In this episode of the podcast (#206): with movement towards passage of a federal data privacy law stronger than ever, we invite two experts into the Security Ledger studio to talk about what that might mean for U.S. residents and businesses.
Data theft and misuse have been an acute problem in the United States for years. And, despite the passage of time, little progress has been made in addressing it. Just this week, for example, SITA, an IT provider for the world’s leading airlines, said that a breach had exposed data on potentially millions of travelers – just the latest in a steady drumbeat of breach and hacking revelations affecting nearly every industry.
In the E.U., the rash of massive data breaches from retail firms, data brokers and more led to the passage of GDPR – the world’s first comprehensive data privacy regime. In the years since then, other nations have followed suit.
But in the U.S., despite the passage of a hodgepodge of state data privacy laws, no comprehensive federal law exists. That means there is still no clear federal framework that covers critical issues such as data ownership, the disclosure of data breaches, private rights of action to sue negligent firms and so on.
Changes In D.C. Bring Data Privacy Into Focus
But that may be about to change. In a closely divided Washington, D.C., data privacy is the rare issue that has bipartisan support. And now, with Democrats in control of Congress and the White House, the push is on to pass pro-consumer privacy legislation into law.
A new commercial has hit the airwaves in Israel. It begins with a door swinging open to reveal a beautiful seaside patio with a couple awaiting their dinners as a voiceover says, “How much have we missed going out with friends?” Well, with the Green Pass “a door simply opens in front of you” and we can “return[ ] to life.” This commercial is advertising Israel’s version of a digital vaccine passport.
Although there are still lots of unknowns, there are many countries and industries considering vaccine passport programs like Israel’s, including Japan, the United Kingdom and the European Union, as well as airlines and some concert venues, to name a few.
Israel’s vaccine passport was released on February 21. There, vaccinated people can download an app that displays their Green Pass when they are asked to show it. The app also can display proof that someone has recently recovered from COVID-19, which also allows passage. Other proposed “passport systems” offer several ways to show you are not a threat, such as proof of a negative COVID-19 test. Israel hopes this technology will encourage more citizens to get vaccinated.
However, the Green Pass and other passport programs may also bring up some big privacy concerns. Orr Dunkelman, a computer science professor at Haifa University, says that the Green Pass displays more information than simply whether the individual has been vaccinated or has recently recovered from COVID-19. The pass also displays the date of the recovery and the date of the vaccine and uses outdated encryption technology that is potentially vulnerable to security breaches and hackers. Orr also says that because the app is not open source, no third parties can test whether these concerns are founded.
In the United States, PathCheck Foundation at MIT is working with Ideo on a low-tech solution that may address these privacy concerns before any kind of “passport” is available here. The prototype uses a paper card similar to the one that individuals are currently receiving once they are vaccinated. However, to avoid fraudulent cards, the paper card being developed by PathCheck Foundation and Ideo would use multiple forms of verification, such as QR codes for scanning (maybe at the gate of a concert or movie theater entrance) that display only an individual’s vaccination status, while other entities (such as health care providers) would be able to scan the card and receive more detailed information (e.g., the type of vaccination received, the date, the location it was administered, etc.). Additionally, PathCheck Foundation points out that privacy is important to those who are undocumented or simply don’t have trust in the government, and we don’t want to create yet another repository that is hackable (and may potentially contain entire state populations).
At this point, it isn’t clear whether the United States will be able to implement a vaccine passport quickly because we don’t have a universal identity record or federal medical records system (which Israel does). However, whichever option eventually becomes widespread across the country, it will need to use a system that will be able to maintain certain individual privacy rights while also allowing businesses and venues to reopen safely.
This week, Consumer Reports published a Model State Privacy Act. The consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.” Some additional provisions of the model law include a broad prohibition on secondary data sharing, an opt-out of first-party advertising, and a private right of action in addition to enforcement by state Attorneys General.
While the introduction of a model privacy law is an interesting development, we also continue to track state privacy laws in multiple states right now, as several states have recently introduced consumer privacy legislation. Connecticut, Massachusetts, Illinois, Minnesota, New York and Utah recently saw the introduction of new privacy legislation. As legislative sessions move forward into 2021, we expect even more states to follow suit.
Our list of pending state privacy legislation includes:
We will continue to provide updates as these bills move forward.
A serious flaw in Zoom’s Keybase secure chat application left copies of images contained in secure communications on Keybase users’ computers after they were supposedly deleted.
The flaw in the encrypted messaging application (CVE-2021-23827) does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services.
The flaw was discovered by researchers from the group Sakura Samurai as part of a bug bounty program offered by Zoom, which acquired Keybase in May, 2020. Zoom said it has fixed the flaw in the latest versions of its software for Windows, macOS and Linux.
Deleted…but not gone
According to researcher John Jackson of Sakura Samurai, the Keybase flaw manifested itself in two ways. First: Jackson discovered that images that were copied and pasted into Keybase chats were not reliably deleted from a temporary folder, /uploadtemps, associated with the client application. “In general, when you would copy and paste in a Keybase chat, the folder would appear in (the uploadtemps) folder and then immediately get deleted,” Jackson told Security Ledger in a phone interview. “But occasionally that wouldn’t happen. Clearly there was some kind of software error – a collision of sorts – where the images were not getting cleared.”
Discovering that flaw put Sakura Samurai researchers on the hunt for more and they soon struck pay dirt again. Sakura Samurai members Aubrey Cottle (@kirtaner), Robert Willis (@rej_ex) and Jackson Henry (@JacksonHHax) discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, Jackson said.
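A defender auditing an endpoint for this kind of residue can identify image content by its leading bytes rather than by file name, as in this added example (not Keybase or Sakura Samurai code). The directory layout and the `.blob` extension in the sample data are constructed assumptions; the page does not name the custom extension.

```python
import os
import tempfile

# Leading bytes ("magic numbers") of common image formats.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def sniff_image(path):
    """Return the image type indicated by the file's leading bytes, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(12)
    except OSError:
        return None  # unreadable file: skip rather than abort the audit
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return None


def find_residual_images(root):
    """Walk root and report every file whose content is an image.

    Each hit is (relative path, detected type, disguised), where disguised
    is True when the file extension does not look like an image.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the audited tree
            kind = sniff_image(full)
            if kind:
                ext = os.path.splitext(name)[1].lower()
                hits.append((os.path.relpath(full, root), kind, ext not in IMAGE_EXTS))
    return sorted(hits)


def demo():
    """Build a constructed cache tree (sample data, not real artifacts) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            ("Cache", "a1.blob"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            ("Cache", "index.txt"): b"not an image",
            ("uploadtemps", "paste.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        }
        for (folder, name), data in samples.items():
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(data)
        return find_residual_images(root)


if __name__ == "__main__":
    for rel, kind, disguised in demo():
        print(f"{rel}: {kind}{' (non-image extension)' if disguised else ''}")
```

Running `find_residual_images` against a messaging client's data directory after messages have been deleted shows whether image content is still on disk, whatever the files are named.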
In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.”
“We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates,” the spokesman said.
In most cases, the failure to remove files from cache after they were deleted would count as a “low priority” security flaw. However, in the context of an end-to-end encrypted communications application like Keybase, the failure takes on added weight, Jackson wrote.
“An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently. A user, believing that they are sending photos that can be cleared later, may not realize that sent photos are not cleared from the cache and may send photos of PII or other sensitive data to friends or colleagues.”
Messaging app flaws take on new importance
The flaw takes on even more weight given the recent flight of millions of Internet users to end-to-end encrypted messaging applications like Keybase, Signal and Telegram. Those users were responding to onerous data sharing policies, such as those recently introduced on Facebook’s WhatsApp chat. In countries with oppressive, authoritarian governments, end-to-end encrypted messaging apps are a lifeline for political dissidents and human rights advocates.
As a result of the flaw, however, adversaries who gained access to the laptop or desktop on which the Keybase application was installed could view any images contained in Keybase encrypted chats. The implications of that are clear enough. For example, recent reports say that North Korean state hackers have targeted security researchers via phishing attacks sent via Keybase, Signal and other encrypted applications.
The flaws in Keybase do not affect the Zoom application, Jackson said. Zoom acquired Keybase in May to strengthen the company’s video platform with end-to-end encryption. That acquisition followed reports about security flaws in the Zoom client, including in its in-meeting chat feature.
Jackson said that the Sakura Samurai researchers received a $1,000 bounty from Zoom for their research. He credited the company with being “very responsive” to the group’s vulnerability report.
The increased use of encrypted messaging applications has attracted the attention of security researchers, as well. Last week, for example, a researcher disclosed 13 vulnerabilities in the Telegram secure messaging application that could have allowed a remote attacker to compromise any Telegram user. Those issues were patched in Telegram updates released in September and October, 2020.
The state of Virginia might be the next state to enact a privacy law. Senate Bill No. 1392 recently passed the Senate and is likely on its way to Governor Ralph Northam’s desk. The bill adds the Consumer Data Protection Act to the Virginia Code and includes definitions of biometric data, precise geolocation data, profiling, sensitive data, and targeted advertising. The bill’s effective date is January 1, 2023.
The bill will apply to persons who conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth, and that (i) during a calendar year, control or process data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenues from the sale of personal data. The law would not apply to any state or local government agency, to financial institutions subject to the Gramm-Leach-Bliley Act, or to covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Consumer rights include the following:
- The right to know whether or not a controller is processing the consumer’s personal data and the right to access such personal data;
- The right to correct inaccuracies in the consumer’s personal data;
- The right to delete personal data provided by or obtained about the consumer;
- The right to data portability; and
- The right to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The bill is designed to feature data controllers and data processors and organizes the rights and responsibilities of each according to those roles. There is no private right-of-action in this bill, as the Attorney General is charged with enforcing violations. The Attorney General will have the exclusive authority to enforce violations in the name of the Commonwealth or on behalf of individual persons residing in the Commonwealth.
Although the conclusion is somewhat obvious, the World Economic Forum, in partnership with Marsh McLennan, SK Group and Zurich Insurance Group, recently issued its 16th edition of the Global Risks Report (the Report), which analyzes “the risks from societal fractures—manifested through persistent and emerging risks to human health, rising unemployment, widening digital divides, youth disillusionment, and geopolitical fragmentation” and determined that cyber-attacks are “key threats of the next decade.”
The Report outlines severe risks, including the COVID-19 pandemic, debt crises, climate change and a host of other predicted ailments, and cybersecurity is one of the top risks. The Report has mentioned cyber-attacks as a risk since 2012, and certainly the risk today is far more widespread than it has been in the past.
Cybersecurity failure is listed as a “top risk by likelihood” over the next decade. IT infrastructure breakdown is “among the highest impact risks of the next decade.” Weaving through the Evolving Risks Landscape Chart, cyber-attacks and data fraud or theft have jumped to the top of the list as a cluster.
In preparing for the global risks outlined in the Report, the World Economic Forum, although calling the risks outlined in the report “dire,” surmised that in contemplating the next crisis after COVID-19, “[T]he response to COVID-19 offers four governance opportunities to strengthen the overall resilience of countries, businesses and the international community: (1) formulating analytical frameworks that take a holistic and systems-based view of risk impacts; (2) investing in high-profile “risk champions” to encourage national leadership and international co-operation; (3) improving risk communications and combating misinformation; and (4) exploring new forms of public-private partnership on risk preparedness.”
Although the Report is brutally honest and transparent in its predictions, it is perhaps a snapshot of the future for business leaders to consider when planning long-term business strategies, including managing top risks by likelihood and impact to the organization. This would obviously include cybersecurity preparedness and resilience.
I was scrolling through a social media site this week, and was struck by how many requests asked people to respond to questions regarding their biographical information. For example, what was the number one album when you were a senior in high school? What was your favorite beach or park when you were growing up? Where was your first job? What month is your birthday?
These types of questions are popular on social media because they are designed to generate interaction and engagement, potentially increasing followers. While some requests for such information may be done just to engage followers in interesting dialogue, these types of questions and responses also give data miners and others the opportunity to collect, analyze, and use our data for a variety of purposes, including advertising.
When you answer these types of questions on social media, you are disclosing key personal information, which, when compiled with other public information, creates a data profile that could be useful for scammers. Responding to requests for tidbits of personal information on social media may seem harmless, but keep in mind that every piece of your data that’s on the internet also increases the ability of hackers to steal your identity.
New York Governor Andrew Cuomo recently announced his proposal for a comprehensive data security law that will “provide New Yorkers with transparency and control over their personal data and provide new privacy protections.” The proposal also would establish a Consumer Data Privacy Bill of Rights that would guarantee “the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”
According to the state of New York’s website announcing the initiative, the proposal also “expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies.”
This proposal is promising and, if passed, it would mean that New York would join California in enacting a comprehensive consumer privacy law. We will follow the proposal closely to see if this new proposal will add to New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which passed in 2017 and established cybersecurity regulations for the financial services industry.
With the passage of the Consumer Privacy Rights Act (CPRA), we are presenting several blog articles on different topics related to the new law. We previously wrote about key effective dates and the newly-added definition of sensitive information. This week, we will focus on consumer opt-out rights and data profiling.
Consumer Opt-Out Rights
The CPRA created several new rights for consumers – one of which is the right to opt out of the sale or the sharing of their personal information. In order to understand this new opt-out right, we need to review the new definition of sharing personal information in the CPRA.
The CPRA differentiates between the sale of personal information and the sharing of personal information. Sharing personal information means disclosing it to third parties for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Section 1798.140 (a)(h)(1).
What is cross-contextual behavioral advertising? Think about advertising targeted to the consumer based on their internet behavior. Contextual advertising might be an ad shown specifically to a consumer for a product related to that consumer’s internet search. If you are a California resident, the CPRA will give you the right to opt out of the sharing of your personal information in this way. How will a consumer exercise this right? The CPRA states that a consumer shall have the right, at any time, “to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.” Section 1798.120(a).
Data Profiling – What is it?
Another consumer right related to the consumer opt-out rights found in the CPRA pertains to data profiling. Profiling is defined in the CPRA as the automated processing of personal information “to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Section 1798.140 (z). One bright note is that Section 1798.185 (a)(16) states that regulations will need to be developed “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
We will be following these opt-out rights closely – both from a consumer privacy standpoint and for businesses that use such targeted advertising technologies, including automated processing of personal information – to see how the regulations will address the logic involved in the decision-making process and its impact on consumers.
Reuters reported this week that two hospitals in England are using blockchain technology to track the storage and supply of COVID-19 vaccines. According to Reuters, this is one of the first such initiatives in the world.
The report stated that the hospitals are using a distributed ledger, a type of blockchain that uses independent computers, to share, replicate, and synchronize data in electronic ledgers in real time.
The hope is that the use of these blockchain systems will assist in monitoring the status of vaccines and keep track of vaccine shipments “from factory freezer to shots in the arm.”