Security

  • French Customs censured for illegal retention of personal data

    CNIL logoFrench IT news site Le Monde Informatique reports that the French Customs authorities have been sent a formal notice by the CNIL, France’s data privacy regulator, in respect of an illegal data file containing the details of more than 45,000 people, including copies of identity documents and records of criminal offences.

    French Customs logoBusinesses are not the only organisations with which the CNIL has found fault for holding illegal files containing personal data. Public sector organisations can also fall foul of the law.

    The French Customs authorities, which come under the control of the Ministry for the Economy have been caught red-handed following a report in respect of Customs’ file used for recording information about vessels and their crews which is known as SIRENE. Intended to identify all the people checked at sea or in port in order to combat fraud, this system was in fact developed and implemented with no legal basis and not in accordance with the law, according to the CNIL

    Checks were carried out by Customs’ Channel-North Sea-Atlantic coastguard service and inspections revealed that recourse to this system did not comply with France’s Data Protection Act. This data system actually lists information about the vessels checked and their passengers, including personal information such as marital status, address, occupation and copies of identity documents, as well as criminal convictions (drug trafficking, counterfeiting, off-the-books employment, failure to co-operate, sexual assault, possession of illegal weapons, intentional homicide and murder).

    6 months to comply or be fined

    All told, the details of 45,793 persons – including 392 minors – are included in the SIRENE file. “The creation and use of the SIRENE file are not provided for by any legislation (for example a law or a decree). In addition, the CNIL has not received a request for an opinion concerning its implementation, in violation of the Data Protection Act (articles 87 and 89, the CNIL explained. Other grievances have also been lodged against the Ministry for the Economy, such as the failure to send an impact assessment in respect of the protection of personal data and the lack of a clear distinction between the data of the different categories of persons concerned. or the fact that the latter were not made aware that their data had been included.

    Following the CNIL’s formal notice, the Ministry for the Economy and Customs have 6 months to comply otherwise a penalty could be issued.

  • Seriously

    The language used in official responses to news stories seems to have been rigid and formulaic in recent times, particularly amongst those organisations within or linked to the public sector.

    Today’s edition of The Register reports that ACRO, the UK’s Criminal Records Office was taken offline due to a security breach. The site currently displays a holding page blaming ‘technical issues‘, a fine example of misleading bureaucratic language.

    This is the site’s holding page as this post is published.

    Text reads Thank you for your patience as we work through our technical issues. To obtain an application form for a POLICE CERTIFICATE, send the applicant name and date of birth to: Policecertificateapp@acro.police.uk. To obtain an application form for INTERNATIONAL CHILD PROTECTION CERTIFICATE, send the applicant name and date of birth to: icpcapplication@acro.police.uk. Please do not send an email to the above addresses if you have already submitted a form. Someone will contact you to take payment. For future updates on this matter please see our customer services Twitter account:   https://twitter.com/ACRO_Police_CST

    El Reg notes that manages ACRO people’s criminal record information, running checks as needed on individuals for any convictions, cautions, or current prosecutions. It with British police and businesses, as well as exchanging this data with other countries, particularly where people wish to move or emigrate to another country and a certificate of good behaviour is required from the British police. ACRO has access to data from the Police National Computer via an information sharing agreement with the Cabinet Office.

    The data typically handled by ARCO includes name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions.

    Earlier this week, ACRO emailed users to inform them that it had “recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023“, adding that “we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right that we inform you of the situation. We are very sorry that because of your interaction with ACRO your data could have been affected, and we are working tirelessly to resolve this matter.”

    Anonymous generic hacker complete with hoodie

    The message went on to say that “robust measures” had been taken as soon as the breach was discovered. It won’t be the first time that pulling the plug on a website has been described by a public sector organisation spokesperson as “robust”, If your systems were truly “robust”, taking the site offline would not have been necessary.

    After intoning the “robust” mantra, ARCO then goes on to say: “We take data security very seriously and will ensure that the matter is fully investigated…. Translating this into plain English, this means “Oh dear! We’ve been caught out!”

