How To Make Sites GDPR Compliant

What is GDPR and why should you worry about it?

If you own or have worked in a business that transacts with European citizens, you may have recently heard about the General Data Protection Regulation (GDPR).

This regulation compels businesses (even those outside the EU) to protect the personal data of citizens in EU member states. Non-compliance entails steep penalties (up to €20m or four percent of a business’ annual worldwide revenue, whichever is larger!).

Not even the bigger companies like Facebook or Instapaper were safe.

So:

How do you make your site GDPR compliant?

Read more to find out!

Does It Affect My Business?

First:

Determine if your business is one of the four types that need GDPR compliance.

Is your business:

  • Situated in an EU member state?
  • Outside of an EU member state but collects and/or processes personal data from citizens of EU member states?
  • Employing more than 250 employees?
  • Employing fewer than 250 employees, but your data processing affects the rights and freedoms of your data subjects, is not occasional, or includes certain types of personal information?

Simply put:

These four business types cover most, if not all, businesses today. Whether you’re in the Information Technology business or run a small online retailer, odds are you’re going to be affected by this regulation.

What Are My Obligations Under the Law?

Now:

Once you’ve determined that your business is affected by the regulation, you have to know what you need to comply with as far as your customers’ data is concerned.

Businesses are categorized as either Controllers or Processors.

If your business DETERMINES the purpose of the collection and storage of data, then your business is a CONTROLLER.

If your business collects and stores data ON BEHALF OF ANOTHER business or organization, then your business is a PROCESSOR.

Knowing this is key because each type has a different set of obligations in addition to those which they have in common, including:

  • A list of all the information they hold, including its source, who they share it with, what they do with it, how long they hold on to it, and where they keep it. They must have built-in data protection measures.
  • A privacy policy that shows the processes involving personal data as well as a lawful basis for collecting that data. This policy must be easily accessible to the public.
  • Technical security must be up to date. Perhaps even hiring a Data Protection Officer (more on this later).
  • Reporting data breaches to the local authorities within 72 hours.

Rights Of Data Subjects/Customers

Now that you’ve learned most of what you need to do to make your site one step closer to GDPR compliance, it’s time you learned what rights your customers have.

Which are rights to:

  • Transparency and Modalities– Give your customers transparency of information, communication, and modalities for the exercise of their rights.
  • Information– Provide information to your customers both where you collect their personal data directly from them and where you obtained it without doing so. Basically, tell them when you do or do not collect their data.
  • Access– Allow them access to their data that you collected.
  • Rectification– Allow your customers to correct any mistakes in the data they provided.
  • Erasure– They can have their data permanently erased when they revoke their consent, when a partner organization requests it, or when the agreement or services have been terminated. This is also called the “Right to be forgotten”, which even global giant “Google” was made to respect.
  • Portability– Let them obtain and reuse their own data for their own purposes across different services.
  • Object– The absolute right to object to their data being used for direct marketing purposes and for processing in certain circumstances. You also have to inform them of their right to object and you have one calendar month to respond to their objection. Note: there are situations where you can continue processing their data if you provide a compelling reason to do so.
  • Automated individual decision-making, including profiling– This simply means that the GDPR and the rights above also apply to all automated individual decision-making, including profiling.

Do I Need a Data Protection Officer?

Finally:

One of the suggested ways to ensure your GDPR compliance is to hire a Data Protection Officer (DPO).

But:

You won’t need one unless your business or organization falls under any of these categories:

  • Public authorities
  • Organizations that engage in large-scale systematic monitoring
  • Organizations that engage in the large-scale processing of sensitive personal data

Conclusion

To sum up:

The GDPR affects most businesses around the world. If you want your site to be compliant, you have to know the GDPR law better and make sure that you comply with the obligations that it sets for your type of business.

For more information on the GDPR law, you can visit the ICO site here.

Facebook Cambridge Analytica Scandal Aftermath

Unless you’ve been living under a rock for the last few years, odds are you’ve heard about the whole Facebook-Cambridge Analytica Scandal, where private data from 87 million Facebook users was allegedly used by Cambridge Analytica and politicians to influence voter opinion.

Today I’m going to show you what happened after the whole situation and what you can do to prevent a “repeat performance”.

So, hold on to your seats, folks because here we go!

Summary

First:

Let’s start from the very beginning.

The whole story began in 2013 when Aleksandr Kogan, an academic who worked for Cambridge Analytica, developed and built a personality test app called thisisyourdigitallife, separately from the work he did at Cambridge University.

