A Practical Look into GDPR for IT – Final Part 3

I have just published here the third and last article of my short series on the EU General Data Protection Regulation 2016/679 (GDPR) for IT.

In this final article I discuss a few points about the managing of data breaches and of the IT measures required to satisfy the citizens’ rights on their personal data managed by IT systems.

A Practical Look into GDPR for IT – Part 2

I have just published here the second article of my short series on the EU General Data Protection Regulation 2016/679 (GDPR) for IT.

In this article I discuss a few points about the risk-based approach requested by the GDPR which introduces the Data Protection Impact Assessment (DPIA), and a few IT security measures which should often be useful to mitigate risks to the personal data.

A Practical Look into GDPR for IT

I have just published here the first article of a short series in which I consider some aspects of the requirements on IT systems and services due to the EU General Data Protection Regulation 2016/679 (GDPR).

I started to write these articles in an effort, first of all for myself, to understand what actually the GDPR requires from IT, which areas of IT can be impacted by it and how IT can help companies in implementing GDPR compliance. Obviously my main interest is in understanding which IT security measures are most effective in protecting GDPR data and which is the interrelation between IT security and GDPR compliance.

Yahoo Breach and GDPR

The Yahoo breach (see here for example) is almost yesterday news (today we are talking about DDoS: in 8 days the record went from 363Gpbs to 620Gpbs, and finally to almost 1Tbps, scary!), but I am now trying to picture such an event in view of the forthcoming European GDPR. My ideas are not too clear about what could be the consequences of the new Regulation (not of the data breach). I expect that in the next year before the Regulation will go into action, we’ll get a better understanding of its consequences.

On the Privacy of Webcams and Security of IoTs

The article ‘“Internet of Things” security is hilariously broken and getting worse’ of ARS Technica shows how, using Shodan , one can find pictures from millions of open Webcams on internet.

The issue is not new but the scale of the problem is threatening. As the article nicely points out:

  • people do not care about the security or privacy features of the devices they buy
  • the important points are cost and easiness to manage (which means it is better if there are no password to access it)
  • only to throw away the device the day they find themselves on Shodan or in a picture on a newspaper and say “never again”.

But who is going to do something about it? Who should defend the privacy of people and the security of Internet? Should the IoT market be regulated or self-regulated or something in between?

Marketing and Internet Surveillance

The blog post “The Internet of Things that Talk About You Behind Your Back” by Bruce Schneier is really creepy. But it isn’t new, it is just getting worse.

In IT Security, the problem of undetected communication covert channels is old and well known. Also the fact that internet marketing adopts approaches and technologies that some times are close to it, is well known.

What it is worrisome is the extent to which we are getting. There are various aspects to it.

One is the legal aspect, that is what the legislations allow and how much they protect citicizens from excesses: it would be interesting to compare current legislations between different countries, from the USA to EU, Canada, Brazil, Russia, India, China, Japan etc.

On the technical side, devices like PCs and some tablets allow the user some choices like use different browsers (even Tor), manage cookies (in particular 3rd party cookies) etc., even if it is usually difficult to really be anonymous on internet unless extra precautions are taken (and many users will not be able to adopt similar precautions).

On smaller devices, like smartphones and “smart” objects like watches etc., choices are much more limited but with a little bit of effort the user can do something to protect him/herself from this kind of surveillance.

On IoT devices at the moment there seems to be nothing that the user can do, it is either use it and be traced, or do not use / buy it at all. For these devices, legislation could be the only way of giving the user some choices.

Finally, how many users are even aware of this kind of Internet Surveillance? How many would object if they knew?

A new dress for my website … and thoughts on net “sociality”

Today I released a new version of the UCCI.IT website: a new, responsive, graphic format which has a nice display on all devices, from the standard desktop PC to the smartphones, and a complete revision and re-organization of the material.

This lead me to think again about what it means to be on-line, to divulge information about ourselves to the internet world, which by now is a big part of the real world.

I do not really know the answer to this question, I just see that we keep changing the way in which we use the internet as a tool to communicate. This is related to the introduction of new or improved technologies, but also to the current trends: a few years ago we were all for websites, then for blogs, after that for social networks (which are still really going strong) but recently I found myself going back to the very old, almost pre-internet, email-list technology. I hear friends say that they have almost closed down their website and/or their blog, others who have left the social networks, others who do not use email anymore but only a chat App on their smartphones. It seems to me that we are confused, or, at least, I am confused.

I close with the following personal notes that I wrote a couple of years ago:

Dilemma: air my ideas on the cyberspace, get friends and followers or keep it all to myself and the occasional (voice) chat?

Where does privacy end and community begin?

Internet, Privacy and Televisions

It seems that television (hardware) makers do not have very clear ideas (or have understood it too well) of which kind of information one can extract from private people when their televisions are connected to internet. Here is a possibly disturbing but not surprising story.

Obviously the televisions will ‘call home’ for a variety of reasons and purposes, and this is part of having the television connected to internet. What it should also be spelled out clearly, is what the television reports back about its owner.

Linkedin Intro-duces Intro

Linkedin has introduced a service called Intro for the moment for Iphone users. Here are some details about it.

I am very puzzled by the “How it works” details, and in particular for all possible kind of issues with the possible use of private, personal or company information. Here there are some relevant arguments against this new service which are worth reading and considering.

Device fingerprinting and user tracking

A recent study by KU Leuven-iMinds researchers points out that device and web-browser fingerprinting is on the raise, in spite of all efforts to limit it like the introduction of the “Do Not Track” HTTP Header.

This does not surprise me since advertisment and marketing are usually at odds with privacy and it is not well understood by most what is the real meaning and breath of the information that it is possible to collect by tracking users on internet.

On the other side, device fingerprinting is a very useful tool for ICT security of web transactions: knowing which device is making the transaction and to which user is (usually) associated, added to the geolocalization of IP addresses and other information, can make the difference between a valid transaction and an attempted fraud.

At the end the most important issue is by whom and how a tool is used, and this holds true in particular for security tools: a gun in the hand of a policeman should be used to a good end, but the same gun in the hand of a thief should be illegal.