    The fact that ARCO had not taken data security “very seriously” is clearly highlighted by two facts:

    • Firstly, ARCO did not notice crooks were gaining access to its computer systems for more than two months; and
    • Secondly, it has now freely admitted that it is going to take steps to find out how the breach happened and prevent its reoccurrence. A clear case of that old adage of shutting the stable door after the horse has bolted.

    The public sector relies heavily on public trust to do its work. If it really does want to be taken seriously, tough measures need to be taken and implemented, not just for IT security, but in connection a very ancient and fundamental idea: that of honesty.

  • Czech government using open source web analytics

    Czechia coat of armsJoinup, the EU’s open source news site, reports that the Czech Republic is to begin using the Matomo open source web analytics tool on the Czech citizen portal and gov.cz websites, where it will replace Google Analytics.

    This change will ensure that the data by the sites collected will stay within the EU and, as the Czech administration will be using its own instance of Matomo, it will retain full control of the records.

    The change was triggered by an open letter sent by the Czech the digital freedom watchdog luridicum Remedium after it noticed the Czech state vaccination system website was using Google Analytics during the COVID-19 crisis. The Czech Data Protection Authority and public sector strategic partner NAKIT then pursued the matter and replaced Google Analytics with Matomo on Czechia’s Ministry of Health website. This move later led to further action and the country will continue following this trend on public sector websites.

    Previously named Piwik, Matomo has been in development since 2007 and is presently deployed on 1.4 million websites, including those of NASA, the European Commission, the United Nations and Amnesty International.

    The Czech decision to choose Matomo follows those of other European countries seeking to keep control of their citizens’ data. Last year the French and Austrian data protection authorities determined that Google Analytics was not compliant with EU data privacy standards, in particular because Google’s data transfers to the United States are contrary to the EU’s General Data Protection Regulation (GDPR).

  • LibreOffice & Nextcloud for EU Institutions

    EU flagEU data protection authorities have negotiated a contract for the use of Nextcloud and LibreOffice Online in EU institutions. They are now testing the solutions, German IT news heise reports.

    Data protection-friendly alternatives

    It was announced last Wednesday that the European Data Protection Supervisor Wojciech Wiewiórowski and his team have begun testing both solutions this month. In coming months they want to examine “how these can tools support EU day-to-day work“. This pilot phase is part of a larger IT reflection process that the EDPS already started last year aimed at encouraging EUIs to consider alternatives to large-scale service providers to ensure better compliance with Regulation (EU) 2018/1725.

    By procuring the Open Source Software from one single entity in the EU, the use of sub-processors is avoided. In doing so, the EDPS avoids data transfers to non-EU countries such as the USA and allows for more effective control over the processing of personal data.

    According to Mr Wiewiórowski, “Open Source Software offers data protection-friendly alternatives to commonly used large-scale cloud service providers that often imply the transfer of individuals’ personal data to non-EU countries. Solutions like this may therefore minimise reliance on monopoly providers and detrimental vendor lock-in. By negotiating a contract with an EU-based provider of cloud services, the EDPS is delivering on its commitments, as set out in its 2020-2024 Strategy, to support EUIs in leading by example to safeguard digital rights and process data responsibly“.

    Microsoft Office in the sights

    Mr Wiewiórowski has already examined the contracts which EU institutions have with Microsoft and reached the conclusion in 2020 that the data processing purposes when using Windows or Microsoft Office had been defined far too openly. Processing contractors were not adequately audited and data could be transferred too easily by EU institutions to countries outside the Union. At the time, he demanded that Microsoft should only retain user information within the EU. The roles of all those involved with all their rights and obligations must be clearly regulated. Furthermore, Users should look around for alternatives that “enable higher data protection standards“.

    The EDPS started further investigations into the use of Microsoft and Amazon cloud services by EU institutions. These entailed the use Microsoft Office 365 by the EU Commission. According to Wiewiórowski many contracts were concluded prior to the “Schrems II Judgment” and had to be examined in the light of the European Court of Justice case law.

  • Germany – photographing illegal parking is lawful

    German newspaper <a href="https://www.welt.de/regionales/bayern/article241937155/Urteil-Buerger-duerfen-Falschparker-fuer-Anzeige-fotografieren.html".Die Welt states that it’s so obvious: people wanting to report an illegal parker just pull out their smartphone and then send the picture to the police. However, two men in Bavariahad trouble with the state’s data protection authorities. A court has now decided who acted corrected.

