Roger's Security Blog : Privacy

Data Protection Day 2009

rhalbh — Wed, 28 Jan 2009 19:16:02 GMT

In early December I blogged about the Privacy Video Competition of the Data Protection Day.

Today is the day: The winners just were announced. If you want to look at the videos (they are actually pretty cool):

Watch all entries: http://eskills.eun.org/web/dprotection/gallery
Watch all shortlisted entries: http://www.dataprotectionday.eu/jury/
Watch the winning entries:

Congratulations to all the winners and a big “thank you” to all the participants. They all would deserve to win!

Roger

Privacy Video Competition

rhalbh — Fri, 12 Dec 2008 00:07:17 GMT

On January 28th the European Union is holding the Data Protection Day. To prepare for that, they are holding a competition for young people from 15 to 19 to express their views about online privacy. Here is the teaser:

Surf the net – Think privacy!

So, please spread the word!

Roger

Important Privacy Announcement

rhalbh — Tue, 09 Dec 2008 09:54:40 GMT

I wanted to make you aware of a very important announcement we made earlier today. As you know, Trustworthy Computing is all about Security, Reliability and Business Practices. Our house has a fourth pillar - Privacy - which we view as extremely important, not only in terms of the way we manage our customers’ data, but more broadly in the way we earn and keep our customers’ trust.

You may have heard about the European Union Article 29 Working Party, which issued a statement in April to search providers concerning search anonymization policies. A major part of their focus is the length of time search companies store customer data. The Article 29 Working Party’s view is that this should be no more than six months.

Earlier today we announced that we support the Article 29 Working Party’s call for a common industry standard for search data anonymization methods and timeframes to help protect users’ privacy. We also said that whilst the timeframe is important, more important still is the adoption of strong data anonymization methods. I am glad we made this commitment and I hope that others will follow our lead and support the standard laid down by the Article 29 Working Party. To truly protect users’ privacy, it is imperative that all search companies adopt the same standard.

If you want to read more, read Peter Cullen’s (our Chief Privacy Strategist) blog post: Microsoft Supports Strong Industry Search Data Anonymization Standards

Roger

Security and Piracy – a Correlation?

rhalbh — Sun, 07 Dec 2008 23:37:40 GMT

I am working on a blog post on Security and Piracy looking into the data I have available. Probably it will be ready next week but what I wanted to know: Is there anybody who did some research about this already? I would appreciate if you could let me know. I will definitely share my view on this in the next few days

Roger

How to circumvent Privacy Laws

rhalbh — Wed, 20 Aug 2008 10:10:54 GMT

As you all know, most jurisdictions allow individuals to ask for data collected by an organization (being it a company or a governmental organization). A lot of countries have Data Protection Commissioners that look into what companies and more often governments do with regards to PII (Personal Identifiable Information). After 9/11 the United States forced airlines to violate the local Privacy Legislation as the airlines had – if they wanted to fly to the US – deliver PII to the US (mainly information in the Passenger Name Record), which then had to be accepted by the Data Protection Commissioners as they would kill the airline business if the airlines would not be allowed to do so. So, the US seems to have the power to make companies violate the laws – the background is the fight against terrorism.

Now they even go a step further by circumventing their own legislation: According to Federal Computer Week (Analysis tool exempt from some privacy laws) the DHS developed a system to collect and analyze data collected by immigration and customs. Even worse, they seem to correlate data from different sources: DHS-internal sources as well as commercial databases. The key point is that they decided to exclude this system from several Privacy Acts. Therefore you will not be able to look into the data they collect and make sure it is accurate. If the article mentioned above is correct, it really scares me. Look at that:

The information contained by ICEPIC can include names, dates of birth, phone numbers, addresses, nationalities, fingerprints, photographs, a person's immigration history and alien registration information, according to DHS. Agents and analysts can also use commercial databases to verify or resolve any gaps in ICEPIC data.

So, they start to analyze and if some data points are inaccurate there is no way for you to know and most probably no way for you to make them correct it – scary, isn't it?

Roger

Microsoft sponsors Privacy Enhancing Technology Awards

rhalbh — Tue, 05 Aug 2008 13:15:33 GMT

It is not really news anymore as it broke during my vacation. However, it is important from my point of view:

We are a proud sponsor (and not for the first time) of the Privacy Enhancing Technology Awards, which recognizes the work of researchers in the area of Privacy Enhancing Technologies. There was a press article published on that: Privacy to the Test - Exploring the Limits of Online Anonymity and Accountability

Roger

Sun and Apple Updates – A Sheer Nuisance!! – Part 2

rhalbh — Tue, 25 Mar 2008 17:28:46 GMT

Quite some of you read my initial post on that – and I like the comments I got. Now, it seems that I am not the only one being angry:

I quote from What Microsoft can teach Apple about software updates

For the record, I think Apple is dead wrong in the way it's gone about using its iPod monopoly to expand its share in another market. Ironically, an excellent model for how this update program should work already exists. It's called Windows Update, and it embodies all the principles that Apple should follow.

And: Apple Software Update (btw John is the CO of Mozilla). It seems that John and me are in agreement:

It's wrong because it undermines the trust that we're all trying to build with users. Because it means that an update isn't just an update, but is maybe something more. Because it ultimately undermines the safety of users on the web by eroding that relationship. It's a bad practice and should stop.

[I'll make 2 points that I want to make very clear: (1) this is not a criticism of Safari as a web browser in any way, and (2) I have no objections to the basic industry practice of using your installed software as a channel for other software. This is specifically a criticism of the way they're using the updating system. I'd much prefer to be writing about Firefox, but this practice hurts everyone and is important to note.]

A comment to this blog post: If Microsoft did the identical action, install some non-user-selected software using their software update channel, there would be cacophony across the Internet.

Roger

New Privacy-Technology enables new (private) Business Models

rhalbh — Fri, 14 Mar 2008 15:49:00 GMT

We announced it recently: Be acquired the U-Prove technology by a company called Credentica and quite some key members of Credentica have joined us. When we announced it, my excitement was – well – limited. It was another company we bought. But when I started to look into it, I started to understand the potential of the technology.

Think about the following scenario: You want to offer a chartroom for teenagers. Typical problem of this scenario is, how do you make sure that the teen can come in and the perverts stay out and leave the teens alone? What you usually do is, collecting all kinds' o information (name, address etc) in trying to find a way proving the age. With that, you just created a privacy problem and probably not, what I would like to see as a parent. So, U-Prove now allows you to verify an attribute of the identity (in this case the age) without revealing the whole identity. If you think it through, this gives you all new ways of creating tailored services without having to care about the privacy problems as you do not collect any PII anymore – cool isn't it?

If you want to read more, read Brand's blog (one of the founders of Credentica): http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/

Or Kim Cameron's blog: http://www.identityblog.com/blog.php#post-934

I am looking forward seeing this integrated e.g. into CardSpace and then you adopting it.

Roger