At a glance.
- New privacy law in New Zealand.
- US Federal Communications Commission chair expected to resign in January.
- Protections for white hats?
New Zealand’s new privacy law takes effect.
Reseller News says Wellington’s Privacy Act 2020 brings five main developments:
- Serious breaches must be disclosed to both victims and the Privacy Commissioner.
- Accessing another person’s information through subterfuge and erasing personal data somebody has requested are crimes.
- The Privacy Commissioner has expanded enforcement powers.
- Data can be shared internationally if the recipient is beholden to comparable rules.
- The law covers any organization conducting business in the country, regardless of its brick-and-mortar location.
The Privacy Commissioner sees the updates as needed modernizations of privacy laws and regulations.
We received comments on the law from Gurucul's CEO Saryu Nayyar, who said:
“New Zealand's new personal privacy laws went into effect on 30 November, 2020. These new laws affect any organization doing business in New Zealand, much as GDPR regulations affect business operations in the EU. From a personal privacy perspective, these laws are a win for the citizens in general, and are part of a trend towards increased personal privacy in a significant part of the world. While US privacy laws lag at the Federal level, state laws are following the trend of improving the protections afforded their citizens. While this is great news for the people, it does add challenges to organizations that need to comply with these new regulations.
“Fortunately, many of the tools we have in place to improve our information security stack, such as behavior analytics, can help organizations meet the new compliance challenges. As the trend continues, it will service businesses to get ahead of the curve and offer their customers better security and privacy. It will help improve customer confidence, and can put them ahead in the face of tightening regulations.”
US FCC Commissioner plans to resign.
Ajit Pai has publicized his intention to retire as FCC Chairman in January after nearly a decade of service at the Commission, The Verge reports. Pai’s tenure as chairman, which began in 2017, saw the T-Mobile-Sprint merger, the waning of net neutrality, the creation of a nationwide suicide prevention hotline, the innovation of anti-robocall tools, and new standards of transparency. PCMAG says critics would have liked to see tougher broadband regulations.
Pai said in a statement, “I am proud of how productive this Commission has been, from commencing five spectrum auctions and two rural broadband reverse auctions in four years, to opening 1,245 megahertz of mid-band spectrum for unlicensed use, to adopting more than 25 orders through our Modernization of Media Regulation Initiative.”
Variety claims Democrat and net neutrality advocate Jessica Rosenworcel is under consideration for the role.
White hats concerned about inadequate protections.
The Daily Swig and ComputerWeekly.com present the case that British laws and gamer rules alike are due for an update. Google Project Zero security researcher Ned Williamson was suspended from Call of Duty for reverse engineering its code in search of vulnerabilities in his spare time. Other developers run bug bounty programs, and Williamson thinks this is a best practice, arguing that researchers should be exempt from policies designed to catch cheaters.
Similarly, eighty percent of UK cybersecurity professionals worry they could be prosecuted under the 1990 Computer Misuse Act, implemented when less than one percent of the country used the Internet. The Act “inadvertently criminalize[s] common defensive techniques” (like gaining unauthorized access), disadvantaging the domestic industry, hampering security, and hindering an estimated £1.6 billion in growth.
Similar concerns are involved in a case that reached the US Supreme Court this week, Van Buren v. United States. The issue is "Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose." The Court yesterday heard arguments concerning what many, including the petitioner, Nathan Van Buren, have seen as an over-broad interpretation of the Computer Fraud and Abuse Act. The Wall Street Journal and the Washington Post report that many see the Computer Fraud and Abuse Act as having exerted a chilling effect on legitimate security research. Chloé Messdaghi, VP of Strategy at Point3 Security, is among those who see the CFAA as having been poorly drafted and interpreted overly broadly. She sent us some comments on the case that read, in part:
"The law is very vague, and it has been being used in a broad interpretation. For instance, when hackers who are trying to disclose vulnerabilities disclosures with organizations, they can get slapped with a lawsuit tied to the CFAA, when in reality, hackers don’t exploit any vulnerability or information, just inform the company of it in the hopes to help make everything more secure, versus attackers who would exploit the vulnerability that they found. It’s really all about the interpretation of the law. It needs to be addressed. It could put us all at risk for being considered a criminal because we violate some company’s Terms & Services policies. Legalese fine print that the majority of people don’t even read."