Monday, May 14, 2018

Google Driverless Car Involved In Smash

A self-driving vehicle owned by Google's Waymo has been involved in a smash in Arizona when it was hit by a car that swerved across multiple lanes.

Driverless Mode - But With Person On Board

The Google car was in autonomous / driverless mode at the time of the crash, but had a test driver in the driver's seat. The lady occupant is reported to be recovering from the incident.

A discussion is now underway as to whether the driverless car system or the test driver on board could have done anything more to avoid being hit by the other vehicle.

Waymo and Jaguar


Waymo is the self-driving car company that is owned by Google’s parent company Alphabet, and has been testing driverless vehicles since 2009. It has been reported that Waymo wants to purchase 20,000 Jaguar electric vehicles as part of its plans to launch a robotic ride-hailing service in the US.

It is understood that Waymo’s link-up with Jaguar will mean that from 2020 to 2022, UK-based (and owned by India's Tata Motors) Jaguar Land Rover (JLR) I-PACE electric cars will be providing up to one million rides per day in the service. It is thought that Jaguar cars will appeal to more upmarket customers, thereby already showing the possibilities for segmentation in driverless ride-hailing services.

The ride-hailing service will be launched on a small scale in Phoenix, Arizona, first in the coming months.

Not The First Autonomous Vehicle Accident

Although the Google car did not cause the crash, this is not the first time an autonomous vehicle has been involved in a serious incident. Back in March, Uber suspended all self-driving car tests in all North American cities after a fatal accident in which a 49-year-old woman was hit and killed by one of its autonomous vehicles as she crossed the street in Tempe, Arizona.

This was the second time that Uber has pulled its self-driving cars from the roads after an accident. A year earlier, also in Arizona, an Uber Volvo SUV in self-driving mode ended up on its side after another vehicle "failed to yield" to the Uber car at a left turn.

Autonomous Lorry Convoys on UK Roads This Year

Last year, the UK government announced that ‘platoons’ (mini-convoys) of self-driving, partially autonomous lorries are to be tested on British roads before the end of 2018. The so-called ‘platoons’ will take the form of several lorries driving closely together in a line in the inside lane, with the lead lorry wirelessly controlling the acceleration and braking for all the lorries, and with the following lorries responding to the changes in speed.

It is understood that for the tests which have been promised since 2014 and will be carried out by the Transport Research Laboratory (TRL), a human driver will be in the cab of the lead lorry, and will be able to take control if things don’t go entirely to plan.

What Does This Mean For Your Business?


Autonomous vehicles and vehicles with autonomous elements are already being tested and used in commercial environments and as part of the transport system in the US and the UK. The combination of driverless vehicles powered by electricity and using AI technology could provide a more environmentally-friendly solution to a variety of different transportation and delivery challenges, and to hopefully reduce traffic accidents.

The accidents involving driverless vehicles to date have, however, prompted some commentators to warn that the technology is being deployed before it is ready. Clearly, it is still early days for autonomous vehicles which means that there are still many untapped opportunities to use autonomous vehicles commercially, and there are of course many challenges and issues to consider around safety, insurance, regulations and reliability.

Autonomous vehicles are likely to be adopted more quickly on closed sites first, but operators who decide to adapt such sites to work for autonomy could expect significant improvements in productivity and safety.

Despite any bad press from the unfortunate crashes involving test autonomous cars in the US, having an emerging industry such as autonomous vehicles, with all its talent, technology and development centres here in the UK represents a huge opportunity for UK businesses as potential suppliers, beneficiaries of the technologies and products, and spin-off market opportunities. It also represents an opportunity for UK insurers.

Whereas the UK has a skills gap in many areas of the technology market, with the right amount of support and backing from the government and other investors, the testing, development, and production of autonomous vehicles and the necessary technologies could be one area where home-grown talent is tempted to stay in what could become a world centre of excellence for autonomous vehicle / AI technology.

Cambridge Analytica Ordered To Turn Over All Data On US Professor

The UK data watchdog, the Information Commissioner’s Office (ICO), has ordered the consulting firm Cambridge Analytica to hand over all the personal information it has on US citizen Professor David Carroll, or face prosecution.

Demand Made in May 2017


The consulting firm, which is reported to have ceased operations and filed for bankruptcy in the wake of the recent scandal involving its access to and use of Facebook users’ details, is facing the Enforcement Notice and possible legal action (if it doesn’t comply) because it has not fully met a demand made by Professor Carroll early last year.

Who Is Professor David Carroll?


David Carroll is a professor at the New School's Parsons School of Design. Although Professor Carroll is based in New York and is not a UK citizen, he used a subject access request (part of British data protection law) to ask Cambridge Analytica's branch in the UK to provide all the data it had gathered on him. With this type of request, organisations need to respond within 40 days with a copy of the data, the source of the data, and if the organisation will be giving the data to others.

It has been reported that Professor Carroll, a Democrat, was interested from an academic perspective, in the practice of political ad targeting in elections. Professor Carroll alleges that he was also concerned that he may have been targeted with messages that criticised Secretary Hillary Clinton with falsified or exaggerated information that may have negatively affected his sentiment about her candidacy.

Sent A Spreadsheet

Some weeks after Professor Carroll filed the subject access request in early 2017, Cambridge Analytica sent him a spreadsheet of information it had about him.

It has been reported that Cambridge Analytica had accurately predicted his views on some issues, and had scored Carroll a nine out of 10 on what it called a "traditional social and moral values importance rank."

What’s The Problem?

Even though Carroll was given a spreadsheet with some information, he wanted to know what that ranking meant and what it was based on, and where the data about him came from. Cambridge Analytica CEO Alexander Nix told a UK parliamentary committee that his company would not provide American citizens, like David Carroll, all the data it holds on them, or tell them where the data came from, and Nix said that there was no legislation in the US that allowed individuals to make such a request.

The UK’s Information Commissioner, Elizabeth Denham, sent a letter to Cambridge Analytica asking where the data on Professor Carroll came from, and what had been done with it. Elizabeth Denham is also reported to have said that, whether or not the people behind Cambridge Analytica decide to fold their operation, a continued refusal to engage with the ICO will still potentially breach an Enforcement Notice, and it will then become a criminal matter.

What Does This Mean For Your Business?

Many people have been shocked and angered by the recent scandal involving Facebook and its sharing of Facebook user data with Cambridge Analytica. The action by Professor Carroll could not only shed light on how millions of American voters were targeted online in the run-up to the 2016 election, but it could also lead to a wider understanding of what data is stored about us and how it is used by companies and organisations.

The right to request personal data that an organisation holds about us is a cornerstone right in data protection law, and this right will be brought into even sharper focus by the introduction of GDPR this month. GDPR will also give EU citizens the ‘right to be forgotten’, and has already put pressure on UK companies to put their data house in order, and prepare to comply or face stiff penalties.

This story also shows that American citizens can request information from companies that process their data in the UK.

Facebook Loyalty Intact Says Survey

Even after all the publicity surrounding Facebook’s selling of the personal data of 87 million users to Cambridge Analytica, a Reuters/Ipsos survey has found that most users are still loyal to the social media giant.

Just A Public Relations Problem

The survey conducted April 26-30 was based in the US, the home country of Facebook and the place where the vast majority of those whose data was sold live. Far from indicating that any users have been outraged by the selling of their personal data property without their permission, the survey appears to show that Facebook has so far suffered no ill effects from the scandal, other than a public relations headache.

A Quarter Using Facebook More!

The survey showed that half of US Facebook users said they had not recently changed the amount that they used the site, and, incredibly, a quarter of those surveyed said they were using it more!

The remaining 25% said that they were using it less recently, had stopped using it, or deleted their account.

64% of those surveyed said they still used Facebook at least once a day, down only slightly from the 68% recorded in a similar poll in late March.

The results appear to show, therefore, that the numbers of those using Facebook more has balanced out the numbers of any respondents who said they used the platform less, meaning that, according to the survey, Facebook appears to have suffered no real damage other than a PR hit from the scandal.

Wait Until 2nd Quarter

Facebook actually showed a near 50% increase in its sales in the first quarter of this year, with profits up to $4.9bn from $3bn last year. Some commentators have stressed, however, that any financial effects of the scandal are likely to be evident in the second quarter.

Cambridge Analytica Closed

While Facebook, a social media giant, appears to have suffered no real damage other than a PR hit, Cambridge Analytica has been forced to go into liquidation blaming negative media attention. Some commentators have pointed out that Cambridge Analytica portrayed themselves as victims of unwarranted press activity, thereby deflecting blame from their activities involving the use of the personal data of millions to influence election and referendum outcomes.

Trusted With Dating Information?

It may appear that customer loyalty is still intact to a large extent now, but the next test for Facebook could be whether customers will trust them with their privacy when Facebook rolls out its dating service app later this year.

What Does This Mean For Your Business?

This story shows what many tech commentators had predicted: that Facebook is so much a part of people’s daily routine, with no real alternative among the other social media platforms, that it could weather the storm and come out the other end with little real impact on its user numbers. It seems strange that, even though customers’ personal details were harvested and sold to a third party without the permission of users, and then used to potentially influence how they voted in the US election (and in the Brexit referendum in the UK), very few people appear to be prepared to see that as grounds to reject Facebook and the service and value that it offers in their lives.

People actively use Facebook as an integral part of their friendship networks and as a source of news, thereby allowing it unprecedented access to their personal lives and interests, as well as allowing it to help shape their view of the world, and it may be this investment and yes, loyalty, that has allowed them to apparently forgive Facebook for its part in the scandal, and to allow the value that Facebook offers in their lives to outweigh Facebook’s indiscretions.

From a business point of view, this shows how powerful loyalty can be, especially if a service can offer value that links strongly to ‘self’ and things that have emotional and personal connections and importance, and allow and enable real engagement.

8 More Security Flaws Found In Processors

Following on from the revelation in January that 2 major security flaws are present in nearly all modern processors, security researchers have now found 8 more potentially serious flaws.

Eight?

According to reports by German tech news magazine c't, the 8 new security flaws in chips / processors were discovered by several different security teams. The magazine is reported to have been given the full technical details of the vulnerabilities by researchers and has been able to verify them.

The new ‘family’ of bugs has been dubbed Spectre Next Generation (Spectre-NG), after the original Spectre bug that was made public along with the ‘Meltdown’ bug at the beginning of the year.

90 Days To Respond

The researchers who discovered the bugs have followed bug disclosure protocols, and have given chip-makers and others 90 days to respond and to prepare patches before they release details of the bugs. The 90 day time limit ran out on Monday 7th May.

Co-ordinated Disclosure

Intel is reported to have been reluctant to simply acknowledge the existence of the bugs, preferring to have what it calls a ‘co-ordinated disclosure’, presumably near the end of the protocol time limit, when there has been time to prepare patches and to mitigate any other issues.

It is not yet clear if AMD processors are also potentially vulnerable to the Spectre-NG problems.

How Serious Are The Flaws?

There have been no reports, as yet, of any of the 8 newly-discovered flaws being used by cyber-criminals to attack firms and extract data. According to the magazine c't, however, Intel had classified half of the flaws as "high risk", and the others as "medium risk".

It is believed that one of the more serious flaws could provide a way for attackers to access a vulnerable virtual computer, and thereby reach the server behind it, or reach other software programs running on that machine. It has been reported that cloud services like Amazon's AWS may be at risk from this flaw.

Meltdown and Spectre


The original Meltdown and Spectre flaws were found to have been present in nearly all modern processors / microchips, meaning that most computerised devices are potentially vulnerable to attack, including all iPhones, iPads and Macs.

Meltdown was found to leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.

Spectre, which was found to affect Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be fooled into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.

What Does This Mean For Your Business?


The discovery of a family of 8 more flaws on top of the original 2 ‘Spectre’ and ‘Meltdown’ flaws is more bad news for businesses, particularly when they are trying to make things as secure as possible for the introduction of GDPR. Sadly, it is very likely that your devices are affected by several or all of the flaws, because they are hardware flaws at the architectural level, more or less across the board for all devices that use processors. The best advice now is to install all available patches and make sure that you are receiving updates for all your systems, software and devices.

Although closing hardware flaws using software patches and updates is a big job for manufacturers and software companies, it is the only realistic and quick answer at this stage to a large-scale problem that has been present for a long time, but has only recently been discovered.

Regular patching is a good basic security habit to get into anyway. Research from summer 2017 (Fortinet Global Threat Landscape Report) shows that 9 out of 10 impacted businesses are being hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and there are already patches available for them.

Twitter Says Change Your Password

Twitter has advised all users to change their passwords after a bug caused the passwords to be stored in easily readable, plain text on an internal computer log.

The Bug - Passwords Visible Before ‘Hashing’

Twitter reported on its own blog that a bug had stored passwords ‘unmasked’ in an internal log. The bug is reported to have written the passwords into that internal log before Twitter’s hashing process had been completed.

The hashing process disguises Twitter passwords, making them very difficult to recover. Hashing uses the ‘bcrypt’ function, which replaces the actual password with a string of numbers and letters from which the original password cannot practically be worked out. It is this replacement string, and not the password itself, that should be stored in Twitter’s system, as it allows the systems to validate account credentials without revealing the customer’s password.
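The ordering problem the story describes (the password reaching a log before it is hashed) is easy to reproduce and easy to check for. The following is an added example, not Twitter's code; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (the function named above) because bcrypt needs a third-party package, and it models the internal log as an in-memory list. The `set_password_buggy` / `set_password_fixed` handlers and `log_leaks_secret` check are hypothetical names chosen for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed stand-in for the internal application log described in the story.
INTERNAL_LOG: List[str] = []

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt. The property that matters
# is the same: a salted, deliberately slow one-way function of the password.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def set_password_buggy(username: str, password: str) -> str:
    """The failure mode from the story: the raw request is logged before hashing."""
    INTERNAL_LOG.append("password change: user=%s password=%s" % (username, password))  # BUG
    return hash_password(password)


def set_password_fixed(username: str, password: str) -> str:
    """Hash first, and never let the secret reach the log at all."""
    stored = hash_password(password)
    INTERNAL_LOG.append("password change: user=%s password=[REDACTED]" % username)
    return stored


def log_leaks_secret(secret: str) -> bool:
    """Defender's check: does any log line contain the plaintext secret?"""
    return any(secret in line for line in INTERNAL_LOG)


if __name__ == "__main__":
    INTERNAL_LOG.clear()
    set_password_buggy("alice", "constructed-pass-1")
    print("buggy handler leaks password:", log_leaks_secret("constructed-pass-1"))
    INTERNAL_LOG.clear()
    record = set_password_fixed("alice", "constructed-pass-1")
    print("fixed handler leaks password:", log_leaks_secret("constructed-pass-1"))
    print("stored record verifies:", verify_password("constructed-pass-1", record))
```

The same `log_leaks_secret` idea scales to a real log review: grep the log store for a handful of freshly set test passwords, which is a cheap regression check that the redaction is still in place after a deploy.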

Millions Affected?

The fact that the passwords were revealed only on an internal server, albeit for what is estimated to be several months, and that there appears to be no evidence of anyone outside the company seeing the passwords, and no evidence of a theft or of passwords turning up for sale on hacker sites, indicates that it is unlikely that many of the 330 million Twitter users have anything real to fear from the breach.

Big Breaches

In this case, Twitter appears to have behaved responsibly and acted quickly by reporting the bug to regulators, fixing the bug, and quickly and publicly advising all customers to change their passwords.

Twitter’s behaviour appears to be in stark contrast to the way other companies have handled big breaches. For example, back in November 2017 Uber was reported to have concealed a massive data breach from a hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.

Breaches can happen for all kinds of reasons, and while Twitter’s breach was very much caused and fixed by Twitter internally, others have been less lucky. For example, an outsourcing provider of the Red Cross Blood Service in Australia accidentally published the Service’s entire database to a public web server, thereby resulting in Australia's largest ever data breach.

What Does This Mean For Your Business?

If you have a Twitter account, personal or business, the advice from Twitter is quite simply to change your password, and change it on any other service where you may have used the same password. Twitter is also advising customers to make the new password a strong one that isn’t reused on other websites, and to enable two-factor authentication. You may also want to use a password manager to make sure you’re using strong, unique passwords everywhere.

In this case, Twitter has acted quickly, appropriately and transparently, thereby minimising risks to customers and risks to its own brand reputation. Twitter will want this message of responsibility to be received loud and clear, particularly at a time when GDPR (and its hefty fines) is just around the corner, and when competing social networks such as Facebook have damaged customer trust by acting less responsibly with their data through the Cambridge Analytica scandal.

Tuesday, May 08, 2018

Amazon Challenges Google and Facebook For Ads Dominance

Reports that Amazon.com Inc has doubled its ad profits, is growing its ad business fast, and may be outselling ads on Twitter Inc and Snapchat, may soon see it in serious contention for ad dominance with its bigger rivals: Google and Facebook.

Multi-Billion Dollar Program


Reports that Amazon has achieved around $2 billion advertising revenue and with predictions by eMarketer last October that Amazon would hit $3.19 billion in net U.S. digital ad revenues by 2019 (which is 3.0 percent of digital ad spending), show that Amazon clearly has a multi-billion dollar program underway that is growing fast.

How?


Some commentators put the rapid and impressive rise in ad revenues down to the fact that Amazon has two non-retail businesses that are experiencing fast growth, and are profitable.

Firstly, Amazon’s fastest-growing business segment, which hit $2.0 billion in the first quarter, a 72% increase from a year earlier and 100% growth on the last quarter, is its “other” section. This segment is mainly Amazon’s growing advertising business, which is experiencing strong demand from advertisers that spend money to highlight their products over competitors’ in Amazon’s catalogue. The ad business now generates multiple billions in revenue. For example, the world’s largest advertising company, WPP, directed $200 million of its clients’ ad budgets to Amazon in 2017, and has also predicted that this number could rise to $300 million this year.

Secondly, Amazon’s other key profit driving non-retail business is Amazon Web Services (AWS). This leases computing power and data storage to companies large and small, and has just experienced a 40% growth. The fact that AWS has earned $17.5 billion in 2017 compared to its $9.2 CapEx spending means that it is even making a profit from a business that typically requires a huge amount of investment. For example, Amazon Web Services (AWS), Microsoft, and Google collectively spent $35 billion on data centres to power their cloud businesses in 2017.

One key thing that both of these important business segments have in common is that they deliver big profit margins. For example, AWS’s operating profit margin is consistently over 20% and Amazon’s ad business also contributes big profits to the company’s main bottom line.

Some commentators have said that Amazon’s strong position in the Cloud market, search and advertising, and the voice assistant market with Alexa are boosting the competitive position of the company as well as its profits.

In Competition With Google and Facebook?

This huge surge in advertising profits is still not quite in the same ballpark as Google and Facebook’s Internet duopoly, with Google and Facebook accounting for more than 60% of global online ad revenues, although Amazon is now on the right trajectory to start taking more of their business.

What Does This Mean For Your Business?


Amazon has expanded and diversified in recent years and the big advantages of its advertising that are attracting more business customers are its reach, the fact that Amazon has users’ purchase data and knows what shoppers need, and the fact that advertising on Amazon is delivering results for customers in terms of driving brand awareness, discovery or/and purchases.

These recent ad revenue figures show that although Amazon isn’t seriously challenging Facebook and Google just yet, it is generating significant profits from non-retail parts of its business, and is certainly going in the right direction to challenge the current duopoly. For businesses, this gives them more choice, and another potentially effective advertising platform that could drive more potential buyers their way.

Fake Online Reviews Investigation

A recent investigation as part of a BBC 5 Live programme has led to the underground trade in fake online reviews coming under the spotlight.

What Reviews and Why Does It Matter?

The kinds of reviews of products and services that can allegedly be purchased and displayed online in order to influence purchasing decisions are reported to be those on sites such as Trustpilot and Amazon.

Three quarters of UK adults use online review websites, and the government's Competition and Markets Authority estimates that such reviews potentially influence £23 billion of UK customer spending every year.

Younger consumers are thought to be particularly influenced by the reviews of others / their peers when it comes to purchasing decisions.

The key motivator for businesses buying fake reviews is, of course, to rank top for your product because this can lead to a lot of extra sales.

How Bad Is The Problem?

A Chartered Institute of Marketing (CIM) study shows that almost half of UK adults believe they have seen fake reviews, and according to US analysts, as many as half of the reviews for some products posted on international websites like Amazon may be potentially unreliable.

What’s Been Happening?

According to the recent BBC investigation of the problem, buyers are offered full refunds on products bought on Amazon in exchange for positive reviews. This practice is believed to be something that was driven underground back in 2016 after Amazon introduced measures designed to prohibit ‘incentivised reviews’ i.e. businesses offering customers free goods in exchange for positive reviews.

The BBC 5 Live team investigators have reported that they were offered deals for Amazon reviews, and were able to use eBay to purchase a false 5-star review on Trustpilot.

Denied

In response to the findings of the BBC investigation, Amazon has stated that it does not permit reviews in exchange for compensation of any kind and that customers and Marketplace sellers who don’t follow review guidelines are subject to action including potential termination of their account.

Trustpilot has said that it uses specialist software to screen reviews against hundreds of data points around the clock in order to automatically identify and remove fakes, and that it has a zero-tolerance policy towards any misuse.

eBay has also stated that the sale of fake reviews is banned from its platform, and that any such listings will be removed.

What Does This Mean For Your Business?

The potential rewards of more sales and profits, getting a competitive edge, and boosting brand awareness are powerful motivators for some businesses, who may feel that, when weighed up against the lack of any serious penalties, buying fake reviews appears to be worth the risk. For the vast majority of review-reading customers, however, this is a deceptive practice that may cause them to purchase products that do not meet their needs or expectations.

The proliferation of fake reviews also undermines public trust in reviews, and this can be particularly unfair for those companies who have worked hard to get genuine positive reviews through simply providing superior products and service levels.

There is an argument that more preventative action needs to be taken by these platforms to stop fake reviews being published in the first place, and that stronger penalties are needed for those caught selling fake reviews.

Sadly, many commentators believe that we are currently in a 'post-truth era' where many people get their news from social media and where we are becoming conditioned to put less emphasis on the need for objective facts. It is with this backdrop that the trade in fake reviews has been allowed to grow.

There is still a strong argument, however, that there is no substitute for striving to provide quality products and great customer service as these strengthen a business anyway, ensure that reviews are positive, and should ultimately win over short-term deceptive practices.

Online Dating Via Facebook

Facebook CEO, Mark Zuckerberg, has announced that Facebook, the world’s largest online social network, will soon be providing an online dating service, thereby putting it in competition with the likes of Match Group Inc.

On The Cards


Bearing in mind Facebook’s origin as a college dating website and Mark Zuckerberg’s early ‘Facemash’ program, and the fact that Facebook is known to have been wanting to move into online dating for at least 10 years, this move has been on the cards.

Why Now?

There are several key reasons why Facebook has chosen to actually make the move into the online dating world. These include:
  • The need to make people spend longer on the Facebook platform (and not on other platforms). For example, time spent by Facebook users on the platform fell by 50 million hours a day in 2017.
  • The need to attract more young people to the platform.
  • The commercial attractiveness of the booming and growing dating market.
  • The fact that there are 200 million people on Facebook that list themselves as single.
  • The fact that Facebook already holds many facets of information about users that could be used for matching and dating purposes e.g. interests, local events they could attend.

How Will It Work?

The proposed platform is an optional feature that users will be able to use by clicking on a heart shape at the top-right corner of the Facebook app, and setting up a dating profile. The profile will be based on a first name, won’t be visible to friends and users who aren’t on the dating feature, and won’t show up in the News Feed.

Once set up, users can browse events in their local area and groups that match their interests, select ‘unlock’ for dating, and then be able to see the profiles of other potential dates who have unlocked that same event or group. These profiles will show a few photos plus some basic information about potential dates.

The system will not work using the “swipe” left or right on potential matches like Tinder, but there will be two buttons for “pass” and “interested.”

Users will be able to start a conversation with a potential match by commenting on one of their photos, but the conversations will be text-only, thereby eliminating the risk of unsolicited nude photos being sent. Conversations will take place in a special inbox that’s separate from Messenger and WhatsApp.

Security

In the wake of the Facebook and Cambridge Analytica scandal, Facebook has been quick to stress that the service has been built and will operate with an emphasis on privacy.

Not Just Hook-Ups

Facebook has also said that the new dating service is intended to be a standalone feature that will focus on legitimate long-term relationships, rather than just hook-ups. There are already many stories of couples who have met via the normal Facebook platform.

Dating Service Competitors – Stock Value Falls

Shortly after Mark Zuckerberg announced the move into the dating arena, and even though Match Group CEO Mandy Ginsberg said that she was flattered by Facebook’s entrance into its space, Match’s stock traded down about 22%. Match is the owner of mobile dating apps Tinder and OkCupid and describes itself (on its website) as the “global leader” in online dating.

What Does This Mean For Your Business?

If it wasn’t for the recent scandal about data sharing with Cambridge Analytica and the lack of trust that it has created, Facebook would be almost perfectly positioned to seriously and quickly take on the current online dating giants such as Match. It remains to be seen, therefore, how quickly Facebook users forget, or are willing to throw caution to the wind with the promise of powerful motivators and positive reinforcement in the form of dates and possibly a love match.

Some competitors, such as Bumble, have seen Facebook’s move as an opportunity rather than just a threat, and Bumble has reportedly reached out to Facebook to explore ways to collaborate.

Google Chrome Leads Digital Certificate Clean Up

The Google Chrome Browser is being equipped with transparency logs that are designed to prevent potentially costly digital certificate errors by Certificate Authorities (CAs) and to guard against cyber-criminals issuing their own certificates.

Stopping Misuse

The move has been designed to improve all-round transparency, and to better protect both users and companies from becoming victims of certificate misuse.

Triggers A Warning Message If Not Logged

The change means that all CAs must now log every digital certificate they issue in certificate transparency logs, so that any website with a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate that isn’t logged will trigger a browser warning. The warning will tell users that the website’s certificate doesn’t comply with Google Chrome’s transparency policy and, therefore, may not be safe.

In fact, any part of a website that’s served over an https connection that doesn’t comply with Google’s policy will not load and will display an error in Chrome DevTools.

The change applies to all TLS server certificates issued after 30 April, 2018.
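As an added example (not code from the article or from Google), here is a parser for the RFC 6962 SCT list that a CA embeds in a certificate once it has been logged, followed by a minimal policy check of the kind a browser applies. The log IDs, timestamps, signature bytes and the two-distinct-logs threshold are constructed assumptions; a real client also verifies each SCT signature against the log's public key.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList (the value carried in
the X.509 extension 1.3.6.1.4.1.11129.2.4.2) and apply a minimal embedding
policy check.  Added example, not code from the article or from Google; the
log IDs, timestamps, signatures and policy threshold are constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SCT:
    version: int        # 0 means v1, the only version defined by RFC 6962
    log_id: bytes       # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes   # opaque, empty for v1 in practice
    hash_alg: int       # TLS HashAlgorithm code (4 == sha256)
    sig_alg: int        # TLS SignatureAlgorithm code (3 == ecdsa)
    signature: bytes    # raw signature bytes, not verified here


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    """Slice n bytes at pos, raising instead of silently truncating."""
    if pos + n > len(buf):
        raise ValueError("SCT structure truncated")
    return buf[pos:pos + n], pos + n


def parse_sct(data: bytes) -> SCT:
    """Decode one SerializedSCT (RFC 6962 section 3.2)."""
    fixed, pos = _take(data, 0, 1 + 32 + 8)
    version, log_id = fixed[0], fixed[1:33]
    timestamp_ms = struct.unpack("!Q", fixed[33:41])[0]
    ext_len, pos = _take(data, pos, 2)
    extensions, pos = _take(data, pos, struct.unpack("!H", ext_len)[0])
    algs, pos = _take(data, pos, 2)
    sig_len, pos = _take(data, pos, 2)
    signature, pos = _take(data, pos, struct.unpack("!H", sig_len)[0])
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, algs[0], algs[1], signature)


def parse_sct_list(data: bytes) -> list[SCT]:
    """Decode the list: a 2-byte total length, then 2-byte-length-prefixed SCTs."""
    if len(data) < 2 or struct.unpack("!H", data[:2])[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        item_len, pos = _take(data, pos, 2)
        item, pos = _take(data, pos, struct.unpack("!H", item_len)[0])
        scts.append(parse_sct(item))
    return scts


def encode_sct(sct: SCT) -> bytes:
    """Inverse of parse_sct, used here only to build the constructed sample."""
    return (struct.pack("!B", sct.version) + sct.log_id
            + struct.pack("!Q", sct.timestamp_ms)
            + struct.pack("!H", len(sct.extensions)) + sct.extensions
            + struct.pack("!BBH", sct.hash_alg, sct.sig_alg, len(sct.signature))
            + sct.signature)


def encode_sct_list(scts: list[SCT]) -> bytes:
    items = b"".join(struct.pack("!H", len(e)) + e for e in map(encode_sct, scts))
    return struct.pack("!H", len(items)) + items


def check_ct_policy(scts: list[SCT], min_logs: int = 2) -> tuple[bool, str]:
    """Constructed policy: at least min_logs v1 SCTs from distinct logs.
    A browser additionally verifies every signature against the log's public
    key and scales the threshold with the certificate's validity period."""
    distinct = {s.log_id for s in scts if s.version == 0}
    if len(distinct) < min_logs:
        return False, f"{len(distinct)} distinct v1 log(s), need {min_logs}"
    return True, "ok"


# Constructed sample: two SCTs from two made-up logs with placeholder signatures.
_LOG_A, _LOG_B = bytes([0xAA]) * 32, bytes([0xBB]) * 32
SAMPLE_SCTS = [
    SCT(0, _LOG_A, 1525132800000, b"", 4, 3, bytes.fromhex("3006020101020102")),
    SCT(0, _LOG_B, 1525219200000, b"", 4, 3, bytes.fromhex("3006020103020104")),
]
SAMPLE_LIST = encode_sct_list(SAMPLE_SCTS)

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE_LIST):
        when = datetime.fromtimestamp(s.timestamp_ms / 1000, tz=timezone.utc)
        print(f"log {s.log_id[:4].hex()}... timestamp {when:%Y-%m-%d %H:%M}Z")
    print(check_ct_policy(parse_sct_list(SAMPLE_LIST)))
```

On a real certificate the bytes passed to `parse_sct_list` are the inner octets of the SCT list extension, after the DER OCTET STRING wrapper has been removed.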

Driving Positive Change

With Google Chrome reportedly being used by 60% of web users, this move is being seen by some as Google using its market dominance to drive better practices. It is expected, therefore, that most other major browsers will follow Google’s example.

What Does This Mean For Your Business?

This is really just an industry change that primarily affects parties issuing the certificates e.g. a Certificate Authority. The change isn’t retroactive and so isn’t going to affect SSL certificates that were issued but not logged before April 30, 2018. This change will not (immediately) directly affect end users, although the clean-up effect that it may have on the whole business around certificates, and in thwarting some of the activities of cyber criminals could contribute towards a more secure internet generally. For example, cyber-criminals have been able to target internet users by finding ways to issue their own certificates.

The change should also give businesses a way to take action to protect themselves and their customers against any potential damage done to their business by mis-issuance of certificates.

This story should also be a reminder that from June, if your website doesn’t have a secure certificate i.e. if it doesn’t have https in the URL, Chrome will post a security warning to visitors which could mean that you lose enquiries and sales. Not having a secure certificate could also potentially mean that your website could suffer in the search engine rankings.

New Google ‘Chat’ SMS Message Replacement Rollout Begins

Google has begun the rollout of ‘Chat’, the messaging service that, it is hoped, will replace SMS text messages on Android phones, and bring it into the same ballpark as WhatsApp and Apple’s iMessage.

What’s The Problem?

The SMS messaging system for Android phones has suffered over many years from being simply a succession of poorly supported, different apps all using the same basic Short Message Service (SMS) from the 1990s to send text messages over a mobile network. The result has been that none have been particularly popular among Android users, who have been envious of the simplicity and ease of other messaging services, e.g. the iPhone’s iMessage, that have better features and send messages over the internet instead of using SMS.

New System, New Features

Google’s solution to the problem has been to spend many years developing a whole new messaging system (instead of simply making another app) based on a standard called the “Universal Profile for Rich Communication Services” (RCS), which allows Android users to send messages and image files over a data network.

The new ‘Chat’ service offers many more features such as group texts, videos, typing indicators and read receipts. Since RCS is a communications standard, it will be up to mobile operators to enable the service, but Android will still have SMS to fall back on anyway.

Carrier-Based Service

Chat is a carrier/network-based service (i.e. not a Google-based service), so one of the key ways that Google has gone about making sure that Chat will work is to try to convince as many carriers as possible to take the new standard, and make the Chat services interoperable between carriers.

If you text someone who doesn’t have Chat enabled, or who is not an Android user, your messages will revert back to SMS, in the same way that an iMessage does.

It is thought that Google has done enough work with 50+ carriers to ensure that most of them will enable the use of the Chat service this year, which is handy since the global rollout by Google is already underway.

Au Revoir ‘Allo’

Another indicator of Google’s commitment to getting Chat 'out there' is the pausing of its work on its ‘Allo’ messaging service.

Data Plan Instead of SMS

Since Chat messages will be sent over the data network i.e. sent with your data plan instead of your SMS plan, it is expected that charges for messages could be less, although this will be up to the networks.

Security Flaw

One flaw in the Chat service could be the fact that messages are not encrypted, and could, therefore, be a security risk if intercepted.

What Does This Mean For Your Business?

Business and individual users of Android will be pleased to hear that at last there may be a messaging service that is built-in, allows plenty of modern functionality, and is up there with competing services e.g. WhatsApp and iMessage.

Hopefully, the main networks will support the service as soon as possible, and with messages being sent over the data network the hope is also that costs for the service could be kept at a very reasonable level (depending on the network).

The one question mark for many users may, however, be the lack of encryption of the messages, especially at a time when data security is at the forefront of their mind with the introduction of GDPR next month.

Monday, April 30, 2018

GDPR: Don’t Get Caught Out By Your Logfiles

With all the focus on the more visible elements of GDPR compliance ahead of the Regulation’s introduction on May 25th, one EU Working group is warning businesses not to forget what’s stored in the logfiles of their Internet-facing servers.

What Are Logfiles and Why Should We Care?

Logfiles record either events that occur in an operating system or other software, or messages between different users of communication software.

As well as being useful to an organisation e.g. for providing clues about hostile activity affecting the network from within and without, and providing information for identifying and troubleshooting equipment problems, logfiles on Internet-facing computers can also potentially provide information to hackers and cyber-criminals that could compromise your system and data security.

Report Suggestions

A draft report by the Internet Engineering Task Force's Internet Area Working Group (IETF's INTAREA) says that changing data regulations have meant that what were established best practices have now become poor practices. The draft, therefore, offers a checklist as a set of updates to RFC 6302 designed to help plug this potential GDPR compliance black spot. The “Recommendations for Internet-Facing Servers” draft suggests that sysadmins adopt a data minimisation approach to configuring their server logs, and its suggestions include:
  • Full IP addresses should only be stored for as long as they are needed to provide a service.
  • Logs should only include the first two octets of IPv4 addresses, or the first three octets of IPv6 addresses.
  • Inbound IP address logs shouldn't last longer than three days, because that lets logging cover a weekend before it's flushed.
  • Unnecessary identifiers should not be logged, e.g. source port numbers, timestamps, transport protocol numbers and destination port numbers.
  • The logs should be protected against unauthorised access.
It should be said that any legally-mandated logging, e.g. to comply with local telecommunications data retention laws, isn't covered by the draft.
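As an added example (not code from the IETF draft or the article), this script applies the minimisation suggestions above to Apache combined-format access log lines: it truncates client addresses to a coarse prefix, drops fields treated as unnecessary identifiers, and prunes entries older than the three-day window. The sample lines, the choice of which fields to drop and the prefix lengths are constructed assumptions.

```python
"""Apply the draft's data-minimisation suggestions to Apache combined-format
access log lines: truncate client IPs, drop the identifiers the draft calls
unnecessary, and prune entries older than the retention window.  Added
example, not code from the IETF draft or the article; the sample lines,
the field choices and the prefix lengths are constructed assumptions."""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timezone

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')
_TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
_DATE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4})\]")

# Bits kept per address family: the first two IPv4 octets and, as the draft is
# reported above, the first three IPv6 octets.  Both are configurable.
KEEP_BITS = {4: 16, 6: 24}


def truncate_ip(text: str) -> str:
    """Zero the host part of an address, keeping only a coarse prefix.
    Anything that does not parse is replaced rather than logged verbatim."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "-"
    net = ipaddress.ip_network((addr, KEEP_BITS[addr.version]), strict=False)
    return str(net.network_address)


def minimise_line(line: str) -> str | None:
    """Rewrite one line.  Kept: truncated IP, date (day only, so retention
    can still be enforced), request line, status and size.  Dropped: ident,
    authenticated user, time of day, referer and user agent (assumption:
    these are the 'unnecessary identifiers' for this server)."""
    m = _LINE.match(line.strip())
    if not m:
        return None  # unparseable lines are dropped, never copied through
    when = datetime.strptime(m["time"], _TIME_FMT)
    return (f'{truncate_ip(m["ip"])} - - [{when:%d/%b/%Y}] '
            f'"{m["request"]}" {m["status"]} {m["size"]}')


def prune_old(lines: list[str], now: datetime, max_age_days: int = 3) -> list[str]:
    """Keep only minimised lines dated within the last max_age_days days."""
    today, kept = now.date(), []
    for line in lines:
        m = _DATE.search(line)
        if m:
            day = datetime.strptime(m.group(1), "%d/%b/%Y").date()
            if (today - day).days < max_age_days:
                kept.append(line)
    return kept


def process(log_text: str, now: datetime) -> list[str]:
    """Minimise every line, then apply the retention rule."""
    minimised = [t for t in map(minimise_line, log_text.splitlines()) if t]
    return prune_old(minimised, now)


# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.45 - alice [28/Apr/2018:09:14:22 +0000] "GET /index.html HTTP/1.1" 200 5123 "https://example.com/" "Mozilla/5.0"
2001:db8:1234:5678::9 - - [30/Apr/2018:11:02:07 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58.0"
not-an-ip - - [30/Apr/2018:11:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "-"
garbage line that does not parse
"""
NOW = datetime(2018, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for out in process(SAMPLE_LOG, NOW):
        print(out)
```

Run against the constructed sample with a "now" of 1 May 2018, the 28 April entry is pruned, the IPv6 client becomes 2001:d00:: and the unparseable line is discarded rather than passed through.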

Cookie Consent Pop-Ups

We are all used to seeing cookie consent pop-ups when we arrive at websites, but the “implied consent” website owners have assumed existed once people clicked “I Agree” to cookies may no longer apply under GDPR. This is because GDPR is consent specific, and there is no way “implied consent” can get you water-tight compliance. What this means is that cookie consent pop-ups may soon be on legally shaky ground when it comes to GDPR compliance.

What makes this issue more complicated is the fact that the EU had intended to publish an updated ePrivacy Regulation, with the commencement of GDPR, to relax the cookie popup requirements, but didn’t do so. This means that data privacy rules on this matter will be governed by the old ePrivacy Directive and GDPR at the same time, with GDPR having the precedence.

What Does This Mean For Your Business?

This story shows that with GDPR just around the corner, some of the finer areas of compliance are starting to come under the spotlight. Yes, data protection, data security and privacy are the responsibility of all of us, not just the ‘technical people’, but when it comes to having to deal with server-logs, there clearly is a need for a technical focus to ensure all-round general compliance. Hackers, by nature, are generally technically proficient, and can employ multi-level and sophisticated attack techniques. It makes sense, therefore, that companies make attempts to plug known technical weak-spots such as those highlighted in this draft.

The cookie consent pop-up issue highlights the complicated area of consent that many companies have anticipated with the introduction of GDPR. The important point to remember is that GDPR is consent specific. Consent can’t simply be implied, and consent must also be unambiguous, informed, a statement or clear affirmative action, and freely given. Also, under GDPR, a data subject has the right to withdraw their consent at any time.

Martin Lewis Fights Facebook In Court

MoneySavingExpert’s (MSE) founder and TV consumer champion Martin Lewis (OBE) has commenced UK High Court proceedings against Facebook to sue the tech giant for defamation over a series of fake adverts bearing his name.

What Happened?

Mr Lewis alleges that 50 fake ads bearing his name appeared on the Facebook social media platform over the space of a year, and that the fact that the ads were not from him, and could / did (in some cases) direct consumers to scammer sites containing false information, may have caused serious damage to his reputation, and did cause some people to lose money.

Mr Lewis prepared for the first day of the court action against Facebook (on Monday 23rd April) by giving an interview to BBC radio explaining why he was taking the action, and offering to stop the court action altogether if Facebook ‘took responsibility’ for what he believes were its damaging actions against his reputation.

It is alleged that the adverts featured Mr Lewis’s face alongside endorsements that Mr Lewis says that he did not make. Mr Lewis has publicly stated many times that he does not appear in any adverts, therefore, any advert bearing his name must be a fake.

Long Fight

Mr Lewis has stated in a press release about the case that he has been fighting to stop the adverts from appearing on Facebook over the last year and that, even when they were reported to Facebook, many of the ads were left up for days or weeks, and when they were taken down, scammers were able to launch new, nearly identical campaigns very soon afterwards.

Mr Lewis is personally suing Facebook (not on behalf of MSE), and has published details of the legal action on the MSE website, saying “I will issue high court proceedings against Facebook, to try and stop all the disgusting repeated fake adverts from scammers it refuses to stop publishing with my picture, name and reputation.”

Mostly ‘Get-Rich-Quick Schemes’

The fake adverts are reported to have been mostly for ‘get-rich-quick schemes’ e.g. titled ‘Bitcoin code’ or ‘Cloud Trader’, which are reported to be fronts for binary trading firms based outside the EU. Martin Lewis has stated online that binary trading is a financially dangerous, near-certain money-loser, which the regulator the Financial Conduct Authority (FCA) strongly warns against.

Not For His Own Financial Benefit

Although Mr Lewis has said that he is seeking exemplary and substantial damages, he has said that this is because he wants to show Facebook that they can’t just pay damages as a kind of cost of business and then simply “carry on regardless”.
Mr Lewis has said that any money he does receive in damages from the court case will go not to him, but to anti-scam charities.

What Does This Mean For Your Business?

This case is compelling for many reasons. Firstly, it appears clear from what Mr Lewis has said publicly about his side of things that the fake adverts are bound to be damaging to a person whose public role is to fight for consumer rights, and is reported to have been damaging to other innocent victims of the scam ads e.g. the lady who reportedly had over £100,000 taken from her by the ad scammers. It’s in everyone’s interest that the activities of scammers are stopped.

Secondly, it will be interesting to see how successful Martin Lewis personally will be in taking on a rich tech giant that some commentators see as behaving almost as though it were above the law in some of the countries in which it operates. Since Martin Lewis is a consumer ‘champion’ and influencer when it comes to many financial products, it is likely that he will have a great deal of public sympathy and media attention, which could give him extra bargaining power.

Thirdly, one key aspect of this case is which businesses Facebook is actually in rather than what business it thinks it’s in. For example, Mr Lewis is arguing that Facebook claims to be a platform not a publisher – and yet the problem has arisen not just from posts on a web forum, but from Facebook being paid to publish, promulgate and promote what may be fraudulent enterprises i.e. acting like a publisher. If Mr Lewis wins the case, it may be that Facebook will need to re-examine whether or not it now has to see itself as a publisher, and may be forced to change its system.

WhatsApp Raises Age To 16 For GDPR

Facebook’s WhatsApp messaging service is raising its minimum age in Europe to 16 to comply with GDPR which comes into force on May 25th.

Was 13

Up until now, the minimum age has been 13, and that minimum age will remain for the rest of the world, in line with its Facebook parent company. WhatsApp, founded in 2009, has an estimated 1.5 billion users.

Just Asking

Users will be asked to confirm their minimum age by the new WhatsApp Ireland Ltd in the next few weeks, when they will be prompted to agree to new terms of service and a privacy policy. Some critics have pointed out that even though users will be asked if they are 16 or over, it is unclear from the information that the service holds about users how their age can be accurately checked and verified and, therefore, how the new rule can be enforced.

Based on US Law Until Now

The age 13 limit up until now has been based upon the US law "Children's Online Privacy Protection Rule" (Coppa), which bans online services from collecting personal information about younger children. This is why the usage of many other popular social media apps e.g. Snapchat, YouTube, Instagram, Pinterest, Twitter, Musical.ly and Reddit are restricted to persons aged 13 and over.

WhatsApp’s parent company Facebook faced criticism after announcing last December that it would be targeting younger children with its ‘Messenger Kids’ service. At the time, Facebook’s primary (stated) motive for the new junior version of its platform was to provide a safer, more age-appropriate version, but some tech and business commentators suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.

Collecting and Sharing Information

The recent Facebook and Cambridge Analytica scandal has brought the matter of collecting and sharing of our personal data into sharp focus. WhatsApp, however, has said that the new changes do not mean that it will be asking for any new rights to collect personal information in the agreement it has created for the European Union. WhatsApp says that the goal of the change is simply to explain how they use and protect the limited information they have about users.

As well as the age restriction change, WhatsApp is also, therefore, rolling out a feature with the latest version of the app that allows users to download a report detailing the data that WhatsApp holds on them e.g. the make and model of the device they used, their contacts, their groups and any blocked numbers.

Facebook Nominate

Facebook is also updating its data policy to comply with GDPR, which involves asking 13- to 15-year-old users to nominate a parent or guardian to give permission for them to share information on the platform. If they won’t / cannot do so, the young users will not be able to see a fully personalized version of the social media platform.

Also, Facebook's Instagram is launching a data download tool to provide users with a file containing the photos, comments, archived stories, contacts and any other personal data that they’ve posted to the service in the past.

Twitter Too

Twitter Inc is also changing its privacy policy, ahead of the introduction of GDPR, so that users can view the information they share with the micro-blogging service and see how it’s being used. Twitter has said that the changes are to make the privacy policy visually clear and easy to use, and to clarify legalistic or technical language.

What Does This Mean For Your Business?

This story is another clear reminder that the introduction of GDPR is just around the corner as the tech giants, who have more to lose in fines, potential lost customer numbers, and serious reputational damage, make the necessary legal moves to ensure compliance. For Facebook especially, they have faced some very high profile bad publicity this year over their handling and sharing of personal data, so getting their GDPR compliance house in order may be a way to help avoid any further problems.

There is also a very serious ethical element to this story. It is estimated that Facebook has 20 million under-13-year-olds currently using the network, and there may also be a very large number of children using WhatsApp. Parents may understandably have serious concerns about what content children can have access to and, equally importantly, who can have access to children via social networks. Unsuitable material, commercialisation, bullying (or predatory behaviour by some adults) are just some of the issues to consider.

As well as these concerns, governments (such as the UK) are looking to stop end-to-end encryption in WhatsApp, GDPR is just around the corner, Facebook is now facing more tough questions about its Cambridge Analytica links, Martin Lewis (OBE) is taking Facebook to court for defamation and calling for Facebook to take responsibility for its actions ... the pressure is now seriously on big social media platforms to make some changes, particularly where EU users are concerned.

Half of UK Manufacturers Hit By Cyber Attacks

A new report published by manufacturers’ organisation EEF in partnership with insurance firm AIG and the Royal United Services Institute (RUSI) shows that 48% of UK manufacturers have been subject to a cyber-security incident at some time.

Loss and Disruption

Half of those manufacturing companies who admit to being hit by cyber-criminals have said that the incident(s) caused financial loss or disruption to business.

Challenges

The report highlighted several key challenges that the manufacturing industry faces in making itself less vulnerable to cyber-criminals. These challenges include:
  • The age of equipment and the networked nature of production facilities. Many industrial systems are up to 20 years old and were developed before cyber threats became a big issue. As a result, poorly protected office systems, often the first implemented historically within manufacturing businesses, are particularly vulnerable. Also, a networked building, such as many manufacturing sites, can be hacked and exploited.
  • Many manufacturing companies hold a large amount of classified information, e.g. intellectual property (IP) and trade secrets, which makes them targets for, for example, financially motivated or state-sponsored hackers.
  • Having no idea of the nature and size of the risks. 41% of manufacturing companies don’t believe they have access to enough information to assess their true cyber risk, and 12% of manufacturers admit they have no technical or managerial processes in place to even start assessing the real risk.
  • A lack of basic detection that a cyber attack is taking place / has taken place, and a lack of investment in training, i.e. 34% do not offer cyber-security training.
  • Feeling that they are not equipped to tackle the risk anyway. For example, 45% are not confident they are prepared with the right tools for the job.
  • A lack of confidence. Although 91% of the 170 UK manufacturing businesses polled are investing in digital technologies, 35% think that cyber vulnerability is inhibiting them from doing so fully.

What Does This Mean For Your Business?

For manufacturing businesses facing the very real threat of sophisticated, multi-level attacks, now is not the time to be left with a vulnerable, outdated system. Advice from the report includes following the advice of the Government-backed ‘Cyber Essentials’ scheme. This includes the 5 security essentials of using a firewall to secure your Internet connection, choosing the most secure settings for your devices and software, controlling who has access to your data and services, protecting yourself from viruses and other malware by using antivirus software, only downloading apps from manufacturer-approved stores, or running apps and programs in an isolated environment, and continually ensuring that operating systems and software are up-to-date and running the latest security patches.

Clearly, manufacturing companies with old systems may need to bite the bullet and invest in more modern, digitised, and well-protected systems. The report also indicates that greater investment in staff training is needed to help them spot and deal with risks, and to avoid the kind of human error that many modern cyber-attacks rely on, e.g. malware / viruses sent by email, phishing, and other social engineering attacks.

Another opportunity for manufacturing companies to boost cyber-security could also come from cyber-insurance. For example, many cyber insurers offer a comprehensive package of pre-loss services to businesses to carry out a cyber health check which could help to highlight gaps in cyber risk management and help identify what security measures should be prioritised.

Monday, April 23, 2018

Russia Suspected of Hacking Campaign

The UK's National Cyber Security Centre (NCSC), the FBI and the US Department of Homeland Security have warned that Russia may be behind a broad hacking offensive targeting millions of machines that direct data around the net.

Networking Equipment Targeted

US and UK security agencies have issued a joint internet security alert warning and have been reported as suggesting that a surge in global hacks targeting the networking equipment used to move traffic across the net is the result of a Russian state-sponsored campaign.

Why?

Some commentators have suggested that the deterioration of the relationship between Russia and the West, resulting from issues like accusations of election meddling, the poisonings in Salisbury, and arguments over the Syrian conflict, may have contributed to an online revenge offensive.

As well as the disruption caused, the aim appears to be espionage / the theft of information (which actually dates back at least to the late 1990s), and the threat (so far) of destructive acts of sabotage e.g. disabling parts of the electricity grid. These kinds of suspicions have arisen because many recent hacks appear to be pre-positioning in networks that are part of the critical national infrastructure.

Cyber War Ahead?

While we are being told that we have returned to another 'Cold War' situation, some commentators have suggested that we may be on the brink of a cyber-war with Russia, even though there has not been any real significant cyber-attack or change of behaviour from Russia.

Although Russia has been accused of launching destructive attacks against Ukraine, which had a negative effect on businesses there, and despite the apparent reported increase in cyber-attacks from Russia, it is still difficult for many to say whether Russia has the capability to carry out very destructive cyber attacks. Cyber attacks are often harder to trace and easier to deny than military attacks.

UK’s Own Offensive

It is worth remembering too, that as well as having defences in place, the UK has its own offensive cyber-capability, honed for over a decade, starting in the conflict in Afghanistan. Recently, for example, the UK and the US are reported to have targeted the Islamic State group with cyber attacks, with some degree of success. It would be naive to assume, therefore, that the UK is not planning / undertaking its own activities in Russia e.g. pre-positioning in Russian networks to be able to respond to any Russian cyber aggression.

What Does This Mean For Your Business?

At the moment, it is simply a case that a warning has been issued. If a cyber-conflict does start in a noticeable way then, as in a real war, it is likely to be individuals, businesses, other organisations and other services that suffer, e.g. service providers, firms running critical infrastructure, government departments and large companies first, followed by other UK businesses. The Internet plays an essential role in modern business, and disruption of vital network infrastructure could damage UK businesses and their competitiveness in the home and global market.

UK businesses also face the threat of foreign state-sponsored attacks designed to spy on / steal data, and undermine firewalls and intrusion detection systems used to spot malicious traffic before it reaches users. It has never been more important, therefore, for businesses to configure security systems correctly, apply patches and address any hardware vulnerabilities, and to make sure that their cyber resilience is at its best across all possible channels.

UK Launched Major Cyber Attack Against ISIS

GCHQ’s new director has revealed that last year, the UK conducted a large-scale cyber-attack against ISIS that was designed to suppress online terrorist propaganda and hinder ISIS's ability to coordinate attacks.

Growing For A Decade

Confirmation that the attack took place came as part of the first public speech by GCHQ’s new director and former MI5 agent, Jeremy Fleming. During his speech at the National Cyber Security Centre's (NCSC) flagship event in Manchester, Mr Fleming said that the cyber attack is just the latest part in what have been GCHQ’s efforts to grow its online counterterrorism capabilities over more than a decade.

The outcomes of cyber attacks as weapons against any enemy can range from denying online services, disrupting a specific online activity, and deterring individuals or groups, to effectively destroying equipment and networks.

Degraded Infrastructure

The UK’s cyber-attack against ISIS is reported to have degraded the terror group’s online infrastructure, made a significant contribution to coalition efforts to suppress any Daesh propaganda, hindered the terror group’s ability to coordinate attacks, and provided more protection for coalition forces on the battlefield.

Over-Achievers

It seems that this latest big cyber-attack success is only the tip of the iceberg, as a report by Parliament's Intelligence and Security Committee (ISC) has said that GCHQ spies had "over-achieved" in 2017, and that GCHQ had delivered on the first of three stages in its mission to bolster its cyber capabilities thanks to staging almost twice as many potential hacks as its targets.

Russia In The Spotlight

The recent deterioration of the relationship between the West and Russia means that its cyber-behaviour, as well as that of ISIS, is now reported to be more of a focus for GCHQ. In the director’s speech in Manchester, Mr Fleming said that the Russian state should be held accountable for what it does, and that the UK will continue to respond to malicious cyber-activity in conjunction with international partners such as the United States.

Helpful Tool

Another tool that could help combat terrorist propaganda online is the auto-blocker for extremist content mentioned by Home Secretary Amber Rudd. The tool, which Home Secretary Rudd would like to see adopted by ISPs, can be configured to detect 94% of extremist video uploads.

What Does This Mean For Your Business?

It stands to reason that the UK is launching its own cyber-attacks against what it sees as legitimate targets elsewhere in the world. Cyber-attack and security capabilities are now being used worldwide to support military operations, damage enemy communications and infrastructure and thereby degrade the threat they pose, as well as protecting home infrastructure and vital networks.

Attacks by other states, criminal and terror groups (e.g. hacks, DDoS attacks and viruses) can end up impacting many UK businesses, so it's good to hear that GCHQ, MI5 and other actors are ‘over-achieving’ in their efforts to protect the UK and reduce the threats that we face in a time of shifting geopolitical and technological landscapes. We can assume, therefore, that the successful actions of our security agencies are indirectly protecting many of the interests of UK businesses.

Phishing Attack Simulator : Microsoft Goodies

Microsoft has announced a set of business security tools, including a phishing attack simulator, that make it easier and more affordable for businesses to identify and fix vulnerabilities before they become an issue.

Attack Simulator

One of the key tools, announced to coincide with the annual RSA conference in San Francisco, is the Attack Simulator. This tool is included in Office 365 Threat Intelligence and is currently still in preview.

Spear Phishing Simulator

The tool, which simulates display name spear-phishing attacks, password-spray attacks, and brute-force password attacks, enables businesses to determine how end users behave in the event of an attack, and update policies to ensure that appropriate security tools are in place to protect the organization from threats.

A spear-phishing attack, for example, is used to gain access to users' credentials or financial information, and often involves sending emails, purporting to be from a person of influence in an organisation to other users. The Microsoft attack simulator tool applies machine learning models and impersonation detection algorithms to incoming email messages. The AI system is trained to detect phishing messages. It also uses algorithms to protect against various user and domain impersonation attacks.
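The simulator exercises two password-attack shapes that look very different in sign-in telemetry: a spray touches many accounts a few times each, while a brute-force attack hammers one account. The following Python is an added illustration of how a defender could separate the two in failed sign-in records; it is not Microsoft's code or the simulator's own logic, the records and the thresholds are constructed for the example, and the IP addresses are documentation ranges.

```python
from collections import Counter, defaultdict

# Constructed failed sign-in records (source_ip, user); not real telemetry.
# 203.0.113.10 tries six accounts once each: the password-spray shape.
# 198.51.100.7 tries one account nine times: the brute-force shape.
# 192.0.2.5 is a user mistyping a password twice.
FAILED_SIGNINS = (
    [("203.0.113.10", u) for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [("198.51.100.7", "alice")] * 9
    + [("192.0.2.5", "bob")] * 2
)


def classify_sources(events, spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=8):
    """Label each source IP by the shape of its failed sign-ins.

    Thresholds are assumed values for illustration; a real detector would
    also bucket events into a time window and correlate with successes.
    """
    per_ip = defaultdict(Counter)          # ip -> Counter(user -> failures)
    for ip, user in events:
        per_ip[ip][user] += 1

    verdicts = {}
    for ip, users in per_ip.items():
        distinct = len(users)
        total = sum(users.values())
        heaviest = max(users.values())
        if distinct >= spray_min_users and heaviest <= spray_max_per_user:
            verdicts[ip] = "password-spray"    # wide and shallow
        elif distinct <= 2 and total >= brute_min_attempts:
            verdicts[ip] = "brute-force"       # narrow and deep
        else:
            verdicts[ip] = "benign"
    return verdicts


def spray_targets(events, ip):
    """Accounts a spraying source touched, for lockout or reset follow-up."""
    return sorted({user for src, user in events if src == ip})


if __name__ == "__main__":
    for ip, verdict in classify_sources(FAILED_SIGNINS).items():
        print(f"{ip:15} {verdict}")
```

Per-account lockout thresholds alone miss the spray case, which is why the classification is done per source rather than per user.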

Intelligent Security Graph

Microsoft credits its ‘Intelligent Security Graph’ as the ‘central nervous system’ at the heart of its tools for tracking and mitigating attacks across platforms and services. It combines AI with data gained from analysing web pages, emails and malware threats on Windows 10 and in the cloud, enabling Microsoft to warn users of existing and new threats.

Only Access SaaS Service If Your Device Is Healthy

Another important development of Office 365’s Conditional Access service is an update (currently in preview) which combines Conditional Access Information with data from the Windows Defender Advanced Threat Protection (ATP) security scanner to ensure that a user can only access a given SaaS service if their device is healthy.

Security Score

A potentially important new tool that Microsoft has developed for IT admins is an expanded version of the Office 365 Secure Score tool, which gives a single measure for evaluating the risk profile across Office 365 services and their users’ devices.

What Does This Mean For Your Business?

For many businesses, e.g. SMEs, up-to-date cyber-attack simulators would be beyond their resources. These new tools from Microsoft have been ‘trained’ thanks to AI and real-world analysis via Windows 10, making them an affordable, accessible, and hopefully effective and welcome addition to the security options that businesses have at their disposal.

There is no doubt that human / employee error is at the heart of many successful cyber-attacks. With a phishing attack simulator that allows the creation of a fake phishing email, companies can see, for example, which employees fall for it, and this could serve as a way of identifying who needs extra security training.

The combination of these new tools from Microsoft could provide an effective way that companies of all sizes could take proactive measures to plug gaps in their cyber-security shield, and guard against the kind of breaches that could be expensive and damaging, especially with the introduction of GDPR.

Facebook ... Face Recognition Woes

Facebook is in the news yet again, this time for having to face a class action lawsuit for allegedly gathering biometric information without users' explicit consent, via facial recognition technology.

What Facial Recognition Technology?

A facial recognition technology feature in Facebook’s platform suggests who might be present in uploaded photos, based on an existing database of faces, and uses "tag suggestions" technology.

The feature works by trying to detect any faces in an uploaded photo, then standardising and aligning those faces for size and direction. For each face, Facebook computes a face signature, a mathematical representation of the face in that photo. Finally, the face signatures are run against a stored database of user face templates to look for similar matches.

What’s The Problem?

The problem in legal terms is that the software allegedly gathers (and presumably stores) biometric information about individuals, i.e. makes and stores face templates of them, without their explicit consent. This sounds as though it may breach Illinois state law; Illinois is the state from which the class of people in the lawsuit is drawn.

The court order is reported to apply to Facebook users in Illinois for whom Facebook created and stored a face template after 7 June 2011.

What Are The Chances?

Although Facebook reportedly intends to fight the case and believes that it has no merit, the fact that the judge, James Donato, has ruled to certify a class of Facebook users, and has said that Facebook could be expecting billions in statutory damages, does not appear to bode well for Facebook.

Not Available Here

Privacy regulations mean that the facial recognition and tagging feature is not available in Europe or Canada, and can be turned off in settings for US users.

Facebook also said back in December 2017 that users would be notified if a picture of them was uploaded by someone else, even if they hadn't been tagged in it.

Hearing In A Crowd Technology Developed By Google

Just as Facebook appears to be in trouble over voice technology, Google has announced that its research team has just developed technology that can recognise individual voices in a crowd, just as a human can.

The tech giant has made a demonstration video for the technology. The video shows how, with lots of people talking at once in a room, a user can select a particular face and hear the soundtrack of just that person. Users of this technology can also select the context of a conversation, and only references to that conversation are played, even if more than one person in the room is discussing that subject matter.

The AI technology behind the feature was developed using data collated from 100,000 videos of lectures and training videos on YouTube.

What Does This Mean For Your Business?

With GDPR on the way, the case against Facebook's voice recognition technology is another reminder of how businesses need to get to grips with the sometimes complicated area of consent. Video images and face templates of individual faces are also likely to qualify as personal data, for which consent to collection and storage will be needed under GDPR. Privacy, as well as security, is a right that is getting even greater protection in law.

The technology from Google that can recognise individual voices, and can follow individual conversations in crowds could unlock valuable business opportunities in e.g. improving the function and scope of hearing aids, or improving video conferencing tools by enabling them to take place in the middle of an office space rather than only in a separate, soundproofed meeting room (provided other visual distractions are minimised). It seems that new technology is beginning to be developed to help tackle age-old human challenges.

Google, The Law and Your 'Right To Be Forgotten'

A businessman has won the "right to be forgotten" by Google after taking his case to the High Court, because he wanted a past crime he had committed to be removed from Google’s search engine results.

What Crime?

The (un-named) businessman was hoping to remove from Google the details of a conviction from 10 years ago, and of the six-month jail sentence he was given for ‘conspiring to intercept communications'. The businessman was forced to take Google to court after Google refused his requests to have the information removed from its search engine results. The man’s legal argument was that the details of his past conviction were disproportionately impacting his life and were no longer relevant, and that it was therefore in neither the public's nor the man’s interest for Google to show the details in searches.

What Does The “Right To Be Forgotten” Mean?

The legal precedent for what has become known as ‘the right to be forgotten’ was set by the Court of Justice of the European Union back in 2014. It was the result of a case brought by Spaniard Mario Costeja Gonzalez who had asked Google to remove information about his financial history from its search engine results.

In this particular case, the ‘right to be forgotten’ means that Google has to remove all search results about the businessman’s conviction, including links to news articles.

Had Shown Remorse

The judge ruled in favour of the businessman, stating that he had shown remorse. Google has said that it will respect the judgement made in the case and pointed out that it has removed 800,000 pages from its results following ‘right to be forgotten’ requests.

Not So Lucky

Another businessman who also brought a ‘right to be forgotten’ case against Google, and who had committed the more serious crime of ‘conspiring to account falsely’, was not so lucky and lost his case. The High Court decided that the man, who had spent four years in jail for the crime, had "misled the public", and that it would still be in the public interest for Google to keep the information about the man and his crimes in its search engine results.

Less Than Half

Google’s own Transparency Report from May this year revealed that of the 2.4 million requests made since 2014 to remove certain URLs from its search results, Google has complied with less than half. Google doesn’t actually have to comply with a request, and can refuse to take links down if it can demonstrate that there is a public interest in the information remaining in the search results. Google can also re-instate links that it has already taken down in response to a previous request if it can show that it has grounds to do so.

What Does This Mean For Your Business?

It is good news that powerful international tech companies whose services are widely used, and who have the power to influence opinion and affect lives can sometimes be held accountable to national courts. There is a strong argument that they should not be a law unto themselves, and that they may not always be the best party to judge what is in the public interest.

The ‘right to be forgotten’ is particularly significant because it is something that all EU citizens will have when GDPR comes into force next month. This will impact businesses, many of whom may expect to receive ‘right to be forgotten’ requests, and will need to get their data management in order to both comply with GDPR generally, and to be able to respond quickly to such requests and avoid possible fines.

Monday, April 16, 2018

Facebook Notifies People Affected By Scandal

Facebook has begun notifying any of those users whose data is known to have been harvested and shared with data mining firm Cambridge Analytica.

On Your News Feed

If you are one of the 87 million people whose data has been shared, 1 million of whom are in the UK, when you log into your Facebook account you will see a detailed message beginning with the words "We understand the importance of keeping your data safe."

It is now understood that the data of 2.2 billion Facebook users was actually shared by Facebook, and all of these users will be receiving a message entitled "Protecting Your Information". This message will include a link which will allow them to see what apps they use, and what information they have shared with those apps. Users will also be given the option to stop sharing information with the apps or to stop any access to third-party apps altogether.

It should be noted, however, that Facebook stopped third-party apps from gathering data about the likes, status updates and other information shared by users' friends back in 2015. Facebook has also taken action recently to make information such as religious and political views out-of-bounds to apps.

If you don’t trust Facebook to notify you if your information has been shared with Cambridge Analytica, you can check for yourself by following this link: https://www.facebook.com/help/1873665312923476?helpref=search&sr=1&query=cambridge

What Happened?

This relates, of course, to revelations that Facebook shared the data of its users with London-based data mining firm Cambridge Analytica via a personality quiz app called "You Are What You Like" (later replaced by the "Apply Magic Sauce" app), which had reportedly been developed for legitimate academic purposes. The website for the original quiz is revealed to have re-directed users to a new one with different terms and conditions, enabling users' data to be harvested and reportedly used for political purposes by Cambridge Analytica (the same company used by the Trump election campaign) and by Canadian data company AggregateIQ (AIQ), which was involved in the Vote Leave campaign in the UK referendum. These revelations have caused wide-scale outrage.

Facebook is also reported to have suspended a data analytics firm involved with targeted advertising and marketing called Cubeyou. Cubeyou is reported to have collected data for academic purposes, and allegedly used it commercially, as part of a partnership with Cambridge University in the UK (who have also found themselves implicated in the scandal).

Game Changer Says ICO Chief

The head of the UK’s Information Commissioner’s Office (ICO), Elizabeth Denham, has said that what happened with Facebook’s data sharing with Cambridge Analytica can be seen as a game-changer in data protection. The ICO has revealed that Facebook is now one of 30 organisations under wider investigation for the sharing and use of personal data and analytics with political campaigns, parties, social media companies and other commercial organisations.

Denham has said that although the Facebook scandal has drawn attention to the ICO’s ‘Your data matters’ campaign, it is too early to say whether the changes the social networking firm is making are sufficient under the law.

What Does This Mean For Your Business?

If you have been directly affected by Facebook’s data sharing you will have been informed in your Facebook account, and you can follow the link (given earlier in this article) to check for yourself.

As ICO Chief Elizabeth Denham has rightly said, this is an important time for privacy rights, particularly since the introduction of GDPR is little more than a month away. The widespread outrage and condemnation of Facebook’s data sharing with Cambridge Analytica highlights how important data protection and privacy rights are to us all. This should serve as a reminder to businesses and other organisations that as well as making sure that they comply with GDPR to avoid negative consequences, GDPR preparation is an opportunity to fully examine the important issue of how data is being used and stored, and where vulnerabilities are, and how simple improvements could be made that could protect and help the business as a whole.