Edward Snowden, the former CIA employee who made top-secret documents public in June 2013, gave guidelines for creating an unbreakable password in a television interview with comedian John Oliver.
Tuesday, April 14, 2015
Friday, March 27, 2015
UNHRC Creates New UN Special Rapporteur on “The Right to Privacy in the Digital Age”*
Many of you might be interested to know that
the UN Human Rights Council in Geneva has just adopted the establishment
of a new UN Special Rapporteur on “The Right to Privacy in the Digital Age”. A
Resolution to this effect was in consideration at the 28th Session of the Human
Rights Council for the past 4 weeks, and the Internet Society was following these
developments closely and engaging with stakeholders during the informal
discussions.
Notably, the mandate of the Special
Rapporteur will include special consideration of issues related to the digital
age and new technologies, including surveillance. This focus led to some
arguments in the drafting sessions, but eventually the Resolution was adopted
today without a vote.
This development is a direct follow-up to the UN General Assembly Resolution 69/166 from December 2014, led by Germany and Brazil, that asked the Council to consider the creation of such a mandate.
If the work of the UN Special Rapporteur on
Freedom of Expression is any indication, we can expect this new independent
expert to bring some useful human rights insights into some of the key privacy
issues that affect people today, whether online or offline.
The text of the resolution establishing the
mandate is currently available on the extranet
of the HRC (Request the password from UNHRC).
We welcome the creation of this Special
Rapporteur and look forward to working with the UNHRC, our community and others
around the world to address these important issues around privacy.
*Captured from http://www.internetsociety.org/blog/public-policy/2015/03/unhrc-creates-new-un-special-rapporteur-%E2%80%9C-right-privacy-digital-age%E2%80%9D
Monday, March 16, 2015
Top CPOs Talk Privacy Priorities and Concerns at SXSW
By Jedidiah Bracy, CIPP/E, CIPP/US
The Privacy Advisor | Mar 16, 2015
Over the
course of two weeks for the iconic SXSW conference, Austin, TX, is filled with
a wide array of smart and engaging people, many of whom are building some of
the latest technologies, developing savvy new start-ups and working hard to get
those products and services out to market. New to many of those young start-ups
and fledgling companies is the idea that they need to implement privacy and
data security protections for their users.
With that
as a backdrop, some of the world’s top chief privacy officers (CPOs), who lead
privacy teams for some of the technology sector’s most established companies,
got together on Saturday to discuss how they are handling some of today’s most
pressing and complex privacy issues.
“We think
of people first,” said Facebook CPO Erin Egan. “We do that so we can build
trust.”
“Trust is a
key part of this,” agreed Microsoft CPO Brendon Lynch, CIPP/US. He explained
that he and his team constantly ask key questions during the product development
life cycle. Across the company, he added, the team has embedded “privacy
champions” who are generally perceived by other teams within Microsoft as
partners. And with a “dotted line” to the corporate office, Microsoft has
recognized that it’s important to get privacy right in the marketplace.
“As you try
to manage down privacy risk,” said Google Senior Privacy Counsel Keith Enright,
“all the legal and regulatory challenges can be difficult.” As a response, he
explained, Google looks for feedback from its users and works with other
experts within the company so that the privacy team can better understand the
technologies and issues other teams are working with. “We partner our folks
with experts in the mobile space or the wearable space, for example, so they
understand the unique things within those spaces.” That way, privacy
professionals within Google develop needed subject matter expertise.
Facebook’s
Egan added that it’s important to make sure your users know what they are doing
with their data when they post something and then, from there, build and
provide them with tools to help control how they use their data. In addition to
providing its users with an understanding of how they are using their data,
Egan said it’s also important to help educate policy-makers and regulators on
their products and services. “They’re the ones passing the laws,” she said,
“and they’re the ones regulating us, so it’s important to help them understand
how it works and the controls users have.”
And what
about regulators’ perceptions about privacy? Do they tend to care more about it
than consumers?
“Generally,
laws and regulations set a floor and not a ceiling,” explained Microsoft’s
Lynch. “Take individual perceptions of privacy as well. Some consumers care
very deeply about privacy, while others don’t care about it much at all. For
us, protecting privacy is beyond what the law requires. We try and anticipate
what their expectations are, and quite often, we find, consumers are more
demanding than the law.”
