The Australian government is considering legislation that would endanger source protection, confidential reporting processes, and the privacy of everyone in an ill-conceived effort to grant law enforcement easier access to electronic communications.
Freedom of the Press Foundation has joined a group of digital rights organizations in calling for the Australian government to refrain from any effort to weaken access to encrypted communication services. “We strongly urge the government to commit to not only supporting, but investing in the development and use of encryption and other security tools and technologies that protect users and systems,” the open letter to Australian officials states.
While it has not yet introduced such legislation, the government has consistently reiterated its intention to do so over the past year. In July 2017, Australian Prime Minister Turnbull and Attorney General George Brandis held a press conference at which they first stated their intention to force communications companies to comply with law enforcement decryption efforts. Months later, the foreign minister said legislation intended to work with communication providers to stop terrorism was imminent.
It’s unclear what this legislation will look like, but communication companies or device makers could face significant government fines if they refuse to assist law enforcement with accessing users’ data. This could apply not only to Australian telecommunications companies like Telstra and Optus, but also to huge, internationally-based tech companies like Facebook and Apple.
If companies have the ability to decrypt their users’ data and hold their private encryption keys, those companies could be forced to provide confidential communications anytime the government deems access necessary. Taylor has claimed there will be no requirements for companies to build “backdoors” into their products for law enforcement, but the alternative to undermining encryption itself is to target physical devices.
This is one of the fears of Nathan White, Senior Legislative Manager at Access Now. He is concerned that rather than compelling WhatsApp or Gmail to provide access to encrypted content, the legislation will force device manufacturers to push targeted malware to the devices of people who are the subject of investigations.
Regular software updates are critical to security and privacy, because they often fix vulnerabilities and introduce new protections. Laws that could force a company like Apple to target a user’s device with malware would eradicate the trust between device makers and their users on which software updates depend. The government could hypothetically demand that malware be sent to the devices of journalists, sources, or activists, and use confidential communications acquired through that malware to prosecute or investigate them.
Australian Attorney General George Brandis called encryption “potentially the greatest degradation of intelligence and law enforcement capability” in a lifetime. He has indicated that the new laws would be akin to the United Kingdom’s Investigatory Powers Act, and would grant the government the ability to force companies to comply with investigations.
It’s a chilling comparison to make. The Investigatory Powers Act is one of the world’s most Orwellian and sweeping surveillance laws, authorizing the blanket collection, monitoring, and retention of citizens’ communications and online activity.
Australia is also part of the powerful “Five Eyes” intelligence alliance that includes the United Kingdom, United States, New Zealand, and France. The adoption of laws that use broad “terrorism” claims to justify weakening encryption or targeting devices could not only open the door to similar legislation in other countries but even normalize international sharing of decrypted sensitive data. (Australia is also hosting a Five Eyes meeting in August, where these legislative efforts could be discussed.)
It’s unclear what this legislation will look like, or when it will be introduced, but the government’s efforts will be met with widespread opposition when it does. Any laws that threaten software updates or encryption would threaten the privacy of everyone in Australia, and set a disturbing precedent for governments and intelligence agencies around the world.
Digital Asset Management or DAM is traditionally associated with rich media and the companies who employ that type of content, such as media and entertainment. It is big business too. The market for DAM is expected to be worth $9.1 billion USD by 2024. Much of this is driven by the increasing importance of content marketing - digital content offering a very good ROI according to Smart Insights.
I’ve always felt that marketing is a discipline that can inform the world of digital identity. It is engaged with customers, it has a good grasp on user behavior, and it utilizes statistics and reporting to optimize systems. So, where does DAM fit into a consumer identity platform and how can digital content add benefit?
The difference between data privacy protections afforded to European Union residents and people in the U.S. is more sharply highlighted now that the EU’s General Data Protection Regulation has taken effect. Will passage of a new California privacy law make a difference?
At first glance, it may seem California state legislators took a bold first step when they quickly passed a comprehensive data privacy protection law last month known as the California Consumer Privacy Act of 2018.
Like the GDPR, this new legislation spells out a set of rights to protect the privacy of California consumers. From the text of the new law, these rights include:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
While the intent of the new California privacy law and the GDPR are the same — protecting consumer privacy — the most important differences between the two laws lie in the process. Whereas the GDPR was the product of years of careful preparation and collaboration between bureaucrats, privacy experts, politicians and technology practitioners, the California privacy law was mashed together in less than a week, according to the Washington Post, in order to forestall more stringent privacy protections from being passed via a ballot initiative that had broad support in California.
The bipartisan rush to enact the new California privacy law (passed unanimously) has everything to do with control, and little to do with the will of the people. Legislation passed by the electorate through a ballot initiative is much more difficult for legislators to tinker with: any changes require a two-thirds majority, while laws passed the usual way by the legislature can be more easily modified with a simple majority.
