TechLetters #11 - Russia preparing for cyber-retaliation? This is not a drill! Google launching its privacy-preserving ads tech proposal (just without privacy for now), tracking favicons
Welcome to the 11th letter.
Editorial
Privacy impact assessment helps organisations in understanding the privacy risks of their products or services.
The EU Digital Services Act might in the end expand that requirement from privacy to other general systemic risks, in the case of advanced assessments. It would expand the need to also consider the broader risks.
It seems that legislating this is inevitable, so organisations that treat their regulatory compliance seriously should start setting up their internal teams. It’s too bad that at many places the 2021 budget is already cast. Some organisations will be late with hiring the necessary reinforcements. Others still struggle to have a working privacy impact assessment process at all, so they will simply extend that risk and fall into the new big-fines trap.
It’s ultimately their choice to risk being late or to end up with a flawed or malfunctioning process.
Security
Swiss eVoting. Swiss Post made public the eVoting specification used in Switzerland. Understanding the security and privacy properties and guarantees of pen-and-paper voting is quite straightforward. Not so with explaining an extremely complex cryptographic protocol to the general public, not to mention its implementation and deployment.
Is Russia preparing for cyber-retaliation? Russia's internal security service, the FSB, warned of a potential threat of "targeted cyberattacks" after "statements made by the USA and its allies". Is this an anticipatory response to the retaliation(s) or other responses to the SolarWinds hack, or something else? Retaliations have happened before.
Privacy
Favicon tracking. Over the years, web browsers have improved their tracking protections. Cookies are going away. This pushes tracking in new directions. One example is a technique that uses favicons (yes, the little icons next to the URL bar) for persistent tracking of users without cookies. This might be a bit counter-intuitive, but the favicon is simply cached differently from other browsed content. It is possible to devise a redirection-download scheme and use it to encode information (the identifier assigned to the user) in what the browser has or has not cached. Web browsers should fix this eventually.
Privacy-preserving advertising, without privacy? Well, sort of. Google is starting an experiment with its core Privacy Sandbox solution. The solution is quite complex, and it is assumed that much will change in 2021 and 2022. The assumption is that this experiment will gradually turn on the privacy features. We will have to see about that.
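As an added illustration from the defender's side (this is not code from the newsletter), here is a small Python heuristic that scans web server log records for long redirect chains that begin with a favicon request, which is the trace the scheme above leaves on the server. The log format (client, method, path, status, redirect target), the client addresses and the paths are all constructed for the example; real access logs usually do not record the Location header, so the parser would need adapting.

```python
"""Heuristic detector for favicon-based redirect tracking in web server logs.

Constructed example: the simplified log format is
    <client> <method> <path> <status> <redirect-target-or-dash>
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<location>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["location"] = None if rec["location"] == "-" else rec["location"]
    return rec


def favicon_chains(lines):
    """Return {client: longest redirect chain that starts with a favicon request}.

    A chain is counted while each request hits the path the previous redirect
    pointed to and is itself answered with a 3xx carrying a new target.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    result = {}
    for client, recs in per_client.items():
        longest = 0
        i = 0
        while i < len(recs):
            if "favicon" in recs[i]["path"].lower():
                length, expect, j = 0, recs[i]["path"], i
                while (j < len(recs) and recs[j]["path"] == expect
                       and 300 <= recs[j]["status"] < 400 and recs[j]["location"]):
                    length += 1
                    expect = recs[j]["location"]   # next hop the browser must fetch
                    j += 1
                longest = max(longest, length)
                i = max(j, i + 1)
            else:
                i += 1
        result[client] = longest
    return result


def flag_clients(lines, threshold=8):
    """Clients whose favicon redirect chain is long enough to carry an identifier.

    A normal favicon fetch is one request, occasionally one redirect; encoding
    even a short identifier needs many hops, so a high threshold is safe.
    """
    return sorted(c for c, n in favicon_chains(lines).items() if n >= threshold)


def constructed_sample():
    """Constructed log: one ordinary visitor and one pushed through a 12-hop chain."""
    lines = [
        "198.51.100.7 GET /index.html 200 -",
        "198.51.100.7 GET /favicon.ico 200 -",
    ]
    tracked = "203.0.113.5"
    lines.append(f"{tracked} GET /index.html 200 -")
    lines.append(f"{tracked} GET /favicon.ico 302 /f/0")
    for k in range(11):
        lines.append(f"{tracked} GET /f/{k} 302 /f/{k + 1}")
    lines.append(f"{tracked} GET /f/11 200 -")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    print(favicon_chains(sample))   # {'198.51.100.7': 0, '203.0.113.5': 12}
    print(flag_clients(sample))     # ['203.0.113.5']
```

The heuristic keys on the literal string "favicon" in the first path, which a site can avoid by declaring its icon under any name via a `<link rel="icon">` tag, so in practice the chain detection would start from whatever path the page advertises as its icon. It is a server-side view; a browser-side fix is what the text above asks for.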
Technology Policy
KYC for cloud services. On its last day, the Trump administration issued an executive order related to cybersecurity. It will lead to compelling cloud service providers to verify the identity of their customers. This measure is meant to reduce the risk of overlooking cyberattacks that use infrastructure in the US, which happened in the SolarWinds case and probably not only there.
Mandatory identification on the internet. The largest group in the European Parliament (EPP) stated its positions in the work on the Digital Services Act. It wants a system that would allow the identification of all users on the internet, mentioning that a blockchain-based approach might be the one used to identify everyone. There would likely be strong opposition to this idea.
That’s it this time, thanks!
In case you decide to forward this letter further for any reason, I’ll leave this thingy below: