Friday Five: 5/24 Edition
Google's password faux pas, how real-time bidding may violate the GDPR, and tips on mitigating trade theft risk are all covered in this week's Friday Five.
1. Google: We've been storing some enterprise customer passwords in plaintext since 2005 by Sean Lyngaas
Compared to last week, this week, leading up to Memorial Day here in the US, was relatively quiet on the news front. Alas, there was no CPU side-channel bug, no massive zero day, and no backdoor this week. There was, however, the latest gaffe by a tech giant when it comes to storing passwords. Much like Facebook, which admitted several weeks ago that it had stored user passwords in plain text for years, Google this week acknowledged that it had stored G Suite enterprise users' passwords in plain text since 2015. The company said Tuesday that while the passwords sat inside its secure encrypted infrastructure, an error in implementing a G Suite console for domain administrators meant they were stored in plaintext. Google didn't say how many enterprise customers may have been affected by the mistake, but said it hasn't seen any evidence of improper access to or misuse of the passwords. While certainly embarrassing, the blunder shouldn't be a huge concern for enterprise users.
2. How to do a Risk-Limiting Audit by Andrew Appel
We’re not sure how many election administrators are reading this blog, but on the off chance you are one, we've got a valuable resource for you. Andrew Appel, writing for Princeton's Center for Information Technology Policy's excellent Freedom to Tinker blog, has a line on a new guide to carrying out a risk-limiting audit. According to the U.S. Election Assistance Commission, a risk-limiting audit allows election administrators to provide strong statistical evidence that an election's outcome is right. While it can't outright prove that an electoral outcome is correct, it's a good way to protect against tampering and is regarded as an essential part of election cybersecurity defense as a whole. According to Appel, until recently most risk-limiting audits were difficult for the election-administrator audience to understand; that, and they're fairly new. Enter Jennifer Morrell and a two-part guide: Knowing It's Right. The documents look nothing short of comprehensive and could help those in the election security space.
3. The Fight Over a Landmark Digital Privacy Law by Jill Cowan
If you've been following our blog, you're no doubt up to date on all the machinations of next year’s California Consumer Privacy Act, but if you're worried you've missed a step, the New York Times - in particular its recurring California Today column - has your back this week. While the piece does a brief recap of the CCPA, it’s especially worth a read because it’s got one of the first interviews with Senator Hannah-Beth Jackson, who introduced SB-561, an amendment to the CCPA that was blocked last week. The paper asks her what the bill would have done, what her plan is now, and her thoughts on a data dividend - a concept I was unfamiliar with. For what it's worth, it’s the idea of consumers getting paid for their digital data. As you can imagine, many privacy advocates strongly oppose the idea of paying for privacy.
4. Real-time bidding, a thriving ad targeting technique, is becoming a GDPR dilemma by Jeff Stone
An interesting angle of GDPR that I'd never considered before: the problems associated with real-time bidding, a targeted advertising technique in which advertising inventory is bought and sold impression by impression, almost like an auction. Ireland's Data Protection Commission said this week it was looking into whether the way Google Ireland processes personal data through its online ad exchange violates the data privacy law. According to CyberScoop, the issue was brought up during a Senate Judiciary Committee hearing Tuesday. According to TechCrunch, data protection authorities in seven markets, including through recent complaints filed in Belgium, Luxembourg, the Netherlands, and Spain, have been asked to investigate the technology. The crux of the complaints? Many allege the process violates GDPR because it exposes users’ information whenever they visit a website.
5. Podcast: The Current Trade Secrets Landscape: Criminal and Civil Litigation Strategies and Tactics by Mark D. Rowland, Daniel W. Richards, Colleen Conry, Mimi Yang and Anthony C. Biagioli
Every so often we like to mix it up and include a non-article. This podcast, via the global law firm Ropes & Gray, is an incredible deep dive into trade secret theft, misconceptions about criminal trade secrets law, the challenge of doing business in China, and the dangers of not protecting intellectual property. Published on Wednesday, the podcast recaps some recent trade theft news, breaks down some essential legislation -- the Economic Espionage Act and the Defend Trade Secrets Act -- and gives tips on how to mitigate risk, including drafting and implementing robust compliance policies to respect third-party trade secrets. The nearly 20-minute conversation between five lawyers isn’t dry – it actually whizzes by – and is a great alternative for those who don’t have time to read the transcript, which is published alongside the podcast.