    A Ferrari parked on the footway being booked in Munich. Image courtesy of Wikimedia Commons
    A Ferrari parked on the footway being booked in Munich.
    Image courtesy of Wikimedia Commons

    Anyone who sends photos of illegal parkers as part of a report to the police does not normally violate data protection legislation. This emerged on Thursday from two landmark rulings published by the Ansbach Administrative Court. With these the court agreed with two men who corroborated their reports of parking infringements on footways and cycleways with photos. For using this they received a warning and a fine of €100 each from the Bavarian State Data Protection Office (LDA). Both objected and went to court with the support of Deutsche Umwelthilfe e.V. (DUH)

    The administrative court combined the two procedures in a joint hearing because of the identical questions and ultimately ruled that the procedure involved lawful data processing. However, the actual statement of is not available. The verdicts are of fundamental significance from the legal point of view, but are still not absolute.

    The DUH, which supported one of the two plaintiffs in a test case, welcomed the verdict. “Illegal parking is no trivial offence, but endangers people who are travelling by bike, wheeled walking frame, wheelchair or pram”, commented Jürgen Resch, its Federal director. “The authorities should not take action against civil society commitment, but rather take consistent measures against blocked footpaths and cycle paths, illegal parking in front of dropped kerbs or at junctions; and do so not just in Bavaria, but nationwide.»

    The crux of the proceedings was the question of whether digital transmission of the photos constituted lawful data processing within the meaning of the General Data Protection Regulation since there must be a legitimate interest in forwarding the image files. On the other hand, data transmission and processing must be necessary.

    Accordingly, the parties to the proceedings before the court argued about whether the plaintiffs had to be personally affected by the parking violations and whether a written or telephone description of the facts including the vehicle registration number, was not sufficient. In addition, the LDA pointed out that other data such as other cars with registration plates and people can often be seen in the pictures. In reply, the plaintiffs stressed that the police had asked them to document the parking situation as accurately as possible with photos as evidence.

    The LDA stated that once the judgment’s statement of grounds was available, it would examine whether the decision was an individual case or whether a reassessment of the use of photos in public places that was critical for data protection had been initiated. In addition, it wants to agree clear and uniform guidelines with the police regarding which information is required when reporting illegal parking and which communication channel should be used.

  • Chrome’s incognito mode is anything but – allegedly

    Google Chrome iconGoogle Chrome is a cross-platform web browser first introduced in 2008. Based largely on the open source Chromium browser, perhaps the best description for it is proprietary freeware.

    French IT news website Le Monde Informatique reports that a federal judge in California is examining complaints against Google alleging that the company is tricking users into believing that their private life is protected when using the browser’s incognito mode. The lawsuit which was initiated before the North California District Court more than 2 years ago by 5 users is now awaiting a more recent petition from these plaintiff in a class action. One of the complaints concerns Chrome users with a Google account who accessed a non-Google website containing Google tracking or advertising code and who were browsing in incognito mode; a second covers all users of Safari, Edge and Internet Explorer with a Google account who accessed a non-Google website containing Google tracking or advertising code in private browsing mode. According to legal documents first disclosed by Bloomberg, Google employees joked about the browser’s incognito mode and the fact that it was not really private. They also took the company to task for not having done more to provide users with the privacy they though they were enjoying.

    Judge Yvonne Gonzalez Rogers, who presides over the United States District Court for the Northern District of California, will decide whether the tens of thousands of users of Chrome’s incognito mode can be grouped together to seek statutory damages of $100 to $1,000 per violation, which could potentially increase the fine to over $5 bn. The definition of the word incognito is to disguise or conceal one’s identity. The confidentiality settings of web browsers are intended to delete local traces of sites visited by a user, as well as web searches and information provided when filling in online forms. Simply put, private modes such as incognito are not supposed to track and record data from web searches and sites visited by users. Google is also facing proceedings linked to user confidentiality from the justice ministers and public prosecutors of several federal states including Texas, the District of Columbia and Washington. Earlier this month Google settled a lawsuit filed by the attorney general of Arizona for $85 mn. Initially filed in June 2020, the class action was asking for at least $5 bn., accusing Google of surreptitiously collecting data on what people were viewing online and where they were browsing despite using private browsing mode. Lawyers for the plaintiffs say they have a large number of internal Google emails proving that managers have known for years that private browsing mode does not do what it claims. When a user chooses to use this incognito mode, Google’s browser is supposed to delete browsing history and cookies automatically at the end of a session.

