A tale of two cities

A couple of stories that have been doing the rounds this week are a perfect illustration of the competing, if not conflicting, desires and requirements of nation states in the area of privacy.

On the one hand, let’s take a trip to the beautiful if not somewhat crazy Rio de Janeiro, Brazil where legal wrangles between Facebook’s WhatsApp and the Brazilian state continue.

Those of you who are avid readers of the security press will recall that Brazil has ordered all carriers to block WhatsApp traffic on two occasions in the past (December 2015 and May 2016), both as the result of individual court cases.

Well, they’ve done it again, or at least attempted to, because this order was overruled by a successful injunction and service was restored to the increasingly infuriated 100 million WhatsApp users in Brazil.

In each of these cases, the issue is that local prosecutors have asked Facebook/WhatsApp to hand over some keys or the raw text of messages between specific users.

The injunctions are just the tip of the iceberg. The Brazilians also arrested the local Facebook Queijo Grande after he failed to hand over the requested data, a feat that Facebook say is not achievable since messages are encrypted at the device and cannot be decrypted in transit.

Whether or not you believe that the messages cannot be intercepted, at least not by Brazilians (!), if you have overcome your fear of the head-shrinking Zika virus, are headed to the Olympics and your WhatsApp stops working, send a good old-fashioned text or use one of the many alternatives to share the Olympic spirit. You probably don’t mind if your picture of the blur that is Usain Bolt is encrypted or not, do you?

Zoom back here to what is left of Europe (actually most of it), to the City of Light, Paris, where France’s National Data Protection Commission has ordered Microsoft to comply with France’s (note: not Europe’s... yet) Data Protection Act, and sort out the nastiness that lies within Windows 10.

You will have read our misgivings about Windows 10 on numerous occasions and it seems that the French Data people have grown a pair and are standing up to the blatant abuse. They have requested that the following issues are resolved:

  • Irrelevant or excessive data collected
  • Lack of security
  • Lack of individual consent
  • Lack of information and no option to block cookies

You can read a detailed piece on this, written by the excellent Lisa Vaas here.

Initial mutterings from Microsoft indicate that they will work on it rather than let the lawyers deal with it, which can only be encouraging. Maybe the fixes will filter down to countries outside of French jurisdiction, or perhaps the EU Data Protection people will demand similar. Where that leaves us plucky Brits, who knows.

Privacy is becoming an increasingly hot topic, especially with the forthcoming introduction of the European General Data Protection Regulation (GDPR), which is transitioning between 27 April 2016 and 25 May 2018.

Despite the implications of Brexit being unclear, we are fairly certain that GDPR will still apply to UK businesses, at least if they want to trade with Europe, and we will be supporting our customers in their quest for compliance!

If you would like to discuss privacy, Rio or Paris, please contact us on: [email protected] or call us on 020 7517 3900.