Jaap-Henk Hoepman – on security, privacy and…

Google is sending the perfect phishing email.

Posted in Opeds, Science by Jaap-Henk on April 15, 2013

This weekend I decided to change my Google account password. In response, Google sent me an email to the account address, notifying me of this fact. The email told me that if I did not change my password (and apparently someone else did it for me) I should click on a link to reset my password. Excellent service, right? Until I realised we are all doomed!

(more…)


Pseudonymous data should not be exempted from data protection.

Posted in Opeds by Jaap-Henk on April 3, 2013

Europe is currently discussing an update of its data protection regime. The Albrecht Report suggests several amendments to the Commission’s proposal for a new regulation. One of the proposals is to limit the protection for pseudonymous data. I think this is a dangerous idea.

(more…)

An eID should not be linked exclusively to an identity card.

Posted in Opeds, Science by Jaap-Henk on February 8, 2013

Many countries that have an electronic identity (eID) system attach the eID chip to a classical identity card. From a historical perspective this is a natural approach (eIDs have evolved from the electronic or biometric passports). However, as a consequence, people can only own at most a single eID, and a significant group of citizens are excluded from owning an eID at all. This severely affects the coverage and inclusiveness of eID applications, and even prevents the implementation of certain types of eID applications.

(more…)

Does a centralised eID service in the German eID system pose a privacy risk?

Posted in Opeds, Science by Jaap-Henk on February 7, 2013

Ideally, a relying party that needs to verify certain attributes of a user would do so all by itself. However, in the new German eID system there are currently 7 so-called eID service providers that handle this task on behalf of many relying parties. The Germans did this to allow service providers to quickly adopt the new eID system, because they can simply contract an eID service provider instead of implementing the functionality themselves. However, this creates a hotspot. For all users, the eID service provider sees all attributes verified for all relying parties it services. The eID service provider is therefore in principle able to link a user to all the relying parties that user visits, together with the relevant attributes. This appears to be a serious privacy risk. Or isn’t it?

(more…)

Open Access! – But How?

Posted in Opeds, Science by Jaap-Henk on January 15, 2013

With the suicide of Aaron Swartz, and the subsequent #pdftribute protest on Twitter, the movement for Open Access to research literature has gained momentum. As a scientist in the area of security and privacy I feel I should contribute, but wonder how. (more…)