    Data sold for advertising purposes in auctions

    The plaintiffs, who are Google Account holders, alleged that the search engine collected their data, distributed it and sold it for targeted advertising through a real-time auction system (RTB). LThe plaintiffs allege that even in incognito mode, Google can see what sites Chrome users are visiting and collect data by means which include Analytics, digital fingerprinting techniques, concurrent applications and processes on a user’s device and AdManager. The latter is a Google service enabling businesses to distribute and create web, mobile and video advertising reports for a company.

    According to one report, more than 70% of all website use one of more of Google’s services. More specifically, the plaintiffs allege that every time a user with private browsing mode active visits a website running Analytics or AdManager, the search giant’s software scripts on the site surreptitiously order the user’s browser to send a secret separate message to its servers in California. “Google learns exactly what content the user’s browser software was asking the website to display, and it also passes a header containing the URL information of what the user viewed and requested online. Device IP address, geolocation data and user ID are all tracked and logged by Google”, according to one report in the lawsuit. “Once collected, this mountain of data is analyzed to build digital records on millions of consumers, in some cases identifying us by name, gender, age, and medical conditions and political issues we researched online”, the lawsuit claims.

    Truly private browsing results in loss of revenue

    In March 2021, a California judge denied 82 motions by Google’s attorneys to end the lawsuit and ruled against the company, allowing it to proceed. In July that year the company was sentenced to pay almost one million dollars in legal fees and expenses as a penalty for not having disclosed evidence concerning the lawsuit in a timely manner.

    This week a spokesperson for Google told the Washington Post it had been frank with users about what its incognito mode offers in terms of privacy and that the plaintiffs “deliberately misrepresented our statements”. Jack Gold, senior analyst at J. Gold Associates, said the company makes the majority of its revenue by tracking everyone and selling ad space. “If they’re really creating a completely private browsing experience, then the revenue stream is gone,” he said. “So, I suspect there is a ‘balancing act’ going on internally as to where the borders are around privacy vs. tracking. No company builds a free browser without being able to generate revenues somehow”. The plaintiffs in the case said they chose “private browsing mode” to prevent others from learning what they’re viewing on the internet. When it comes to using Google Chrome and other browsers, “let the user beware,” Gold said. “You have to trust the maker to take care of your privacy, but it’s not always in their best interest to do so”.

  • Introducing Ubuntu Pro beta

    Ubuntu logoCanonical is currently offering a public beta version of Ubuntu Pro, giving Ubuntu Linux users extended maintenance and security compliance for software packages ranging from the Node.js runtime to Python 2 and Rust. Security cover will be extended for average and high common vulnerabilities and exposures (CVE) for thousands of applications and toolchains including Ansible, Apache Tomcat, Apache Zookeeper, Docker, Drupal, Node.js, Puppet, Python 2, Rust and others.

    A free thirty days trial is available for businesses. Ubuntu Pro is available for data centres and workstations. A free level is being offered for small-scale personal use (up to 5 machines).

    Since the launch of Ubuntu LTS with 5 years support for the main operating system, businesses have asked the supplier to cover a larger area of the open source landscape under private commercial agreements. These benefits are now offered free of charge to anyone with a free personal subscription to Ubuntu Pro. This may also be combined with 24/7 enterprise level for the Ubuntu operating system.

    Ubuntu Pro is available for all Long Term Support (LTS) versions of Ubuntu from version 16.04 LTS upwards. The standard Ubuntu Pro subscription covers security updates for all Ubuntu packages. In addition, Canonical’s Ubuntu Advantage for Infrastructure subscription has been renamed Ubuntu Pro (Infra-only) with no change in its price or range. The Infra-Only subscription covers the base operating system and the private cloud components required for large-scale and bare metal and excludes wider cover for applications. Subscribing to Ubuntu Pro costs US $25 dollars per year excl. tax for one workstation or US $500 dollars per year for a server. On public clouds Ubuntu Pro costs some 3.5% of the average cost of the underlying processing environment.

