
Technology Regulation


It is my distinct privilege to convey to you that the prestigious ranking of data protection law firms in Mexico by Leaders League has ranked my practice as «Excellent» for the second year straight. I’m honored to be included among such noted practitioners as Héctor Guzmán from BGBG, Agustín Ríos from R1OS, Bufete Soni and Lex Informática.

Thanks and gratitude are in order to friends who’ve provided encouragement and references, as well as to our esteemed clients who have trusted us with their requirements for compliance and advisory and also to Leaders League.

This further commits us not just to remain in that tier, but to reach the next one and become «Leading».

Timing is of the essence, and the release of the communiqué by IFAI, Mexico’s data protection authority, announcing its decision to fine Google Mexico for failing to comply with an individual’s objection to the processing of his data and with IFAI’s subsequent order thereto, is no exception. It was released exactly one week ago, right on the eve of International Data Privacy Day, and was therefore remarked upon by almost every single one of the participants in the conferences organized for that date. It was also released very timely, less than 20 days after the political analysis magazine «Proceso» questioned IFAI’s unwillingness to act against Google, on grounds that Google was near and dear to the current administration’s digital agenda, seemingly implying that this afforded the search giant some measure of immunity.

IFAI now ranks alongside the authorities of countries such as the United States, Germany, the Netherlands and Spain, which have in one way or another acted against Google for transgressions of their privacy frameworks. However, this is not the first time that Google has come into IFAI’s crosshairs, and while many privacy commentators and scholars opine that this case bears a strong resemblance to the «Costeja Case» of the Spanish Privacy Agency and the European Court of Justice regarding the «right to be forgotten», there are important nuances to it.

Key ideas follow here, folks: as of June 2002 there is a «FOIA-equivalent» Transparency Law in force in Mexico, which includes provisions on privacy regarding personal information in the power of agencies and instrumentalities of the Federal government. In 2009 the Mexican Constitution was amended to include the right to data protection among the human rights protected by it, and to afford Federal Congress the power to pass laws thereupon. About a year thereafter Mexico’s federal privacy law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares or LFPDPPP) was enacted. The amendment to the Constitution and both Federal statutes follow the model set by the European Union’s Privacy Directive, providing for four fundamental entitlements of individuals as concerns the processing of their personal information:

  1. Access thereto;
  2. Rectification thereof;
  3. Cancellation thereof, and
  4. Opposition (to the processing thereof).

Having outlined the above, this is not the first time Google and IFAI have met face to face. In March 2011 IFAI ruled on case 4198/09, concerning the petition of an individual to the Federal Labor Board (the administrative court that hears labor cases in Mexico) for its online-searchable daily bulletin of cases to be heard on a given date not to include his name, so as to prevent him from being rejected by future employers on grounds of having sued a former employer. The petitioner had to sue in Federal court in order for his request to be honored by said Board and by IFAI itself, following which the latter found on review that the measures proposed by the Board had been appropriate and in compliance with the ruling in the case, wherein the Board proposed to:

  • Modify the format of the files used to publish the Bulletin on the Board’s website, so that search engines cannot find and index the individual’s name with regard to the labor case concerned, and
  • Directly request Google to delete from its indexes the information concerning the individual’s name with regards to the labor case concerned.

The record shows that the Board did reach out to Google for that purpose; however, it remains unknown whether or not Google complied with the Board’s request.

Then, in March 2014, IFAI ruled on a verification proceeding initiated against Google over its cache of a website under the domain abctelefonos.com, which belongs to Nexus World LLP in the UK, about which a person had complained on grounds that the original source of the infringing information had removed it, but Google had not.

Google Mexico was served with a request for information to which it replied in terms that are relevant for the sanctions case at hand, so bear this in mind: it responded that as per its current bylaws its corporate purpose includes (bylaws in Mexico have these ridiculously long listings of things the corporation may do in pursuing its corporate purpose)…

1. Commercializing and selling online advertising and products and services for direct commercialization, in Mexico or abroad, on its own behalf or the behalf of third parties, as well as to provide all kinds of services through electronic means, including but not limited to, search engine, instant messaging, email, storage, reproduction and broadcast and retransmission of data, and similar, annex and related services.

However another key concept is also quoted on that reply from Google Mexico to IFAI:

Notwithstanding the breadth of its corporate purpose, the activities that my principal in fact performs in Mexico center on those described in numeral 7 of article Third in its bylaws, particularly in the purveyance of administrative, financial, advisory and consulting services for corporations.

7. Receiving from other persons, individuals or corporations, as well as providing said individual or corporations whichever services necessary to comply with their corporate purposes, including but not limited to, administrative, financial, technical assistance, advisory and consulting services.

And then it underscored:

My principal does not provide the search engine service, as said service is provided by Google, Inc., an American corporation that owns the corresponding technological platform, with domicile at 1600 Amphitheatre Parkway, Mountain View…which operates and provides, amongst others, the search engine service for its users using its own servers and equipment. Therefore my principal does not gather nor process personal information of the users of the services provided by Google Inc.

Consequently,…Google Mexico, S. de R.L. de C.V., is not the corporation that owns nor is responsible for the operation of the search engine service, as said service is offered and managed by Google, Inc. …Google, Inc., and Google Mexico, S. de R.L. de C.V., are different corporations; besides, Google Mexico, S. de R.L. de C.V. is not a liaison office, branch or representative office of Google, Inc.

It further underscored that «Google Mexico only processes personal information of its employees and the databases that include physical files that contain them are the only elements that are protected pursuant to the LFPDPPP, and that exist in its facilities, and so it has been attested by the Verifiers…»

What follows is material for the instant case; in the Third finding («Considerando Tercero») to IFAI’s resolution in the verification proceeding said data protection authority stated that «[f]rom the information in the file being acted upon it is found that as regards the services relative to the search engine and email that in their time gave rise to the opening of the file that is acted upon, as well as the statements of the Complainant in his writ of February 6, 2014, these are provided by Google, Inc., a corporation domiciled in the United States of America, over which this Institute lacks jurisdiction by territory, as it escapes the content of the LFPDPPP, as provided for in its article 1 and is not within the provisions of article 4 of its Regulations…»

Based on the foregoing, IFAI found that there had been no violations of Google to the LFPDPPP, and resolved to have the file archived without further consequence thereto.

Bearing the above in mind, now consider that the instant case was initiated by a complaint dated July 22, 2014, wherein an individual stated that he had exercised his rights to the cancellation of his data and opposition to the processing thereof before Google with regard to 3 URLs found through its search engine, but had received no reply whatsoever from Google Mexico, which is in and of itself a violation of the LFPDPPP. He claims that the information whose deletion he requested included his name, his brothers’ (however, the record does not show that the complainant had authority and standing to represent his siblings) and his late father’s (also no reference to standing as executor of the gentleman’s estate), as well as «…clipped and out-of-context information on my activities as a businessman and merchant, which not only affects my most intimate sphere (honor and private life), but also current commercial and financial relationships…said information entails a grave risk to my personal security and physical integrity, as it is information linked to financial, patrimonial and judicial aspects…said information was uploaded and published to the «Google» search engine without my consent».

The above assertions by the complainant are interesting, insofar as Roman numeral II in article 5 of the Regulations to the LFPDPPP exempts information concerning individuals in their capacity as merchants from its provisions; while that poses legality issues that could lend themselves to successful challenges in court, the fact is that IFAI is bound by said Regulations and should therefore not have considered that information as protected under them and the LFPDPPP. However, it decided to move forward with the case, as per the complainant’s assertions Google failed to respond to his petition, which under the LFPDPPP provides for a cause of action before said Institute under a «Rights Protection Proceeding», whereby IFAI may find fault on the part of the Data Controller and order for the request to be complied with, but also mediate between the parties involved.

The bold assertions by the claimant’s counsel include statements that «Google (Mexico) possesses, controls, processes, authorizes, facilitates, shares, provides, makes possible, distributes, aids and abets the undue processing of sensitive personal data of our client, by allowing for information that does not comply with the requirements of the law, and much less with the principles… that govern the processing of personal information, to be uploaded, published and displayed through its «Google» search engine…».

Anecdotally, it seems that an inappropriately redacted public version of the file was released at some point and has been blogged and reposted by a number of commentators (just as in the Liverpool department store breach case, this blog deals in legal scholarship and not news, so it refrains from further facilitating access to information that was or is not meant to be made public by its originators and thus no hyperlinks to the leaked copy of the file are included), wherein enough information of the search results was visible to allow readers to trace the allegedly infringing URLs the complainant complained about and realize that it had to do with a transport company and allegations that it was one of many favored by the bank bailout of the mid-90s (re: «Fobaproa»). In this sense the case may have the same ironic, undesirable and unexpected collateral effect as the Costeja Case: instead of achieving oblivion, the complainant’s identity and data involved in the case will become pervasive in future discussions and comments on the case. Perhaps there are instances where a good SEO strategy yields better results than the law?

IFAI’s requests for information regarding the instant case (regarding Google Mexico’s relationship to Google International, LLC, and Google, Inc., the search engine services it provides, whether it has servers of its own, how its services are, or are not, linked to the aforesaid partners, etc.) were answered much in the same way as those in the verification case previously discussed, with Google Mexico reiterating that it does not operate or provide in any way services on behalf of Google Inc., does not have servers of its own and does not provide, in any way, search engine services, which are provided by Google Inc.

However, IFAI departed from the criteria set in the previous case, and the Second finding in the ruling for this one established as the cornerstone for the decision to sanction Google Mexico exactly what the Third finding had established as the cornerstone to absolve it: regardless of the fact that Google Mexico has no servers of its own and does not actually provide the search engine service on its own, since there is a provision in its bylaws whereby its corporate purpose includes the purveyance of such services, it therefore does provide them and is consequently bound by the LFPDPPP with regard to them. To support this statement IFAI’s verification officers certified screenshots of searches of the complainant’s name made through http://www.google.com.mx, as well as of Google’s pages dealing with its Terms and Conditions, «About», «Locations», etc., on which grounds said Institute found that Google Mexico did provide search engine services that amount to processing of personal data, and is therefore bound by the LFPDPPP, under obligation to comply with the claimant’s petition and subject to that proceeding.

At this point one might wonder if the whole thing could have been prevented if Google Mexico had replied to the claimant’s petition; the short answer is «NO»: under the LFPDPPP an individual has cause for action in a Rights Protection Proceeding not only if the Data Controller does not respond to his petition, but also if he is in disagreement with the response. However, even if Google Mexico weren’t the Data Controller, it should have responded to the claimant, as articles 95 and 98 of the Regulations to the LFPDPPP state that all petitions by individuals must be responded to by Data Controllers, whether or not they possess personal data of the petitioning individuals. IFAI further found that Google Mexico was in fact the Controller of the Data processed as concerns the instant case, and that it failed to invoke any of the exceptions in the law to the obligation to respond to an individual’s petition, or a legal impediment thereto.

It consequently ordered Google Mexico to perform the actions necessary to implement the complainant’s rights to have his personal data cancelled from its search results and to oppose such processing thereof, within the 10 business days following notice of the ruling, by abstaining from processing said data in such a way that after typing the complainant’s name the URLs quoted in the initial complaint no longer show up, and by having said details cancelled from its databases…although there is record from another case that Google Mexico has no such databases.

Google Mexico could not possibly (technically or materially) comply with the foregoing; but in addition to the above, IFAI found that Google Mexico did not comply with the complainant’s initial petition and carried on with the illegitimate processing of his personal data, so that there were grounds to initiate a sanctioning proceeding against Google Mexico, which the latter would appear to have ample chances of successfully challenging if it came to a fine being assessed against it.

As other privacy practitioners and commentators have remarked and underscored, this case bears an inextricable nexus with the aforementioned Costeja Case, so much so that IFAI itself quoted the ruling thereupon by the European Court of Justice (page 34 of the file). However, as the usual length for a blog entry has been exceeded by far herein, comments on that particular issue will be made tomorrow, in the next entry hereto.

The position of the United States at the vanguard of fields such as finance and technology may lend itself to creating the impression that its legal framework is as progressive as its companies in those lines of business. However, that’s not always the case; following are three instances where Mexico actually moved ahead of the USA, regulation-wise:

  • Mexico created an agency mandated to protect users of financial services in instances where their purveyors of financial services were not compliant with the law.

Following the financial meltdown nearly 20 years ago, interest rates for financial products, whether credit cards, car loans or mortgages, skyrocketed in Mexico; people were unable to comply with their financial commitments and lost their homes, had their cars repossessed or their assets garnished. Of course this prompted widespread protests, and many politicians reaped dividends by demonizing financial institutions, but the national conversation on those issues brought about the creation of an «Ombudsman» for the financial services industry: the National Commission for the Protection and Defense of Users of Financial Services (CONDUSEF as per its acronym in Spanish).

This agency has faced many challenges, and still does; mainly, its «teeth» are not sharp enough, and its last three Chairs have steered it more towards facilitating financial education and information for the public. For instance, it recently instituted a Financial Institution Rating Website, where users can check how the banks to which they would apply for credit rate relative to each other compliance-wise, much in the same way those institutions assess applicants based on their credit rating.

Apparently such legislative developments are only brought about by widespread financial turmoil: conversely, the United States created its financial services Ombudsman, the Bureau of Consumer Financial Protection (CFPB), after the Dodd–Frank Wall Street Reform and Consumer Protection Act was passed in 2010, and it did not begin operating until 2011, following heated debates over President Obama’s proposal to appoint Harvard Law Professor Elizabeth Warren, who first proposed such an agency, to Chair it.

In sum, Mexico has been over a decade ahead of the United States as concerns the enforcement of financial regulations relative to the public.

  • Banks in Mexico are obligated to issue credit cards which are safer than those issued by banks in the USA. Bank cards the world over are made following the ISO 7810 and ISO 7813 standards; that is why it is possible for your card to be swiped at point-of-sale terminals and work in ATMs the world over. Those standards cover aspects such as toxicity of materials, flammability, stiffness (how much the card should bend), how characters (your name, the issuer’s identification number) are embossed onto it, their magnetic stripes, integrated circuits and the track data in them, etc.

Disclosures on data breaches at large retailers such as Target, last year, and more recently The Home Depot, have put credit card and point-of-sale terminal technology in the spotlight. In addition to apparent negligence in implementing security controls, one rather large issue is also the common denominator: bank cards issued by banks in the United States still rely on magnetic stripes for the storage of the data that authenticates the transaction, and that data is easily copied or stolen by thieves or hackers. As WIRED Magazine explains in a recent piece:

The fatal problem with the credit card magstripe is that it’s only a container for unchanging, static data. And if static data is compromised anywhere in the processing chain, it can be passed around, copied, bought and sold at will.

Now, after resisting it for 10 years because of the formidable transition costs, the US is about to finally embrace the secure chip-based authentication system called EMV—the standard was pioneered by Europay, MasterCard, and Visa—that the rest of the world has already adopted. Pushed by mounting fraud costs, credit card companies have crafted incentives for merchants to switch to the sophisticated readers needed to accept the cards.

While the New York Times piece in the link above on the Target breach underscores that «The new debit and credit card technology, called chip and PIN, is widely used in Europe and considered to be far more secure than most cards used in the United States, which rely on magnetic strips,» it should be noted that Mexico’s National Banking and Securities Commission has steered banks towards substituting magnetic stripes with integrated circuits for over 4.8 years now: as per its General Provisions Applicable to Credit Institutions, banks that approve transactions made without the use of integrated circuits, whether in ATMs or point-of-sale terminals, are bound to agree with their Users (in their respective service agreements) that they (the banks) shall undertake the risks, and therefore the costs, of transactions disavowed by said Users when using such cards, and that the claims from such transactions shall be credited to those Users, at the latest, 48 hours after the filing of the respective claim.

The flip side is that banks are allowed by regulation to regard the information in such integrated circuits as a Category-3 Authentication Factor for transactions made through ATMs and POS terminals which obtain the cards’ information through such circuits; that is to say, transactions which require the card with the circuit to have been present at the moment of the transaction. At that point one could assume that the situation would be no different from one in which a card with a magstripe were involved; however, the key here is that the information in the circuits is not static and is encrypted, so that even if it had been copied during one transaction it still could not be used for others afterwards.
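To make the static-versus-dynamic contrast above concrete, here is an added toy model (not code from the original post, and not the EMV specification): the magstripe issuer can only compare fixed track data, so a skimmed copy authorizes again, whereas the chip model binds each authorization to a per-card key, an increasing transaction counter and the amount, so a captured cryptogram is rejected on reuse. All keys, the PAN and the track-2 string are constructed values.

```python
"""Toy model of why static magstripe data can be replayed while a
per-transaction chip cryptogram cannot.  Added illustration only: real EMV
derives per-transaction session keys and uses 3DES/AES-based MACs; this
keeps just the replay-resistance idea with an HMAC over a counter."""
import hashlib
import hmac
import os
from dataclasses import dataclass


# --- Magstripe model: the track data is a fixed, reusable secret ---------
class MagstripeIssuer:
    def __init__(self):
        self.on_file = {}  # PAN -> track-2 data as encoded at issuance

    def issue(self, pan, track2):
        self.on_file[pan] = track2

    def authorize(self, pan, track2, amount_cents):
        # The only possible check: does the presented data match what was
        # encoded?  A copy captured at a compromised terminal passes too.
        return self.on_file.get(pan) == track2


# --- Chip model: cryptogram bound to counter, amount and terminal nonce --
def cryptogram(key, atc, amount_cents, terminal_nonce):
    """MAC over the transaction data; differs every time because the
    application transaction counter (ATC) increases every time."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") + terminal_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    key: bytes      # per-card secret shared only with the issuer (constructed)
    atc: int = 0    # application transaction counter, never reused

    def sign_transaction(self, amount_cents, terminal_nonce):
        self.atc += 1
        return self.atc, cryptogram(self.key, self.atc, amount_cents, terminal_nonce)


class ChipIssuer:
    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def issue(self, card):
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0

    def authorize(self, pan, atc, amount_cents, terminal_nonce, cg):
        key = self.keys.get(pan)
        if key is None:
            return False, "unknown card"
        expected = cryptogram(key, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, cg):
            return False, "bad cryptogram"      # forged data or altered amount
        if atc <= self.last_atc[pan]:
            return False, "ATC not increasing"  # replay of an earlier transaction
        self.last_atc[pan] = atc
        return True, "approved"


def demo():
    """Run the same skim-and-replay scenario against both models."""
    pan = "4111111111110000"                        # constructed, not a real account
    mag = MagstripeIssuer()
    track2 = pan + "=25121011234567890"             # constructed track-2 string
    mag.issue(pan, track2)
    mag_first = mag.authorize(pan, track2, 2000)
    mag_replay = mag.authorize(pan, track2, 99999)  # skimmed copy, any amount

    chip = ChipIssuer()
    card = ChipCard(pan, os.urandom(16))
    chip.issue(card)
    nonce = os.urandom(4)
    atc, cg = card.sign_transaction(2000, nonce)
    chip_first, _ = chip.authorize(pan, atc, 2000, nonce, cg)
    chip_replay = chip.authorize(pan, atc, 2000, nonce, cg)        # same data again
    chip_tamper = chip.authorize(pan, atc + 1, 99999, nonce, cg)   # reuse with new amount
    return {
        "magstripe_first": mag_first, "magstripe_replay": mag_replay,
        "chip_first": chip_first, "chip_replay": chip_replay,
        "chip_tamper": chip_tamper,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The issuer-side ATC check is what turns a copied transaction into a detectable event rather than a silent loss.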

So to that regard Mexico will have been a good 5 years ahead of the United States in credit card security by the time the US transitions from magstripe cards to cards with integrated circuits.

  • Mexico passed regulations making unlocking of mobile phones legal before the USA did.

For years now mobile carriers have entrenched themselves by offering handsets whose price is bundled with the fee for their service plans; but once the mandatory term for the plan is over the user is faced with the choice between continuing to cope with her former carrier, usually upgrading to a newer (and hopefully better) handset (which Apple facilitates a lot by releasing a new iPhone every year and a half or so), or moving on to another carrier and having to procure another handset from it, as the old one would only work in the network of the previous carrier. That is evidently a pain and unfair to consumers; after all, once the term for the plan is over and done, the handset has been paid for (often in excess), so the user ought to be able to keep using it, even with a competitor of the carrier.

For sure, «jailbreaking» has been possible for a while now, and was even ruled by the Copyright Office of the United States to be an exception to the Digital Millennium Copyright Act (the DMCA), but it is not without risk, as it may deprive you of access to essential updates or applications, and removing the protections originally put in place by the developer can put the device and the information contained in it at significant risk. However, unlocking your device is an entirely different proposition.

Acknowledging a basic right of consumers, Mexico’s Ministry of Economy passed on August 28th, 2012, Mexican Official Norm NOM-184-SCFI-2012, an administrative regulation whereby carriers are under obligation to inform whether the handset provided to the consumer is locked to be used only in its network, and how it can be unlocked, at no additional cost, to be used on other networks once the consumer has acquired title to the handset, whether because the mandatory term of the service agreement has lapsed or because it has been paid for in full. For sure, as in many other instances, there were hurdles to overcome at the outset in getting a device unlocked, such as alleged ignorance or misinformation at service centers.

Conversely, it wasn’t until after a long period of public comment and the EFF’s activism that this year President Obama signed into law the «Unlocking Consumer Choice and Wireless Competition Act», which affords users the right to have their handsets unlocked to be further used on another carrier’s network.

Overall, at least in these three items Mexico moved way ahead of the United States.

Tuesday September 9th was the day that followers of Apple’s hoopla looked forward to, as the company from Cupertino had, as is customary, gotten folks the world over hooked on its ballyhoo (performance and release of an album by U2 included) over the iPhone 6 and its wearable device, which everybody expected would be named «iWatch», following the branding convention set since the iMac, the first iPhone, the iPod (which will now be laid to rest; apparently Apple finally conceded that its devices were overlapping), the iPad, and the service platforms attached to them, such as the desecrated (since «#CelebGate») iCloud and even the «iForgot» password retrieval feature.

However, this wearable device, the stuff of science fiction less than 30 years ago (when the Dick Tracy film was released), did not follow that branding convention. The New York Times ran a piece on it today, and so did I over a year ago. It essentially boils down to a matter of intellectual property, more specifically of trademark prosecution: the Times reports that since Apple was about to launch its TV product and Steve Jobs hinted it might be called «iTV», the British broadcaster ITV PLC would oppose it. Apparently Swatch has now followed suit and taken preemptive measures with the trademark offices of the world to make it known that Apple’s attempts to brand this device as an «iWatch» could lead to confusion relative to their iSwatch product (registered with Mexico’s Trademark Office «IMPI»; you can look them up through their MARCANET service) for products under NCL 14 (clocks and watches), 35 (advertising and retail sales thereof) as well as 37 (repair thereof).

In the case of Mexico, as noted in the post herein from July 4th, 2013 and reported by the news journal Reforma, a third party filed to register iWatch in advance of Apple, and ultimately both ran into a prior registration granted in 2011 to an Italian company, «I’m, SpA», which began selling its I’m Watch in 2013. And that has not been the only case in which Apple found such obstacles to the pursuit of its naming convention; since last year the press in Mexico has reported extensively on the case that mobile carriers here lost against a Mexican company that had secured the registration for «iFone» since 2002, under which resolution hefty fines were assessed against all three then-major carriers but not against Apple, as iFone, S.A. de C.V., had secured said registration for the head-class of Telecomm Services (NCL 38), but apparently not for equipment therefor (NCL 9).

In sum, this case illustrates quite clearly how challenging it can be for a global company to follow and implement a branding convention the world over. For sure a company can file for «preemptive» or «defensive» registrations, but unlike domain names, trade and service marks cannot be stockpiled indefinitely; both US and Mexican trademark law provide for a term of 3 years within which a registered trade or service mark must be effectively used in commerce, or otherwise the registration may be cancelled. It may be difficult for design and development departments to meet that time window in getting products or services to the market.

Also, it often happens that legal and marketing don’t see eye to eye, and that is generally a matter of mindsets. Whereas MKT would love for its brands to be top of mind for consumers in their market niche, for legal that would mean risking the loss of registrations thereof on account of such marks becoming generic, which would result in the loss of valuable intangible assets. In this day and age it is essential for MKT to regard legal as an ally and an enabler, and for legal to guide MKT through the intricacies and nuances of intellectual property law in a way that affords the company’s intangible assets the best protection possible.

http://play.buto.tv/5cmRY

This video from the «Magic Circle» London firm Freshfields Bruckhaus Deringer illustrates how and why privacy compliance is much less costly than risking a cyber-attack, and some preemptive measures against such attacks.

The steps outlined to be taken are the following:

  1. Assess your business’s relevant information, where it’s at and how it is protected;
  2. Be joined (by a cross-functional committee) in managing risk;
  3. Have contractual protections, allocating and excluding liability if and where applicable, including insurance if possible;
  4. Readiness: rehearse responses.

The dire consequences of cyber-attacks have been illustrated in current affairs media by Sony’s settlement of a class action suit for the breach of its PlayStation user base, as well as by the attack against Target, which even led to the ousting of Board members, and more recently Home Depot’s.

You try and do the math as to which is more costly: investing in privacy compliance, or having your business take its chances in an equation where the variable for the cost (financial and reputational) of a breach cannot be determined ex ante, while the laws do provide parameters to assess fines.

Prior to the promulgation of the Federal Telecommunications Law, various media outlets published numerous comments on the impact that articles 189 and 190 of the draft Decree approved by the Congress of the Union have on the data protection enshrined in article 16, second paragraph, of the Political Constitution of the United Mexican States, which was discussed on this blog on July 4 and 28 of this year.

The issue boils down to the fact that the referenced articles oblige authorized parties and providers of application and content services to comply with every written, grounded and reasoned order from the competent authority, referred to very generically as «security and law enforcement agencies» («instancias de seguridad y procuración de justicia»), whose heads may designate, by means of agreements published in the Diario Oficial de la Federación, the public servants in charge of handling such requests and of receiving the information concerning the real-time geographic location of mobile communication devices, under penalty of sanction by the authority for contempt.

Today Reforma reports that the Financial Intelligence Unit (Unidad de Inteligencia Financiera, UIF) of the Ministry of Finance and Public Credit (Secretaría de Hacienda y Crédito Público, SHCP) submitted to the Federal Regulatory Improvement Commission (Comisión Federal de Mejora Regulatoria, COFEMER) the draft Agreement whereby the Head of that Unit designates the Public Servants mentioned therein for the purposes of the aforementioned article 189 of the #LeyTelecomm, designating as such the heads of the Financial Intelligence Unit itself and of its Directorate General of Legal Proceedings.

The press headline would seem sensationalist and intimidating to many: «SHCP to track tax evaders by cell phone» («Rastreará SHCP a evasores por celular»). In this regard one must consider whether the powers of the UIF pertain to security and law enforcement; naturally said Unit deems it so, and accordingly the draft submitted to COFEMER is grounded on the statement that article 15 of the Internal Regulations of the SHCP gives it authority to report to the Federal Public Prosecutor conduct that could favor, aid, abet or cooperate in any way with the commission of those crimes (art. 15, section XIII), so that it would fall within the scenario provided for in the aforementioned article 189 of the Federal Telecommunications and Broadcasting Law.

In this regard, it should be considered that the criminal offenses referred to in the cited provision of the Internal Regulations, commonly known as «money laundering», are essentially accessory; that is, although they are punishable in themselves, they serve as a means for the commission of other acts defined as crimes by articles 139 Quáter and 400 Bis of the Federal Criminal Code, and from a reading of the draft Agreement one could interpret that the intention of the Head of the UIF would be to limit its exercise of the power provided in article 189 to its actions regarding those offenses. Additionally, section XI of the cited article of the Internal Regulations also empowers it to «coordinate with the tax authorities for the performance of the audit acts that may be necessary by reason of the exercise of the powers conferred under the cited article»; therefore, real-time geolocation tracking of mobile telecommunication devices should take place only in cases where «tax evasion» had been one of the punishable conducts from which the funds used in the operations under investigation were obtained, that is, where those operations derived from conduct provided in article 400 Bis of the Federal Criminal Code and the funds were the product of the commission of conduct provided in articles 108 to 111 of the Federal Tax Code.

In the coming months we will no doubt see many other administrative authorities submit to COFEMER their respective draft Agreements for the same purposes. Perhaps this will help to mitigate, in practice and as a matter of fact, the lack of clarity and the ambiguity of the much-cited article 189 of the Federal Telecommunications and Broadcasting Law, although that should not be the case.

On the other hand, it will soon be seen whether IFAI, in its new composition, resolves to strengthen its role as guarantor of access to public information and personal data protection, since its plenary will rule in today's session on the exercise of the action of unconstitutionality conferred on it by virtue of the recent constitutional reform published in the Diario Oficial de la Federación on February 7 of this year. The discussion is said to be close, and without doubt the votes of its Commissioners will provide indications of their criteria and of what could be expected from their performance in those positions and from the Institute itself.

«Security Measures» (Regulations, art. 57: «control or group of security controls to protect personal data») is one of the personal data protection topics that probably presents the greatest complexity in practice and implementation, notwithstanding IFAI's Recommendations on Personal Data Security and its BAA Risk Analysis Methodology. The LFPDPPP is «technologically neutral», in that it does not require the implementation of specific measures, which makes every sense considering the breadth of its scope of application, which ranges from Data Controllers whose Data Processing is extremely elementary, such as a store that makes home deliveries or a beauty salon that takes appointments by phone, to those whose processing is extremely sophisticated, complex and intensive in terms of financial and/or sensitive personal data, such as credit or insurance institutions, or health service providers.

The minimum requirement contemplated in the LFPDPPP (art. 19) is that Data Controllers establish and maintain administrative, technical and physical security measures that protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing; such measures must not be less than those they maintain for handling their own information, and must be determined according to the existing risk, the possible consequences for data subjects, the sensitivity of the data and technological development. This is without prejudice to data controllers having to implement security measures specifically required by the authorities of the sector in which they operate, if these provide greater protection for the data subject than that provided by the LFPDPPP and its Regulations.

The fact is that regulatory compliance in personal data protection is not limited to, nor exhausted by, the drafting and implementation of privacy notices, a privacy policy and the designation of a person or area in charge of personal data protection within the organization; art. 9 of the Regulations makes the security duty as mandatory and binding as the 8 principles that inform the Law. Depending on the complexity and/or sophistication of the Data Controller, it may be necessary to involve one or more experts in risk mitigation, perimeter and/or IT security; the latter particularly considering the ease with which even small businesses or modest startups can access the means and resources to achieve an Internet presence. For example, as early as January 2012 the New York Times reported on vulnerabilities found in boardroom videoconferencing systems around the world, in the following terms:

«Rapid7 discovered that hundreds of thousands of businesses were investing in top-quality videoconferencing units, but were setting them up on the cheap… The most popular units, sold by Polycom and Cisco, can cost as much as $25,000 and feature encryption, high-definition video capture, and audio that can pick up the sound of a door opening 300 feet away. But administrators are setting them up outside the firewall and are configuring them with a false sense of security that hackers can use against them».

According to the aforementioned BAA Methodology, the Internet is the access environment that offers the highest level of anonymity (Level 5) to an attacker, such that the matrix tables for risk level by data type, accessibility level and anonymity level contained in that Methodology state with respect to such cases that «…it is not recommended that (such scenarios) exist. If your organization presents these scenarios, it is necessary to prevent direct access to these types of personal data from third-party networks, the Internet or wireless networks».

This can put data controllers between a rock and a hard place, since on the one hand Internet connectivity increases the risk to which the personal data they process is exposed, and on the other hand it is a necessity in many cases, not only to reach a larger audience or broader markets, but also to facilitate work in organizations that require it, whether because they deploy staff in the field or to facilitate employment benefits such as maternity/paternity leave. Hence the need to exercise a minimum duty of care in its implementation and to raise awareness, through adequate training, among all the organization's personnel about the security measures they must comply with in the performance of their duties, which precisely addresses the principle of accountability and the duty of care they are obliged to observe. For example, the New York Times reported two weeks ago that systems such as Microsoft's Remote Desktop, Apple Remote Desktop and Chrome Remote Desktop, which enable «telework» or «home office», are scanned by hackers who, upon discovering them, launch programs that guess access credentials until they obtain the correct ones, which could have been the means by which breaches such as those suffered last year by the retail chains Target and Neiman Marcus were accomplished.
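The credential-guessing pattern described in that report leaves a recognizable trace in access logs: a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not code from the original post or from any of the products named in it, showing how a data controller could flag that pattern. The log line format, the field names, the sample lines and the thresholds (five failures within two minutes) are all assumptions constructed for this example and do not reproduce any real Remote Desktop log format.

```python
"""
Credential-guessing detection over constructed remote-access log lines.
Added example: the line format, field names, sample log and thresholds
are assumptions for illustration, not a real product's log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures per source before alerting (assumed)
WINDOW = timedelta(minutes=2)  # sliding window for counting failures (assumed)

# Constructed sample log: one source guesses credentials repeatedly and then
# succeeds; another source logs in normally and later has a single typo.
SAMPLE_LOG = """\
2014-08-07T10:00:01 src=203.0.113.5 user=admin result=FAIL
2014-08-07T10:00:04 src=203.0.113.5 user=admin result=FAIL
2014-08-07T10:00:07 src=203.0.113.5 user=administrator result=FAIL
2014-08-07T10:00:09 src=198.51.100.7 user=maria result=OK
2014-08-07T10:00:11 src=203.0.113.5 user=root result=FAIL
2014-08-07T10:00:15 src=203.0.113.5 user=guest result=FAIL
2014-08-07T10:00:19 src=203.0.113.5 user=admin result=OK
2014-08-07T10:30:00 src=198.51.100.7 user=maria result=FAIL
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_guessing(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source whose failures within the sliding window
    reach the threshold, plus an alert when a success follows such a burst
    (a likely compromised credential rather than normal traffic)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    alerted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        src, now = rec["src"], rec["ts"]
        q = failures[src]
        # Drop failures that fell out of the window before evaluating.
        while q and now - q[0] > window:
            q.popleft()
        if rec["result"] == "FAIL":
            q.append(now)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"src": src, "kind": "credential_guessing",
                               "failures": len(q), "at": now})
        elif len(q) >= threshold:
            alerts.append({"src": src, "kind": "success_after_guessing",
                           "user": rec["user"], "at": now})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one worth routing to an incident process: a success that follows a burst of failures from the same source is exactly the scenario in which the credential, which is itself personal data under the Law, should be treated as compromised and the affected user notified.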

In this regard, it should be borne in mind that authentication factors, such as usernames and/or access passwords, are also personal data, categorized precisely as «authentication data» and considered to carry «Medium Inherent Risk» by the BAA Methodology, with the caveat «…that the categories described above were developed exclusively for the application of this methodology, and cannot be considered a criterion issued by IFAI. Moreover, the Institute's Plenary has not issued institutional criteria in this regard, and certain personal data that in principle are not considered sensitive could become so depending on the context in which the information is processed»; consequently, both those of the data controllers' employees or service providers and those of their clients, personal references, etc., are the controllers' responsibility, and must therefore be incorporated into their Personal Data Security Management System.

Less than a month ago I wrote on this blog about the possibility that the use of inadequate or weak authentication factors (e.g. simply first and last name, one's own birth date or that of close third parties, sequential letters or digits, etc.) could result in a breach of the accountability principle that informs the LFPDPPP and its Regulations. The same could result from the inadequate design of the computer and/or telematic systems through which personal data is processed; for example, at an event of the Asociación Nacional de Abogados de Empresa (ANADE) held this year, Ing. Oscar Lira, head of the Telecommunications and IT Department of the Dirección General de Coordinación de Servicios Periciales (DGCSP) of the Procuraduría General de la República (PGR), commented that one of the main aspects to consider for IT security is precisely that, even when created with suites such as Dreamweaver or similar, websites be «assembled» in such a way that the flow of information between their parts is duly secured. In his opinion, investing in hiring properly trained people for this is as important as, or more important than, investing in software tools, as illustrated by the New York Times article on the vulnerability of various videoconferencing systems due to their poor installation.
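The weak authentication factors listed above (a bare name, a birth date, sequential characters) can be checked for at the moment a password is chosen. The following is an added example, not code from the original post, from IFAI or from the BAA Methodology, of such a check. The minimum length of 12 characters and the run length of 4 are policy thresholds assumed for this example, and the names and dates passed in are constructed sample values.

```python
"""
Weak authentication factor checks, as an illustrative example.
Assumed thresholds (MIN_LENGTH, RUN_LENGTH) are choices for this example,
not values taken from the LFPDPPP, its Regulations or the BAA Methodology.
"""
import re
from datetime import date

MIN_LENGTH = 12  # assumed minimum password length
RUN_LENGTH = 4   # length of a sequential run such as "1234" or "abcd"


def _date_forms(d):
    """Spellings of a date that people commonly type into a password."""
    return {d.strftime("%d%m%Y"), d.strftime("%Y%m%d"), d.strftime("%m%d%Y"),
            d.strftime("%d%m%y"), d.strftime("%Y")}


def _has_sequential_run(s, n=RUN_LENGTH):
    """True if s holds n consecutive characters stepping by +1 or -1 in code
    point order, which covers "1234", "abcd", "dcba" and "9876"."""
    s = s.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def weak_password_reasons(password, names=(), dates=()):
    """Return the policy violations found in a candidate password.
    names: first/last names of the user or close relatives.
    dates: datetime.date objects (own or relatives' birth dates)."""
    reasons = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    for name in names:
        if len(name) >= 3 and name.lower() in low:
            reasons.append("contains_name:" + name)
    digits = re.sub(r"\D", "", password)
    for d in dates:
        if any(form in digits for form in _date_forms(d)):
            reasons.append("contains_date:" + d.isoformat())
            break
    if _has_sequential_run(password):
        reasons.append("sequential_run")
    if len(set(low)) == 1:
        reasons.append("single_repeated_char")
    return reasons


def demo():
    """Constructed cases, one per check, for illustration."""
    birth = date(1985, 3, 5)  # constructed birth date
    return {
        "name_and_birth_year": weak_password_reasons(
            "JuanPerez1985", names=("Juan", "Perez"), dates=(birth,)),
        "short_sequential": weak_password_reasons("abcd1234"),
        "descending_run": weak_password_reasons("zyxw!Secure9"),
        "passphrase": weak_password_reasons(
            "correct horse battery staple", names=("Juan",), dates=(birth,)),
    }


if __name__ == "__main__":
    for case, reasons in demo().items():
        print(case, reasons or "ok")
```

A check like this has to be fed the data subject's own names and relevant dates, which the data controller already holds as personal data; that is the point of the post above, and why the check belongs inside the controller's security management system rather than bolted on afterwards.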

Now then, what would happen, or what should be done, if despite having invested what is necessary to have the resources required for the correct implementation of the personal data security management system, breaches of it were detected or occurred through destruction, alteration, access, theft or unauthorized use of the authentication data of the data controller's personnel and/or its clients? For example, a few months ago the case of «Heartbleed» was publicized, a vulnerability found in the OpenSSL cryptography library that exposed the private key of servers used to implement Transport Layer Security measures, which enable secure communication on the Internet. Basically this is the technology that makes the «http» indication in the browser's address bar change to «https» and activates the well-known padlock icon, signaling that the communication had that security measure; the vulnerability allowed decoding the information used to secure those communications, enabling various attacks or the impersonation of users.

On the other hand, the day before yesterday media outlets such as the New York Times itself, TIME and El País reported that Hold Security discovered that a group of hackers called CyberVors, presumably Russian, had stolen the authentication factors of 1.2 billion users from 420,000 websites worldwide, as well as 500 million email addresses, which are also personal data, attacking them with «SQL injection» carried out through «botnets» that «audited» the targeted sites in search of SQL vulnerabilities. For now it appears the hackers have only used that personal data to send spam, but that would not prevent such information from being sold on the black market tomorrow; in January of this year a Mexican couple was arrested in McAllen, TX, with credit cards containing information resulting from the aforementioned attack suffered by the retailer Target.

With respect to both cases, article 20 of the Law and articles 64 to 66 of its Regulations must be considered, which respectively provide that:

  • security breaches at any stage of processing that significantly affect the property or moral rights of data subjects (of personal data) must be reported to them immediately by the data controller, so that the latter can take the corresponding measures to defend their rights;
  • the data controller must inform the data subject of breaches that significantly affect their property or moral rights, as soon as it confirms that the breach occurred and has taken the actions aimed at triggering an exhaustive review of the magnitude of the impact, and without delay, so that the affected data subjects can take the corresponding measures;
  • such notifications must inform data subjects of at least: (i) the nature of the incident; (ii) the personal data compromised; (iii) recommendations to the data subject on the measures they may adopt to protect their interests; (iv) the corrective actions taken immediately, and (v) the means by which they can obtain more information on the matter;
  • the data controller must analyze the causes for which the breach occurred and implement corrective, preventive and improvement actions to adjust the corresponding security measures, in order to prevent the breach from recurring.

Reading the articles cited above is important, since it shows a modicum of shared responsibility between the data controller and data subjects in the face of a security breach, which should lead us to an important cultural change in personal data protection: on the one hand, the data controller must analyze how the breach occurred and implement the appropriate preventive and corrective actions, in addition to notifying affected, or potentially affected, data subjects, so that they in turn can react to protect their moral and property rights (note that these terms are not defined by the LFPDPPP or its Regulations, and are found in the Federal Copyright Law) and interests. In such cases it would be interesting to analyze the extent to which the fault or negligence of the data controller, its personnel and/or processors could give rise to an award of damages through civil or commercial proceedings.

The aforementioned IFAI Guide provides that, in the face of a breach, data controllers must identify: a. the assets of their security management system that were affected; b. the affected data subjects; c. the interested parties that need to be informed and/or may take part in decision-making to mitigate the consequences of the breach. Once the breach is identified, data subjects must be notified through mass, electronic or digital media, or even in a personalized manner, so that they can take measures to mitigate or avoid possible harm. Data protection and/or law enforcement and/or judicial authorities could also be notified, as interested parties, so that they assist in the incident mitigation process. In addition to the pertinent information on the nature of the incident and the personal data compromised, the immediate actions being taken by the data controller must be reported, and support mechanisms must be provided so that data subjects are kept informed and receive recommendations on the matter. Once the breach has been identified and the aforementioned notifications made, the analysis of the causes of the incident must be deepened in order to establish corrective measures, including immediate measures to reduce the effects of the breach.

Although there are debates in the field and in practice, particularly in the U.S., about whether data subjects should be notified immediately, or at all, about a security breach event, in a scenario like Heartbleed the data controller should proceed immediately to revoke and renew the security certificates of the websites known or presumed to have been attacked, recommending that data subjects whose personal data is processed through them update their information and monitor the use that could have been made of it (online purchases, changes to the content of social network profiles, etc.).

In the scenario of the «CyberVor» attack, data controllers should audit their websites to determine whether they were, or are, susceptible to a SQL injection attack, and if so, find out whether they were affected or not. If they were or are, Hold Security can be consulted for advice on whether they are among the affected companies; if so, the data subjects whose personal data they process should be notified as soon as possible, recommending that they change their access passwords or other authentication factors and keep an eye on their credit cards, perhaps even requesting their replacement, to monitor or prevent their misuse. As data subjects, we would do well to assume that our personal authentication data and/or email were part of the CyberVor loot and change them as soon as possible for new and more robust ones, to the extent possible (not all sites allow changing the username, or doing so more than once).
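What such an audit is looking for is code that lets user input change the structure of a query rather than just its value. The following is an added example, not code from the original post or from any site mentioned in it, that places a vulnerable lookup beside its parameterized fix on an in-memory SQLite table; the table, column names, sample accounts and function names are constructed assumptions for this example. The `injection_audit` helper is the simplest self-check a controller can run against its own lookup function: if a crafted string returns more rows than a legitimate username does, the lookup is treating input as code.

```python
"""
SQL injection: a vulnerable lookup beside its parameterized fix.
Added example on an in-memory SQLite table with constructed sample rows;
table, column names and functions are assumptions for illustration only.
"""
import sqlite3


def build_sample_db():
    """Create a constructed users table holding a few fake accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash-a"),
         ("bob", "bob@example.com", "hash-b"),
         ("carol", "carol@example.com", "hash-c")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """VULNERABLE: the input is pasted into the SQL text, so a quote in the
    input closes the literal and the rest of the input becomes query logic."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Hardened: the value travels as a bound parameter. The query text is
    fixed, so the same probe string is compared as data and matches nothing."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def injection_audit(conn, lookup):
    """Minimal self-audit of a lookup function: compare the row count for a
    real username with the count for a crafted string. A lookup that returns
    more rows for the crafted string is injectable."""
    probe = "' OR '1'='1"
    baseline = len(lookup(conn, "alice"))
    probed = len(lookup(conn, probe))
    return {"baseline_rows": baseline, "probe_rows": probed,
            "injectable": probed > baseline}


if __name__ == "__main__":
    db = build_sample_db()
    print("unsafe:", injection_audit(db, lookup_user_unsafe))
    print("safe:  ", injection_audit(db, lookup_user_safe))
```

The fix is not input filtering but parameter binding: the driver sends the query text and the value separately, so there is no string in which the value could be reinterpreted as SQL. Any audit that finds the unsafe pattern should be followed by the notification steps the post lists, since the credentials exposed are personal data.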


As a corollary to the July 4 entry of this year, which referred to provisions of the Federal Telecommunications and Broadcasting Law, published in the Diario Oficial de la Federación on the 14th of the same month, it is worth noting that on July 9 the magazine Nexos also published on its Editorial Blog a note in a similar vein.

The publication also criticized that, contrary to the trend in the European Union and the U.S., as well as to the orientation of legislative activity on privacy during the previous administration in Mexico, those provisions endow the «instancias (sic; it should say «autoridades») de seguridad y procuración de justicia» (security and law enforcement agencies) with powers to require from concessionaires and/or authorized parties under the cited statute information for the real-time location of mobile communication devices and metadata of their users' communications.

One day before the promulgation of that statute, El Economista published a note stating that the Conferencia Mexicana para el Acceso a la Información Pública, made up of the country's guarantor bodies for access to information and data protection, such as IFAI, InfoDF, Transparencia, Acceso a la Información Pública y Protección de Datos Personales de Oaxaca, etc., is preparing a study to initiate a constitutional controversy against the Federal Executive and Legislative Branches, considering that the acts consisting of the initiative, approval and promulgation of the «#LeyTelecomm» result in constitutional violations of articles 1, 11, 14 and 16 of the Political Constitution, relating to human rights, freedom of movement, due process and personal privacy.

Despite the regrettable outcome of the legislative process in telecommunications matters in that regard, the fact that a body which only recently obtained the power to initiate a constitutional controversy not only considers exercising it on such grounds, but is preparing its study, is encouraging and offers a breath of hope regarding Mexican constitutionalism, as well as the country's progress in privacy and personal data protection.

Recently I caught a couple of flicks that made me think back to a Lawrence Lessig seminar I took at Stanford Law, called «Ideas v Matter», where we bounced off ideas on how to go about regulating the advances of technology that as early as 10 years ago were already having a significant impact on our lives. That's more or less what this post is about: rather than opine on matters of black-letter law, I'm just putting forth a few thoughts and questions out there for others to cogitate upon and, ideally, share with yours truly.

The first is «Transcendence», wherein Johnny Depp's character of Dr. Will Caster uploads his consciousness to a network computer and begins to work the unbelievable through nanotechnology but, as happens in real life (such as with stem-cell research), finds that extremist groups will stymie or attack his endeavours. That's still in theatres in some places, so I won't delve into it at length so as not to be a spoiler, but it seems that the reflection to be had towards the end is just how precious free will and self-determination might be for us as a species over ostensible benefits spawned off of technology.

The second is «her», and since that's from last year and already available in home video, as well as for streaming, I'll drill down on it. Essentially the flick is about a sad-ass divorcé who works as a copywriter at a sort of Hallmark company that takes care of other people's sentimental correspondence. One day he gets this operating system that's actually artificial intelligence, and personalizes the options for it to have a female voice (Scarlett Johansson's; not a bad choice!), which picks the name Samantha for itself (or «herself»?). So then the OS evolves, since it has the ability to, and so does the interaction between them, until it develops into a relationship. Very weird, even sad and creepy.

Anyhow, as the story unfolds, it presents a number of instances that merit thought and discussion, other than how very not improbable it would be for things to get to that point judging by how involved people are with their gadgets these days. Phubbing is a social issue already, and you need only stroll through a lounge, in an airport or elsewhere, to see heaps of people bowing to the little idols of glass and plastic in their hands.

Some of the issues I wanted to highlight in this entry are the following:

  • Infidelity and/or Adultery. Short messages, e-mail and social networks have presented vexing scenarios for couples, whether married or not; messages exchanged through those platforms have been resorted to in order to prove cheating and adultery in and outside of the courthouses. Would it «count» as infidelity for one or both of the individuals involved in a relationship to develop a bond of sorts with an operating system that they can be in touch with anywhere, any time, unbeknownst to their significant other? Would that constitute adultery for a married couple? Would it constitute infidelity if the operating system, which would have the ability to interact with more than one person or another operating system at the same time, became involved in a relationship with another human being or operating system?
  • Surrogacy. There's this scene where Joaquin Phoenix and Samantha engage in what would seem like phone sex by today's standards; but in an attempt for their relationship to be more physical or concrete, Samantha enrolls a girl to serve as an interface of sorts for them to engage in intercourse. Surrogacy in human reproduction has posed a significant amount of social, ethical and legal issues, down to motherhood itself. So, if there were people who lent themselves to perform such roles, would they be dubbed as or considered to be prostitutes?
  • Commitment and/or Marriage. Nowadays the laws that govern the institution of marriage are being rewritten in ways that wouldn't have been imaginable a decade ago, and that a lot of people do not agree with. With the utmost respect to all couples and activists who have striven for such legal developments, in a scenario as portrayed by the film, could things get to the point where people would push to have the ability to marry their operating systems? I reckon that the prenup would have to be drafted in source code as well as in human-readable code, and perhaps the ceremony might be performed by a programmer, but how would such a relationship serve the purposes of a marriage?

In sum, how would society and the law, as an essentially social construct, go about handling these issues in such situations, should they ever arise if (and when) artificial intelligence reached a point where we could interact with technology in such ways and to such extent?

Bits and bytes of food for thought.
