Microsoft Declares Wholehearted Support For Privacy Shield (thestack.com) 64
An anonymous reader writes: Microsoft has declared its support for the EU-U.S. Privacy Shield. The proposed legislation to govern data transmission between the EU and U.S. has been the subject of much debate. While acknowledging that more work will need to be done after it is adopted, Microsoft has thrown its support behind Privacy Shield, stating that after careful and detailed review, it 'believes wholeheartedly that it represents an effective framework and should be approved.' Microsoft has pledged to sign up for Privacy Shield, to adhere to its current and future guidelines, and to respond to Microsoft user complaints under Privacy Shield within 45 days. Despite the framework being criticized for its inadequacy, Microsoft supports the Privacy Shield in its current form, and believes that further adjustments should be made after the initial adoption.Microsoft is the first company to sign up for EU-U.S. Privacy Shield pact. The EU privacy regulators are yet to share their views on the deal. According to a recent leak, however, it appears they wouldn't approve it. While this shouldn't stop the commission from making a decision, as Fortune explains, "they can't technically stop the commission issuing its adequacy decision, but they can make life very difficult for companies transferring the data if they think the U.S. doesn't offer adequate protections."
it's got enough "wholes" (Score:2)
Re: (Score:2)
Re: (Score:1)
One thing is for sure: if government is involved, you can bet that it does exactly the opposite of what the marketing name implies. For example, a new "initiative" that contains the word "privacy" will actively work against privacy.
Re:What doies it do? (Score:5, Interesting)
One thing is for sure: if government is involved, you can bet that it does exactly the opposite of what the marketing name implies. For example, a new "initiative" that contains the word "privacy" will actively work against privacy.
This is exactly right.
For example, the "PATRIOT Act" (which basically gutted many provisions in the Constitution), or the "Clear Skies Act of 2003". The Clear Skies Act reduced regulation of polluting companies and increased the amount of pollutants they could release. "Clear Skies", my ass.
My guess is that "Privacy Shield" is filled with provisions and laws that make it easier to violate privacy, not increase or protect it.
Re: (Score:2)
Companies that trade on your data have no interest in enhancing privacy. While MSFT isn't exactly FB in terms of profiting off compiling data about you and selling it to advertisers, the fact that there is a market for this means MSFT will be trying to get into it.
Re: (Score:2)
While MSFT isn't exactly FB in terms of profiting off compiling data about you ... yet
Remember the Scroogle Ad campaign? Well they are doing the very thing they said they weren't doing. They are now going after that market.
Re: (Score:2)
Oh, it probably shields privacy. The question is who does it shield and which side of privacy is it on?
Re: (Score:2)
The most useful legislation for these things is "facilitation by limitation": doing X is a liability nightmare and legally ambiguous, thus we write laws describing when and how you can do X and banning any doing of X outside these limitations. In this case, a useful law would facilitate the transfer of data between countries by describing how those transfers are handled and what legal and contractual agreements for handling that data must be in place, including requirements for mutual legal protections (
Re: (Score:1)
It is obviously to shield corporations from privacy laws.
Re: (Score:2)
On the face of it, it seems the US Government is recognizing privacy rights of EU citizens -- that the US does not give its own citizens. What does the US get out of this? More profits for MS, Google, et al.? I would support it if the US was willing to step up to European standards of privacy for everybody.
Re: (Score:2)
IIUC the "Privacy Shield" is intended to replace the current data-sharing arrangement between the US and the EU. An EU court said that the current arrangement violated the rights of EU citizens, but gave them some time to craft a replacement program.
Since the US is in favor of "Privacy Shield" one may guess that it's a bit pervious, but that's not proof, and I'm no lawyer.
OTOH, my cynicism is such that if MS in in favor of it, I expect that it would be bad for me.
Re: (Score:2)
Let's play that through.
I connect to a server, send it my public key and ask for its public key so we can negotiate a secure connection.
Problem: Someone in between me and the server could intercept this, pretend to be the server, send me his public key while also sending his public key to the server, then decrypt my traffic, reencrypt it with the server public key and forward it to the server, doing the same in reverse with the replies. For a more detailed idea how this works, Wikipedia has the article [wikipedia.org].
Ok.
Re: (Score:2)
A certificate, properly issued by a CA and that CA's root cert in your browser, changes everything about it. It means that you can actually verify whether the server you are talking to is who it claims to be.
That's the whole point behind CAs.
Surely not! (Score:5, Funny)
>> Despite the framework being criticized for its inadequacy, Microsoft supports the Privacy Shield in its current form
Microsoft prepared to deploy worldwide a clearly not ready half-baked piece of shit? surely not!!
Re: (Score:2)
Don't worry, it will auto-upgrade itself to what MSFT considers a "more functional" version somewhere down the line.
slashdot bot (Score:4, Insightful)
In the off chance it is actually good, this is clearly the "Embrace" step.
Re: (Score:3)
Re: (Score:2)
What about the "devil you know" and all that?
At least we get to bask in the loving embrace phase every 10 years or so...
