The Effects of GDPR’s 72-Hour Notification Rule

The Law of Unintended Consequences hits yet again.

The Effects of GDPR’s 72-Hour Notification Rule:

The EU’s GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem:

Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete.

1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing.

Last week’s Facebook hack is his example.

The Twitter conversation continues as various people try to figure out if the European law allows a delay in order to work with law enforcement to catch the hackers, or if a company can report the breach privately with some assurance that it won’t accidentally leak to the public.

The other interesting impact is the foreclosing of any possible coordination with law enforcement. I once ran response for a breach of a financial institution, which wasn’t disclosed for months as the company was working with the USSS to lure the attackers into a trap. It worked.

[…]

The assumption that anything you share with an EU DPA stays confidential in the current media environment has been disproven by my personal experience.

This is a perennial problem: we can get information quickly, or we can get accurate information. It’s hard to get both at the same time.


(Via Schneier on Security)

It’s hard to do incident response well. With the disclosure rules as they are, once the information gets out (and it will) the resources needed to clean things up and properly determine what happened become busy trying to provide customer service as well. Tools like the various IR orchestration platforms (my employer makes one) can certainly help; unfortunately it does come down to a human resource problem.

I get the law enforcement angle referenced above and why it might be in the greater public interest to pursue such a path. Attribution, which is very hard to do well, is fundamental to any kind of trap for the bad guys. Attribution takes time.

It will be interesting to see how this shakes out with this and the next handful of cases.


ICYMI: Facebook Is Allowing Ad Targeting Based on Contact Information You Have No Control Over

Facebook Is Allowing Ad Targeting Based on Contact Information You Have No Control Over:

Even for Facebook’s low standards, this is exceptionally unethical: you haven’t given them permission to use this information; someone you know or someone you purchased products from has done that for you, probably with consent buried in an opaque privacy policy. There’s no way to opt out. And there are few-to-no regulations governing this.

(Via Pixel Envy)

This is a disaster from the security perspective. Users should be able to enable 2FA to protect themselves with the expectation that this data is restricted to that use alone.


Privacy Shield on Shaky Ground: What’s Up with EU-U.S. Data Privacy Regulations

Privacy Shield on Shaky Ground: What’s Up with EU-U.S. Data Privacy Regulations:

There’s a lot going on in the privacy and data protection world. But one of the most pressing issues is the uncertain fate of Privacy Shield, the framework governing the flow of data between the EU and the U.S. for commercial purposes.

The Trump Administration has been given an ultimatum: comply with Privacy Shield, or risk a complete suspension of the EU-U.S. data sharing agreement. In a letter dated July 26, EU commissioner for justice Věra Jourová wagered to U.S. commerce secretary Wilbur Ross that suspension of the EU-U.S. Privacy Shield system would incentivize the U.S. to comply fully with the terms of the agreement. But Jourová’s urging that Ross “be smart and act” in appointing senior personnel to oversee the data sharing deal is hardly new. The July letter closely echoes a European Parliament (EP) resolution passed just three weeks earlier, and the European Commission (EC) voiced similar sentiments in its review of the Privacy Shield Framework last September. Further adding to the chorus of voices raising concerns about Privacy Shield compliance are tech and business groups, which jointly called for the nomination of a Privacy Shield ombudsperson in an Aug. 20 letter.

In addition to admonishing the EC’s failure to hold the U.S. accountable thus far, the EP resolution calls for a suspension of Privacy Shield if the U.S. has not fully complied by Sept. 1—though no such suspension has yet been announced. It also expresses serious concerns regarding the U.S.’s recent adoption of the Clarifying Lawful Overseas Use of Data (Cloud) Act and the legislation’s potential conflict with EU data protection laws. With the General Data Protection Regulation (GDPR)—the EU’s new regulatory regime for the protection of individual data—having come into effect on May 25, 2018, the EP considers the EC in contravention of GDPR Article 45(5). This article requires the EC to repeal, amend, or suspend an adequacy decision to the extent necessary once a third country no longer ensures an adequate level of data protection— until the U.S. authorities comply with its terms.

So what led to this ultimatum, and what’s next on the global data protection stage?

(Via Lawfare – Hard National Security Choices)

The article gives a level set on Privacy Shield and then dives into specific areas. I highly recommend giving this a good read.


Facebook Lenses

Facebook Lenses:

Back when Stratechery started I wrote in the very first post that one of the topics I looked forward to exploring was “Why Wall Street is not completely insane”; I was thinking at the time about Apple, a company that, especially at that time, was regularly posting eye-popping revenue and profit numbers that did not necessarily lead to corresponding increases in the stock price, much to the consternation of Apple shareholders. The underlying point should be an obvious one: a stock price is about future earnings, not already realized ones; that the iPhone maker had just had a great quarter was an important signal about the future, but not a determinant factor, and that those pointing to the past to complain about a price predicated on the future were missing the point.

Of course that is exactly what I did in that tweet.

(Via Stratechery by Ben Thompson)

Ben has a long write-up on the Facebook financial news and how one can look at the data:

To be clear, I agreed with the Apple-investor sentiment all along: several of my early articles — Apple the Black Swan, Two Bears, and especially What Clayton Christensen Got Wrong — were about making the case that Apple’s business was far more sustainable with much deeper moats than most people realized, and it was that sustainability and defensibility that mattered more than any one quarter’s results.

The question is if a similar case can be made for Facebook: certainly my tweet taken literally was naive for the exact reasons those Apple investor complaints missed the point five years ago; what about the sentiment, though? Just how good of a business is Facebook?

As with many such things, it all depends on what lens you use to examine the question.

He looks at Facebook using several different “lenses”: finances, products, ad infrastructure, multiplying moats, and reason for being (Facebook’s raison d’être). While I follow his various lines of thinking, I think Ben spends a little too much effort linking back to things he has already said and not enough expanding upon those thoughts. This is most apparent in his moats lens, which needs fleshing out (it feels half-baked).

As it stands it’s a useful exercise in understanding a company’s financial and business drivers. Obviously, any discussion of Facebook will include security and privacy (and GDPR and …). Too often professionals in our industry fail to consider these things fully, which leads us to the cyber security startup VC and blockchain bubbles we’re in.


John Oliver Calls Facebook ‘History’s Most Profitable Data-Harvesting Machine’

John Oliver Calls Facebook ‘History’s Most Profitable Data-Harvesting Machine’:

“We came here for your data and the data of everyone you’ve ever come into contact with,” the ad’s narrator says. “Your data allowed us to make a fuckton of ad money … but here’s the thing. Nothing’s going to change. We’ve got your data, we’ve got your friends. And really, where are you going to go?”

(Via Motherboard)


Accessing Facebook …

Quick summary of how I use Facebook:

  1. Launch a VPN
  2. Use a private browser (with ad blocking) to navigate
  3. I do my Facebook stuff
  4. I log out of Facebook and then out of said private browser after clearing my browsing history
  5. I disconnect from the VPN

The moral of the story is that I use Facebook so long as it offers me value. However, I do not use it trivially. If and when I log in, it is with purpose and my session lasts exactly as long as I want.

I set myself up for success:

  • I have no app connections or integrations (with my personal website posts going away soon)
  • I don’t use Facebook for authentication anywhere
  • I do not have any of the mobile apps installed (other than Instagram, and only for the moment)
  • I set up two-factor authentication for Facebook login using an Authenticator app (not SMS or email)

What I thoughtlessly shared on Facebook is out there. Time and experience will tell the usefulness of that information and the impact of my data hygiene regimens.

What are you doing to reduce your social media surface and/or take ownership of your data?


↝ Blogging is most certainly not dead

I can’t agree more:

Social media is as compelling as ever, but people are increasingly souring on the surveillance state Skinner boxes like Facebook and Twitter. Decentralized media like blogs and newsletters are looking better and better these days…

From kottke.org.

The article has some great sites to add to the RSS reader as well.

I’m buying into the push away from the behemoths, but they still play a role in getting the word out around content.

I like my site. I write it for me, oftentimes as a bit of my exocortex. But if others enjoy it or find value in it, so much the better. I like the quote Jason has in his piece from someone named Kari:

I also keep it out of spite, because I refuse to let social media take everything. Those shapeless, formless platforms haven’t earned it and don’t deserve it. I’ve blogged about this many times, but I still believe it: When I log into Facebook, I see Facebook. When I visit your blog, I see you.

She wrote it far better than I.


You know who does creepier stuff with your data than Cambridge Analytica? Your ISP

From BoingBoing.net:

So please #DeleteFacebook, but then remember that your ISP is the original creeper, and your Congressjerk is probably in their pocket, and make that a midterm election issue. We can’t win all the really important fights — climate, racial justice, sexual and gender justice, inequality — without an internet to organize with, so we must take the net back to secure those other victories.

Setting aside the name calling, this is definitely true in the US. I’m not sure about other countries.

The Cambridge Analytica-Facebook Debacle: A Legal Primer

Another strong, largely hyperbole-free summary from Lawfare, including possible legal ramifications.

The Cambridge Analytica-Facebook Debacle: A Legal Primer:

What Happened?

On March 17, the New York Times that Cambridge Analytica, the British data analysis firm with ties to Robert Mercer and Stephen K. Bannon and that was hired by the Trump campaign, “harvested private information from the Facebook profiles of more than 50 million users without their permission.” This set off a firestorm in the U.S. and the U.K. as regulators announced they would get to the bottom of what went wrong. Sen. Ron Wyden asked Facebook a . Massachusetts Attorney General Maura Healey into the matter, followed by the . And the U.K.’s information commissioner, Elizabeth Denham, said she would . This in turn —down nearly 7 percent by the market’s close on Monday, March 19 and down nearly another two points on Tuesday, March 20. On Monday night, the New York Times revealed that Facebook’s chief security officer, Alex Stamos, is after much internal disagreement with the way the firm handled concerns about misinformation in the 2016 elections.

(Via Lawfare – Hard National Security Choices)

Enjoy!


Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com

October has always been John Flynn’s favorite time of year, but this year, it’s even better. He gets to spend the month trying to hack into a fleet of Facebook computers equipped with a new kind of security tool — a tool that takes computer security beyond the password.

Since jumping to Facebook from his job at Google a few years ago, Flynn has been part of the Facebook security team that masquerades as bad guys during the month of October, doing their best to bust into the corporate network that underpins the social networking giant. They call it “Hacktober,” and the idea is to find the holes where the real bad guys might attack the company. Last year, Flynn and other Facebook security engineers created a fake news story designed to spread a computer worm around the network.

Flynn — who goes by the nickname “Four” — won’t say what’s in store for Facebook’s employees this October, but one thing seems certain: Hacking them is going to be that much more of a challenge. Over the past year, the company has equipped many employee systems with Yubikeys, little pieces of hardware that let employees securely log into machines with the tap of a finger. This nifty tool can make it that much harder for hackers to bust into a corporate network and do whatever they want — even if the hacker manages to take command of an authorized network machine.

via Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com.