Privacy Please
Tune into "Privacy Please," where hosts Cam and Gabe engage with privacy and security professionals around the planet. They bring expert insights to the table and break down complicated tech into terms everyone can understand.
S5, E228 - 8 New Privacy Laws Coming in 2025 and Cybersecurity Threats
Ever wonder how the privacy landscape in the United States is about to shift dramatically? As we return from our Thanksgiving celebrations, we walk through the eight new state privacy laws that will redefine how businesses handle consumer data in 2025. States like Delaware, Nebraska, New Hampshire, and Iowa are leading the push for more consumer-friendly policies, with default opt-out provisions and enhanced measures for children's privacy.
Switching gears to cybersecurity, we cover the alarming breach of US telecommunication firms by the Chinese hacking group Salt Typhoon. This episode stresses the critical importance of securing our communications and highlights the vulnerabilities that lie within current infrastructure. We recommend tools like ProtonMail and Signal to bolster personal privacy against these persistent threats. We also delve into the potential motivations behind these breaches, including the chilling prospect of strategic data collection for future decryption, and explain why vigilance is more crucial than ever. Join us as we explore these pressing topics.
Our resource for this episode on upcoming state privacy laws: https://transcend.io/blog/state-privacy-laws-2025
Speaker 2:We are back. Ladies and gentlemen, welcome back to Privacy Please. Cameron Ivey here with Gabe Gumbs. Gabe, how you doing, man? How was your Thanksgiving?
Speaker 1:It was good. It was good. I'm doing well. How are you doing? Good? How was your turkey day?
Speaker 2:Life is good. I had some turkey. I had a fried turkey. That was delicious. Boy, nobody blew up, I hope? Nah, nobody blew up. I'm watching those videos of people blowing up turkeys on Thanksgiving. I saw one where someone was, like, lowering it with a string from another room. That thing just exploded. I think you're just not supposed to do it when it's frozen. Like, come on. You're a hundred percent
Speaker 1:not supposed to put water and hot oil together, just generally speaking. Those two things, no point.
Speaker 2:Combustion, yes. I mean, I'm pretty sure, one episode or another,
Speaker 1:I'm sure that Bill Nye the Science Guy taught you that. Look, if he hasn't covered it once, he's probably covered it three times. Man, just don't do it. Don't do it.
Speaker 2:We need to bring somebody like him back. He was golden back when I was a kid.
Speaker 1:He was. I don't know what his rep's like in the streets anymore, is the problem. I think he's ruffled some feathers a couple of ways. Has he? I think so. I don't pay too close attention to that kind of stuff, but either way, shout out to Bill Nye from our youth. Yeah, he's awesome. Yeah, Bill Nye, Bill Nye the Science Guy. But today we got Cameron Ivey and Gabe Gumbs, the privacy guys. We're pulling on into the year. It's the last month of the year. Election's behind us. We got a new administration coming in next year, but we also got a whole bunch of new privacy laws coming in next year too, don't we? We do.
Speaker 2:I think there's a total of eight for 2025 coming in.
Speaker 1:Eight new privacy laws. Still no, I presume, still no federal laws. So these are eight state laws. What are they? Break this down for us.
Speaker 2:Yeah, eight state laws. I mean, this is definitely going to increase compliance requirements for businesses, especially ones that are offering consumer control over personal data. On January 1st of 2025, we have new privacy laws for Delaware, Nebraska, New Hampshire and Iowa. Sound like all the swing states.
Speaker 2:Yeah, they be swinging. They be swinging. They got a big swing. Iowa's got the biggest swing. Yeah, yeah. So lots of things going on. We don't have to get into the details, and some of the resources that we're pulling this from, I'll give a shout out to Transcend, Morgan Sullivan over there putting together a great blog.
Speaker 1:I'll share it in the show notes. Yeah, get Morgan tagged in there.
Speaker 2:Yeah, definitely. Lots of things going on. Let me see what else. In mid-year we have Tennessee, Minnesota, Maryland that are going to take effect. There's a lot of little things that we can go into. Those are really all the states, but we're talking about what's really nice that I pulled out from some of them. Like New Hampshire, they're bringing in children's data privacy laws, which I like to see, especially around 13 and under.
Speaker 1:There's a couple of states that are jumping on that, which is nice, I see a trend where a lot of them are moving towards more opt-out versus opt-in, so default opt-out looks like it's a trend that these states are picking up on.
Speaker 2:Some are doing both. I mean, what do you think about that?
Speaker 1:I think it's necessary. I think the default mode should be you have to choose to opt in, not have to choose to opt out of it, right? That's where I think a lot of the kind of vacuuming up of all of that data ends up is when you default to people having to choose to opt out versus them having to choose to opt in. You know you're just kind of backdooring their privacy.
Speaker 2:Right, yeah, like specifically. So January 15, New Jersey has a new law, and specifically there's a six-month grace period for opt-out signals. I don't know how common that is. It's so weird how some of these states are. There's little things like that that some of them kind of add in, or they have differences in that sense. There's a lot of them that are similar, but there's always some kind of, there's similarities, but some have their own nuances like that that are added in to make it, you know, some are more strict controls around sensitive data.
Speaker 2:It's a lot of stuff around targeted advertising, especially for restrictions on minors, which I'd love to see. New Hampshire has data broker registration and biometric data protection. That's pretty cool. That's interesting. Yeah.
Speaker 1:Yeah, make them register, for sure.
Speaker 2:Yeah, there's some pretty neat stuff in here which you know. It's interesting to see what this is all going to trickle for the next. You know there's obviously ones coming out in 2026 already, I think. From my understanding. I think already there's Indiana, Kentucky and Rhode Island that are going to be going into effect in 2026, that are already on the.
Speaker 1:You know what I find interesting about this, also, although I am still a bit dismayed that we don't have privacy laws that are more defined, such as these at the federal level.
Speaker 1:If you operate across all 50 states which many companies do many companies do especially if you're transacting digitally or you're trying to reach customers in other states which pretty much everyone does these days if you offer some kind of service that isn't physically only available within a geographic location right. If you're a business trying to adhere to 50 different privacy laws, your best option is to take the strictest of them, adhere to that one. This way you cover everything. So it's almost like California might still be the de facto privacy law to follow, unless, of course, some of these other new ones have some provisions that are stricter than California, which might make things a little hairier. But I think we're almost going to end up with still this de facto standard of you follow what California does and you'll just get covered for the other 49. Because otherwise, trying to align your privacy program to 49 different states' rights is just not tenable.
Speaker 2:Yeah, you're right, I agree. There's a trend that I've seen a lot of, and I don't know if this just goes by, this could be me being ignorant, but maybe it just goes by the size of the state and how many residents are in that state. But, for example, California has a threshold to applicability around controlling and processing personal data of at least 100,000 consumers per year. That seems to be the trend for a lot of them, like Virginia, Colorado, Connecticut, Utah. But if you get into smaller states like Montana and Delaware, for instance, Delaware is only 35,000 compared to 100,000. There's little things like that where there's subtle differences.
Speaker 1:Hold on, that makes sense, right? It makes sense for me. If it's only going to apply at the state level and your state doesn't have a large populace, setting the threshold to a hundred thousand might effectively mean that no one in the state is protected.
Speaker 2:So lowering it makes sense.
Speaker 1:But when someone like Delaware does it. Delaware happens to be the state where a lot of companies incorporate. A lot of businesses are incorporating in Delaware because they are so friendly in the terms for which you can set up C-corps, S-corps, LLCs, et cetera. I'm almost curious how that affects those folks. We may need to pull some experts on to kind of dig into that one for us on that level. But if you're incorporated in Delaware and Delaware's threshold is 30,000, it doesn't matter if you're doing business everywhere else. You're going to have to adhere to that lowest threshold.
Speaker 2:Yeah, To your point. You just gave me an idea that I should have thought about earlier, but I think I'm going to ask Dave Barmore to come on the show. I don't know why I haven't done this yet.
Speaker 1:He's a regulatory expert. I'm certain he's listening. Dave, when are you coming on?
Speaker 2:Hopefully I'll try to get him on next week and we can dive further into some of these and he can give us even more insight. I think that'd be pretty interesting for our listeners. So let me do that.
Speaker 1:I think, with eight new laws and a new administration coming online in under 45 days. I think we should get into this conversation a bit more depth, see if we can't help educate our listeners on what to look forward to.
Speaker 2:Well, we can do that, and we can also talk about what's to come in the new year under Trump, what that means for everything. That's all changing, so I think that could be interesting to learn a little bit more about that. So, yeah, good idea, Cameron. Thanks. All right.
Speaker 1:Nice work, Cameron. Nice work.
