Wednesday 23 November 2016

Businesses will have to pay for data protection services

Irish Independent 15th November 2016

Irish businesses will have to cough up for new data protection officers thanks to EU laws coming down the tracks, according to the Irish data protection commissioner.

Speaking to the Irish Independent, Helen Dixon said that the General Data Protection Regulation will be a "wake up call" for Irish organisations which do not currently have such facilities in place.
Ms Dixon said that dozens of foreign-based tech companies had recently been in touch with her office over data compliance responsibilities after a potential move to Ireland.
The GDPR is one of a number of data and security issues to be discussed at Dublin InfoSec 2016 today. The RDS conference, which includes talks by Wikileaks journalist Sarah Harrison and cyber psychologist Mary Aiken, will focus on topics ranging from how to survive being hacked to ransomware attacks and responding to data breaches.

The conference is being held as news of one of the world's biggest data breaches broke last night. Over 400 million email addresses and passwords from the adult-themed dating network 'Adult Friend Finder' were exposed, with tens of thousands of Irish email addresses said to be included in the breach.
Meanwhile, Ms Dixon said that it would be a matter of months before the Irish data regulator's office knows whether, or to what extent, Yahoo can be held accountable for its recent data breach that affected over 500 million email users.
"We're in daily contact and in constant activity," she said.
"That is the subject of significant activity for the office and is in fact a scenario that is changing day by day in terms of the information that we're gathering."

Last week, Yahoo filed a document with US authorities revealing that some staff knew of the data breach as far back as 2014. The company, which only admitted the massive breach in September of this year, has claimed that the breach was the work of state-sponsored hackers.

Monday 7 November 2016

Fears of intensified censorship as China passes controversial cybersecurity bill

The Journal 7th November 2016
CHINA HAS PASSED a controversial cybersecurity bill, further tightening restrictions on online freedom of speech, raising concerns that it could intensify already wide-ranging internet censorship.
The ruling Communist Party oversees a vast censorship system – dubbed the Great Firewall – that aggressively blocks sites or snuffs out internet content and commentary on topics considered sensitive, such as Beijing’s human rights record and criticism of the government.
The law, which was approved by the National People’s Congress Standing Committee, bans internet users from publishing a wide variety of information, including anything that damages “national honour”, “disturbs economic or social order” or is aimed at “overthrowing the socialist system”.
National security
The law requires companies to verify a user’s identity, effectively making it illegal to go online anonymously.
It also includes provisions for protecting the country’s networks and private user information.
Early drafts of the legislation drew a wave of criticism from rights groups and businesses, which objected to its vague language.
Foreign companies, in particular, expressed concern about language that would require them to cooperate with Chinese authorities to “protect national security”, broadly-worded language that was included in the final version of the law.
“This dangerous law commandeers internet companies to be de facto agents of the state, by requiring them to censor and provide personal data to the authorities at a whim,” said Patrick Poon, China researcher at overseas-based rights group Amnesty International.
Internet rumours
Chinese authorities have long reserved the right to control and censor online content. But the country stepped up its controls in 2013, launching a wide-ranging internet crackdown that targeted activists and focused on the spread of so-called “internet rumours”.
Hundreds of Chinese bloggers and journalists were detained as part of the campaign to assert greater control over social media, which has seen influential critics of Beijing paraded on state television.
Under regulations announced at the time, Chinese internet users face three years in prison for writing defamatory messages that are re-posted 500 times or more. Web users can also be jailed if offending posts are viewed more than 5,000 times.
Comments posted on social media have been used in the prosecution of various activists, such as human rights lawyer Pu Zhiqiang.
“If online speech and privacy are a bellwether of Beijing’s attitude toward peaceful criticism, everyone – including netizens in China and major international corporations – is now at risk,” said Sophie Richardson, China Director of Human Rights Watch.

“This law’s passage means there are no protections for users against serious charges.”

Tuesday 11 October 2016

Private investigator guilty of data protection breach

RTE News, 10th October 2016

The director of a Galway-based private investigation company has pleaded guilty at Tuam District Court to breaches of the Data Protection Act.

Michael Ryan, of Glen Collection Investments Ltd, in Glenamaddy, obtained personal information from the Department of Social Protection when he was working on behalf of AIB and Bank of Ireland.

Today's court proceedings follow an investigation by Assistant Data Protection Commissioner Tony Delaney.

The case arises from a complaint by an individual, Daniel Lannon, that his personal data, including details of a previous address in Louth, had been handed over unlawfully to a private investigator.
Ryan had been carrying out work for Croskerrys Solicitors in Dublin, a firm specialising in debt recovery, that was acting for AIB.

