At a glance.
- European Commission approves transatlantic data transfer agreement.
- The murky waters of government surveillance.
- FTC tightens enforcement on phishing attacks.
- Wyoming governor invests in cybersecurity.
European Commission approves transatlantic data transfer agreement.
The Wall Street Journal reports that on Tuesday the European Commission published a draft approval of the EU-US Data Privacy Framework, which would allow personal information about Europeans to be stored legally in the US. The move, which invalidates a previous agreement made by an EU court in 2020, would reduce the threat of regulatory action against the many companies that routinely transmit such data overseas, in particular businesses that use US-based data centers to sell digital advertising, manage their website traffic, or handle company payments in Europe. As part of the new agreement, earlier this year US President Joe Biden issued an executive order giving Europeans new rights to challenge US government surveillance. In addition, EU citizens will be given the opportunity to bring any issues they encounter regarding the handling of their data before an arbitration panel. The next step will be for the European Commission to consult with a board of EU privacy regulators and member states, as well as with the European Parliament, and some privacy experts have predicted the agreement won’t survive a challenge in the EU courts.
The murky waters of government surveillance.
As Foreign Affairs discusses, the recent rise in the use of advanced, largely unregulated commercial spyware has transformed the surveillance world. Not only have autocratic regimes been discovered using surveillance software to keep tabs on their citizens and silence dissenters, but even the intelligence agencies of democracies like the US have been engaged in talks with spyware companies about adopting such software for use in investigations. Many governments around the world have been attempting to crack down on the use of spyware, and Greek lawmakers on Friday approved legislation banning commercial spyware and revising the rules for legally sanctioned wiretaps. AP News explains that the move comes in response to allegations that surveillance software was used to spy on senior government officials and journalists in Greece, which resulted in the resignation of the country’s security chief. The new law dictates that the use, sale or distribution of spyware in Greece will carry a two-year minimum prison sentence (with special exceptions for legal wiretaps). The law also sets out the process for hiring a director and deputy directors of the National Intelligence Service (NIS). Though the law passed with a 156-142 vote, all opposition party members voted against the legislation, and some human rights activists say the law lacks adequate oversight and planning.
The spyware debate has many questioning how much access the government should have when it comes to reading citizens’ communications on messaging apps like WhatsApp. Computing reports that the Meta-owned messaging platform is pushing back on UK legislation that would essentially force the company to weaken its encryption. The Online Safety Bill would give law enforcement the authority to read encrypted conversations on WhatsApp, and WhatsApp head Will Cathcart says that if the measure requires the firm to abandon end-to-end encryption, it may have to shut down WhatsApp in the country. Cathcart stated, "The Bill provides for technology notices requiring communication providers to take away end-to-end encryption - to break it. The hard reality is we offer a global product. It would be a very hard decision for us to make a change where 100% of our users lower their security."
FTC tightens enforcement on phishing attacks.
The US Federal Trade Commission (FTC) has issued enforcement orders against two companies – American education tech company Chegg, and online alcohol delivery service Drizly – for security lapses that resulted in customer data breaches. The FTC alleges that the companies deceived their customers about the security of their data, and that the companies’ security practices were unfair to consumers, JDSupra reports. Chegg was found to be storing sensitive student data and tutoring videos in the cloud in Amazon Web Services (AWS) S3 storage buckets. It was determined that Chegg was using outdated encryption technologies, and that some of the data was being stored in plain text. In addition, employee security training and password hygiene were lacking, and some employees were given access to the sensitive student data unnecessarily. As a result, Chegg was hit with four recent cyberattacks, three of which stemmed from phishing operations. In the case of Drizly, a cybercriminal broke into Drizly files stored on GitHub, which gave them the credentials needed to access Drizly’s AWS files, containing the personal data of 2.5 million customers. Both companies will be required to delete customer data as soon as it is no longer needed and to adopt phishing-resistant multi-factor authentication (MFA) for employees. Drizly must also provide an MFA option for customers.
Wyoming governor invests in cybersecurity.
The governor of the US state of Wyoming is asking lawmakers to allocate $7.2 million of the state’s supplemental budget to improving the state’s cyber protection efforts. Governor Gordon wrote in his supplemental budget report, “Attacks on Wyoming institutions are increasing, and the risk of a successful attack is now magnified as well. Fortunately, we are making progress in defending our agencies.” As the Cowboy State Daily reports, in recent years the state has suffered a range of cyber incidents, including attacks targeting Eastern Wyoming College and Campbell County Health. The Wyoming Department of Enterprise Technology Services (ETS) found that over the past year cybersecurity threats have risen in both sophistication and volume, and it detected critical vulnerabilities in eighty-eight agency applications. This year ETS established Wyoming’s first state government Security Operations Center and developed a partnership with the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Governor Gordon has also requested $74,131 in salary for a sworn peace officer at the Wyoming Gaming Commission to investigate online fraud, and ETS plans to develop a cybersecurity framework that will help implement a “whole-of-state” approach to fighting cybercrime.