NIST Transitioning Away from SHA-1 for All Applications

NIST is introducing a plan to transition away from the current limited use of the Secure Hash Algorithm 1 (SHA-1) hash function. Other approved hash functions are already available. The transition will be completed by December 31, 2030.

NIST responded in 2006 with an announcement encouraging a rapid transition to the use of the SHA-2 family of hash functions for digital signature applications, which were initially specified in FIPS 180-2. NIST began a competitive process to develop an additional hash function, which resulted in the SHA-3 family of hash functions published in 2015 as FIPS 202. In 2011, NIST released SP 800-131A, which announced the deprecation of SHA-1 when generating new digital signatures and restricted further use of SHA-1 to only where allowed in NIST protocol-specific guidance.

Cryptanalytic attacks on the SHA-1 hash function as used in other applications have become increasingly severe in recent years (“SHA-1 is a Shambles” by Leurent and Peyrin, 2020 https://www.usenix.org/conference/usenixsecurity20/presentation/leurent). As a result, NIST will transition away from the use of SHA-1 for applying cryptographic protection to all applications by December 31, 2030.

https://www.nist.gov/news-events/news/2022/12/nist-transitioning-away-sha-1-all-applications

Updated FTC-HHS online tool helps developers understand which federal laws apply

The Federal Trade Commission (FTC) in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA) have updated the Mobile Health App Interactive Tool. This tool is designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.

https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool

HHS Bulletin: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

– mentions Google Analytics and Meta Pixel by name..

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

This Bulletin provides a general overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. This Bulletin addresses:

  • What is a tracking technology?
  • How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
    • Tracking on user-authenticated webpages
    • Tracking on unauthenticated webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

LfDI BW: Embedding external videos on web sites

https://www.baden-wuerttemberg.datenschutz.de/videos-einbinden/

asking for consent, and a two-click solution

With the help of a so-called two-click solution, it is basically possible for the website operator, as joint controller with the video platform operator, to obtain the consent of the visitors.

  • A preview of the external content is first displayed – without transmitting the IP address, browser information or other personal information to third parties.
  • Only when visitors actively click on the preview, for example to watch a video, will their data be transmitted.

If website operators embed third-party videos from commercial video platforms or third-party websites without joint responsibility according to Art. 26 GDPR, the two-click solution should be used in the following variant:

  • First, there should be a preview with a reference to the following external content is displayed.
  • This notice should make the visitor understand that when the embedded video is played, the platform operator, for example, receives information about who has just accessed which website and that a link to existing data is possible.
  • Only when visitors actively click on the preview, for example to watch a video, may the video platform operator or third parties receive the IP address, browser information or other personal information.

German DPAs release v3 of the Standard Data Protection Model

The German DPAs approved on 24-Nov the new version of their Standard Data Protection Model – which forms the basis of their enforcement.

https://www.bfdi.bund.de/SharedDocs/Downloads/DE/DSK/DSKBeschluessePositionspapiere/104DSK_SDM-3-0.pdf;jsessionid=5E36059D0001FFEF80688B352A66721D.intranet241?__blob=publicationFile&v=1

There is no translated version available yet.
A noteworthy change is the inclusion of the “SDM cube” – and further details on how infrastructure and applications relate to processing activities…

LfDIBW: Verhaltensregeln für Auftragsverarbeiter

“Um hier mehr Übersichtlichkeit und Rechtssicherheit zu schaffen, hat der LfDI daher die neue nationale Verhaltensregel „Anforderungen an die Auftragsverarbeiter nach Artikel 28 DS-GVO – Trusted Data Processor“ genehmigt. Unternehmen können sich fortan diese Verhaltensregeln zu eigen machen und nutzen damit die Möglichkeit, für sich mehr Rechtssicherheit zu schaffen.”

https://www.baden-wuerttemberg.datenschutz.de/verhaltensregeln-fuer-auftragsverarbeiter/

https://www.verhaltensregel.eu/