Cybersecurity Course - Privacy


Cybersecurity Course - Université Versailles St Quentin - Privacy - April 2013


  1. March - April 2013, Franck Franchin
  2. Master Droit - Franck Franchin - © 2013
     "Asking Google to educate consumers about privacy is like asking the fox to teach the chickens how to ensure the security of their coop" - Consumer Watchdog, March 2013
  3. Search - Yahoo or Google keep your data for 18 months!
     Webmail - Google goes through every word of every Gmail that's sent or received to sell targeted ads.
     Google Docs
     Street View (Wifi traffic and password scans... hum?)
     Conference Management Systems - widely used in the academic research community for document sharing (papers, reviews, patent drafts)
     FREE SERVICE DOES NOT EXIST!
  4. The Foreign Intelligence Surveillance Act of 1978 prescribes procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power.
     The Stored Communications Act of 1986 is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs).
     Patriot Act - signed by President George W. Bush on October 26, 200, renewed by President Bush on March 9, 2006.
     The Foreign Intelligence Surveillance Act Amendment Act (FISAA - 2008) allows US authorities to spy on cloud data, including Amazon Cloud Drive, Apple iCloud and Google Drive.
  5. US law allows American agencies to access all private information stored with firms within Washington's jurisdiction, without a warrant, if the information is felt to be in the US interest.
     That means any company with a presence in the US, regardless of where the data is stored or of any conflicting obligations under the laws of the place where the data is located.
     Some US-based cloud services and hosting companies might not be able to comply with the EDPD: customers whose private data had to be disclosed under FISA will not always be notified (which is not compliant with EC directives).
  6. The famous 95/46/EC Directive
     The European Data Protection Directive requires companies to inform users when they disclose personal information.
     There are clauses in the Directive that allow data to be stored outside of the EU.
     Evolution in progress since 2012, but strong lobbying against data breach notification enforcement and data aggregation processing restrictions.
  7. The U.S.-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the European Union's Directive on Data Protection.
     Participation is voluntary.
     Based on principles agreed in Directive 95/46 (October 1995).
     Five major points:
     ◦ The data owner has been informed of the data processing and transfer
     ◦ The data owner can revoke the rights he granted
     ◦ Explicit agreement
     ◦ Right of access and rectification (droit d'accès et de rectification)
     ◦ Data security (confidentiality, integrity, availability)
  8. The payment card security standards body PCI Security Standards Council (PCI SSC) has released new guidance for merchants using cloud-based systems for customer payment data.
     "Many merchants mistakenly believe that if they outsource everything to a cloud service provider, much of the responsibility goes away for being PCI compliant - unfortunately, that's simply not the case," said Bob Russo, general manager at the PCI Security Standards Council. "A merchant needs to ensure that a cloud services provider is PCI-compliant not just for its own piece, but for the entire spectrum, including what that provider is specifically doing for the merchant."
  9. TFTP (Terrorist Financing Tracking System) / SWIFT (28 June 2010)
     Europol in charge of oversight; audit conducted by Europol in Nov 2010, with a warning report issued in March 2011.
     Too generic requests are made by the US (Dept of Treasury) but acknowledged by Europol.
     So generic that it is impossible to confirm these requests are compliant with European Data Protection Directives.
  10. Nova Scotia Case - As part of a criminal prosecution in the US, the court requested that the US subsidiary disclose documents stored in the Cayman Islands.
     Valetta Case - The Australian subsidiary of this Maltese bank was summoned by an Australian court to disclose documents stored in Malta.