Tag: privacy

Carphone Warehouse snuffled by watchdog over hack

The UK’s data watchdog is “making inquiries” after Carphone Warehouse admitted that personal details of up to 2.4 million of its customers may have been accessed in a cyber-attack.

The attack was discovered on Wednesday, and made public on Saturday.
The encrypted credit card details of up to 90,000 people may have been accessed, the mobile phone firm said.

The Information Commissioner’s Office, which examines data breaches, confirmed it was aware of the incident.

Carphone Warehouse says the data could include names, addresses, dates of birth and bank details and it is contacting all those affected.

Carphone Warehouse claims it was the victim of a “sophisticated” cyber-attack, which was stopped “straight away” after it was discovered on Wednesday.

The affected division of the company operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.

The retailer’s owner, Dixons Carphone, has apologised for the attack and said additional security measures have been brought in. It has also taken the affected websites down.

The Information Commissioner will work out if Carphone Warehouse had done enough to protect customer data from hackers.

A spokesman for the Information Commissioner’s Office said: “We have been made aware of an incident at Carphone Warehouse and are making enquiries.”

The Metropolitan Police said its Cyber Crime Unit had been notified of the breach by Carphone Warehouse but no formal allegation of a crime had been made.

The Met said it had not had any reports of fraudulent banking activity.

Google loses over privacy settings

The UK Court of Appeal has turned down an attempt by Google to overthrow a previous verdict that allowed people to sue it over privacy settings.

The case, according to the BBC, centres around allegations that Google got round security settings on the Apple Safari browser and threw advertising cookies on people’s websites to advertise stuff.

Google said it wasn’t pleased with the court’s decision. It had attempted to get the courts to prevent people suing it because it claims people didn’t suffer financially.

But the judges said that the allegations raise serious problems which do merit a trial.

They continued: “The case relates to the anxiety and distress this intrusion upon autonomy has caused. They concern what is alleged to have been the secret and blanket tracking and coalition of information.”

Google’s motto is it does no evil. It claims it hasn’t done anything wrong.

But the US Federal Trade Commission has already fined Google $40 million, while 38 US states also fined the search giant.

Radio Shack customer data sold off

Who needs hackers? It turns out that all that personal data stored in US corporate servers can be sold off to the highest bidder anyway.

Radio Shack, which has been collecting customer data since the 1980s, is about to sell the lot to raise money to pay off some of its debts.

A list of RadioShack assets for sale includes more than 65 million customer names and physical addresses, and 13 million email addresses. The asset sale may include phone numbers and information on shopping habits as well.

Standard General, a hedge fund and RadioShack’s largest shareholder, has bought the database but a bankruptcy court still has to approve the deal.

Needless to say some people have a problem with this and some customers have gone to court to block the sale.

As Bloomberg points out, Texas Attorney General Ken Paxton has argued that selling the data would be illegal under state law. Texas doesn’t allow companies to sell personal information in a way that violates their own privacy policies, and signage in RadioShack stores claims that “We pride ourselves on not selling our private mailing list.” Paxton believes that a data sale would affect 117 million people.

AT&T also wants RadioShack’s data destroyed for competitive reasons. AT&T doesn’t think RadioShack is entitled to the personal information it collected from wireless sales, and may be concerned that the data might fall into another carrier’s hands.

But there is precedent for allowing customer data to be auctioned off in bankruptcy proceedings. In 2011, the Federal Trade Commission allowed Borders to auction personal data if the same privacy policy applied, the buyer was in the same line of business, and the data was sold alongside other assets.

Standard General, which plans to keep some RadioShack stores open, may try to argue that it’s putting the data to similar uses.

Jeb Bush leaks supporters’ details

Former Florida Governor Jeb Bush, who is trying to position himself as a master of tech, has made a series of blunders almost as inspired and clever as his brother’s.

Bush touts his technical prowess, referring to himself as “The eGovernor” for how easy it was to email with him when he was in office. He is expected to declare his desire to run for president in 2016, but he’s already created a major privacy blunder.

Bush’s latest project, which is designed to show the world that he is really hip and knows technology, is called Jeb Emails. It is a huge open database of correspondence to and from his jeb@jeb.org email address, and it publishes the names, messages, and email addresses of his constituents who emailed him during his eight years in office.

However, it is a huge misuse of the data sent to him because people did not expect it to be made public.

One woman said that she emailed Governor Bush when the state was going through the initial insurance crisis but she never gave permission to publish the emails.

She was a little embarrassed that one of the emails showed her worried about “illegal immigrants” as her feelings had changed on that subject and she hated to unduly upset anyone.

However he has had two internet related cock-ups in as many days from his campaign. His office admitted that they had asked their new Chief Technology Officer to delete jokes he’d tweeted about “sluts”.

Now the Verge has uncovered emails that contain Social Security numbers, home addresses, and other personal information from Floridians.

GCHQ rapped over US links

The agency that is watching you watching me has been criticised for hiding how it shared data with the USA.
The Investigatory Powers Tribunal (IPT) said that before it changed its rules last December, GCHQ breached human rights law, as embodied in the European Convention of Human Rights.
Last December, GCHQ said that it usually needed a warrant to share information with the US security services.
But before it made this disclosure, the IPT said that the soliciting, storing and transmission by UK authorities of private communications of people here and obtained by the US authorities contravened either articles eight or 10 of the European Convention.
Article 8 relates to privacy while article 10 refers to the right of freedom of expression.
The Home Office said in a statement that the UK government is committed to transparency.


Facebook faces European probe

Data protection authorities in the European Union are getting edgy about Facebook’s privacy policy, it’s been reported.
Facebook released a new privacy policy at the end of last week which, among other things, even tracks you when you’re not logged into the social network.
You are automatically “upgraded” to the new privacy policy but you can choose to opt out.
According to PC World, authorities in Belgium, the Netherlands and Germany have formed a group in the belief that Facebook may breach the European Union’s privacy rules.
Other elements of Facebook policy the authorities are investigating include it claiming rights to data from profiles for business, and sharing of data with third parties.
The same report says that German authorities are worried about Facebook sharing information with its subsidiaries, such as Instagram.
Facebook always maintains that anything it does is to help individual users.
But the company makes its revenues from advertising – and its users are a means to that end.
European data protection authorities are increasingly cooperating with each other to keep multinationals like Facebook and Google on their toes.
The British ICO recently extracted a promise from Google that it would work to improve its privacy policy in Europe.


Organisations anticipate internet of things

Although there’s still a clear lack of standards with different vendors vying to take the lead, many organisations are getting ready for the internet of things (IoT).
Companies including Intel, Qualcomm, Google and others want to have a big stake in the future of IoT.
And there’s no doubt the hype is generating interest.
That’s the conclusion of market research company Gartner which said in a study that 40 percent of businesses think the IoT will have a “significant” impact in the next three years.
Nick Jones, a senior analyst at Gartner, said: “Only a small minority has deployed solutions in a production environment. However, the falling costs of networking and processing mean that there are few economic inhibitors to adding sensing and communications to products costing as little as a few tens of dollars”.
But even though many organisations are anticipating the IoT, few have put executives in leadership roles.
The main concerns of the people surveyed are security and privacy. And there is a shortage of people with the relevant skills to plot the future.


UK makes Google change privacy policy

The Information Commissioner’s Office (ICO) has made Google sign an undertaking to improve information about how it collects personal data in the UK.
The ICO said that following an investigation it found that Google’s search engine was “too vague” in describing how it used personal data it had collected.
The ICO said Google has signed a formal undertaking to make changes to its privacy policy so that it meets the needs of the UK Data Protection Act.
The ICO worked with other European data protection authorities, it said.
The enforcement officer at the ICO, Steve Eckersley, said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.”
Google will have to make agreed changes by the 30th of June this year, and take even more steps over the next two years.
Google’s undertaking can be found here.


Dutch prepare to take on Google

Search engine outfit Google could face fines of up to $18.6 million if it does not stop violating the privacy of internet users in the Netherlands, the Dutch data protection agency warned.

The DPA said that Google is breaching the country’s data protection act by using people’s private information such as browsing history and location data to target them with customised ads.

Google has until the end of February to change how it handles the data it collects from individual web users or will have to start writing cheques.

The company’s handling of user data under its new privacy guidelines, introduced in 2012, has also been under investigation in five other European countries – France, Germany, Britain, Italy and Spain.

Jacob Kohnstamm, chairman of the Dutch DPA, appears to have had a gutsful of Google prevaricating.

“This has been ongoing since 2012 and we hope our patience will no longer be tested,” he said.

Google needs to adequately inform users in advance and ask for permission before it uses data in this way, the DPA said.

It ordered the company to stop the violations or face incremental fines up to a maximum of 15 million euros. It said Google must start informing users of its actions and seeking their consent.

Google should be careful: the Dutch managed to humiliate the British Empire on more than one occasion and a tech Empire should be a doddle.


Amazon invests in German datacentres

Many people might think that Amazon is where you buy your books, your Hue lights and your CDs but behind the scenes it is becoming a major player in the datacentre business.

And now, according to the Financial Times, Amazon will build several datacentres in Frankfurt in a bid to allay customers’ fears that their data is housed in places where security and privacy are not as high a priority as in Germany.

The FT reports that the EU has much stricter data protection laws than other territories. And, of the EU countries, Germany has the best privacy control.

A senior VP of Amazon Web Services told the FT that many of its German customers would prefer to have their data held locally. Although a figure hasn’t been placed on the German infrastructure investment, it’s believed that such a project will require a multimillion dollar investment.

US providers like Google, Rackspace and others compete with Amazon but are based in the USA. Amazon is believed to generate revenues from its cloud business amounting to over $5 billion during 2014.

German watchdog barks at Google

A German data protection watchdog has snarled at the search engine Google for the way it creates data profiles from its various services.

The data protection commissioner for the German city state of Hamburg has ordered Google to take the necessary technical and organizational measures to guarantee that its users can decide on their own if and to what extent their data is used for profiling.

Commissioner Johannes Caspar growled that Google had refused to grant users more control over how it aggregates data across its services including Gmail, Android and the web search engine.

The Hamburg watchdog said it represented Germany as part of a European task force evaluating Google’s privacy policy.

Processing data that reveals financial wealth, sexual orientation and relationship status, among other aspects of private life, is unlawful in Germany unless users give their explicit consent, it added.

Google is not saying anything about the comments, although the Financial Times earlier quoted a company spokesman as saying Google was studying the order to determine its next steps.

European data privacy regulators last week handed Google a list of guidelines to help it bring the way it collects and stores user data in line with EU law.

Italy, France, Spain, Germany, Britain and the Netherlands have opened investigations into Google after it consolidated its 60 privacy policies into one and started combining data collected on individual users across its services, including YouTube, Gmail and Google Maps.

Google panics over privacy rules

Search giant Google has got itself in a flap because it is being forced to remove thousands of items that people don’t like on the web.

Reuters said Google will hold its first meeting in Madrid tomorrow in a bid to discuss the free flow of information.

This all follows a ruling in May that allows citizens of the European Union the right to be anonymous on the web.

Apparently, by mid July, Google had received over 90,000 requests to remove information on its search engine. Google has refused a chunk of the requests but people have the right to appeal against the refusals.

Reuters quotes French watchdog Isabelle Falque-Pierrotin as saying that the seven debates to be held over Europe were part of a spin war.

This month, representatives of Microsoft, Yahoo and other companies operating search engines are being asked to cooperate to create guidelines for the removal of personal data, if requested.

Ministry of Justice fined for privacy leak

The Ministry of Justice has been fined £180,000 by the data watchdog for failing to safeguard sensitive and confidential information about prisoners.

According to the data watchdog, the Information Commissioner’s Office, the Ministry of Justice allowed data to go missing twice and failed to encrypt personal data.

It all started when an unencrypted hard drive containing data on 2,935 prisoners went missing at HMP Erlestoke in Wiltshire last May. The information included details of links to organised crime, health information, history of drug misuse and material about victims and visitors.

This followed a similar case in October 2011, when the information commissioner’s office (ICO) was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners at HMP High Down in Surrey.

After the first mistake, the prison service was given new hard drives in May 2012 for all of the 75 prisons across England and Wales. The devices could encrypt the information stored on them, but for some reason the prison service did not realise the encryption option needed to be turned on.

Sensitive information was insecurely handled by prisons across England and Wales for over a year, leading to the latest data loss at HMP Erlestoke. If the hard drives in both of these cases had been encrypted, the information would have remained secure despite their loss, the ICO noted.

Stephen Eckersley, ICO head of enforcement, said it beggars belief that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it.

“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.

“This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it,” he said.


Stop taking a pizza the action, Italy tells Google

Italy has given Google 18 months to sort out how it treats and stores user data.
According to the Italy’s data protection regulator has been investigating Google as part of a European drive to reform the internet giant’s privacy practices.

There was concern after Google consolidated its 60 privacy policies into one, combining data collected on individual users across its services, including YouTube, Gmail and social network Google+. It gave users no means to opt out.

The Italian watchdog barked that Google’s disclosure to users on how their data was being treated remained inadequate, despite the company having taken steps to abide by local law.

The Rome-based regulator said Google would not be allowed to use the data to profile users without their prior consent and would have to tell them explicitly that the profiling was being done for commercial purposes.

The watchdog snarled that requests from users with a Google account to delete their personal data be met in up to two months.

A spokesman for Google said the company had always cooperated with the regulator and would continue to do so, adding it would carefully review the regulator’s decision before taking any further steps.

Google also agreed to present a document by the end of September that will set a roadmap of steps to comply fully with the Italian regulator’s decision.

If it does not, it could cost Google a million euros in fines, which is such a small part of Google’s income that it is a wonder if it will care. There are also criminal proceedings which could get a few Google executives in the dock. Google executives have been in the dock before in Italy and it ended badly.
Regulators in France and Spain have already fined Google for breaking local laws on data protection, underscoring growing concerns across Europe about the volume of personal data that is held in foreign jurisdictions.

In Britain, the ICO regulator gave Google until September 20 last year to make changes to bring the policy into line with local law.

Facebook falls foul of ICO

Yesterday Facebook announced the results of a psychological experiment into human behaviour to find if Facebook could alter the emotional state of its users and prompt them to post either more positive or negative content.

It was all fairly tame stuff, but it did raise the eyebrows of the UK Information Commissioner’s Office (ICO).

It is concerned that Facebook might have broken data protection laws when it allowed researchers to conduct a psychological experiment on 700,000 unwitting users of the social network in 2012.

The ICO monitors how personal data is used and has the power to force organizations to change their policies and levy fines of up to £500,000 ($839,500).

Facebook said that it could do what it liked with the 700,000 because they had signed a terms of use agreement when they joined. Of course they had not read it, but they had signed it.
It is not clear what part of UK data protection laws Facebook might have broken, but it does seem that if there is not a clause which says you cannot submit the personal data of your customers to scientific experimentation, there should be.