Entries Tagged "privacy"

Page 35 of 145

Security and Privacy Guidelines for the Internet of Things

Lately, I have been collecting IoT security and privacy guidelines. Here’s everything I’ve found:

  1. Internet of Things (IoT) Broadband Internet Technical Advisory Group, Broadband Internet Technical Advisory Group, Nov 2016.
  2. IoT Security Guidance,” Open Web Application Security Project (OWASP), May 2016.
  3. Strategic Principles for Securing the Internet of Things (IoT),” US Department of Homeland Security, Nov 2016.
  4. Security,” OneM2M Technical Specification, Aug 2016.
  5. Security Solutions,” OneM2M Technical Specification, Aug 2016.
  6. IoT Security Guidelines Overview Document,” GSM Alliance, Feb 2016.
  7. IoT Security Guidelines For Service Ecosystems,” GSM Alliance, Feb 2016.
  8. IoT Security Guidelines for Endpoint Ecosystems,” GSM Alliance, Feb 2016.
  9. IoT Security Guidelines for Network Operators,” GSM Alliance, Feb 2016.
  10. Establishing Principles for Internet of Things Security,” IoT Security Foundation, undated.
  11. IoT Design Manifesto,” www.iotmanifesto.com, May 2015.
  12. NYC Guidelines for the Internet of Things,” City of New York, undated.
  13. IoT Security Compliance Framework,” IoT Security Foundation, 2016.
  14. Principles, Practices and a Prescription for Responsible IoT and Embedded Systems Development,” IoTIAP, Nov 2016.
  15. IoT Trust Framework,” Online Trust Alliance, Jan 2017.
  16. Five Star Automotive Cyber Safety Framework,” I am the Cavalry, Feb 2015.
  17. Hippocratic Oath for Connected Medical Devices,” I am the Cavalry, Jan 2016.
  18. Industrial Internet of Things Volume G4: Security Framework,” Industrial Internet Consortium, 2016.
  19. Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products,” Cloud Security Alliance, 2016.

Other, related, items:

  1. We All Live in the Computer Now,” The Netgain Partnership, Oct 2016.
  2. Comments of EPIC to the FTC on the Privacy and Security Implications of the Internet of Things,” Electronic Privacy Information Center, Jun 2013.
  3. Internet of Things Software Update Workshop (IoTSU),” Internet Architecture Board, Jun 2016.
  4. Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching,” National Telecommunications & Information Administration, Jan 2017.

They all largely say the same things: avoid known vulnerabilities, don’t have insecure defaults, make your systems patchable, and so on.

My guess is that everyone knows that IoT regulation is coming, and is either trying to impose self-regulation to forestall government action or establish principles to influence government action. It’ll be interesting to see how the next few years unfold.

If there are any IoT security or privacy guideline documents that I’m missing, please tell me in the comments.

EDITED TO ADD: Documents added to the list, above.

Posted on February 9, 2017 at 7:14 AMView Comments

New Rules on Data Privacy for Non-US Citizens

Last week, President Trump signed an executive order affecting the privacy rights of non-US citizens with respect to data residing in the US.

Here’s the relevant text:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

At issue is the EU-US Privacy Shield, which is the voluntary agreement among the US government, US companies, and the EU that makes it possible for US companies to store Europeans’ data without having to follow all EU privacy requirements.

Interpretations of what this means are all over the place: from extremely serious, to more measured, to don’t worry and we still have PPD-28.

This is clearly still in flux. And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.

Posted on January 30, 2017 at 6:04 AMView Comments

New White House Privacy Report

Two days ago, the White House released a report on privacy: “Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation.” The report summarizes things the administration has done, and lists future challenges:

Areas for Further Attention

  1. Technology will pose new consumer privacy and security challenges.
  2. Emerging technology may simultaneously create new challenges and opportunities for law enforcement and national security.
  3. The digital economy is making privacy a global value.
  4. Consumers’ voices are being heard—and must continue to be heard—in the regulatory process.
  5. The Federal Government benefits from hiring more privacy professionals.
  6. Transparency is vital for earning and retaining public trust.
  7. Privacy is a bipartisan issue.

