Daily Digest (5/28)

Sen. Ron Wyden Opposes Reworked FISA Amendment; Researchers: Internet-Connected Security, Doorbell Cameras Contain Privacy Flaws; Bank of America Breach Affects Paycheck Program Applicants; Human Rights Watch: Russian Federal Database Threatens Privacy.

Sen. Ron Wyden Opposes Reworked FISA Amendment

U.S. Sen. Ron Wyden, D-Ore., withdrew his support for an amendment to the Foreign Intelligence Surveillance Act that generally would have barred authorities from collecting web-browsing data without a FISA warrant.

But the amendment submitted for consideration by the Rules Committee of the House of Representatives applied such restrictions more narrowly, The Hill reports.

“It is now clear that there is no agreement with the House Intelligence Committee to enact true protections for Americans’ rights against dragnet collection of online activity,” Wyden said in a statement.

The amendment was sponsored by Democratic Reps. Zoe Lofgren, Calif., and Warren Davidson, Ohio, and was attached to a bill reauthorizing three expired surveillance programs under the USA Freedom Act.

The measure had been put forward as a House version of one from Wyden and Sen. Steve Daines, R-Mont., that missed by one vote in the Senate.

The Senate amendment would have broadly blocked law enforcement from gathering web browsing history without a FISA warrant, but the amendment submitted to the House Rules Committee for consideration Tuesday, after days of negotiations, applied the protection more narrowly, The Hill reports.

Source (external link):

The Hill: Key Senate Democrat withdraws support from House measure on web browsing data

Researchers: Internet-Connected Security, Doorbell Cameras Contain Privacy Flaws

Florida Tech computer science student Blake Janes and two faculty researchers have identified “systemic design flaws” in internet-connected doorbells and security cameras that allow continued access to the video feed of a removed account.

Janes has notified 11 manufacturers, including Ring and Nest, of the issue, Tech Xplore reports.

He and two Florida Tech faculty members said their analysis “suggests there is a long road ahead for vendors to implement the security and privacy of (internet-of-things) produced content.”

In his research, Janes discovered that the mechanism for removing user accounts did not work as intended on many camera systems because it did not remove active user accounts.

This could allow potential “malicious actors” to exploit the flaw to retain access to the camera system indefinitely, covertly recording audio and video in a substantial invasion of privacy or instances of electronic stalking.

Sources (external links):

Tech Xplore: Student finds privacy flaws in connected security and doorbell cameras
Link to Study: Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices

Bank of America Breach Affects Paycheck Program Applicants

Bank of America Corp. said a breach last month affected clients who had applied for the federal Paycheck Protection Program (PPP). 

The data, which included details about individual businesses and their owners, was exposed on April 22 when the bank uploaded PPP applicant details onto the U.S. Small Business Administration’s test platform, InfoSecurity Magazine reports.

The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications began.

BofA revealed the breach in a filing to the California Attorney General’s Office. As a result, other SBA-authorized lenders and their vendors could view client information.

Other exposed information might have included business addresses and tax identification numbers — along with owner names, addresses, Social Security numbers, telephone numbers, email addresses and citizenship statuses.

BofA, based in Charlotte, N.C., said access to the information was limited, though it did not share specifics about who was affected by the breach — only that a “small number” of clients were impacted.

More than 305,000 PPP relief applications have been processed by the bank with the SBA.

“There is no indication that your information was viewed or misused by these lenders or their vendors,” a bank representative said, according to InfoSecurity. “And your information was not visible to other business clients applying for loans, or to the public, at any time.”

Source (external link):

Infosecurity: Data Breach at Bank of America

Human Rights Watch: Russian Federal Database Threatens Privacy

Human Rights Watch said that a law creating a “uniform federal database” would threaten the right to privacy and weaken personal data protections in Russia.

The database would contain birth certificates, passport details, gender changes, taxpayer information and more data on the entire population.

It would be operated by the Federal Tax Service, and data could be shared with election commissions and law enforcement.

The law was adopted by the Russian Parliament’s lower chamber on May 21.  

Source (external link):

IAPP: Russian federal database threatens privacy

— By DPN Staff