Biden's Privacy Shield 2.0 order may not satisfy Europe
Also, Albania almost called in NATO over cyber attacks, and Facebook warns of account-stealing mobile apps
In brief An executive order signed by President Biden on Friday to setting out fresh rules on how the US and Europe share people's private personal info may still fall short of the EU's wishes, says the privacy advocate who defeated the previous regulations in court.
The executive order is designed to codify agreements the EU and America made earlier this year that would reinstate Privacy Shield, albeit version 2.0 of it. This is a framework that defines how, when, and what citizens' data is sent overseas, between Europe and America.
The new framework addresses concerns raised in a case decided in 2020 known as Schrems II, named after Max Schrems, the Austrian privacy activist who brought the case to the EU Court of Justice (CJEU). Schrems II struck Privacy Shield down, in part, because EU citizens had no rights to petition the US government if they felt their data had been improperly gathered.
Biden's order addresses those issues by restricting how signals intelligence can be gathered by US spy agencies and placing collection of info behind several layers of conditions, including ensuring only tightly tailored data is collected.
The new framework also implements a Data Protection Review Court made up of non-government employees to hear cases from EU citizens, provided their complaints first make their way through the Office of the Director of National Intelligence's civil liberties team for review.
That all said, Schrems says Biden's order is unlikely to satisfy EU law, and he ought to know – he's killed prior versions. According to Schrems, while some language may have changed in the new agreement, the EU and US still don't seem to be defining certain terms, such as "proportionate," in the same way.
"In the end, the CJEU's definition will prevail, likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans," Schrems said.
NOYB, Schrems' privacy rights organization, said in its response to Biden's EO that the Data Protection Review Court fails to be an actual court as legally defined by US law, and criticized the amount of recourse for EU citizens, saying there was no additional guarantee they would be heard beyond the previous frameworks.
The bottom line? This one probably won't hold up, and might give Schrems a hat trick. "At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later," Schrems said.
The UK and US came to a data-sharing agreement earlier this week.
Albania weighed NATO response to Iranian cyber attacks
Cyberattacks Iran perpetrated against Albania this past summer were so bad that Albania's Prime Minister actually considered invoking NATO's mutual defense pact for the first time over a cyber incident.
In an interview with Politico, PM Edi Rama said he decided against invoking Article Five to avoid risking escalation. "I have too much respect for our friends and our allies to tell them what they should do … We are always very careful to be very humble in our assessments," Rama said.
The July attack occurred only a couple months after the Albanian government had shuttered many offices in favor of online services. Albania severed relations with Iran after the attack, and faced another round of cyberattacks in September believed to also be from Iran. The US has since sanctioned Iran's intel agency over the attacks.
Rama didn't invoke Article Five, but by mentioning the possibility he's opened the door to other NATO leaders considering that possibility, too. As to what that could entail, it's worth looking at the joint communiqué issued by the heads of 30 NATO states in July 2021, specifically paragraph 32, which discusses NATO commitments regarding cyberattacks.
"A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis … If necessary, we will impose costs on those who harm us. Our response need not be restricted to the cyber domain," the alliance leaders said.
Facebook flags 402 fraudulent phone apps found on Android, iOS
When it comes to logging into apps with your Facebook credentials, beware. A report from the social media giant this week listed 402 apps it found on Android and iOS app stores that contained malicious Facebook login prompts that stole people's login details.
The apps are "disguised as photo editors, games, VPN services, business apps and other utilities," Facebook said, which present "Login with Facebook" prompts. As is the case with these sorts of scams, the entered credentials are sent to the app's controller forthwith.
Facebook said that it reported the apps to Google and Apple, which had taken down all the offenders prior to the report's publication.
There's not much call to be curious when it comes to guessing where most of the malware lives - of the 402 apps Facebook listed in the report, 355 can be found on Android, and only 47 on iOS.
To make matters worse for those in the Google ecosystem, the apps Facebook found were all over the map on Android, with entries running the gamut of categories mentioned above.
In Apple's case, all the malicious apps fell into two types: Business/page management apps and Facebook ad management software. Just avoid those, or logging into apps using social media credentials altogether, and you'll be fine. ®