TechLetters #63 - EU eID, Cyberattacks on ICRC condemned, Russia-China agreement over internet management, GDPR heat
My privacy and data protection analysis of the EU eID Regulation proposal. Found issues: privacy, data protection, protection of persons with disabilities, risk of technical censorship and problems with web security and privacy.
Security
US Department of State is condemning cyberattacks on ICRC. This is unprecedented, but it is not surprising that this is happening - for example, if it was conducted by a State, it was a violation of neutrality. “ICRC often does what no one else can — accessing detained persons in conflict zones or crossing frontlines to reach those in need. Its independence and impartiality have long allowed it to have access to confidential information and data, including data on conflict victims and other victims of armed violence, the forcibly displaced, missing persons, and other vulnerable populations”.
Cyberattacks on infrastructure in Europe. Wave of cyberattacks on European critical infrastructure in Belgium, the Netherlands and Germany, “impacting the flow of oil products such as heating oil, diesel, jet fuel, gasoline and fuel oil in Antwerp, Hamburg, Amsterdam, Ghent and Terneuzen, many cargoes and barges being diverted”. Suspicion falls on two uncoordinated ransomware groups. That said, it is unclear how it was established so soon that there was no coordination. Coin toss?
Russia-China agreement. Putin and Xi issued a strong statement on technology and the internet: “equal rights to manage it, consider unacceptable any attempts to limit their sovereign right to regulate and ensure the security of national segments of the Internet”, “The Parties reiterate their readiness to deepen cooperation in the field of international information security and contribute to building an open, secure, sustainable and accessible ICT environment. The Parties emphasize that the principles of non-use of force, respect for state sovereignty and fundamental human rights and freedoms, non-interference in the internal affairs of other states, approved by the UN Charter, are applicable to the information space. Russia and China reaffirm the UN's key role in responding to threats to international information security and express their support for the Organization in developing new standards of behavior for states in this area”.
Privacy
BE against IAB. The Belgian DPA said that IAB Europe’s Transparency and Consent Framework (TCF) violates GDPR: “imposed a €250.000 fine to the company, and gives IAB Europe two months to present an action plan to bring its activities into compliance”.
When users visit a website or application for the first time, an interface (a Consent Management Platform or CMP) will pop up where they may consent to the collection and sharing of their personal data, or object to various types of processing based on the legitimate interests of ad tech vendors. This is where the TCF comes in: it facilitates the capture, through the CMP, of the users’ preferences. These preferences are then coded and stored in a “TC string”, which will be shared with the organisations participating in the OpenRTB system so that they know to what the user has consented/objected. The CMP also places a cookie (euconsent-v2) on the user’s device. When combined, the TC string and the euconsent-v2 cookie can be linked to the IP address of the user, therefore making the author of the preferences identifiable. The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisement.
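To make concrete what the “TC string” actually stores, here is an added decoder (example code of mine, not from the newsletter, the DPA or IAB Europe) for the fixed header and vendor-consent section of a TCF v2 core segment: it recovers the CMP id, the creation time, the consented purposes and the consented vendors, which is what an auditor checks when verifying that a site’s CMP records the choices a user made. The field layout follows the IAB TCF v2 core string format as I know it; encode_sample is a constructed helper that emits only the fields the decoder reads, not a complete spec-compliant string.

```python
import base64
from datetime import datetime, timezone

# Bit widths of the fixed-size fields that open the TCF v2 core segment, in string order
# (layout per the IAB Europe TCF v2 format; the vendor consent section follows directly).
CORE_FIELDS = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
               ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
               ("vendor_list_version", 12), ("tcf_policy_version", 6),
               ("is_service_specific", 1), ("use_non_standard_stacks", 1),
               ("special_feature_opt_ins", 12), ("purposes_consent", 24),
               ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
               ("publisher_cc", 12), ("max_vendor_id", 16), ("is_range_encoding", 1)]

def _letters(value, width):  # language/country codes: 6-bit letters, A=0 .. Z=25
    return "".join(chr(65 + (value >> s & 0x3F)) for s in range(width - 6, -1, -6))

def _ids(value, width):  # in a bitfield the most significant bit is ID 1 (IDs are 1-based)
    return [i + 1 for i in range(width) if value >> (width - 1 - i) & 1]

def decode_tc_string(tc_string):
    """Decode the header and vendor-consent section of a TC string's core segment."""
    core = tc_string.split(".")[0]                       # segments are dot-separated
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))  # restore padding
    bits, pos, f = "".join(f"{b:08b}" for b in raw), 0, {}
    for name, width in CORE_FIELDS:
        f[name], pos = int(bits[pos:pos + width], 2), pos + width
    n, vendors = f["max_vendor_id"], []
    if f["is_range_encoding"]:                           # entries of single IDs or ID ranges
        entries, pos = int(bits[pos:pos + 12], 2), pos + 12
        for _ in range(entries):
            is_range, start = int(bits[pos]), int(bits[pos + 1:pos + 17], 2)
            end = int(bits[pos + 17:pos + 33], 2) if is_range else start
            vendors.extend(range(start, end + 1))
            pos += 33 if is_range else 17
    else:                                                # one bit per vendor ID, 1..n
        vendors = _ids(int(bits[pos:pos + n] or "0", 2), n)
    return {"version": f["version"], "cmp_id": f["cmp_id"],
            "created": datetime.fromtimestamp(f["created"] / 10, tz=timezone.utc),  # deciseconds
            "language": _letters(f["consent_language"], 12),
            "purposes_consent": _ids(f["purposes_consent"], 24), "vendors_consent": vendors}

def encode_sample(vendor_ids, **overrides):
    """Constructed sample string: emits only the fields decode_tc_string reads, not a full core string."""
    values = {**{name: 0 for name, _ in CORE_FIELDS}, "version": 2, "max_vendor_id": 40, **overrides}
    bits = "".join(f"{values[name]:0{w}b}" for name, w in CORE_FIELDS)
    bits += "".join("1" if v in vendor_ids else "0" for v in range(1, values["max_vendor_id"] + 1))
    bits += "0" * (-len(bits) % 8)                       # byte-align before base64url
    return base64.urlsafe_b64encode(int(bits, 2).to_bytes(len(bits) // 8, "big")).decode().rstrip("=")
```

Note that nothing in the decoded fields identifies the user; the linkability the DPA describes comes from combining the string with the euconsent-v2 cookie and the IP address, not from the string alone.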
Facebook feels the GDPR heat. In its filing: “We also notify the Irish Data Protection Commission (IDPC), our lead European Union privacy regulator under the General Data Protection Regulation (GDPR), of certain other personal data breaches and privacy issues, and are subject to inquiries and investigations by the IDPC and other European regulators regarding various aspects of our regulatory compliance. The GDPR is still a relatively new law and draft decisions in investigations by the IDPC are subject to review by other European privacy regulators as part of the GDPR's consistency mechanism, which may lead to significant changes in the final outcome of such investigations. As a result, the interpretation and enforcement of the GDPR, as well as the imposition and amount of penalties for non-compliance, are subject to significant uncertainty”.
Technology Policy
Other
On DevOps and Compliance. Compliance process.