
The day after the day before

I just noticed a story on Reuters, which came a day after I gave the lowdown on the GDPR. In their story ‘Companies need immediate rethink on U.S. data transfers, says watchdog’ I see “Companies seeking to transfer data to the United States must revert to new arrangements with immediate effect after the Privacy Shield transatlantic pact was declared invalid last week, a European Union watchdog said on Friday”. OK, we know that, but Reuters gives a little more with “The European Data Protection Board (EDPB) said that companies that transfer data to the United States via standard contractual clauses would have to self-assess whether these have suitable safeguards and inform their national privacy enforcer”, and there we see a part I had forgotten about (yes, I forget things too). When we consider ‘via standard contractual clauses would have to self-assess’, I am confronted with a thought I had in 1998 in another station. You see, there is an issue with ‘self-assess’ and ‘backups’. The self-assessment looks at that one small data cruncher and ignores the globally standardised backup systems behind it, and those backups give US Intelligence a larger implied stage where it remains business as usual, now with an optional, larger workflow. Did anyone consider that?

So when we see “The EDPB, together with the European Commission, is now looking into ways to beef up standard contractual clauses and binding corporate rules that could be legal, technical or organisational”, I wonder how many delays backup solutions will be granted before that train ends; I reckon it will take a while. And the situation is not new: ITProPortal gave us in 2018 “The legislation gives customers the right to be removed from the records of companies even if they have previously agreed to the collection and storage of their data. It’s called the ‘right to be forgotten’ and could be a potential stumbling block as organisations keep backup copies of their data. A request to have personal data removed, technically means that it should be removed from all copies including the cloud, or tape kept off-site in deep storage. Having to do this each time a request comes in, however, has been deemed excessive by those overseeing GDPR due to the logistical challenges it would throw up”, and even if you think that it is something else, think again! We see it in “technically means that it should be removed from all copies including the cloud, or tape kept off-site in deep storage. Having to do this each time a request comes in, however, has been deemed excessive by those overseeing GDPR due to the logistical challenges it would throw up”, and the situation is spelled out in “According to France’s GDPR supervisory authority, CNIL, organisations don’t have to delete backups when complying with the right to erasure. … You should also document policies and procedures for keeping backup data secure. This will include instructions on encrypting backups and where you will keep backup devices”. Yes, this is still about the right to be forgotten, but there is an absence regarding tertiary locations for backups and cloud backups: they can still be in the US, and as such the Intelligence conclave (the alphabet group) is still in a stage of business as usual.
One source gave me in 2019 “Rather than backing up everything in bulk as whole systems, organisations may find it easiest to separate systems backups and personal data backups so that systems backups can be kept for much longer retention periods than might be allowed/justifiable for the personal data”, yet the station of ‘organisations may find it easiest’ as well as ‘so that systems backups can be kept for much longer retention periods than might be justifiable for the personal data’ is not really an answer, and I was surprised at the amount of ambiguity towards operational and logistical needs whilst keeping the limelight away from backups. As such, I believe that there is a lot more going on and that no real matters regarding privacy will be solved any day soon. In this, Curtis Preston, chief technical architect at Druva, raised in 2019 “GDPR is not going to be able to force companies to ‘forget’ people in their backups – especially personal data found inside an RDBMS or spreadsheet.” (at https://www.theregister.com/2018/05/31/backup_gdpr_analysis/), and it seems that everyone links it to ‘the right to be forgotten’, so what happens to the off-site backups of global databases? Are they still in the US? And why is there such darkness around the state of backups? I find the comment ‘due to the logistical challenges’ a bit of a joke; they had years to get ready. Even closer to home, last January we saw “Although Apple uses end-to-end encryption for both iMessage and FaceTime, it doesn’t do the same for iCloud backups. They are encrypted, but Apple holds the key, meaning that the company has access to a copy of almost everything on your phone – and that includes stored messages. I’d long expected Apple to fix this, but a report today claims that the company has decided not to…”, so what else has not been done, and where are all these iCloud backups? If they are on an Apple server, there is every chance others have access (speculation from my side).
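As an added illustration (not code from the original post or from any of the sources quoted above), the following Python script reviews a constructed backup manifest against the two ideas raised here: personal-data backups kept separate from system backups with their own, shorter retention, and the physical location of every copy (primary, off-site, cloud, tape) recorded so that a personal-data copy sitting outside the EU is visible rather than forgotten. The manifest format, the retention limits, the EU region list and the review date are all assumptions made for the example; a whole-system dump that also contains personal data is treated as the stricter class and flagged for separation.

```python
"""Review a backup manifest for retention, location and encryption findings.

Hypothetical manifest format and policy values (assumptions for this example).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Retention limit per backup class. Values are assumed policy, not a
# regulator's figure; the point is that the two classes differ and that a
# "mixed" dump inherits the stricter (personal-data) limit.
RETENTION_DAYS: Dict[str, int] = {"system": 365 * 3, "personal": 90}

# Regions considered inside the EU for this check (assumed names).
EU_REGIONS = {"eu-west-1", "eu-central-1", "fr-par"}


@dataclass(frozen=True)
class BackupSet:
    name: str
    data_class: str   # "system", "personal" or "mixed"
    created: date
    region: str       # where this copy physically sits
    encrypted: bool
    tier: str         # "primary", "offsite", "cloud" or "tape"


def check_backup(b: BackupSet, today: date) -> List[str]:
    """Return a list of human-readable findings for one backup copy."""
    findings: List[str] = []

    # Anything containing personal data, including a mixed dump, gets the
    # personal-data retention limit.
    if b.data_class == "system":
        limit = RETENTION_DAYS["system"]
    else:
        limit = RETENTION_DAYS["personal"]
    if b.data_class == "mixed":
        findings.append(
            f"{b.name}: whole-system dump contains personal data; split it so "
            f"the system part can keep its longer retention"
        )
    elif b.data_class not in RETENTION_DAYS:
        findings.append(f"{b.name}: unknown class {b.data_class!r}, treated as personal")

    age = (today - b.created).days
    if age > limit:
        findings.append(
            f"{b.name}: {b.data_class} copy is {age} days old, exceeds {limit}-day retention"
        )

    # Personal data stored outside the EU (e.g. a US cloud tier) is the
    # tertiary-location gap the text complains about.
    if b.data_class != "system" and b.region not in EU_REGIONS:
        findings.append(f"{b.name}: personal data stored outside the EU in {b.region} ({b.tier} tier)")

    if not b.encrypted:
        findings.append(f"{b.name}: {b.tier} copy is not encrypted")
    return findings


def review_manifest(manifest: List[BackupSet], today: date) -> Dict[str, List[str]]:
    """Map each backup name to its findings; clean copies are omitted."""
    report: Dict[str, List[str]] = {}
    for b in manifest:
        found = check_backup(b, today)
        if found:
            report[b.name] = found
    return report


# Constructed sample manifest and review date (not real systems).
REVIEW_DATE = date(2020, 7, 24)
SAMPLE_MANIFEST = [
    BackupSet("erp-system-weekly", "system", date(2019, 1, 5), "eu-central-1", True, "offsite"),
    BackupSet("crm-customers-daily", "personal", date(2020, 3, 1), "us-east-1", True, "cloud"),
    BackupSet("crm-customers-daily-eu", "personal", date(2020, 7, 1), "eu-west-1", True, "primary"),
    BackupSet("legacy-full-dump", "mixed", date(2019, 11, 15), "fr-par", False, "tape"),
]

if __name__ == "__main__":
    for name, findings in review_manifest(SAMPLE_MANIFEST, REVIEW_DATE).items():
        for line in findings:
            print(line)
```

Run as-is, the script reports the US cloud copy of the customer data (over retention and outside the EU) and the unencrypted mixed tape dump (over retention, needs splitting, unencrypted), while the EU-resident copies pass. In a real environment the manifest would come from the backup software's catalogue rather than a hard-coded list.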
Which is actually not the weirdest thought when we go back to 2018 and consider “authorities also discovered a series of hacking tools and files that allowed the 16-year-old boy to break into Apple’s mainframe repeatedly”, so if a 16-year-old has access to the Apple mainframe, do you really believe that US Intelligence cannot enter it?

So when we consider where our backups are, also consider how up to date your personal records are at 57 Duker Rd, Farmville, VA 23901, United States. To be ‘speculatively more precise’, how about IBM-VA23901-1-3.213.5? I wonder how many other places your data can be found, all for the simple reason of national security, and all whilst the media take a hard look at the cyber tools some agencies have, no one seems to be looking at the access those agencies have to backups. Several sources give us versions of ambiguity, but none of them look deeper into the matter; I reckon the stakeholders wouldn’t allow it, but that is me grasping at straws.

There is a larger station now that the agreement has fallen apart for the EU; on the other hand, there will be a pool of new talent required all over Europe, and in the light of the Corona events, I wonder how many are still alive. So, what will we see tomorrow in this regard?

 


Filed under IT, Law, Politics, Science