A Note about Third-Party Components in ArcaOS

You may be aware of the recent massive Equifax security breach and the company’s explanation surrounding a vulnerability in Apache Struts (CVE-2017-5638) disclosed by US CERT in early March 2017. Some reports have implied that the company has somehow blamed the Apache Software Foundation for the breach, specifically for not moving quickly enough to address the security flaw. Apache has responded to these allegations clearly and concisely. In light of this incident, we thought this a good opportunity to clarify how third-party and open source components, in general, pertain to ArcaOS, what Arca Noae’s position is regarding their fitness for use, and who is ultimately responsible for maintaining his or her (or, in the case of enterprise use, its) own systems.

Arca Noae includes several components in ArcaOS developed by reputable third parties, including IBM, Apple, and others. Some of these components are also open source, meaning that their source code, from which the machine-readable components are compiled, is freely available to the public. Open source software is often more secure than proprietary software, because many (sometimes thousands of) developers around the world contribute to the code. This (often massive) group effort allows such projects to react quickly when flaws are discovered, and to constantly monitor and maintain the software. However, whether a component is proprietary or open source, Arca Noae may have no control whatsoever over it, its inherent flaws, or its as-yet-undisclosed security issues.

It is Arca Noae’s position that each ArcaOS licensee (whether an individual or an enterprise) bears the sole responsibility to consider his or her or its own interests and security. While we do what is within the realm of reasonable possibility to stay abreast of current trends and vulnerability disclosures (CVEs), we cannot guarantee that all issues will be identified and/or reported to our users by us. Thus, best practices dictate that each user remain vigilant and aware of the connected ecosystem in which we live and to take steps to mitigate his or her or its own risks.

Arca Noae welcomes reports from our users of disclosed and non-disclosed vulnerabilities. While we normally encourage our users to avail themselves of our Mantis ticketing system to report issues, those of a sensitive nature (such as an as-yet-undisclosed or little-known security flaw in a bundled component) should be reported through our contact page.

We would also like to take this opportunity to remind all of our ArcaOS licensees that ArcaOS does not utilize telemetry of any kind to communicate with us. We firmly believe that when a user licenses a copy of ArcaOS, his or her or its data should remain on the system as directed by the user, shared only by the user, and with the user’s full knowledge and consent.

The next exciting update to ArcaOS 5.0 is in the making, too. Watch the Arca Noae blog for a release announcement in the coming weeks.

EU-US Privacy Shield – Status Report

If you are a resident of the European Union and a customer of ours, chances are you have been watching (or at least are aware of) the situation regarding data transfer policy between the EU and the US.

On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-US Safe Harbor arrangement, determining that the Commission’s finding that Safe Harbor was adequate was, in fact, inadequate. More on this decision may be found here.

On February 2, the US and the EU reached an agreement in principle to construct a framework to replace Safe Harbor and to reconcile differences between the laws of both governments. That framework has been named the EU-US Privacy Shield. In response to the agreement, the US Department of Commerce released a fact sheet, which we are making available as a pdf, here.

As the new framework promises to have farther-reaching implications for how personally identifiable data is handled by third parties, we have contacted both of our current payment processors (Stripe and PayPal) for their comments. While we are still awaiting comment from PayPal, Stripe has responded that they, too, are monitoring the situation, but have not yet made any changes to their policies or procedures, pending more concrete guidance.

We want you to know that we take the privacy concerns of our customers very seriously, and we will continue to monitor this and any other legislation which may have an impact on doing business with us, whether you are located within the US or anywhere in the world. We believe that our current privacy policy remains in accord with the spirit of the new EU-US Privacy Shield as we anticipate it, but we will keep you apprised of the situation and will make adjustments as necessary.

More information and commentary on the EU-US Privacy Shield may be found on these sites:

Digital Media, Technology & Privacy Alert >> Agreement on EU-U.S. Privacy Shield to Replace Safe Harbor Faces Hurdles, Kibel, Gary A, Partner (Digital Media, Technology & Privacy), Davis & Gilbert, LLP, February 4, 2016.

Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement, Tielemans, Jetty and Steinhardt, Ezra (Data Privacy and Cybersecurity group), Covington & Burling LLP, February 2, 2016.

Privacy Policy Update

In response to visitor feedback, we have clarified the portion of our Privacy Policy concerning use of Google technologies.

To summarize, while we have not knowingly enabled any Google technologies on our site, such technologies may be enabled by third-party components which we employ and of which we may be unaware. If we do choose to employ any such technologies, or if we become aware of a third-party component which utilizes them, we will take reasonable steps to provide advance notification.

We invite you to revisit our Privacy Policy and provide us with your comments.

Privacy & Acceptable Use Policies

We at Arca Noae are firm believers in protecting your data while accessing any of our hosted services. This is especially true of your online shopping experience. You should know that we employ up-to-date builds of software technologies designed to keep your information secure while visiting us. We invite you to read our Privacy Policy and our Acceptable Use Policy, and know that we stand behind our words.