Legal & Government Affairs Update Issue 3 - 2019
Whatsapp vulnerability targeted by hackers
Whatsapp has been forced to issue a speedy update to close a vulnerability in its software that allowed hackers to install malicious software on a phone simply by making a phone call to the target device. The target didn't even need to answer the call for the software to install itself and begin gathering all sorts of data from the phone, including the user's messages, calls, contacts, browser history and button presses. Once installed, the spyware would also give the hackers the ability to activate the phone's camera and microphone to watch the user in real time.
The attack reportedly used a piece of spyware called Pegasus that was developed by the Israeli technology company NSO Group. NSO is still investigating the matter and there is no suggestion that the company is behind the attacks itself, but it is possible that one of the companies that bought the Pegasus software from it could be misusing it. NSO has been quick to stress that it employs "rigorous" vetting procedures before licensing the software to any third party.
Pegasus is a tool designed to be used by governments and law enforcement to allow them to catch criminals and terrorists. There are many other similar software tools out there that exploit vulnerabilities in software in ways that are designed to give law enforcement an edge over criminals, but there is always a risk they could fall into the wrong hands.
Whatsapp touts security as one of its biggest selling points, particularly its end-to-end encryption for user messages, which it says keeps messages secure from everyone but the sender and intended recipient. While these attacks do not undermine the security of that messaging process, this should serve as a reminder that a system is only as secure as its weakest part. While Whatsapp may have excellent messaging encryption, the system supporting voice calls was less robust and allowed the whole system to be undermined.
Whatsapp has been quick to patch the gap and users who update to the latest version will no longer be vulnerable.
Legislation and Case Law Updates
Irish Supreme Court dismisses Facebook's bid to prevent European Court of Justice looking into its US-EU data transfers
On 31 May 2019, the Irish Supreme Court dismissed Facebook's attempt to appeal a decision by the Irish High Court to refer a case concerning Facebook's sharing of data between the US and EU to the European Court of Justice (CJEU).
The Irish Supreme Court unanimously decided that the issue of whether the social media company has engaged in unlawful practices around sharing personal data between the US and EU should be considered by the CJEU. In particular, the CJEU is being asked to consider whether Facebook's data transfer mechanism contravenes European law.
Facebook relies on "standard" contractual clauses which permit Facebook's US entity to access the personal data of European users by agreeing with its European entity to uphold EU privacy rules when handling the data. The EU has previously ruled that such practices are lawful but the Irish regulator has raised fresh questions about whether sufficient protection is being granted to EU citizens' data in the US under such a system.
The challenge to Facebook's data sharing practices was originally brought by Max Schrems, an Austrian lawyer and campaigner, against Facebook in Ireland (where the company's European headquarters is based). Is another judicial dressing down and hefty fine on the horizon for Facebook?
More recently the USA appears to be taking a tougher line with Facebook. The Federal Trade Commission recently investigated the social media company for a number of historic privacy violations and looks set to impose a record fine, which could be as high as $5 billion. Facebook is also facing an investigation in Europe over a data breach discovered in September 2018 relating to the insecure storage of personal data. It has been suggested a fine of well over $1 billion could follow.
The transfer mechanism being investigated in this case is used by many companies as a means to comply with their obligations under GDPR to keep personal data safe when transferring it outside of the EU. If putting contractual restrictions in place when transferring data to a non-EU entity is ruled insufficient to discharge GDPR security obligations, this may pose questions for the future validity of this widely used mechanism to facilitate international data transfers outside the EEA.
BEIS consults on Smart Data Review
On 11 June 2019, the Department for Business, Infrastructure and Industrial Strategy (BEIS) launched a consultation into its Smart Data Review, looking at the potential uses of data portability. The Smart Data Review was launched to consider how the UK can accelerate the development and use of new data-driven technologies and services to improve consumer outcomes.
The main proposals of the Smart Data Review are:
- the establishment of a new cross-sectoral Smart Data Function to oversee the delivery of smart data initiatives across multiple markets;
- introducing an Open Communications initiative that will require communications businesses to provide consumers’ data to third party providers at the consumer’s request;
- establishing a Vulnerable Consumer Challenge that will encourage data-driven innovation to improve outcomes for vulnerable consumers;
- exploring ways regulators can utilise consumer data, subject to the right protections, to support vulnerable consumers; and
- building trust in innovative data-driven services by introducing strong data protection requirements on Third Party Providers accessing consumer data.
The consultation proposes a range of questions around the core topics of: accelerating the development of innovative data-driven services in consumer markets, using data and technology to help vulnerable consumers and ensuring consumers and their data are protected. The use of data in this way can provide some real insight and drive positive change if done in a measured and informed way.
The consultation closes on 6 August 2019. Readers interested in responding to the consultation's questions on the use of data to improve customer experience and outcomes can do so here:
The Secret Barrister: Stories of the Law and How It's Broken by the Secret Barrister
The Secret Barrister is a criminal barrister and blogger known for his eye-opening, scathing and often hilarious legal commentary. He or she has now written a book on life at the criminal bar, focusing on the extent to which cuts to funding have undermined the functioning of the criminal justice system in the UK.
But the book is more than just a polemic on funding cuts: the Secret Barrister weaves together compelling stories of the individuals that make up the court system, from judges to jurors, as well as those on trial for all sorts of alleged offences. The conversational and funny style makes the book hard to put down.
The Secret Barrister does a good job of convincing the reader why the proper functioning of the criminal justice system matters to everyone. Even if you haven't set foot inside a court room, the chaotic and unfortunate stories in this book are hard to ignore. A worthy read.