You may be hearing about the EU-US Safe Harbor discussion in the news. At risk is multinational companies' ability to store and process EU data in the US. Companies like Apple, Facebook, and Google provide EU services through computers located in the US. Data is sent from the EU to the US under the auspices of the EU-US Safe Harbor agreement.
On October 6, 2015 the Court of Justice of the European Union (ECJ) ruled the Safe Harbor agreement invalid, which places all EU data sent to the US in jeopardy.
“…the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country” (Court of Justice of the European Union)
The ECJ recommended that where protections cannot be guaranteed, “suspending the contested transfer of data” is appropriate. The only way US businesses can guarantee adequate protections for EU data is for the US government to develop laws protecting EU data from US government warrantless surveillance programs. Without such transparency measures, the only choices for Internet bellwethers are to develop new data centers within the EU for EU data, or to pull the plug on the EU. Neither option is very tenable for US multinationals or for citizens of the EU.
Even if Internet bellwethers underwrote efforts to build EU data centers, it’s not clear EU data will be safe from US government overreach. In a developing case between Microsoft and the US government, the government contends it has the right to demand the email of anyone in the world so long as the provider is headquartered within the US. Presumably, the legal precedent established for email would apply more broadly to all data. I have been covering developments in this area over the last couple of years; sources for interested readers:
Securitycurmudgeon.com, Balkanization of US Products and Service Technology Accelerates
Securitycurmudgeon.com, A Crisis of Confidence Costs Real Money
The Register, US tries one last time to sway EU court on data-slurping deal
Politico.eu, Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015 [pdf]
Reuters, Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
Guardian, Microsoft case: DoJ says it can demand every email from any US-based provider
Image: Wikipedia, EU Flag
Today Google announced limited HTTPS support for Blogspot. HTTPS support is critical for banking and other areas where online trust is required. HTTPS is also important for viewing web site content, to ensure it’s authentic and free from tampering. Without HTTPS support, web site content is easily modified in transit. Google explains that its decision to offer HTTPS support is based on its HTTPS Everywhere strategy. HTTPS is not enabled by default but can be enabled via configuration by the site administrator. Custom domains like securitycurmudgeon.com are not supported via HTTPS on Blogspot. Google notes, “blogs with custom domains are not supported in this first version” and implies Blogspot will offer HTTPS support for custom domains sometime in the future. More than likely, Blogspot users will in the future be able to load a custom certificate generated by a popular Certificate Authority. This small improvement is a really big deal for many bloggers! +1 Google security team!
* Image: Blogger configuration settings. New HTTPS Settings option.
It’s interesting that public sentiment around drone privacy incursion is far different from sentiment around Internet bellwethers like Google, FB, Apple, AT&T, etc. The underlying social theme: as long as we don’t see the spy, or the spy also does something good for us, then spying is tolerable. It’s my view that a DJI Phantom is less of an incursion on my privacy than a smartphone. A DJI Phantom flying over my property is likely a nosy neighbor, only one spy. On the other hand, a smartphone is a virtual Panopticon into my personal life. At the very minimum, smartphone monitoring includes: smartphone makers, telcos, social media, government, and law enforcement. Many constituencies are involved. My point is not to stir passions on privacy incursion but to note the difference in public perception about privacy threats. As a more tangible and compelling example, let’s pick on Amazon and their foray into dronespace.
Most Americans are anxiously awaiting Amazon Prime Air and 30-minute product delivery. I have found little in the way of tech specs for Amazon’s proposed drone aircraft, but imagine for a moment thousands upon thousands of drones combing the sky each day. What will be the disposition of drone sensor data? My bet is that gathering drone data along delivery routes will be too tempting for business to ignore. Although don’t install camouflage netting over your home just yet. There will be an initial greenfield period of data feasting, but it seems likely privacy will find a balance.
Incidentally, shooting down a drone, even over your own property, is considered an attack on an aircraft. Today the NTSB investigates crashes of aircraft with tail numbers. Drones have no registration of any kind, and investigation of drone crash incidents remains unclear. Laws around drones are evolving. Point being, work out your disputes peaceably if possible, or contact law enforcement.
I typically receive a few invitations to connect each week from people outside of security. More regularly, the people that connect with me work in application security and software development. This week was unusual: I received ten connection requests from individuals employed by a company called Selling Simplified. I had a sneaking suspicion my profile was being mined, but I like to give everyone the benefit of the doubt.
To begin, I thought I would investigate the company’s home page. The company does have a web page online. I wanted to get some idea if this was a real company or not. I checked out the jobs page. I didn’t notice many job openings, but there were a few. Then I reviewed their leadership page. Several company leaders are listed with bios. There are also many blog posts. My initial impression is that it’s a legitimate business. Next, I opened a couple of the Selling Simplified profiles.
Photo 2 is one of the LinkedIn profiles expanded. There’s a name, a position, some skill endorsements, but as I scroll down the screen, no employment history. I seriously doubt this is a real LinkedIn profile belonging to a person. It’s likely part of an automated tool to mine contact data. I have about 2800 contacts, but I don’t share them.
The company focus appears to be “lead generation”. Apparently, my friends and I are targets to bolster Selling Simplified’s lead generation database. I’m betting mining with bots like this is against LinkedIn’s terms of service. Still, there is no guarantee this activity is sanctioned by the company rather than the work of a script-savvy sales agent. In the event your profile gets mined, protect your professional contacts by adjusting the setting as shown in Photo 3.
You can also protect your contacts by only allowing your closest friends to join; however, I find this an impractical strategy. I receive many connection requests from people I don’t know very well but who like to follow security news. If a close friend desires to be introduced to one of your contacts, they can ask. The lesson here is to be aware of your contact requests, follow your hunches, and keep contact sharing turned off on your profile.