I especially like the framing of privacy as a right. From President Obama’s introduction:

Privacy is more than just, as Justice Brandeis famously proclaimed, the “right to be let alone.” It is the right to have our most personal information be kept safe by others we trust. It is the right to communicate freely and to do so without fear. It is the right to associate freely with others, regardless of the medium. In an age where so many of our thoughts, words, and movements are digitally recorded, privacy cannot simply be an abstract concept in our lives; privacy must be an embedded value.

The conclusion:

For the past 240 years, the core of our democracy—the values that have helped propel the United States of America—have remained largely the same. We are still a people founded on the beliefs of equality and economic prosperity for all. The fierce independence that encouraged us to break from an oppressive king is the same independence found in young women and men across the country who strive to make their own path in this world and create a life unique unto to themselves. So long as that independence is encouraged, so long as it is fostered by the ability to transcend past data points and by the ability to speak and create free from intrusion, the United States will continue to lead the world. Privacy is necessary to our economy, free expression, and the digital free flow of data because it is fundamental to ourselves.

Privacy, as a right that has been enjoyed by past generations, must be protected in our digital ecosystem so that future generations are given the same freedoms to engage, explore, and create the future we all seek.

I know; rhetoric is easy, policy is hard. But we can’t change policy without a changed rhetoric.

EDITED TO ADD: The document was originally on the whitehouse.gov website, but was deleted in the Trump transition. It’s now available at the Obama archives site.

Posted on January 20, 2017 at 9:51 AMView Comments

NSA Given More Ability to Share Raw Intelligence Data

President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the US’s other 16 intelligence agencies.

The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches.

The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.

Here are the new procedures.

This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.

From a privacy perspective, this feels like a really bad idea to me.

Posted on January 12, 2017 at 12:07 PMView Comments

Law Enforcement Access to IoT Data

In the first of what will undoubtedly be a large number of battles between companies that make IoT devices and the police, Amazon is refusing to comply with a warrant demanding data on what its Echo device heard at a crime scene.

The particulars of the case are weird. Amazon’s Echo does not constantly record; it only listens for its name. So it’s unclear that there is any evidence to be turned over. But this general issue isn’t going away. We are all under ubiquitous surveillance, but it is surveillance by the companies that control the Internet-connected devices in our lives. The rules by which police and intelligence agencies get access to that data will come under increasing pressure for change.

Related: A newscaster discussed Amazon’s Echo on the news, causing devices in the same room as tuned-in televisions to order unwanted products. This year, the same technology is coming to LG appliances such as refrigerators.

Posted on January 11, 2017 at 6:22 AMView Comments

My Priorities for the Next Four Years

Like many, I was surprised and shocked by the election of Donald Trump as president. I believe his ideas, temperament, and inexperience represent a grave threat to our country and world. Suddenly, all the things I had planned to work on seemed trivial in comparison. Although Internet security and privacy are not the most important policy areas at risk, I believe he—and, more importantly, his cabinet, administration, and Congress—will have devastating effects in that area, both in the US and around the world.

The election was so close that I’ve come to see the result as a bad roll of the dice. A few minor tweaks here and there—a more enthusiastic Sanders endorsement, one fewer of Comey’s announcements, slightly less Russian involvement—and the country would be preparing for a Clinton presidency and discussing a very different social narrative. That alternative narrative would stress business as usual, and continue to obscure the deep social problems in our society. Those problems won’t go away on their own, and in this alternative future they would continue to fester under the surface, getting steadily worse. This election exposed those problems for everyone to see.

I spent the last month both coming to terms with this reality, and thinking about the future. Here is my new agenda for the next four years:

One, fight the fights. There will be more government surveillance and more corporate surveillance. I expect legislative and judicial battles along several lines: a renewed call from the FBI for backdoors into encryption, more leeway for government hacking without a warrant, no controls on corporate surveillance, and more secret government demands for that corporate data. I expect other countries to follow our lead. (The UK is already more extreme than us.) And if there’s a major terrorist attack under Trump’s watch, it’ll be open season on our liberties. We may lose a lot of these battles, but we need to lose as few as possible and as little of our existing liberties as possible.

