The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas like Australia and New Zealand.
The decision was made as result of a case brought by Austrian citizen Maximillian Schrems on the use of his data by Facebook and in particular the practices of the US government as revealed by Edward Snowden.
This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. http://curia.europa.eu press release 6 October
*Facebook European HQ is in Ireland
Safe Harbour, is an agreement that had been in place since 2000. It was supposed to give the protections to private data collected by multinational companies on EU citizens wherever it was stored. This allowed Facebook to store EU citizens’ data in the US or wherever it was most efficient, but required them to treat it to the EU’s standards, rather than the more relaxed US standards.
The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizen’s data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.
This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.
Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.
When the big players jostle, smaller countries feel the waves.
For Australian organisations, not only those who hold EU citizens’ data, this decision should cause them pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only in terms of the reputational damage of a breech in markets like the EU.
The Internet becomes less than one – Time for an International Law of Cyberspace
The Internet has never been one network for all, As much as some might wish, it is a motley collection of many nets with a very minimal governance. The main effect of this decision is to further balkanise the Internet in a similar way to content geo-blocking and country firewalls.
Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.
This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent that the conventions on the Law of the Sea achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.
The loss of 4 million records reminds agencies that good Cybersecurity is repetitive and boring
The US Government announced on 4 June that the private information of at least four million current and former government workers had been compromised.
The intrusion occurred in systems owned by the US Office of Personnel Management (OPM) which handles government security clearances. It was detected in April 2015, but in line with most other such intrusions, may have started in 2014.
The attack drew calls by politicians for legislation to strengthen the USA’s cyberdefences. The US blamed China for the breaches, though it is unclear how good their attribution information is.
The Boring but tremendously important bits
Reports from the New York Times indicated that OPM did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside multifactor authentication. OPM also did not regularly scan for vulnerabilities in the system, and found that one third of computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
Let’s be clear here, the answer for Cybersecurity in organisations is good housekeeping!
Assess the business impact levels for your systems
Scan your logs
There are more things like application whitelisting, but get those right and your organisation can do better than the US Government. The Australian Signals Directorate has published a number of guides for government agencies to help them mitigate all but the most targeted intrusions. They are worth checking out. http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
The answer is not more power for intelligence and law enforcement
Let’s keep it simple
Assess the business impact levels for your systems
Scan your logs
If you have to call the guys/girls in dark suits from government agencies, you’ve lost the fight. Just like in the real world, if you have to call the cops, something’s really wrong with your security.
Attribution is so so hard in the cyber, you have to be very lucky and have deep pockets to go after the crims.
Better to build your fence higher than those around you, but encourage your partners to build their fences higher too, because security is only as good as the weakest link.
Where might government focus its resources?
Rather than spending money on dealing with hacked systems after they happen. Government would be far better off providing good advice, encouraging education of cyber professionals and encouraging software and hardware developers to manufacture secure code and systems.
Some commentators are complaining about how long it took the US to disclose the breach. At least the US has fessed up. In Australia, where there are no mandatory disclosure rules, it seems unlikely that a government agency would admit to this, despite the obvious importance of this to the victims who lost their personal data.
I repeat my call for mandatory data breach notification for all public and private organisations in all OECD countries.
Many Australian state and territory governments have created shared services functions for their ICT and human resources functions. The issue is that if the wrong people get access as they did in the US OPM, then they potentially have access to everything.
Much has been made of the potential savings available to governments from centralising their data functions. Whilst this may be the case in the short term, like outsourcing, the return on investment over the long term is very much unproven. Shared services ICT functions aggregate data and create honeypots for organised criminals and national espionage groups. It is true that with shared services, ICT functions are able to afford more staff, the question is whether this advantage truly outweighs the dependencies on data that are created and the increased attractiveness of the target.
It is a question as to whether decreasing the value of a system by decreasing its attractiveness ie by decentralising, can be used to affect business impact levels. However it certainly makes intuitive sense, in that you should be able to maintain the relative risk of a system by splitting it into multiple separate systems whilst giving the organisation its operating requirements in terms of integrity of system and availability – see everybody’s happy!