  • Family matters

    There are some writers whose importance does not diminish with their demise. Take, for example, the ancient Athenian playwright Aristophanes; his plays are still being staged nearly two and half millennia after his death; then there’s that genius in understanding human emotions and the human condition, William Shakespeare.

    George Orwell press card photoTo these giants of literature, your ‘umble scribe would add the name of George Orwell. Even though he died in 1950, his works still seem startlingly relevant to life in the 21st century and its politics in particular. The major annual prize for political writing in the English Empire (which some still call the United Kingdom. Ed.) is named after him.

    Nineteen Eighty-Four (in words, not numerals. Ed.), which was written in 1948 and published in 1949, was intended as a warning against authoritarianism and oppression. However, successive twenty-first century governments seem to have used it as a manual for the implementation of mass surveillance of the population and the removal of their right to privacy, particularly as regards the use of information technology (via e.g. the Regulation of Investigatory Powers Act 2000); and all in the name of so-called security.

    What has been exercising your correspondent this morning is a particular passage from The Lion and the Unicorn: Socialism and the English Genius. This was an essay written in 1941 during World War 2 relating to the state of the English, as opposed to the British. In particular, it highlights the outdated English class system as a major impediment in the mid-20th century, as exemplified below.

    England is not the jewelled isle of Shakespeare’s much-quoted message, nor is it the inferno depicted by Dr Goebbels. More than either it resembles a family, a rather stuffy Victorian family, with not many black sheep in it but with all its cupboards bursting with skeletons. It has rich relations who have to be kow-towed to and poor relations who are horribly sat upon, and there is a deep conspiracy of silence about the source of the family income. It is a family in which the young are generally thwarted and most of the power is in the hands of irresponsible uncles and bedridden aunts. Still, it is a family. It has its private language and its common memories, and at the approach of an enemy it closes its ranks. A family with the wrong members in control – that, perhaps, is as near as one can come to describing England in a phrase.

    Looking at the cupboards bursting with skeletons, one only has to look at the colonial oppressors and crooks that our Victorian forebears sought to elevate to figures of admiration, such as Robert ‘Lord Vulture’ Clive, who used his position in the East India Comp;any for personal enrichment and the likes of Waterloo hero Thomas Picton, formerly a sadistic and cruel governor of Trinidad. Both Clive and Picton have featured in the recent statue wars where the right wing, including government ministers, sought to deny the brutality of empire and its legacy. Sorry, but introducing the system of common law and the game of cricket are not adequate compensation for centuries of plunder, expropriation, conquest, repression and genocide.

    Looking at the deep conspiracy of silence about the source of the family income, there has yet to be any official acknowledgement that the family income from the late 16th century onwards was based upon piracy and then increasingly upon slavery, for which some former British Caribbean colonies are clamouring increasingly for reparations.

    Elizabeth Mary Truss, alleged Prime Minister of the English EmpireFinally, let’s come to that family with the wrong members in control. They don’t come more wrong than the current occupant of Number 10 Downing Street, one Elizabeth Mary Truss.

    Truss is clearly an admirer – and blatant imitator – of her Tory predecessor Margaret Thatcher, who did so much to destroy the British economy and society in the 1980s. However, what really grates with many people is the manner in which Truss was elevated to the premiership, i.e. elected to the leadership of her party by its 160,000 strong membership which is mainly elderly, white, male and racist (occasionally referred to as a ‘selectorate‘. Ed.), and thus hardly representative of the country.

    If England truly is akin to a family, it is one that is deeply dysfunctional.

  • DuckDuckGo blocks Microsoft trackers

    French IT news site Le Monde Informatique reports that DuckDuckGo has decided to block Microsoft’s trackers in its mobile browser applications and browser plug-ins in an effort to extend its approach to privacy protection. It had already been criticised at the start of the year on the matter.