Google’s
Enright disagreed. “I think users want their products to work. They want them
to be efficient and they don’t want policies to disrupt that experience,"
Enright said. "In my experience, the regulations and laws often set up
hurdles and obligations that are way outside of the contemplation of our
users.”
Egan chimed in by noting, “Users want to
understand how to use our services. Regulators, however, are trying to imagine
scenarios and often set unrealistic expectations.”
IAPP
President and CEO Trevor Hughes, CIPP, pointed out that companies can often
comply with the law, but noted, “Just because it’s legal, it can still be
stupid.” He asked, “How can you gain authority within your organization when
the product and marketing teams want to do something stupid but purely legal?
In this ‘creepy’ area, where do you get that authority?”
Enright
said that is one of the great challenges in the early stages of an
organization, when it's trying to get its product or service to market quickly.
“It’s not difficult in my organization because we have been scrutinized so
much," he said. "We have not always done the best and we’ve made
mistakes, and we’ve felt the consequences of that. For us, user trust is
absolutely essential, and Larry Page recognizes we can’t get this wrong.”
As an
example, each of the panelists discussed how they dealt with major privacy
blows in the past. Specifically, Lynch talked about the privacy designs that
were embedded in the Xbox Kinect, an interactive gaming console that received
scrutiny for its facial-recognition features. He said, however, the company
began with Privacy by Design. “We didn’t need to store images on our servers,”
he said. Plus, the facial images were only points on a given face, so even if
the data had been accessed by a bad actor, it would make no sense. The
biometric data was also stored locally and deleted after the given session ended.
But, Lynch asked, “How do you teach consumers
how the privacy protections are working?”
There are
multiple ways to achieve that, he explained: Provide a user interface to
explain the uses to consumers. Plus, build a FAQ page that explains user controls
and drives people there. Finally, he added, engage external stakeholders and
talk with consumer groups and regulators to help mitigate misunderstandings.
Looking
forward, Enright said it will be important for companies to give users more
controls, noting, “They can be empowered with the data about them.”
Facebook’s
Egan agreed. “I hope," she said, "to see more control at the center
of people and for them to have more control of their information.”
Lynch,
however, offered a different perspective. “There’s so much information out
there," he said, "much of it with predictive capabilities, and with
that, there needs to be more discussions about the ethical uses of personal
data. We need more systematic approaches to privacy rather than placing the
onus on the individual.”
Really,
whether society goes to a more use-based or collection-based model, it will be
many of the young entrepreneurs here at SXSW who will play a large role in
determining these outcomes. Established companies like Google, Facebook and
Microsoft have learned their lessons the hard way. The question remains, then,
whether these younger companies will learn these lessons the hard way, too.
Personal data protection in Chile: a real commitment from the Government?
While constitutional protection of personal data is well on track in Congress, the process of reforming the law that regulates the processing of that data appears stalled, a dichotomy that could undermine the force of the reform to the constitution.
Last week, the Senate of Chile approved the constitutional reform that enshrines the right to the protection of personal data.
The initiative, which will go to the Chamber of Deputies for its second constitutional reading, seeks to amend Article 19 of the Constitution, adding two paragraphs that establish the protection of personal data and the right to access that data and to obtain its rectification, completion and cancellation; the processing, circulation and transfer of that data must be carried out in the manner and under the conditions set by law.
Senators from across the political spectrum agreed on the need to give constitutional protection to personal data, which today is covered by weak legislation. If approved in the Chamber of Deputies, the initiative will allow people to use the recurso de protección (constitutional protection action) against any threat to, disturbance of or violation of their personal data, which in practice means a fast, low-cost procedure that does not require a lawyer.
The constitutional reform is advancing with solid and consistent arguments, with a clear intent to give people more rights. Unfortunately, Chileans' personal data remains under a deficient law that does not meet international standards, lacks a firm institutional framework and does not properly protect people.
Last year, the Ministry of Economy prepared a preliminary draft bill intended to comprehensively change the personal data protection regime in Chile. The draft was submitted for consultation and technical discussion in a public-private working group, in which various companies, organizations, trade associations and academics took part, including Derechos Digitales.
The Ministry set October 2014 as the deadline for submitting the bill to Congress. However, for months we have had no substantive news about the content of the bill, nor a new submission date.
This is problematic: as long as the legal protection of personal data remains deficient, the recognition of its importance in the Constitution loses a substantial part of its force and purpose; a disparity that, if it persists, may well create potential conflicts and legal uncertainty.
