STE WILLIAMS

Critical Flash update. Patch now!

What’s that you say? A critical vulnerability in Flash?

Why yes.

In news that will surprise nobody, all versions of Flash prior to 28.0.0.161 are harbouring a critical vulnerability that crooks could use to sneak malware on to your computer. Adobe lists this as a priority 2 update, meaning that it hasn’t seen any attacks against this vulnerability in the wild.

Don’t let that assessment, or Flash vulnerability fatigue, be an excuse not to act – it’s not safe to use version 28.0.0.161 of Flash so update it now or, better yet, ditch it entirely.

To understand why urgency is important you need to understand how Flash vulnerabilities can be used against you.

Adobe warns that successful exploitation of the vulnerability could lead to “arbitrary code execution in the context of the current user”. Remote Code Execution (RCE) flaws like this allow hackers to force your computer into running malware.

In the case of a Flash vulnerability like this one, all you have to do is look at the wrong booby-trapped website. Looking at the site is as good as actually downloading a virus and double clicking on it to run it, as far as your computer is concerned.

And we aren’t talking about a danger posed by one or two sites. Cybercriminals are in the business of compromising as many websites as they can.

It’s a numbers game. The danger to you isn’t that you’ll be targeted specifically (unless you’re a high value target), it’s that you’ll be caught in a cybercriminal’s drift net.

To target website visitors in this way the criminals need bugs in browsers or browser plugins that lots and lots of us use. Flash is a perfect candidate because it’s widely deployed and as leaky as a sieve.

And, oh my, are Flash vulnerabilities popular.

The last time we warned you about a critical Flash vulnerability being exploited in the wild was just last month. There was another 0-day in the wild four months before that, in October 2017.

It wasn’t so long ago that Adobe had to band-aid four 0-day patches in four months, releasing critical updates in March, April, May and June of 2016.

That’s not to be confused with the run of 0-days at the start of 2015, when Adobe’s 14 January Patch Tuesday was followed by three more emergency updates on 23 January, 24 January and 3 February.

And those are just the lowlights.

What to do?

Adobe advises that users of Google Chrome will get the update automatically, as will users of Microsoft Edge or Internet Explorer 11 on Windows 10 and Windows 8.1.

For everyone else they suggest:

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system…

…Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 29.0.0.113 via the update mechanism within the product or by visiting the Adobe Flash Player Download Center.
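The per-browser check Adobe describes above comes down to comparing each reported version against the fixed release. The following is an added example, not code from the article or from Adobe: a small Python version-compliance check that parses dotted Flash version strings, compares them numerically rather than as text (the usual mistake in home-grown patch checks, where "9.0.0.1" sorts after "29.0.0.113"), and classifies a per-browser inventory. The fixed version 29.0.0.113 is the one quoted above; the browser names and version strings in the inventory are constructed sample input, and accepting a comma-separated form with a platform prefix (such as "WIN 28,0,0,161") is an assumption about how some Flash interfaces report the version.

```python
"""Classify installed Adobe Flash Player versions against the fixed release.

Added example, not part of the Naked Security article or of Adobe's tooling.
The fixed version (29.0.0.113) comes from the article; the browser names and
version strings in SAMPLE_INVENTORY are constructed sample input.
"""
from __future__ import annotations

import re

# Release that Adobe shipped the fix in, per the advisory quoted in the article.
FIXED_VERSION = "29.0.0.113"

# One to four numeric fields separated by dots or commas.
_VERSION_RE = re.compile(r"^\d+(?:[.,]\d+){0,3}$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a Flash version string into a 4-tuple of ints.

    Accepts '28.0.0.161' as shown in the About dialog, and (assumption) the
    comma-separated form with a platform prefix, e.g. 'WIN 28,0,0,161'.
    Missing trailing fields count as zero; anything else is rejected.
    """
    tokens = text.split()
    if not tokens:
        raise ValueError("empty version string")
    candidate = tokens[-1]  # drop an optional platform prefix such as 'WIN'
    if not _VERSION_RE.match(candidate):
        raise ValueError(f"not a Flash version string: {text!r}")
    parts = [int(p) for p in re.split(r"[.,]", candidate)]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(reported: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the reported version is at or above the fixed version.

    Comparing tuples of ints field by field avoids the string-comparison bug
    where '9.0.0.1' would be judged newer than '29.0.0.113'.
    """
    return parse_version(reported) >= parse_version(fixed)


def triage(inventory: dict[str, str | None]) -> dict[str, str]:
    """Classify each browser's Flash install.

    'patched'    - at or above FIXED_VERSION
    'vulnerable' - below FIXED_VERSION
    'absent'     - no plugin reported (the safest state, per the article)
    'unknown'    - version string could not be parsed; treat as needing review
    """
    result: dict[str, str] = {}
    for browser, version in inventory.items():
        if version is None:
            result[browser] = "absent"
            continue
        try:
            result[browser] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            result[browser] = "unknown"
    return result


# Constructed sample inventory: what a per-browser check might hand back.
SAMPLE_INVENTORY: dict[str, str | None] = {
    "Chrome": "29.0.0.113",
    "Firefox": "28.0.0.161",
    "Internet Explorer 11": "WIN 28,0,0,137",
    "Safari": None,
    "Opera": "n/a",
}

if __name__ == "__main__":
    for browser, status in triage(SAMPLE_INVENTORY).items():
        print(f"{browser:22s} {status}")
```

Anything not reported as "patched" or "absent" is worth a closer look: "unknown" usually means the check hit a dialog or page layout it did not expect, not that the plugin is safe.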

My advice? Sticking with Flash is what the cybercriminals most want you to do.

Adobe is calling time on Flash at the end of 2020. History suggests it’ll be a lively three years for Flash holdouts. The best way to protect yourself? Don’t be one of them.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/x77TqvrlQyE/


Ex-GCHQ boss: All the ways to go after Russia. Why pick cyberwar?

Former boss at Brit electronic spy agency GCHQ, Robert Hannigan, has called for the application of “unexplained wealth orders” and economic sanctions against Russia rather than cyber attacks.

Appearing on Radio 4’s flagship Today programme this morning (Tuesday from 2:20-2:25), Hannigan said starting a cyber-conflict against Russia would play into Russian President Vladimir Putin’s narrative – and would in any case be ineffective as a lever to apply political pressure to the Kremlin.

Hannigan damped down talk in the UK media that cyber attacks against Russia might form part of the response to poisoning of Russian-born double agent Sergei Skripal and his daughter in the medieval cathedral city of Salisbury in southern England last week.

He cited UK government statements to explain this was either a state-run operation or that Russia had lost control of a chemical weapons agent. This follows Russia’s highly contentious annexation of Crimea back in 2014.

Reprisals should work to “contain Russia”, he said, and show it what the consequences of acting as a “rogue nation” would be. As well as the expulsion of diplomats “on a scale we haven’t seen since the Cold War” there should be economic consequences, targeting wealthy individual Russians and their assets in London as well as investments in Russia.

“These overseas adventures are his [Putin’s] way of wrapping himself in a nationalist flag,” Hannigan said. “We shouldn’t play to that narrative: we should just firmly, with other nations, start to push back.”

Asked about possible cyber reprisals, Hannigan argued these were not a good option.

“Everybody is looking around for something dramatic to do,” he said. “But starting a cyber conflict – which of course we could do, we could do destructive things in cyberspace because we have great capabilities – would benefit no one. It would put us in the wrong place.”

It’s possible to do “great damage” to anything that’s networked, at the most destructive end of the cyber-attack options, Hannigan said. “I don’t think we should be going there because that would play to the Russian narrative – we are not outside the international rules of civilised nations and we don’t want to be,” the former spy chief said, adding: “We play by the rules that most nations do”.

Asked about the possibility that covert cyber action was already ongoing, Hannigan said that it would be “unwise” for him to talk about covert actions. “The covert work is going to be targeted at individuals and organisations that are responsible for this terrible crime,” Hannigan said. “The idea of launching some large scale cyber conflict against Russia makes no more sense than launching a military conflict against Russia.”

Russia is prepared to switch off domestic power in Ukraine as part of its campaign but Western countries aren’t prepared to do that against Moscow because we are “ethical” and “play by different standards,” Hannigan concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/14/russia_cyberwar_speculation/


WhatsApp agrees not to share user info with the Zuckerborg… for now

WhatsApp has agreed not to share users’ data with parent biz Facebook after failing to demonstrate a legal basis for the ad-fuelling data slurp in the EU.

The move comes after a years-long battle between the biz and European data protection agencies, which argued that changes to WhatsApp’s small print hadn’t been properly communicated and didn’t comply with EU law.

An investigation by the UK’s Information Commissioner’s Office, which reported today, confirmed the biz has failed to identify a legal basis for sharing personal data in a way that would benefit Facebook’s business. Moreover, any such sharing would have been in breach of the Data Protection Act.

In response, WhatsApp has agreed to sign an undertaking (PDF) in which it commits not to share any EU user data to any other Facebook-owned company until it can comply with the incoming General Data Protection Regulation.

The ICO celebrated the deal as a “win for the data protection of UK customers” – a statement that Paul Bernal, IP and internet law expert at the University of East Anglia, said he agreed with only up to a point.

“This is indeed a ‘win’, but a limited one,” he told The Register. “It’s only a commitment until they believe they’ve worked out how to comply with the GDPR – and I suspect they’ll be working hard to find a way to do that to the letter rather than to the spirit of the GDPR.”

Using consent as the lawful basis? No dice

At the heart of the issue is consent. In summer 2016, a privacy policy update said that, although it would continue to operate as a separate service, WhatsApp planned to share some account information, including phone numbers, with Facebook for targeted advertising, business analysis and system security.

Although users could withhold consent for targeted advertising, they could not for the other two purposes – any users that didn’t like the terms would have to stop using WhatsApp.

The EU data protection bodies have previously said that this “like it or lump it” approach to service use doesn’t constitute freely given consent – as required by EU rules.

Similarly, they felt that WhatsApp’s use of pre-ticked boxes was not “unambiguous” and that the information provided to users was “insufficiently specific”.

The ICO has also noted that matching account data might lead to “privacy policy creep”, with further uses of data slipping into the Ts&Cs unnoticed by users.

The investigation – which looked only at situations where WhatsApp wanted to share information with Facebook for business interests, not service support – confirmed concerns that the policy wasn’t up to scratch.

Information commissioner Elizabeth Denham said WhatsApp had not identified a lawful basis for processing, or given users “adequate fair processing information” about any such sharing.

“In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained,” she said.

She added that if the data had been shared, the firm “would have been in contravention of the first and second data protection principles” of the UK’s Data Protection Act.

WhatsApp has maintained that it hasn’t shared any personal data with Facebook in the EU, but in a letter to the biz’s general counsel Anne Hoge, Denham indicated that this had not been made clear at the outset.

Denham wrote that the initial letter from WhatsApp had only stated data sharing was paused for targeted ads. It was, she said, “a fair assumption for me to make” that WhatsApp may have shared data for the other two purposes, “but have at some point since that letter decided to pause” this too.

However, she said that since WhatsApp has “assured” the ICO that “no UK user data has ever been shared with Facebook”, she could not issue the biz with a civil monetary penalty and had to ask WhatsApp to sign the undertaking instead.

Next up: Legitimate interests

Denham’s letter makes it clear that the companies will be working to make sure that data sharing can go ahead in a lawful way, particularly for system security purposes, for which it may consider using the “legitimate interests” processing condition.

She noted that there would be “a range” of legitimate interests – such as fighting spam or for business analytics – but that in all cases it would need to show that processing was necessary to achieve it, and balance it against individuals’ rights.

Bernal said that if the biz had any plans to use the consent condition for processing, it “will need huge scrutiny”.

“It’s almost impossible for most users to understand what they’re really consenting to,” he said. “And if ordinary users can’t understand, how can they consent?”

Jon Baines, data protection adviser at Mishcon de Reya, also noted that the fact WhatsApp had held its ground on what he described as a “key point” could put the ICO in a difficult position down the line.

“It’s very interesting that the ICO is classing this as a ‘win’, because – although on the surface it seems like a success – it’s notable that WhatsApp have reserved their position on a key point, which is whether the processing in question falls under the UK’s remit by virtue of the fact that it takes place in the UK on users’ devices,” he said.

“Normally the effect of an informal undertaking will be to encourage a data controller voluntarily to take or cease action, to avoid the need for legal enforcement which would otherwise be available.

“Here, should WhatsApp subsequently fail to perform the undertaking, the ICO might be compromised if there is no clear basis on which it can follow up with enforcement action.”

In a statement sent to The Register, WhatsApp emphasised the pause it had put on data sharing. “As we’ve repeatedly made clear for the last year we are not sharing data in the ways that the UK Information Commissioner has said she is concerned about anywhere in Europe.”

It added that it “cares deeply” about users’ privacy and that “every message is end-to-end encrypted”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/14/whatsapp_facebook_user_info/

WhatsApp agrees not to share user info with the Zuckerborg… for now

WhatsApp has agreed not to share users’ data with parent biz Facebook after failing to demonstrate a legal basis for the ad-fuelling data slurp in the EU.

The move comes after a years-long battle between the biz and European data protection agencies, which argued that changes to WhatsApp’s small print hadn’t been properly communicated and didn’t comply with EU law.

An investigation by the UK’s Information Commissioner’s Office, which reported today, confirmed the biz has failed to identity a legal basis for sharing personal data in a way that would benefit Facebook’s business. Moreover, any such sharing would have been in breach of the Data Protection Act.

In response, WhatsApp has agreed to sign an undertaking (PDF) in which it commits not to share any EU user data to any other Facebook-owned company until it can comply with the incoming General Data Protection Regulation.

The ICO celebrated the deal as a “win for the data protection of UK customers” – a statement that Paul Bernal, IP and internet law expert at the University of East Anglia, said he agreed with only up to a point.

“This is indeed a ‘win’, but a limited one,” he told The Register. “It’s only a commitment until they believe they’ve worked out how to comply with the GDPR – and I suspect they’ll be working hard to find a way to do that to the letter rather than to the spirit of the GDPR.”

Using consent as the lawful basis? No dice

At the heart of the issue is consent. In summer 2016, a privacy policy update said that, although it would continue to operate as a separate service, WhatsApp planned to share some account information, including phone numbers, with Facebook for targeted advertising, business analysis and system security.

Although users could withhold consent for targeted advertising, they could not for the other two purposes – any users that didn’t like the terms would have to stop using WhatsApp.

The EU data protection bodies have previously said that this “like it or lump it” approach to service use doesn’t constitute freely given consent – as required by EU rules.

Similarly, they felt that WhatsApp’s use of pre-ticked boxes was not “unambiguous” and that the information provided to users was “insufficiently specific”.

The ICO has also noted that matching account data might lead to “privacy policy creep”, with further uses of data slipping into the TsCs unnoticed by users.

The investigation – which looked only at situations where WhatsApp wanted to share information with Facebook for business interests, not service support – confirmed concerns that the policy wasn’t up to scratch.

Information commissioner Elizabeth Denham said WhatsApp had not identified a lawful basis for processing, or given users “adequate fair processing information” about any such sharing.

“In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained,” she said.

She added that if the data had been shared, the firm “would have been in contravention of the first and second data protection principles” of the UK’s Data Protection Act.

WhatsApp has maintained that it hasn’t shared any personal data with Facebook in the EU, but in a letter to the biz’s general counsel Anne Hoge, Denham indicated that this had not been made clear at the outset.

Denham wrote that the initial letter from WhatApp had only stated data sharing was paused for targeted ads. It was, she said, “a fair assumption for me to make” that WhatsApp may have shared data for the other two purposes, “but have at some point since that letter decided to pause” this too.

However, she said that since WhatsApp has “assured” the ICO that “no UK user data has ever been shared with Facebook”, she could not issue the biz with a civil monetary penalty and had to ask WhatsApp to sign the undertaking instead.

Next up: Legitimate interests

Denham’s letter makes it clear that the companies will be working to make sure that data sharing can go ahead in a lawful way, particularly for system security purposes, for which it may consider using the “legitimate interests” processing condition.

She noted that there would be “a range” of legitimate interests – such as fighting spam or for business analytics – but that in all cases it would need to show that processing was necessary to achieve it, and balance it against individuals’ rights.

Bernal said that if the biz had any plans to use the consent condition for processing, it “will need huge scrutiny”.

“It’s almost impossible for most users to understand what they’re really consenting to,” he said. “And if ordinary users can’t understand, how can they consent?”

Jon Baines, data protection adviser at Mishcon de Reya, also noted that the fact WhatsApp had held its ground on what he described as a “key point” could put the ICO in a difficult position down the line.

“It’s very interesting that the ICO is classing this as a ‘win’, because – although on the surface it seems like a success – it’s notable that WhatsApp have reserved their position on a key point, which is whether the processing in question falls under the UK’s remit by virtue of the fact that it takes place in the UK on users’ devices,” he said.

“Normally the effect of an informal undertaking will be to encourage a data controller voluntarily to take or cease action, to avoid the need for legal enforcement which would otherwise be available.

“Here, should WhatsApp subsequently fail to perform the undertaking, the ICO might be compromised if there is no clear basis on which it can follow up with enforcement action.”

In a statement sent to The Register, WhatsApp emphasised the pause it had put on data sharing. “As we’ve repeatedly made clear for the last year we are not sharing data in the ways that the UK Information Commissioner has said she is concerned about anywhere in Europe.”

It added that it “cares deeply” about users’ privacy and that “every message is end-to-end encrypted”. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/14/whatsapp_facebook_user_info/

WhatsApp agrees not to share user info with the Zuckerborg… for now

WhatsApp has agreed not to share users’ data with parent biz Facebook after failing to demonstrate a legal basis for the ad-fuelling data slurp in the EU.

The move comes after a years-long battle between the biz and European data protection agencies, which argued that changes to WhatsApp’s small print hadn’t been properly communicated and didn’t comply with EU law.

An investigation by the UK’s Information Commissioner’s Office, which reported today, confirmed the biz has failed to identity a legal basis for sharing personal data in a way that would benefit Facebook’s business. Moreover, any such sharing would have been in breach of the Data Protection Act.

In response, WhatsApp has agreed to sign an undertaking (PDF) in which it commits not to share any EU user data to any other Facebook-owned company until it can comply with the incoming General Data Protection Regulation.

The ICO celebrated the deal as a “win for the data protection of UK customers” – a statement that Paul Bernal, IP and internet law expert at the University of East Anglia, said he agreed with only up to a point.

“This is indeed a ‘win’, but a limited one,” he told The Register. “It’s only a commitment until they believe they’ve worked out how to comply with the GDPR – and I suspect they’ll be working hard to find a way to do that to the letter rather than to the spirit of the GDPR.”

Using consent as the lawful basis? No dice

At the heart of the issue is consent. In summer 2016, a privacy policy update said that, although it would continue to operate as a separate service, WhatsApp planned to share some account information, including phone numbers, with Facebook for targeted advertising, business analysis and system security.

Although users could withhold consent for targeted advertising, they could not for the other two purposes – any users that didn’t like the terms would have to stop using WhatsApp.

The EU data protection bodies have previously said that this “like it or lump it” approach to service use doesn’t constitute freely given consent – as required by EU rules.

Similarly, they felt that WhatsApp’s use of pre-ticked boxes was not “unambiguous” and that the information provided to users was “insufficiently specific”.

The ICO has also noted that matching account data might lead to “privacy policy creep”, with further uses of data slipping into the Ts&Cs unnoticed by users.

The investigation – which looked only at situations where WhatsApp wanted to share information with Facebook for business interests, not service support – confirmed concerns that the policy wasn’t up to scratch.

Information Commissioner Elizabeth Denham said WhatsApp had not identified a lawful basis for processing, or given users “adequate fair processing information” about any such sharing.

“In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained,” she said.

She added that if the data had been shared, the firm “would have been in contravention of the first and second data protection principles” of the UK’s Data Protection Act.

WhatsApp has maintained that it hasn’t shared any personal data with Facebook in the EU, but in a letter to the biz’s general counsel Anne Hoge, Denham indicated that this had not been made clear at the outset.

Denham wrote that the initial letter from WhatsApp had only stated data sharing was paused for targeted ads. It was, she said, “a fair assumption for me to make” that WhatsApp may have shared data for the other two purposes, “but have at some point since that letter decided to pause” this too.

However, she said that since WhatsApp has “assured” the ICO that “no UK user data has ever been shared with Facebook”, she could not issue the biz with a civil monetary penalty and had to ask WhatsApp to sign the undertaking instead.

Next up: Legitimate interests

Denham’s letter makes it clear that the companies will be working to make sure that data sharing can go ahead in a lawful way, particularly for system security purposes, for which it may consider using the “legitimate interests” processing condition.

She noted that there would be “a range” of legitimate interests – such as fighting spam or for business analytics – but that in all cases it would need to show that processing was necessary to achieve it, and balance it against individuals’ rights.

Bernal said that if the biz had any plans to use the consent condition for processing, it “will need huge scrutiny”.

“It’s almost impossible for most users to understand what they’re really consenting to,” he said. “And if ordinary users can’t understand, how can they consent?”

Jon Baines, data protection adviser at Mishcon de Reya, also noted that the fact WhatsApp had held its ground on what he described as a “key point” could put the ICO in a difficult position down the line.

“It’s very interesting that the ICO is classing this as a ‘win’, because – although on the surface it seems like a success – it’s notable that WhatsApp have reserved their position on a key point, which is whether the processing in question falls under the UK’s remit by virtue of the fact that it takes place in the UK on users’ devices,” he said.

“Normally the effect of an informal undertaking will be to encourage a data controller voluntarily to take or cease action, to avoid the need for legal enforcement which would otherwise be available.

“Here, should WhatsApp subsequently fail to perform the undertaking, the ICO might be compromised if there is no clear basis on which it can follow up with enforcement action.”

In a statement sent to The Register, WhatsApp emphasised the pause it had put on data sharing. “As we’ve repeatedly made clear for the last year we are not sharing data in the ways that the UK Information Commissioner has said she is concerned about anywhere in Europe.”

It added that it “cares deeply” about users’ privacy and that “every message is end-to-end encrypted”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/14/whatsapp_facebook_user_info/

How to Interpret the SEC’s Latest Guidance on Data Breach Disclosure

Forward-looking organizations should view this as an opportunity to reevaluate their cybersecurity posture and install best practices that should have already been in place.

On the heels of several headline-grabbing data breaches – and greater emphasis on the importance of disclosure in the lead-up to the May 25 General Data Protection Regulation (GDPR) deadline – the US Securities and Exchange Commission (SEC) recently issued a statement that puts more responsibility on executives for data breaches.

This updated guidance calls for public companies to provide investors with more information on all cybersecurity incidents – even just the existence of potential risks – with minimal delay. The statement goes a step farther in attempting to thwart the potential for the exchange of “insider” information, which was a major concern on the heels of the record-shattering Equifax data breach.

Specifically, corporate officers, directors and “other corporate insiders” are prohibited from trading shares if they have knowledge of any unpublicized security incident within the company.

While the overall intent of this latest statement is clear, the guidance is vague in key areas by design. For instance, the second section of the guidance emphasizes that companies must make “timely disclosure of any related material nonpublic information.” It’s unclear what the SEC explicitly means by “timely disclosure,” as the SEC doesn’t provide a specific time limit that companies must meet. This puts a lot of trust in corporate leaders to put speedy remediation and due diligence at the center of their security policy, which is a bit of a gamble given the track record of executive action during the fallout of the Equifax breach.

The GDPR, on the other hand, is much more prescriptive, giving organizations 72 hours to report an incident related to the personal data of EU citizenry. This isn’t to say that the European Commission has greater distrust for business leaders to make the right call than legislators in the United States, so much as it creates a clear and distinct timetable.

The guidance from the SEC is significant, however, in that it essentially tees up every executive board to make room for or delegate an in-house expert on cybersecurity best practices. It updates a comparably less hawkish stance on the part of the SEC in trying to minimize the occurrence of insiders acting poorly in the time between a major data breach and public disclosure.

Another reason for the vagueness surrounding the actual time limits for disclosure is that the SEC doesn’t want to force businesses to prematurely disclose information that might only publicize vulnerabilities to potential hackers. It’s a delicate balance, as teams want to make sure they are planning their defense thoughtfully before inciting more damage to the company’s data stores – not to mention brand perception.

As part of the GDPR guidance, many data-centric businesses will be required by law to employ a Data Protection Officer (DPO) that acts alongside the network administrators and security teams to enforce best practices and report potential incidents. While this isn’t mandatory for all businesses, companies that aren’t looking to employ cybersecurity experts are doing so at their own risk – especially given this new guidance from the SEC. The cost for not following through on best practices in the event of a breach can be far more significant than putting an in-house expert on the payroll.

While many may view the new SEC guidance and GDPR as onerous red tape, forward-looking organizations should view this as an opportunity to reevaluate their cybersecurity posture and install best practices that should have already been in place. After all, having someone who is tasked with ensuring your organization is secure and protecting its data appropriately is something every organization should embrace.

As president and co-founder of iboss, Peter Martini has played a major role in developing iboss’ innovative technology, and has helped shepherd iboss’ phenomenal growth, since its founding. He has been awarded dozens of patents focused on network and mobile security, and with …

Article source: https://www.darkreading.com/partner-perspectives/iboss/how-to-interpret-the-secs-latest-guidance-on-data-breach-disclosure/a/d-id/1331249?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple