Discover more from Lukasz Olejnik on Cyber, Privacy and Tech Policy Critique
TechLetters #60 French data protection fines for Google/Facebook, GDPR breach notification howto, Private Relay, intentionally sabotaging own software causes issues to others, centralised web3
Software security and dependability. Software developer 'sabotaged' his project on which thousands of other projects depend. “Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects”. It’s an issue of software security, integrity, reliability. When a project you depend on depends on other projects, your dependencies inflate.
How to GDPR breach notification. GDPR mandates that organisations often must notify users (“breach should be notified when the controller is of the opinion that it is likely to result in a risk to the rights and freedoms of the data subject” and/or supervisory authorities, after a breach. Failure to do this properly may result in large fines. But how to do it properly, and when, may be tricky (“If a controller self-assesses the risk to be unlikely, but it turns out that the risk materializes, the DPA can use its corrective powers and may resolve to sanctions”). EDPB introduces some clarity. “GDPR states that a breach shall be notified without undue delay and, where feasible, not later than after 72 hours. Exceeding the 72h time limit is unadvisable but when dealing with high risk level cases, even complying with this deadline can be viewed as unsatisfactory”
Apple Private Relay. Apple's Private Relay Overview (“private proxy”) explains that it guarantees that "no single entity can combine IP address, location, and browsing activity into detailed profile". It is supposedly better than a VPN. Apple considers that the feature is not making fraud prevention impossible: their fraud prevention should trusted as a signal. Apple also promises that no logs mapping the true account ID to the used IP addresses are maintained. How happy will law enforcement agencies be?
Data protection fines. French data protection authority CNIL fines Google (€150 million) and Facebook (€60 million). This is about ePrivacy Directive, not GDPR. The reason is as follows: they "offer a button to accept cookies, but they do not set up an equivalent solution to easily refuse". "Several clicks necessary to refuse all cookies, but just one to accept them". Cookie rejection must have a roughly identical mechanics to cookie acceptance. This is inspired with GDPR cookie consents rules, and enforced because of high motivation of the French DPA. Decisions: Facebook, Google
Covid contact tracing, repurposed. Covid contact-tracing app data repurposed to track criminals by police. Speaking about purpose limitation... "total of 21 potential witnesses were found and called". "Mainz public prosecutor's office expresses its regret". https://www.swr.de/swraktuell/rheinland-pfalz/mainz/polizei-ermittelt-ohne-rechtsgrundlage-mit-daten-aus-luca-app-100.html
Insightful Web3 criticism. “So much work, energy, and time has gone into creating a trustless distributed consensus mechanism, but virtually all clients that wish to access it do so by simply trusting the outputs from these two companies without any further verification. It also doesn’t seem like the best privacy situation. Imagine if every time you interacted with a website in Chrome, your request first went to Google before being routed to the destination and back. That’s the situation with ethereum today”. Where is the “distributed” thing now? Now about those millions of dollars worth non-fungible pieces: “Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NFT to whatever they’d like at any time”
In case you feel it's worth it to forward this letter further, I leave this thingy below:
You may also share here: