Sunday, March 13, 2016

Week 9 Takeaways

This week in the news there were two invasion of privacy suits front and center.

- First, a Tennessee court awarded Erin Andrews $55 million in a suit over violation of privacy.

- Second, Hulk Hogan filed a $100,000,000 lawsuit over violation of privacy centered around a sex tape with a former friend's wife that was captured on video inside the home where the incident took place.

Apple was also in the news this week. The court received numerous amicus briefs:

- Verizon and AT&T call on Congress to address the issue of privacy
- The Wall Street Journal is supporting Apple
- Silicon Valley generated 17 briefs in support of Apple
- A hearing will be held in a few weeks
           
Verizon admitted to violating FCC regulations in relation to its use of "supercookies"; the fine of $1.3 million is barely a slap on the wrist for Verizon. However, this is the first time the FCC has acted on behalf of consumers in such a way, and it will likely have a ripple effect moving forward.

This week we talked extensively about privacy and the Internet of Things, which we defined as any device that connects to, or communicates with other devices through, the internet.

In December 2015, the Online Trust Alliance created an IoT Trust Framework listing 30 principles in 3 categories:

1. Security
2. User access and credentials
3. Privacy, disclosures, and transparency

Security

- Credentials should be salted or hashed, which makes stored passwords more secure.

- Personally identifiable data should be encrypted both at rest (on the device and on the connecting server) and in transit, to protect the data from third parties.

- Regular upgrades and patches should be applied to fix discovered vulnerabilities and flaws. This means that security needs upkeep; it is not a one-and-done process.

User Access and Credentials

- Use system-generated or single-use passwords, not a master password shared across devices.

- Lock and disable the device after a certain number of failed log-in attempts.
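The Security and User Access principles above can be seen together in a small credential store. The following is an added example written for these notes, not code from the OTA framework or from the original post: it stores each password as a per-user salted PBKDF2 hash, issues a system-generated setup password in place of a shared default, forces a change on first login, and locks the account after a fixed number of failed attempts. The lockout threshold and hash work factor are assumed values, not numbers taken from the framework.

```python
# Added illustration of the "Security" and "User access and credentials"
# principles: per-user salted hashing, a system-generated setup password
# instead of a shared default, and lockout after repeated failures.
# Example code, not the OTA framework's or the post author's; the policy
# values below are assumed rather than taken from the framework.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5      # assumed lockout threshold
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the password hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password.

    A fresh random salt per credential means two users who choose the same
    password get different stored digests, so one precomputed lookup table
    cannot be checked against every row of a leaked credential store.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def generate_setup_password(nbytes: int = 12) -> str:
    """System-generated one-time password that replaces a factory default."""
    return secrets.token_urlsafe(nbytes)


class DeviceAccounts:
    """Toy credential store for one device (constructed for this example)."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def provision(self, username: str) -> str:
        """Create an account with a random setup password the user must change."""
        setup_pw = generate_setup_password()
        salt, digest = hash_password(setup_pw)
        self._records[username] = {
            "salt": salt, "digest": digest, "failed": 0,
            "locked": False, "must_change": True,
        }
        return setup_pw  # shown once to the user, never stored in clear

    def set_password(self, username: str, new_password: str) -> None:
        rec = self._records[username]
        rec["salt"], rec["digest"] = hash_password(new_password)  # fresh salt too
        rec["must_change"] = False

    def is_locked(self, username: str) -> bool:
        return self._records[username]["locked"]

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'must_change_password', 'denied' or 'locked'."""
        rec = self._records.get(username)
        if rec is None:
            hash_password(password)  # same cost whether or not the user exists
            return "denied"
        if rec["locked"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):  # constant-time compare
            rec["failed"] = 0
            return "must_change_password" if rec["must_change"] else "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True  # stays locked until an out-of-band reset
            return "locked"
        return "denied"


if __name__ == "__main__":
    accounts = DeviceAccounts()
    first_pw = accounts.provision("owner")
    print(accounts.login("owner", first_pw))  # must_change_password
```

The store never keeps the setup password or any later password in clear text; `provision` returns the generated value once and only its salted digest is retained. Because the counter resets on a successful login and the lock is permanent until reset, a device following this pattern satisfies both the "no master password" and the "lock after failed attempts" principles at the same time.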

Privacy, Disclosures, and Transparency

- The device should notify the user of password resets.

- A mandatory privacy policy must disclose how Personally Identifiable Information is collected and used.

- Personally Identifiable Information should only be shared with third parties following affirmative consent, requiring an opt-in process rather than an opt-out process.

- Users should be able to delete or anonymize Personally Identifiable Information stored on company servers upon loss or discontinuance of the device.
