RSS - Isaca.org

ISACA Now: Posts


RSS feed for the Posts list.

Five Common Privacy Problems in an Era of Smart Devices


Rebecca Herold

I gave an Internet of Things (IoT) security and privacy keynote half a dozen times throughout the world last year, along with as many executive presentations. These presentations described the lack of security and privacy engineering within the devices themselves and related contributing factors. Throughout the recent holiday season, news broadcasts and publications warned about new IoT breaches, often resulting from insufficient data security controls being engineered into the devices, hacking into the data transmitted through the smart devices and misusing access to associated data in IoT devices. Several news reports throughout the past year also warned of vulnerabilities of IoT devices by nation-state hacking, along with many activities from cyber criminals.

As we mark Data Privacy Day today, it is worth taking a long, hard look at some common information security and privacy risks that exist within and related to IoT devices that have allowed privacy breaches and data security incidents to occur. Here are five common problem areas for IoT security and privacy:

1. Most smart devices do not have security or privacy controls built in to protect sensitive data transmissions. Those comparatively few that do have controls typically do not have them set to be secured by default, and as a result those using them do not set security controls, mistakenly believing that since they were advertised as having security built in that security was turned on by default. The users then unwittingly leave themselves wide open to unauthorized access.

For the hundreds of IoT device and app developers I’ve spoken with and done assessments for in the past several years, I have not found any smart device creator that had all of the following security and privacy features built into their device, and enabled by default:

  1. Strong encryption for data in storage and in transit
  2. Multi-factor authentication
  3. Activity logging
  4. Device management user interfaces

2. Device vendors and manufacturers are using and sharing your data collected through their devices and apps. Data is widely shared not only throughout the vendor business units, but also with downstream third parties, many of which the device users would be surprised to know about. A few examples include cloud sites for other smart devices, government agencies, insurance companies, law enforcement, data aggregators, data banks, social media sites and others. Once data leaves the device, the device user has basically lost all control over how that data will be used and shared.

3. Most smart devices have listening turned on by default. They have to listen to be able to “hear” the trigger words to get them to interact. Some devices, such as smart speakers, have been found not only to be listening all the time but also to be keeping recordings of everything that is said and can be heard. This is despite vendor claims that the devices listen, and that conversations in the vicinity are recorded and stored in the vendor’s clouds, only after the trigger word is spoken. We also know that vendors have large teams of people whose job is to listen to the types of conversations taking place.

4. Devices are accessible through online connections. A large number of popular IoT devices, including many that are purchased to improve physical security, actually have no authentication or encryption, and can be easily found through tools such as Shodan, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions. Many devices also have vulnerabilities that allow for unauthorized peeking by cyberstalkers.

5. Smart device builders/sellers have horrible privacy notices that are vague and usually tell you how you do not have rights to control your own data. I’ve reviewed dozens of privacy notices on smart device sites. Some are getting better now that GDPR and CCPA are in effect. However, in those instances, the site often indicates the protections only apply to California and EU residents. A couple of examples:

a. As the privacy notice reads, only California residents have the right to access their personal data if they use a Philips Hue smart lightbulb.
b. The Ecobee Smart Thermostat also gives such personal data access only to California residents.

If you are from some other US state, like Iowa, where I live, then based on how their privacy notice is written, it looks like you’re out of luck if you want to see the personal data they have about you, and if you want all the other rights they are giving to California residents. The same goes for those outside of the US. Well then, I won’t be buying any of Philips’ smart lightbulbs or Ecobee smart thermostats under their current privacy notices. But how many others will? As long as smart devices, and the providers of apps used with smart devices, are not penalized for having substandard privacy notices, they will continue this privacy-poor practice.

It is time to take action to get these risks mitigated to acceptably low levels, and also to meet the many existing and emerging legal requirements for privacy and data security controls.

Speaking of privacy practices …

As I was writing this article, I received an email from Fitbit (I’ve never subscribed to their messages, and I have never owned a Fitbit). It contained the following images:

As I looked at these stats, I wondered many things, including:

  • Can all those steps be broken down and attributed to specific individuals?
  • Can all the locations for the Fitbit users’ activities be tracked for each individual?
  • Can the specific times of activities be associated with each individual?
  • Can all this information be shared, without the knowledge of the individuals, with others, such as law enforcement, insurance companies, employers, and others?

I already knew the answer to all these questions was yes. Of course.

I would love to see a research company, or maybe even a university or an association such as ISACA, track and document, within some type of directory, the smart devices that have:

  1. Independent validation that they have privacy and security design and data handling practices in place, and
  2. Privacy policies that not only are easy to understand, but also reflect the organization’s actual practices, and meet all legal compliance requirements.

