Microsoft Declares Wholehearted Support For Privacy Shield (thestack.com)
An anonymous reader writes: Microsoft has declared its support for the EU-U.S. Privacy Shield. The proposed legislation to govern data transmission between the EU and U.S. has been the subject of much debate. While acknowledging that more work will need to be done after it is adopted, Microsoft has thrown its support behind Privacy Shield, stating that after careful and detailed review, it 'believes wholeheartedly that it represents an effective framework and should be approved.' Microsoft has pledged to sign up for Privacy Shield, to adhere to its current and future guidelines, and to respond to Microsoft user complaints under Privacy Shield within 45 days. Despite the framework being criticized for its inadequacy, Microsoft supports the Privacy Shield in its current form, and believes that further adjustments should be made after the initial adoption.Microsoft is the first company to sign up for EU-U.S. Privacy Shield pact. The EU privacy regulators are yet to share their views on the deal. According to a recent leak, however, it appears they wouldn't approve it. While this shouldn't stop the commission from making a decision, as Fortune explains, "they can't technically stop the commission issuing its adequacy decision, but they can make life very difficult for companies transferring the data if they think the U.S. doesn't offer adequate protections."
to be breached "heartedly"
Is the privacy shield something that protects the transfer of data or does it encourage the transfer of data between the countries?
The name would imply the first, but then that does not mean anything.
Don't fight for your country, if your country does not fight for you.
>> Despite the framework being criticized for its inadequacy, Microsoft supports the Privacy Shield in its current form
Microsoft prepared to deploy worldwide a clearly not ready half-baked piece of shit? surely not!!
I don't know what it is, but since M$ supports it, it must be bad!
In the off chance it is actually good, this is clearly the "Embrace" step.
There is this story - about adopting a insecure system that is called "Privacy Shield" - to imply that it is secure. Then there is 'secure boot' which requires UEFI - in the end is less secure than an old BIOS. Then the Apple court case - as if an Apple phone is secure....
All is intended to give people the idea that they have a secure-private method to communicate when the opposite is true.
Of course criminals will use the holes/backdoors at some point - could bring down the banking system.
Just as Patriot act was actually a treason, and just as Free Trade acts are actually about limiting trade and creating state-supported monopolies, this "Privacy Shield" is actually about viciously attacking individual privacy. You have to replace the words with their antonyms to get the true meaning.
Microsoft has never promised that.
Let's play that through.
I connect to a server, send it my public key and ask for its public key so we can negotiate a secure connection.
Problem: Someone in between me and the server could intercept this, pretend to be the server, send me his public key while also sending his public key to the server, then decrypt my traffic, reencrypt it with the server public key and forward it to the server, doing the same in reverse with the replies. For a more detailed idea how this works, Wikipedia has the article.
Ok. So maybe we could come up with a way so I know if it's really the server answering me when I get a reply. And yes there is. The server can sign its reply with its private key (that only the server knows). Problem: I have to have some kind of way to verify that this signature is genuine. For this I need the public key of the server. Well, the server could transmit that too. Problem: How should I know I get the public key of the server and not that of an attacker?
So I somehow need a way to first of all establish that the public key of the server that I get is actually the public key of the server, not that of some attacker. This could be achieved by using a secondary channel to transmit that public key. Noooo, not a webpage where you can download it, that, too, could be hijacked by a man in the middle and the message could be tampered with. I could call the server administrator and ask him to verify the fingerprint of his public key that I got (basically you calculate a hash of the key and get a short string of hexadecimal numbers).
Now imagine a million people a day doing this.
So it's possible, but unfeasible.
Maybe let's introduce a trusted third party. That third party goes through the hassle to verify that public key once, so we don't have to do it. Then we all get some kind of token from them that allows us to check whether the public key the server sends us is genuine.
That trusted party is called Certificate Authority.
The token is a certificate.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'd say they have quite some interest in data not being available to anyone.
Data is most valuable if you have it and nobody else does.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We do! We now have collected all that data with Win10, we even gave away that damn OS to get it, we'd be damned if everyone and their dog has that data and we can't sell it anymore!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Feels kinda bad if you're on the receiving end of something like that, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Not like anything ever is on topic around here but does anyone what kind of encryption is in windows phones or anywhere that says? Specifically Lumia 950. With all the apple/fbi stuff the detailed quite well what tech was inside but all i can find for windows is some bumf and how to turn it on.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
So many knee-jerk comments here. Get a grip folks.
This is about how we treat data of a citizen from one large jurisdiction when it moves to or is stored in another large jurisdiction, and removing legal uncertainty for the companies doing so. For example, this very site's account info of EU residents being stored in the US (handle, email and encrypted password). Nothing overly private, but still falls under privacy laws of hundreds of countries, each of which could voice a problem and issue a warrant or subpoena. Without overarching legal frameworks governing and taming this legal diversity and uncertainty, it is basically impossible to run a large website. Plain and simple. If you're an engineer, you absolutely want to be insulated and protected from all this possible BS, regardless of how much of a non-issue your own data collection might be to your engineering mind.
Of course, it's a joke:
- Privacy Shield make companies offer certain guarantees for the way they handle data, and adds a lot of bureaucratic requirements. However, companies are allowed to "self-certify" their compliance. The compliance requirements will be overwhelming for small companies, while the big one will be able to blow them off.
However, the big problem was, frankly, the US government. On this topic:
- Privacy Shield requires "written assurances that government access to EU personal data for national security purposes is subject to clear conditions, limitations, and active oversight." Those assurances would make uncomfortable toilet paper, but won't be good for anything else. "Bulk surveillance" of EU citizens is also still allowed, as long as the US government considers it "necessary and proportionate". Gee golly whiz, I can't wait for the US government to declare it's own spying "unnecessary".
- Oh, and wow: "EU citizens concerned about potential breaches of these binding commitments by the U.S. government can now refer their concerns to a newly appointed Privacy Shield Ombudsman". Who will pat you on the head, and tell you to go be a good little lemming.
The only way to prevent US abuse of data on European citizens is to prohibit the transfer to US servers in the first place. Microsoft has actually done something laudable here: They have set up an Azure data center in Germany, and subcontracted control of this data center to a German company. Theoretically, Microsoft has no access to data in that data center, except through the German company - which would obviously be directly subject to German privacy regulations. That's an excellent solution, if it really is implemented that way.
Enjoy life! This is not a dress rehearsal.
Here:
He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or[f] the name of the beast, or the number of his name.
Waht doe Social Security numbers have to do with this?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
You can safely ignore them. Really. Unless, of course, your government agrees with them. You can chuck all the mail in the trash. If they want to then they can block their citizens from accessing your site. They can not burden you - even if you ship a product to their country. Keep in mind, they might arrest you if you ever decide to visit their country in the future. Assuming you're not going to? Stay the course and do what you want.
"So long and thanks for all the fish."
A certificate, properly issued by a CA and that CA's root cert in your browser, changes everything about it. It means that you can actually verify whether the server you are talking to is who it claims to be.
That's the whole point behind CAs.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.