He then collaborated with Cambridge Analytica, which paid hundreds of thousands of Facebook users to take the test while agreeing to have their data collected.

They claimed that this data was collected only for academic use.

However, not only did the app collect the information of the test-takers but it also collected the data from all their Facebook friends.

Under Facebook’s “platform policy”, the app was allowed to collect friends’ data to improve the app user’s experience, but the policy barred this data from being sold or used for advertising.

This led to the collection of data from not just hundreds of thousands of Facebook users but tens of millions!

These acts only became known to the public after The Guardian reported in December 2015 that US Senator Ted Cruz was using data from Cambridge Analytica to influence voters for his presidential campaign.

It was later found that the data from Cambridge Analytica helped Trump win the 2016 presidential election and even influenced the Brexit vote.

The whistleblower was later on identified as Christopher Wylie– a former Cambridge Analytica employee. He revealed that Cambridge Analytica actually collected private data from over 87 million Facebook users!

Fear soon spread among the public that their private data had allegedly been used to influence voter opinion on behalf of the politicians who hired Cambridge Analytica.

This sparked a public outrage against Facebook and Cambridge Analytica, which led to Facebook founder Mark Zuckerberg making public apologies amid public outcry and falling stock prices.

He was then called to testify before the US Congress, during which Zuckerberg apologized and accepted full responsibility for what happened.

He went on to say that it was only in 2015 that he became aware that Kogan had shared the private data he collected with Cambridge Analytica. He added that Cambridge Analytica was later asked to remove all the data (The Guardian, The New York Times and Channel 4 later found that it had not in fact been deleted).

Zuckerberg then said that with the rapid increase in Facebook users there was a need for more security measures to ensure the protection of their data, and that Facebook had taken action to improve this protection.

What Has Happened Since Then

Now:

You’ve caught up with the whole story, so the next question to ask is:

How has this issue affected Facebook, Cambridge Analytica, governments around the world, and the public in general?

Facebook

Mark Zuckerberg has made an apology on CNN. He called the issue “a mistake” and “a breach of trust” and pledged to make changes and reforms for the better protection of the private data of Facebook users.

A survey in March 2018 reported that only 41% of users trusted Facebook.

In April, Facebook implemented the EU’s General Data Protection Regulation across all areas of operation and not just those in the EU.

Later on, Facebook released its first earnings report since the scandal. It showed that revenue had fallen since the previous quarter, but this was not unusual as it followed the holiday season quarter.

Its quarterly revenue was still the highest ever for a first quarter, and the second highest overall.

Facebook then announced, during its annual developer conference, its intention to build a “Clear History” tool. This tool will allow users to delete their browsing data from Facebook’s servers, which prevents that data from being used to target them with ads.

Cambridge Analytica

In April 2018, Aleksandr Kogan apologized for his role in the scandal stating that at the time he didn’t know what he was doing was wrong and that now he believes that the core idea they had that “Everybody knows, nobody cares” was flawed.

In May 2018, The Information Commissioner’s Office (ICO), the UK’s data regulator, refused to let Cambridge Analytica get off scot-free. It served London-based SCL Elections Ltd, the firm’s affiliate company, with a legal notice to hand over all the data it holds on US-based voter Professor David Carroll, a media design professor at Parsons School of Design in New York City.

SCL was given 30 days to comply. Failure to do so is a criminal offence, punishable in the courts by an unlimited fine!

The Indian and Brazilian governments have since demanded that Cambridge Analytica report how anyone used data from the breach in political campaigning.

Governments

In April 2018, the Canadian House of Commons opened a formal investigation into the matter.

Daniel Therrien, the privacy commissioner of Canada, called for stronger regulations to protect Canadians’ data and for his agency and the election agency to have the ability to make and enforce orders.

He went on to say that “The time of self-regulation is over,” and that “Transparency and accountability are necessary, but they are not sufficient.”

Although Canadian Facebook users were not as affected by the scandal as US users, they were still not immune: a CBC report said that the data of about 600,000 Canadians was collected by Cambridge Analytica.

In May 2018, the UK Parliament held talks with Zuckerberg, but it wasn’t satisfied and stated that the one-hour session only yielded 10 minutes of answers. “He merely repeated what he said in his opening statement.”

Just recently, the government of Papua New Guinea announced that it was shutting down Facebook for one month to better assess the benefits versus risks of Facebook for its citizens, specifically regarding pornography and fake accounts.

Public in general

US citizens in several jurisdictions have filed lawsuits in their local courts over the data breach.

Amazon has said that it suspended Cambridge Analytica from using Amazon Web Services after learning that Cambridge Analytica was using the service to collect private information.

The Takeaway

In the end:

Although the problem stemmed from Facebook and Cambridge Analytica’s actions, perhaps we, as users, should look more closely at an app’s fine print and permissions for our own sake.

How Free VPNs Sell Your Data

If you’ve read my post about the 13 steps to improve your privacy online, you would have read the part where I talk about using a VPN.

Before you do, let me just issue a word of caution:

Try not to use a free VPN.

Why?

Because most free VPNs sell your data without telling you!

Remember:

If the company behind the VPN is not making money off their product, this typically means that you’re the product– and they make money on you.

This is why I’ve made a list of some free VPNs that (at least) admit that they sell your data and I hope this will help you decide whether or not a free VPN is worth your online privacy.

Ten VPNs That Admit to Selling Your Data

1. Betternet (38 million users)

Betternet is a relatively new VPN that has quickly risen in popularity.

They tell you that they make money by offering free sponsored apps and through videos and other ads. They also allow advertisers to track and log your information.

[Image: Betternet terms of service]

2. FinchVPN

Apart from being one of the more secure VPNs out there, they also offer a substantial 3GB of monthly data.

They make money by sharing your user activity data with third parties.
They also limit the number of servers you can access in order to get you to upgrade.

[Image: FinchVPN terms of service]

3. Hola (150+ million users)

[Image: Hola terms of service, part 1]

Hola is unsurprisingly one of the most popular free VPNs by offering free unlimited data without ads.

However:

A group of security researchers have said “Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or “unblocker”, but in reality, it operates like a poorly secured botnet – with serious consequences”.

Hola may turn your computer into an exit node and sell access to your computer and network to third parties through Luminati– their commercial brand.

How do you opt out of this scheme?

Subscribe to their premium subscription.

But, just when you thought it couldn’t get any worse:

It seems Hola can be exploited to allow anybody to execute programs on your computer!

Now:

If you’re like me and immediately visited the Hola FAQ page, you may wonder where all of the above was said.

Well:

If you read through the findings of the group of researchers that I mentioned above, you’ll discover that Hola actually tried to change history quietly once the media started getting involved.

They also make it clear in their terms of service that by using Hola you become a peer on their paid Luminati network — in other words, access to your computer could be sold to people paying to use their services.

[Image: Hola terms of service, part 2]

4. HotSpot Shield (500+ million users)

Hotspot Shield is hands down the most popular free VPN service.

With that many users, HotSpot becomes a goldmine– both for users and advertisers.

While they make it clear in their terms of service that they display ads to free users (which they display in front of apps and websites you use), they also make money off users through other means— like sharing free user data and redirecting their traffic to third-party affiliate sites.

[Image: Hotspot Shield terms of service]

5. HoxxVPN (5+ million users)

HoxxVPN is a popular VPN.

But:

If you manage to read through its long and confusing logging policy (it may take a few attempts), you’ll find that HoxxVPN makes money on you by logging your information for their own purposes and sharing it with third parties.

[Image: HoxxVPN terms of service]

6. Opera VPN

Once you install the Opera browser, you instantly gain access to the free Opera VPN.

Its privacy policy tells you that it shares your data with third parties and marketing partners and allows them to monitor your data.

[Image: Opera VPN terms of service]

7. Onavo Protect

Onavo Protect is owned by Facebook so it isn’t shocking that they were recently in the news for their data usage practices.

Onavo does say that they log user data and share this information with affiliates and third parties.

They make money on you by using your information for advertising and marketing purposes as well as displaying ads to you.

[Image: Onavo Protect terms of service]

8. Psiphon (1+ million users)

Psiphon has been a free VPN since 2008.

They’ve survived over ten years by sharing your data with advertisers, letting advertisers track your data usage, and displaying ads.

[Image: Psiphon terms of service]

9. TouchVPN

TouchVPN is another sketchy free VPN.

While they do state that they share your “anonymous” data with third parties for marketing purposes, they don’t say what “anonymous data” includes.

They make money on you by adding Cookies, Pixel Tags, and Web Beacons to your browser while using their service.

[Image: TouchVPN terms of service]

10. ZPN (8+ million users)

ZPN is another popular VPN.

They offer a whopping 10GB of monthly data– which is nothing to sneeze at.

They make money on you by sharing your data with their affiliates.

They also try to get you to upgrade to a paid plan by limiting your bandwidth and data, disabling P2P and torrenting, as well as limiting you to just 5 locations.

[Image: ZPN terms of service]

Conclusion

In the end:

I can’t say I recommend using free VPNs.

When dealing with them, always remember to read the fine print, and if it’s too good to be true, it probably is.

13 Steps to Improve Your Online Privacy

“How do I protect my privacy online”?

Online privacy has become a lot more important to ordinary people these days, especially in the aftermath of the Facebook Cambridge Analytica scandal.

Do you feel that your private information is really private?

Don’t worry. In this post, I’ll show you how to improve internet security in just 13 steps!

So, let’s begin!

Your Phone


  1. Lock your screen

This one’s a no-brainer. By locking your screen every time you’re not using your phone, you’re making it harder for other people to access any of your online accounts should they get hold of your phone.

  2. Protect your password

Use strong passwords especially for sensitive accounts (like email, online banking, and cloud storage).

When choosing a strong password, always remember that while longer is better, most times a complex password is better than a long one.

That said, why not have both and make your password long and complex!

Use capital letters, numbers, and symbols (if allowed) and randomly place them in your password (Here’s an example: Compl3xity_>_L3ngth!).

Now:

If you find it hard to memorize all your different passwords, consider using a password manager app. It will keep track of your passwords and you’ll never need to write them down on a piece of paper that could get stolen.

Also:

Consider turning on two-factor authentication to make sure that you are informed each time someone logs into one of your accounts.

Finally:

In case you do suffer a privacy breach, remember to change your password ASAP.

  3. Review permissions

Watch out for apps that request permission for things that are more than necessary for their function.

Weigh its importance before you download it.

Why would a photo editor app need access to your location all the time?

If you find apps on your phone that request these permissions, consider uninstalling them.

Your Computer

  4. Update operating systems

Operating system vendors release updates when they discover security issues. Hackers will quickly exploit these issues before users install the updates.

However:

Most users often forego installing these updates when they become available– most of the time because of inconvenience.

If you want to protect your private information, always install updates when they become available.

  5. Clear Cookies regularly

Cookies are small text files on your computer that hold data connected to your activity on a website, such as your preferences, your shopping cart, and whether you are kept logged in to the site.

You can’t avoid cookies altogether, as that would make certain sites (like social networks and online shops) impossible to use, but you can clear cookies regularly to prevent websites from accessing older cookies– thus making it harder to track your online activity.

  6. Use a Guest Account on Windows

By using a guest account instead of an administrator account, you’re limiting any malware damage to that specific guest account.

  7. Keep your User Account Control on

Your UAC monitors the changes that happen in the system and asks for your permission before allowing these changes. It also alerts you to important events like installing or uninstalling an app.

It makes sure that these events don’t make changes to your computer without your permission thereby nipping untrustworthy software in the bud.

  8. Block location data

Sites these days can use location data to target you with advertisements. Even mapping apps can be used to identify you based on your whereabouts.

To avoid this, see if your browser allows you to toggle location data off.

Browsing the Internet

  9. Use SSL connections

SSL connections prevent prying eyes from viewing your web traffic.

By using sites that support SSL, you’re making sure that anyone sniffing around for your packets will go home empty handed.

To check if you’re using an SSL connection, check for a closed green padlock and “https” before the URL.

  10. Go Incognito

One of the easiest ways to protect your online privacy is using “incognito mode” on your browser.

This prevents people who use the same device from seeing your activity like your browsing history, cookies and site data, and information entered in forms.

  11. Use the TOR browser

If you want to know how to stay anonymous on the internet, using the TOR browser should be at the top of your list.

The TOR browser bounces your connection three times before it arrives at the server you’re looking for. By doing this, the TOR browser makes sure that whatever site you visited will not be traced back to you.

  12. Use a VPN

Another way to protect your online browsing is by using a VPN.

The connections your computer makes on the web are usually public, easily intercepted, and viewable by every server your connection makes contact with.

Using a VPN ensures that your IP is kept safe from prying eyes by routing your connection to the VPN server before arriving at its destination. This makes it that much harder to track you down.

  13. Don’t trust free public wifi

Using free public wifi raises many privacy concerns because you don’t know who runs the hotspot, what the setup is, or what information it logs. It may even be a duplicate of the real wifi that you wanted to connect to.

Conclusion

At the end of the day:

These internet privacy tips are just the methods I’ve used to improve my online privacy and I hope that by sharing them I have helped you to better protect your online browsing.