Weekly Privacy Roundup #14
"My inbox is the enemy" - Glenn Greenwald
'Unforgivable': The privacy breach that exposed sensitive details of WA's virus fight
One of Western Australia's biggest privacy breaches, which involves the interception of thousands of State Government communications, is under investigation.
Nine News revealed on Monday evening that the most sensitive information to be hacked and posted to a public website relates to the management of the Covid-19 crisis in WA.
No-Log VPNs Exposed Users’ Logs and Personal Details for All to See
A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see. This lack of basic security measures in an essential part of a cybersecurity product is not just shocking. It also shows a total disregard for standard VPN practices that put their users at risk.
The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.
Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.
The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies.
CJEU invalidates Privacy Shield: what about the UK?
The Court of Justice of the European Union (CJEU) has just delivered its Schrems II judgment, writing a new chapter in the never-ending saga about the adequacy of US privacy standards. The case called into question the legitimacy of Facebook's transfers of personal data from the European Union to the United States, and ended up invalidating the European Commission's Privacy Shield decision (a certification mechanism which allowed US companies to adhere to EU data protection laws).
Although it concerns the US legal system, Schrems II sent a clear and wide-ranging message: the free flow of personal data can take place only insofar as third countries provide adequate protection for EU citizens' rights over their own data. Needless to say, this judgment also has important implications for the United Kingdom, which will be leaving the EU by the end of this year.
Italian Garante Fines Telecoms Provider 17 Million Euros for Direct Marketing Infringements
On July 13, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it levied a €16,729,600 fine on telecoms provider Wind Tre S.p.A. (“Wind Tre”) for several unlawful data processing activities, mostly related to direct marketing.
The Garante indicated that it had already issued a prohibitory injunction against Wind Tre for similar infringements in the past, prior to the EU General Data Protection Regulation.
Following its investigation, the Garante found that numerous complaints were filed by users against Wind Tre for unsolicited marketing communications sent to them without their consent. In several instances, complainants declared that they had not been able to withdraw their consent or object to the processing of their personal data for marketing purposes, partly because the contact details provided to them in Wind Tre’s privacy notice were not accurate. In addition, some users’ contact details were included in public phone listings despite their prior objections. The Garante also found that Wind Tre’s apps were configured in a way that required users’ consent to the processing of their data for various purposes, including direct marketing and geolocation, on each access. Such consent could only be withdrawn after a 24-hour waiting period.
Furthermore, the investigation revealed various infringements related to Wind Tre’s business partners. One business partner was fined €200,000 for having unlawfully subcontracted parts of its processing activities to call centers that were collecting data unlawfully.
1M e-learning Student Records Exposed Online From Misconfigured Cloud Storage
Data on more than 1 million e-learning users was exposed from misconfigured and unencrypted Amazon S3 buckets and other types of servers. The exposed data could be accessed by anyone online without any form of authentication.
The breach was found by researchers at Wizcase and affects 5 different e-learning companies around the globe. The data was found to be stored in 4 Amazon S3 buckets and an ElasticSearch server; due to misconfigurations, the data was publicly available.
The looming disaster of immunity passports and digital identity
'Immunity passports' are a theoretical credential - most likely digital - with which someone can prove that they have either had the virus and recovered, or have had a vaccination.
Immunity passports are being hyped as a solution to ending lockdowns around the world by actors including the proponents of digital identity; the digital identity industry; think-tanks; and the travel industry.
Yet there is currently no scientific basis for these measures, as highlighted by the WHO. The nature of what information would be held on an immunity passport is currently unknown.
The social risks of immunity passports are great: they serve as a route to discrimination and exclusion, particularly if the power to view these passports falls to people's employers or the police.
The digital identity industry - pushing their own products as immunity passport solutions - is failing to protect against these harms: they are interested in building wider digital identity systems, based on their pre-existing models, rather than developing a genuine solution to the risks of these passports.
Regulators Issue Reactions to Invalidation of EU-U.S. Privacy Shield Framework
On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) invalidated the EU-U.S. Privacy Shield Framework as part of its judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the Privacy Shield framework on the basis that the limitations on U.S. public authorities’ access to EU personal data were not sufficient for the level of protection in the U.S. to be considered equivalent to that ensured in the EU, and that the framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law.
New Report on “The Use of Biometric Data to Identify Terrorists: Best Practice or Risky Business?"
A new report by the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Prof. Fionnuala Ní Aoláin, and Dr. Krisztina Huszti-Orbán, titled "Use of Biometric Data to Identify Terrorists: Best Practice or Risky Business?".
The report explores the human rights risks involved in the deployment of biometrics in a counter-terrorism context.
PI previously highlighted concerns about the obligations imposed on UN Member States by Resolution 2396 regarding the use of biometric data in counter-terrorism, which echo the recommendations presented in this report.
A human rights approach is imperative to ensure an effective counter-terrorism strategy, and below we highlight what a human rights approach should at least involve.