Speaker 2:Good job. Other than that. I mean there's a lot of little smaller details that we can dig into. But I mean, you know, I think if you want to learn more about it, I'll share a link.
Speaker 1:You've got a link to a blog, yeah.
Speaker 2:Yeah, I'll share a link and if you have questions about anything, happy to get the answers for you. Also, if you guys want to shoot any questions our way, and then we'll try to get Dave on next week if that's possible. I think that'll be interesting.
Speaker 1:I think that'll be a great idea. I think that'll be a great idea. It is almost the end of the year, as I mentioned at the top of the show, which means, so we'll get Dave on, the Salty Soothsayer is going to be on pretty soon. We've got him coming up in a few weeks to get some predictions in for 2025. But before we get to predictions for 2025, maybe we just quickly cover some of the top things that happened in 2024.
Speaker 1:I think one of the biggest things that happened relatively recently was a bit of espionage across our telecommunications networks. It was discovered that a Chinese hacking group that's identified as Salt Typhoon infiltrated at least eight US telecommunication firms and a number of other ones globally. And, from a privacy perspective and a security perspective, one of the problems is some of these backdoors in these telecom places were built in by, well, our governments themselves, but it looks like they may have been breached and accessed, effectively giving these foreign hackers direct access to our communications, which means all the things, you know, email, phone, like any non-encrypted communications. And we can go all the way back to episode one, folks. We highly recommend that you use end-to-end encryption for all of your communications, whether, you know, using your own personal email.
Speaker 1:I suggest things like ProtonMail. For texting and communications, you can use things like Signal. You don't even have to exchange phone numbers any longer. But I think it's clear that this isn't just some emerging problem, and you know it's not about boogeymen watching everything we do. But from my perspective, it's a safe assumption that all the things are compromised from a communication standpoint, and if you value at all any privacy, you really should look at this breach of 2024 as probably one of the most public examples of why what we talk about on this show, week in, week out, isn't fear mongering. It isn't the what ifs. This is the what now.
Speaker 2:That was the first one. That's the what's that I was reading the.
Speaker 1:That was the Salt Typhoon, guys.
Speaker 2:Yeah, Salt Typhoon. Yeah, I don't even know. That made me think about the game Rollercoaster Typhoon.
Speaker 1:Rollercoaster, typhoon, yeah.
Speaker 2:And does that show my age?
Speaker 1:Just a little bit it might. That game goes back. That game goes back. I mean, you didn't say Oregon Trail.
Speaker 2:So wait, wait, to dig a little bit deeper on that one, Gabe, because talking about breaches and stuff, I know that you've, you know, you kind of harp and preach on this. About what, I guess, to dig into your world a little bit when it comes to storing data and databases and things like that. How is this kind of related in that sense when it comes to unauthorized access to private communications?
Speaker 1:Yeah, it's a good question. The best answer is we have to focus on not just securing the things while they're in our possession. Right? I'll just use an overly simplistic example. Right? Like simply encrypting data at rest in your environment, like just encrypting a file, isn't good enough. You've got to encrypt data from end to end, and, unfortunately, one of the primary communication mechanisms we most all use is email, and almost no one encrypts their email between sender and recipient. It's just not as common a practice as it should be, which is why you know and zero affiliation just happened to be big fans of their work, but it's why I suggest, you know folks use things like ProtonMail and maybe move away from, you know, classic Gmail, et cetera.
Speaker 1:Can those services provide encryption? The short answer is I know they can, but for your average everyday user it's not quite as straightforward. More importantly, it isn't just there by default, and that's the real problem. It's not just there by default, and so what we really need to look at is ensuring that all of our communications, from where we send them to when they get to the other side, are fully protected, because if the actual networks they have to traverse the telecommunication networks have been compromised, there's nothing you can do about that. We don't control any of that infrastructure. We can't even really choose which of that infrastructure our data is going to traverse quite frequently, and because so many of them also use and share each other's infrastructure, you really don't have much in the way of guarantees that it's only on infrastructure by this telecommunication provider.
Speaker 1:It's all the same. Really, it's all one big melting pot. So end-to-end encryption is the key. The days of having to use PGP and GPG on your own as an individual are largely behind us. I can tell you explicitly, for example, that my mother uses ProtonMail. If my mother can use ProtonMail, you can all use ProtonMail. Trust me. That's a good point. I am not exaggerating. I'm going to bring a, Mom uses ProtonMail.