When I was running Protective Security Policy, my team and I tried to address this with policies about aggregation of data and Business Impact Levels. Business impact levels are an excellent way of approaching agency cybersecurity on a holistic and strategic basis. The reason is that they take into account not only the confidentiality of information, but also its availability and accessibility. This allows the whole organisation to have a discussion about what they are willing to live with.
Human Resources information like that compromised in the OPM hack becomes useless if the right people can’t access it easily and keep it up to date. In the case of OPM, the organisation faces a significant problem in trying to do its job in managing clearances, which requires the information to have good availability against the traditional security argument, to lock things down.
Organisations need to fulfil their function, the confidentiality of information is always secondary to the primary mission in the minds of the executive.
Agency security advisers often find that they lose arguments on the basis of $$$, particularly in these times of shrinking government budget.
The way to make the argument is to do so on the basis not of security, but finance.
Accountants understand risk, they just talk about it differently. Any CISO worth their salt needs to talk in terms of value, efficiency and reputation for the organisation they represent. Otherwise, they might as well be talking Cantonese to a Mandarin speaker.
Here’s a collection of links, which might be useful
The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.
The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.
The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.
Is it possible to enhance privacy with social login?
The likelihood that any Australian Government is going to create an online identity credential now seems distant with the National Trusted Identities Framework (NTIF) almost forgotten. How quickly the Internet forgets, but maybe that’s a good thing if you’re Mario Costeja González.
But the need that the NTIF sought to fill has not gone away. Governments are trying to work out how to service their citizen/customer/users at lower cost. The Internet offers one possibility, but in taking their services online, government agencies expose themselves and us to different threats and potentially higher risk. However, it seems inevitable that government agencies will follow financial institutions in offering higher value transactions online. In the end, the economic argument is likely to drive government agency migration online with more high trust services. Recent federal and state/territory budget announcements are only likely to spur this movement.
There are a number of threats that need to be mitigated before a government agency could potentially provide its services online. Probably the key issue is for the agency to be sure that a user requesting access to a site is who they say they are. Currently issuing the customer with a username and password mostly does this, but the model is beginning to fail. The problem is that most people don’t interact with government agencies on a regular basis and yet information sensitivity and computer capabilities require users to adopt increasingly complex and non-sensical passwords.
This in turn makes the passwords more difficult to remember even as they are harder to crack. It also means that password resets are much demanded. Yet at the same time, customers are expected to change their passwords regularly, not to write them down or repeat them for other online services.
It seems clear that these password requirements largely force customers to break their user agreements and either, write their passwords down, or worse re-use them for other services/websites.
It also puts government agencies in a bind. They want to provide online access to their services because it could be cheaper to operate than bricks and mortar outlets (if they didn’t have to reset too many passwords), but they also do not want to be embarrassed by privacy and security breaches.
One option is the use of a social login to help secure online authentication. This could enhance user information security and minimise privacy breaches. Social login, also known as social sign-in, is a form of simple sign-on (to web resources) using existing membership of a social networking service such as Facebook, Yahoo, Twitter or Google+ to sign into a third party website in lieu of creating a new login account specifically for that website or service. Social login is designed to simplify logins for end users as well as provide more and more reliable demographic information to website owners. Social login can be used as a mechanism for both identity authentication and user authorisation.
Social login is being adopted by private sector organisations for a number of reasons including: Rapid registration; Verified email contacts; and Customer stickiness. However social login also offers three major benefits for government agencies.
– Currency of contact data. Contact data such as email tend to be kept up to date by the user.
– Passwords are less easily forgotten because they are regularly used. At the same time, the social login passwords are not transmitted from the user to the agency website.
– Security. Agencies can leverage security technologies implemented by the social networks that they might never be able to replicate themselves. Because of their resources, social networks such as Google and Facebook are able to detect and patch zero day exploits quickly.
So what are the privacy risks?
A user, when accepting the convenience of a social login, can share a significant amount of their information between a third party website (such as a government agency) and the social network. The social site is informed of every social login performed by the user. Often, it is worth considering whether users understand exactly what they are sharing and whether they are giving informed consent to share. However this risk can be mitigated with the creation of clear and detailed login screens, which explain what the users are sharing.