    Screenshot of DuckDuckGo search engine

    Protecting internet users from tracking and protecting their anonymity is not simple. DuckDuckGo is part of this move and was very upset to find out that as part of its agreement with the Bing search engine, Microsoft had given the green light for user tracking. This is no longer the case since from that date onwards DuckDuckGo’s CEO, Gabriel Weinberg, has stated that blocking the loading of scripts on websites by the browser was extended to Microsoft’s scripts in DuckDuckGo browser applications for iOS and Android and browser extensions (Chrome, Firefox, Safari, Edge and Opera) and that beta applications will follow next month.

    DuckDuckGo is attempting to block tracking scripts from search engines and sites such as Facebook, as well as other types of tracking scripts or software. It uses what it calls third-party tracking loading protection to prevent these third-party scripts or cookies from being loaded into the browser. If they did, they could track movements on the web and build a profile of the user, their preferences, etc. If other browsers and browser plug-ins also enable users to protect their privacy, DuckDuckGo has made privacy its priority.

    Delayed neutralising

    Mr Weinburg’s decision was taken after the discovery at the start of the year by security researcher Zach Edwards that DuckDuckGo was blocking trackers from Google and Facebook, but was allowing some of Microsoft’s trackers via Linkedin and Bing. The discovery was then reported by BleepingComputer. “Previously, we were limited in how we could apply our third-party tracker download protection to Microsoft tracking scripts due to policy requirements related to our use of Bing as the source of our private search results,” Weinberg explained, adding that, “We’re glad that’s no longer the case. We didn’t have and don’t have similar restrictions with any other company.”

    DuckDuckGo still has an advertising relationship with Microsoft, which it will maintain. Clicking through on advertisements on DuckDuckGo is anonymous and Microsoft has undertaken not to profile DuckDuckGo users. If Microsoft continues to save the user’s link, it will not associate them with a profile. On an updated support page, DuckDuckGo has provided a summary of everything which its its browser authorises and does not authorise, as well as providing details of web tracking protection.

  • Prying Google is not your friend

    The Irish Council for Civil Liberties (ICCL) is pointing its finger at Google for spying on users, French IT news website Le Monde Informatique reports. A real-time bidding (RTB) system which is actively used by the company enables it to follow and share what everyone is looking at or doing online and note down this activity’s location. RTB is the technology underpinning all online advertising and it relies on sharing of personal information without user consent, according to the ICCL.

    Google’s troubles are far from over. Widely singled out for its actions in terms of the use of personal data, the company is now in the spotlight for its tracking and advertising targeting activity. A report (PDF) published by the ICCL on 16 May accuses the search giant of an unprecedented data breach. The report sheds light on the RTB system, which works in the background on websites and in applications. “It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you,” the report states.

    The ICCL report claims it presents the scale of this data breach for the first time.

    This data breach takes place throughout the world. The RTB system “tracks and shares what users are viewing online with their location in real time 294 bn. times in the USA and 197 bn. times in Europe each day”, it states. On average a person in the USA has their online activity and location tracked 747 times a day by those using RTB. In Europe, RTB exposes personal data 376 times a day. In Germany alone, Google sends 19.6 million broadcasts about German Internet users’ online behaviour every minute that they are online. “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data”. It is a high-earning business generating more than $117 bn. in the USA and Europe in 2021.

    Maps of Europe and USA showing billions of daily Google RTB broadcasts

    Advertising is an indispensable condition of this system as the majority of advertising on websites and in applications is placed there using RTB. Advertisers spend $100 bn. annually in the USA and Europe. The RTB market’s estimated value was $91 bn. in the USA in 2021 and €23 bn. in Europe in 2019. It therefore highlights that Americans’ online activity and their locations is exposed 57% more frequently than that of users in Europe.

    Google is one of the five largest users of this real-time bidding system. No fewer than 4,698 US companies are authorised by Google to receive RTB data on people, whilst in Europe the number drops to 1,058 companies. More specifically, the data collected by Google, like what people are looking at online or doing with an application and their ‘hyperlocal‘ geographical location is broadcast 42 bn. times per day in Europe and 31 bn. times daily in the USA.

    The ICCL is working to end the RTB data breach in Europe and has litigation ongoing in three European courts, as follows:

Posts navigation