Italian regulator fines Facebook €10m for misleading users

Facebook has been fined €10m by the Italian authorities for misleading users about its data practices, including:

– Misleading users in the sign-up process about the extent to which the data they provide would be used for commercial purposes.

– Emphasising only the free nature of the service, without informing users of the “profitable ends that underlie the provision of the social network”, and so encouraging them to make a decision of a commercial nature that they would not have taken if they were in full possession of the facts.

– Forcing an “aggressive practice” on registered users by transmitting their data from Facebook to third parties, and vice versa, for commercial purposes. Facebook was specifically criticised for the default setting of the Facebook Platform services, which “prepares the transmission of user data to individual websites/apps without express consent”.

Although users can disable the platform, the regulator found that its opt-out nature did not provide a fully free choice. As an additional penalty, the authority has directed Facebook to publish an apology to users on its website and on its app.


For more information on this topic, please visit: https://www.theguardian.com/technology/2018/dec/07/italian-regulator-fines-facebook-89m-for-misleading-users

American company sued over data leak affecting nearly 4 million patients

The American company Medical Informatics Engineering (MIE) has been sued by 12 US states over a 2015 data breach in which the data of nearly 4 million patients fell into criminal hands. In May 2015, attackers gained access to the company’s back-end systems and stole the data of 3.9 million people.

The stolen data included not only names and address details, but also social security numbers, laboratory results, medical diagnoses, names of doctors and other medical data. MIE is accused of violating 27 federal laws relating to breach notification, misrepresentation and personal data protection, writes Naked Security. The company is alleged to have inadequately secured its computer systems.

No one was informed about the poorly secured systems, and the victims were notified too late. The hack was discovered on 26 May 2015; a notice was posted on the company’s website on 10 June. In July, victims were informed by e-mail, and only in December 2017 did they receive a letter by post about the incident. The complaint states that MIE failed to encrypt the sensitive data even though the company claimed to do so.


For more information please visit the original article: https://nakedsecurity.sophos.com/2018/12/07/unencrypted-medical-data-leads-to-12-state-litigation/

Australian parliament passes “anti-encryption” legislation

Facebook and other tech companies can now be forced in Australia to help make the encrypted messages of suspects readable. That is the purpose of a bill that has been adopted by the Australian Parliament.

The law applies to Facebook (WhatsApp), but also to similar messaging services such as Signal and Telegram, writes Bloomberg. Companies can not only be forced to decipher encrypted messages; they can also be required to inject code in order to intercept suspects’ data.

According to Australian Prime Minister Scott Morrison, the law is necessary because 95 percent of the people under surveillance communicate via encrypted messages. Failing to introduce such a law would leave the investigative and intelligence services ‘deaf’ and ‘blind’ in their investigations.

Several organizations, including Digital Rights Watch, the Massachusetts Institute of Technology (MIT), BSA, Human Rights Watch, Australian Laws for Human Rights (ALHR) and the Australian Human Rights Commission have strongly criticized the bill.


For more information on this topic, please visit the original article: https://www.bloomberg.com/news/articles/2018-12-06/australia-moves-toward-passing-law-targeting-whatsapp-signal

Data leak at Quora: data on 100 million users stolen

Quora states that last Friday it discovered that an unidentified malicious third party had gained unauthorized access to one of its systems and stolen data on approximately 100 million users, almost half of its entire user base.

The personal user information compromised in the breach includes:

– Account information: names, email addresses, encrypted (hashed) passwords, and data imported from linked social networks like Facebook and Twitter when authorized by users.
– Public content and actions, like questions, answers, comments, and upvotes.
– Non-public content and actions, including answer requests, downvotes and direct messages (note that only a low percentage of Quora users have sent or received such messages).

Quora said it stores passwords salted and hashed to prevent them from being cracked, but as a precaution the company has logged all affected users out of their Quora accounts and is forcing them to reset their passwords.

Dutch DPA on Wifi Tracking in relation to GDPR

Wifi tracking is subject to strict privacy rules and is therefore permitted in very few cases. This was reported by the Dutch Data Protection Authority (AP) in response to questions on the subject. Wifi tracking means following people through their mobile devices: the signal emitted by mobile phones is used to monitor groups of people. In practice, companies use this technique for example in and around shopping centres or other (semi-)public places such as stations.

According to the Dutch Data Protection Authority (AP), however, this almost always involves the processing of personal data and is therefore subject to strict rules. “Digital monitoring of people in (semi-)public places is a violation of privacy that can only be used in exceptional cases,” says AP Chairman Aleid Wolfsen. “There are virtually no legitimate reasons to follow shoppers or travellers, and there are less drastic methods to achieve the same goal without violating privacy.” Even if the data are processed and stored in anonymised form, the General Data Protection Regulation still applies, according to the AP.