Right to be forgotten – good or bad?

Have you ever Binged or Googled for your own name, address or phone number? It’s good to do it now and then, and the result may be shocking. You don’t have to be a celebrity to be mentioned on the net. Most of us occur on the net in quite many places, often a lot more than we imagine.

You can decide how much you reveal to the public in the profiles of your own accounts. But that’s not the full picture. Every time you participate in something under your own name, it may be published on the net, with or without your consent. This kind of publicity is hard to track, and next to impossible to control.

This is what the European court of justice (ECJ) tried to control in a ruling in May 2014. In short, a man from Spain found previously published data to be embarrassing and outdated. The site refused to take down the data and Spanish authorities ruled that there was no legal ground to demand deletion of the lawfully published content. The European court did however rule in favor of him and demanded Google to hide these pages in search results. According to the court, Google has to delete “inadequate, irrelevant or no longer relevant” data from search results.

I’m an advocate of digital privacy and our rights to control our digital footprint. And this is sort of a win for privacy-fighters. But I have mixed feelings about this decision and will not open any sparkling bottles. I think the track that ECJ has entered will turn out to be a dead end.

First of all, trying to create ways to control net content is good. We are dealing with a delicate balance between freedom of speech and peoples’ right to privacy. But most of us probably agree that a net totally without content control isn’t desirable.

But trying to solve this problem with the search engine companies is like creating a giant reality distortion field. The data does not go anywhere even if it’s hidden in Google searches. As a matter of fact, all you have to do is to use a non-European version of Google. And that’s not all. Google is even planning to inform users that items have been hidden from the search result they are viewing. Convenient with a reminder that you should search again with the US version, isn’t it?

Search engines are of great importance for what pages we find and read. But many are probably overestimating this importance now when social media is getting more popular. Nowadays we do not only find our stuff by searching, a significant part is virally spreading links. These links also bypass the reality distortion field totally.

The right to be forgotten is a great principle. But I think it should be restricted to the actual content and not services that help you find it. What we need is a globally working system for content take-down requests. These requests need to be approved by some kind of authority and the system must have built-in safeguards against misuse for censorship. Yes, keep in mind the delicate balance between freedom of speech and privacy. The neutrality of search engines should at the same time be controlled and guaranteed. If something is wrong, let’s fix reality instead of creating a reality distortion field.

Congratulations anyway to Mario Costeja González who won the case against Google. That’s an achievement even if the outcome is questionable. And the funny thing is naturally that you would have no clue who Mario Costeja González is, and that his house had to be sold to pay debts, without this thing called right to be forgotten.

BTW, if your search turned up something you don’t like and you are a European citizen, then you can continue to Googles removal process. We don’t know yet how this will work when the masses start to request removals. The process will probably be an uphill battle, so don’t hold your breath. It will be interesting to see how this develops.




Image by stockimages @ freedigitalphotos.net

More posts from this topic


Cyber Monday Mythbusting

It's Cyber Monday, and marketing companies expect online shoppers to flock to websites and apps in order to take advantage of holiday sales. And naturally, this causes concerns about what kind of risks people are taking when they shop online. But F-Secure Security Advisor Sean Sullivan says any security warnings focusing on Cyber Monday are simply part of the hype. “Cyber Monday is no more or less safe than any other day of the year. People just expose themselves to more online threats when they do more stuff online, but that really has nothing to do with Cyber Monday. And people that tell you otherwise aren’t doing you any favors.” So there you have it. On the other hand, Sullivan does point out that holiday shoppers should beware of the extent to which they expose themselves while online shopping, which is becoming more popular during the holidays. Adobe is projecting an eleven percent increase in online spending during the holidays this year, amounting to a whopping 83 billion dollars. So that’s 83 billion dollars that will be up for grabs (compared to just 3 billion on Cyber Monday), so it’s naïve to think that criminals are just going to ignore the opportunity. Last year, F-Secure Labs registered a sharp increase in ransomware detections during November and December, including a 300 percent increase in the Browlock police-themed ransomware family. Sullivan published a recent blog post examining the Crytowall ransomware family, which he says is prevalent during the holiday season but virtually disappears in early January – when people celebrating Orthodox Christmas in Russia begin their holidays. One easy way to protect yourself from ransomware and other online threats while holiday shopping is to be conscious of the threat landscape. Its trends like these that Sullivan pays attention to, and warns others to do the same. “It would be safe to say that people should be worried about ransomware this holiday season, and probably through next year. I expect that we, or at least security researchers, will look back on 2016 as the year of extortion.” For example, even though mobile device are now widespread and used by many people, they’re not necessarily good tools to use for making financial transactions while online shopping. “I use an iPad running Freedome for the vast majority of my online browsing, which works great for me because it’s easy to use and I can bring it with me if I leave the house. And between the security benefits of a VPN and the relatively small amount of malware targeting iOS devices, I feel pretty confident in using it to casually window shop on different websites. But I always use a PC to make actual purchases. I trust that my PC is secure and the actual keyboard makes it easier to enter financial data.” You can find more great advice on how to stay safe while online shopping here. [Image by Atomic Taco | Flickr]

November 30, 2015

Why Cameron hates WhatsApp so much

It’s a well-known fact that UK’s Prime Minister David Cameron doesn’t care much about peoples’ privacy. Recently he has been driving the so called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks. It is said that terrorists want to tear down the Western society and lifestyle. And Cameron definitively puts himself in the same camp with statements like this: “In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.” David Cameron Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorist blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four. But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them? The answer is both simple and very significant. But it may not be obvious at fist. Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to. More and more encryption is being built in by default now when we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers are thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break. But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group people with special needs. Traffic from both WhatsApp and Signal, for example, are encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption-users before. WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality. WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map peoples’ network of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to become something unique. Among the first communication solutions that are easy to use, popular and secure by default. Apple's iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS-messages. But iMessage’s security is unfortunately not flawless either.   Safe surfing, Micke   PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, that have a master key that *used to be* secret.   Image by Sam Azgor

November 26, 2015
Secure Wordpress site, mobile blogging, tablet by the bay

This is why you need to protect your WordPress username and password

If you run a Wordpress site, you know that criminals around the world would love to use it to spread malware. Last month, F-Secure Labs spike in "Flash redirectors" that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites -- specifically Wordpress sites. This isn't a new find for the Labs but what is unique is one of the tactics of the attack -- seeking out Wordpress usernames. Why? "After obtaining the username, the only thing that the attacker would need to figure out is the password," Patricia from The Labs explains. "The tool used by the attacker attempted around 1200 passwords before it was able to successfully login." If you happen to have one of those passwords, bam. You site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you. Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your Wordpress username AND always use a unique, strong password. "Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything," Patricia notes. You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog. It's pretty amazing what people can figure out about you with just your login and password. But when you're running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can't be figured out by anyone but you. And turn on two-step authentication if you haven't already. Cheers, Jason

November 26, 2015