As an example, the following information is returned when a Facebook user agrees to share their ‘Basic Profile’. Other than the email, the information is not verified and may not be present. However, several organisations claim that the quality of the data returned is in general very good because social network users feel social pressure from their friends to be accurate.
At the same time, it is not necessary for the third party website to collect all the information if it is not required.
Another issue surrounds current sensitivities with the USA NSA’s indiscriminate hoovering of online data. It is important to note that because all the large social networking sites are based in the USA, they are subject to USA’s laws and customs related to security and privacy. Under that regime, Australians are given significantly fewer protections than USA citizens or residents. Effectively, the social networking site itself provides the main protection for reputational reasons. However, readers may be aware that there have been recent moves in the USA to change this approach for what the US charmingly calls ‘aliens’ like Australians and give the same protections for all users irrespective of citizenship.
Can we get the benefits of social login and have citizen privacy as well?
With careful design it seems possible that social login could enhance privacy for users at the same time as providing benefits to government agencies. Considering the social login as an adjunct to agency authentication rather than the whole process could be an answer. If customers nominate their social login at the same time as they were enrolled into a government service, they could later use their social login as the first stage of an authentication process. This would provide an outer layer of defence against hacking. The user could then login to the agency itself using a separate authentication process.
The advantages of this model, beyond defence in depth, are that the user logs into the agency with their authenticated social login username, but does not gain access to sensitive information without providing an agency specific authentication. The social network also does not receive any sensitive information beyond the fact that a user logged in at a website. The use of government portals can be used to obfuscate which agency a user is accessing. At the same time, with consent, contact information from the social login site could be compared with that held by the agency and presented to users so that they can choose to update the information held on them by the agency.
At both the state and federal level, government agencies are starting to actively consider social login. Provided that governments are also prepared to carefully design the user interaction so that the social networks don’t get any more personal information than the user/citizen is prepared to share – by turning off analytics and sharing social network authentication gateways across groups of government agencies, it can provide benefit to users and government alike.
In the longer term, government will be able to verify citizens online when they wish to enrol themselves for services. The possibility arises to use the Document Verification Service (DVS) combined with social history to connect an entity to an identity, but that may be a discussion for another time.
I’d love to hear what you think.
This article originally appeared under the title “Can social login be privacy enhancing” in the May 2014 edition of Privacy Unbound, the journal of the International association of privacy professionals (IAPP) Australia New Zealand chapter and can be found here at this link iappANZ_MayJournal
The Australian Privacy Principles come into force on 12 March. The APPs extend coverage of privacy laws to most business with turnover of $3 million or more.
Fines of $1.7 million are possible for breaches.
Australian Privacy Principles
The Privacy Act now includes a set of 13 new harmonised privacy principles. The APPs regulate personal information handling by the federal government. In addition, the law significantly expands the number of private sector organisations covered.
The new Australian Privacy Principles (APPs) replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations. The changes do not generally replace existing state of territory privacy legislation (eg Victoria & ACT) which will probably cause some confusion at the edges
A number of the APPs are quite different from the existing principles, including
APP 7 -on the use and disclosure of personal information for the purpose of direct marketing, and
APP 8 – on cross-border disclosure of personal information.
The OAIC gets teeth
The Privacy Act now includes greater powers for the OAIC which include:
conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
accepting enforceable undertakings
seeking civil penalties in the case of serious or repeated breaches of privacy
In some ways Australia is just catching up with Europe, Canada and USA, but its worth noting that breaches can mean organisations get fines of up to $1.7 million. It is probably an understatement to say that this could have a serious impact on company finances as well as reputations.
One thing that is very good about these changes is that there is better alignment with good information security practice. We hope that these changes may help some organisations improve the state of their information security as they become privacy compliant.
A new mandatory credit reporting privacy code (CR code), created by the Australian Retail Credit Association ( OAIC’s Codes Register ) also starts on 12 March 2014.
We can help
We are helping government agencies and businesses assess the privacy impact of their activities in light of these legal changes. In particular, we have recently worked with the health and finance sectors in Queensland, the ACT and Victoria.
Please contact us at Resilience Outcomes for assistance.