Speaker 2:I think I'm going to pull my card and bring on my ethical hacker correspondent from the field, Mr Gabe Gumbs. What do you think that Salt Typhoon? Obviously, when it comes to a hacking group, they're not just hacking random things for randomness. There's probably some kind of mission here. What do you think that they were trying to get out of this particular breach?
Speaker 1:So hard to say, but I think my intuition tells me that part of it isn't just about what you can get now, but we are on the precipice of quantum encryption capabilities being able to break current encryption mechanisms with quantum computing. If you've got access to telecommunication links, you can just vacuum up all of that data, even if it's encrypted right now, and hold onto it until you can break it.
Speaker 2:Let me ask you this. When you get access to something like that, and let's say, you know, it gets taken care of and they lock you out or whatever, how that works. Is there still a connection there, because they've already gotten into where they can get in again, because they're connected already? So it's kind of like they've already connected to another time zone or time travel, but they've gone to that place so they can go back to it. Does that make sense?
Speaker 1:No, it makes sense. It makes sense. I mean basically you're asking can they establish a foothold that, even if you root it out, they can simply revert back to it? Right, how persistent can they make that threat?
Speaker 2:Yes, yeah.
Speaker 1:Got to tell you, at this level of sophistication, it is my assumption that their persistence can last almost indefinitely. It is very, very, very, very difficult to know that you would have gotten all the things out.
Speaker 2:Sure, yeah that, yeah, that's scary. It's also kind of cool to think about.
Speaker 1:It's fascinating, it's a hell of an interesting digital world we live in and you know, in the last call it three years we've watched a lot of evolution through things like AI and we're going to see a big evolution in encryption Again as we get closer to quantum computing. It's going to change a lot of the conversations we're having around security. Many things will not be as secure as they were literally overnight.
Speaker 2:Man, I love all these things. It's so fascinating. Let's talk about the next one. It was a Russian cyber attack, yeah, down on the Australian port.
Speaker 1:So this one happened last month, in November. There was a cyber attack that was attributed to some Russian actors, targeting DP World. They're a major port operator in Australia. That attack in particular disrupted some imports and exports of over 30,000 containers. Right, and really the importance of that is it's just economic disruption. Right, goods can't move back and forth. It creates lots of problems for a nation. A lot of times, I think people forget that.
Speaker 1:Sometimes hacking isn't about necessarily getting into the system. It isn't always necessarily about getting to the data. Sometimes it's just about disruption. Sometimes it's just about disrupting operations. If we look at ransomware as an example, the primary impact ransomware has is an availability impact. It's not just it stole the data and the data got leaked. Yes, that's an obvious problem, but if we're being honest, data brokers are a bigger freaking privacy problem than ransomware is. I'm sorry, it just is. It's just. Data brokers pose a much greater risk to society than ransom attackers getting a hold of PII. But ransom attackers themselves, they're mostly interested in economic disruption. They want to take you offline, forcing you to pay, and in this case I don't know that these Russian actors were a state sponsor or not, but there's a lot of reasons why state sponsors might want to disrupt shipping industries in a country. It is very harmful to the overall economics of those countries. So that was a pretty big attack.
Speaker 2:Pretty big attack. Yeah, I mean safe to say that was kind of Russian of them to do that.
Speaker 1:Little Russian of them to do that. They've been busy this year. Back in June there was another one by some Russian attackers, right. That was the Microsoft email.
Speaker 2:Huge, oh, okay, okay, I was going to say Australia too? No, okay.
Speaker 1:No, no, no, this is a Microsoft one, and so Russian hackers had compromised Microsoft systems. That's right, yeah, accessing emails of both their staff and their customers. Huge. That was the one that prompted...
Speaker 2:Was this by the same people or no?
Speaker 1:We don't have, I certainly haven't seen attribution to the same people, just to the same region. Gotcha. But not necessarily to the same threat actors. But it is quite plausible. But again, if this were nation state, and I'm not saying it is, but it certainly looks like it might have been, a lot of times nation state attackers have different units that are engaged in different activities under one larger umbrella. This was the breach that prompted a bit more regulatory scrutiny from Congress.
Speaker 1:There were congressional hearings on this and in fact after that the US government put out quite the scathing note about Microsoft not taking security seriously, to which Microsoft responded and said we're sorry and we're going to start taking it seriously now. We're very sorry that we hadn't before which is wild because Microsoft is the largest security vendor in the world, so they're super invested in selling security products.
Speaker 2:It's like a backhand slap. Like, oh, you know what?
Speaker 1:We're sorry. This is one of those cases where you should be getting high on your own supply. Microsoft, you need to take a couple of tokes of your own good stuff. All right, just maybe get some of that in there. I enjoy picking on
Speaker 2:Microsoft. This reminds me, by the way, and I don't know if this is way off topic, but do you think that we're going to start seeing more stuff like what just happened with the shooting of the UnitedHealthcare CEO? You know what I'm talking about. Do you think that there's going to be more, like? I don't know why, we don't know why that happened, but it is interesting that it's like that. Civilians targeting industry leaders because they are not pleased.
Speaker 1:Look, that's a damn good question. And let's go back to our friends in the data broker world. It is not implausible to think that somebody could be so upset and disgruntled about their information having made it into the hands of, say, a jaded ex-lover or whatever the case is, right. There are some industries that are so disliked generally by the public that what you're hypothesizing is very much a concern, I think. I think, if I were to use the parallel in our industry, it would be data brokers. Right, they are seen by and large as not really adding any value to our world, not at any rate, and at the expense of all of us and all of our privacy. Could there be some person that goes lone wolf and gets mad and targets the CEO of a data broker? I am no advocate for violence.
Speaker 2:No.
Speaker 1:No advocate for violence. But in that scenario you paint. Yeah, I could see it happening.
Speaker 2:I could see it happening. It's believable, right. It's very much believable.
Speaker 1:Right, it's very much believable. Yeah, it's scary. Yeah, Mr. Robot style, right? Mr. Robot style.
Speaker 2:Yeah, gosh, he's a weird looking dude, isn't he? He's got some weird beady eyes, but he did a good, uh, Freddie Mercury. He did the best Freddie Mercury.
Speaker 1:That was a hell of a Freddie Mercury. I'll even give him a shout out too.
Speaker 2:I don't know if anybody saw this, but there was a detective movie that, um, he was an FBI. I saw that one. Did you see it?
Speaker 1:I did, and I don't watch much. It was good. It was very good. Nine out of ten times, if you ask me, Gabe, have you seen that movie, the answer is usually I haven't seen that, but I don't know. Yeah, I've seen that movie, though. I know exactly who it was.
Speaker 2:I think it's the singer from Thirty Seconds to Mars. He played the Joker, yeah, yeah, yeah, yeah. I forget his name. I should know his name. He plays the, I think he plays the killer, and then I can't remember who he works with. Is it Denzel?
Speaker 1:It is Denzel. It's Denzel. Denzel is the cop.
Speaker 2:Yes. Who's the FBI guy? What's his name? Malachi?
Speaker 1:Yeah, something like that, See.
Speaker 2:I'm not good with the names.
Speaker 1:I'm not the celeb guy.
Speaker 2:I couldn't tell you. That's okay, but what was it called?
Speaker 1:It was... See, this is even more questions I'm going to...
Speaker 2:Man, we're going down a rabbit hole. We are going down a rabbit hole.
Speaker 1:It's all good. It's the end of the year. That's how we wrap it up. It was a good flick.
Speaker 2:I'm not going to leave you all hanging. If you haven't seen it and you like detective movies, it was actually worth a watch.
Speaker 1:It was kind of slow, but I thought it was a decent... If you've got a Sunday afternoon and you're not really getting into much, I'd highly recommend it.
Speaker 2:Yeah, it was a decent little... The Little Things.
Speaker 1:That's it. That's it. Rami Malek, Jared Leto. Yes, Jared Leto's the, Jared
Speaker 2:Leto and Denzel Washington.
Speaker 1:That was a good man, Denzel. I'm leaving with something. It was good. I liked it. Yeah, it was good. Well, Cam, my man. Yeah, it's always good to catch up. It's always good to have you folks along for the listen. As promised, we've got a few things coming up before the year is out. We're going to bring in the Salty Soothsayer for some predictions for next year. We'll cover a little bit more of what went down in security and privacy this year.
Speaker 1:We'll bring on some of our friends to help close out the year and tell us about some of these privacy laws that are upcoming. And until next time, friends out in listening land, we appreciate you always tuning in.
Speaker 2:Absolutely. Thank you, Gabe. Thanks, everyone, and I've got some good changes coming for 2025 as well. So I'm excited for all the things that we're going to be working on and doing, so just be aware of that, and thanks for sticking around with us. All right, guys, till next time.