The 20 second version (Score:1)
The Privacy Shield is an agreement on how to handle data. It has no legal binding until agreed on by the EU courts, and even then can be challenged by members of the EU. Most would consider it a gentleman's agreement at this point.
Since Microsoft has a history of not being a gentleman I doubt anyone takes their faith in this agreement seriously at all. As soon as the US Government said "Give us the data" Microsoft has historically complied. I'm not sure how you are supposed to trust them on this one, bu
Re: (Score:2)
I'd say they have quite some interest in data not being available to anyone.
Data is most valuable if you have it and nobody else does.
Re: (Score:2)
Here:
He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or[f] the name of the beast, or the number of his name.
Waht doe Social Security numbers have to do with this?
The pattern emerges - by design? (Score:3)
There is this story - about adopting a insecure system that is called "Privacy Shield" - to imply that it is secure. Then there is 'secure boot' which requires UEFI - in the end is less secure than an old BIOS. Then the Apple court case - as if an Apple phone is secure....
All is intended to give people the idea that they have a secure-private method to communicate when the opposite is true.
Of course criminals will use the holes/backdoors at some point - could bring down the banking system.
Re: (Score:2)
Then there is 'secure boot' which requires UEFI - in the end is less secure than an old BIOS.
Are you saying Secure Boot (using UEFI) is less secure than traditional BIOS, or that UEFI by itself is less secure than traditional BIOS? And either way, I'm curious why you think that?
Re: (Score:2)
The old BIOSs did not have a way to write to your hard-drive or connect to the internet(all one needs to compromise your computer). UEFI is a proprietary mini operating system with code no one can see. You can not get the information needed to install coreboot - (by design - at the request of three letter agencies) - no computer younger than 5 years appears to be secure-able.
Of course there is also the problem with the firmware on hard-drives. Or even processor microcode - closed source means not secure..
Re: (Score:2)
We do! We now have collected all that data with Win10, we even gave away that damn OS to get it, we'd be damned if everyone and their dog has that data and we can't sell it anymore!
Re:Europeans forcing their laws on Americans (Score:4, Informative)
Feels kinda bad if you're on the receiving end of something like that, eh?
Re: (Score:2)
You can safely ignore them. Really. Unless, of course, your government agrees with them. You can chuck all the mail in the trash. If they want to then they can block their citizens from accessing your site. They can not burden you - even if you ship a product to their country. Keep in mind, they might arrest you if you ever decide to visit their country in the future. Assuming you're not going to? Stay the course and do what you want.
Another Newspeak name for a new act (Score:1)
Just as Patriot act was actually a treason, and just as Free Trade acts are actually about limiting trade and creating state-supported monopolies, this "Privacy Shield" is actually about viciously attacking individual privacy. You have to replace the words with their antonyms to get the true meaning.
The check is in the mail (Score:1)
Microsoft also promises not to come in your mouth.
Re: (Score:2)
kinda OT (Score:2)
It's about legal certainty (Score:3)
So many knee-jerk comments here. Get a grip folks.
This is about how we treat data of a citizen from one large jurisdiction when it moves to or is stored in another large jurisdiction, and removing legal uncertainty for the companies doing so. For example, this very site's account info of EU residents being stored in the US (handle, email and encrypted password). Nothing overly private, but still falls under privacy laws of hundreds of countries, each of which could voice a problem and issue a warrant or subpoena. Without overarching legal frameworks governing and taming this legal diversity and uncertainty, it is basically impossible to run a large website. Plain and simple. If you're an engineer, you absolutely want to be insulated and protected from all this possible BS, regardless of how much of a non-issue your own data collection might be to your engineering mind.
Privacy shield is a joke (Score:3)
Of course, it's a joke:
- Privacy Shield make companies offer certain guarantees for the way they handle data, and adds a lot of bureaucratic requirements. However, companies are allowed to "self-certify" their compliance. The compliance requirements will be overwhelming for small companies, while the big one will be able to blow them off.
However, the big problem was, frankly, the US government. On this topic:
- Privacy Shield requires "written assurances that government access to EU personal data for national security purposes is subject to clear conditions, limitations, and active oversight." Those assurances would make uncomfortable toilet paper, but won't be good for anything else. "Bulk surveillance" of EU citizens is also still allowed, as long as the US government considers it "necessary and proportionate". Gee golly whiz, I can't wait for the US government to declare it's own spying "unnecessary".
- Oh, and wow: "EU citizens concerned about potential breaches of these binding commitments by the U.S. government can now refer their concerns to a newly appointed Privacy Shield Ombudsman". Who will pat you on the head, and tell you to go be a good little lemming.
The only way to prevent US abuse of data on European citizens is to prohibit the transfer to US servers in the first place. Microsoft has actually done something laudable here: They have set up an Azure data center in Germany, and subcontracted control of this data center to a German company. Theoretically, Microsoft has no access to data in that data center, except through the German company - which would obviously be directly subject to German privacy regulations. That's an excellent solution, if it really is implemented that way.