Privacy Roundup #0081 • April 2013
April 2013 was dominated by the fight over CISPA, a run of retail and social breaches, and fresh signs that encryption and surveillance were on a collision course.
1. Six European regulators open coordinated action against Google's privacy policy
Data protection authorities in France, Germany, Italy, the Netherlands, Spain and the United Kingdom launched simultaneous enforcement actions over Google's unified privacy policy. They argued that merging more than sixty product notices into one left users unable to tell what data was collected or why.
2. DEA document admits it cannot intercept Apple's iMessage
A leaked Drug Enforcement Administration intelligence note conceded that the agency could not read messages sent between two Apple devices, even with a court order. The disclosure showed how strong end-to-end encryption was beginning to frustrate routine law enforcement wiretaps.
3. Facebook answers privacy questions about Facebook Home
After its launch event, Facebook published a response to mounting concern that its new Android launcher would track users more aggressively. The company said Home would not collect location data differently from the normal app and would keep a list of launched apps for ninety days.
4. EPIC FOIA request reveals the government advised industry on bypassing wiretap law
Documents obtained through an EPIC Freedom of Information Act lawsuit showed that the Defense Department had advised private companies on how to circumvent federal wiretap law. The records described a programme letting the government monitor private internet networks, later widened from defence contractors to other critical infrastructure firms.
5. Syrian Electronic Army defaces NPR website and Twitter accounts
The pro-Assad Syrian Electronic Army hacked NPR's blog and five of its Twitter accounts, altering stories and posting its own slogans. The intrusion was part of a wider campaign that had already targeted the BBC, Reuters and Al Jazeera.
6. White House threatens to veto CISPA over privacy
The Obama administration issued a Statement of Administration Policy warning that the president would veto CISPA unless it was changed. Officials wanted companies to strip out personal information before sharing data and wanted to narrow the bill's broad legal immunity.
7. Malware breach at Schnucks exposes 2.4 million payment cards
The grocery chain Schnucks confirmed that point-of-sale malware had captured around 2.4 million credit and debit cards across seventy-nine stores. The card numbers and expiry dates were taken over roughly four months before the intrusion was discovered.
8. Privacy International sues UK tax authority over FinFisher exports
Privacy International filed for judicial review of HM Revenue and Customs after it refused to reveal whether it was investigating exports of the FinFisher spy tool. The surveillance software, made by Gamma, had been linked to attacks on activists in Bahrain and Ethiopia.
9. Privacy amendments to CISPA blocked from the House floor
The Rules Committee allowed only twelve of forty-two proposed CISPA amendments to reach a vote, blocking most of the privacy fixes. Among those shut out were proposals to route shared data through a civilian agency and to strip unrelated personal information.
10. FTC brings its first case against mobile phone cramming
The Federal Trade Commission filed its first action targeting unauthorised charges placed on mobile phone bills, naming Wise Media and its operators. Regulators said the scheme had taken in millions of dollars from charges that consumers never agreed to.
11. House passes CISPA despite the veto threat
The House of Representatives passed CISPA by 288 votes to 127, sending the contested cyber sharing bill towards the Senate. The EFF warned that the bill carved a gaping exception into existing privacy law while doing little to improve security.
12. Card breach suspected at Starbucks-owned Teavana
Brian Krebs reported that law enforcement and banks were tracing fraud back to the tea retailer Teavana, which Starbucks had recently acquired. Investigators believed point-of-sale malware had skimmed magnetic stripe data across more than 280 stores.
13. Twitter tests two-factor login after the AP account hijack
Twitter was reported to be trialling two-factor authentication following a wave of high-profile account takeovers. The trigger was the hijacking of the Associated Press feed, which posted a false claim of an explosion at the White House and briefly rattled the stock market.
14. CISPA stalls as the Senate declines to take it up
With the House bill in hand, Senate staff signalled they would not bring CISPA to the floor and would write their own narrower measures instead. Civil liberties groups declared the bill dead for the year, citing its breadth and lack of privacy limits.
15. LivingSocial breach hits more than 50 million accounts
The deals site LivingSocial disclosed that attackers had reached names, email addresses, dates of birth and hashed passwords for over fifty million customers. The company forced a global password reset, though it said stored payment card data had not been touched.
16. Verizon's 2013 breach report points to crime and espionage
Verizon released its annual Data Breach Investigations Report, drawing on more than 47,000 incidents and 621 confirmed breaches. It found that financially motivated crime and state-affiliated espionage drove most attacks, and that the majority of breaches went undiscovered for months.
17. Senate Judiciary Committee advances ECPA email warrant reform
The Senate Judiciary Committee approved the Leahy-Lee bill to require a warrant before police could compel disclosure of stored emails and other cloud content. The measure would scrap the outdated rule that treated messages older than 180 days as fair game without a warrant.
18. Louisiana pulls student records out of inBloom
Amid a growing backlash, Louisiana's schools chief announced the state would withdraw student data from the Gates-funded inBloom database. Parents had objected to the storage of identifiable records, including the use of Social Security numbers to label files.
19. FBI pushes a CALEA update to fine firms that cannot wiretap
Reports revealed an FBI-backed proposal to fine internet chat and email providers that failed to comply with real-time wiretap orders. The plan would extend surveillance mandates to services such as Gmail, Dropbox and Skype, with fines that doubled if left unpaid.
20. Customers sue Schnucks over the payment card breach
Within days of the disclosure, shoppers filed a class action against Schnucks over the theft of their card data. The suit argued the chain should have detected and reported the intrusion far sooner than it did.