IT Compliance Advisor

February 26, 2015  3:28 PM

AT&T’s high-speed service comes with a privacy fee; Google bows to privacy spot checks

Fran Sales Fran Sales Profile: Fran Sales
AT&T, Data privacy, Data-security, Encryption, Fiber optic networking, Google, samsung, Smart machines

AT&T’s has begun rollout of a fiber-optic Internet service that furnishes customers with high-speed access, but they must pay an extra monthly charge if they want to keep their browsing habits private. In other data privacy news, Google accepted the terms of an agreement drawn up by an Italian data privacy regulator, and U.K. security experts found that older Samsung smart TVs don’t encrypt voice-related data.

AT&T charges privacy fee for fiber-optic Internet service

AT&T’s fiber-optic Internet service, called GigaPower, touts access speeds of up to 1 gigabyte per second, but it comes with a catch: Customers must pay a monthly fee to opt out of being monitored by the company and keep their browsing habits private.

Online monitoring expert Jonathan Mayer told the Wall Street Journal that the service’s privacy option was “troubling” because it allows AT&T to perform relatively wide-ranging user tracking, while customers aren’t necessarily in a position to prevent it. Furthermore, Mayer questioned whether the fee was really a penalty meant to discourage customers from opting out of tracking, particularly because many online companies allow their users to do so free of charge.

An AT&T spokeswoman claimed that this was not the case, however. “We can offer a lower price to customers participating in AT&T Internet Preferences because advertisers will pay us for the opportunity to deliver relevant advertising and offers tailored to our customer’s interests,” she said.

Google agrees to privacy inspections by Italian regulators

Last week, Google accepted the terms of an agreement outlined by a European data privacy regulator that lays out how Google will comply with Italy’s privacy laws. Google agreed to comply with an order to improve its privacy policy, including allowing opt-outs for targeted advertising and to reveal how long it keeps user data. The agreement, with which Google will have until Jan. 15, 2016 to comply, includes regular spot checks at the company’s U.S. headquarters to monitor its progress.

The agreement is the latest development in a series of European investigations that began in 2012, when Google released a single privacy policy that encompassed its various services, such as Gmail and YouTube. The EU privacy regulators found the policy to be in violation of European law because it blended together user data collected from across those services to create a fuller profile of users. Those investigations culminated in orders to comply with national privacy laws and fines from Spain and France.

Older Samsung smart TVs do not encrypt voice data

After U.K.-based cybersecurity experts disclosed that some of Samsung’s smart TVs upload users’ voices online without encrypting the data, Samsung told the BBC that it will equip its latest models with data encryption. A software update will also be available for download on previous models.

Samsung’s oversight, according to the experts, makes it easier for hackers to spy on users. The cybersecurity experts made the discovery during their testing of one of Samsung’s older smart TV models. They found that the TVs were uploading audio files of their voice commands in an unencrypted form, along with data about the TVs and their MAC addresses, which could function as an identifier. The transcription of the voice commands, which was sent back to the TVs so their screens could act on the commands, was also unencrypted. According to the experts, the flaw was serious because intercepting those communications could be done over Wi-Fi, or be carried out by Internet service providers, governments and law enforcement.

This news comes at the heels of Samsung announcing an update to its privacy policy earlier this month. The policy’s old language implied that Samsung smart TVs’ voice command feature captured personal or sensitive information and transmitted them to third parties.

February 11, 2015  8:53 PM

FCC chairman urges strong Internet regulation; Anthem breach might set a precedent

Fran Sales Fran Sales Profile: Fran Sales
CIO, Data collection policies, Data Encryption, FCC, Healthcare IT, HIPAA, Internet service providers, Net Neutrality, NSA, NSA Data Collection, NSA surveillance, privacy

In a bold effort to ensure net neutrality, FCC Chairman Tom Wheeler has proposed a new set of rules that would treat the Internet as a public utility and prohibit pay-to-play fast lanes. Also in recent GRC news: Experts warn that Anthem’s breach could lead to more attacks on other healthcare organizations; and President Obama announced minor changes to private data collection rules that would still keep NSA bulk collection efforts intact.

FCC chairman proposes new net neutrality rules

Last week, Federal Communications Commission (FCC) Chairman Tom Wheeler proposed a new set of rules to ensure net neutrality. The proposal comes after President Obama’s recommendation last November that the FCC adopt “the strongest possible rules” to maintain net neutrality and to apply Title II of the Telecommunications Act to the Internet by reclassifying it as a telecommunications service.

Wheeler is urging the Title II approach in his proposal that, if passed, would give the FCC the legal authority to regulate the Internet as a public utility. This would ensure that no content is blocked and would prohibit Internet providers from providing “fast lanes” to customers who can afford it and slower speeds to everyone else.

Wheeler’s proposal will be voted on by the entire commission on Feb. 26 and, if approved, would likely be challenged in court by cable and telecommunications companies.

Anthem breach draws attention to healthcare data security

Anthem, the second-largest health insurance company in the U.S., last week suffered what security experts say is the industry’s largest cyberattack in history. Personal information of 80 million customers were exposed — including Social Security numbers, medical identification numbers and email addresses — that could be used for fraud.

Experts warn that more healthcare companies are likely to be targeted due to hackers’ success in breaching Anthems’ systems, as well as the high value of patient data on the black market. Medical records fetch higher prices than credit card records, especially due to the credit card black market being inundated after numerous data breaches at large retailers.

The Anthem breach and the fact that the data stolen from its database was not encrypted also raised questions about the lack of clear healthcare data security standards. The Health Insurance Portability and Accountability Act, for instance, encourages data encryption, but doesn’t require it. This could weaken public confidence, experts say, as greater numbers of medical records are digitized and the government increasingly promotes electronic data sharing. Encryption mandates remain controversial, however, because it can make daily operations more burdensome and potentially increase costs.

White House makes changes to data collection practices

Last Tuesday, the Obama administration announced changes to how private data is collected for intelligence purposes. The changes tighten rules that govern how intelligence agencies use foreigners’ Internet and phone communications collected by the National Security Agency (NSA) — although the agency’s bulk collection of data would be allowed to continue.

Under the new set of rules, data must fall under one of six threat categories to allow for its collection, and irrelevant data must be purged after five years. The new rules also place more scrutiny on how intelligence agencies use the data they acquire from American citizens without a warrant, and state that this type of data can only be used to prosecute someone for such serious crimes as kidnapping, murder or threats to national security.

Critics contend that the new policy still does not go far enough to protect Americans’ privacy against the NSA’s surveillance techniques. “The reforms are far from sufficient and they really do tinker around the edges. It’s clear the administration is going to continue to stand by a lot of the mass surveillance policies,” Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, told CBS News.

January 20, 2015  7:04 PM

Website offers hackers for hire; Obama pushes new data privacy laws

Fran Sales Fran Sales Profile: Fran Sales
Asset management, CIO, cybersecurity, Cybersecurity legislation, Data privacy, Data protection, grc, Hackers, Identity theft, IT Governance, Privacy rights

Hackers may have found a way to commercialize their services as individuals begin to seek “hackers for hire” to carry out low-profile cyberintrusions. In other recent governance, risk and compliance (GRC) news, President Barack Obama has introduced proposals to strengthen companies’ customer data governance processes, and new research finds that regulatory compliance costs and intricacies prove difficult for small and medium-sized asset management firms to tackle.

Website offers hackers for hire, toes the legal line

A new website called Hacker’s List opened for business in November, offering hackers’ services to people looking to accomplish various acts of low-profile hacking, The New York Times reported. The hacking jobs range from gaining access to email or social media accounts, to removing embarrassing photos or stories from a website, to changing a school grade, to obtaining client lists from a competitor’s database.

The website matches hackers with clients by having both parties bid on any of more than 500 hacking jobs posted on the site. The deed is then done anonymously. Offers from clients all over the globe have ranged from $100 to $5,000.

Whether Hacker’s List violates any laws is difficult to discern. The site’s founders argue that they are exempt from legal liability because they don’t explicitly encourage any illegal acts, and because the website requires users to agree to terms and conditions that forbid the use of the site for illegal purposes. However, some of the jobs posted on Hacker’s List, such as hacking into someone’s email account, are illegal.

President Obama calls for new data privacy laws

President Obama has unveiled a new set of proposals that will govern how companies collect, protect and use customers’ data. The suggested Consumer Privacy Bill of Rights legislation would require companies to inform customers within 30 days if their information has been stolen, make it illegal to sell customers’ identities overseas, and mandate protection of students’ personal data.

President Obama urged Congress to pass the legislation, calling identity theft and other types of cyberattacks “a direct threat to the economic security” of U.S. citizens. Currently, different states have different disclosure regulations, some of which date back 10 years. According to the National Conference of State Legislators, most of these laws only cover certain types of personal information, such as Social Security numbers and driver’s license numbers.

While this is a promising step toward pushing security and privacy to the forefront, Adam Levin, chairman of and Identity Theft 911, asserts in an opinion piece that the legislation doesn’t provide a clear roadmap for addressing the widespread vulnerabilities that exist in many federal agencies. A recent study of the Defense Department’s security programs and practices found that many of these agencies lack effective guidelines. These lacking processes have resulted in incidents such as the hacking of the U.S. Army Corps of Engineers’ network and the breach of the Federal Communications Commission’s emergency broadcast system.

Shortly after President Obama’s announcement, New York Attorney General Eric Schneiderman proposed a data security bill to curb increasing incidents of identity theft. The new law broadens the definition of personal information to include any data that grants access to online accounts.

Regulatory compliance costs hinder startup asset management firms

Small and medium-sized investment firms are held back by the costs and complexities of compliance, according to research by think tank New City Initiative. Regulatory costs not only make it more difficult to enter the asset management field and compete with the largest firms, but are also potentially detrimental to clients by limiting their investment options, the research found.

Regulatory compliance can serve as a competitive advantage for large institutions because they are able to staff in-house lawyers, while startups have to resort to hiring third-party consultants. Additionally, the several months it takes for the Financial Conduct Authority to process an application is an extra obstacle for smaller firms as they struggle to earn revenue in the interim, the research found. These heightened costs associated with increased regulations could ultimately stifle innovation in the asset management industry, said Stephen Black, co-founder of Tier One Capital.

January 7, 2015  7:52 PM

More U.S. firms look to hack back after Sony data breach

Fran Sales Fran Sales Profile: Fran Sales
CIO, Cyberattacks, cybersecurity, Data breach, FBI, grc, Hackers, Network Intrusion, Sony, Threat intelligence, Two factor authentication

Business cybersecurity — or the lack thereof — continued to make headlines in the past few weeks as more U.S. private-sector firms consider counteroffensive tactics against attackers. Also in cybersecurity news, North Korea slammed new U.S. sanctions in response to the Sony hack, and a new report found that last year’s massive JPMorgan Chase data breach was the result of a basic security flaw.

After Sony breach, more firms consider hacking back

A growing number of private-sector companies — including some large U.S. banks — have been targeted by hackers in recent months and are frustrated with a perceived lack of follow-up from the federal government. These companies have started looking to outside options to strike back at their attackers, some security specialists and former law enforcement officials told Bloomberg.

These anxieties have only intensified after the breach of Sony Pictures’ network, according to the article. Some of these businesses have employed cybersecurity firms to advise them on various counteroffensive tactics, including disrupting hacker operations and peering into foreign-based networks to find out what data was stolen.

“Hacking back” efforts gained a higher profile after President Obama’s promise to mount a response against North Korea for the Sony data breach, but many companies don’t actually follow through with such measures, said some of the cybersecurity professionals. These experts and the FBI also discourage companies from retaliating because it might entice hackers still lurking in their networks to ramp up their attacks.

North Korea blasts U.S. sanctions; FBI stands behind its Sony breach assessment

North Korea has publicly criticized new sanctions authorized by President Obama last week, calling them “hostile” and “repressive.” The U.S. sanctions were imposed against three North Korean organizations and 10 government officials, and enacted in response to the Sony Pictures breach.

North Korea’s foreign ministry continues to deny responsibility for the cyberattack. The U.S. government has not offered any public evidence linking North Korea to the Sony breach, which has left many in the cybersecurity community unconvinced that the nation-state was responsible. Many cyberintelligence firms investigating the attack said they have not observed concrete evidence that confirms that North Korea backed the breach.

Security experts’ skepticism has only intensified after the FBI attended a three-hour briefing by a security firm whose research indicates the perpetrator was laid-off Sony staff. After the meeting, the FBI was steadfast in its assertion that North Korea was behind the attack, and officials stated there was “no credible information” to suggest otherwise. One U.S. official told Politico that the discrepancy could be due to the FBI having access to intelligence sources that others don’t.

JPMorgan hack could have been quelled with simple security fix

Last year’s breach at JPMorgan Chase, the largest cyberintrusion on a U.S. bank reported thus far, could have been prevented by updating one of the bank’s servers to include two-factor authentication, according to a report by The New York Times. JPMorgan spends $250 million on computer security annually to prevent sophisticated cyberattacks, but the security hole overlooked by the bank’s security team was a very basic one, people who have been briefed on the investigation into the attack explained to the Times.

Most large financial firms use two-factor authentication, and sources said the oversight is seen as an embarrassment inside JPMorgan as the company conducts an internal review to see if there are other weak spots in its large network.

Security experts say that one reason the vulnerability in JPMorgan’s network has gone so long without being addressed is because the bank’s size made it difficult to secure its information, especially as it acquires more companies and incorporates new networks.

December 23, 2014  3:49 PM

Obama plans response against North Korea for Sony Pictures hack

Fran Sales Fran Sales Profile: Fran Sales
backdoors, CIO, Cyberattacks, Cybercrime, cybersecurity, Hackers, Hacking, Information security, Microsoft, privacy, Sony

President Barack Obama declared that the U.S. government will respond to North Korea’s actions after the FBI announced that the nation-state was behind last month’s calamitous cyberattack against Sony Pictures. In other recent IT security and privacy news, U.S. Senator Ron Wyden introduced a bill to forbid the government from wiretapping users’ mobile devices, while dozens of technology companies — including Amazon and Apple — announced support for Microsoft in its ongoing legal battle against the U.S. government over search warrants.

Obama promises response against North Korea for Sony hack

President Obama announced at a news conference last Friday that the U.S. will “respond proportionally” against North Korea for the cyberattack that crippled Sony Pictures’ computer systems and leaked staffers’ personal information online.

The president was not specific regarding how the U.S. government will respond, only saying that his administration is working on possible options. Obama also reprimanded Sony Pictures, saying it made a mistake by pulling the release of The Interview, its satirical film about a fictional plot to assassinate North Korean leader Kim Jong Un. He said the studio should have consulted him before responding to the hackers’ threats against theatergoers, and warned against getting “into a pattern in which you’re intimidated by these kinds of criminal attacks.”

The White House announcement came hours after the FBI released an update on the Sony hack investigation that concluded North Korea was behind the attack. The FBI added that the attack stands out from other cyberintrusions because of its “destructive” and “coercive” nature, and that it shows cyberthreats are one of the “gravest national security dangers to the United States.”

Senator introduces Secure Data Act to ban ‘back doors’ in products

Senator Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, has introduced the Secure Data Act legislation to prohibit government mandates that manufacturers create “back doors” into people’s mobile applications and devices for targeted surveillance purposes.

In an opinion column for the LA Times, Wyden argues that creating these “security holes” is bad for customer security and businesses’ bottom line because they deliberately create vulnerabilities that hackers and foreign governments can infiltrate. He also contended that Americans should demand more data encryption technology.

Apple and other tech giants back Microsoft in legal battle

Twenty-eight technology and media companies, including Amazon, Apple, Verizon Wireless and AT&T, joined computer scientists, trade associations and civil rights advocacy groups to sign friend-of-the-court briefs filed on Microsoft’s behalf last week.

The briefs are a show of the support for Microsoft as it battles a federal judge’s ruling that the company surrender individual user emails stored in Ireland to the U.S. government after being issued a search warrant for the files. Microsoft later appealed the ruling.

On Microsoft’s blog, General Counsel Brad Smith wrote that these briefs show the scope of the case no longer just focuses on legality, but is now a “broad policy issue that is fundamental to the future of global technology.” Microsoft also argues that the U.S. government’s subpoena disrespects international laws. Requiring Microsoft to turn over emails through a U.S. court order, without input from the Irish government, flouts the treatises the U.S. has established with other countries that deal with these types of situations, Microsoft contends.

December 11, 2014  6:31 PM

North Korea applauds Sony breach but denies responsibility

Fran Sales Fran Sales Profile: Fran Sales
CIO, Compliance, Cyberattacks, Cybercrime, cybersecurity, Data security breaches, grc, Hack, Information security, Startups

Sony is the latest big-name company to have its computer network hacked. Corporate information and entire films were leaked online in what some suspect is retaliation by the North Korean government. In other governance, risk and compliance (GRC) news, a growing number of U.S. law schools are offering compliance courses or programs, and specialized security startups are drawing the eye of Silicon Valley investors.

North Korea calls Sony hack a ‘righteous deed’

The North Korean government this week denied any involvement in last week’s hack of Sony Pictures’ computer systems, but said its “supporters and sympathizers” may have carried out the “righteous deed.”

An article published by the North Korean government-run KCNA news agency accused Sony of “abetting a terrorist act” by producing The Interview, a movie starring James Franco and Seth Rogen as journalists enlisted by the CIA to assassinate North Korean leader Kim Jong-un. The attackers posted films online that have not yet been released, and disclosed the salary information, email addresses and Social Security numbers of thousands of Sony employees, including celebrities. Sony Pictures said it is currently working with law enforcement to investigate the breach, and the FBI is also probing the attack.

More U.S. law schools offer compliance-centric programs

A dearth of U.S. law schools offer courses or degrees tailored to the compliance officer job, but Reuters reports the landscape is slowly changing. A major driver is the thriving compliance industry: The base salary of compliance offers has been rising 3.5% every year since 2011, and companies such as JPMorgan Chase are bolstering compliance functions even as they make cuts in other areas.

One such program featured by Reuters is New York University Law School’s Corporate Compliance and Enforcement (PCCE), wherein students build compliance expertise through relevant coursework and insight from leading practitioners and guest teachers. Another institution, George Washington University Law School in Washington, D.C., offers a compliance and ethics course focusing on the legal issues that surround anticorruption regulations.

Security startups attract more investor funds

As data breaches become the norm, security startups are increasingly drawing attention from Silicon Valley investors, The New York TimesBits blog reports. According to research firm CB Insights, last year there were 240 investments in these startups with a combined worth of $1.7 billion, up from 83 investments worth $340 million in 2009.

All types of security startups are garnering money from investors, including those dedicated to access control and identity management, the creation of secure spaces on computers for different processes, and network monitoring and alerts if anything suspicious occurs.

Established security companies such as Symantec and Juniper are striving not just to compete with the more specialized products and services these startups offer, but also to attract and retain talent as their lucrative and well-paying smaller rivals hire much sought-after security engineers.

November 25, 2014  6:31 PM

Apple’s consumer privacy practices in the government’s crosshairs

Fran Sales Fran Sales Profile: Fran Sales
Android, Apple, Apple iOS, CIO, Data privacy, Data-security, Encryption, FBI, health, personal data

As U.S. federal agencies put tech giants’ data security practices under the microscope, consumer privacy issues are on everybody’s minds. Also in privacy news: Two U.S. business alliances are pushing for greater data management transparency, and a new study shows that Americans remain suspicious of online services and government spying.

FBI publicly censures Apple’s impenetrable encryption technology

Various government and law enforcement agencies are up in arms regarding new device encryption measures put in place by big technology firms. In September, Apple announced that new iPhone software would prevent anyone other than its user — including police armed with a court order — to access data on the phone. Shortly thereafter, Google disclosed that it would implement similar encryption technology on its devices that use the new Android OS.

The FBI met with Apple representatives about the issue Oct. 1, during which Deputy Attorney General James Cole warned that a child could die because the encryption tools would prevent law enforcement from looking inside a criminal’s phone for pertinent information. Apple’s representatives responded that the company is protecting the rights of consumers who are storing more personal data on their devices and losing trust in how technology companies store their information.

FBI Director James Comey also spoke out publicly against the new encryption measures, saying that Apple and Google have swung the “post-Snowden pendulum” too far in favor of protecting consumer privacy. The Obama administration said it plans to continue discussing these issues with the technology companies.

FTC in talks with Apple to confirm health data security

The Federal Trade Commission (FTC) is another U.S. agency with its eye on Apple’s handling of consumer data, particularly with regard to its Apple Watch and the HealthKit platform and the security and privacy of the health data they collect.

Reuters reported that there are no hints that the FTC plans to launch a formal investigation, but the agency has recently focused on the privacy safeguards for increasingly popular mobile health applications. Apple’s HealthKit offers consumers control over their health data and was designed with privacy in mind, Apple spokeswoman Trudy Muller told Reuters. In August, Apple also toughened its privacy policies so that developers cannot use the information collected by HealthKit for data-mining purposes.

Two coalitions publicly encourage user transparency in data practices

Two composite organizations are taking steps toward addressing consumers’ waning trust in data security as breaches grow larger in scale. Earlier this month, the Alliance of Automobile Manufacturers, which represents manufacturers such as Chrysler, Ford Motors, General Motors and Toyota, pledged more transparency into their data management and security practices. The American Farm Bureau has also addressed concerns regarding how agriculture technology providers use the data collected by their services.

While Fortune‘s Heather Clancy wrote that these statements are a step in the right direction, she also argues that businesses need to take privacy further. She cited a Forrester report that predicts the number of executives that view their security strategy as a competitive differentiator will grow next year.

Pew Research unearths pervasive distrust among U.S. consumers

A recent Pew Research Center study reflects a widespread belief among U.S. consumers that they’re losing control of their personal information. According to the study, which surveyed 607 American adults, 91% reported they “agree” or “strongly agree” that they have lost control of how their information is being collected and used by companies. Furthermore, 88% agree or strongly agree that it would be very challenging to remove inaccurate data about them online.

Seventy percent expressed concern about how the government accesses their data, and 80% agreed or strongly agreed that Americans should be concerned about how the government monitors their phone and Internet communications.

The study also found that 80% of those who use social networking sites are concerned about how third parties such as advertisers are using the information they share on those sites. Social media sites garnered the most distrust, with 81% of respondents stating that they are “not very” or “not at all secure” when using the sites to share personal data with other people or organizations. However, 55% of respondents said they were willing to share some of their data in exchange for the use of free online services.

October 30, 2014  6:23 PM

Apple Pay sidesteps compliance rules; FCC takes first privacy action

Fran Sales Fran Sales Profile: Fran Sales
Apple, CIO, Data security standards, FCC, Google, Mobile, privacy

Apple Pay rolled out to much fanfare earlier this week, but may have bypassed some compliance requirements that Apple’s mobile payment rivals have to maintain. In other recent headlines, the FCC took its first steps toward data security enforcement, Google cracked down on online piracy, and Verizon is in hot water with privacy advocates.

Apple Pay under less regulatory scrutiny than rivals

Apple faces less stringent compliance demands than its competitors in the mobile payment space, according to some experts. The company didn’t have to register the recently launched Apple Pay with the U.S. Treasury Department’s Financial Crimes Enforcement Network (Fincen), and thus didn’t have to set up an anti-money laundering compliance program for the service.

This is because Apple merely facilitates the transaction between the consumer and a merchant and doesn’t actually accept or transmit payment, industry insiders told the Wall Street Journal. A phone using Apple Pay doesn’t store card numbers, but rather an encrypted token that unlocks payment card data once the user holds the device near a merchant’s reader.

Rivals PayPal, Google and Facebook are registered with Fincen, however, and thus have to maintain anti-laundering programs.

FCC dives into security, hits two companies with $10 million fine

The Federal Communications Commission (FCC) made its first foray into data security enforcement last Friday, imposing a $10 million fine against two telecom companies for storing personally identifiable information (PII) collected on the Internet without instituting security controls.

From September 2012 to April 2013, YourTel America and TerraCom collected PII from as many as 300,000 applicants to a federal subsidy program. This information included names, addresses and Social Security numbers, according to the FCC. Instead of securing the data or destroying it, the companies stored it on publicly accessible online servers. Reporters for the Scripps Howard News Service discovered the PII with a simple Google search.

The $10 million fine will be split between the two companies.

Google revamps search algorithm to deter piracy

Google announced that it has modified its search algorithm to make it less likely that illegal piracy websites will rank highly on its search results pages when users search for copyrighted media content. The company announced its decision through an updated version of its “How Google Fights Piracy” report, which was originally published last year.

The update includes changes to how Google presents its ads in search results pages for queries associated with entertainment media. The ads will be featured prominently at the top of the page and positioned in a way that points users to legitimate sources of content.

Google is currently only implementing these new results in the U.S., but it plans to expand the effort internationally.

Verizon uses identifiers to help clients target advertisements at users

Verizon Wireless is adding tokens to Web requests traveling across its network that allow the cellular services provider to collect data on consumers’ interests. The user profiling, part of the company’s Relevant Mobile Advertising service, affects all Verizon Wireless customers. The tokens, called Unique Identifier Headers (UIDHs), link website visitors to Verizon’s internal profiles.

The service allows clients to tailor their website advertisements to specific consumer market segments. The websites can request advertisements and UIDHs from an on-demand advertising network, which can then ask for consumer data such as geolocation information from Verizon so it can provide targeted advertising.

Verizon says its users remain anonymous and that this marketing data is private. But because the database is not under any legal scrutiny, privacy advocates say that the service tracks users and should not be using the data outside of the intended purposes.

October 17, 2014  4:12 PM

JPMorgan Chase hackers compromised 13 other finance companies

Fran Sales Fran Sales Profile: Fran Sales
CIO, Customer data, Cyberattacks, Cybercrime, cybersecurity, Data privacy, Data security breaches, Financial firms, Financial industry, Google, Retail/point-of-sale applications, Search engines, Search Indexing

Online consumer security and privacy remains in the headlines as big-name companies continue to report cybersecurity breaches. Further investigations into the JPMorgan Chase cyberhack revealed that 13 other financial institutions’ computers were also breached, while Dairy Queen and Kmart’s in-store payment systems were compromised in recent hacks. In other consumer privacy news, Google added information on European de-indexing requests to its Transparency Report.

JPMorgan Chase hackers targeted 13 more financial companies

More than a month after the JPMorgan Chase cyberattack was made public, the Obama administration and top national security advisers still don’t know whether the financial company’s hack was a typical act of theft or perhaps retaliation initiated by Vladimir Putin for U.S. sanctions on Russia. In addition to JPMorgan Chase, the hackers who perpetrated the attack targeted 13 other financial institutions, including Citigroup, HSBC Holdings, E*Trade Financial and Automated Data Processing, according to a Bloomberg news report. Signs of intruders were discovered in these companies’ computers or logged by their security tools, sources said.

The FBI, the U.S. Secret Service, attorneys general from at least two states and New York federal prosecutors are also conducting investigations, as questions remain regarding the hackers’ motives and the impact of the attacks on the financial industry.

Kmart, Dairy Queen payment systems hit by cyberattacks

Two more U.S. retailers are victims of cyberbreaches that compromised their customers’ payment card information. As in the recent Home Depot breach, hackers infected in-store payment systems at Kmart and Dairy Queen with malware meant to evade antivirus software.

Kmart announced its breach last Friday; company representatives said it was attacked in early September and is working with law enforcement and forensics teams to determine the source of the attack. The company didn’t disclose how many of its stores were affected or how many cards were compromised, but said the malware has been removed from its systems.

Dairy Queen revealed last Thursday that its in-store payment systems were infected, and that it’s working with franchisees to determine which locations were affected. Details of the attacks are provided on its website. According to forensics experts, customer account numbers and expiration dates were stolen.

Google adds details on European de-indexing requests to transparency report

Google is adding a new section to its online Transparency Report called “European privacy requests for search removal,” where it’s listing details about requests for search-listing removals the company receives in Europe.

The section lays out the total number of URLs Google has received for removal, as well as the number of de-listing requests it has received. To date, Google has received 146,938 removal requests and 498,830 URLs to evaluate. The report also breaks down those numbers by European country. Overall, Google grants about 41% of requests, according to the report.

Google’s Transparency report also details removal requests from governments and courts, as well as copyright requests. In May, the Court of Justice of the European Union ruled that Google and other search engines must evaluate individuals’ requests for de-indexing, and that they can only list display results if they serve public interest.

September 30, 2014  4:14 PM

Facebook’s Atlas arms advertisers with deeper reach into user data

Fran Sales Fran Sales Profile: Fran Sales
advertising, Android, Antitrust lawsuits, CIO, Data privacy, Facebook, Google, iOS 8, Marketing, Mobile applications, Search

Facebook has unveiled a new ad platform that promises marketers deeper insight into the data of billions of its users — a move that has raises big concerns among privacy advocates. Also in data privacy headlines this week: Law enforcement officials are uneasy about Apple’s and Google’s new mobile encryption policy; the EU’s antitrust agency continues to call on Google to change its search practices; and mobile developers clamor for clear-cut health data guidelines.

Facebook’s new ad platform equips marketers with deep user data

On Monday, Facebook rolled out a revamped version of Atlas, its digital advertising platform. The updated platform will allow marketers to analyze the data of Facebook’s 1.3 billion users to target ads to these individuals on other websites and within mobile apps. Atlas also provides advertisers with information that determines which ads are most successful.

With the platform, Facebook plans to compete with Google, Yahoo and other online companies’ advertising networks. But while the detailed tracking Facebook conducts on its users’ information certainly provides marketers with a uniquely valuable tool, the revamped version of Atlas has also caused consumers and their advocates to voice privacy concerns. Facebook representatives are on the record claiming that the company never reveals users’ identity to advertisers.

Law enforcement uneasy about Apple’s, Google’s new encryption policy

Both Apple and Google’s new mobile operating systems, iOS 8 and Android L, respectively, include encryption protection that doesn’t allow the companies to extract information from smartphones protected by a four-digit passcode, even when a warrant is issued. This development has spurred members of the law enforcement community, including Law Enforcement Legal Defense Fund President Ronald T. Hosko, to express concern that such policies would hinder efforts to solve crimes and punish criminals.

Apple’s and Google’s new policies “will create needless delays that could cost victims their lives,” Hosko said. He pointed out that while these policies won’t make it more difficult for law enforcement officials to intercept calls, it will be more challenging for them to access information stored on the devices.

EU’s antitrust authorities again demand that Google amend search settlement

European Union antitrust chief JoaquĆ­n Almunia is demanding that Google amend its settlement proposal for a fourth time, as antitrust authorities continue a nearly four-years-long investigation into the company’s search practices in Europe.

Almunia’s agency has been probing allegations that Google tweaks its search results in order to prioritize the company’s own products. The agency and Google reached a deal in February that would have allowed the search company to evade fines of around $6 billion if Google agreed to present rivals’ search results in a manner similar to its own. The settlement collapsed, however, when senior EU politicians and prominent publishing houses criticized the decision and called for authorities to diminish Google’s dominance of the search market.

Mobile app startups pursue developer-friendly health data guidelines

Earlier this month, a group of mobile app developers filed a letter of complaint to Rep. Tom Marino (R-Pa.) regarding the lack of current online guidance concerning the Health Information Portability and Accountability Act’s patient health information privacy rules. The App Association, a group that claims to represent 5,000 mobile app providers, was among the letter’s signers.

Developers say it’s difficult to compete with larger rivals that have the means to hire legal experts, while startups must rely on out-of-date information available on government websites, according to Reuters. The group of developers also requested resources including better guidance for storing health data in the cloud, as well as increased participation by members of the Department of Health and Human Services in mobile health events.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: