The newly unveiled American Privacy Rights Act (APRA) represents a significant step toward establishing a federal data privacy standard in the U.S., offering a bipartisan solution to longstanding legislative challenges. This legislative effort underscores a unified approach to enhance online privacy protections, aiming to reconcile differences over state preemptions and legal remedies for privacy breaches.
Antonio Sanchez, principal evangelist at cybersecurity company Fortra, says:
“Today, about half of the states have some sort of legislation, but it’s varied. Ideally, this legislation would be a baseline of privacy at the federal level which provides consumers with more control over their personal data. Each state would then decide on passing something more stringent than the baseline.
This would be a great win for consumers as this would be a big step towards reducing misinformation, disinformation, and AI generated content which are used to sway the public’s mindset on a particular issue. For big tech this would represent a big hit to their bottom line since big tech monetizes personal data by mining, using, and selling it. The ones that use it deliver content (real and AI generated) to targeted audiences to either position a product or gain support on a social issue.
I like the idea, but we will see if this continues to move forward or if it slowly fades away and nothing happens.”
This is a piece of legislation that is long overdue. If the people on Capitol Hill are smart, they will do everything possible to move this bill forward and get it passed into law. But given the tenor of politics in the US at the moment, one has to wonder if that will happen.
UPDATE: Madison Horn, Congressional Candidate (OK-5) and cybersecurity expert adds these comments regarding the American Privacy Rights Act:
The American Privacy Rights Act is a significant first step towards setting up national consumer-centric data privacy standards. While the American Privacy Rights Act aims to define the type of data that companies can collect, there is ambiguity and concern in a number of areas that will be left vague. In the typical process for introducing new regulation, there is either over or under calibration, or it is not specific enough. Regulators must define what data is considered necessary, determine how data collection needs should be managed across applications, determine whether data storage will be centralized or segmented, and establish clear limitations on the types of data companies can collect.
I have concerns that regulators will over-calibrate these new data privacy regulations and inadvertently introduce vulnerabilities in company systems, potentially making it easier for bad actors to exploit them. While giving consumers control over their data is a positive step, it’s crucial that identity and access management are securely designed, otherwise bad actors could easily steal personal data. Giving consumers the right to access, correct, delete, and export their personal data is a great step forward, but brings significant security concerns. There’s a technical challenge in setting up and managing identities to ensure that people can’t access or edit someone else’s data. Despite the good intentions, opening these doors will inadvertently increase security concerns. The real task lies in minimizing these incidents as much as possible. It’s all achievable, but requires careful planning and execution.
To get this crucial data privacy law right, it’s important that everyone involved – lawmakers, regulators, and the private sector – all meet at the table together. If lawmakers try to force this law through like dictators, there will be endless pushback from lobbyists – something entirely counterproductive to effective regulation – and will only hurt small businesses and innovation. With many of the few qualified individuals in Congress left retiring or being pushed out of office by partisan politics, it’s up to the American people to elect qualified leaders with experience that matches the problems of today. Leaders that understand the nuances and pitfalls of drafting, right-sizing and passing acts that adequately protect Americans while not hindering innovation and economic growth.
Qantas Has An EPIC Privacy Breach On Their Hands
Posted in Commentary with tags Privacy, Qantas on May 1, 2024 by itnerd
This one is bad. Qantas, as in the Australian airline, has one hell of a privacy breach on its hands. The Guardian has the rather bad (if you’re Qantas) details:
Potentially thousands of Qantas customers have had their personal details made public via the airline’s app, with some frequent flyers able to view strangers’ account details and possibly make changes to other users’ bookings.
Qantas said late Wednesday its app had been fixed and was stable, after two separate periods that day “where some customers were shown the flight and booking details of other frequent flyers”.
The airline said this didn’t include displaying financial information, and that users were not able to transfer Qantas points from another account or board flights with their in-app boarding passes.
Clare Gemmell from Sydney said that she and four colleagues encountered the problem shortly after 8.30 on Wednesday morning.
“My colleague logged in and said ‘I think the Qantas app has been hacked because it’s not my account when I log in’.”
When Gemmell logged into the app, she was greeted with a message saying “Hi Ben”. The app told her Ben had more than 250,000 points and an upcoming international flight.
“Another colleague of mine said it looked like she was able to cancel somebody’s flight ticket,” she said.
“You could see boarding passes for other people, one of my colleagues could see a flight going to Melbourne and it looked like you could interact and actually affect the booking.”
Well, that’s one hell of a screw-up that Qantas has apparently now fixed. But it’s still bad. Ted Miracco, CEO of Approov, had this comment:
This incident with the Qantas mobile app is quite concerning from both a cybersecurity and privacy perspective. Many companies fail to implement adequate API security, which can lead to issues like the one potentially faced by Qantas. The security of APIs is critical as they often handle the logic, user authentication, session management, and data processing that apps rely on to function.
The problem described suggests a significant issue with how user sessions and data are being handled within the app. The Application Programming Interface (API) is incorrectly processing or validating session tokens, leading to unauthorized access to data. The exposure of such personal information, including booking details, frequent flyer numbers, and boarding passes, poses serious risks and liability. The data could be used for identity theft, phishing scams, or unauthorized access to further personal information. Such a breach should have significant legal and compliance implications, particularly under data protection regulations like the Australian Privacy Act (APA) or GDPR, if any EU citizens are affected, or other local privacy laws, depending on the nationality of the affected passengers.
The reliance solely on Google and Apple’s app store security measures for safeguarding mobile applications is indeed a common oversight that can lead to significant security challenges, as potentially evidenced by the Qantas incident. The security features provided by these platforms primarily focus on ensuring that apps are free from known malware at the time of upload and meet certain basic security criteria. However, these protections do not extend into the realms of runtime security, business logic, and specific data handling practices which are critical for ensuring application security.
Stephen Gates, Security SME at Horizon3.ai, adds this:
Most people who utilize mobile apps don’t realize that these apps use APIs to communicate between the app and the app provider’s backend. And APIs are often full of potential vulnerabilities and subsequent risks due to how they are implemented.
This is the primary reason why the OWASP API Security Project was created resulting in the most recent version: 2023 OWASP API Security Top 10. Being a contributor of the Top 10 2019 version, and spending time with founding leaders of the Security Project, the API risks organizations and consumers face today are quite clear.
Today’s software (app) developers must not only become familiar with the API Top 10, but also become experts in understanding the intricacies associated with APIs. The API Top 10 provides highly detailed example attack scenarios as well as excellent recommendations on how to prevent such risks from occurring.
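The access-control problem both sets of comments circle around, Horn's point that consumers exercising data rights must not be able to reach someone else's records, and Miracco's and Gates's point that a mobile app's backend API has to tie every response to the validated session, can be shown in a few lines. What follows is an added example written for this page; it is not code from Qantas, Approov, Horizon3.ai or the OWASP project. The accounts, session table, handlers and cache are all constructed, and the two flaws it demonstrates (serving whichever account id the client names, and a response cache keyed without the caller's identity) are hypothetical patterns that produce symptoms like those reported, not a claim about what actually went wrong in the Qantas app.

```python
"""Added example (not Qantas's, Approov's or OWASP's code): binding API
responses to the caller's validated session.  All data is constructed."""
import hmac
import secrets

# Constructed sample accounts; names, numbers and bookings are invented.
ACCOUNTS = {
    "FF-1001": {"name": "Alice", "points": 12_000, "bookings": ["ABC123"]},
    "FF-2002": {"name": "Ben", "points": 250_000, "bookings": ["XYZ789"]},
}

# Server-side session table: opaque token -> account id.  Only the server
# maps a token to an identity; the client never gets to name the account.
SESSIONS = {}


def login(account_id):
    """Issue an unguessable session token for an already-authenticated account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def account_for_token(token):
    """Resolve a token to an account id, or None if the session is unknown."""
    for stored, acct in SESSIONS.items():
        # constant-time compare so the lookup does not leak by timing
        if hmac.compare_digest(stored, token):
            return acct
    return None


def get_account_weak(token, requested_account_id):
    """Weak pattern (OWASP API Top 10, API1: broken object level authorization):
    the session is checked, but the record served is whichever account id
    the client put in the request, so any logged-in user can read any account."""
    if account_for_token(token) is None:
        return 401, None
    acct = ACCOUNTS.get(requested_account_id)
    return (200, acct) if acct else (404, None)


def get_account_hardened(token, requested_account_id=None):
    """Hardened: identity comes only from the validated session.  A client
    supplied id that disagrees with the session is refused, not honoured."""
    acct_id = account_for_token(token)
    if acct_id is None:
        return 401, None
    if requested_account_id is not None and requested_account_id != acct_id:
        return 403, None
    return 200, ACCOUNTS[acct_id]


class ResponseCache:
    """Minimal response cache sitting between handler and client.
    key_fn(token, path) decides which callers may share an entry;
    that single choice is the whole security question."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def fetch(self, token, path, handler):
        key = self.key_fn(token, path)
        if key in self.store:
            return self.store[key]
        status, body = handler(token)
        if status == 200:
            self.store[key] = (status, body)
        return status, body


def path_only_key(token, path):
    """Flawed key: the first caller's response is replayed to every later
    caller of the same path, whoever they are (a correct handler does not help)."""
    return path


def per_account_key(token, path):
    """Safe key: entries are bound to the session's account and never shared."""
    return (account_for_token(token), path)


if __name__ == "__main__":
    alice, ben = login("FF-1001"), login("FF-2002")
    print("weak handler, Alice asks for Ben:", get_account_weak(alice, "FF-2002"))
    print("hardened handler, Alice asks for Ben:", get_account_hardened(alice, "FF-2002"))
    shared = ResponseCache(path_only_key)
    shared.fetch(ben, "/me", get_account_hardened)
    print("path-only cache, Alice's /me:", shared.fetch(alice, "/me", get_account_hardened))
    safe = ResponseCache(per_account_key)
    safe.fetch(ben, "/me", get_account_hardened)
    print("per-account cache, Alice's /me:", safe.fetch(alice, "/me", get_account_hardened))
```

The second half is the part worth dwelling on: the hardened handler is correct on its own, yet with a cache keyed on the URL path alone Alice's request for `/me` returns Ben's points and booking, which is exactly the "Hi Ben" experience the Guardian describes. Any layer between handler and client (response cache, CDN, session middleware) has to include the caller's identity in whatever it keys on, and that is a property to test for, not assume.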
Qantas has some explaining to do to a whole lot of people because of this screw-up. I hope they have detailed answers at the ready because this is one of these situations where people are going to want those answers. And they won’t be satisfied with anything less.