PPP Management

Thursday Thoughts - 14 October 2021


This week’s Thursday Thoughts kept growing as I read new articles that I thought just had to be shared. Video is in the news this week, with stories about facial recognition in Australia, CCTV in a care home in Italy and a “domestic car park” in the UK (in all cases the authorities found against the data controller). I also look at exactly what Netflix knows about us and what, if anything, we can do about it.

There’s a new ruling from the CJEU that the “sale of goods” can also cover computer software, and a judgement in Italy that may have implications for those who use LinkedIn messages for direct sales.

There is also a new email phishing scam which I received this week: a “Chinese registrar company” claiming that someone was trying to register our company name in China and asking us to respond and confirm that it isn’t a subsidiary (we all know where this is going). It looked very official though, so it pays to be on your toes.

I am delighted to say that “Blogs of the week” are back too!


Blogs of the Week


Neil Brown/Decoded Legal - County court decision on video and audio recording

Tash Whittaker/DPO Organiser - In-house DPO vs External DPO



7-Eleven disables facial recognition for customer feedback!


In Australia 7-Eleven have removed the facial recognition from their customer feedback tablets and deleted the images captured after an adverse privacy ruling. This is a prime example of a practice that was, on the one hand, potentially useful to the company but on the other was highly invasive and of no benefit to the customer. I am surprised it got beyond the PIA/DPIA stage. It is understandable that the company wanted to ensure the feedback was not skewed by one individual answering multiple times but to achieve this through facial recognition? I’d put that squarely in the “totally unnecessary and out of all proportion” category.


Amazon expects some staff WILL continue to work remotely


Amazon have moved away from their previous statement that most employees would need to be in the office at least three days a week when their offices reopen. Those who work in the fulfilment chain will not be affected, but many tech and corporate workers are expected to continue working remotely indefinitely (as long as they can come into the office when required). This will have a knock-on effect on the cafes and restaurants around their corporate HQ.


Deepfakes


Beware of deepfake voices as well as video. A bank manager in the UAE received a call from a man whose voice he recognised (a company director with whom he had had dealings previously). The director asked the bank to transfer approximately $35M. The bank manager then received emails from the director and his lawyer confirming what money needed to move and where to send it. So he made the transfers, only finding out later that the voice was fake and there was no such request.


Google tracking 270 government-backed hacker groups


Google's Threat Analysis Group (TAG) has announced that it is tracking more than 270 government-backed threat actors from more than 50 countries. TAG has sent out 50,000 alerts of state-sponsored phishing or malware attempts to customers since the start of 2021, a 33% increase on 2020.


LinkedIn in China to shut down


LinkedIn is shutting down its offering in China because it has become increasingly difficult to comply with what the Chinese state expects. The move comes after the site faced questions because it blocked some journalists’ profiles. The company has said it intends to launch a “jobs-only version of the site, called InJobs”, but the new site will not allow users to share or post articles in a social feed.


Netflix and tracking


We all know that Netflix tracks our viewing history and gathers a whole lot of other data about us so that it can tailor its offer to what we like. This may seem fairly benign, but according to their privacy policy your data can be shared between partners and suppliers, and this may include your TV or internet service provider, streaming media device providers, mobile phone carriers and voice assistant platforms. Content streaming is dependent on knowing “what you watched and when you watched it, where you paused, where you stopped, the devices you used to stream the content, and where you were at the time”. There is no way to turn off personalisation on Netflix, but there are some options you can enable in your account settings to increase your privacy. Opting out of test participation means you won’t see ads for other Netflix shows; changing your Communications Settings means you won’t get updates on new shows and personalised suggestions. However, you may want to opt out of promotional communications on third-party services in the Marketing section, and in the Social Settings you can check whether you have ever logged into Netflix using Facebook and remove it if you wish to.


New Phishing Scam – Chinese Registrar


This week I saw a new email scam whereby the sender poses as a Chinese registrar company and warns the “target company” that their existing domain or brand name is in danger of being registered by an unrelated third party in China. Sometimes the scammer is looking for money, but they also want to gather more specific information about the firm and its lawyers in order to carry out a targeted phishing attack. If you get an email like this, the best thing to do with it is forward it to the NCSC “report it” email address, report@phishing.gov.uk.


October Patch Tuesday


Microsoft has rolled out security patches for 71 vulnerabilities this month. Two of the flaws are rated Critical and 68 are rated Important. The vulnerability in Win32k was found to be part of a widespread espionage campaign targeting IT companies, defence contractors and diplomatic entities.

In addition to Microsoft, patches have also been released by Adobe, Android, Apple, Cisco, Citrix, Intel, Juniper Networks, the Linux distributions Oracle Linux, Red Hat and SUSE, SAP, Schneider Electric, Siemens and VMware.


Botnet taken down


Ukrainian authorities have arrested the hacker responsible for creating and managing a "powerful #botnet" that enslaved more than 100,000 devices (20% of them located in Brazil, followed by Ukraine, Indonesia, Poland and India). The enslaved devices were used to carry out spam or DDoS attacks on behalf of paying customers. The arrest came after the hacker registered the account used to receive money from these customers at his own address.


TrickBot malware has some “new tricks”


TrickBot has developed some new ways of infecting corporate networks with malware. It has evolved from a banking trojan into a Windows-based crimeware solution and is capable of hijacking email threads, using fake customer response forms and social engineering employees with a fake call centre. Attacks earlier this year were delivered in email campaigns (containing Excel documents) and through the call centre ruse "BazaCall". More recent attacks include hijacked email threads and fraudulent customer inquiry forms on organisations’ websites.

One tactic involves sending an email to a target company telling them that their website has been carrying out a DDoS attack on the sender’s servers and “urging the recipients to click on a link for additional evidence”. Of course, the link loads a ZIP archive with a malicious JavaScript downloader that follows a URL and downloads the malware.
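The chain above ends with a ZIP archive carrying a JavaScript downloader, which is the point where a mail gateway or a SOC triage script can intervene before anyone double-clicks. The following is an added example, not code from the original post: it inspects an archive’s member listing without extracting anything and flags entries that Windows would run as scripts (including double-extension names such as “evidence.pdf.js”) as well as password-protected entries that cannot be content-scanned. The extension list, the function names and the sample archive are all constructed for this example.

```python
import io
import zipfile

# Extensions that Windows hands to the script host or shell when double-clicked.
# This list is an assumption for the example; the newsletter only mentions JavaScript.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}


def inspect_zip(data: bytes) -> dict:
    """Report script-like and encrypted members of a ZIP, reading only the central directory."""
    findings = {"script_members": [], "encrypted_members": [], "member_count": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings["member_count"] += 1
            # Only the final suffix decides what Windows executes, so "invoice.pdf.js" is a script.
            basename = info.filename.rsplit("/", 1)[-1].lower()
            suffix = "." + basename.rsplit(".", 1)[-1] if "." in basename else ""
            if suffix in SCRIPT_EXTENSIONS:
                findings["script_members"].append(info.filename)
            # Bit 0 of the general-purpose flag marks a password-protected entry;
            # such members cannot be scanned for content without the password.
            if info.flag_bits & 0x1:
                findings["encrypted_members"].append(info.filename)
    return findings


def should_quarantine(findings: dict) -> bool:
    """Quarantine if any member is a script or is encrypted (unscannable)."""
    return bool(findings["script_members"]) or bool(findings["encrypted_members"])


def build_sample_archive() -> bytes:
    """Constructed sample: a harmless text file plus a double-extension .js member (inert content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("DDoS_Evidence.pdf.js", "// inert placeholder, not a real downloader")
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_zip(build_sample_archive())
    print(result, "quarantine:", should_quarantine(result))
```

The check deliberately never extracts or opens member contents, so it is safe to run on untrusted attachments at the gateway; it reads only the central directory. Python’s zipfile module cannot write encrypted entries, so the sample exercises the extension check only, but the flag-bit test works on real archives.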


Proposed Changes to UK GDPR


There is still time to comment on the proposed changes to UK GDPR. The consultation on the planned changes “Data: A new direction” is open until 11.45pm on 19th November: https://www.gov.uk/government/consultations/data-a-new-direction


Court of Justice of the European Union ruling on the supply of specific software


The Court of Justice of the European Union has issued a ruling which could have significant impacts for certain commercial agents who deal in the supply of specific software. In the ruling the CJEU noted that “The concept of ‘sale of goods’ relating to self-employed commercial agents, must be interpreted as meaning that it can cover the supply, in return for payment of a fee, of computer software to a customer by electronic means where that supply is accompanied by the grant of a perpetual licence to use that software.”


Fines


Here are the European fines this week. Something for many of us to think about: get appropriate consents, send things to the right person, take people off the list when they ask you to and stop contacting them, and don’t use LinkedIn to sell (yes, really!).


Luxembourg


The Luxembourg DPA fined an insurance company €135,000 for sending an e-mail to an uninvolved third party in error. The email included the data subject’s name, gender, and detailed information and forms about illnesses. The company sent a second message to a third party which included very specific medical questions. The company did not inform the DPA of the breach in a timely manner and had insufficient “technical and organizational measures” in place to ensure a level of security appropriate to the risk.


Spanish (AEPD) fines


The Spanish authorities have issued the following fines:

  • A ski club - €10,000 - for publishing a video of a minor on a website and social media without informed consent. The club had posted the picture because they wanted to be more attractive to women, and had previously obtained consent from the child's father when he registered the child for the course. That consent did not include the processing of images on social media or the website.

  • Club Deportivo Sansueña - €4,000 - for adding a data subject’s phone number to a WhatsApp group without the data subject's consent.

  • Orange Espagne - €30,000 – because a subsidiary continued to call and send texts even though the data subject had asked to be deleted from the company database and the controller confirmed the deletion of the data.

  • Vodafone España - €40,000 - for sending telephone bills for a third party to another person’s e-mail address and failing to act when it was brought to their attention.


Italy


The Italian Garante has fined the real estate portal La Prima €5,000 after a member of staff contacted a data subject on LinkedIn to offer real estate services related to a specific property owned by the data subject. The DPA clarified that the platform is intended to enable the exchange of contact information in order to make job offers and is not intended to be used to send messages to other users in order to sell services. This could have implications for the many who have started to use LinkedIn messages for direct sales.

The Italian Garante has fined a residential home €5,000 because its CCTV recorded a corridor between the accommodation and the communal showers. The footage was shown on monitors where it could be seen by third parties.


Austria


The Austrian DPA has announced three fines:

  • Austrian Post - €9.5 million – for introducing a contact form for data protection inquiries but not allowing data protection-related inquiries by e-mail.

  • A bank - €4 million.

  • A customer loyalty programme - €1.2 million.


Blogs of the Week


Neil Brown/Decoded Legal - County court decision on video and audio recording


Neil discusses the Oxford County Court decision on video and audio recording in the home. The case encompassed harassment, nuisance and data protection. It came as a result of CCTV covering an area around two private parking spaces in a communal car park and a shared driveway leading to the car park, a camera mounted on a shed, and another on a windowsill pointing out towards a public road.

The court found for the claimant (the objecting neighbour): not on the claims of nuisance/loss of privacy, as some would expect, but on the claims of harassment and breach of the UK GDPR/DPA 2018. These were upheld because the system was found to be processing personal data (images were collected, transmitted, retained and shared with neighbours and police). The neighbour who installed the equipment was a data controller and had failed to process the data in a fair and transparent manner, had not collected the data for a specified or explicit purpose, and had failed to balance his legitimate interests against those of his neighbour. You can read an excellent summary of the case in the Decoded Legal blog: https://decoded.legal/blog/2021/10/ring-doorbells-audio-and-video-monitoring-equipment-data-protection-and-suspiciously-long-raincoats.


Tash Whittaker/DPO Organiser - In-house DPO vs External DPO


Whether you have an in-house or an external DPO, getting the right one can be a huge asset to your organisation. Tash tackles the debate as to whether it is better for a business to have an in-house DPO or an external one. As with anything DP related, “it depends”: different solutions suit different organisations. Tash describes the top five advantages of each so you can take your choice, depending on whether convenience, in-house knowledge, VFM, corporate buy-in and “water cooler moments” matter most to you, or cost, expertise, no conflicts of interest, flexibility and a network. There is merit in both. Read the blog here: https://www.dporganizer.com/blog/inhouse-vs-external-dpo/

