Thursday, March 31, 2022

Facebook, Ireland, and GDPR inconsistencies

Early this month Meta Platforms, Facebook's parent company, was fined € 17 million by the Irish Data Protection Commission (DPC), which concluded the American business had failed to comply with GDPR requirements in 12 breach notifications between June and December of 2018 that affected 30 million Facebook users.

Meta has downplayed the severity of the violation in an emailed statement:

"This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people's information."
However, this lack of "record keeping" means Facebook is not documenting, and therefore not proving, that it is protecting people's information. That not only violates the principle of due care but also infringes GDPR Articles 5(2) and 24(1).

But, this is not important.

This is not the first time Meta has been fined for GDPR violations, nor is it the largest fine it has received; the € 60 million penalty from January 2022 and the € 225 million from September 2021 top it by such a margin that they are in a different league.

And this is not important either.

It is significant that the Irish DPC fined it; that does not happen very often. Ireland is the European headquarters of most American companies, including the 10 tech giants -- Apple, Google, Twitter, etc. -- with a European presence. Since 2018, an average of 10,000 complaints per year have been filed with the Irish DPC. According to the Irish Data Protection Commissioner Helen Dixon, of those thousands of complaints, only two received decisions in 2020, and she expected up to six decisions to be made in 2021, or 0.07% of all GDPR complaints.

Then there is the issue of the fines. Under the GDPR, they can be up to 4% of a firm's global revenue. Dixon said any fine would reflect the significant number of users affected; consider, then, that in June 2018 Facebook reported a bug had caused 14 million users to share friends-only content with strangers. In September 2018 the social media giant disclosed a major hack which could have compromised up to 50 million user accounts; it later claimed this hack resulted in a data breach in which the data of only 30 million users was stolen. Finally, in December of that year another bug compromised 5.6 million users.

And yet the Irish DPA decided € 17 million was enough to reflect the significant number of users affected.

Max Schrems, who has stated that

The [Irish] DPC simply interprets the word "handle" to mean that the DPC can also simply dispose of complaints on the fundamental right to privacy. She openly argued “In fact, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint.”
has also accused the Irish DPC of advising Facebook on how to bypass the GDPR by redefining its agreement with the user as a "contract," which would make the GDPR "consent" requirement no longer applicable.

But this, too, is not important.

What is important anyway?

This shows a clear inconsistency between how Ireland and the rest of the EU handle GDPR complaints. The Irish DPA is the lead supervisory authority for cross-border cases that fall under its jurisdiction. Given its history, it will probably not side with the Austrian and French Data Protection Authorities regarding Google Analytics.

This regulatory discrepancy creates an incentive for companies that want to use Google Analytics, or other means of transferring data between the US and the EU that are considered to violate the GDPR, to set up shop in Dublin. While this may be good for the Irish economy,

  • How will this divergent interpretation of the GDPR articles play out, given that one of the goals of the GDPR is to regulate the processing of personal data within the entire European Union?
  • Is this even an inconsistency, or do EU members have some latitude to interpret GDPR articles based on local laws? Remember that when the French Data Protection Authority decided that Google Analytics was not GDPR compliant, the Austrian one had already reached the same decision. That seems to imply there is some jurisdictional independence across the EU, and perhaps the Google Analytics ruling will only apply to the entire EU/EEA if enough Data Protection Authorities decide to support it.
  • Will other European countries invoke Article 65(1)(a) and request that the European Court of Justice, or the European Data Protection Board, intervene and enforce some kind of legal consistency for all member countries?
Only time will tell.

Saturday, March 12, 2022

Phishing Is Too Easy - 2

A long while ago I posted here about how easy it was to phish. Yes, it was that long ago; where has the time gone?

Anyway, some phishers seem to have decided that embedding malicious code as payloads into either the email itself (thanks to HTML-aware email clients) or into attached documents -- Microsoft Word/Excel/PowerPoint documents, PDF files, or even some image formats -- was a bit too time consuming. Or, it was being picked up by the usual mail scanners and deleted. So, what can they do? Well, enlist the help of the user! OK, you may argue that all phishing campaigns rely on social engineering, and you would be correct. But how can that be crafted to evade scanners once the users are conned? Let me answer that by presenting this gem of a phishing email, which I added to my collection a few days ago:

Phishing email which does not carry its payload as an attachment, but contains a phone number to contact the attacker and get instructions on how to download and install the malware.

At first glance, this email seems ineffective, as it starts rather carelessly:

  1. The return address is a typical quasi-randomly generated Gmail one; they could not be bothered to make it sound like it came from a billing department, as it claims to.
  2. Also notice they do not even name the company they are hailing from; they just say something about a Billing Department.
  3. This email from some billing department at an unknown company is about the purchase of McAFEE Total 360.

What seems to be carelessness is actually genius. You see, most people who read this email will not pay attention to the return email address or the lack of a business name. All they will focus on is the 3rd item listed above: they have just received what looks like a bill for software they can't remember ordering. What to do?

There is a phone number prominently placed at the bottom of the email. That is the clever move. I expect the next moves to play out as follows:

  • The customer's (the mark's) mind will focus, as mentioned above, on the fact that they are seeing an unexpected $300 bill. Why did they receive it? Was it an accident? Did someone with a similar name order it? This is the fear component of the phishing email.
  • It says the charge mode is "Auto Debit!" I too have no idea what "Auto-Debit" means. Maybe they meant auto renewal using a debit card. But the point is that these words create a sense of urgency, which is another component of a good phishing email.
  • So, they call the phone number to find out what is going on. The person on the other end, who is an Eastern European man called Peggy (bonus points if you know which old ad I am alluding to), will maybe ask for the mark's personal information (before you get excited, GDPR does not apply to criminals since by definition they do not follow the law) and credit/debit card information to "confirm" (read: store and sell) whether that was the card used. However, it would make more sense if he...
  • Peggy will probably ask the mark to go to a website and then download and install something on the mark's computer (ideally a work one) to check if the McAFEE program is installed and then uninstall it. As expected, that is a trojan horse to help deploy the real payload. The good thing about being on the phone is that Peggy can help the mark work around the malware protection software in place so the trojan can be successfully installed.
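The traits listed above (a "Billing Department" sending from a throwaway webmail address, a charge amount, an urgency phrase, and a phone number in place of any link or attachment) are exactly what a mail filter can score on, even though there is no payload to scan. The following detector is an added example, not code from the original post; the sample email, sender address, amount and phone number are constructed placeholders modelled on the description above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the email described in the post; the sender
# address, amount and phone number are placeholders, not values from the post.
SAMPLE_EMAIL = """\
From: Billing Department <qx7hd92lk@gmail.com>
To: victim@example.com
Subject: Your Order Invoice
Content-Type: text/plain

Dear Customer,
Thank you for purchasing McAFEE Total 360. Your order has been renewed.
Amount: $300.00   Charge mode: Auto Debit!
For any query or cancellation call our helpline: +1 (555) 010-0199
"""

FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")          # loose phone-number shape
MONEY_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")   # currency amount
URGENCY = ("auto debit", "auto-debit", "renewed", "cancellation", "within 24 hours")

def callback_phish_score(raw):
    """Score a raw RFC 822 message for callback-phishing traits.

    Returns (score, reasons); each matched heuristic adds one point."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    low = text.lower()
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if "billing" in name.lower() and domain in FREEMAIL:
        reasons.append("claims to be a billing department but sends from free webmail")
    if MONEY_RE.search(text):
        reasons.append("mentions a charge amount")
    # The hallmark of this campaign: a number to call, and nothing to click or open.
    if PHONE_RE.search(body) and not re.search(r"https?://", body):
        reasons.append("offers a phone number with no link or attachment (callback lure)")
    if any(word in low for word in URGENCY):
        reasons.append("uses urgency wording")
    return len(reasons), reasons

if __name__ == "__main__":
    score, why = callback_phish_score(SAMPLE_EMAIL)
    print(score, *why, sep="\n  ")
```

A score of 3 or more on a message with no URL and no attachment is a reasonable trigger for quarantine or a user-facing banner, since the usual payload scanners have nothing to inspect here.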

Recommendation

If you receive such an email, take a break before acting on it. Then, if you received it at work, reach out to your IT security people and ask for help. Relying on software to magically find and delete such emails does not work all the time. You, the user, are the most important line of defense.