Organizations voluntarily creating big public data breaches are rare. Recently it became widely known that the Public Transport Victoria (PTV) published a dataset of possibly over 15 million users. It was “anonymized”, but PTV may now still face a $336,000 data protection fine. How did this happen? Data Science Read More
We live in times of profound technological impacts and accelerating history. Technology is increasingly influencing fundamental aspects of societies. Some technologies have great potential but their impact in the long term is difficult to imagine in advance by most. My background is compounded. I have experience in security engineering, walked Read More
Welcome to the privacy analysis of Progressive Web Applications. With new features in steady supply, the web is changing in exciting ways. One of the more interesting trends is the concept of Progressive Web Applications (PWA). PWAs use modern and powerful web features to further blur the boundaries between web Read More
In 2009, as people grew concerned over the pervasiveness of web tracking, the idea of adding Do Not Track (DNT) to browsers gained traction across the web. By enabling the setting, the browser attaches “DNT: 1” to a web request, effectively telling the site that user does not wish to Read More
Soon every website will be able to know if its visitors have a disability, or not. Well, not quite. That will relate to those who use assistive technologies (i.e. screen readers for vision-impaired), and who gave access for this feature. This thanks to Accessibility Object Model (AOM), a feature Read More
It is not often when a major product used by millions rolls out changes reducing the privacy posture. Google Chrome is a recent example. The newly released version 69 automatically signs-in users into the browser whenever the user logs into a Google Service (e.g. Gmail); the change also makes Read More
It is surprisingly difficult to find realistic, interesting and creative privacy case studies. It is perhaps even more difficult in the case of major software. There are no proper motivations for making this kind of work public (employees often paid to do some kind of work in-house; their compensation typically Read More
The world is rapidly upgrading data privacy regulations. In that regard, European Union is admittedly at the forefront, with its General Data Protection Regulation. It somewhat permeates outside, spreading the good P-rays (privacy rays). India is a very importan country, the largest democracy in the world. So it is not Read More
Unsecured ways of web browsing are fading away at accelerating pace. Technically this is done thanks to the increased deployment of HTTPS on the of web. Data indicates that above 70% of websites are now accessed via this secured protocol, those numbers quickly increasing. This is an important milestone in Read More
Modern Web browsers are constantly getting new features. It makes for interesting challenges on the level of security and privacy reviews. This is how I usually look on this stuff. There are recently a lot of interesting new browser mechanisms. I previously analysed some in the past, such as proximity Read More
One of the most discussed and often introduced as controversial additions of the General Data Protection Regulations are the high fines. Maximum fines of €10.000.000 (or 2% annual worldwide turnover) or €20.000.000 (or 4%) are definitely significant. They could cripple an entire company. But can or Read More
My work touches multiple dimensions: research, technology, standards and technology policy. One of the aspects of my security and privacy research involvement are the study of sensors privacy - and especially sensors exposed to websites via web browsers. The practical outcome of this work are privacy analyses of Web APIs. Read More
Currently, it is the key question of cybersecurity and privacy strategic policy. The European Union is going through an overhaul of its privacy and cybersecurity regulatory frameworks. New regulations appear with remarkable frequency. Let’s mention merely the three: NIS Directive (“common level of network and information security“), General Data Read More
Websites, mobile apps, IoT devices, smartphones and just about any other products, systems or processes will, in a majority of cases, might soon need to redesign and re-engineer how user consent is being processed. Why? Because of the European General Data Protection Regulation. The GDPR makes consent a bit closer Read More
Data Protection Impact Assessment (DPIA) is a useful tool that can help organizations to understand the risks related to processed data. DPIA helps to find the right balance and proportions, identify risks, assess the necessity and proportionality and generally help with risk management. Due to the European General Data Protection Read More
Simple payment standard will be the new cool thing web browsers can do. This happens thanks to W3C Payment Request API. Early on it has been even featured in the New York Times and rightly so, as it has a big potential. Why? Introduction Chances are that the days of Read More
Users of public transportation are mainly interested in one thing: getting to the right place conveniently and fast. So do I. Public transportation systems around the world struggle with maintaining their systems as efficient as possible. Transports for London (TfL) is perhaps in the avant-garde here. They are on the Read More
When governments acknowledged that computer hacking is increasingly made by criminals, hacking techniques employed by criminals were simply banned. This has solved the problem; since then we‘re not hearing of any data theft, fraud and so on. Right. In the European Union, General Data Protection Regulation will enter into Read More
Web privacy and transparency engineering can work both for businesses and users. Sometimes technologies can effectively open the opportunities for enhancing transparency even without a clear intention of doing so. In this post, I’m analyzing the extension to OpenRTB (Real-Time Bidding specification) which is meant to decrease the rate Read More
Do you know when Apple Messages send end-to-end encrypted messages? This note might look unusual but it was sparked by continuous questions I receive about communication confidentiality. If you’re well-versed in security and privacy technology - feel free to skip, most likely you won’t find much things of Read More
NIST has published new guidelines relating to security and privacy (I noted recent NIST’s involvement in privacy engineering here). As many of their documents, new guidelines will be influential for security and privacy engineering. Though they’re focused on Digital Identity, the reach will be much broader. I paid Read More
Data Protection Authorities of a number of European countries (notably, France, Spain, Belgium, Netherlands) has announced a formal action in the Facebook case. The announcement and summaries are available here. To tackle this particular issue DPAs formed a devoted Contact Group allowing a coordinated analysis. Pretty unprecedented move. Few years Read More
In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your browser using a surprising tool: your smartphone or laptop’s ambient light sensor. In short: 1. We provide background about the light sensor API and current discussions to expose it more broadly to websites. Read More
When is Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) necessary and mandatory according to the General Data Protection Regulation (GDPR)? So far there has been a lot of ambiguity surrounding the issue. I previously wrote about the DPIA guidelines (and its challenges) suggested by the Privacy Commission Read More
ePrivacy is one of the most crucial European privacy and data protection regulations. I already wrote about ePrivacy, analysing its leaked and the later official draft versions. The ePrivacy regulation is important because it touches a number of influential aspects such as: electronic communication, web technologies, and web browsers. To Read More