Thursday, February 24, 2022

Thoughts on taking the CISSP exam - 2

Plan Your Dive, Dive By Your Plan

That is the motto of the Divers Alert Network, and I think it is very appropriate here... and on job interviews.

One thing I did not add to the original post on taking the CISSP exam is that on the day before the exam, I drove to it about the same time I expected to leave. Reason is that I wanted to know where the place was and how long it would take so I would be there 30min or so before it started. In other words, I wanted to eliminate a source of pre-test stress.

Without further ado, here are the real pictures I took that day:

  1. First, here is the building. After driving there on the day before, I decided to leave home 15 minutes earlier to account for the traffic I saw. Also, I am glad I did the dry run since on the exam day, when I drove into the road that leads to the parking lot where the building is located, it was packed. I then realized by looking at the vehicles that they were going to the construction site I had noticed on the previous day, so I was able to go around them instead of sitting there and missing my appointment.

    If you are not driving there, it is even more important to figure out how to get to the test site well in advance. Imagine if you need to take a few trains and maybe a subway or a tram in the process? Are their schedules reliable? If you miss one of those public transports, how long will you have to wait until the next?

  2. Once inside, I was very happy to find out there was a nice sign pointing to where the Pearson VUE office was. Nice touch, Pearson VUE!
  3. The actual office where the exam took place was down the corridor. I also took the opportunity to find out where the bathroom is. Remember you can take bathroom breaks; it might be wise to find its location so you do not waste valuable exam time hunting for it when you really need to go.

    Incidentally, there was a water fountain across the corridor from the bathroom.

  4. On exam day, I had no problem getting there ahead of time. In fact, I was so far ahead of time that the suite was still locked. By then a few more candidates, for other exams it turned out, had shown up. We chatted a bit until they let us in. And it was smooth sailing until the exam started.

TL;DR: Make your life easier! Eliminate as many variables before the exam as you can.

Sunday, February 20, 2022

GDPR, France, Schrems II, and Google Analytics

If you grew up in the United States, you may recognize the picture below and remember television ads (yes, I have watched network television with commercials) that would push some trinket (think along the lines of a "belt that doubles as a straw" or a "self-cleaning shoe rack" which in fact is really complicated). When it came time in the ad to say how much it was and how to order it, there was always a "But wait! There is more!" segment where they would bundle in more junk in the hope that viewers would think they were getting a deal.

With that piece of Americana in mind, we will start this article by asking if you remember when we talked about how the Austrian Data Privacy Authority (DSB) decided Google Analytics is not GDPR-compliant. You do? Great!

But wait! There is more!

Earlier this month the French Data Privacy Authority (Commission Nationale de l'Informatique et des Libertés, or CNIL for those like me who are not typing-trained) concluded, after receiving a complaint from the NOYB association regarding a French website using Google Analytics, that the data transfers performed by Google Analytics are illegal in France. The reasoning is the same as that of their Austrian counterpart: Schrems II, as in there are not enough safeguards to protect the data collected from European Union residents from US intelligence agencies.

Workarounds

We mentioned them before, so let's just focus on the most important ones:

  1. Stop using Google Analytics; it violates GDPR Article 44. Google Ireland does not cut it.
  2. If you really need the functionality provided by Google Analytics, find a tool that does not transfer data outside the EU.
  3. Any data collected by a Google Analytics-like but GDPR-friendly program should either be immediately anonymized (before being fed to the analytics program), have a Legitimate Purpose as defined in GDPR Article 6, or require explicit consent from the data subject.

According to the CNIL ruling, the French website in question has 1 month to comply.

Given that NOYB has filed complaints in the 27 European Union Member States and the three other states belonging to the European Economic Area (EEA), expect more of these decisions to come.

Saturday, February 5, 2022

GDPR, Austria, Schrems II, and Google Analytics

EU vs Google Analytics. EU flag and Google Analytics logo copyright of its respective owners

By now you may have learned that if you are a European company, or a company which does business with European residents, you really should not be using Google Analytics. A case in point happened on October 2nd, 2020 when, according to The Register, the Austrian Data Protection Authority (Datenschutzbehörde or DSB) received a NOYB-sponsored complaint regarding NetDoktor, a website which offers medical knowledge and health information. It also has versions of this website in English (TLD ".uk") and Danish (TLD ".dk"); there may be more but I could not be bothered to look for them. Because this Hubert Burda Media-owned website is financed through advertising and licensing, it chose to use Google Analytics, probably (educated guess here!) to track what each of its users has done during their visit:

  • Identifiers
  • IP address
  • Browser version, operating system, and other system identifying parameters
  • Which pages were read
  • How much time was spent on each page

Per the General Data Protection Regulation (GDPR), this kind of personal data collection is not viewed as a Legitimate Purpose as defined in Article 6, so it needs explicit permission from the data subject. One should also note that because of the service provided by this website, the personal data collected using Google Analytics, unless properly anonymized, may be used to infer the medical condition of the data subject -- which is one of the special categories of personal data per GDPR.

It gets better:

  1. Google is an American company, so it must follow the US CLOUD Act of 2018 and section 702 of the FISA Amendments Act of 2008, which allows US intelligence agencies to collect any personal data stored in servers owned by US businesses that are identified as an "electronic communication service provider" by 50 U.S. Code § 1881(b)(4) without the need for a warrant.
  2. Google cannot protect the personal data being collected by Google Analytics on the NetDoktor website well enough to satisfy Article 44 (transfer of data to be processed in a country outside the European Union or European Economic Area).
  3. Google cannot base the data transfer on standard data protection clauses, as the US does not ensure adequate protection.
  4. And that means this personal data transfer between NetDoktor and Google violates the Schrems II decision of 2020, where the European Court of Justice (ECJ) declared the Privacy Shield mechanism was not a valid means of transferring data between the EU/EEA and the US.

As a result, the DSB declared this data transfer illegal.

Some EU and US companies may have tried to work around these limitations by using Standard Contractual Clauses to transfer data between them. That does not satisfy Schrems II.

What can I do as a US business?

The ideal solution is for the US to adopt privacy laws that are closer to those in the EU. Until that happens,

  • What if I run a website that is not offering a product or a service specifically directed to an EU or EEA resident, like a blog? Even though technically you would not be subject to Article 3 of GDPR, you have no reason to collect any personal data. Let's use Blogger, which is owned by Google, as an example. According to Google's documentation, to use Analytics with Blogger you must
    1. Sign up for an analytics account
    2. Add analytics tracking to blogger.

    Continuing with the Blogger theme, is Google honoring your decision not to collect data? I.e., does it collect any other additional data from the blog users that it has not divulged to the blog owner? Good question; IMHO the onus here would be with Google.

  • What if I am providing services/products targeted at EU/EEA residents? You fall into Article 3, so
    1. Minimize the amount of personal data you have to collect. Remember you are still subject to the CLOUD Act.
    2. Avoid using cookies or other forms of analytics to collect data you do not need to provide the service to your customers. Remember the Legitimate Purpose (Article 6).
    3. If you really need the functionality provided by Google Analytics, find a tool that does not transfer data outside the EU.
    4. Anonymize any data you can as soon as possible. Remember that anonymization is not tokenization or pseudonymization.
    5. Process and store any personal data in an EU server, ideally one not owned by an American company identified as "electronic communication service provider" by 50 U.S. Code § 1881(b)(4).
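
The "anonymize before feeding the analytics program" advice above, and in the Workarounds list of the French post, hinges on the difference between anonymization and pseudonymization. The following is an added example, not code from the blog or from any analytics product: it takes a constructed analytics event with the fields listed earlier (identifier, IP, browser, page, time) and contrasts an irreversible anonymization with a keyed-hash pseudonymization that whoever holds the key can still re-link to a person. The event values and the key are constructed for the demo.

```python
"""Anonymization vs pseudonymization of a web-analytics event (added example)."""
import hmac
import hashlib
import ipaddress

# Constructed sample event in the shape of what an analytics tool collects.
SAMPLE_EVENT = {
    "client_id": "GA1.2.123456789.1644000000",        # constructed identifier
    "ip": "203.0.113.45",                              # RFC 5737 documentation range
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/97.0",
    "page": "/articles/diabetes-diet",
    "timestamp": "2022-02-05T14:37:52Z",
}


def anonymize(event):
    """Irreversible: drop identifiers and keep only coarse fields.
    IPv4 is cut to its /24 network, IPv6 to /48, and the timestamp to the hour,
    so nothing left in the record points back to one visitor."""
    ip = ipaddress.ip_address(event["ip"])
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return {
        "ip_prefix": str(net),                        # e.g. "203.0.113.0/24"
        "page": event["page"],
        "hour": event["timestamp"][:13] + ":00Z",    # "2022-02-05T14:00Z"
    }


def pseudonymize(event, key):
    """Reversible by whoever holds `key`: the IP is replaced by a keyed hash.
    The record is still personal data under GDPR because it can be re-linked."""
    tag = hmac.new(key, event["ip"].encode(), hashlib.sha256).hexdigest()
    out = dict(event)
    del out["client_id"]
    out["ip"] = tag
    return out


def relink(pseudonym, key, candidates):
    """Shows why pseudonymization is not anonymization: with the key and a
    list of candidate IPs, the key holder recovers the original address."""
    for ip in candidates:
        tag = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, pseudonym):
            return ip
    return None
```

Run this before the event reaches the analytics tool; once the raw record has left for a non-EU server, anonymizing it afterwards does not undo the transfer.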

TL;DR

Don't use Google Analytics.