 October 24, 2017  Posted by  Business, Featured News, Govt, Surveillance

This is big news. Respect to Microsoft for fighting this battle for their customers.

Reuters reports:

Microsoft Corp said it will drop a lawsuit against the U.S. government after the Department of Justice (DOJ) changed data request rules on alerting internet users about agencies accessing their information.

The new policy limits the use of secrecy orders and calls for such orders to be issued for defined periods, Microsoft Chief Legal Officer Brad Smith said in a blog post on Monday.

Read more on Reuters.

In a blog post, Microsoft’s President and Chief Legal Officer Brad Smith explains:

Today marks another important step in ensuring that people’s privacy rights are protected when they store their personal information in the cloud. In response to concerns that Microsoft raised in a lawsuit we brought against the U.S. government in April 2016, and after months advocating for the United States Department of Justice to change its practices, the Department of Justice (DOJ) today established a new policy to address these issues. This new policy limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud. It helps ensure that secrecy orders are used only when necessary and for defined periods of time. This is an important step for both privacy and free expression. It is an unequivocal win for our customers, and we’re pleased the DOJ has taken these steps to protect the constitutional rights of all Americans.

Until now, the government routinely sought and obtained orders requiring email providers to not tell our customers when the government takes their personal email or records. Sometimes these orders don’t include a fixed end date, effectively prohibiting us forever from telling our customers that the government has obtained their data.

As we said when we filed the lawsuit, we believe customers have a constitutional right to know when the government gets their email or documents, and we have a right to tell them. These are important principles established by both the Fourth and First Amendments to the U.S. Constitution.

Read more on MSFT’s blog.

 October 24, 2017  Posted by  Breaches, Healthcare, Non-U.S.

NHS employees who are tempted to look at patient records without a valid legal reason should consider the potential implications for both themselves and the health service.

The Information Commissioner’s Office (ICO) issued the warning after an NHS administrator was fined for repeatedly accessing a patient’s medical records without a valid legal reason.

Nicola Wren was employed by Kent and Medway NHS and Social Care Partnership trust when she breached data protection laws aimed at protecting patient privacy.

Medway Magistrates’ Court was told she had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day. Although the patient was known to the defendant, she had no valid lawful reason to access the records and did so without her employer’s consent.

Wren, 42, of Rainham, Kent, pleaded guilty to unlawfully accessing personal data in breach of s55 of the Data Protection Act 1998 and was fined £300. She was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £30.

Read more on the ICO’s site.

 October 23, 2017  Posted by  Breaches, Non-U.S.

Ankush Johar writes, in part:

The government claimed that Aadhaar is completely secure, and the data of the consumers was absolutely safe from any malicious party until a severe flaw was detected in the system. The bug allowed a malicious operator to save a user’s biometrics and simply use it to carry out transactions on the victim’s behalf via replaying the saved biometrics.

In February this year, a YouTube video showed a demo of such a replay attack. Later that month, UIDAI filed a case against an employee of Suvidhaa Infoserve, saying that an Axis Bank’s gateway was used to carry out around 400 transactions via replaying Aadhaar information that was saved earlier.

Read more on Economic Times.

 October 22, 2017  Posted by  Surveillance, U.S.

Michael Balsamo reports:

The FBI hasn’t been able to retrieve data from more than half of the mobile devices it tried to access in less than a year, FBI Director Christopher Wray said Sunday, turning up the heat on a debate between technology companies and law enforcement officials trying to recover encrypted communications.

In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech at the International Association of Chiefs of Police conference in Philadelphia.

Read more on Philly Voice.