Another superficial similarity between the GDPR and the California Consumer Privacy Act is that enforcement of the new law is set to begin (almost) two years from the date of passage. For the GDPR, enforcement began May 25, 2018; the California privacy law goes into effect on Jan. 1, 2020. Companies facing the requirement to comply with the GDPR were given a two-year window by the EU lawmakers to get ready, but the conventional wisdom around the California privacy law is that the next year and a half will be used by big tech companies and legislators to negotiate the precise terms of the law.
There are many other differences, but companies aiming to comply with the California privacy law should note that the terms of the law as currently written could be softened considerably before enforcement begins.
And some of the differences are worth noting. First, most businesses are likely not to be affected at all, as businesses subject to the law must meet one or more of the following conditions:
- annual gross revenues in excess of $25 million;
- processing the information of 50,000 or more consumers, households or devices;
- deriving at least 50% of their annual revenues from the sale of personal information.
As for penalties, companies subject to the regulation face fines as high as $7,500 for each violation, to be levied through a civil action “brought in the name of the people of the State of California by the Attorney General,” the law reads — but that requires the finding that the offending entity violated the law “intentionally.”
Is the California privacy law comparable to the GDPR? We don’t know, and we probably won’t know for at least a year — and perhaps not until after Jan. 1, 2020, when the new law goes into effect. If the law, as written, is applied to a company like Equifax, which exposed roughly half the adult U.S. population in the breach uncovered last year, then the results could be devastating. The share of Californians exposed in that breach can be estimated at about 12 million; if the Equifax breach was found to have been caused intentionally, the maximum fine would be close to $100 billion.
That’s far higher than the GDPR maximum penalty of 4% of annual global turnover; Equifax’s turnover in 2017 was only $3.36 billion, meaning the maximum fine under the GDPR could be about $135 million.
However, GDPR penalties don’t require a finding of intent to break the law on the part of the offending entity, and many smaller companies subject to GDPR — those with annual gross revenues lower than $25 million, processing personal data of fewer than 50,000 consumers, households or devices, and which make less than 50% of their revenue from the sale of that data — would be immune from any penalties under the new California privacy law.
The bottom line: unlike in 2016, when the final form of the GDPR was approved and companies were granted a two-year period to prepare to comply with the new privacy regulation, the new California privacy law is coming — but it’s still an open question just how effective or useful it will be for protecting consumer privacy.
The post Is the new California privacy law a domestic GDPR? appeared first on Security Bytes.
Over the years I have been asked a curious question numerous times: “If we use product x or solution y we wouldn’t have to patch anymore, right?” At this point in the conversation I would often sit back in my seat and try to look like I was giving their question a lot of thought. The reality was more pragmatic. I was trying very hard to stifle my screams while appearing considerate of their query.
Let’s be honest with ourselves. No one likes to apply patches. If the opposite were true, I have little doubt that we would have far fewer data breaches than we read about in the news these days. I’m sure that there is a mythical unicorn out there who simply lives for this sort of activity. I will be entirely honest when I say that I have never met this person.
Applying patches is a very necessary activity. So, why is it that we continually have to return to this discussion point? Time and again we read in the press about companies that were compromised because of a missed patch or a configuration error. One of the things that I do a fair bit is read the data breach notices that companies issue. There are some trends that are inescapable. A piece of software wasn’t patched to the current version. There was a configuration error. Or a laptop was stolen but, have no fear, there was a password.
Two of the aforementioned were easily preventable situations and the third…well, I’ll just leave that one alone for this post.
Let’s just dispense with the nonsense. There is no product on this little blue marble that we call home that will ever give you 100% security. It just isn’t going to happen. Full stop. There are so many moving parts in the modern IT ecosystem that we have to take this into account. There is a real problem that we seem to drift farther and farther from each and every day: we are failing to tackle the fundamentals well, and as a result the security of our digital supply chain is suffering.
I often get teased by some friends for using the phrase “defined repeatable process”. This idea is absolutely nothing new. The term has been floating around for a long while now, but we seem incapable of implementing such processes. Why is that? When we drift away from doing things well, such as patching, we are inadvertently increasing our technical security debt. As this chasm continues to widen there will come a point after which most organizations will not be able to pivot to the safety of higher ground.
So as I knock this idea around in my head I continue to wonder what it is that we can do to improve things from a repeatable process standpoint.
Go ahead and put up your feet on your desk basking in the glow of knowledge that some vendor is going to solve all of your security issues. Never patch another system again and we shall gleefully dance around the smoldering crater that was once your enterprise network after the hordes of attackers are done savaging it.
An apple a day keeps the doctor away and all that sort of rot.
This week, Michael and Paul interview Mayank Varia, Research Associate Professor of Computer Science at Boston University! Mayank is also the co-director of BU's Center for Reliable Information Systems & Cyber Security.
Full Show Notes: https://wiki.securityweekly.com/BSWEpisode92
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Visit https://www.activecountermeasures/bsw to sign up for a demo or buy our AI Hunter!!