The country needs to strengthen people's rights over their personal information, and for that a real commitment from the Government is essential, one that does not stop at rhetoric and intention.
Congress seems to be well on track with the constitutional reform initiative, and we hope the Government will soon catch this energy as well.
ABOUT THE AUTHOR
Rayén Campusano is a lawyer from the Universidad de Chile and during 2012 was an intern at the NGO Derechos Digitales. In 2014 she joined as Public Policy Officer in Chile, where her main role is to monitor the country's political developments and decision-making, both by the Government and in the National Congress, in matters related to human rights in the digital environment.
Source: https://www.derechosdigitales.org/8453/proteccion-de-datos-personales-en-chile-buena-iniciativa-del-congreso-nacional-compromiso-real-del-gobierno/ (16/03/2015)
Friday, March 13, 2015
White House Proposes Broad Consumer Data Privacy Bill*
*Article published by the New York Times on February 27, 2015. By NATASHA SINGER (http://nyti.ms/187pDGW)
The Obama administration on Friday proposed a wide-ranging bill intended to provide Americans with more control over the personal information that companies collect about them and how that data can be used, fulfilling a promise the president had talked about for years.
But some privacy advocates immediately jumped on the proposed legislation, saying it failed to go far enough, particularly given the broad statements President Obama had made on the issue. They said the bill would give too much leeway to companies and not enough power to consumers.
There are already a number of federal laws, like the Fair Credit Reporting Act and the Video Privacy Protection Act, that limit how companies may use certain specific consumer records. The new proposed bill, the Consumer Privacy Bill of Rights Act, is intended to fill in the gaps between those statutes by issuing some baseline data-processing requirements for all types of companies.
“It applies common-sense protections to personal data collected online or offline, regardless of how data is shared,” the Obama administration said in a statement on Friday, “and promotes responsible practices that can maximize the benefits of data analysis while taking important steps to minimize risks.”
The proposal, at its core, calls on industries to develop their own codes of conduct on the handling of consumer information. It also charges the Federal Trade Commission with making sure those codes of conduct satisfy certain requirements — like providing consumers with clear notices about how their personal details will be collected, used and shared.
Companies that violate those requirements could be subject to enforcement actions by the commission or by state attorneys general.
The administration’s proposal, considered a discussion draft, would need a congressional sponsor before it could be officially introduced. Already, though, industry analysts said that the proposal, along with several other legislative efforts on commercial privacy, was unlikely to be enacted in a Republican Congress.
The White House effort comes during heightened public awareness about both government and commercial data-mining. And the proposal drew sharp reactions.
Some prominent legislators and privacy law scholars said the administration’s effort failed to endow citizens with direct and clear legal rights to control who collects their information and how they use it. And the bill, they say, largely puts companies in charge of defining their own criteria for fair and unfair use of consumers’ personal details.
“Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely upon,” Senator Edward J. Markey, a Massachusetts Democrat who has been investigating consumer-profiling companies called data brokers, said in a statement on Friday.
Companies like Acxiom, a database marketer in Little Rock, Ark., for instance, help marketers target individual consumers by estimated household income, ZIP code, race, ethnicity, social network or interests like “smoking/tobacco” or “gaming-casino.”
Experian Marketing Services, another marketing company, uses data-mining to stratify consumers into socio-economic clusters with names like “small town, shallow pockets” and “diapers and debit cards.”
Armed with that kind of information, advertisers might, say, send smokers ads for the latest air filters. But in a report last year on data brokers, the Federal Trade Commission warned that such profiling could be also used in ways that could “adversely impact consumers.” Third parties, regulators wrote, could potentially use brokers’ information on smokers to decide whether someone was “a poor credit or insurance risk, or an unsuitable candidate for employment or admission to a university.”
The report called on Congress to enact legislation to protect this kind of volatile information by, among other things, requiring companies that serve consumers to obtain consent from individuals before collecting such sensitive details about them.
While the White House’s proposal does not explicitly require companies to obtain affirmative consent to collect health information, it does call on companies to give individuals reasonable means to control the use of their personal data, depending on the context and “in proportion to the privacy risk.”
Microsoft heralded the draft bill as a welcome first step in improving consumer trust in how companies handled their information.
“The White House framework tackles issues that are crucial to build trust and foster innovation,” Brendon Lynch, chief privacy officer of Microsoft, wrote in a blog post on Friday. “Not all will agree with every aspect of the proposal — some will say it goes too far, while others will say it doesn’t go far enough — but it’s a good place to start the conversation.”
But some privacy advocates warned against the bill’s reliance on industry-developed codes of conduct. The process, they contended, would allow companies to define for themselves whether their data-use policies constituted privacy risks to consumers. They also said the bill offered companies loopholes that would help them avoid giving consumers meaningful control over their records and make it difficult for federal regulators to enforce the legislation.
“While it claims to provide rights to consumers, behind its flimsy policy curtain is a system that gives real control to the companies that now gather our information,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a consumer advocacy group in Washington.
A few privacy law scholars said that the draft bill could undermine protections consumers already had. If enacted as currently written, for instance, it could pre-empt stronger laws in a few states that require companies to obtain consumers’ explicit consent before collecting unique biometric information like fingerprints or facial scans.
“It would override state statutes that give people more protection,” said Alvaro M. Bedoya, executive director of the Center on Privacy and Technology at Georgetown University Law Center. “It would be a significant setback for privacy.”
How to Build a Corporate Information Security Plan
Learn the basic stages for creating a plan that is effective at protecting corporate data
Developing a corporate information security plan starts from one premise: information is an important asset and must be protected. Companies generally fail to reach the level of protection that matches the true value of their data, and while some information is overprotected, other very valuable information lacks adequate protection. Achieving the appropriate level of protection requires developing, adopting and implementing a plan.
Stages for developing a plan
Organizations that know how to use and evaluate corporate information find the security planning process relatively easy. Those that do not know how, and expect to find a quick fix, may face a painful process. These five basic stages can be useful for developing an information security plan:
Identify the types of information that require protection
Estimate the value of the information belonging to each type
Develop/update an information security policy that requires protection according to the type of information
Define protection standards for each type of information
Create monitoring and administration standards to verify compliance with the information protection standards
As organizations carry out these stages, the risk assessment procedure is essential for the following aspects:
Identify the information that requires protection
Establish the value of that information in terms of the cost of creation, re-creation, disclosure or unauthorized modification
Design protection mechanisms that identify the residual risks
Analyze the risks/benefits of the residual costs related to protecting a given type of information
Establish additional protection measures to achieve a higher level of security
Risk assessment is part of the overall risk management program that the company applies to other parts of its operations. As with other risk management activities, the importance of a piece of information must be reassessed whenever there are changes in how it is used, stored or processed. The results of the risk assessment can affect the overall information security plan, requiring updates to it and adjustments to its requirements.
Return on investment
Although an information security plan requires an initial investment, implementation and administration, that cost can be justified by considering the business impact if valuable information is compromised through theft, destruction or modification. Of these cases, theft and modification are probably the most damaging, assuming a data backup plan has been implemented.
The impact of information theft by a competitor is relatively easy to understand, while the effects of information being modified are less obvious. A subtle modification of information can be harmful, affecting decisions or operations and resulting in financial damage to the organization.
Communication
The process of developing an information security plan can be easy or difficult, depending on the organization's politics and on the personalities involved in protecting information. Developing a security plan is not particularly technical in orientation; it is mainly an administrative and "political" task.
Administrative perspective: identification and evaluation of information; designation of acceptable risks in terms of its value and the level of protection provided.
Political perspective: securing cooperation on the adoption of new measures and on the final plan, before it is actually adopted and implemented.
The development, adoption, implementation and administration of an information security plan are only effective if they are widely taken up and publicly communicated to most of the organization's management.
The required approval includes verbal, written and also financial support. The need for, or impact of, the project, along with the requirements and benefits of carrying it out and implementing an information security plan, must be openly and regularly communicated to the users of the information, as part of a normal security awareness process.
Financial support is necessary to enable the initial development of the plan, its adoption and implementation, and also to guarantee the ongoing administration and monitoring of the information protection infrastructure over time.
By J. Stuart Broderick, PhD, a Symantec professional, special to VARBusiness
Welcome!
I welcome you all to my new Blog on Corporate Data Privacy. In this space I will post news and write my opinions about the world of information security in large enterprises.
My name is Juan Pablo Altmark. I'm a lawyer specializing in Information Security and Data Protection. I currently work at the National Personal Data Protection Agency of the Ministry of Justice and Human Rights and am a partner at the Altmark & Brenna Law Firm, a leader in Computer Law in Argentina.
I hope you like it and that it helps you learn about the subject.
Juan Pablo






