Archive for the ‘Data Loss’ Category

NY State vs Microsoft – Part 5

July 17, 2016

(You can find the previous part 4 of this topic here)

This week there was another progression in the infamous and long-running Microsoft vs State of NY case – the one, if you remember, where the New York, USA court is demanding that Microsoft Ireland acquiesce to a subpoena issued in the USA.

Well, this week the Second Circuit Court of Appeals agreed with Microsoft USA that the USA had no jurisdiction over assets within Ireland:

§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.

A great writeup of the case can be found at Lawfareblog.

This case can still be raised to the Supreme Court, but since there are other legal methods for the USA to request the assistance of the law authorities in other countries, the door is finally closing on trying to impose domestic law on USA companies with assets in other countries.

The current global data economy and the 1986 Electronic Communications Privacy Act are woefully out of step, but this decision is the right one to support the global technology industry.

After all – if a court in the USA can compel the release of data from Ireland, surely a court in China can compel the release of data stored in the USA?

How could Apple help bypass an iPhone Pin?

February 17, 2016

This week BBC News reported that Apple would not help the FBI bypass the PIN on one of their phones.

The FBI have apparently asked Apple to create two assistive technologies:

“Firstly, it wants the company to alter Farook’s iPhone so that investigators can make unlimited attempts at the passcode without the risk of erasing the data.

Secondly, it wants Apple to help implement a way to rapidly try different passcode combinations, to save tapping in each one manually.”

Ignoring who is right or wrong in this matter – these are not uncommon requests – I’ve been asked by various governments and “three letter agencies” in the past to do exactly the same thing, which I too have politely declined.

Reading between the lines, the FBI requests would indicate an admission that the actual cryptography within the iPhone is robust and correctly implemented – and that there are no discovered back doors which would allow the FBI access to the data without Apple’s help.

So we can assume that the FBI cannot usually access data stored on iPhones. What help can Apple give?


NY State vs Microsoft customer data disclosure update 4

September 25, 2015

A quick follow-up to my blogs of May 2015 here, September 2014 here and July 2014 here, where the NY State court is trying to compel Microsoft to hand over emails from one of their servers in Ireland. The case is still ongoing, and recently went through a session with the appeals court – you can find the rough transcript online.

In it the two sides argue the legal difference between warrants and subpoenas, and whether our emails should be considered “the business records of a company”.

This far-reaching case will have ramifications for governments and service providers whichever way it goes – Microsoft argue that if it goes against them, that means Russia will be able to obtain records from US Mail.ru servers without the US government having a say, and the US government argue that if they lose, companies can simply offshore their customers' data to block US Government inspection.

Which way do you think it will go? Comment below.


Microsoft vs NY State – Stalemate, or fiasco continues?

September 8, 2014

Following on from the July report of the Southern District Court of NY's attempt to compel Microsoft US to hand over personal emails from a server controlled by Microsoft Ireland, physically in Ireland (really!), today Microsoft voluntarily offered themselves to be in contempt of court.

I.e., they know they've not done what the court asked, and they don't intend to.

Bloomberg gave a brief summary of the event – which is a follow-on from the July story.


Microsoft vs NY Court’s data request. A turning point for privacy?

July 31, 2014

An interesting case is brewing courtesy of Microsoft and the Southern District court of NY, reported by The Register this week.

Here, we have a court order from NY requesting Microsoft produce some emails from a server physically located in Ireland, and managed by a local Irish Microsoft subsidiary.

While it is long-standing and well understood that company records stored overseas must be delivered on demand, for example Microsoft's financial records across the world would have to be delivered to a court requesting such, the law is a little less clear when it comes to data not strictly owned by a company, yet managed by it.

Underground Economies – The rise of Intellectual Capital Theft.

March 28, 2011

By now I hope readers have seen the latest report from McAfee that I was involved in – “Underground Economies” – where McAfee and SAIC collaborated to investigate perceptions around intellectual capital – the “secret sauce” of companies. The report surveyed over 1,000 senior IT decision makers across the world, getting their opinion on where they thought their valuable data was, their attitude to outsourcing control of it, and questions around how it was protected and the risk of it being “misplaced”.

You can read more from the actual report, or see my corporate blog. There’s been a lot of press on this report, such as

http://news.cnet.com/8301-1009_3-20047876-83.html

http://www.digitalninjastl.com/blog/2011/03/28/intellectual-property-theft-fuels-underground-cyber-economy/

http://www.bbc.co.uk/news/technology-12864666

Two London, UK councils fined $100,000+ each for lost laptops..

February 9, 2011

Reported by Julien Weston of WIREDvc today, two London councils, Ealing Council and Hounslow Council, were fined over $100,000 each for failure to properly protect personal information of a total of 1,700 individuals stored on stolen laptops.

Even though the laptops were password protected, the Information Commissioner of the UK declared the protection insufficient, as no encryption was in place.

This was despite both councils having policies which mandated encryption on such devices.

You can read more on the WIREDvc site.

Two charged with data theft from June ’10s AT&T hack…

January 19, 2011

Reported today by infosecurity-us and others, the two men (Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, California) who had fleeting fame after publishing insecurities in the AT&T iPad website in June 2010 have been arrested and charged with one count of conspiracy to access a computer without authorization, and one count of fraud in connection with personal information.  Each count carries a maximum penalty of five years in prison and a fine of $250,000.

You can find the formal press release on the Justice.gov site.

The original hack involved farming the subscriber details off AT&T's site by presenting it with random ID codes. Unfortunately, while demonstrating a weakness in a site is often not prosecuted, the pair went on to retrieve 120,000 subscriber details and then passed them on to Gawker, who published a redacted list amongst much fanfare. This distribution of personal data will probably get them into a lot of hot water.

Excellent Blog on Security and Privacy Matters..

January 19, 2011

I just wanted to post a short note on the excellent Hogan Lovells blog – it's not gripping reading in the manner of Stephen King or Grisham, but if your job or interests revolve around data protection, information security and privacy, the articles posted are well worth your time to read.

http://www.hldataprotection.com/

Airmen to stop using removable media in wake of wikiLeaks incident…

December 13, 2010

Last week Noah Shachtman of Wired reported that a new cyber-control order has been issued by Maj. Gen. Richard Webber to prevent the use of removable media under threat of court-martial. The order demands that airmen:

immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET

Further on, the order adds:

Unauthorized data transfers routinely occur on classified networks using removable media and are a method the insider threat uses to exploit classified information. To mitigate the activity, all Air Force organizations must immediately suspend all SIPRNET data transfer activities on removable media

Of course, blocking the use of removable media is not new – earlier this year a total ban of USB stick use was in place following a massive worm infection introduced from a rogue USB stick: Operation Buckshot Yankee, as it was termed then.

Noah closes with the comment that any remediation technology “Won’t be ready to deploy for years” – I hope he’s going to be surprised, because the technology is ready to deploy right now.