Wednesday, May 21, 2014

Which countries are better at protecting privacy? and why

Which countries are better at protecting privacy?


Some countries offer more protections for personal data than others. (iStockphoto)
While the United States is again mired in soul-searching debates about personal privacy and how companies collect data, a slew of privacy protection laws have already taken hold around the world.

Of the many regions that have passed regulations, the European Union stands out for its overarching and comprehensive approach. The 27-country EU directive, passed in 1995, restricts the use, sharing, storing and collecting of personal data. This holistic view of personal data, defined as anything that can identify an individual — including a person’s address and their image — is seen as the gold standard for many countries. It differs from the patchwork laws in the US and some other countries.
“The EU has strong standards and enforcement,” said Daniel Cooper, a partner at the London office of Covington & Burling. “And the rest of the world is playing catch up.”
Billions of consumer data bytes are spewed through smartphones, video cameras and social media every day. The amount of data is so vast that terabytes have morphed into zettabytes, which is 1,000,000,000,000,000,000,000 bytes (that’s 21 zeros, if you are counting). Several US firms like EMC Corp and IBM Corp are eyeing big profits from analyzing and storing this new digital gold because it can more easily predict buying behaviour.
This flood of data about individuals, from the last website someone visited to the phone numbers people call to even more personal information, has worried regulators around the globe.
Even the EU is considering stricter, and controversial, personal privacy measures, such as the right to be forgotten. If approved, a person’s past could be wiped off the internet and their data could no longer be processed or stored. US companies in Silicon Valley, among others, are fighting these proposed EU regulations, but the effort has continued to move forward.
The EU and elsewhere
The EU’s data privacy laws are folded into a directive that identifies core principles that member countries must observe, including adequate data security and an individual’s consent to have their data collected. Data that identifies a person is considered personal, including email addresses and even the IP address that identifies each computer.
“Transparency is a core tenet,” said Cooper.
Each EU country has its own data privacy czar to enforce laws, although enforcement varies greatly between countries. Within the EU, Spain and Germany are widely seen as swinging the toughest data privacy sticks. Regulators there slap violators with large fines when they violate consumer privacy rights. Spain, for example, logs the most data protection complaints and hands out the most severe fines in the EU. Spain’s data agency has handed out several 300,500 euro ($393,355) fines for illegal data transfers, according to the law firm White & Case. Germans are sensitive about data privacy too, including employee data, said Martin Munz, a partner in White & Case’s Hamburg, Germany office. And data regulators there also issue stiff fines — up to 250,000 euro ($327,250).
Asia, meanwhile, is also coming along the data privacy curve pretty quickly. Singapore passed a data privacy law last year that protects all personal data ten years after a person’s death. And South Korea has some of the strongest data privacy laws in Asia, even covering a person’s image or voice. The laws, which passed in 2011, are strictly enforced.
The EU has also used its collective clout to drive change in privacy rules in other countries, too, mainly through trade. Central and South American countries such as Peru, Uruguay, Costa Rica and Mexico have hammered out data privacy laws in the past few years in hopes of complying with the EU Data Protection Directive to further open trade with South American businesses. Argentina, which offered its own data privacy rules in 2000 mainly to do more trade with Europe, also meets the EU’s standards.
Enforcement among these countries varies widely, though, said Cooper. Argentina, along with other South American countries, is widely seen as having lax enforcement that leaves individuals with less privacy protection than they believe they have.
Several other South American countries, including Brazil, are in the midst of formulating privacy laws. Australia has also hammered out a bare bones data privacy law that has been added to over the years, although the country’s laws do not meet the EU standards, since Australian data isn’t as rigorously protected.   
How the US lags behind some parts of the world
While much of the developed world seems to be acting to protect personal data, the lack of an overarching privacy law increasingly sets the US apart. Its laws protect healthcare and financial data, but little else. HIPAA, a US law passed in 1996, protects any healthcare information that identifies a person. And the Gramm-Leach-Bliley law protects financial data that is also identifiable, such as people’s bank account numbers and addresses.
Beyond that, US data privacy laws are patchwork. American retailers, for example, are largely self-policing. And enforcement is limited to a company’s own privacy policy. Consumers who want to do business with a particular retailer usually must agree to its privacy policies — in many cases there is no option to opt-out except to not buy from a merchant. The US Federal Trade Commission, charged with protecting American consumers, only steps in when a company doesn’t keep its self-developed privacy promise.
Some states have their own privacy laws, separate to the federal statutes. Massachusetts and California are the best at protecting consumer data among states, said Daren Orzechowski, a partner in White & Case’s Intellectual Property Group.
But otherwise, consumers must scrutinize the policies posted by retailers and decide what privacy they are willing to give up to make a purchase.
There is little hope right now for a single blanket data privacy law to pass in the US Congress. And even the widely touted Consumer Privacy Bill of Rights, which would give Americans some control over all their data, has lost momentum in Congress.
“In Europe, your data is an asset you can protect,” said Terence Craig, co-author of Privacy and Big Data. “The US doesn’t have that history
http://www.bbc.com/capital/story/20130625-your-private-data-is-showing

Government cyber-attack

That turned out to be a disastrous mistake, one that eventually led to the demise of the group.
Clicking on the link didn’t provide any information. It didn’t even open a blank page. But, with each click, spy software, known as malware, was surreptitiously downloaded onto the computers of each staffer who tried to open the document. That program was designed to steal workers’ files, intercept their emails and snoop on their Skype communications.
According to research by the Electronic Frontier Foundation and Citizen Lab, both activist bodies focused on internet freedom, the malware was likely created by a well-known government supplier called Hacking Team. Hacking Team told BBC Capital it cannot reveal its customers and therefore would never confirm nor deny it created the spyware.
Almiraat strongly believes a government was behind the attack.
“This piece of (malware) software costs half a million dollars. I don't know anybody who considers themselves to be our enemy who has the resources and time to purchase this thing and target our group in this manner,” other than a government, he said. The Moroccan government had not responded to several requests from BBC Capital for comment at the time of publication.
This kind of targeted approach is typical of government-led attacks, said David Emm, senior security researcher at computer security firm Kaspersky Lab.
“People are susceptible to social engineering tricks for various reasons. Sometimes they simply don't realise the danger,” Emm said.
Wide range of targets
Some nations are using such tactics to watch over activists, experts said. But others are increasingly using hackers to acquire intellectual property to support businesses on their own turf, whilst hoping to gather data related to national security (like military secrets), according to Mark Brown, director of information security at business consultancy EY, formerly Ernst & Young.
A broad range of industries fall into the bull’s-eye of such attacks. In February, security firm Kaspersky disclosed a cyber-espionage campaign that affected not just government institutions, but also diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and activists.
Emails sent to targets contained links to apparently benign websites, promising recipients everything from videos related to political subjects to food recipes, whatever the intended recipient would find interesting enough to open. If the user clicked on the link, their system was infected and the malware could record Skype conversations or take pictures of users’ screens and send the information back to the attackers.
“Nation-state attacks are increasingly focusing on economic growth and competitive advantage as well as national security issues,” said Brown. “Companies of any size can be attacked to gain access to information which can accelerate the economic interests of a nation.”
Devastating impact
The impact on a targeted organisation can vary, but it can be more destructive than even covert surveillance. In 2013, for instance, security company McAfee investigated attacks on South Korean banks.
“Tens of thousands of computers had their hard drives wiped with significant disruption to the cash machine network amongst other systems,” said Raj Samani, chief technology officer for McAfee in Europe, the Middle East and Africa.
South Korea suspected North Korea had used a malware program on the banks, though that country denied any wrongdoing. Whoever was behind the attack caused significant disruption. Customers for Shinhan Bank, for example, were unable to access either internet banking or cash machines for at least two hours. Later in the year, citing figures from the defence ministry’s cyber division, Chung Hee-soo of the ruling Saenuri Party claimed that attacks from North Korea in 2013, which included those on the banks, had cost South Korea 800bn won ($756m) in economic damage.
Even small firms or those with minor interests can be targets — and they’re often most vulnerable because they believe “that their operations are not sensitive enough to attack,” said Brown. “We are increasingly seeing companies further down the supply chain as targets.”
Employees beware
Every developed nation is believed to be involved in carrying out such attacks, and each has experienced digital attempts on their own properties, affecting both private and public organisations, said Jaime Blasco, director of AlienVault Labs, an organisation that researches attacks and provides advice to customers.
“The usual suspects have always been countries such as Russia, China and with the Snowden revelations [of mass spying by the US National Security Agency] we can include the US,” Blasco said. “That said, it makes perfect sense that most governments around the world have developed these capabilities and are actively using that to support traditional intelligence operations.”
Any employee can be targeted, from the CEO to human resources to the information technology team. But Mikko Hypponen, chief research officer at Finnish security firm F-Secure, says there are a select few who are more likely to attract hackers.
“It's fairly easy to figure out who is the most likely target: board members, chief executives, secretaries and admins,” who have direct lines into the most valuable information on a business’ network, he said.
If workers are duped into letting malware on their company PC, the financial cost to their employer could be severe. A survey of 800 chief information officers by McAfee revealed in March that of those who had been breached by advanced attacks in the last 12 months, the cost to the organisation was upwards of £600,000 ($1m USD).
Preventing cyber hacks
Every department should receive training to reduce the exposure of business assets to attackers, Blasco said. Workers should be taught to identify suspicious emails, he added.
Caution using public wi-fi is vital, as information shared over those networks can be easily intercepted by a hacker, he said. Since social media accounts can also prove valuable to government attackers — and activists in particular have had their Facebook accounts hacked — it’s critical to use strong passwords for such accounts and be careful with what is shared on Facebook, LinkedIn and Twitter, said Emm.
“If you wouldn’t write it in a letter to the local newspaper, don’t post it online,” Emm said.
Anti-virus software, relied on to stop malicious software infecting PCs, is not always very effective at preventing other kinds of attack either.

When governments attack — online

(Thinkstock)
In mid-2012, Hisham Almiraat and his colleagues at Mamfakinch, a pro-democracy citizen media project, received a curious email.
It appeared to offer information on a scandal involving a Moroccan politician, an enticing story to an online publication that was openly anti-government. The sender said he did not want to be identified, but simply recommended the recipients open the file if they wanted some potentially newsworthy content. Some at the group, who were spread across cities in Morocco, downloaded the purported Microsoft Word document, for which the sender had offered a link.

The Heartbleed bug surfaced earlier this month, after a pernicious flaw was discovered in a widely used web encryption program known as OpenSSL. This glitch may allow attackers to trick machines into giving up data they should not leak, such as passwords for email accounts. To exploit the weakness, attackers don’t need to use malware, which means an anti-virus system may not prevent a leak. The only way to stop this type of attack would be to fix or ‘patch’ the Heartbleed vulnerability, according to experts.
Government attacks can be catastrophic. Mamfakinch, which was given a Breaking Borders Award in 2012 by Google and Global Voices, was rendered all but out of business as a result of the attempt on its systems.
Not long after the attack, the number of people involved in the running of Mamfakinch, from editorial staff to technical employees, dropped from 35 to just five. The group has now shut down indefinitely. Even though the attack was caught and the body does not believe the malware succeeded in its aims to spy on employees, the mere fact that Mamfakinch was targeted was enough to scare off sources who were fearful of arrest and further punishment from the authorities.

“When you are dealing with very sensitive political issues and … you're targeted by software of this kind, that really destroys this trust around protecting anonymity. It created a psychological flaw in our organisation,” Almiraat said. “After that people just couldn’t keep on working with us.”

spirit rover mars images

Next in "Coast to Coast" show

Anomalous Object in Rover Photos:
First hour guest, exopolitics pioneer Michael Salla talked about the evidence for life on Mars that NASA doesn't want to discuss. In a set of images taken by the Spirit rover, an object that may be an animal about the size of a basketball, appears next to some distinctive rocks in some of the photos but not others, implying to him that it was some kind of creature on the move. Salla also talked about his newest book Kennedy's Last Stand, exploring what JFK knew about ETs and UFOs.


In tandem with his 5/20/14 appearance, Michael Salla shares a series of Spirit Rover images that he believes shows a moving object/animal on the surface of Mars. 
