TechLetters #111 - 4-level scale to speak of cyberattack impact. Yet another quantum factoring algorithm claim. USB malware spread. GDPR fines for Apple and Meta. DPAs take each other to the EU Court?
My proposal to describe the impact of cyberattacks using a 4-level scale. For keen politicians and policymakers. Most of the stuff you read about does not even reach level 1 (violation of sovereignty), some cyberattacks did in fact attain level 2 (interference with domestic affairs), a few achieved level 3 (use of force), and fortunately none so far has achieved level 4 (armed aggression).
Security
Quantum integer factoring with a low-scale quantum computer? Paper here. Well, not quite. “We factorize the 11-bit integer 1961, 26-bit integer 48567227 and 48-bit integer 261980999226229 with 3, 5 and 10 superconducting qubits, respectively”? Another year, another ‘proposal’ of the kind (and expect more!). The algorithm is based on a magical ingredient - the quantum computer optimisation step, which is assumed to work. But sufficiently scaled machines should be available soon, so it should be possible to test and verify this one in practice. So that's a plus of the claim.
USB is still used to spread malware. Be careful which pendrive you connect to sensitive systems. Or any systems at all. “malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims”
Privacy
French DPA issues a data protection fine to Apple. 8 million euros, and “public naming” of the company, for two years. "Did not collect the consent of iPhone users before writing identifiers used for advertising purposes".
GDPR fines for Meta/Facebook/Instagram, €210+180 million. The Irish Data Protection Authority is also to sue the European Data Protection Board before the Court of Justice of the EU. That is a MAJOR precedent. Bring the popcorn?
the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.
IWPE conference. The International Workshop on Privacy Engineering accepts various submissions with takes on privacy, technology, etc. Consider submitting!