Cookie consent tools are being used to undermine EU privacy rules

Most cookie consent pop-ups served to internet users in the European Union — ostensibly seeking permission to track people’s web activity — are likely to be flouting regional privacy laws, a new study by researchers at MIT, UCL and Aarhus University suggests.

“The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems,” the researchers argue, adding that: “Enforcement in this area is sorely lacking.”

Full article: Cookie consent tools are being used to undermine EU privacy rules, study suggests | TechCrunch

The 5 Biggest Cybersecurity Trends In 2020 Everyone Should Know About

More and more of our vital infrastructure is coming online and vulnerable to digital attacks, data breaches involving the leak of personal information are becoming more frequent and bigger, and there’s an increasing awareness of political interference and state-sanctioned cyberattacks.

Here’s what will be top of the agenda when it comes to cybersecurity over the coming year:

  1. Artificial intelligence (AI) will play an increasing role in both cyber-attack and defense
  2. Political and economic divisions between east and west lead to increased security threats
  3. Political interference increasingly common and increasingly sophisticated
  4. The cybersecurity skills gap continues to grow
  5. Vehicle hacking and data theft increases

Full article: The 5 Biggest Cybersecurity Trends In 2020 Everyone Should Know About

Exploit Fully Breaks SHA-1

Users of GnuPG, OpenSSL and Git could be in danger from an attack that’s practical for ordinary attackers to carry out.

A proof-of-concept attack has been pioneered that “fully and practically” breaks Secure Hash Algorithm 1 (SHA-1), the hash function used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering.

Source: Exploit Fully Breaks SHA-1, Lowers the Attack Bar | Threatpost

Will online privacy make a comeback in 2020?

Last year was a landmark for online privacy in many ways, with something of a consensus emerging that consumers deserve protection from the companies that sell their attention and behavior for profit.

The debate now is largely around how to regulate platforms, not whether it needs to happen. The consensus among key legislators acknowledges that privacy is not just of benefit to individuals but can be likened to public health; a level of protection afforded to each of us helps inoculate democratic societies from manipulation by vested and vicious interests.

Full article: Will online privacy make a comeback in 2020? | TechCrunch

Lawmakers push bipartisan update to children’s online privacy law

House lawmakers are introducing a bipartisan bill Thursday to update a long-standing children’s online privacy law so that parents could force companies to delete personal information collected about their kids.

The changes include allowing parents to delete personal information collected online about their kids. The legislation would also require parental consent before companies can collect personal data like names, addresses and selfies from children under 16 years old.

Source: Reps. Walberg and Rush push bipartisan update to children’s online privacy law – Axios

UK looks to replace passwords with biometric technology to reduce NHS login time

The U.K. government is investing £40 million (US$52 million) in multi-factor authentication technology to upgrade the NHS staff computer login system and reduce employee login time, which has reportedly caused great stress and dissatisfaction among staff members.

The system will focus on a partnership with IT system suppliers to replace password logins with biometric multi-factor logins such as fingerprint access, on making sure trusts comply and update processes so that staff are granted the access permissions they need, and on merging local and national systems so healthcare facilitators can access all clinical and workforce systems. The upgrade will not only save time logging into different IT systems, but will also boost infrastructure security.

Source: UK looks to replace passwords with biometric technology to reduce NHS login time | Biometric Update

Retailer fined half a million pounds for data breach of at least 14 million people

The Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.

An attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.

The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.

Source: National retailer fined half a million pounds for failing to secure information of at least 14 million people | ICO

Dutch Court Decides on Scope of GDPR Right of Access

In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch). The Court was asked to decide on the scope of the right of access under the GDPR.

The Court also pointed out that the GDPR does not grant a right to obtain a copy of documents; it only grants a right to obtain a copy of personal data. In relation to documents that do not contain much personal information, such as the e-mails in question, the court held that it suffices to describe the data they contain.

Source: Dutch Court Decides on Scope of GDPR Right of Access

State Legislatures Are Off to the Privacy Races

New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680.

The legislation is similar to the California Consumer Privacy Act (which we’ve written extensively about before, including here and here). It grants consumers access, portability, transparency, non-discrimination, deletion, and opt-out-of-sale rights (or opt-into-sale rights for minor consumers) with respect to their personal information.

New Hampshire’s is the first data privacy bill we have seen this season, but it’s worth noting that Virginia and Illinois have introduced their own bills. Additionally, several states, including Washington and New York, had proposed privacy bills in the 2019 legislative session.

Source: State Legislatures Are Off to the Privacy Races, With New Hampshire in the Lead

EU Parliament debates if California could be considered ‘adequate’

Members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs discussed in depth the European Commission’s report, issued Oct. 21, with representatives of the European Commission and European Data Protection Board.

Referring to the California Consumer Privacy Act, which took effect Jan. 1, Bruno Gencarelli, the commission’s head of International Data Flows and Protection Unit, said many of those who worked on the EU General Data Protection Regulation and Law Enforcement Directive “would not even have imagined a few years ago that there would be serious discussion in Congress about a federal privacy legislation or that California would have strong privacy rules that have just entered into application.”

Source: EU Parliament debates: Could California be considered ‘adequate’ on its own?