors explain how pseudonymous third-party cookies can be tied together without having to rely on IP addresses.

Then, given personal data leaking over non-SSL content, this can be combined into a larger picture of the person. The paper assessed what personal information is leaked from Alexa Top 50 sites with login support.
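To show what "tying cookies together without relying on IP addresses" looks like in practice, here is an added example (my own illustration, not code from the Princeton paper). It takes a constructed list of plaintext HTTP requests as a passive observer might record them, groups each page load's requests via the Referer header, and then links page loads transitively whenever they carry the same identifier-looking cookie. A leaked identity seen on any one page (here an e-mail address in a non-SSL response) then labels the whole cluster. The host names, cookie names, IP addresses and the "looks like an identifier" heuristic are all assumptions made for the example.

```python
"""Transitive linking of tracking cookies seen by a passive network observer.

Added example, not the paper's code. All request data below is constructed.
The source IP is used only to group the requests of one page load; the
linking across page loads uses cookie values alone, so it survives a change
of IP address.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PAGE_LOAD_WINDOW = 5.0  # seconds; one page load's requests arrive close together


@dataclass(frozen=True)
class Request:
    ts: float                 # seconds since start of capture
    src_ip: str               # grouping aid only, never used for linking
    host: str
    path: str
    cookies: str              # raw Cookie header, readable because no TLS
    referer: Optional[str] = None          # set on embedded third-party requests
    leaked_identity: Optional[str] = None  # e.g. an e-mail address seen in the body


def identifying_tokens(req):
    """(host, name, value) for cookies whose value looks like a persistent ID.

    Heuristic (an assumption, not from the paper): at least 8 characters with
    both letters and digits. This drops shared preference cookies such as
    prefs=dark, which would otherwise wrongly merge unrelated users."""
    tokens = set()
    for part in req.cookies.split(";"):
        if "=" not in part:
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        if len(value) >= 8 and any(c.isalpha() for c in value) and any(c.isdigit() for c in value):
            tokens.add((req.host, name, value))
    return tokens


def group_page_loads(requests):
    """Group requests into page loads: same client IP, same first-party page
    (the request's own URL, or its Referer for embedded third-party requests),
    within PAGE_LOAD_WINDOW seconds of the first request."""
    loads = []
    for req in sorted(requests, key=lambda r: r.ts):
        page = req.referer or f"http://{req.host}{req.path}"
        for load in loads:
            if load["ip"] == req.src_ip and load["page"] == page and req.ts - load["start"] <= PAGE_LOAD_WINDOW:
                load["reqs"].append(req)
                break
        else:
            loads.append({"ip": req.src_ip, "page": page, "start": req.ts, "reqs": [req]})
    return loads


class DisjointSet:
    """Union-find over page-load indices."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def link_visits(requests):
    """Cluster page loads that share an identifying cookie; return one profile
    per cluster with the pages, IPs and leaked identities it accumulated."""
    loads = group_page_loads(requests)
    ds, first_seen = DisjointSet(), {}
    for i, load in enumerate(loads):
        ds.find(i)
        for req in load["reqs"]:
            for tok in identifying_tokens(req):
                if tok in first_seen:
                    ds.union(i, first_seen[tok])   # same cookie value => same browser
                else:
                    first_seen[tok] = i
    profiles = defaultdict(lambda: {"pages": set(), "ips": set(), "identities": set()})
    for i, load in enumerate(loads):
        p = profiles[ds.find(i)]
        p["pages"].add(load["page"])
        p["ips"].add(load["ip"])
        p["identities"].update(r.leaked_identity for r in load["reqs"] if r.leaked_identity)
    return list(profiles.values())


# Constructed capture: Alice reads the news at home, later visits a shop from a
# cafe (new IP) where her e-mail appears in plaintext HTML; Bob, behind the same
# home NAT as Alice, reads the news later. The tracker cookie links Alice's two
# visits; the shared IP does not link Bob to her.
SAMPLE_CAPTURE = [
    Request(0.0, "10.0.0.5", "news.example", "/", "sess=a81f2c9e4b77d; prefs=dark"),
    Request(0.4, "10.0.0.5", "ads.tracker-a.example", "/pixel.gif", "uid=T1-9f3e7c2a", referer="http://news.example/"),
    Request(3600.0, "192.0.2.9", "shop.example", "/account", "cart=c0ffee123456", leaked_identity="alice@example.org"),
    Request(3600.7, "192.0.2.9", "ads.tracker-a.example", "/pixel.gif", "uid=T1-9f3e7c2a", referer="http://shop.example/account"),
    Request(3601.1, "192.0.2.9", "cdn.tracker-b.example", "/beacon", "vid=T2-77ab1c4d9e", referer="http://shop.example/account"),
    Request(7200.0, "10.0.0.5", "news.example", "/", "sess=5d3e9b0a1cc47; prefs=dark"),
    Request(7200.5, "10.0.0.5", "ads.tracker-a.example", "/pixel.gif", "uid=T1-04bd2e8f", referer="http://news.example/"),
]

if __name__ == "__main__":
    for profile in link_visits(SAMPLE_CAPTURE):
        print(sorted(profile["identities"]) or "(unknown person)", sorted(profile["pages"]), sorted(profile["ips"]))
```

Running it yields two profiles: one labelled alice@example.org spanning both sites and both IP addresses, and one anonymous profile for Bob containing only the news site, even though he shares Alice's home IP. Filtering out low-entropy cookie values is what keeps the two apart; the paper's real-world version of that filter is more careful than the heuristic used here.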

This work is likely to attract the attention of privacy advocates and regulators, leading to increased interest in cookies and other tracking mechanisms.

The research work was motivated by two leaked NSA documents.

Posted on: 09 April 2014 at 10:02 hrs

27 March 2014

Web Security Incident Records and Classifications

I just went through the list of recent enforcement actions taken by the ICO.

Screen shot of the submitted response that reads 'Would it be possible for the ICO to classify the vulnerabilities/weaknesses related to software (e.g. websites) in monetary penalty notices, enforcement actions and undertakings? i.e. any published vulnerabilities (CVEs), misconfigurations (CCEs) or software weaknesses (CWEs) that were exploited. Where an incident involves a mis-directed email or fax, or an unencrypted laptop, the root cause is easily identified, but in software-related incidents, there is not the same degree of clarity from the ICO. This information would be invaluable for research, help raise awareness, and assist other organisations to focus their efforts. References https://cve.mitre.org/ http://cce.mitre.org/ http://cwe.mitre.org/ http://scap.nist.gov/'

Periodically I collect information from there and submit incidents to the Web Hacking Incident Database (WHID) using their submission form.

It was disappointing to note the lists of monetary penalty notices, enforcement actions and undertakings on the ICO web site have been truncated and there is no archive. The site's search can be used for some, but I still had to access the helpful Breach Watch to access some past ICO documents. I submitted website feedback about this to the ICO.

The WHID incident submission form asks for the attack method, weakness exploited and outcomes. In many cases this will be unknown, but this prompted me to make a request to the ICO that they classify incidents to raise awareness and help others and help the prioritisation of risk reduction measures. There wasn't an appropriate place on the main ICO web site to do this, so I submitted the suggestion (see image above) on the latest blog post by their Group Manager, which also mentions the recent British Pregnancy Advice Service data breach (BPAS). Awaiting moderation.

Update 9th April 2014: Just noticed, my comment has been published.

Posted on: 27 March 2014 at 11:24 hrs

13 March 2014

OWASP Top Ten 2013 A9 and Principle 7 (Security) of the Data Protection Act

The UK Information Commissioner's Office (ICO) has made a clear statement that it believes unpatched software is no longer acceptable.

30% of PCs still use Microsoft XP. If your business does after 8 April 2014 it may be breaching #DPA

The ICO does not provide much prescriptive guidance about Principle 7 of the Data Protection Act (DPA) 1998 concerning security, and data controllers and processors have to read all the guidance and enforcement actions to get a feel for what is expected. Thus for example, for many years the ICO has taken a very dim view of losing mobile devices that have unencrypted storage media.

It seems the time has come for addressing published software vulnerabilities in a timely manner to be included in the bare minimum controls the ICO expects to be in place to protect personal data.

In a tweet and the referenced post on the ICO's blog, Simon Rice, Group Manager for the ICO's technology team, has highlighted how unpatched vulnerabilities in software and infrastructure that are not mitigated in any other way could be considered a breach of the DPA's 7th principle.

Read more about vulnerabilities in software components from OWASP, and also how one UK charity was fined last week by the ICO after a data breach involving a vulnerability in a website content management system (CMS).

Posted on: 13 March 2014 at 12:21 hrs

08 March 2014

The Cost of Privacy Breaches

Yesterday, the UK's privacy regulator Information Commissioner's Office (ICO) announced that the British Pregnancy Advice Service (BPAS), a UK registered charity, has been fined £200,000 for losing personal data relating to 9,900 individuals from its web site in March 2012.

[BPAS] bpas has robust systems of governance in place for both clinical and general management

The Monetary Penalty Notice, issued on 28th February 2014, describes how someone found vulnerabilities in the BPAS web site content management system (CMS) using a scanning tool. It seems they did not have to resort to manual application penetration testing. They exploited this to deface the website and also take personal data from people who had submitted an advice call back form on the site. Each record contained the name, date of birth, address and telephone number of the person. Although no other sensitive data was stored, the individuals were probably asking for advice about one of the services offered by the charity: contraceptive advice, abortion, counselling, STI screening, sterilisation, vasectomy and treatment for erectile dysfunction.

[ICO] Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker.

The perpetrator threatened to publish the names of the individuals. Fortunately he was identified, an injunction was obtained from the High Court to prevent him from publishing any information, the data was recovered and he was arrested by the police, apparently subsequently receiving a prison sentence of 32 months. Even though the web site was allegedly not meant to be storing the call back information, it was still BPAS's responsibility to ensure this was the case, and also to secure its assets more generally. But the charity has published a press release stating surprise and shock at the level of the fine.

[BPAS] we are horrified by the scale of the fine, which does not reflect the fact that bpas was a victim of a serious crime by someone opposed to what we do. ... This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.

This would seem to be a likely attack: there will be individuals who want to harm BPAS and its reputation. We do not know the method of exploitation, but a vulnerability found by simple scanning of the CMS suggests it could perhaps relate to:

  • SQL injection via the CMS log in form
  • Theft of admin credentials or session identifiers using cross-site scripting
  • Authentication bypass
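To make the first of those possibilities concrete, here is an added illustration of the pattern behind SQL injection in a login form, alongside the fixed version. It is my own example code in Python and SQLite; it is not BPAS's CMS, whose software and actual flaw are not identified in the penalty notice, and the table names, account and passwords are made up for the demonstration.

```python
"""Login form SQL injection: the vulnerable pattern beside its repair.

Added example (not from the penalty notice or any real CMS). Two deliberately
different tables are used so the weak and hardened designs can be compared on
the same in-memory database. All data is constructed.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def _pw_hash(password, salt):
    """Salted, slow password hash; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_demo_db():
    """In-memory database with one account, 'admin' / 'correct horse', stored
    the weak way (plaintext) and the hardened way (salted hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)", ("admin", "correct horse"))
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("admin", salt, _pw_hash("correct horse", salt)))
    conn.commit()
    return conn


# --- Vulnerable: untrusted input spliced into the SQL text -------------------
VULNERABLE_SQL = "SELECT username FROM legacy_users WHERE username = '{u}' AND password = '{p}'"


def vulnerable_login(conn, username, password):
    """Whoever controls the form fields controls the query structure:
    username "admin' --" turns the password check into a SQL comment, and
    password "' OR '1'='1" makes the WHERE clause true for every row."""
    row = conn.execute(VULNERABLE_SQL.format(u=username, p=password)).fetchone()
    return row is not None


# --- Hardened: parameterised query plus salted hash verification -------------
def safe_login(conn, username, password):
    """The username is bound as a parameter, so quotes and comment markers are
    just data. The password is verified in code with a constant-time compare
    against a salted PBKDF2 hash, so nothing about it is in the SQL at all."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _pw_hash(password, salt))


if __name__ == "__main__":
    conn = build_demo_db()
    attempts = [("admin", "correct horse"), ("admin' --", "wrong"), ("nobody", "' OR '1'='1")]
    for u, p in attempts:
        print(f"{u!r:14} {p!r:14} vulnerable={vulnerable_login(conn, u, p)} safe={safe_login(conn, u, p)}")
```

The vulnerable function accepts all three attempts, including two with a wrong password; the hardened one accepts only the genuine credentials. Note that the bypass needs no knowledge of the CMS beyond the existence of a login form, which is consistent with the notice's observation that a scanning tool was sufficient.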

BPAS suggests that the data was lost because it was being stored without their knowledge. But if the web site can be compromised it could be as easy for the attacker to capture the information in transit even if it is not stored on the server.

The real victims could so easily have been the people whose data was stolen, not BPAS. Is a £20 fine per individual affected actually enough? Also, the data might have been taken previously by someone else who neither defaced the website nor contacted BPAS about their success. If an organisation thinks it cannot afford a fine of this level, it should take action to reduce the likelihood of it occurring. The disruption and effort dealing with this sort of event is also very great. Had the data not been recovered and its wider distribution prevented, as it was in this case, the cost of identity monitoring might have exceeded the fine issued by the ICO.

The ICO also recently announced a new Conducting Privacy Impact Assessments (PIAs) Code of Practice, developed after a consultation about how PIAs have been working. In that announcement, Steve Wood ICO Head of Policy said:

[ICO] The development of projects involving the processing of large amounts of personal information is no longer the preserve of the public sector and large businesses. Today even an app developer can be developing a product in their bedroom that involves using thousands of people's information.

Same for non-bedroom developed websites. Charities and professional services organisations take note.

Posted on: 08 March 2014 at 18:23 hrs

17 January 2014

Security, Privacy and Usability of Online Seals

The European Union Agency for Network and Information Security (ENISA) has published a report about marks, seals, logos, icons, badges, etc displayed to provide information to users about the trustworthiness of web sites and web applications.

Partial view of the title page from ENISA's 'On the Security, Privacy and Usability of Online Seals - An Overview'

On the Security, Privacy and Usability of Online Seals examines the European policy context, security and privacy requirements for seals, the communication issues, verification issues and economic aspects.

Three challenges are described:

  • Users are beginning to make trust decisions about seal issuers (rather than just the web site or application)
  • Users have to judge the range of evaluation methods to determine if the seal is adequate for themselves
  • It is difficult and maybe impossible for users to check the evaluated web site / application is the same as the one they want to use.

The report provides some recommendations, which of course includes "further research".

See also the related Mobile App Privacy Labelling, Privacy and Terms of Use Labelling, A Software Security Kitemark, Privacy, Labelling and Legislation, Trust and E-commerce Trustmarks, and older posts referenced from those.

Posted on: 17 January 2014 at 09:37 hrs

09 November 2013

It's Not Just Cookies!

Shock horror! It is possible to track users without using cookies!

Cookie-replacement tracking technology would be subject to same 'cookie law' rules

It is news to some people apparently. There is a good write-up on Out-Law.com. Unsurprisingly the people who insisted on calling it a "cookie law" feel threatened; the concern is tracking of course, not what method is used.

Hopefully this is not news to readers of the posts here about the relevant legislation, guidance and issues.

Posted on: 09 November 2013 at 08:56 hrs

16 August 2013

Colourful Range of Mobile App Risks for Developers

Veracode, publisher of the excellent State of Software Security reports, has created a security awareness diagram for mobile app developers.

Partial screen capture of Risk 5 - Sensitive Data Leakage from Veracode's Developer's Guide to Building Secure Mobile Applications Infographic

Developer's Guide to Building Secure Mobile Applications is an infographic which summarises some phone theft/loss data and the prevalence of sensitive data exposure. It then goes on to highlight five "top risks to mobile apps", which it lists as:

  1. Unsafe sensitive data storage
  2. Hardcode password/key
  3. Unauthorized dialing/SMS/payments
  4. Unsafe sensitive data in transmission
  5. Sensitive data leakage.

In this context "sensitive data" is identified as banking and payment system PINs, credit card numbers, online service passwords/keys and personal data.

The risks are based on Veracode's own Mobile App Top Ten [Malicious Functionality and Vulnerabilities], and other sources such as the OWASP Top Ten Mobile Risks and the ENISA Smartphones: Information Security Risks, Opportunities and Recommendations for Users. The five included in the infographic appear to be biased towards the impact on users (consumers, citizens, employees, etc) rather than the more common ranking of impact on organisations (company, educational/professional body, charity, etc). And I quite like that approach.

The infographic promotes and links to a document called Understanding The Risks of Mobile Applications which is rather short, and weaker in content than expected. It is free to download after providing contact information and a valid email address.

As an awareness tool, it would be good to have a higher-resolution version of the infographic to print out and paste up in developer meeting areas, or alternatively remake it into coasters (for coffee and/or beer) so that the messages reach, and stay on, developers' desks.

Posted on: 16 August 2013 at 07:46 hrs

13 August 2013

Consultation on Conducting Privacy Impact Assessments

The UK Information Commissioner's Office (ICO) is consulting on a revised code of practice for privacy impact assessments.

One of the pages from the ICO's draft code of practice for privacy impact assessments

The new draft code of practice is intended to streamline the guidance and process currently defined in the ICO's PIA Handbook.

Responses to the consultation should use the template provided and can be returned by post or email by 5th November 2013.

The ICO has also just issued version 2 of their Data Protection Regulatory Action Policy.

Posted on: 13 August 2013 at 08:21 hrs

09 July 2013

Personal Information from US and EU Perspectives

A recent paper discusses the differences in privacy law between the United States and Europe, and how personally identifiable information (PII) is defined in US and EU privacy law.

Partial view of a page from the paper 'Reconciling Personal Information in the United States and European Union'

In the paper Reconciling Personal Information in the United States and European Union, Paul M. Schwartz and Daniel J. Solove discuss and evaluate the EU Data Protection Directive and the proposed new regulation, both of which treat privacy as a fundamental right. This is contrasted with the range of approaches in the United States, where the emphasis is on consumer protection and on balancing privacy with efficient commercial transactions. The authors point out the difficulties these different approaches raise in transfers of data.

The paper moves on to discuss the concept of "PII 2.0" with three categories for regulation: information about an identified, an identifiable, or a non-identifiable person. The authors argue that PII 2.0 is consistent with the underlying philosophies of both US and EU privacy law regimes, bridging the current gap between the two.

Posted on: 09 July 2013 at 18:23 hrs

Privacy : Web Security, Usability and Design

Page http://www.clerkendweller.com/privacy

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com