Robin’s Newsletter #265

16 July 2023. Volume 6, Issue 29
EU and US adopt new privacy framework for personal data transfers. Microsoft email systems breached by Chinese APT group. Poisoned AI models and disinformation.

This week

New EU-US Data Privacy Framework agreement

  • Three years after a European court deemed the EU-US Privacy Shield agreement inadequate (vol. 3, iss. 29) to protect personal data transferred outside the EU bloc, a new agreement has been formally adopted by the European Union and the United States of America.
  • The EU-US Data Privacy Framework follows lengthy negotiations over the disparities between the protections afforded to EU citizens under GDPR and the US’ lack of meaningful Federal regulation of data use. In particular, the US is establishing a new data protection review court as a safeguard for EU citizens seeking redress if they believe their data has been collected illegitimately. (Given the secretive nature of espionage, I’m not sure how the individual is meant to know that the US surveillance apparatus has been collecting and processing their data.)

Under the agreement, U.S. tech companies are obligated “to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continuity of protection when personal data is shared with third parties,” according to a European Commission press release.

  • Max Schrems, the privacy lawyer who brought the cases that led to Privacy Shield (and Safe Harbor before it) being struck down, is quoted as saying he will appeal the decision: “We would need changes in US surveillance law to make this work and we simply don’t have it”.

Chinese attackers breached Microsoft Exchange Online

  • Chinese state-backed attackers gained access to US Commerce Secretary Gina Raimondo’s email account. Microsoft says the intrusion was carried out by forging authentication tokens.
  • The attack affected around 25 organisations in total. The attackers used an ‘acquired’ Microsoft consumer-account (MSA) signing key, which is only meant to sign tokens for consumer services such as Outlook.com, to forge tokens that the enterprise Azure AD side accepted when it should have rejected them as invalid.
  • Microsoft didn’t provide details on how the Chinese APT group acquired the consumer key, or how the separation between consumer and enterprise systems was breached. Presumably, they weren’t entirely as separate as thought. Microsoft has also come under fire for the lack of transparency around the vulnerabilities in its code or infrastructure that were exploited, and for ‘pay-to-play’ security: the logs required to detect the intrusion are only included in the top-end E5 licence.
  • The breach occurred in the second half of May and early June, ahead of a US diplomatic trip to China and was presumably for intelligence purposes.
  • A 207-page report published this week warned British Members of Parliament (MPs) that Chinese state-sponsored attackers ‘frequently’ target them, and described the resources devoted to the problem as “completely inadequate”.
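The failure mode described above, a signing key from one trust domain being honoured in another, is easy to reproduce in miniature. The example below is added here and is not code from the newsletter, from Microsoft, or from any real identity product: it uses HMAC (HS256) rather than the asymmetric keys real token services use, and every key name, issuer URL, tenant and account name in it is made up. A naive validator looks the token’s `kid` up in one merged key set and checks only the signature, so a token forged with the consumer key but carrying enterprise claims passes; the hardened validator also requires the key to be bound to the issuer the service trusts.

```python
"""Key-scoping check for token validation (added illustration, constructed data).

Simplification: HS256/HMAC is used so the example is self-contained. Production
identity systems use asymmetric signing keys, but the bug pattern is identical.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key material. Each key is bound to the issuer whose tokens it may
# sign; that binding is exactly what the naive validator ignores.
CONSUMER_ISSUER = "https://login.example/consumers"    # hypothetical
ENTERPRISE_ISSUER = "https://login.example/enterprise"  # hypothetical
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret-0001", "issuer": CONSUMER_ISSUER},
    "enterprise-key-1": {"secret": b"enterprise-secret-0001", "issuer": ENTERPRISE_ISSUER},
}


def sign_token(claims: dict, kid: str) -> str:
    """Mint an HS256 JWT with the named key (also stands in for the attacker's forge)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}", _b64url_decode(s)


def _signature_ok(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def naive_validate(token: str) -> Optional[dict]:
    """Flawed: any key the validator knows about is trusted for any token.
    The kid is looked up in a single merged key set and only the signature is
    checked, so a consumer-key signature vouches for enterprise claims."""
    header, claims, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key["secret"], signing_input, sig):
        return None
    return claims


def strict_validate(token: str, expected_issuer: str = ENTERPRISE_ISSUER) -> Optional[dict]:
    """Hardened: the key must be bound to the issuer this service trusts, and the
    token's own iss claim must match, before the signature counts for anything."""
    header, claims, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or key["issuer"] != expected_issuer:
        return None  # a real key, but not one allowed to sign for this trust domain
    if claims.get("iss") != expected_issuer:
        return None
    if not _signature_ok(key["secret"], signing_input, sig):
        return None
    return claims


def forge_enterprise_token() -> str:
    """Attacker holds only the consumer key but writes enterprise claims into the token."""
    claims = {"iss": ENTERPRISE_ISSUER, "tid": "contoso-tenant", "sub": "secretary@contoso.example",
              "scp": "Mail.Read"}
    return sign_token(claims, kid="consumer-key-1")


if __name__ == "__main__":
    forged = forge_enterprise_token()
    print("naive  :", naive_validate(forged))   # forged claims come back as valid
    print("strict :", strict_validate(forged))  # None: consumer key rejected for enterprise
    legit = sign_token({"iss": ENTERPRISE_ISSUER, "tid": "contoso-tenant", "sub": "alice@contoso.example"},
                       kid="enterprise-key-1")
    print("strict legit:", strict_validate(legit))
```

The detection-side corollary is the one the newsletter raises about licensing: a forged token is indistinguishable from a legitimate one at the signature level, so the only places it shows up are the issuer’s own key-usage telemetry and the resource’s access logs, which is why access to those logs matters.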

Interesting stats

3x increase in attacks using infected USB sticks, say Mandiant, though they neglect to say from what base. (I’m assuming pretty low, in the grand scheme of things).

Other newsy bits / in brief

And finally

  • Authentication incidents haven’t slowed down Microsoft’s product marketing team, which has renamed Azure AD to Entra ID to ‘simplify and unify’ its identity and authentication product family. The announcement also introduced a pair of zero trust offerings in the secure web gateway and secure access service edge (SASE) categories, called Entra Internet Access and Entra Private Access respectively.

Azure AD / Entra ID get the meme treatment (Source: @janbakker_)



  Privacy Data Protection Privacy Shield Safe Harbor EU-US Data Privacy Framework Max Schrems China Espionage Microsoft PoisonGPT Artificial Intelligence (AI) Large Language Model (LLM) Decoupling Balkanisation UEFI