Spain’s New Who Defends Your Data Report Shows Robust Privacy Policies But Crucial Gaps to Fill

ETICAS Foundation’s second ¿Quien Defiende Tus Datos? (Who Defends Your Data?) report on data privacy practices in Spain shows how Spain’s leading Internet and mobile app providers are making progress in being clear about how users' personal data is being protected. Providers are disclosing what information is being collected, how long it’s being kept, and who it’s shared with. Compared to Eticas' first report on Spain in 2018, there was significant improvement in the number of companies informing users about how long they store data as well as notifying users about privacy policy changes.

The report evaluating policies at 13 Spanish Internet companies also indicates that a handful are taking seriously their obligations under the new General Data Protection Regulation (GDPR), the European Union’s data privacy law that sets tough standards for protecting customers’ private information and gives users more information about and control over their private data. The law went into effect in December 2018.

But the good news for most of the companies pretty much stops there. All but the largest Internet providers in Spain are seriously lagging when it comes to transparency around government demands for user data, according to the Eticas report released today.

While Orange commits to notify users about government requests and both Vodafone and Telefónica clearly state the need for a court order before handing users’ communications to authorities, other featured companies have much to improve. They are failing to provide information about how they handle law enforcement requests for user data, whether they require judicial authorization before giving personal information to police, or if they notify users as soon as legally possible that their data was released to law enforcement. The lack of disclosure about their practices leaves an open question about whether they have users’ backs when the government wants personal data.

The format of the Eticas report is based on EFF’s Who Has Your Back project, which was launched nine years ago to shine a light on how well U.S. companies protect user data, especially when the government wants it. Since then the project has expanded internationally, with leading digital rights groups in Europe and the Americas evaluating data privacy practices of Internet companies so that users can make informed choices about to whom they should trust their data. Eticas Foundation first evaluated Spain’s leading providers in 2018 as part of a region-wide initiative focusing on Internet privacy policies and practices in Iberoamerica. 

In today’s report, Eticas evaluated 13 companies, including six telecom providers (Orange, Ono-Vodafone, Telefónica-Movistar, MásMóvil, Euskatel, and Somos Conexión), five home sales and rental apps (Fotocasa, Idealista, Habitaclia, Pisos.com, and YaEncontré), and two apps for selling second-hand goods (Vibbo and Wallapop). The companies were assessed against a set of criteria covering policies for data collection, handing data over to law enforcement agencies, notifying customers about government data requests, publishing transparency reports, and promoting user privacy. Companies were awarded stars based on their practices and conduct. In light of the adoption of the GDPR, this year’s report assessed companies against several new criteria, including providing information on how to contact a company data protection officer, using private data to automate decision making without human involvement and build user profiles, and practices regarding international data transfers. Eticas also looked at whether they provide guidelines, tailored to local law, for law enforcement seeking user data.

The full study is available in Spanish, and we outline the main findings below. 

An Overview of Companies' Commitments and Shortcomings

Telefonica-Movistar, Spain’s largest mobile phone company, was the most highly rated, earning stars in 10 out of 13 categories. Vodafone was a close second, with nine stars. There was a big improvement overall in companies providing information about how long they keep user data—all 13 companies reported doing so this year, compared to only three companies earning partial credit in 2018. The implementation of the GDPR has had a positive effect on privacy policies at only some companies, the report shows. While most companies are providing contact information for data protection officials, only four—Movistar, Fotocasa, Habitaclia, and Vibbo—provide information about their practices for using data-based, nonhuman decision making, and profiling, and six—Vodafone, MásMóvil, Pisos.com, Idealista, Yaencontré, and Wallapop—provide information only about profiling. 

Only Telefónica-Movistar and Vodafone disclose information to users about their policies for giving personal data to law enforcement agencies. Telefónica-Movistar is vague in its data protection policy, only stating that it will hand user data to police in accordance with the law. However, the company’s transparency report shows that it lets police intercept communications only with a court order or in emergency situations. For metadata, the information provided is generic: it only mentions the legal framework and the authorities entitled to request it (judges, prosecutors, and the police).

Vodafone’s privacy policy says data will be handed over “according to the law and according to an exhaustive assessment of all legal requirements”. While its data protection policy does not provide information in a clear way, there’s an applicable legal framework report that describes both the framework and how the company interprets it, and states that a court order is needed to provide content and metadata to law enforcement.

Orange Spain is the only company that says it’s committed to telling users when their data is released to law enforcement unless there’s a legal prohibition against it. Because the company didn’t make clear it will do so as soon as there's no legal barrier, it received partial credit. Euskatel and Somos Conexión, smaller ISPs, have stood out in promoting user privacy through campaigns or defending users in courts. On the latter, Euskatel has challenged a judicial order demanding the company reveal IP addresses in a commercial claim. After finally handing them over once the sentence was confirmed by a higher court, Euskatel filed a complaint with the Spanish data protection authority for possible violation of purpose limitation safeguards considering how the claimant used the data.

The report shows that, in general, the five home apps (Fotocasa, Idealista, Habitaclia, Pisos.com, and YaEncontré) and two second-hand goods sales apps (Vibbo and Wallapop) have to step up their privacy information game considerably. They received no stars in fully nine out of the 13 categories evaluated. This should give users pause and, in turn, motivate these companies to increase transparency about their data privacy practices so that the next time they are asked if they protect customers’ personal data, they have more to show.

Through ¿Quien Defiende Tus Datos? reports, local organizations in collaboration with EFF have been comparing companies' commitments to transparency and users' privacy in different Latin American countries and Spain. Earlier this year, Fundación Karisma in Colombia, ADC in Argentina, and TEDIC in Paraguay published new reports. New editions in Panamá, Peru, and Brazil are also on their way to spot which companies stand with their users and those that fall short of doing so. 


GorillaBot, an eight-servo racing quadruped

La Toulouse Robot Race is an annual racing event held in Toulouse, France, which includes a 10-meter autonomous sprint for multi-legged robots. The current record for quadrupeds is 42 seconds, so Sebastian Coddington decided to construct a robot in hopes of taking the category at the next race in January 2021.

His “GorillaBot” quadruped features limbs made from two-servo five-bar linkage systems, controlled using an Arduino Nano. In autonomous mode, the robot stays on course thanks to a magnetometer; however, if it does lose its way, an on-board ultrasonic sensor helps to keep it from crashing.

Apart from electronics and fasteners, the inexpensive build is completely 3D-printable, and assembly directions with some videos are available in the project write-up. From the demo clip below, the GorillaBot looks like it will be quite a competitor, and perhaps Coddington will even be able to enhance the design before the event!


How IoT device provisioning to the Arduino IoT Cloud works

This article was written by Luigi Gubello, Arduino Security Team.

Be kind to the end user. At Arduino, we like to develop powerful ideas into simple tools. This is the spirit behind our team’s efforts in launching our IoT Cloud platform: making the Internet of Things accessible and easy for everyone. We can now offer a complete low-code IoT application development platform that seamlessly integrates with our hardware products: Arduino IoT Cloud.

Behind such simplicity, you’ll always find a thorough design study carried out by our team in order to offer a user-friendly IoT cloud solution, which is suitable for everything from your first IoT project to state-of-the-art professional use — what the user needs to do is connect their compatible Arduino board to a computer and follow the steps displayed in the browser window. The process will configure the device to securely connect to the Arduino IoT Cloud, thus creating an Internet-connected device in minutes.

So how does Arduino IoT Cloud provisioning work?

TLS Client Authentication

In a previous blog post titled “Arduino Security Primer,” we began to introduce how the device provisioning works, showing how security is a fundamental requirement for us. The Arduino IoT Cloud security model is based on three key elements: an open-source library named ArduinoBearSSL, a Hardware Secure Element, and a device certificate provisioning for TLS Client Authentication. 

TLS Client Authentication (or TLS Mutual Authentication) is an authentication method in which the server verifies the client’s identity through a certificate to grant or deny access to the device. In the standard TLS handshake, only the client is required to authenticate the server, while in TLS Client Authentication the server also authenticates the client by verifying its identity. If the server cannot trust the client’s identity, it does not authorize the connection.

In the TLS Client Authentication system, the device’s credentials are replaced by a signed certificate that guarantees the device identity, thereby eliminating some security risks such as credential theft, weak passwords, or brute-force attacks. During the device provisioning process, a certificate — signed by our certificate authority — is stored inside the hardware secure element of supported Arduino boards to be used when identity verification is required.

ArduinoECCX08 Library

In order to communicate with the Microchip secure element (ATECC508A or ATECC608A) mounted on some Arduino boards, our engineering team developed an open-source library (ArduinoECCX08) which is used for device provisioning by the Arduino IoT Cloud. This library is responsible for writing and reading data from the secure element. In particular — during the provisioning stage — it manages the generation of private keys, certificate signing requests, and certificate storage. This library can also be used to generate self-signed certificates and to sign JWT, using the public key generated by the crypto chip.

Arduino Provisioning Sketch

IoT device provisioning for the Arduino IoT Cloud is performed by an open-source Arduino sketch, Provisioning.ino, contained in our ArduinoIoTCloud library. 

The entire device provisioning process is hidden behind a browser based user-friendly interface, so that users can quickly and easily connect their Arduino boards to the Arduino IoT Cloud by following a step-by-step procedure from the Getting Started page. During this process, the provisioning sketch is uploaded to the Arduino board and the open-source Arduino Create agent interacts with the browser content to help complete the device registration procedure. Taking a look at the provisioning source code to better understand what happens “behind the scenes,” it is possible to see how we use the hardware secure element.

The secure element’s slot 0 is used for storing the device private key; only the secure element can access its content. Slots 10, 11, and 12 are used for storing the compressed certificate, signed by Arduino’s certificate authority.

const int keySlot                                   = 0;
const int compressedCertSlot                        = 10;
const int serialNumberAndAuthorityKeyIdentifierSlot = 11;
const int deviceIdSlot                              = 12;

At first, the sketch configures and locks the hardware secure element. This process is required to begin using the device.

#include "ECCX08TLSConfig.h"

[...]

    if (!ECCX08.writeConfiguration(DEFAULT_ECCX08_TLS_CONFIG)) {
      Serial.println("Writing ECCX08 configuration failed!");
      while (1);  // halt: nothing else can proceed without a configured chip
    }

After the hardware secure element has been configured, a private key and a certificate signing request (CSR) are generated.

  // Start a CSR for the key in keySlot (0)
  if (!ECCX08Cert.beginCSR(keySlot, true)) {
    Serial.println("Error starting CSR generation!");
    while (1);  // halt on failure
  }

  String deviceId = promptAndReadLine("Please enter the device id: ");
  ECCX08Cert.setSubjectCommonName(deviceId);

  String csr = ECCX08Cert.endCSR();

The Create Agent takes the generated CSR and sends it to the server via the Arduino IoT Cloud API in order to receive a signed certificate. At this point the signed certificate is sent to the Arduino board and stored in the secure element.

  // Prepare the certificate slots (10 and 11) for writing
  if (!ECCX08Cert.beginStorage(compressedCertSlot, serialNumberAndAuthorityKeyIdentifierSlot)) {
    Serial.println("Error starting ECCX08 storage!");
    while (1);  // halt on failure
  }

[...]

  // Commit the compressed certificate to the secure element
  if (!ECCX08Cert.endStorage()) {
    Serial.println("Error storing ECCX08 compressed cert!");
    while (1);  // halt on failure
  }

Once the signed certificate is successfully stored, the device provisioning is complete and the Arduino board is ready to connect to the Arduino IoT Cloud.
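
The provisioning steps above (key generation, a CSR carrying the device id as common name, the CA signature, and the server's certificate check) can be reproduced off-device with the openssl command line. This is an added example, not Arduino's code: openssl stands in for both the secure element and the CA, and demo-ca, other-ca and device-0001 are constructed names.

```bash
#!/usr/bin/env bash
# Added example: openssl plays both the secure element and the signing CA.
# Every name, subject and device id here is constructed for illustration.

WORK="$(mktemp -d)"

# Minimal config so the commands behave the same across OpenSSL versions.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# make_ca NAME: self-signed P-256 CA, standing in for the provisioning CA.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null &&
  openssl req -x509 -new -config "$WORK/openssl.cnf" -key "$WORK/$1.key" \
    -sha256 -days 30 -subj "/CN=$1" -out "$WORK/$1.crt" 2>/dev/null
}

# make_csr DEVICE_ID: the beginCSR / setSubjectCommonName / endCSR step.
# On the board the private key never leaves slot 0; here it is a file.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null &&
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$1.key" \
    -sha256 -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_csr CA DEVICE_ID: before issuing, the CA checks proof of possession
# (the CSR self-signature) and that the requested CN is the expected device id.
sign_csr() {
  openssl req -config "$WORK/openssl.cnf" -in "$WORK/$2.csr" -noout -verify 2>&1 \
    | grep -q "verify OK" || return 1
  openssl req -config "$WORK/openssl.cnf" -in "$WORK/$2.csr" -noout -subject \
    | grep -Eq "CN ?= ?$2\$" || return 1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -set_serial 1 -sha256 -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# server_trusts CA DEVICE_ID: the server side of TLS client authentication.
# The device certificate is accepted only if it chains to the trusted CA.
server_trusts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca demo-ca && make_ca other-ca   # other-ca: a CA the server does not trust
make_csr device-0001 && sign_csr demo-ca device-0001
server_trusts demo-ca device-0001 && echo "trusted CA: device accepted"
server_trusts other-ca device-0001 || echo "unknown CA: device rejected"
```
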

Self-Provisioning

The Arduino IoT Cloud facilitates the first approach to the Internet of Things, providing a simple user experience, but beneath its simplicity lies a powerful tool to develop professional projects. Our platform offers access to the Arduino IoT Cloud API, which is ideal for automation workflows.

In this use case, we will demonstrate how a user in need of provisioning a device fleet can automate and improve the process through the use of the Arduino IoT Cloud’s API and our open-source Arduino_JSON library. The following code is a self-provisioning sketch optimized for the Arduino Nano 33 IoT, which automatically takes care of registering the board to the Arduino IoT Cloud once uploaded to the board and executed.

Self-provisioning for MKR WiFi 1010 and Nano 33 IoT in prod:

To further enhance this process, we use our open-source Arduino CLI to quickly upload the code to the board. All that’s needed is a simple command:

arduino-cli compile -b arduino:samd:nano_33_iot -u -p /dev/ttyACM0 SelfProvisioning

These are only a few of the features that show how the Arduino hardware products and cloud service can automate processes and create an interconnected system to improve users’ projects and businesses. There will be an increasing number of connected and communicating devices added in the near future, and we are working to make this IoT revolution user-friendly, accessible, and open-source.


Self-driving trash can controlled by Raspberry Pi

YouTuber extraordinaire Ahad Cove HATES taking out the rubbish, so he decided to hack a rubbish bin/trash can – let’s go with trash can from now on – to take itself out to be picked up.

Sounds simple enough? The catch is that Ahad wanted to create an AI that can see when the garbage truck is approaching his house and trigger the garage door to open, then tell the trash can to drive itself out and stop in the right place. This way, Ahad doesn’t need to wake up early enough to spot the truck and manually trigger the trash can to drive itself.

Hardware

The trash can’s original wheels weren’t enough on their own, so Ahad brought in an electronic scooter wheel with a hub motor, powered by a 36V lithium ion battery, to guide and pull them. Check out this part of the video to hear how tricky it was for Ahad to install a braking system using a very strong servo motor.

The new wheel sits at the front of the trash can and drags the original wheels at the back along with

An affordable driver board controls the speed, power, and braking system of the garbage can.

The driver board

Tying everything together is a Raspberry Pi 3B+. Ahad uses one of the GPIO pins on the Raspberry Pi to send the signal to the driver board. He started off the project with a Raspberry Pi Zero W, but found that it was too fiddly to get it to handle the crazy braking power needed to stop the garbage can on his sloped driveway.

The Raspberry Pi Zero W, which ended up getting replaced in an upgrade

Everything is kept together and dry with a plastic snap-close food container Ahad lifted from his wife’s kitchen collection. Ssh, don’t tell.

Software

Ahad uses an object detection machine learning model to spot when the garbage truck passes his house. He handles this part of the project with an Nvidia Jetson Xavier NX board, connected to a webcam positioned to look out of the window watching for garbage trucks.

Object detected!

Opening the garage door

Ahad’s garage door has a wireless internet connection, so he connected the door to an app that communicates with his home assistant device. The app opens the garage door when the webcam and object detection software see the garbage truck turning into his street. All this works with the kit inside the trash can to get it to drive itself out to the end of Ahad’s driveway.

There she goes! (With her homemade paparazzi setup behind her)

Check out the end of Ahad’s YouTube video to see how human error managed to put a comical damper on the maiden voyage of this epic build.


NEW PRODUCTS – Rugged Metal Pushbuttons – 16mm 6V RGB Latching – Black + Silver Finishes



We’ve got two handsome new pushbuttons! First up, the Rugged Metal Silver Finish Pushbutton – 16mm 6V RGB Latching!

By popular demand, we now have latching rugged metal pushbuttons with a full-color RGB LED ring light! These chrome-plated metal buttons are rugged, but certainly not lacking in flair. Simply drill a 16mm hole into any material up to 1/4″ thick and you can fit these in place – there’s even a rubber gasket to keep water out of the enclosure.


On the front of the button is a flat metal actuator, surrounded by a plastic RGB LED ring. On the back there are two gold contacts for the button and 4 for the RGB LED ring (one anode and 3 cathodes for each red, green, and blue). Power the anode at 3-6V and light up the red, green, and blue LEDs by pulling their designated contacts to ground as you desire – there’s a built-in resistor! If you want to use this with a higher voltage, say 12V or 24V, simply add a 1K ohm resistor in series with the LED cathodes to keep the LED current at around 20mA. You can PWM the RGB pins to make any color you like.

This button is a latching pushbutton: when you press and release it, the ‘normally-open’ contact shorts to the common contact and stays that way. When you press and release it a second time, the contacts open up again.

The switch and LED are electrically separated, so to change the color, use a microcontroller to both read the contact pins and toggle the color control pins.

And now for the Rugged Metal Pushbutton with Black Finish – 16mm 6V RGB Latching!


By popular demand, we now have latching rugged metal pushbuttons with a full-color RGB LED ring light! These chrome-plated metal buttons are rugged, but certainly not lacking in flair. Simply drill a 16mm hole into any material up to 1/4″ thick and you can fit these in place – there’s even a rubber gasket to keep water out of the enclosure.


On the front of the button is a flat metal actuator, surrounded by a plastic RGB LED ring. On the back there are two gold contacts for the button and 4 for the RGB LED ring (one anode and 3 cathodes for each red, green, and blue). Power the anode at 3-6V and light up the red, green, and blue LEDs by pulling their designated contacts to ground as you desire – there’s a built-in resistor! If you want to use this with a higher voltage, say 12V or 24V, simply add a 1K ohm resistor in series with the LED cathodes to keep the LED current at around 20mA. You can PWM the RGB pins to make any color you like.

This button is a latching pushbutton: when you press and release it, the ‘normally-open’ contact shorts to the common contact and stays that way. When you press and release it a second time, the contacts open up again.

The switch and LED are electrically separated, so to change the color, use a microcontroller to both read the contact pins and toggle the color control pins.

In stock and shipping now!


Lemon Plum Jam Revisited


It has been a great season for plums, so I’ve updated the lemon plum jam recipe that I’ve been gradually refining over the years. The new basic recipe is below along with other tips I’ve gathered.

Ingredients:

  • 8 cups cut up pieces of plums, pits removed, skins left on, fresh or frozen
  • 3 lemons, (optionally peeled) cut into small pieces, seeds removed
  • juice from 3 more lemons
  • 6 cups sugar


Procedure:

Put the plums, lemon pieces and lemon juice in a sauce pot and cook, stirring occasionally, until the fruit starts to soften. At this point, you can use a potato masher to crush the fruit pieces for a more even consistency.


Add sugar and cook, stirring regularly, until it thickens. You can test the consistency for doneness by putting a spoonful in a cold dish in the fridge for a few minutes. After chilling, it’s ready if it holds its shape a bit when you move a spoon or finger through it. You can also follow your favorite canning procedure for longer term storage. Makes about 4-5 pints.

Tips and techniques:

For cutting up the fruit, I like to put a small cutting board inside a baking sheet. This catches the juice much better than any cutting board with a moat that I’ve ever used. It makes cleanup much easier, and you can pour the juice from the baking sheet into the cooking pot.

Most jam recipes call for approximately equal quantities of sugar and fruit. I prefer my jam a little more tart, so I’ve revised down the sugar.

I’ve stopped adding water to my preserves. It cooks a little faster without as much liquid, and there’s enough liquid in the lemon juice to get it started cooking even if the fruit isn’t covered.

I also often leave the lemon peel out for the preserves I make (other than marmalade). The peel gives it a stronger lemon flavor, but keeps the jam from gelling as well. If you want a thicker consistency that gels a little earlier, you can leave the peel out. If you want zingier lemon flavor, leave the peel on and cook a little longer.

During fruit season, I try to preserve as much as I can by making jams and chutneys, but I usually run out of time and end up cutting up the last of the crop and freezing it. Using frozen fruit for jams seems to work just as well as fresh. I measure out 8 cups and store it in a one gallon freezer bag. Then it’s ready to pull out and start a batch of jam. I also recently revised my Plum Chutney recipe, and it starts with 8 cups of fruit as well.


DIY portable video conference, sharing and teaching device

A DIY conference and teaching device @ mcuoneclipse.com:

COVID-19 is by far not over, and in Switzerland the infection rate is going up again (2nd wave?). During the spring 2020 semester university lock-down we moved pretty much everything to a ‘distance learning’ setup. With that experience and with the request to prepare for the fall semester, I have constructed a DIY conference and teaching device which should make things simpler and easier: a combination of video camera, speaker phone and a muting device


Get Your Fix at Virtual Maker Faire Miami 2020 This Weekend!

It’s clear that a pandemic can’t keep makers from doing what they do best and Virtual Maker Faire Miami kicks off tonight at 6:30pm ET to celebrate the spirit of ingenuity, creativity, and fun of the maker community. Maker Faire Miami producer-maker-hacker-inventor Mario Cruz, and his team from Moonlighter Makerspace, […]