The court heard he obtained personal information from his sister-in-law, Catriona Bracken, who was an employee of the Department of Social Protection in Athlone.

The personal data of 61 individuals had been accessed on behalf of the two main banks in this investigation.

Ms Bracken, AIB and Bank of Ireland were not represented in court as the prosecution related solely to Ryan and his company. The court heard the company was not registered with the Data Protection Commissioner and had no authorisation to process personal information on databases.

The court heard that while it is not against the law for solicitors and banks to hire private investigators, it remains a serious breach of the Data Protection Act to obtain personal information unlawfully.

It was the tactics and methodology used that were of serious concern in this case.

Judge Conal Gibbons said that by publicising prosecutions of this nature, citizens would have their rights protected and vindicated in the courts.

He also expressed concern that banks did not take greater care to ensure the people they were hiring to help recover debt were fully compliant with rules and regulations.

The judge took into account the guilty plea and the financial circumstances of Ryan when he imposed a fine of €7,500.

The court heard the 47-year-old father of five was in mortgage arrears.

He had no previous convictions and received modest fees of between €45 and €100 for each 'trace' he carried out illegally.

Today's successful prosecution was welcomed by the State's data protection watchdog.

Assistant Commissioner Delaney said private investigators acting unlawfully would continue to be vigorously pursued.

Friday 23 September 2016

Data Protection Commissioner seeking answers after massive Yahoo privacy breach

The Journal, 23rd September 2016
YAHOO HAS SAID that a massive attack on its network in 2014 allowed hackers to steal data from half a billion users and may have been “state sponsored.”
The Data Protection Commissioner here has been notified of the data breach by the multinational, which has its European HQ based in Dublin.
“Yahoo have notified us of the breach,” a spokeswoman told
“Our office has raised a number of issues on which we’re seeking clarification, and are waiting for a response from Yahoo.”
Helen Dixon was appointed as Data Protection Commissioner for Ireland in September 2014, heading up the office in Portarlington, Co Laois.
Yahoo, which confirmed details of the breach last night, months after reports of a major hack, said its investigation concluded that “certain user account information was stolen” and that the attack came from “what it believes is a state-sponsored actor.”
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen,” said a statement by the US internet giant in what is likely the largest-ever breach for a single organization.
The comments come after a report earlier this year quoted a security researcher saying some 200 million accounts may have been accessed and that hacked data was being offered for sale online.
Yahoo said the stolen information may have included names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims’ other online accounts.
While there is no official record of the largest breaches, many analysts have called the Myspace hack revealed earlier this year the largest to date, with 360 million users affected.
Ammunition for hackers
Computer security analyst Graham Cluley said the stolen Yahoo data “could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web.”
He noted that while Yahoo said that it believes the hack was state-sponsored, the company provided no details regarding what makes them think that is the case.
“If I had to break the bad news that my company had been hacked… I would feel much happier saying that the attackers were ‘state-sponsored,’” rather than teen hackers, Cluley said in a blog post.
University of Notre Dame associate teaching professor and data security specialist Timothy Carone told AFP that the Yahoo hack fit the “big picture” when it comes to cyberattacks launched by spy agencies in Russia, China, North Korea or other countries.
“It just smacks of traditional trade craft,” Carone said.
“It is a broad sweep of getting information on people and building up profiles on those who may be of use to them.”
Carone described Russia, China and North Korea as the usual three suspects in state-sponsored hacks, but cautioned that allies are not above cyber snooping as well.
“People have to realize that anything they put out there is fair game,” he said, stressing a need for internet users to remain wary.
Unprotected passwords
It appeared that looted Yahoo data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.
Yahoo is asking affected users to change passwords, and recommending anyone who has not done so since 2014 to take the same action as a precaution.
Users of Yahoo online services were urged to review accounts for suspicious activity and change passwords and security question information used to log in anywhere else if it matched that at Yahoo.
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” Yahoo said in a statement.
Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.
$4.8 billion
Confirmation of the major cyber breach comes two months after Yahoo sealed a deal to sell its core internet business to telecom giant Verizon for $4.8 billion, ending a two-decade run as an independent company.
It was not immediately clear if the data breach could impact the closing of the deal or the price agreed by Verizon.
“Frankly, the timing couldn’t be worse for Yahoo,” Cluley said.
The telecom firm said it was reviewing the new information.
“Within the last two days, we were notified of Yahoo’s security incident,” Verizon said in a statement.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”

