The Panama Papers, Mossack Fonseca and Security Fundamentals

The release of details contained in the Panama Papers will be one of the biggest news stories of the year. The number of high-profile individuals implicated will continue to grow as teams comb through the 11.5 million documents leaked from Mossack Fonseca, a Panamanian law firm. While the news headlines will focus mainly on world leaders, athletes and the well-to-do, the overview from The International Consortium of Investigative Journalists (ICIJ) gets into additional detail. This overview is worth reading to understand what services the firm provided, who uses the services, how they can be used legally and how they can be abused.

The overview seems like something out of a John Grisham book. In fact, some of the information being released is similar to the plot of a book he wrote over 25 years ago. In 1991, John Grisham published “The Firm”, a book which revolves around several lawyers working for the fictional law firm Bendini, Lambert and Locke. Similarities between the book and today include a law firm that exists primarily to assist money laundering and tax evasion, a plot that turns on the details of many transactions recovered from thousands of documents, and a whistleblower. The fictional firm also provided services to legitimate clients, although in the book that number is about 25 percent. It is unknown what percentage of Mossack Fonseca clients were legitimate and how many would be described as Ponzi schemers, drug kingpins and tax evaders, as the ICIJ overview mentions. While the novel is fiction, the book sets the stage as something that has been seen before.

Whether the leak started from an external breach of systems or an intentional leak by an insider, it is always intriguing to know how it occurred and what could have been done. Did it start with a phishing email, a rogue employee, a web application flaw, or something else? Forbes reported that the client portal server was running Drupal 7.23, a version susceptible to a SQL injection vulnerability announced in October 2014. There were many reports of exploitation of this vulnerability in the days after it was announced, so it is likely someone took advantage of the exploit. The team responsible for WordFence, a popular WordPress security plugin, provided another possible exploitation scenario related to upload functionality in the Revolution Slider plugin. These are just some of the potential means that could have caused a breach at Mossack Fonseca. Other possibilities include weaknesses in the email server and a lack of encryption in transit. Mossack Fonseca does have a Data Security page on their site, although it primarily touts SSL and the fact that they house all of their servers in-house as their primary security measures.

In 2011, I wrote a post on how the legal profession was an easy target for breaches. Looking back I realize that technology has changed, but in many ways the weaknesses are likely to stay the same. One of the biggest changes to note since 2011 is the number of online applications law firms now have. This isn’t just the top 100 law firms; this includes smaller regional firms as well. In addition to the main corporate web site and an area to share documents (or client portal), which are now offerings that appear much more prevalent across firms of all sizes, firms have blog sites, premium service offerings, extranets and even applications that provide a gateway into all the other online applications. More applications means a larger attack surface.

Unlike Mossack Fonseca, which claims it hosted everything internally, many law firms we see do use third-party SaaS offerings to handle some of these functions. Outsourcing to a third party which specializes in providing a particular service can often provide better security than a firm can provide in house.

Given the Mossack Fonseca’s focus on company formation, minimizing tax burdens, Private Interest Foundations and the like, the firm could have easily been a target given the recent groundswell of activism against tax avoidance and income inequality. While the lapse in security at Mossack Fonseca may not be representative of security at all law firms, the details surrounding their environment point to likely weaknesses in people, processes and technology which could exist in any organization.

  • People – Given what we know about potential vulnerabilities in their environment and the exfiltration of data, we can surmise that someone was not paying attention for an extended period of time. There are many security roles in an organization including, but not limited to, policy development, administration and monitoring. In some environments one person may be responsible for many roles, and in some cases not all responsibilities can be met. This may be because no one was given the role or because the person that was given the responsibility left the organization. A recent search of LinkedIn did not turn up too many IT-related profiles with Mossack Fonseca as a current or previous employer, although this doesn’t necessarily mean these individuals do not exist. Contractors may have also performed the role. That said, a third party could have been hired for a given job, say deploying the client portal, but maybe was not responsible for post-implementation support.
  • Process – Being notified of vulnerabilities in the software supporting the organization is paramount to understanding where risks exist. Knowing what data is leaving the environment is also critical. The likelihood that either of these was occurring is low and if either were occurring there wasn’t necessarily anyone to act on it in a timely fashion.
  • Technology – A breakdown in people and processes can occasionally be mitigated by technology. The WordPress and Drupal sites are now protected by a third party security provider, but other sites likely are not. An up-to-date intrusion detection system (IDS) may have detected some of the threats the organization faced, or activities that occurred, although there were several potential options to exploit so one avenue or another would have likely been open. For an organization that appears to have missed some fundamental security concerns, they may have used technology to secure some data as there is a site named crypt.mossfon.com, which is still up.

The Panama Papers incident may once again raise awareness around data security with legal firms. Organizations performing support services to legal firms, such as eDiscovery and Case Management providers, may also want to take note. Mossack Fonseca has a link on their page for ISO Certifications. However, the only one listed is ISO 9001:2008. An ISO 27001 assessment, or certification, may not have prevented the leak, but it would have demonstrated greater consideration of security on the part of Mossack Fonseca. A penetration test would also have been beneficial, although given the vulnerabilities that existed even a vulnerability scan would have detected some of the issues.

With most data breaches, the actual data on the people and companies is less interesting (albeit potentially more valuable) than the way in which the breach occurred or the attacker persisted in the attack. As it relates to the Panama Papers, it is the opposite. The forthcoming details related to various individuals, their transactions, and the potential future tax and privacy implications are far more interesting to the public than the means whereby the exfiltration actually occurred. That said, taking a few minutes to understand how it happened and what we can learn can be a worthwhile step in preventing future breaches.

Matt Wilgus, Practice Director, Schellman

[Cloud Security Alliance Blog]

New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists

Malware writers have always sought to develop feature-rich, easy-to-use tools that are also somewhat hard to detect via both host- and network-based detection systems. For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise it’s now being used against pro-democracy organizations and supporters in Hong Kong that have long been a target of advanced attack campaigns.

Despite its simplicity and prevalence, detection rates for both AV and IDS systems have always been surprisingly low for Poison Ivy. Possibly for these reasons, since the mid-2000s threat actors have frequently used Poison Ivy to establish beachheads within target organizations, although this occurs much less frequently today than in years past. Since the last public release of version 2.3.2 in 2008, new variants of the tool have been relatively rare, especially versions which modify the core communication protocols.

Unit 42 observed a new version of Poison Ivy which uses the popular search order hijacking, a/k/a “DLL Sideloading,” technique frequently seen in malware such as PlugX. The Poison Ivy builder has an output format option of either PE file or shellcode, and in this case the backdoor was built as shellcode and then obfuscated to help prevent detection.  While analyzing the sample, we also observed a modified network communication protocol which will be discussed in this blog.

SPIVY

In March, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545. All of the decoy document themes involved recent Hong Kong pro-democracy events. In all of the samples we’ve found to date the exploit drops a self-extracting RAR which contains three files:

  • RasTls.exe – a legitimate, signed executable which is used to side-load the malware DLL
  • ssMUIDLL.dll – the malware DLL loaded by RasTls.exe, which then loads the Poison Ivy shellcode file
  • samsung.hlp – the encoded shellcode Poison Ivy backdoor

Both identified C2 domains are third-level subdomains of leeh0m[.]org, which was created in late February 2016, less than a month before the attacks.

Figure 1. Malicious RARs and the three files within

In addition to the new variant we discovered, Japan’s Computer Emergency Response Team Coordination Center (JPCERTCC) published a blog last July on a different new variant. That variant is also side-loaded from a legitimate executable and stub DLL, but the shellcode isn’t encoded the same way as SPIVY. JPCERTCC didn’t comment on who was being targeted in their blog, but it is notable that two distinct Poison Ivy variants have recently appeared, several years after the tool largely fell out of common use by advanced actors.

SPIVY Analysis

We believe the samples dropped have a direct connection to older Poison Ivy RATs based off of the behaviors and code reuse present in the shellcode loaded by the samsung.hlp file within the RAR. Once decoded, the shellcode is launched by ssMUIDLL.dll.

Figure 2. The encoded shellcode is decoded with a single byte addition of 0x99, XOR with 0xD4, then subtract 0x33.

The SPIVY RAT uses the same API call table generation historically used by Poison Ivy. Shown below is a comparison of a PIVY sample from 2008 (left) and our newer SPIVY sample (right). Both have the exact same API call table function.

Figure 3. PIVY sample from 2008 and SPIVY variant with the same API call table function.

Unlike previous versions of Poison Ivy, which use a fixed 256-byte challenge-response handshake, this new version generates a payload that has been prepended with anywhere from 1 to 16 bytes of pseudo-random data (plus control bytes); the first byte gives the length of the padding before the start of the 256-byte handshake. In the example below the first byte (0x09) tells the Poison Ivy controller to ignore the following 9 bytes (which were nulled out below for illustration purposes), plus one more byte which holds the first byte multiplied by 2 (0x09 × 2 = 0x12). Two control bytes, plus the 9 random bytes, plus the 256-byte handshake gives 267 total bytes. The Poison Ivy protocol has been very well documented in previous research by Conix Security and others, and in these samples the remainder of the protocol remains unchanged.

Figure 4. SPIVY’s new challenge-response.
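The Figure 2 decoding step and the padded handshake framing described above, as an added example in Python (not Unit 42’s code). The function names, the handling of the pad-length × 2 control byte as a check value, and the sample bytes are assumptions constructed here for illustration.

```python
"""Added example: parse SPIVY's padded handshake framing and decode the
samsung.hlp shellcode encoding, as described in the write-up above.

Assumptions taken from the text:
  * shellcode bytes decode per byte as ((b + 0x99) ^ 0xD4) - 0x33, mod 256;
  * the new handshake is framed as [n][n random bytes][n*2][256-byte handshake]
    with 1 <= n <= 16, so a framed packet is 2 + n + 256 bytes long.
"""
import os
from typing import Optional

HANDSHAKE_LEN = 256      # classic PIVY challenge-response size
MIN_PAD, MAX_PAD = 1, 16


def decode_spivy_shellcode(data: bytes) -> bytes:
    """Undo the samsung.hlp encoding: add 0x99, XOR 0xD4, subtract 0x33 (mod 256)."""
    return bytes(((((b + 0x99) & 0xFF) ^ 0xD4) - 0x33) & 0xFF for b in data)


def encode_spivy_shellcode(data: bytes) -> bytes:
    """Inverse of decode_spivy_shellcode; used here only to build test fixtures."""
    return bytes(((((b + 0x33) & 0xFF) ^ 0xD4) - 0x99) & 0xFF for b in data)


def parse_spivy_handshake(packet: bytes) -> Optional[bytes]:
    """Return the 256-byte handshake if `packet` carries SPIVY's padded framing.

    Returns None when the framing does not match: pad length outside 1..16,
    packet too short, or the control byte after the padding != pad_len * 2.
    Trailing bytes are tolerated because the text says the remainder of the
    protocol is unchanged.
    """
    if len(packet) < 1:
        return None
    pad_len = packet[0]
    if not MIN_PAD <= pad_len <= MAX_PAD:
        return None
    check_index = 1 + pad_len          # control byte sits right after the padding
    start = check_index + 1            # handshake begins after the control byte
    if len(packet) < start + HANDSHAKE_LEN:
        return None
    if packet[check_index] != (pad_len * 2) & 0xFF:
        return None
    return packet[start:start + HANDSHAKE_LEN]


def is_spivy_framing(packet: bytes) -> bool:
    """Detection-style predicate: True if the packet matches the new framing."""
    return parse_spivy_handshake(packet) is not None


def build_spivy_packet(handshake: bytes, pad_len: int,
                       padding: Optional[bytes] = None) -> bytes:
    """Frame a 256-byte handshake the way SPIVY does (constructed, for fixtures).

    `padding` defaults to pseudo-random bytes as in real traffic; the write-up
    nulls them out for illustration, which this accepts as well.
    """
    if len(handshake) != HANDSHAKE_LEN:
        raise ValueError("handshake must be exactly 256 bytes")
    if not MIN_PAD <= pad_len <= MAX_PAD:
        raise ValueError("pad_len must be between 1 and 16")
    if padding is None:
        padding = os.urandom(pad_len)
    if len(padding) != pad_len:
        raise ValueError("padding length must equal pad_len")
    return bytes([pad_len]) + padding + bytes([(pad_len * 2) & 0xFF]) + handshake


if __name__ == "__main__":
    # Constructed sample: a dummy 256-byte handshake with 9 bytes of nulled
    # padding, reproducing the 267-byte, 0x09 / 0x12 example from the text.
    dummy_handshake = bytes(range(HANDSHAKE_LEN))
    pkt = build_spivy_packet(dummy_handshake, 9, padding=bytes(9))
    print(len(pkt), hex(pkt[0]), hex(pkt[10]))                       # 267 0x9 0x12
    print(is_spivy_framing(pkt), is_spivy_framing(dummy_handshake))  # True False

    # Constructed encoded blob: decoding it yields the original bytes.
    blob = encode_spivy_shellcode(b"\x90\x90\xcc")
    print(decode_spivy_shellcode(blob) == b"\x90\x90\xcc")           # True
```

The length byte and its doubled control byte are a weak discriminator on their own (an unrelated 256-byte message could match by chance), so a detection should combine this framing check with the rest of the documented PIVY handshake rather than rely on it alone.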

We saw two Poison Ivy configurations with our samples, shown below.

SHA256: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e
Password: bqesid#@
C2 domain: found.leeh0m[.]org
C2 port: 443
Mutex: 40EM76iR9
ID: 03-18
Group: 03-18

SHA256: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2
Password: bqesid#@
C2 domain: sent.leeh0m[.]org
C2 port: 443
Mutex: 40EM76iR9
ID: 03-07
Group: 03-07 

Decoy Documents

Decoy documents are a common technique used by many actors to trick victims into believing they have opened legitimate files from spear phishing e-mails. The attacker sends a malicious file which infects the host with malware and then displays a clean document which contains content the victim is expecting to see.

The decoy documents associated with SPIVY are notable because they reference very specific recent events and organizations not widely publicized or known outside of the Hong Kong region and the pro-democracy movement. In addition, all appear to be legitimate invitations to actual events in Hong Kong. One of the decoys purports to be from Joshua Wong, announcing a press conference about ending the Scholarism group to start a progressive democratic political party, Demosistō, in March 2016. Joshua Wong is a well-known Hong Kong activist who was one of the founders of the group and is the current Secretary-General of the political party. Scholarism centered around concerns about the Hong Kong Department of Education adding a mandatory course for all secondary-school students on “moral and national education”. Scholarism was successful in stopping the course and its members desired to shift into a political party to effect further change.


Figure 5. Invitation to press conference about disbanding Scholarism and establishing a political party.

Another decoy concerns the Mong Kok riot that took place February 8, 2016, the first day of the Lunar New Year. It purports to be from the Justice & Peace Commission of the Hong Kong Catholic Diocese and calls for the government to establish an independent commission to investigate the cause of the riots and for parishes to establish booths throughout April staffed with church members advertising this. The riots were officially written off as being caused by a crackdown on unlicensed street vendors, but the decoy claims it’s instead a sign of continued civil unrest and dissatisfaction with the government in Hong Kong.

Figure 6. Decoy allegedly from the Justice & Peace Commission of the Hong Kong Catholic Diocese

The final decoy is an invitation to an April 4, 2016 wreath laying event held by the Hong Kong Alliance in Support of Patriotic Democratic Movements of China. The event commemorated the 28th anniversary of the Tiananmen Square massacre and related events, information to which China heavily censors access for mainland Chinese citizens.

Figure 7. Decoy for an April 4, 2016 wreath laying event commemorating the Tiananmen Square massacre held by the Hong Kong Alliance in Support of Patriotic Democratic Movements of China.

Conclusion

The venerable Poison Ivy has been revamped and used to continue targeted attacks against pro-democracy activists in Hong Kong. It’s fairly common to see actors retool malware to make it harder to detect, though it was rarely seen before with Poison Ivy. The updated execution and communications mechanisms of SPIVY offer insight into the ever changing tools, techniques, and practices of targeted attackers. Unit 42 will continue to follow these attacks and any new Poison Ivy variants and provide updates as we uncover new information. It is clearly demonstrated by this recent campaign that an old dog can learn new tricks.

Pro-democratic activists in Hong Kong have increasingly been targeted by APT campaigns. Below are links to several related reports from different researchers. We don’t necessarily link the activity in this blog to any of the specific campaigns cited in the links; instead, they are provided for situational awareness.

  • October 2014 blog from Volexity titled “Democracy in Hong Kong Under Attack”
  • June 2015 blog from Citizen Lab titled “Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114”
  • December 2015 blog from FireEye titled “China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets”
  • April 2016 blog from Citizen Lab titled “Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns”

Palo Alto Networks customers can identify SPIVY command and control traffic using Threat Prevention signature ID and AutoFocus users can track this family using the SPIVY tag.

IOCs

Weaponized EPS Docs:

13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0
4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2
9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e

Loader Files

RasTls.exe – legitimate, signed binary that is used in the sideloading process
0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead
ssMUIDLL.dll – 7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4

Poison Ivy shellcode files

c707716afde80a41ce6eb7d6d93da2ea5ce00aa9e36944c20657d062330e13d8
0414bd2186d9748d129f66ff16e2c15df41bf173dc8e3c9cbd450571c99b3403

C2 Domains

sent.leeh0m[.]org
found.leeh0m[.]org


[Palo Alto Networks Research Center]

Automate Security or Face the Wrath of the Millennials

Like it or not, Millennials will dominate the workforce of the future. Right now, Millennials comprise about 38% of the workforce, and by 2025, that will rise to 50%. For the past year, Anitian has been researching the impact this trend will have on workforce development and information security. In short, most companies are not equipped for this change. Among the many issues we have uncovered, automation is one of the most disruptive to information security.

The Millennial generation has grown up surrounded with ubiquitous Internet access. Moreover, they have also grown up in a world where significant aspects of their lives are automated.

Consider an obvious example:  Google. Prior to the 1990s, if you did not know something, you had to go to a library or search through a book. This was time consuming, which meant you were motivated to remember whatever you looked up. Google changed all that. It put nearly unlimited information a few keystrokes away and automated the process of searching. The mere fact that Google is a verb proves this. Don’t believe me? Well, Google it.

Consequently, we have a generation of workers who are extremely accustomed to this kind of automation. There are countless other examples: iPhones, Netflix, Facebook, Instagram, Amazon.com, and so forth. All of these are highly automated platforms with ubiquitous access to data that can do a lot of the tedious work of storing, searching and cataloging. They also provide automated ways to alert or remind us of events.

Millennials expect this kind of access and automation. Nothing is more frustrating to a Millennial than being forced to use manual, time-consuming processes. They seem archaic and stupid. This results in disengagement, and eventually, they quit and go elsewhere. Millennials trust the cloud more than they trust a piece of paper.

Information security is not immune from this issue. Sitting at consoles chasing down every virus alert is stupid to a Millennial (I think it is stupid as well, and I am a GenXer). They expect this kind of work to be automated. However, for older executives and directors, this kind of automation is frightening. We hear it all the time in our assessments: “We cannot allow security to impede the business.”

Except, that is exactly what is happening. The lack of automation is creating an environment where attack, compromise and theft are more likely. It is naive to think that humans (or any internal incident response process) can work at the speed of the attackers. The “bad guys” leverage automation in every conceivable way possible. The notion that hackers are all hoodie-wearing kids with tattoos tapping away on keyboards is the stuff of TV shows, not reality. The bad guys are global, sophisticated and highly automated. The sophistication of today’s attackers can outclass some of the largest software vendors in the world. And while a living person may monitor all the attacks, it is the compromised servers and content distribution networks that do all the work.

Millennials know this, implicitly. Their whole life has been about automating anything they could. And for them, it seems positively archaic to reject automation, when your enemies have completely embraced it. This means if your information security program is going to be effective with the workforce of the future, it must automate.

The good news is automation is getting easier. The growth of security analytics platforms is allowing organizations to unify and automate large portions of their security monitoring. Leading the security analytics market are companies like Cisco, IBM, Blue Coat, Forcepoint (formerly Raytheon|Websense), Palo Alto Networks and Fortinet. Emergent companies like Phantom are exciting, as they can provide cross-platform automation.

Your workforce is changing and your information security must change along with it. If you want to build the next generation security program, then you need to listen to what the next generation is saying. And they have made a very clear statement:  automate or we are out of here.

Andrew Plato will speak on Insider Threats at the North America CACS 2016 2-4 May in New Orleans, Louisiana. He is a veteran author, speaker and industry analyst on matters of IT security, risk management and compliance.

Andrew Plato, CISSP, CISM, QSA, President/CEO, Anitian

[ISACA Now Blog]

May the Fourth Be with EU

On April 14, 2016, the EU Parliament passed the long-awaited new EU rules for personal data protection (GDPR). Everyone who holds or processes data on individuals in the 28 countries of the EU has until Star Wars Day 2018 (May 4) to comply.

The top 10 provisions of the regulation are:

  1. It is a global law. No matter where you are in the world, if you have data on individuals in the EU and lose it, you are responsible and can be fined. As an example, if you have a web site and a European comes on and enters their contact information, you have to conform.
  2. Increased fines. Up to 4% of global turnover or €20,000,000 (US$22M).
  3. Opt-in regulations. Users must give clear consent to opt-in to their data being collected and you must only use it for the purpose defined. No opting out, no hidden terms, no selling/giving data to other people.
  4. Breach notification. If you lose data, you have 72 hours to tell the authorities.
  5. Joint liability. If multiple companies process the data, they are all liable if data is lost, so if you hold data YOU are responsible if data gets lost via a risky cloud service.
  6. Users can demand their data back, and that it be updated or deleted. If you hold data, you need to work out how to achieve those.
  7. Removes ambiguity. One law across all 28 countries of the EU.
  8. Common enforcement. The authorities are expected to enforce consistently across all the countries, the good news is data holders only need to deal with one authority.
  9. Collective redress. Users can sue together if data is lost in class action lawsuits.
  10. Data transfer. Data transfer from the EU is allowed, but subject to strict conditions.

If you work for a company collecting data, you are responsible for the security of that data no matter where it gets processed. It’s more important than ever that you know the shadow IT services that employees may be using, as they could be the conduit for data loss and your organisation will be liable.

There’s some good news for IT in the regulation – the new rules encourage privacy-friendly techniques such as pseudonymisation, anonymisation, encryption and data protection by design and by default. So capabilities such as encrypting data before it is uploaded to the cloud, especially when combined with keeping the keys on premises, can reduce your liabilities.

This is good news for EU citizens, as they will have strong and clear rights over their personal data, its collection, processing and security.

Some organizations have in the past treated personal data as a cheap commodity but this regulation clearly shows how valuable data really is and demands that they treat it with great respect.

We should all put a value on data about ourselves and our families and embrace this legislation because the outcome is that all of our data will be safer.

Nigel Hawthorn, EMEA Marketing Director, Skyhigh Networks

[Cloud Security Alliance Blog]

WP29: Thumbs Down to Draft EU-US Privacy Shield

In a 58-page opinion published April 13, 2016, the influential European Union Article 29 Working Party (WP29), which includes representatives of the data protection authorities of the 28 EU Member States, expressed significant concerns with respect to the terms of the proposed EU-US Privacy Shield that is intended to replace the EU-US Safe Harbor.

The WP29 made numerous critiques of the proposed EU-US Privacy Shield framework. These include, for example, the lack of consistency between the principles set forth in the Privacy Shield documents and the fundamental EU data protection principles outlined in the 1995 EU Data Protection Directive, the proposed EU General Data Protection Regulation, and related documents.

The WP29 group also requested clearer restrictions for the onward transfer of personal information that occurs after personal data of EU residents is transferred to the US. The WP29 is especially concerned with the subsequent transfer of data to a third country, outside the United States. In addition, the WP29 continues to be concerned about the effect, scope, and effectiveness of the measures proposed to address activities of law enforcement and intelligence agencies, often described as a “massive collection” of data.

Background
On Feb. 29, 2016, the European Commission and U.S. Department of Commerce published a series of documents intended to constitute a new framework for transatlantic exchanges of personal data for commercial purposes, to be named the EU-U.S. Privacy Shield. The Privacy Shield would replace the EU-US Safe Harbor, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015, in the Schrems case.

Since the publication of the draft Privacy Shield documents, the WP29 members have convened in a series of meetings over the course of the past six weeks in order to evaluate these documents and come up with a common position.

The results of this 6-week evaluation were expressed in an opinion entitled “Opinion 01/2016 on the EU-US Privacy Shield Draft Adequacy Decision – WP 238,” published on April 13, 2016. The 58-page document, which is well-drafted and thoughtful, contains numerous positive comments about the efforts of the EU and US in trying to design a framework that would adhere to the two-page guidance published at the end of January, which outlined the key aspects of the proposed cross-Atlantic framework.

The document also expressed a wide variety of concerns with respect to the proposed EU-US Privacy Shield. The WP29 group was concerned by: (i) the commercial provisions (which address issues similar to those addressed in the Safe Harbor principles); (ii) the surveillance aspects (specifically, the possible derogations to the principles of the Privacy Shield for national security, law enforcement, and public interests purposes); as well as, (iii) the proposed joint review mechanism.

Commercial Aspects
Consistency with Data Protection Principles
The WP29 indicated in its Opinion that its key objective is to make sure that the Privacy Shield would offer an equivalent level of protection for individuals when personal data is processed. The WP29 believes that some key EU data protection principles are not reflected in the draft documents, or have been inadequately substituted by alternative notions.

While it does not expect the Privacy Shield to be a mere and exhaustive copy of the EU legal framework, the WP29 stressed that the Privacy Shield should contain the substance of the fundamental principles in effect in the European Union, so that it can ensure an “essentially equivalent” level of protection. To this point, WP29 explains that the data retention principle is not expressly mentioned and there is no wording on the protection that should be afforded against automated individual decisions based solely on automated processing. The application of the purpose limitation principle to data processing is also unclear.

Onward Transfers
The WP29 paid special attention to onward transfers, an issue that was key to the Safe Harbor decision. It believes that the Privacy Shield provisions addressing onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose, and the guarantees applying to transfers to Agents.

The WP29 noted that since the Privacy Shield would be used to address onward transfers from a Privacy Shield entity located in the US to third country recipients, it should provide the same level of protection on all aspects of the Shield, including national security. In case of an onward transfer to a third country, every Privacy Shield organization should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer before making the transfer.

Recourse Mechanisms
Finally, although the WP29 notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism may prove to be too complex in practice and difficult to use for EU individuals, and therefore, ineffective. Further clarification of the various recourse procedures is therefore stressed; in particular, where they are willing, the WP29 suggests that EU data protection authorities could be considered as a natural contact point for EU individuals involved in these complex redress procedures, and could have the option to act on their behalf.

National Security
Derogations for National Security Purposes
The WP29 observed that the draft EU Commission Adequacy Decision extensively addresses the possible access to data processed under the Privacy Shield for purposes of national security and law enforcement. It also notes that the US Administration, in Annex VI of the documents, also provides for increased transparency on the legislation applicable to intelligence data collection.

Massive Collection
Regarding the massive collection of information, the WP29 notes that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU. This brings concerns for the protection of the fundamental rights to privacy and data protection. The WP29 pointed to other resources for clarification on this point, such as the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.

Redress
Concerning redress, the WP29 welcomes the establishment of an Ombudsperson as a new redress mechanism. Concurrently, it expressed its concern that this new institution might not be sufficiently independent, might not be vested with adequate powers to effectively exercise its duty, and does not guarantee a satisfactory remedy in case of disagreement.

Annual Joint Review
Regarding the proposed Annual Joint Review mechanism mentioned in the Privacy Shield framework, the WP29 noted that the Joint Review is a key factor to the credibility of the Privacy Shield. It points out, however, that the specific modalities for operations, such as the resulting report, its publicity, and the possible consequences, as well as the financing, need to be agreed upon well in advance of the first review.

Drafting Deficiencies
Consistency with the General Data Protection Regulation
The WP29 notes that the Privacy Shield needs to be consistent with the EU data protection legal framework, in both scope and terminology. It suggests that a review should be undertaken shortly after the entry into application of the General Data Protection Regulation (GDPR), to ensure that the higher level of data protection offered by the GDPR is followed in the adequacy decision and its annexes.

Structure and Content
Regarding the structure and content of the documents, the WP29 noted that the complexity of the structure of the documents that constitute the Privacy Shield makes the documents difficult to understand. They are also concerned that the lack of clarity in the new framework might make it difficult to comprehend for data subjects, organizations, and even data protection authorities. In addition, they note occasional inconsistencies within the 110 pages that form the current draft of the Privacy Shield framework. The WP29 urges the Commission to make the documents clearer and more understandable for both sides of the Atlantic.

Conclusion
In its 58-page opinion, the WP29 made great efforts to point to the improvements brought by the Privacy Shield compared to the Safe Harbor decision. However, overall, the evaluation of the 110-page proposed Privacy Shield framework is generally negative. The WP29 appears to doubt that the protection that would be offered under the Privacy Shield would be equivalent to that of the EU. The extent to which the EU Commission will be able to address these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the proposed documents remains to be seen.

Six months after the CJEU invalidated the EU Commission decision that had created the EU-US Safe Harbor, it seems that cross-Atlantic data transfers are still in limbo. There is still no simple, business friendly solution to addressing the stringent prohibition against cross border data transfers between EU/EEA entities and US based companies. The viability of the Privacy Shield remains in question. With the negative opinion issued by the WP29, a very influential body of the European Union, it is uncertain whether and when a stable and final draft will be completed. Assuming such framework may reach a form that is satisfactory to both sides, it would then need to be implemented. At a minimum, a new infrastructure, a website, and additional personnel will also be needed to make it operational—these are all things that take even more time.

In the meantime, US companies that built their operations and business models around the simple and easy to use EU-US Safe Harbor should review the legality of their cross border data transfers with their counsel. With no light at the end of the tunnel, it is urgent that they evaluate and implement means to address the stringent restriction against cross border data transfers in effect in the European Union and European Economic Area, and that they understand and address the needs of their counterparts in the EU/EEA region in order to minimize the risk of enforcement action against the European entities.

Françoise Gilbert, Global Privacy and Cybersecurity Attorney, Greenberg Traurig

[Cloud Security Alliance Blog]
