Europe is moving towards transatlantic data sharing. Public surveillance. FTC phishing enforcement. Cyber investments at the state level.
At a glance.
- The European Commission approves the transatlantic data transfer agreement.
- The murky waters of government surveillance.
- FTC steps up enforcement of phishing attacks.
- Wyoming governor invests in cybersecurity.
The European Commission approves the transatlantic data transfer agreement.
The Wall Street Journal reports that the European Commission on Tuesday published a draft approval of the EU-US data protection framework, which would allow personal information about Europeans to be legally stored in the US. The move, which invalidates an earlier agreement made by an EU court in 2020, would reduce the threat of regulatory action against the myriad companies that routinely transfer such data abroad, particularly businesses that use US-based data centers to sell digital advertising, manage their website traffic, or handle business payments in Europe. As part of the new agreement, US President Joe Biden issued an executive order earlier this year giving Europeans new rights to challenge US government surveillance. In addition, EU citizens will have the opportunity to speak to an arbitration panel about any issues they encounter regarding the handling of their data. The next step will be for the European Commission to consult with a board of EU privacy regulators and member states, as well as with the European Parliament, and some privacy experts have predicted that the deal will not make it past the EU courts.
The murky waters of government surveillance.
As Foreign Affairs discusses, the recent rise in the use of advanced, largely unregulated commercial spyware has transformed the world of surveillance. Not only have autocratic regimes been caught using surveillance software to keep tabs on citizens and silence dissent, but even the intelligence agencies of democracies such as the United States have been engaged in talks with spyware companies to adopt such software for investigative use. Many governments around the world have tried to crack down on the use of spyware, and Greek lawmakers on Friday approved legislation banning commercial spyware and revising rules for legally sanctioned wiretapping. AP News explains that the move comes in response to allegations that surveillance software was used to spy on senior government officials and journalists in Greece, resulting in the resignation of the country’s security chief. The new law states that the use, sale or distribution of spyware in Greece will result in a minimum sentence of two years (with special exceptions for legal wiretapping). The Act also creates parameters for the appointment of a Director and Deputy Directors of the National Intelligence Service (NIS). Although the law passed by a 156-142 vote, all opposition party members voted against the legislation, and some human rights activists say the laws lack sufficient oversight and planning.
The spyware debate has many questioning how much access the authorities should have when it comes to reading citizens’ communications on messaging apps such as WhatsApp. Computing reports that the Meta-owned messaging platform is pushing back against UK legislation that would essentially force the company to weaken its encryption. The Online Safety Bill gives law enforcement the authority to read encrypted conversations on WhatsApp, and WhatsApp CEO Will Cathcart says that if the measure requires the company to stop end-to-end encryption, it may have to shut down the use of WhatsApp in the country. Cathcart stated: “The bill provides for technology messaging that requires communications providers to take away end-to-end encryption – to break it. The harsh reality is that we offer a global product. It would be a very difficult decision for us to make a change where 100% of our users lower security.”
FTC steps up enforcement of phishing attacks.
The US Federal Trade Commission (FTC) has issued enforcement orders against two companies – the US education technology company Chegg, and the online alcohol delivery service Drizly – for security breaches that resulted in the breach of customer data. The FTC alleges that the companies misled their customers about the security of their data and that the companies’ security practices were unfair to consumers, JDSupra reports. Chegg was found to be storing sensitive student data and tutorial videos in the cloud in Amazon Web Services (AWS) S3 storage buckets. It was determined that Chegg used outdated encryption technologies and that some of the data was stored in plain text. In addition, staff security training and password hygiene were lacking, and some staff gained unnecessary access to sensitive student data. As a result, Chegg was hit by four recent cyber attacks, three of which stemmed from phishing operations. In the case of Drizly, a cybercriminal hacked into Drizly files stored on GitHub, which gave them access to credentials to access Drizly’s AWS files, which contained the personal data of 2.5 million customers. Both companies will be required to delete customer data as soon as it is no longer needed and adopt phishing-resistant multi-factor authentication for employees. Drizly must also offer an MFA option for customers.
Wyoming governor invests in cybersecurity.
The governor of the US state of Wyoming is requesting to allocate $7.2 million of the state’s supplemental budget to improve the state’s cyber protection efforts. Gordon wrote in his supplemental budget report, “Attacks on Wyoming institutions are increasing, and the risk of a successful attack is now also magnified. Fortunately, we are making progress in defending our agencies.” As the Cowboy State Daily reports, in recent years the state has suffered a series of cyber incidents, including attacks targeting Eastern Wyoming College and Campbell County Health. The Wyoming Department of Enterprise Technology Services (ETS) found that over the past year, there has been an increase in cybersecurity threats, both in sophistication and volume, and discovered critical vulnerabilities in eighty-eight agency applications. This year, ETS established Wyoming’s first state security operations center and developed a partnership with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Governor Gordon has requested $74,131 for the pay of a sworn peace officer at the Wyoming Gaming Commission to investigate online fraud, and ETS plans to develop a cybersecurity framework that will help implement a “whole of state” approach to combating online crime.