Is it too much to ask smart device businesses to build security and privacy controls into their devices, and to give consumers accurate information about their privacy practices within posted privacy notices? It seems like it must currently be too much to ask because I couldn’t find examples during my admittedly brief (approximately four hours) search online of any smart device privacy notice that fit these reasonable privacy ideals.

My hope for 2020: to find at least 10 smart devices, from 10 different device building businesses, that address all the previously outlined privacy protections and practices. The time is long overdue for these billions of IoT devices with privacy and security vulnerabilities to be fixed.

Category: Privacy
Published: 1/28/2020 11:03 AM


(27/01/2020 @ 00:33)

CCPA’s Do Not Sell: It’s Here, But What Does It Mean?


Alex Bermudez

So, the California Consumer Privacy Act (CCPA) went into effect – and, the world didn’t burn. Companies have many issues to contend with, but one in particular has presented challenges to businesses that sell personal information. "Do not sell my personal information" requests (or opt-out requests), and confusion around what these really are, have many business leaders scratching their heads.

What is the CCPA Do Not Sell Requirement?
The CCPA provides several rights to California residents, including the right to opt-out of the sale of personal information. Specifically, California residents have the right to direct businesses to stop selling their personal information.

Businesses that sell personal information and do not qualify for an exemption for the opt-out right must take several different actions to comply with the CCPA.

More specific instructions are as follows:

1. A business must provide notice to consumers that it sells consumers’ personal information to third parties and that consumers have the right to opt-out of such sales.

2. The business’s website must post a “do not sell my personal information” link that takes consumers to a web page where they can exercise the right to opt-out of the sale of their personal information.

3. The business must provide this link on its homepage and any page that collects personal information, or on its application’s platform or download page.

4. Users must be able to submit opt-out requests without having to create an account.

5. The business must inform consumers of their right to opt-out and provide the “do not sell” link in its online privacy policy or any other California-specific description of rights.

6. The business must respect the consumer’s decision for at least 12 months. After this time, the business can ask the consumer to authorize the sale of personal information.

7. The business must train individuals responsible for handling customer rights inquiries and processing consumer rights requests.

Like many rules with the CCPA, this individual rule may seem easy to comprehend, but it poses a lot of challenges for businesses and consumers alike. These challenges include knowing exactly what personal information your business collects and sells, knowing what information belongs to which consumer, navigating and targeting information that lives in decentralized systems, and having a system in place to process opt-out requests.

Does My Business Need to Comply with CCPA Do Not Sell?
Not every business is impacted by the CCPA, but any business that collects and sells the personal information of California residents (including those without a physical presence in the state) needs to have a process to comply with the “do not sell my personal information” right.

If your business generates over US$25 million in revenue, collects information of more than 50,000 California residents a year, or derives 50% or more of its annual revenue from selling the personal information of California residents, then the CCPA will impact your business.

What Does “Sell” Mean?
According to the CCPA, selling is: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Because the CCPA does not clearly define “valuable consideration,” this leaves some gray area for businesses to interpret.

How Can Your Business Comply with the CCPA “Do Not Sell” Rule?
New and evolving digital marketing properties and practices pose unique compliance challenges to businesses with respect to the “do not sell” requirements. In particular, businesses need to do the following:

  • Determine exactly what personal information they are collecting about each of their consumers and whether they are sharing or selling that personal information, or a part thereof, to third parties.
  • Clearly notify consumers of their right to direct businesses to stop selling their personal information and inform them how to do so.
  • Provide ways for consumers to direct businesses to not sell their personal information, including posting a “Do Not Sell My Personal Information” link on their websites. For example, the proposed CCPA regulations issued by the California Attorney General (AG) require, at a minimum, an interactive webform for submitting requests. Other acceptable methods include, among others, an email address and a toll-free phone number.
  • Establish procedures for responding to and fulfilling opt-out requests, as well as training personnel who handle such requests. For instance, businesses may consider automating the opt-out request process.
  • Maintain records of opt-out processes and details on the fulfillment or rejection of opt-out requests to demonstrate CCPA compliance and accountability.

What If I Need to Sell Personal Information?
If you’re a publisher or a blog that relies on ad support, this section of the law applies to you. If you need to sell personal information, make sure you are perfectly clear about what information you sell and why you sell it. Being more transparent about your selling practices may lead to fewer consumers who exercise their opt-out rights.

Author’s note: For more CCPA resources from OneTrust, visit www.onetrust.com/ccpa-compliance.

Category: Privacy
Published: 1/23/2020 11:31 AM


(22/01/2020 @ 00:18)

Last updated: 29/01/2020 @ 00:56