Two, prepare for those fights. Much of the next four years will be reactive, but we can prepare somewhat. The more we can convince corporate America to delete their saved archives of surveillance data and to store only what they need for as long as they need it, the safer we’ll all be. We need to convince Internet giants like Google and Facebook to change their business models away from surveillance capitalism. It’s a hard sell, but maybe we can nibble around the edges. Similarly, we need to keep pushing the truism that privacy and security are not antagonistic, but rather are essential for each other.

Three, lay the groundwork for a better future. No matter how bad the next four years get, I don’t believe that a Trump administration will permanently end privacy, freedom, and liberty in the US. I don’t believe that it portends a radical change in our democracy. (Or if it does, we have bigger problems than a free and secure Internet.) It’s true that some of Trump’s institutional changes might take decades to undo. Even so, I am confident—optimistic even—that the US will eventually come around; and when that time comes, we need good ideas in place for people to come around to. This means proposals for non-surveillance-based Internet business models, research into effective law enforcement that preserves privacy, intelligent limits on how corporations can collect and exploit our data, and so on.

And four, continue to solve the actual problems. The serious security issues around cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections, and so on aren’t going to disappear for four years while we’re busy fighting the excesses of Trump. We need to continue to work towards a more secure digital future. And to the extent that cybersecurity for our military networks and critical infrastructure allies with cybersecurity for everyone, we’ll probably have an ally in Trump.

Those are my four areas. Under a Clinton administration, my list would have looked much the same. Trump’s election just means the threats will be much greater, and the battles a lot harder to win. It’s more than I can possibly do on my own, and I am therefore substantially increasing my annual philanthropy to support organizations like EPIC, EFF, ACLU, and Access Now in continuing their work in these areas.

My agenda is necessarily focused entirely on my particular areas of concern. The risks of a Trump presidency are far more pernicious, but this is where I have expertise and influence.

Right now, we have a defeated majority. Many are scared, and many are motivated—and few of those are applying their motivation constructively. We need to harness that fear and energy to start fixing our society now, instead of waiting four or even eight years, at which point the problems would be worse and the solutions more extreme. I am choosing to proceed as if this were cowpox, not smallpox: fighting the more benign disease today will be much easier than subjecting ourselves to its more virulent form in the future. It’s going to be hard keeping the intensity up for the next four years, but we need to get to work. Let’s use Trump’s victory as the wake-up call and opportunity that it is.

Posted on December 15, 2016 at 3:50 AM

Securing Communications in a Trump Administration

Susan Landau has an excellent essay on why it’s more important than ever to have backdoor-free encryption on our computer and communications systems.

Protecting the privacy of speech is crucial for preserving our democracy. We live at a time when tracking an individual—­a journalist, a member of the political opposition, a citizen engaged in peaceful protest­—or listening to their communications is far easier than at any time in human history. Political leaders on both sides now have a responsibility to work for securing communications and devices. This means supporting not only the laws protecting free speech and the accompanying communications, but also the technologies to do so: end-to-end encryption and secured devices; it also means soundly rejecting all proposals for front-door exceptional access. Prior to the election there were strong, sound security arguments for rejecting such proposals. The privacy arguments have now, suddenly, become critically important as well. Threatened authoritarianism means that we need technological protections for our private communications every bit as much as we need the legal ones we presently have.

Unfortunately, the trend is moving in the other direction. The UK just passed the Investigatory Powers Act, giving police and intelligence agencies incredibly broad surveillance powers with very little oversight. And Bits of Freedom just reported that “Croatia, Italy, Latvia, Poland and Hungary all want an EU law to be created to help their law enforcement authorities access encrypted information and share data with investigators in other countries.”

Posted on November 23, 2016 at 2:01 PMView Comments

1 33 34 35 36 37 145

Sidebar photo of Bruce Schneier by Joe MacInnis.