Slashdot Mirror


Microsoft Declares Wholehearted Support For Privacy Shield (thestack.com)

An anonymous reader writes: Microsoft has declared its support for the EU-U.S. Privacy Shield. The proposed legislation to govern data transmission between the EU and U.S. has been the subject of much debate. While acknowledging that more work will need to be done after it is adopted, Microsoft has thrown its support behind Privacy Shield, stating that after careful and detailed review, it 'believes wholeheartedly that it represents an effective framework and should be approved.' Microsoft has pledged to sign up for Privacy Shield, to adhere to its current and future guidelines, and to respond to Microsoft user complaints under Privacy Shield within 45 days. Despite the framework being criticized for its inadequacy, Microsoft supports the Privacy Shield in its current form, and believes that further adjustments should be made after the initial adoption. Microsoft is the first company to sign up for the EU-U.S. Privacy Shield pact. The EU privacy regulators are yet to share their views on the deal. According to a recent leak, however, it appears they wouldn't approve it. While this shouldn't stop the commission from making a decision, as Fortune explains, "they can't technically stop the commission issuing its adequacy decision, but they can make life very difficult for companies transferring the data if they think the U.S. doesn't offer adequate protections."

64 comments

  1. it's got enough "wholes" by turkeydance · · Score: 1

    to be breached "heartedly"

  2. What does it do? by houghi · · Score: 1

    Is the privacy shield something that protects the transfer of data or does it encourage the transfer of data between the countries?

    The name would imply the first, but then that does not mean anything.

    --
    Don't fight for your country, if your country does not fight for you.

    1. Re:What does it do? by Anonymous Coward · · Score: 1

      One thing is for sure: if government is involved, you can bet that it does exactly the opposite of what the marketing name implies. For example, a new "initiative" that contains the word "privacy" will actively work against privacy.

    2. Re:What does it do? by bluefoxlucid · · Score: 1

      The most useful legislation for these things is "facilitation by limitation": doing X is a liability nightmare and legally ambiguous, thus we write laws describing when and how you can do X and banning any doing of X outside these limitations. In this case, a useful law would facilitate the transfer of data between countries by describing how those transfers are handled and what legal and contractual agreements for handling that data must be in place, including requirements for mutual legal protections (i.e. you can transfer data to Germany as long as German law requires the same protections outlined in this law).

      Whether the limitations in this bill are actually useful, complete, or correct is another matter. You can always execute a correct strategy in an incorrect manner.

    3. Re:What does it do? by JustAnotherOldGuy · · Score: 4, Interesting

      One thing is for sure: if government is involved, you can bet that it does exactly the opposite of what the marketing name implies. For example, a new "initiative" that contains the word "privacy" will actively work against privacy.

      This is exactly right.

      For example, the "PATRIOT Act" (which basically gutted many provisions in the Constitution), or the "Clear Skies Act of 2003". The Clear Skies Act reduced regulation of polluting companies and increased the amount of pollutants they could release. "Clear Skies", my ass.

      My guess is that "Privacy Shield" is filled with provisions and laws that make it easier to violate privacy, not increase or protect it.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    4. Re:What does it do? by Anonymous Coward · · Score: 1

      It is obviously to shield corporations from privacy laws.

    5. Re:What does it do? by tripleevenfall · · Score: 1

      Companies that trade on your data have no interest in enhancing privacy. While MSFT isn't exactly FB in terms of profiting off compiling data about you and selling it to advertisers, the fact that there is a market for this means MSFT will be trying to get into it.

    6. Re:What does it do? by Anonymous Coward · · Score: 0

      Generally speaking, it does seem that negative legislation is often named to imply the opposite of what it does. The two you mention are great examples.

      Privacy Shield sounds like it protects privacy, so I am going out on a limb here and guess that what it actually does is shield anyone from seeing all of the invasions of privacy that are going on. Or shield companies to protect them when they invade your privacy (for their own purposes or at the government's whim).

    7. Re:What does it do? by Archangel+Michael · · Score: 1

      While MSFT isn't exactly FB in terms of profiting off compiling data about you ... yet

      Remember the Scroogle Ad campaign? Well they are doing the very thing they said they weren't doing. They are now going after that market.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

    8. Re:What does it do? by bromoseltzer · · Score: 1

      On the face of it, it seems the US Government is recognizing privacy rights of EU citizens -- that the US does not give its own citizens. What does the US get out of this? More profits for MS, Google, et al.? I would support it if the US was willing to step up to European standards of privacy for everybody.

      --
      Fiat Lux.

    9. Re:What does it do? by HiThere · · Score: 1

      IIUC the "Privacy Shield" is intended to replace the current data-sharing arrangement between the US and the EU. An EU court said that the current arrangement violated the rights of EU citizens, but gave them some time to craft a replacement program.

      Since the US is in favor of "Privacy Shield" one may guess that it's a bit pervious, but that's not proof, and I'm no lawyer.

      OTOH, my cynicism is such that if MS in in favor of it, I expect that it would be bad for me.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.

    10. Re:What does it do? by KGIII · · Score: 1

      Oh, it probably shields privacy. The question is who does it shield and which side of privacy is it on?

      --
      "So long and thanks for all the fish."

  3. Bad journalism. by downright · · Score: 0

    Would have been nice to explain why "data transmission between the EU and U.S." is an issue we should care about. At least we know where Microsoft stands on a vaguely worded policy whose name sounds more like an antivirus product than that thing Snowden pointed out. Clearly new for regulators by regulators.

  4. Why doesn't someone just invent... by Anonymous Coward · · Score: 0

    I'm no TCP/IP expert. But why hasn't someone just used pgp to make a secure connection. Forget certificates and such, just a simple server to client encrypted connection.

    1. Re:Why doesn't someone just invent... by Opportunist · · Score: 1

      Let's play that through.

      I connect to a server, send it my public key and ask for its public key so we can negotiate a secure connection.

      Problem: Someone in between me and the server could intercept this, pretend to be the server, send me his public key while also sending his public key to the server, then decrypt my traffic, re-encrypt it with the server's public key and forward it to the server, doing the same in reverse with the replies. For a more detailed idea of how this works, Wikipedia has the article.

      Ok. So maybe we could come up with a way so I know if it's really the server answering me when I get a reply. And yes there is. The server can sign its reply with its private key (that only the server knows). Problem: I have to have some kind of way to verify that this signature is genuine. For this I need the public key of the server. Well, the server could transmit that too. Problem: How should I know I get the public key of the server and not that of an attacker?

      So I somehow need a way to first of all establish that the public key of the server that I get is actually the public key of the server, not that of some attacker. This could be achieved by using a secondary channel to transmit that public key. Noooo, not a webpage where you can download it, that, too, could be hijacked by a man in the middle and the message could be tampered with. I could call the server administrator and ask him to verify the fingerprint of his public key that I got (basically you calculate a hash of the key and get a short string of hexadecimal numbers).

      Now imagine a million people a day doing this.

      So it's possible, but unfeasible.

      Maybe let's introduce a trusted third party. That third party goes through the hassle to verify that public key once, so we don't have to do it. Then we all get some kind of token from them that allows us to check whether the public key the server sends us is genuine.

      That trusted party is called Certificate Authority.

      The token is a certificate.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
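
The exchange described in the reply above, as an added example that is not part of the original thread: a Python model of the bare key exchange next to the CA-signed certificate. It uses textbook RSA with small fixed primes, a made-up host name (example.test) and a constructed CA; everything here is a toy to show the argument, not a secure implementation.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key

def make_key(p, q):
    """Textbook RSA key pair from two primes (toy-sized, not secure)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)          # (public, private)

def digest(data, n):
    """SHA-256 of the message reduced into the modulus (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def cert_bytes(name, pub):
    """What the CA actually signs: the binding of a name to a public key."""
    return f"{name}|{pub[0]}|{pub[1]}".encode()

# Constructed parties. The primes are well-known small ones, picked for determinism.
SERVER_PUB, SERVER_PRIV = make_key(1000000007, 998244353)
INTERCEPTOR_PUB, INTERCEPTOR_PRIV = make_key(1000000021, 1000000033)
CA_PUB, CA_PRIV = make_key(1000000009, 999999937)

SERVER_NAME = "example.test"   # hypothetical host name
# The CA checks the server's key once, out of band, and issues the "token":
SERVER_CERT = (SERVER_NAME, SERVER_PUB,
               sign(CA_PRIV, cert_bytes(SERVER_NAME, SERVER_PUB)))

def bare_key_handshake(intercepted):
    """Scheme 1 from the reply: the server just sends its public key.
    Returns True only if the client ends up encrypting to the real server."""
    offered = INTERCEPTOR_PUB if intercepted else SERVER_PUB
    # The client has nothing to check the key against, so it accepts either one.
    client_accepts = True
    return client_accepts and offered == SERVER_PUB

def certified_handshake(intercepted, forward_real_cert=False):
    """Scheme 2: the server sends a CA-signed certificate, then proves it holds
    the matching private key by signing a fresh client nonce.
    Returns "accepted" or the reason the client aborted."""
    if not intercepted:
        cert, responder_priv = SERVER_CERT, SERVER_PRIV
    elif forward_real_cert:
        # Interceptor relays the genuine certificate but does not have SERVER_PRIV.
        cert, responder_priv = SERVER_CERT, INTERCEPTOR_PRIV
    else:
        # Interceptor presents a certificate for its own key, signed by itself.
        cert = (SERVER_NAME, INTERCEPTOR_PUB,
                sign(INTERCEPTOR_PRIV, cert_bytes(SERVER_NAME, INTERCEPTOR_PUB)))
        responder_priv = INTERCEPTOR_PRIV
    # Client side: trust only what the CA, whose key the client already holds, signed.
    name, pub, ca_sig = cert
    if name != SERVER_NAME:
        return "name mismatch"
    if not verify(CA_PUB, cert_bytes(name, pub), ca_sig):
        return "certificate not signed by trusted CA"
    nonce = secrets.token_bytes(16)
    if not verify(pub, nonce, sign(responder_priv, nonce)):
        return "peer cannot prove possession of certified key"
    return "accepted"

if __name__ == "__main__":
    print("bare key, no interception:", bare_key_handshake(False))
    print("bare key, intercepted:    ", bare_key_handshake(True))
    print("cert, no interception:    ", certified_handshake(False))
    print("cert, forged:             ", certified_handshake(True))
    print("cert, relayed genuine:    ", certified_handshake(True, True))
```

The bare exchange accepts both keys because the client has no reference point; the certified exchange rejects a self-signed substitute at the CA check and a relayed genuine certificate at the proof-of-possession step.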

    2. Re: Why doesn't someone just invent... by Anonymous Coward · · Score: 0

      That's a MITM. The outcome doesn't change even with a certificate.

    3. Re: Why doesn't someone just invent... by Opportunist · · Score: 1

      A certificate, properly issued by a CA and that CA's root cert in your browser, changes everything about it. It means that you can actually verify whether the server you are talking to is who it claims to be.

      That's the whole point behind CAs.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  5. Surely not! by JustNiz · · Score: 4, Funny

    >> Despite the framework being criticized for its inadequacy, Microsoft supports the Privacy Shield in its current form

    Microsoft prepared to deploy worldwide a clearly not ready half-baked piece of shit? surely not!!

    1. Re:Surely not! by tripleevenfall · · Score: 1

      Don't worry, it will auto-upgrade itself to what MSFT considers a "more functional" version somewhere down the line.

    2. Re:Surely not! by Anonymous Coward · · Score: 0

      "Because the framework is inadequate, Microsoft supports the Privacy Shield in its current form."

  6. slashdot bot by Merk42 · · Score: 3, Insightful

    I don't know what it is, but since M$ supports it, it must be bad!
    In the off chance it is actually good, this is clearly the "Embrace" step.

    1. Re:slashdot bot by DNS-and-BIND · · Score: 2

      This is why you don't run an evil corporation and get a bad reputation. It sticks with you for years, and years, and decades afterwards. There are people today who are still angry at the Ford Motor Company for what they did with the Ford Pinto, and that was in the 1970s. Calling for a megabillion dollar corporation to be treated fairly, when they themselves never felt any obligation to do any such thing, is asking rather a lot.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!

    2. Re:slashdot bot by Anonymous Coward · · Score: 0

      I don't know what it is, but since M$ supports it, it must be bad!

      In the off chance it is actually good, this is clearly the "Embrace" step.

      My thoughts precisely. Mod parent up...

      As a rule of thumb, if it comes from, or is endorsed by Microsoft, you can bet no good will come of it. Put simply: IT'S A TRAP!

      As far as I'm concerned, Microsoft can do one good thing: discorporate. Release all source-code for all products EVER, declare all their products open source, disclaim all patents, licenses, rights, etc., and just basically drop dead.

    3. Re:slashdot bot by Anonymous Coward · · Score: 0

      People also have to realize that a corporation is made of many pieces, and those in turn of many people. A company could be saving babies with one branch while simultaneously screwing over someone else with another branch.

    4. Re:slashdot bot by The-Ixian · · Score: 1

      What about the "devil you know" and all that?

      At least we get to bask in the loving embrace phase every 10 years or so...

      --
      My eyes reflect the stars and a smile lights up my face.

  7. It is still MS by Anonymous Coward · · Score: 0

    What's the catch? It is Microsoft.
    There is always a catch.

  8. That says it all by Anonymous Coward · · Score: 0, Interesting

    That Microsoft, author of forced upgrades to Win10 with trackers that can't be turned off, supports the new privacy framework, pretty much tells you how effective the new rules will be.

    1. Re:That says it all by Opportunist · · Score: 1

      I'd say they have quite some interest in data not being available to anyone.

      Data is most valuable if you have it and nobody else does.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  9. Where are we heading? by Anonymous Coward · · Score: 0

    It seems to me that too few people are considering where we are heading. These political arguments narrowly focusing on privacy are missing a lot of more important considerations. Back in the late '80s and '90s I did a bit of reading of somewhat dystopian cyberpunk stories, and the biggest difference from current reality is that the government and large corporations are a lot less competent in real life. The biggest similarity, though, is the persisting existence of sub-national groups with interests totally orthogonal to civil society.

    1. Re:Where are we heading? by Anonymous Coward · · Score: 0

      Here:

      He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name.

    2. Re:Where are we heading? by Ol+Olsoc · · Score: 1

      Here:

      He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name.

      What do Social Security numbers have to do with this?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  10. The pattern emerges - by design? by xtronics · · Score: 2

    There is this story - about adopting an insecure system that is called "Privacy Shield" - to imply that it is secure. Then there is 'secure boot' which requires UEFI - in the end is less secure than an old BIOS. Then the Apple court case - as if an Apple phone is secure....

    All is intended to give people the idea that they have a secure-private method to communicate when the opposite is true.

    Of course criminals will use the holes/backdoors at some point - could bring down the banking system.

    1. Re:The pattern emerges - by design? by Anonymous Coward · · Score: 0

      There is this story - about adopting an insecure system that is called "Privacy Shield" - to imply that it is secure.

      wut? The Privacy Shield is nothing more than an agreement between the US and EU about protecting user (particularly EU users') privacy when their data is handled by US corporations. It's really nothing more than a set of agreed upon policies and thus by nature is entirely legal and political and not technological.

    2. Re:The pattern emerges - by design? by Curate · · Score: 1

      Then there is 'secure boot' which requires UEFI - in the end is less secure than an old BIOS.

      Are you saying Secure Boot (using UEFI) is less secure than traditional BIOS, or that UEFI by itself is less secure than traditional BIOS? And either way, I'm curious why you think that?

    3. Re:The pattern emerges - by design? by xtronics · · Score: 1

      The old BIOSs did not have a way to write to your hard-drive or connect to the internet (all one needs to compromise your computer). UEFI is a proprietary mini operating system with code no one can see. You can not get the information needed to install coreboot - (by design - at the request of three letter agencies) - no computer younger than 5 years appears to be secure-able.

      Of course there is also the problem with the firmware on hard-drives. Or even processor microcode - closed source means not secure.

      The worst of it is that the three letter folks think they are so smart that no one will find their back-doors (or that no one will be so compromised as to provide it). Bad people - in our government - or other governments will leak information - could bring down the whole financial system - could take weeks to restore.

      The Chinese have been caught putting backdoors in equipment exported to the USA - the US does the same stuff.

  11. Microsoft: We Care Because... by Anonymous Coward · · Score: 0

    Actually, we don't. We care about the illusion of caring so more people will become our data-cattle with our new 'operating system'.

    1. Re:Microsoft: We Care Because... by Opportunist · · Score: 1

      We do! We now have collected all that data with Win10, we even gave away that damn OS to get it, we'd be damned if everyone and their dog has that data and we can't sell it anymore!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  12. Another Newspeak name for a new act by Anonymous Coward · · Score: 1

    Just as the Patriot Act was actually treason, and just as Free Trade acts are actually about limiting trade and creating state-supported monopolies, this "Privacy Shield" is actually about viciously attacking individual privacy. You have to replace the words with their antonyms to get the true meaning.

    1. Re:Another Newspeak name for a new act by Anonymous Coward · · Score: 0

      You have to replace the words with their antonyms to get the true meaning.

      Not always. If the words are overtly evil, stick with the synonyms.

  13. The check is in the mail by PopeRatzo · · Score: 0

    Microsoft also promises not to come in your mouth.

    --
    You are welcome on my lawn.

    1. Re:The check is in the mail by zenlessyank · · Score: 1

      Microsoft has never promised that.

  14. Re:Europeans forcing their laws on Americans by Anonymous Coward · · Score: 0

    If you have no presence in Europe, how in all the world do you manage to transfer data from the EU to the US? The answer is you wouldn't and thus this whole thing is not relevant to you.

  15. When Microsoft and the republicans agree... by Anonymous Coward · · Score: 0

    you know you're going to get screwed.

    1. Re: When Microsoft and the republicans agree... by Anonymous Coward · · Score: 0

      Those Republicans hate us.

    2. Re: When Microsoft and the republicans agree... by Anonymous Coward · · Score: 0

      This. No two modern groups are as horrific as those two.

    3. Re: When Microsoft and the republicans agree... by Anonymous Coward · · Score: 0

      And want uz two diez.

    4. Re:When Microsoft and the republicans agree... by Anonymous Coward · · Score: 0

      you know you're going to get screwed.

      This Gates is their ultimate example of who their kind wants to worship. He is hateful and spiteful and puts money above people. Money above people. That's how those Republicans be. They're horrific things that aren't even whole people. We need to stop them, but we can't because their kind has all of the money and power. Money and power.

    5. Re:When Microsoft and the republicans agree... by Anonymous Coward · · Score: 0

      Bill Gates hasn't set foot in Redmond in 15 years.

    6. Re:When Microsoft and the republicans agree... by Anonymous Coward · · Score: 0

      Bill Gates hasn't set foot in Redmond in 15 years.

      I work at a restaurant on campus, and I've seen him dozens of times the past decade. You're full of crap.

  16. Re:Europeans forcing their laws on Americans by Opportunist · · Score: 3, Informative

    Feels kinda bad if you're on the receiving end of something like that, eh?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  17. kinda OT by stealth_finger · · Score: 1

    Not like anything ever is on topic around here, but does anyone know what kind of encryption is in Windows phones, or anywhere that says? Specifically the Lumia 950. With all the Apple/FBI stuff they detailed quite well what tech was inside, but all I can find for Windows is some bumf and how to turn it on.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u

    1. Re:kinda OT by Anonymous Coward · · Score: 0

      Apple is the only company that has made a public stand of actually incorporating non-backdoored encryption in their consumer devices.

      So, while there is no definitive answer there for you, it is almost certain that you do not have the protections that a 6g+ iPhone user would.

  18. Propaganda by Anonymous Coward · · Score: 0

    With a piece of legislation named like that, we all know it is propaganda aimed at manipulation. PR spin doctors.

    Not only does there need to be a proper set of laws in the US to support this, but there must also be a minimum technical standard and the ability to conduct audits.

    It's a pile of crap otherwise.

  19. The 20 second version by s.petry · · Score: 0

    The Privacy Shield is an agreement on how to handle data. It has no legal binding until agreed on by the EU courts, and even then can be challenged by members of the EU. Most would consider it a gentleman's agreement at this point.

    Since Microsoft has a history of not being a gentleman I doubt anyone takes their faith in this agreement seriously at all. As soon as the US Government said "Give us the data" Microsoft has historically complied. I'm not sure how you are supposed to trust them on this one, but that's what TFA is attempting to imply.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  20. It's about legal certainty by cweber · · Score: 2

    So many knee-jerk comments here. Get a grip folks.

    This is about how we treat data of a citizen from one large jurisdiction when it moves to or is stored in another large jurisdiction, and removing legal uncertainty for the companies doing so. For example, this very site's account info of EU residents being stored in the US (handle, email and encrypted password). Nothing overly private, but still falls under privacy laws of hundreds of countries, each of which could voice a problem and issue a warrant or subpoena. Without overarching legal frameworks governing and taming this legal diversity and uncertainty, it is basically impossible to run a large website. Plain and simple. If you're an engineer, you absolutely want to be insulated and protected from all this possible BS, regardless of how much of a non-issue your own data collection might be to your engineering mind.

  21. Re: Europeans forcing their laws on Americans by Anonymous Coward · · Score: 0

    You would then be banned from selling to EU markets or fined appropriately. How this is enforced is questionable; it depends on what your government agrees to in the deal.

    If you don't like that then you would either not do business with Europeans or take it up with your own government.

  22. Privacy shield is a joke by bradley13 · · Score: 2

    Of course, it's a joke:

    - Privacy Shield makes companies offer certain guarantees for the way they handle data, and adds a lot of bureaucratic requirements. However, companies are allowed to "self-certify" their compliance. The compliance requirements will be overwhelming for small companies, while the big ones will be able to blow them off.

    However, the big problem was, frankly, the US government. On this topic:

    - Privacy Shield requires "written assurances that government access to EU personal data for national security purposes is subject to clear conditions, limitations, and active oversight." Those assurances would make uncomfortable toilet paper, but won't be good for anything else. "Bulk surveillance" of EU citizens is also still allowed, as long as the US government considers it "necessary and proportionate". Gee golly whiz, I can't wait for the US government to declare its own spying "unnecessary".

    - Oh, and wow: "EU citizens concerned about potential breaches of these binding commitments by the U.S. government can now refer their concerns to a newly appointed Privacy Shield Ombudsman". Who will pat you on the head, and tell you to go be a good little lemming.

    The only way to prevent US abuse of data on European citizens is to prohibit the transfer to US servers in the first place. Microsoft has actually done something laudable here: They have set up an Azure data center in Germany, and subcontracted control of this data center to a German company. Theoretically, Microsoft has no access to data in that data center, except through the German company - which would obviously be directly subject to German privacy regulations. That's an excellent solution, if it really is implemented that way.

    --
    Enjoy life! This is not a dress rehearsal.

  23. Always well intentioned by Anonymous Coward · · Score: 0

    I would assert that these bills are always written with good intention when first penned.

    And then the special interests get involved. Special interest could be one or many governments' 'special interests'.

    And then as demonstrated again and again congress doesn't actually read the law in full, and then it gets passed at midnight on a Saturday while everyone else is sleeping or drinking.

    What ought to be made illegal first is 'omnibus' legislation.

    Congress wouldn't be so broken if one law was one issue and not one law is 10 issues. This is the thing that leads to 'well it has 9 of the 10 things i want, and even though Obamacare is REALLY STINKING BAD I'll vote yay so I get the other 9 things'.

    If you bought a car like this, it would be like saying this new car has all the things I want in a new car but it only has a 3 cyl carbed pushrod engine from the late 70's that runs on leaded fuel, and then going ahead and buying it because the other 9 features were acceptable.

    I don't think our legislators and lawyers have bad intentions. I think they are lazy, and do lazy things like the rest of us. And I think that laziness has led to this system we face now as described above. Every executive I've ever worked with does this kind of thing.

  24. Re:Europeans forcing their laws on Americans by KGIII · · Score: 1

    You can safely ignore them. Really. Unless, of course, your government agrees with them. You can chuck all the mail in the trash. If they want to then they can block their citizens from accessing your site. They can not burden you - even if you ship a product to their country. Keep in mind, they might arrest you if you ever decide to visit their country in the future. Assuming you're not going to? Stay the course and do what you want.

    --
    "So long and thanks for all the fish."

  25. More crap from MS by Anonymous Coward · · Score: 0

    Come on Microsoft, do you think anyone believes you embrace privacy, when what you really embrace is information gathering? You can put a pig in a suit, but it doesn't make it an executive at MS. Oh wait, maybe it does.

  26. Global Mother Fucking Spyware? by Anonymous Coward · · Score: 0

    distrowatch.com and shit on Microsoft.