I was at the Privacy Foundation
(https://www.law.du.edu/privacy-foundation)
seminar yesterday and spent much of the time thinking about how I
have to revise my lectures and assignments for the classes I’m
teaching this quarter.
Granted, the speakers told us that much of the
GDPR (and the copycat laws) are still in flux. Granted, they believe
that a good faith effort will keep the regulators from jumping in
with maximum penalties, at least in the near term. However, that
will change, and probably quickly.
My problem is I have to teach my students how to
build and secure systems that will work in that not-too-distant
future.
One analogy that sprang to (my simple) mind is the
concept of “Sources and uses of funds.” I can easily explain to
my non-accountants that this requires them to total up income (sales,
interest, income from investments, etc) and then show where that
money went (purchase of raw materials, manufacturing processes,
salaries & benefits, advertising, taxes, and (if anything is
left) profit.
Now think of a “Sources and uses of data”
statement. Something I think we will need. As I see it, the GDPR
will require me to add significant metadata to each record from each
user. Recording everything I need to properly handle that record;
how it entered my systems, where it came from (not just the user’s
location, but which website, App or sensor), what applications it
passed through, every place it was stored, when it left that storage
(was it deleted or did it move elsewhere), and where (multiple
locations) it now resides.
Will I need to determine in advance who might need
to see that record? (See the hospital article below). Do I need to
append all this information to each record? What must happen as I
aggregate that information, for example in a customer dossier with
data from other sources.
If a user requires me to delete his or her data,
does that missing data taint other data? For example, if the
deletion includes a record of a sale, what do I need to do to explain
that missing information in my financial statements? How can I show
that I wasn’t just laundering money?
Yoiks!
(Related) How can your data be secure if you
don’t control access?
Anna Oberschelp de Meneses and Kristof Van Quathem
write:
On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”). The decision has not been made public. Earlier this week, the hospital publicly announced that it will contest the fine.
According to press reports, the CNPD carried out an investigation at the hospital which revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty. The CNPD reportedly concluded that the hospital did not put in place appropriate technical and organizational measures to protect patient data.
Read more on Covington & Burling Inside
Privacy.
(Related)
Apple CEO
Backs Privacy Laws, Warns Data Being 'Weaponized'
Speaking at an international conference on data
privacy, Apple CEO Tim Cook applauded European Union authorities for
bringing in a strict new data privacy law in May and said the iPhone
maker supports a U.S. federal privacy law.
Cook's speech, along with video comments from
Google and Facebook top bosses, in the European Union's home base in
Brussels, underscores how the U.S. tech giants are jostling to curry
favor in the region as regulators tighten their scrutiny.
… His
speech comes a week after Apple unveiled expanded privacy protection
measures for people in the U.S., Canada, Australia and New Zealand,
including allowing them to download all personal data held by Apple.
European users already had access to this feature after GDPR took
effect. Apple plans to expand it worldwide.
… The
28-nation EU took on global leadership of the issue when it launched
GDPR. The new rules require companies to justify the collection and
use of personal data gleaned from phones, apps and visited websites.
They must also give EU users the ability to access and delete data,
and to object to data use.
A legal tip for my Ethical hackers? (With, of
course, implications under GDPR)
Told ya.
The
midterms are already hacked. You just don’t know it yet.
… With the midterms two
weeks away, news of electoral cyberattacks has begun to appear with
growing frequency. In 2018, at least a dozen races for the House and
Senate, mostly Democrats, have been the public targets of malicious
cyber campaigns, in a variety of attacks that suggests the breadth of
the threat: Campaigns have been besieged by network penetration
attempts, spearphishing campaigns, dummy websites, email hacking, and
at least one near-miss attempt to rob a Senate campaign of untold
thousands of dollars.
“The Russians will attempt,
with cyberattacks and with information operations, to go after us
again,” said Eric Rosenbach, the former Pentagon
chief of staff and so-called cyber czar, now at the Harvard Belfer
Center, when I talked to him this summer. In fact, he added,
“They’re doing it right now.”
Why would any intelligence service ignore the low
hanging fruit?
Nobody’s
Cellphone Is Really That Secure
But most of us
aren’t the president of the United States.
Earlier this week, The New York Times
reported
that the Russians and the Chinese were eavesdropping on President
Donald Trump’s personal cellphone and using the information gleaned
to better influence his behavior. This should surprise no one.
Security experts have been
talking
about
the potential security vulnerabilities in Trump’s cellphone use
since he became president. And President Barack Obama bristled
at—but acquiesced to—the security
rules prohibiting him from using a “regular” cellphone
throughout his presidency.
Three broader questions obviously emerge from the
story. Who else is listening in on Trump’s cellphone calls?
… There are two basic places to eavesdrop on
pretty much any communications system: at the end points and during
transmission. This means that a cellphone attacker can either
compromise one of the two phones or eavesdrop on the cellular
network. Both approaches have their benefits and drawbacks.
… an attacker could intercept the radio
signals between a cellphone and a tower. Encryption ranges from very
weak to possibly
strong, depending on which flavor the system uses. Don’t think
the attacker has to put his eavesdropping antenna on the White House
lawn; the Russian Embassy is close enough.
Because we don’t have enough data to sift
through? Typically, the USPS suggests a vast improvement in service
but delivers only a half-vast result.
The US
Postal Service will email you photos of your mail before it’s
delivered
For those in the US now concerned about the
contents of their mailboxes, rest assured. There is a way to check
that whatever is delivered to you is safe and familiar. The United
States Postal Service (USPS) has a free system that will email you
images of your physical mail before it reaches you, called “Informed
Delivery.”
The system is free and offers a number of
conveniences, apart from the ability to screen incoming mail.
“Digitally preview your mail and manage your packages scheduled to
arrive soon! Informed Delivery allows you to view greyscale images of
the exterior, address side of letter-sized mailpieces and track
packages in one convenient location,” according to the USPS
website. You can also leave instructions if you won’t be home for
a delivery, reschedule deliveries, and set up notifications so that
you’re aware of what mail is coming when.
The service does have limitations. For one, it
seems that not every zip
code qualifies, though there is a handy search tool that
allows you to check if yours does before you sign up. And images of
your mail will only be sent
for letter-sized mail processed through USPS’ automated equipment,
according to the postal service.
Propaganda is easy.
Iranian
Propaganda Targeted Americans With Tom Hanks
The auto industry is shifting.
GM pushes
national electric car plan as Trump tries to roll back emissions
standards
General Motors is calling for the federal
government to start a nationwide program that would put more electric
vehicles on the roads and turbocharge innovation.
… GM's plan would be modeled on California's
Zero Emission Vehicle program. Automakers would be required to sell
a certain percentage of zero emissions vehicles, which are usually
electric powered, or pay credits to other companies that make such
vehicles.
… A program like this could make good business
sense for GM. It would give the company a competitive advantage over
most other automakers. GM has already invested heavily in creating
the Chevrolet
Bolt EV and Chevrolet Volt plug-in vehicles and committed to
launch 20 emission-free models by 2023. That could include
hydrogen fuel cell vehicles, which also qualify as zero
emissions.
Under GM's proposal, 7% of vehicles each automaker
sells in 2021 would have to qualify as "zero emissions."
I have to try this...
An Easy Way
to Create Your Own Captioned Flipped Video Lessons
Two weeks ago I published a video about how to use
the automatic
captioning feature in Google Slides. A lot of people have asked
if there is a way to download the captions that are automatically
generated when you speak while presenting your slides.
Unfortunately, there isn't a downloadable transcript of the captions.
However, you could use a screencasting tool like Screencastify
or Screencast-o-matic
to easily make a video that includes the captions. And by
doing that you would be making a video that could be used as a
flipped lesson. Here's the outline of how you can use
Google Slides and screencasting to create a captioned flipped lesson.