German chat platform Knuddels.de (“Cuddles”) has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it’s 2018).
The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at Pastebin (only
8,000 members affected) and Mega.nz (a much bigger breach). The company duly notified its users and the Baden-Württemberg data protection authority.
…
Interesting stuff: this German region’s equivalent of the ICO applied a fine to this app for failing to hash
passwords, describing them as personal information that was inadequately protected following their theft. That’s interesting because it sets a German, and to a lesser extend a European,
precedent that plaintext passwords can be considered personal information and therefore allowing the (significant) weight of the GDPR to be applied to their misuse.
Earlier this week, the Spanish government raided the Barcelona office of the PuntCat Foundation, the company that administers the .cat domain, and arrested one of its senior
executives.
PuntCat means “dot cat” in Catalan, the language spoken in the Catalonian region of Spain as well as places in France, Andorra, and Italy. The office was raided because Catalonia
hopes to hold a referendum on October 1 to decide if it should secede from Spain, and in an effort to quash the referendum, the government of Spain ordered puntCat to “block all .cat
domain names that may contain any kind of information about the forthcoming independence referendum,” according to a press release from the foundation.
This is an astonishing attempt at censorship by a member of the E.U. but, unfortunately, that aspect is going largely uncovered because the media is idiotically obsessed with cats…
Next year, 25 May looks like being a significant date. That’s because it’s the day that the European Union’s
general data protection regulation (GDPR)
comes into force. This may not seem like a big deal to you, but it’s a date that is already keeping many corporate executives awake at night. And for those who are still sleeping
soundly, perhaps it would be worth checking that their organisations are ready for what’s coming down the line.
First things first. Unlike much of the legislation that emerges from Brussels, the GDPR is a regulation rather than a directive. This means that it becomes law in all EU countries at
the same time; a directive, in contrast, allows each country to decide how its requirements are to be incorporated in national laws…
This week, I was reading the new EU legislation [PDF]
which relates to, among other things, the way that websites are allowed to use HTTP cookies (and similar technologies) to track their users. The Information Commissioner’s Office has released a statement to ask website owners to review
their processes in advance of the legislation coming into effect later this month, but for those of you who like the big-print edition with pictures, here’s the short of it:
From 26th May, a website must not give you a cookie unless it’s either (a) an essential (and implied) part of the functionality of the site, or (b) you have opted-in to it.
This is a stark change from the previous “so long as you allow opt-outs, it’s okay” thinking of earlier legislation, and large organisations (you know, like the one I now work for) in particular are having to sit up and pay attention: after all, they’re the
ones that people are going to try to sue.
The legislation is surprisingly woolly on some quite important questions. Like… who has liability for ensuring that a user has opted-in to third-party cookies (e.g. Google Analytics)?
Is this up to the web site owner or to the third party? What about when a site represents companies both in and outside the EU? And so on.
Hey! I didn't opt-in to any of these cookies, Mr. Information Commissioner!
…not what I was looking for: just more circular and woolly thinking. But I did find that the ICO themselves does not comply with the guidance that they themselves give. Upon
arriving at their site – and having never been asked for my consent – I quickly found myself issued with five different cookies (with lifespans of up to two years!). I checked their
privacy policy, and found a mention of the Google Analytics cookie they use, but no indication about the others (presumably they’re not only “opt-out”, but also “secret”). What gives,
guys?
Honestly: I’m tempted to assume that only this guy has the right approach. I’m all in favour of better
cookie law, but can’t we wait until after the technological side (in web browsers) is implemented before we have to fix all of our websites? Personally, I
thought that P3P policies (remember when those were all the rage?) had a
lot of potential, properly-implemented, because they genuinely put the power into the hands of the users. The specification wasn’t perfect, but if it had have been, we
wouldn’t be in the mess we are now. Perhaps it’s time to dig it up, fix it, and then somehow explain it to the politicians.