Wednesday 14 September 2016

Austrian court refers Max Schrems’s Facebook case to ECJ

Irish Times 14th September 2016
Austrian student Max Schrems’ high-profile class action case over Facebook’s privacy rules has been referred to the European Court of Justice by Austria’s highest court.
The court in Luxembourg will now have to decide whether Max Schrems can bring a class action suit on behalf of European or even worldwide users of the social network.
Mr Schrems launched a class action suit against Facebook on behalf of 25,000 other people in 2014, accusing it of having invalid privacy policies and processing customer data illegally.
Facebook argued that the Austrian court did not have jurisdiction over the case, which slowly worked its way up the Austrian legal system before being referred to the EU’s top court. The company argues that Mr Schrems is not a consumer but an activist and so cannot legally represent other consumers.
Mr Schrems said he hoped the European court would be “consumer friendly” when it decided the jurisdiction question, praising it for having been so in previous cases. “Filing thousands of individual lawsuits before thousands of courts would be an absurd exercise,” he said.

Procedural questions
A spokeswoman for Facebook said: “Mr Schrems’s claims have twice been rejected on the grounds that they cannot proceed as ‘class action’ on behalf of other consumers in Austrian courts. We look forward to addressing the procedural questions presented to the [European Court of Justice] to resolve these claims.”
The referral is the latest twist in a five-year dispute between Facebook and Mr Schrems, which began when he was a student and has already upturned data protection law in the EU. Mr Schrems founded the organisation Europe v Facebook, which he is funding from small donations from “many concerned citizens” across Europe.
In a landmark judgment last year, the European Court of Justice struck down a crucial data transfer deal that allowed the likes of Facebook and Amazon to transfer personal data easily from the EU to the US, following a complaint from Mr Schrems.

The court ruled that the deal was invalid because the data of EU citizens were not sufficiently protected from US spies. Edward Snowden, the US National Security Agency whistleblower, praised Mr Schrems at the time, saying he had changed the world for the better.

A separate legal method of transferring data across the Atlantic – known as model contract clauses – is also under question in a related case in Ireland, again involving Mr Schrems. These clauses are relied on by 80 per cent of companies that transfer data from the EU to the US, lawyers estimate.

Monday 15 August 2016

Cyclists may breach data laws with on-board cameras

Irish Examiner 2nd August 2016
If a cyclist or homeowner uses footage from an on-board, body-worn or CCTV camera beyond a personal capacity, then they may be in breach of data-protection law.
“If an individual is using CCTV or a body-worn camera and processing personal data beyond what is a ‘personal or household activity’ then they may assume the role of a data controller and as such they would be required to comply with data protection legislation,” a spokesperson from the DPC’s office said.
The issue came up in the commissioner’s annual report for 2015, published in June, listing it as one of three major data protection matters that arose.
The spokesperson from the commissioner’s office stated however, that where an individual processes data from such cameras for their own personal affairs or keeps it for recreational purposes, this is exempt from the data protection law.
However, even if the activity is exempt a person such as a neighbour might object to it and take a civil action.
“Though outside the remit of this office, it may be the case that even where this exemption does apply, an individual who objects to the recording, for example a neighbour who objects to images of his or her property being recorded, may be able to take a civil action based on the constitutional and common law right to privacy,” said the spokesperson.
The commissioner’s report also made an audit finding on the excessive use of body-worn cameras.

“Our general guidance in this area is that we would consider that body-worn cameras should only be activated in extreme cases in response to specific pre-defined criteria, where it could be justified for security and safety purposes,” reads the report.

Friday 5 August 2016

Tinder violates data protection rules: EU lawmaker

The Indian Times, 4th August 2016

An EU lawmaker says dating app Tinder breaches the bloc's data protection rules because it uses personal data without explicit consent and should be investigated by the European Commission.

The dating app, owned by website operator Match Group Inc, imposes unlawful conditions on users, pushing them to consent to unclear clauses that allow the company to use their data even after they close their accounts, socialist lawmaker Marc Tarabella said in a statement.

"Once you subscribe, the company can do whatever it wants with your data. It can show them, distribute them to whomever or even modify them. The lack of transparency cannot be the rule," Tarabella said.

The Belgian politician, who in 2014 was among the leading European parliament members calling for a break-up of Google's search engine from its commercial services, also accused dating app Happn and jogging app Runkeeper of violating EU data protection rules.

Tinder representatives were not immediately available for comment.

A Commission spokeswoman said it was up to national authorities to enforce EU rules on data and consumer protection. However, the Commission has conducted such investigations in the past.

"The problem is always the lack of transparency and the notion of consent," Tarabella said, adding that companies often sell users' data to third parties without consumers being aware or having explicitly consented to it.

EU rules protect consumers who no longer want their data to be used. Companies are also required to provide "easy-to-understand information" and to obtain an explicit consent from users to process personal data.