EU-US Safe Harbor Ruled Invalid

EU-Flag.jpgYou may be hearing about EU-US Safe Harbor discussion in the news.  At risk is the multinational companies ability to store and process EU data in the US.  Companies like Apple, Facebook, and Google provide EU services through computers located in the US.  Data is sent from EU to the US under the auspices of the EU-US Safe Harbor agreement.

October 6, 2015 the Court of Justice for the European Union (ECJ) ruled the Safe Harbor agreement invalid which places all EU data sent to the US in jeopardy.

“…the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country” [4] Court of Justice of the European Union

The ECJ recommended where protections cannot be guaranteed, “suspending the contested transfer of data”[4].  The only way US businesses can guarantee adequate protections for EU data is for the US government to develop laws protecting EU data from US government warrantless surveillance programs.  Without such transparency measures the only choices for Internet bellwethers are, develop new data centers within the EU for EU data, or pull the plug on the EU.  Either option is not very tenable for US multinationals or citizens of the EU.

Even if Internet bellwethers underwrote efforts to build EU data centers it’s not clear EU data will be safe from US government overreach.  In a developing case between Microsoft and the US government,  the government contends it has the right to demand the email of anyone in the world so long as the provider is headquartered within the US [6].  Presumably, the legal precedent established for email would apply more broadly to all data.  I have been covering developments in this area over the last couple of years [1][2] for interested readers.

[1] Securitycurmudgeon.com, Balkanization of US Products and Service Technology Accellerates
[2] Securitycurmudgeon.com, A Crisis of Confidence Costs Real Money
[3] The Register, US tries one last time to sway EU court on data-slurping deal
[4] Politico.eu, Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015 [pdf]
[5] Reuters, Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
[6] Guardian, Microsoft case: DoJ says it can demand every email from any US-based provider

Image: Wikipedia, EU Flag

Please follow and like us:

HTTPS Party at Blogspot

blogger-https.png

Today Google announced[1] limited HTTPS support for Blogspot.  HTTPS support is critical for banking and other areas where online trust is required.  HTTPS is also important for viewing web site content to ensure it’s authentic and free from tampering.  Without HTTPS support, web site content is easily modified in transit.  Google explains their decision to offer HTTPS support is based on their HTTPS Everywhere strategy.  HTTPS is not enabled by default but can be enabled via configuration by the site Administrator.   Custom domains like securitycurmudgeon.com are not supported via HTTPS on Blogspot.  Google notes, “blogs with custom domains are not supported in this first version” and implies Blogspot will offer HTTPS support for custom domains sometime in the future.  More than likely Blogspot users will be able to load a custom certificate generated popular Certificate Authority’s in the future.  This small improvement is a really big deal for many bloggers!  +1 Google security team!

[1] HTTPS support coming to Blogspot

* Image: Blogger configuration settings.  New HTTPS Settings option.

Please follow and like us:

LinkedIn API’s Hold Members Hostage

LinkedIn-Share-Obfuscated.pngI think it’s great that LinkedIn prompts members using LinkedIn API enabled applications about the type of information requested.  This is the minimum amount of transparency all cloud applications should present to their users but what information is included in a connection?  Sure, “1st and 2nd degree connections”  but what does that mean?  Only a members relationship to another member?  Or the connection relationship along with other profile information?  Asking a LinkedIn member to share profile information for another is like asking my Mom if it’s ok for me to come out and play.  It should be each members choice what they want to share about their profile.  I’m open with my information but some are very private and connect only to their closest colleagues.  An easy area of future improvement is to clean up the connection sharing description to users.  A future suggestion, if the type of information can’t be clearly communicated to members don’t do it.
Another area of improvement in this message dialog is provide members some options about the type of information they are willing to share.  Today the choice is all or nothing.  Members can choose to “Allow access” or not use the application.  Essentially many applications hold you hostage on this screen.  You either hand over all your member data or you don’t get access the application.  My concern is that often applications request much more information than the application requires.  I’m not against software developers asking but the user should have some choices.  If LinkedIn is concerned about their members privacy they should provide a checkbox next to each type of information requested.  This allows members to turn off information they don’t want to share (like personal connections) while sharing other types of information.
Please follow and like us:

Spy in Sky vs Spy in Pocket

drone-munition.jpg

It’s interesting that public sentiment around drone privacy incursion is far different than sentiment around Internet bellwethers like Google, FB, Apple, AT&T, etc. The underlying social theme, as long we don’t see the spy, or the spy does also does something good for us, then spying is tolerable. It’s my view, a DJI Phantom is less of an incursion on my privacy than a smartphone. A DJI Phantom flying over my property is likely a nosey neighbor – only one spy. On the other hand, a smartphone is a virtual Panopticon into my personal life. At the very minimum, smartphone monitoring includes: smartphone makers, telcos, social media, government, and law enforcement. Many constituencies are involved. My point is not to stir passions on privacy incursion but the difference in public perception about privacy threats. As a more tangible and compelling example, let’s pick on Amazon and their foray into dronespace.
Most American’s are anxiously awaiting Amazon Prime Air and 30-minute product delivery. I have found little in the way of tech specs for Amazon’s proposed drone aircraft but imagine for a moment, thousands upon thousands of drones combing the sky each day. What will be the disposition of drone sensor data? My bet is that gathering drone data along delivery routes will be too tempting for business to ignore. Although don’t install camouflage netting over your home just yet. There will be a initial greenfield period of data feasting but it seems likely privacy will find a balance.

Incidentally, shooting down a drone, even over your own property, is considered as an attack on an aircraft. Today NTSB investigates aircraft crashes of aircraft with tail numbers. Drones have no registration of any kind and investigation of drone crash incidents remains unclear. Laws around drones are evolving. Point being, work out your disputes peaceably if possible or contact law enforcement.

Please follow and like us:

Ders Gold in Dem Dar Profiles

IMG_2487.pngI typically receive a few people a week outside of security that send me invitations to connect.  More regularly, the people that connect with me work in the application security and software development.  This week was unusual, I received ten connection requests from individuals employed by a company called Selling Simplified.  I had a sneaking suspicion my profile was being mined but I like to give everyone the benefit of the doubt.
To begin I thought I would investigate the companies home page.  The company does have a web page online.  I wanted to get some idea if this was a real company or not.  I checked out the jobs page.  I didn’t notice many job openings but there were a few.  Then I review their leadership page.  Several company leaders are listed with bios.  There are also many blog posts.  My initial impression is that it’s a legitimate business.  Next, I opened a couple of the Selling Simplified profiles.

linkedin-profile.png
Photo 2: LinkedIn profile detail

Photo 2 is one of the LinkedIn profiles expanded.  There’s a name, a position, some skill endorsements, but as I scroll down the screen no employment history.  I serious doubt this is a real LinkedIn profile belonging to a person.  It’s likely part of an automated tool to mine contact data.  I have about 2800 contacts but I don’t share them.

profile-change.png
Photo 3: LinkedIn protecting contacts

The company focus appears to be “lead generation”.  Apparently, my friends and I are targets to bolster Selling Simplified lead generation database.  I’m betting mining with bots like this is against LinkedIn’s terms of service.  Still there is no guarantee this activity is sanctioned by the company or the work of a script savvy sales agent.  In the event your profile gets minded, protect your professional contacts by adjusting the setting as shown in Photo 3.

You can also protect your contacts by only allowing your closest friends to join; however, I find this an impractical strategy.  I receive many connection requests from people I don’t know very well but like to follow security news.  If a close friend desires to be introduced to one of your contacts they can ask.  The lesson here is to be aware of your contact requests, follow your hunches, and keep contact sharing turned off on your profile.

Please follow and like us: