Environmental Risk #1: Air Pollution

The World Health Organization (WHO) recently published a report with new numbers of dead people because of air pollution each year: 7 million worldwide – most of them because of stroke and heart and lung diseases.

This is more than twice as high as previously estimated and thus air pollution is the biggest environmental health risk now. And even in Europe 600,000 deaths are linked to pollution according to the WHO study and the German SPIEGEL reports that particulate matter pollution in some German cities like Berlin or Leipzig is significant.

Of course pollution is not a direct risk to data centers or IT equipment like an earthquake or flood, but it has a significant influence when it comes to sustain one of the most important resources for IT: Skilled people. Pollution already influences decisions about whether to outsource IT to certain countries especially in South-east Asia. It becomes harder to find employees from Western countries that are willing to build up a subsidiary or manage partners in these countries if there is significant pollution in this area.

And pollution might even be a risk to IT operations in case administrators are not able to leave their homes due to high Pollution if critical maintenance has to be done on-site. So pollution definitely becomes a topic for information security considerations and a gas mask might be standard equipment in your future emergency kit.

OWASP Top 10 Privacy Risks

I started the OWASP Top 10 Privacy Risks project together with a colleague. Its goal is to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. The list will cover technological and organizational aspects like missing data encryption or the lack of transparency. The project is open source and non-profit. Feel free to contribute!

Tips against governmental surveillance

Many people currently ask what to do against governmental surveillance (NSA spying) and some managers even think that standard security measures are useless because “the NSA has access to everything anyway”. But there are other attackers besides secret services and there are also things you can do against governmental surveillance. Here is my list of the most important things to consider:

  • Use encryption. The NSA is not able to read all encrypted data with reasonable effort and if you use the algorithms and key sizes recommended by ENISA you are quite secure. Furthermore there are tools for anonymized internet browsing like Tor and JonDo.
  • Choose European IT companies instead of US IT companies. It will not only help to lower the likelihood that your data leaks to the NSA, but also to put some economic pressure on US companies. US companies themselves will demand to restrict governmental spying if they lose a significant number of customers or users.
  • Blow the whistle if you are aware of governmental back-doors in products or systems, unlawful eavesdropping or even attempted blackmailing. Media companies like the German SPIEGEL have set up guidelines for informants and sometimes whistle-blowing is the only way to point out serious deficits. But prepare to run and leave your family 😉
  • Request independent audits and product certifications that prove the absence of data leaks for governmental bodies. Choose trusted auditors.
  • Continue securing your assets because as a security consultant or manager you are mainly defending the reputation of your company. The NSA would not publish that they hacked your company. But if your customer data gets published or sold by cyber criminals, you will get huge media attention and this will damage your reputation and possibly your shareholder value. Furthermore you also have to comply with laws and regulations.

Note: There are governments from other countries besides the USA that have powerful secret services and support spying on private and company data and internet traffic without providing transparency. One self has to decide whom he or she trusts, and in how far eavesdropping is acceptable and helpful to fight terrorism.

False Risk Perception

I recently read an article about eight people having died in a medium German city last year because they walked over red traffic lights and have been hit by a car. They apparently had the feeling they had everything under control, but they underestimated the risk. The story reminded me about the daily business of information security people having to deal with risk perception of their managers and employees – luckily without casualty. But in a much more complex environment that is hard to oversee. False risk perception is typical for human beings. There are studies saying that the number of deaths of the 9/11 attacks was exceeded by the number of deaths caused by additional car accidents because people chose to drive instead of flying and driving is much more dangerous than flying.

As it seems there is also a false risk perception about terror attacks and the NSA spying. The NSA only contributed to the prevention of 4 out of 225 terror cases since 9/11 according to a study of the New America Foundation. The rest was prevented by the police etc. If there is only a small number of suicides because people are identified as terrorists by mistake because of misleading correlation results of the NSA, the spying would not only help to save lives, but even “kill” additional people. But I doubt there are public reports on the impact of such false positives.

Swedish Transparency

ScreenHunter_03 Jan. 08 19.41

I spent New Year’s Eve in Sweden and it is always interesting again to see that Swedes are much less concerned regarding privacy than people in most other European countries. Especially services like requesting the holder of a car including type, registration date and location by just sending a SMS with the license number to 72503 or getting detailed information about the salary history and financial standing of a person on ratsit.se for only a small fee would not be possible and accepted in most other European countries.

This is not surprising if you have a look at a Eurobarometer report from 2011 stating that only 33% of the Swedes are concerned about over-disclosure of personal information. The EU average is 72%. The revelations about the Swedish government spying on Russia to support the NSA and opposing to the planned reform of the European Data Protection Regulation confirm that privacy is not a big concern in Sweden.

 

Germany’s new DPC supports governmental spyware

The christian-democratic politician Andrea Voßhoff will succeed Peter Schaar as Federal Data Protection Commissioner (DPC). Her election is criticized because she did not care about data protection so far: She supported the data retention that was declared unlawful later on, and demanded the online searching of computers with spyware by governmental bodies and the Anti-Counterfeiting Trade Agreement (ACTA). Green politician Konstantin von Notz says in a guest article for German Handelsblatt that this is just another part of the government’s try to weaken fundamental rights protection of German citizen.

Since Christmas is close when hope and happiness is celebrated in many parts of the world, I still hope that her new role will change Mrs. Voßhoff’s mindset and she will become a strong supporter of the right of informational self-determination and privacy 😉

On this note, Merry Christmas and a Happy New Year!

Privacy profession likely to explode

As European Data Protection Supervisor Peter Hustinx stated at the IAPP Europe Data Protection Congress: “I would not be surprised if the privacy profession would just explode in the coming years.”

700 participants and nearly 40% more than last year at one of Europe’s biggest privacy congress that took place from 10-12 December in Brussels show that his prediction is likely to happen. You can read about the most interesting discussions and quotes on Twitter.

Hot topics at the congress were recent developments regarding the EU Data Protection Regulation, but also Privacy by Design. I moderated a session about Current and Future Privacy Trends with Facebook’s Head of Policy Erika Mann and Aurélie Pols, who stated that many people say: “Yeah, privacy by design. We do it. But that’s not the reality at most companies.” I totally agree and I consider the concept of Privacy by Design as very important, but there lacks a clear definition in the upcoming data protection regulation about what it really means in practice and which level is adequate.
Siobhan McDermott, Chief Policy Officer at AVG, made a funny but true statement in our session that “NSA is looking for a privacy pro, although I don’t think anyone is crazy enough to take that job.”

NSA supports German IT industry

The NSA spying affair lowers the trust in U.S. IT companies. Customers especially from the European and Asian market try to avoid products and services provided by U.S. technology companies including Cisco, IBM, and Microsoft. IBM reported a 22 percent revenue decline in China in October and Cisco expects a 8-10 percent drop in this quarter. A study even predicts a loss of $22 to $35 billion for the U.S. cloud industry over the next three years as a result of the NSA’s recently revealed surveillance programs.

At the same time IT companies from Europe (except UK) and above all from Germany see an increased demand for their products and services, especially from Asian countries. There is a real run for IT Security made in Germany.
An economic decrease of its IT industry will put additional pressure on the U.S. government to better constrain and control the surveillance measures of the NSA. So there is hope for privacy.