
Privacy and digital security is a personal responsibility. It can’t be anything else

by Steve Blum

Gagged by privacy

Three unrelated stories that broke within 24 hours demonstrate why digital security is a personal responsibility, and how blindly trusting third parties – individuals or private companies or governments – to look after your best interests is no solution:

  • The European Court of Justice nixed a data sharing safe harbor deal between the European Union and the U.S., pointing out in its decision that “the requirements of US national security, public interest and law enforcement have primacy”, which makes any promises of privacy meaningless.
  • Western intelligence agencies took the unusual step of calling out Russia by name, and blaming its spooks for breaking into systems used by researchers working on a covid-19 vaccine.
  • Crackers punked Twitter employees, and got the keys to the kingdom. Or at least sufficient credentials to take over Bill Gates’, Warren Buffett’s and Joe Biden’s accounts, among others.

Twitter’s explanation for its breach is as succinct a description of the fundamental problem as I’ve ever seen…

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

I have no doubt that Twitter takes security and customer privacy seriously and takes the steps it truly believes are necessary to safeguard its systems. I believe the same about medical researchers.

And the National Security Agency too. But that, thankfully, did not prevent Edward Snowden from blowing the whistle on its mindless and pervasive surveillance of electronic communications, thanks to AT&T’s “extreme willingness to help” and similar assistance from other compliant telecoms companies.

Good intentions and diligent efforts are not enough. With U.S. law enforcement agencies continuing to press for backdoors into secure systems and breakable encryption, the problem will only get worse.

People will always have to have “access to internal systems”. Trustworthy, competent people, to be sure, but people with human frailties and fallibility. Perfect privacy and security is impossible. All we can do is vigorously accept personal responsibility for individual privacy and security, and resist anyone’s claim of greater need or superior authority.

Privacy is now a Made in California product

by Steve Blum

California’s data privacy law took effect yesterday, although formal regulations and active enforcement by the attorney general’s office don’t kick in until July. Even so, the AG plans to respond to complaints and monitor compliance with the bits of the law that do have teeth now. Until – unless – congress does something, the California Consumer Privacy Act (CCPA) is the national standard.

If you want confirmation, just look in your email inbox. If it’s anything like mine, it’s full of CCPA notifications. A similar flood of messages happened when the European Union’s data privacy regulations took effect last year. The notices were sent regardless of whether a customer lived in the EU or not, because it’s easier and safer to apply a single standard to everyone when it’s practical to do so. In the U.S., the path of least resistance is complying with California’s standard.

Microsoft certainly agrees…

“We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual. This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.”

Google jumped on California’s bandwagon, too. Its CCPA-compliant tools are available worldwide.

Although there seems to be general agreement in Washington, D.C. that something must be done, there isn’t consensus on what that something will be. The big question is whether or not to preempt state privacy laws and impose a single, national standard. A bipartisan draft produced by a house of representatives committee doesn’t offer an answer, because it’s still a partisan issue. Which means California might set the standard for some time to come.