Tuesday, June 05, 2018

92 Carphone Warehouse Branch Closures

Dixons Carphone, owners of Carphone Warehouse stores has highlighted people not renewing their handsets as frequently and a declining market for long-term mobile contracts as 2 main reasons for the planned closure of 92 stores.

Profits Hit - Shares Down

The decision to close 92 of its more than 700 Carphone Warehouse stores this year was announced by Dixons Carphone after a warning that the next year’s profits could be down £82 million led to shares in the company falling 20.7%. Share values had already fallen by 30% over the last 12 months,

No Jobs Lost?

The human cost of store closures would ordinarily be those employed in the condemned 92 stores (part of a 42,000 workforce worldwide). In this case, Dixons Carphone has stated that no jobs will be lost because staff will be offered the opportunity to move to larger outlets nearby.

Sales Up

The gloomy prediction disguised the fact that total sales were actually 3% higher in the year to 16 April, while like-for-like sales were up 4%, and the sales were up by 2% for the year as a whole, and by 1% in the fourth quarter. International sales e.g. Nordic countries and Greece outstripped those in the UK.

Even though pre-tax profit is expected to come in at £382m, this is actually dramatically down from the £501m in 2017.

What Happened?


According to reported comments by new boss of only 8 weeks, Alex Baldock, that even though it is acknowledged that performance has not been good, the problems are all "fixable".

Market commentators have noted that a fall in the value of the pound (in the wake of Brexit) has made mobile handsets more expensive. Also, technical innovation has slowed, giving shoppers less reason to update their phones, meaning that they have been hanging onto their current handsets for longer.

SIM Free Popular


Market analysts have noted that there is unlikely to be a boost in the market for long-term mobile contracts any time soon. This is partly because many consumers have been opting for the alternative of SIM free phones in an attempt to keep costs down and get the best deals. Sales of SIM free is one area where Dixons Carphone will need to improve in order to make the most of market trends.

A SIM free phone is sold (unlocked) without any SIM card or network attached, so people buy the phone and then choose a SIM only deal for their calls and data, and can choose whichever network they like. The benefits are the ability to own the handset outright and take out a SIM only deal, thereby reducing the cost of a monthly plan as you are only paying the network for your minutes, texts and data allowance. Also, SIM only can give greater flexibility, with 1-month rolling contracts and 12-month contracts are now being commonplace.

What Does This Mean For Your Business?


Many UK businesses, like Dixons Carphone, will have felt the pressure of consumers reeling in some of their spending in the wake of the fall in the value of the pound after the Brexit vote. Also, as in the case of Dixons Carphone, they’re in a market where so much innovation has been focused on phones and their features in recent years that consumers are going to be reluctant to swap unless the new model offers a new technological jump or can give them features that significantly add value.

High street retailers / well-known bricks-and-mortar retailers have taken a battering in recent times (e.g. store closures at e.g. Carpetright, New Look, Mothercare, Byron, Jamie’s Italian Marks & Spencer, and soon House of Fraser, and Carluccio’s) as consumers move more towards online digital. A recent British Retail Consortium (BRC) report, for example, showed that footfall in retail stores fell by 3.3% in April 2018 compared to last year because of a shift in consumer behaviour towards digital shop visits rather than physical ones.
Many retailers have realised that to fight back they must rebalance investment in physical and digital infrastructure, and change the way stores are used e.g. by adopting technology to engage people, and to make stores more like centres for experiences rather than just places for purchasing goods. This is particularly important for younger consumer groups.

In the case of Dixons Carphone, new boss Baldock hasn’t really elaborated beyond saying that the business had been too inward-looking and distracted. As part of his proposed fixes for the problems, Baldock has said that the group would also now be investing £30m in improving customer service by retraining staff in stores and at its call centres, and that it would try to renegotiate contracts with mobile networks to reflect the slowdown in phone sales i.e. to adapt to market trends. Presumably, the company will also benefit from increased efficiency after closing the 42 stores.

In today’s challenging environment, as well as simply investing, retailers must now try to embrace technology in the right way as an opportunity to deliver more value to customers whether in store, at home or on the move. Retail commentators frequently talk about the importance of the need to create a seamless customer experience between online and offline, and to develop an omni-channel platform. Improving and optimising the current experience that retailers offer customers, and replicating these as effectively as possible across all channels could be the key to staying competitive in the evolving retail business environment.

Alexa Records and Sends Private Conversation

A US woman has complained of feeling “invaded” after a private home conversation was recorded by her Amazon's voice assistant, and then sent it to a random phone contact ... who happened to be her husband's employee.

What?!!

As first reported by US news outlet KIRO 7, the woman identified only as ‘Danielle’ had a conversation about hardwood flooring in the privacy of her own home in Portland, Oregon. Unknown to her, however, her Amazon's voice assistant Alexa via her Amazon Echo not only recorded a seemingly ‘random’ conversation, but then sent the recording to a random phone contact without being expressly asked to do so.

The woman was only made aware that she had been recorded when she was contacted by her husband’s employee, who lives over 100 miles away in Seattle, who was able to tell her the subject of her recent conversation.

How Could It Have Happened?


Last year Amazon introduced a service whereby Amazon Echo users could sign up to the Alexa Calling and Messaging Service from the Alexa app. This means that all of the contacts saved to your mobile phone are linked to Alexa automatically, and you can call and message them using voice commands via your Echo.

In the case of the woman from Portland, Amazon has reportedly explained the incident as being the result of an "unlikely" string of events which were that:
  • Her Alexa started recording after it registered as hearing its name or another "wake word" (chosen by users).
  • Subsequently, in the following conversation (about hardwood floors), Alexa registered part of the conversation as being a 'send message' request.
  • Alexa would / should have said at that point, out loud, 'To whom?’
  • It is believed that Alexa then interpreted part of the background conversation as a name in the woman’s phone contact list.
  • The selected contact was then sent a message containing the recoding of the private conversation.

Investigated

The woman requested a refund for her voice assistant device, saying that she felt invaded.
Amazon has reportedly apologised for the incident, has investigated what happened, and has determined that was an extremely rare occurrence. Amazon is, however, reported to be “taking steps” to avoid this from happening in the future.

Not The First Time


Amazon’s intelligent voice assistant has made the news in the past for some unforeseen situations that helped to perpetuate the fears of users that their home devices could have a more sinister dimension and / or could malfunction or be used to invade privacy. For example, back in 2016, US researchers found that they could hide commands in white noise played over loudspeakers and through YouTube videos in order to get smart devices to turn on flight mode or open a website. The researchers also found that they could embed commands directly into recordings of music or spoken text.

Also, although Amazon was cleared by an advertising watchdog, there was the case of the television advert for its Amazon’s Echo Dot smart speaker activating a viewer's device and placing an order for cat food.

What Does This Mean For Your Business?


Although it may have been a series of events resulting in a ‘rare’ occurrence, the fact is that this appears to be a serious matter relating to the privacy of users that is likely to re-ignite many of the fears of home digital assistants being used as listening devices, or could be hacked and used to gather personal information that could be used to commit crime e.g. fraud or burglary.

If the lady in this case was an EU citizen, it is likely that Amazon could have fallen foul of the new GDPR and, therefore, potentially liable to a substantial fine if the ICO thought it right and necessary.

Adding the Alexa Calling and Messaging service to these devices was really just the beginning of Amazon’s plans to add more services until we are using our digital assistants to help with many different and often personal aspects of our lives e.g. from ordering goods and making appointments, to interacting with apps to control the heating in the house, and more. News of this latest incident could, therefore, make some users nervous about taking the next steps to trusting Amazon’s Alexa with more personal details and important aspects of their daily lives.

Amazon may need to be more proactive and overt in explaining how it is addressing the important matters of privacy and security in its digital assistant and devices in order to gain the trust that will enable it to get an even bigger share in the expanding market, and successfully offer a wider range of services via Alexa and Echo devices.

Now You Can Opt-Out Of Having Your Medical Data Shared

The introduction of GDPR on 25th May has brought with it a new national data opt-out service which enables people to use an online tool to opt out of their confidential patient information being used beyond their own individual care for research and planning.

Replacement

The new ‘Manage Your Choice’ online tool that is a part of the national data opt-out service, follows recommendations by the National Data Guardian (NDG) Dame Fiona Caldicott, and is a replacement for the previous 'type 2' opt-out that was introduced on 29th April 2016. That opt-out service meant that NHS Digital would remove certain patient records from data provided where a patient had requested an opt-out.

About The New National Opt-Out Service


The new service applies to those patients in England who are aged 13 or over, and have an NHS number e.g. from previous treatment. Opting out using the new service will not apply to your health data where you have accessed health or care services outside of England, such as in Scotland and Wales.

The opt-out service covers data-sharing by any organisation providing publicly-funded care in England. This includes private and voluntary organisations, and only children's social care services are not covered.

Using The Online Tool


The online tool for opting-out can be accessed at:
https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/
To use the online tool, you will (obviously) need access to the Internet, and access to your email or mobile phone to go through the necessary steps.

What Else Is Your Data Used For?

According to the NHS, as well as being used for patient care purposes, confidential patient information is also used to plan and improve health and care services, and to research and develop cures for serious illnesses. The NHS has stressed that, for much of the time, anonymised data is used for research and planning, so your confidential patient information often isn't needed anyway.

The NHS currently collects health and care data from all NHS organisations, trusts and local authorities. Data is also collected from private organisations e.g. private hospitals providing NHS funded care. Research bodies and organisations can also request access to this data. These bodies and organisations include university researchers, hospital researchers, medical royal colleges, and even pharmaceutical companies researching new treatments.

Past Controversy

The new service is likely to be welcomed after several past data-sharing controversies dented trust in the handling of personal data by the NHS. For example, NHS Digital were criticised after agreeing to share non-clinical information, such as addresses or dates of birth, with the Home Office, and a report highlighted how the Home Office used patient data for immigration enforcement purposes.

Also, there were serious public concerns and an independent panel finding a "lack of clarity" in a data-sharing agreement after it was announced that Royal Free Hospital in London shared the data of 1.6 million people with Google's DeepMind project without the consent of those data subjects.

What Does This Mean For Your Businesses?

The introduction of GDPR has been an awareness raising, shake-up exercise for many businesses and organisations, and has driven the message home that data privacy and security for clients / service users is an important issue. Where our medical data is concerned, however, we regard this as being particularly private and sensitive, and the fact that it could be either shared with third-parties without our consent, or stolen / accessed due to poor privacy / security systems and practices is a source of genuine worry. For example, many people fear that whether shared or stolen, their medical data could be used by private companies to deny them services or to charge more for services e.g. insurance companies. Data breaches and sharing scandals in recent times mean that many people have lost trust in how many companies and organisations handle their everyday personal data, let alone their medical data.

The introduction of this new service is likely to be welcomed by many in England, and it is likely that the opt-out tool will prove popular. For the NHS, however, if too many people choose to opt-out, this could have some detrimental effect on its research and planning.

GDPR will continue to make many companies and organisations focus on which third-parties they share data with, and how these relationships could affect their own compliance.

7-Fold Rise in Mobile Fraud

It seems that as we spend more time using mobile devices, the fraudsters are following us as a new RSA Security report shows a massive rise in mobile fraud over the last 3 years.

Up Nearly 700%!

The latest quarterly report by fraud and risk intelligence experts at RSA Security shows that as the volume of mobile app transactions has risen by 200% since 2015, accordingly the growth rate for fraudulent transactions has increased to a massive 680%.

New Accounts and ‘Burner Phones’

One of the key trends at the heart of the rise in mobile fraud is the apparent rise of the use of fake new accounts and ‘burner / burn phones’ to commit fraud.

A burner / burn phone is a mobile phone handset that is acquired for temporary use, is usually prepaid / without a contract in order to retain the user’s anonymity, and can be discarded if necessary.

Alongside the burner phone, fraudsters are also known to use stolen identities to set up fake ‘money mule’ accounts, purely for the purpose of collecting the cash from their fraudulent activities.

The RSA report shows that new accounts and new devices have been used in this way in 32% of all the fraudulent transactions in the last quarter.

Phishing Still Top

The report shows that phishing is still the top fraudulent activity accounting for 48% of all fraud attacks in Q1 of 2018.

Trojan Malware & Payment Card Compromise


Other popular frauds involve the use of Trojan malware to steal financial credentials. This method was used in one in four fraud attacks in Q1 2018.

Also, using details from compromised cards is still a very common activity among fraudsters, and the RSA researchers who compiled the report claim to have recovered more than 3.1 million unique compromised cards and card details (which included verification numbers) on offer from online sources in Q1.

Mobile App Security

It is believed that poor security in mobile apps is allowing many criminals to hijack mobile applications and siphon off credentials and funds from many unwitting users.

What Does This Mean For Your Business?


These figures show that our increasing use of mobile devices and apps has opened the door to even more channels for fraudsters. There is clearly a responsibility among mobile app developers and those commissioning mobile apps to deliver their services to ensure that security is built-in from the ground up. This should mean making sure that all source code is secure and known bug-free, all data exchanged over app should be encrypted, caution should be exercised when using third-party libraries for code, and only authorised APIs should be used. Also, developers should be building-in high levels of authentication, using tamper-detection technologies, using tokens instead of device identifiers to identify a session, using the best cryptography practices e.g. store keys in secure containers, and conducting regular, thorough testing.

As users of mobile devices and apps, we also need to pay attention to our own levels of security. For example, we can take precautions to stop ourselves from falling victim to mobile fraud by using mobile security and antivirus scan apps, only using trusted apps / trusted app sources, uninstalling old apps and turning off connections when not using them, locking our phones when not in use, using 2-factor authentication, and using a VPN rather than just the free Wi-Fi when out and about.

Instant GDPR Complaints For Web Giants

In an almost inevitable turn of events, the social media and tech giants Facebook, Google, Instagram and WhatsApp faced a barrage of accusations that they were not compliant within hours of GDPR being introduced on May 25th.

What’s Wrong?

The complaints, spearheaded by Privacy group noyb.eu led by Max Schrems centred around the idea that the tech and social media giants may be breaking the new data protection and privacy guidelines by forcing users to consent to targeted advertising in order to use their services i.e. by bundling a service with the requirement to consent (Article 7(4) GDPR).

Not Necessary?

It has been reported that the crux of the privacy group’s argument is that, according to GDPR, any data processing that is strictly necessary to use a service is allowed and doesn’t require opting in. If a company then decides to adopt a “take it or leave it approach” by forcing customers to agree to have additional, more wide-reaching data collected, shared and used for targeted advertising, or delete their accounts, the argument is that this goes against GDPR which requires opt-in consent for anything other than any data processing that is strictly necessary for the service.

Austria, Belgium, France and Germany


It is alleged in this case that the four tech giants may be doing just that, and, therefore, could be in breach of the Regulation, and possibly liable to fines if the accusations are upheld after investigation by data protection authorities in Austria, Belgium, France and Germany.

A breakdown of the four complaints over “forced consent” made by noybe.eu shows that in France the complaint has been made to CNIL about Google (Android), in Belgium the complaint has been made to the DPA about Instagram (Facebook), in Germany the complaint has been made to the HmbBfDI about WhatsApp, and in Austria the complaint has been made to DSB about Facebook. Under GDPR, the maximum penalties for this issue could be billions of Euros.

What Does This Mean For Your Business?

Many commentators had predicted that popular tech and social media giants would be among the first organisations to be targeted by complaints upon the introduction of GDPR, and some see these complaints as being the first crucial test of the new law.

GDPR should prohibit companies from forcing customers to accept the bundling of a service with the requirement to consent to giving / sharing more data than is necessary, but it remains to be seen and proven whether these companies are guilty.

As noyb.eu pointed out in their statement, GDPR does not mean that companies can no longer use customer data because GDPR explicitly allows any data processing that is strictly necessary for a service. The complaint, in this case, is that using the data additionally for advertisements or to sell it on, needs the users’ free opt-in consent.

Noybe.eu has also pointed out that, if successfully upheld, their complaints could also mean an end to the kind of annoying and obtrusive pop-ups which are used to claim a person’s consent, but don’t actually lead to valid consent.

Another benefit (if the complaints are upheld) against the tech giants could be that corporations can’t force users to consent, meaning that monopolies should have no advantage over small businesses in this area.

Noybe.eu seem set to keep the pressure on the tech giants, and has stated that its next round of complaints will centre around the alleged illegal use of user data for advertising purposes or "fictitious consent’ e.g. such as when companies recognise "consent" to other types of data processing by solely using their web page.

Tuesday, May 29, 2018

Facial Recognition In The Classroom

A school in Hangzhou, capital of the eastern province of Zhejiang, is reportedly using facial recognition software to monitor pupils and teachers.

Intelligent Classroom Behaviour Management System

The facial recognition software is part of what has been dubbed The "intelligent classroom behaviour management system”. The reason for the use of the system is reported to be to supervise both the students’ learning, and the teachers’ teaching.

How?

The system uses cameras to scan classrooms at Hangzhou No. 11 High School every 30 seconds. These cameras are part of a facial recognition system that is reported to be able to record students' facial expressions, and categorize them into happy, angry, fearful, confused, or upset.

The system, which acts as a kind of ‘virtual teaching assistant’, is also believed to be able to record students’ actions such as writing, reading, raising a hand, and even sleeping at a desk.

The system also measures levels of attendance by using a database of pupils’ faces and names to check who is in the classroom.

As well as providing the school with added value monitoring of pupils, it may also prove to be a motivator for pupils to modify their behaviour to suit the rules of the school and the expectations of staff.

Teachers Watched Too


In addition to monitoring pupils, the system has also been designed to monitor the performance of teachers in order to provide pointers on how they could improve their classroom technique.
Safety, Security and Privacy

One other reason why these systems are reported to be increasing in popularity in China is to provide greater safety for pupils by recording and deterring violence and questionable practices at Chinese kindergartens.

In terms of privacy and security, the vice principal of the Hangzhou No.11 High School is reported to have said that the privacy of students is protected because the technology doesn’t save images from the classroom, and stores data on a local server rather than on the cloud. Some critics have, however, said that storing images on a local server does not necessarily make them more secure.

Inaccurate?


If the experiences of the facial recognition software that has been used by UK police forces is anything to go by, there may be questions about the accuracy of what the Chinese system records. For example, an investigation by campaign group Big Brother Watch, the UK’s Information Commissioner, Elizabeth Denham, has recently said that the Police could face legal action if concerns over accuracy and privacy with facial recognition systems are not addressed.

What Does This Mean For Your Business?

There are several important aspects to this story. Many UK businesses already use their own internal CCTV systems as a softer way of monitoring and recording staff behaviour, and as a way to modify their behaviour i.e. simply by knowing their being watched. Employees could argue that this is intrusive to an extent, and that a more positive way of getting the right kind of behaviour should (also) have a system that rewards positive / good behaviour and good results.

Using intelligent facial recognition software could clearly have a place in many businesses for monitoring customers / service users e.g. in shops and venues. It could be used to enhance security. It could also, as in the school example, be used to monitor staff in any number of situations, particularly those where concentration is required and where positive signals need to be displayed to customers. These systems could arguably increase productivity, improve behaviour and reduce hostility / violence in the workplace, and provide a whole new level of information to management that could be used to add value.

However, it could be argued that using these kinds of systems in the workplace could make people feel as though ‘big brother’ is watching them, could lead to underlying stress, and could have big implications where privacy and security rights are concerned. It remains to be seen how these systems are justified, regulated and deployed in future, and how concerns over accuracy, cost-effectiveness, and personal privacy and security are dealt with.

Data Breach Fine For UK University

The Information Commissioner (ICO) has imposed a fine of £120,000 on the University of Greenwich for a data breach that left the personal details of thousands of students exposed online.

What Happened?

The breach was discovered back in February 2016, but actually dates back to 2004 and concerns a microsite that was made for a training conference. In the incident that the University attributed to “unauthorised access to some data on the university's systems”, the personal details of around 96,000 students were accidentally uploaded to the university’s website, as well as minutes from the university's Faculty Research Degrees Committee. The microsite with the student details left on was not secured or closed down.

What was most shocking and distressing to many of those affected by the breach was the very personal nature of some of the data. For example, as well as the names, addresses, dates of birth, mobile phone numbers and even signatures of students, data concerning medical and other personal issues was also posted. Reports at the time indicated that in some cases, information concerning the mental health and other medical problems of some students were mentioned to explain why students had fallen behind with their work. Also, it was reported that comments about the students' progress, and even emails between staff and students were revealed.

Made Without The University's Knowledge

It has been reported that the main reason that the breach was not noticed earlier is that the training microsite was made by one of the University’s departments without the knowledge of the University, which is the data controller.

Fine

Bearing in mind the seriousness and nature of the breach, and the number of people affected, the ICO have imposed a fine of £120,000 or £96,000 for early payment. It is understood that the University will not appeal against the decision.

Changes Made

The ICO saw no need for enforcement action in this case because the University of Greenwich is reported to have made a number of changes to upgrade security. These changes include investing in new security architecture, tools and technologies, hiring new dedicated internal security experts, conducting vulnerability testing across the entire organisation every day, making information security training mandatory for all staff; reforming the system of internal IT governance, and developing a rapid incident response to tackle threats as they arise and learn from incidents.

What Does This Mean For Your Business?

Even though this incident dates back many years to a time when online security was given less priority by many businesses and organisations, it is an illustration of how things can easily slip through the net with regards to security, particularly in larger organisations and / or where full checks / audits are not carried out and where there is clear no clear line of responsibility for data matters e.g. data controllers and DPOs.

This story is particularly poignant because of the introduction of GDPR on Friday, and should be another reminder to companies that as well as the distress caused to victims of breaches, the ICO will take breaches seriously and can impose stiff penalties.

In this case, the University (which had also suffered another high profile data breach after this one) took the opportunity to seriously upgrade its security, and this will no doubt go a long way to making it GDPR compliant, as all businesses now need to be in order to retain the trust of customers, maintain supplier relationships, protect the business reputation, avoid fines, and deter and protect against attacks by cyber-criminals.

TalkTalk Super Router Security Fears Persist

An advisory notice from software and VR Company IndigoFuzz has highlighted the continued potential security risk posed by a vulnerability in the WPS feature in TalkTalk's Super Router.

What Vulnerability?

According to IndigoFuzz, the WPS connection is insecure and the WPS pairing option is always turned on i.e. the WPS feature in the router is always switched on, even if the WPS pairing button is not used.

This could mean that an attacker within range could potentially hack into the router and steal the router's Wi-Fi password.

Tested

It has been reported that in tests involving consenting parties, IndigoFuzz found a method of probing the router to steal the passwords to be successful on multiple TalkTalk Super Routers.

The test involved using a Windows-based computer, wireless network adapter, a TalkTalk router within wireless network adapter range, and the software 'Dumpper' available on Sourceforge. Using this method, the Wi-Fi access key to a network could be uncovered in a matter of seconds.

Scale

The ease with which the Wi-Fi access key could be obtained in the IndigoFuzz tests has prompted speculation that the vulnerability could be on a larger scale than was first thought, and a large number of TalkTalk routers could potentially be affected.

No Courtesy Period Before Announcement

When a vulnerability has been discovered and reported to a vendor, it is normal protocol to allow the vendor 30 days to address the problem before the vulnerability is announced publicly by those who have discovered / reported the vulnerability.

In this case, the vulnerability was first reported to TalkTalk back in 2014, so IndigoFuzz chose to issue the advisory as soon as possible.

Looks Bad After Last October

News that a vulnerability has remained unpatched after it was reported 4 years ago to TalkTalk looks bad on top of major cyber attack and security breach there back in October 2017. You may remember that the much publicised cyber-attack on the company resulted in an estimated loss of 101,000 customers (some have suggested that the number of lost customers was twice as much as this figure). The attack saw the personal details of between 155,000 and 157,000 customers (reports vary) hacked, with approximately 10% of these customers having their bank account number and sort code stolen.

The trading impact of the security breach in monetary terms was estimated to be £15M with exceptional costs of £40-45M.

What Does This Mean For Your Business?


It seems inconceivable that a widely reported vulnerability that could potentially affect a large number of users may still not have been addressed after 4 years. Many commentators are calling for a patch to be issued immediately in order to protect TalkTalk customers. This could mean that many home and business customers are still facing an ongoing security risk, and TalkTalk could be leaving itself open to another potentially damaging security problem that could impact its reputation and profits.

Back in August last year, the Fortinet Global Threat Landscape Report highlighted the fact that 9 out of 10 businesses are being hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and many even have patches available for them. This should remind businesses to stay up to date with their own patching routines as a basic security measure.

Last year, researchers revealed how the ‘Krack’ method could take advantage of the WPA2 standard used across almost all Wi-Fi devices to potentially read messages, banking information and intercept sensitive files (if a hacker was close to a wireless connection point and the website doesn’t properly encrypt user data). This prompted fears that hackers could turning their attention to what may be fundamentally insecure public Wi-Fi points in e.g. shopping centres / shops, airports, hotels, public transport and coffee shops. This could in turn generate problems for businesses offering WiFi.

BYODs Linked To Security Incidents

A study by SME card payment services firm Paymentsense has shown a positive correlation between bring your own device (BYOD) schemes and increased cyber -security risk in SMEs.

BYOD


Bring your own device (BYOD) schemes / policies have now become commonplace in many businesses, with the BYOD and enterprise mobility market size growing from USD $35.10 Billion in 2016 to USD $73.30 Billion by 2021 (marketsandmarkets.com).

BYOD policies allow employees to bring in their personally owned laptops, tablets, and smart-phones and use them to access company information and applications, and solve work problems. This type of policy has also fuelled a rise in ‘stealth IT’ where employees go outside of IT and set up their own infrastructure, without organizational approval or oversight, and can, therefore, unintentionally put corporate data and service continuity at risk.

Positive Correlation Between BYOD and Security Incidents

The Paymentsense study, involving more than 500 SMEs polled in the UK found a positive correlation between the introduction of a BYOD policy and cyber-security incidents. For example, 61% of the SME’s said that they had experienced a cyber-security incident since introducing a BYOD policy.

According to the study, although only 14% of micro-businesses (up to 10 staff) reported a cyber-security incident since implementing BYOD, the figure rises to 70% for businesses of 11 to 50 people, and to 94% for SMEs with 101 to 250 employees.

Most Popular Security Incidents

The study showed that the most popular types of security incidents in the last 12 months were malware, which affected two-thirds (65%) of SMEs, viruses (42%), DDoS distributed denial of service (26%), data theft (24%), and phishing (23%).

Positive Side


The focus of the report was essentially the security risks posed by BYOD. There are, however, some very positive reasons for introducing a BYOD policy in the workplace. These include convenience, cost saving (company devices and training), harnessing the skills of tech-savvy employees, perhaps finding new, better and faster ways of getting work done, improved morale and employee satisfaction, and productivity gains.

Many of these benefits are, however, inward-focused i.e. on the company and its staff, rather than the wider damage that could be caused to the lives of data breach victims or to the company’s reputation and profits if a serious security incident occurred.

What Does This Mean For Your Business?


This is a reminder that, as well as the benefits of BYOD to the business, if you allow employees or other users to connect their own devices to your network, you will be increasing the range of security risks that you face. This is particularly relevant with the introduction of GDPR last Friday.

For example, devices belonging to employees but containing personal data could be stolen in a break-in or lost while away from the office. This could lead to a costly and public data breach. Also, allowing untrusted personal devices to connect to SME networks or using work devices on untrusted networks outside the office can put personal data at risk.

Ideally, businesses should ensure that ensure that personal data is either not on the device in the first place, or has been appropriately secured so that it cannot be accessed in the event of loss or theft e.g. by using good access control systems and encryption.

Businesses owners could reduce the BYOD risk by creating and communicating clear guidelines to staff about best security practices in their daily activities, in and out of the office. Also, it is important to have regular communication with staff at all levels about security, and having an incident response plan / disaster recovery plan in place can help to clarify responsibilities and ensure that timely action is taken to deal with situations correctly if mistakes are made.

Slack ‘Actions’

Chat App ‘Slack’ has announced the introduction of a new ‘Actions’ feature that makes it easier for users to create and finish tasks without leaving by having access to more 3rd party tools.

What Is Slack?

Slack, launched way back in 2013, is a Silicon Valley-produced, cloud-based set of proprietary team collaboration tools and services. It provides mobile apps for iOS, Android, Windows Phone, and is available for the Apple Watch, enabling users to send direct messages, see mentions, and send replies.

Slack teams enable users (communities, groups, or teams) to join through a URL or invitation sent by a team admin or owner. It was intended as an organisational communication tool, but it has gradually been morphing into a community platform i.e. it is a business technology that has crossed-over into personal use.

In March 2018, Slack and financial and human capital management firm Workday formed a partnership that allowed Workday customers to access features from directly within the Slack interface. Slack is believed to have 8 million daily active users.

What Is ‘Actions’ and How Does It Help?

The new tool / feature dubbed ‘Actions’ will bring enterprise developers deeper into Slack, because it allows for better / more integration with enterprise software from third-party software providers e.g. Jira, HubSpot, and Asana.

Slack knows that many users now like to choose what software they use to get their job done, and the Actions feature will, therefore, be of extra value to the 90% Slack’s 3 million paid users who regularly use apps and integrations.

Actions can be accessed using a click or tap of any Slack message, require no slash commands, and are being made available to all developers using the platform to deploy bots and integrations. To begin with, Actions will be displayed based on what individuals use most frequently.

What Does This Mean For Your Business?

If you use / your business uses Slack, the interoperability of these systems resulting from integration between software from third-parties means that you have greater choice in what software you use to complete your tasks without having to leave Slack. This offers time and cost saving benefits, as well as a considerable boost in convenience.

Slack knows that there are open source and other alternatives out there, and the addition of Actions will help Slack to provide more valuable tools to users, thereby helping it to retain loyalty and compete in a rapidly evolving market.

Monday, May 21, 2018

Handy Location Tracker

A peanut-shaped, hand-held, smart, long-range tracking device called LynQ has been launched that can tell you how far and in what direction your friends are, all without the need for a data connection, and without monthly fees.

Why?

As well as being used for outdoor activities to replace traditional maps and location methods, a ‘LynQ’ can be used as a safety device for tracking children or pets, for rescue workers, or for making sure dementia sufferers don’t wander too far. It can also be used as a fun / leisure device e.g. to find each other in festival crowds, or to keep track of each other when hiking or skiing.

How Does It Work?

Powered by a rechargeable power cell that can offer up to three days of battery life between charges, a LynQ can reportedly track other LynQ users from up to 3 miles (5km) away.

Being marketed as a kind of smart compass for the 21st century, the LynQ doesn’t need an app, phone or Wi-Fi network. Instead, it uses what is described as “a new approach to GPS”. This means that LynQ devices send their GPS coordinates directly to each other. The GPS data has a compression algorithm applied to it in order to make it possible to send that data more frequently and reliably.

2 To 12 People Can Use

LynQ allows 2 or more people (up to 12 can link up) to use a one-button control and simple digital interface to find each other. The display shows a simple display of distance and direction that changes accurately as you move towards or away from your target, and the single button allows you to switch between people you’re tracking.

The display turns off automatically when you let it go to hang by its clip, thus saving battery life, but the LynQ is always receiving the data.

Other Features

The device allows you to create a “home” location that linked devices can point toward. It also allows you to set a safe zone (a radius from your device) that will warn you if the other person leaves that safe zone. You can also send basic preset messages like “meet up” or “help.”

The price is $154 / £114.30 per pair (early bird), going up to $200 / £148.40.

What Does This Mean For Your Business?

This is another smart device that shows how a combination of technologies can be used to create something that can meet a real need and has multiple applications e.g. leisure, sport, safety, and even defence. For example, the Thai Ministry of Defence tested LynQ and found that it helped soldiers find each other much faster while radio silent, and helped them quickly get into formation for a search mission.

This could also represent another possible way to keep track of those in the care of others e.g. dementia sufferers being tracked by carers. Back in 2016 for example, a barcode tagging system for tracking elderly dementia sufferers was being tested in Tokyo, but the LynQ could provide an even simpler and more practical system.

Quite simply as a gadget, the LynQ appears to have multiple applications, thereby offering many opportunities to business and personal users. The fact that the LynQ requires no monthly fees, and doesn’t require a data connection will increase its appeal.

The hope is that the LynQ device is secure and that signals can’t be intercepted and used by criminals to track victims e.g. for attack or abduction. There are still widespread fears about the vulnerability of many smart / IoT devices to hacking, but the fact that LynQ doesn’t need a connection could make it safer.

Efail - Encryption Flaw

A German newspaper has released details of a security vulnerability, discovered by researchers at Munster University of Applied Sciences, in PGP (Pretty Good Privacy) data encryption.

What Is PGP?


PGP (Pretty Good Privacy) is an encryption program that is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and disk partitions, and to increase the security of e-mail communications. As well as being used to encrypt and decrypt email, PGP is also used to sign messages so that the receiver can verify both the identity of the sender and the integrity of the content. PGP works using a private key that is kept secret, and a public key that the sender and receiver share.

The technology is also known by the name of GPG (Gnu Privacy Guard or GnuPG), and is a compatible GPL-licensed alternative.

What’s The Flaw?

The flaw, which was first thought by some security experts to affected the core protocol of PGP (which would make all uses of the encryption method, including file encryption, vulnerable), is now believed to be related to any email programs that don’t check for decryption errors properly before following links in emails that include HTML code i.e. email programs that have been designed without appropriate safeguards.

‘Efail’ Attacks

The flaw leaves this system of encryption open to what have been called ‘efail’ attacks. This involves attackers trying to gain access to encrypted emails (for example by eavesdropping on network traffic), and compromising email accounts, email servers, backup systems or client computers. The idea is to reveal the plaintext of encrypted emails (in the OpenPGP and S/MIME standards).

This type of attack can be carried out by direct exfiltration, where vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird can be abused to directly exfiltrate the plaintext of encrypted emails, or by a CBC/CFB gadget. This is where vulnerabilities in the specification of OpenPGP and S/MIME are abused to exfiltrate the plaintext.

What Could Happen?

The main fear appears to be that the vulnerabilities could be used to decrypt stored, encrypted emails that have been sent in the past (if an attacker can gain access). It is thought that the vulnerabilities could also create a channel for sneaking personal data or commercial data and business secrets off devices as well as for decrypting messages.

What Does This Mean For Your Business?

It is frustrating for businesses to learn that the email programs they may be using, and a method of encryption, supposed to make things more secure, could actually be providing a route for criminals to steal data and secrets.

The advice from those familiar with the details of the flaw is that users of PGP email can disable HTML in their mail programs, thereby keeping them safe from attacks based on this particular vulnerability. Also, users can choose to decrypt emails with PGP decryption tools that are separate from email programs.

More detailed information and advice concerning the flaw can be found here: https://efail.de/#i-have

AI Drones : Smaller and Smarter

Researchers from ETH Zurich, Switzerland and the University of Bologna have built the smallest completely autonomous quadrotor nano-drone that uses AI to fly itself, and doesn’t need human guidance.

Neural Network

The technology at the heart of the Crazyflie 2.0 Nano Quadcopter is the DroNet neural network. This is able to processes incoming images from a camera at 20 frames per second. From this, the nano-drone is able to work out how to steer, and calculate the probability of a collision, thereby giving it the ability to know when to stop.

Fully On-Board Computation

The fact that the drone needs no external sensing and computing because all computation is fully on-board thanks to the PULP (Parallel Ultra Low Power) platform, means that it is truly autonomous, and is, therefore, a real first in terms of how a small drone can be controlled.

The new autonomous version is an improvement on the first test version, which involved putting the DroNet neural network system in a larger commercial-off-the-shelf, Parrot Bebop 2.0 drone, and using radio contact with a laptop to control it.

Trained Using Images

Since AI requires training so that it can learn to become better at a task, the drone’s neural network was trained using thousands of images taken from bicycles and cars driving along different roads.

Only Horizontal Movement

One major drawback at the current time is that, because it was trained using images from a single plane, the drone can only move horizontally and cannot yet fly up or down.

Even Smaller


Technologies involved in making drones have evolved to such a degree that even a robot ‘fly’ has now been built.

As the successor to RoboBee, the so-called RoboFly it is so small (the size of a fly) that it can’t support the weight of a battery to power it. The power for flight is currently delivered by a laser being trained on an attached photovoltaic cell.

The tiny device has wings that are flapped by sending a series of pulses of power in rapid succession and then slowing the pulsing down as it gets near the top of the wave (with the whole process in reverse for the downward flap).

The RoboFly, developed by a team of researchers based in Australia, can only just take off and travel a very short distance at present. Future plans for RoboFly reportedly include improving the onboard telemetry so it can control itself, and making a steered laser that can follow the bug’s movements and continuously beam power in its direction.

What Does This Mean For Your Business?


Up until now, the main uses for drones have been specialist applications such as within the military, in construction (viewing and mapping sites), film and TV, leisure use, and even for delivery of parcels (Amazon tests). All of these involve the use of larger drones that are remotely controlled.

The ideas that a drone can be made in a miniature size, and / or can control itself using AI could open up many more new areas of opportunity for businesses and other organisations. Such drones could be used in confined spaces or in very specialised situations.

The idea of an AI drone has, however, led to some alarm being expressed by some commentators. Even though AI autonomy could help drones to e.g. to monitor environments, be used in spying, and develop swarm intelligence for military use, some have expressed worries that they could become better at delivering lethal payloads, and could pose other unforeseen security risks.

Less Shop Visits Due To Digital. But More Spending.

British Retail Consortium (BRC) figures show that footfall in retail stores fell by 3.3% in April 2018 compared to last year, marking a further shift in consumer behaviour towards digital adoption.

Two Consecutive Months

The drop in footfall numbers for April was the second consecutive month where the trend away from visiting the physical high street could be observed, and in comparison to this time last year when footfall was on the up, it is seen by analysts as being significant.

Visiting Even Less - But Still Spending

The last time such a significant drop in footfall occurred (3.8%) was recorded was in 2009 when the UK was in recession and consumers were spending less as a result. Even compared to that, this year’s drop in the numbers of people visiting physical store locations is larger at 4.8%.

Despite the apparent fall in physical store visits, Barclays bank data shows that consumer spending is still on the increase.

What’s Happening?

Retail experts have noted a shift in consumer behaviour towards digital shop visits rather than physical ones, based on a number of benefits including flexibility (in what goods they purchase and when), product / service ranges available, convenience, digital innovations enhancing customer experiences, and a predisposition towards leisure rather than retail spend.

This changing consumer behaviour is forcing the retail industry to evolve and re-structure.

Increased Leisure Spending


One key trend that has been noted by analysts is the increase in leisure rather than retail spending by consumers. For example, a report by Deloitte based on the quarterly survey of more than 3,000 UK adults found that 2017 (last quarter) ended positively for the leisure sector, with consumer spending increasing in 7 out of 11 leisure categories compared to the previous year.

The areas that have shown an increase include experience-led activities, short break holidays, going to the gym, drinking in pubs and bars and attending live sporting events.

What Does This Mean For Your Business?

For retail businesses, these figures mean that the digital retail environment is posing many challenges, but the changes can also be embraced as part of a restructured strategy to remain competitive.

Many retailers understand that they now need to rebalance investment in physical and digital infrastructure, and change the way stores are used e.g. by adopting technology to engage people, and to make stores more like centres for experiences rather than just places for purchasing goods. This is particularly important for younger consumer groups.

Retailers can embrace technology as an opportunity to deliver more value to customers whether in store, at home or on the move. Retail commentators frequently talk about the importance of the need to create a seamless customer experience between online and offline, and to develop an omni-channel platform. Improving and optimising the current experience that retailers offer customers, and replicating these as effectively as possible across all channels could be the key to staying competitive in the evolving retail business environment.

Police Face Recognition Software Flawed

Following an investigation by campaign group Big Brother Watch, the UK’s Information Commissioner, Elizabeth Denham, has said that the Police could face legal action if concerns over accuracy and privacy with facial recognition systems are not addressed.

What Facial Recognition Systems?

A freedom of information request sent to every police force in the UK by Big Brother Watch shows that The Metropolitan Police used facial recognition at the Notting Hill carnival in 2016 and 2017, and at a Remembrance Sunday event, and South Wales Police used facial recognition technology between May 2017 and March 2018. Leicestershire Police also tested facial recognition in 2015.

What’s The Problem?

The two main concerns with the system (as identified by Big Brother Watch and the ICO) are that the facial recognition systems are not accurate in identifying the real criminals or suspects, and that the images of innocent people are being stored on ‘watch’ lists for up to a month, and this could potentially lead to false accusations or arrests.

How Do Facial Recognition Systems Work?


Facial recognition software typically works by using a scanned image of a person’s face (from the existing stock of police photos of mug shots from previous arrests), and then uses algorithms to measure ‘landmarks’ on the face e.g. the position of features and the shape of the eyes, nose and cheekbones. This data is used to make a digital template of a person’s face, which is then converted into a unique code.

High-powered cameras are then used to scan crowds. The cameras link to specialist software that can compare the camera image data to data stored in the police database (the digital template) to find a potential ‘match’. Possible matches are then flagged to officers, and these lists of possible matches are stored in the system for up to 30 days.

A real-time automated facial recognition (AFR) system, like the one the police use at events, incorporates facial recognition and 'slow time' static face search.

Inaccuracies

The systems used by the police so far have been criticised for simply not being accurate. For example, of the 2,685 "matches" made by the system used by South Wales Police between May 2017 and March 2018, 2,451 were false alarms.

Keeping Photos of Innocent People On Watch Lists

Big Brother Watch has been critical of the police keeping photos of innocent people that have ended up on lists of (false) possible matches, as selected by the software. Big Brother Watch has expressed concern that this could affect an individual’s right to a private life and freedom of expression, and could result in damaging false accusations and / or arrests.
The police have said that they don’t consider the ‘possible’ face selections as false positive matches because additional checks and balances are applied to them to confirm identification following system alerts.

The police have also stated that all alerts against watch lists are deleted after 30 days, and faces in the video stream that do not generate an alert are deleted immediately.

Criticisms

As well as accusations of inaccuracy and possibly infringing the rights of innocent people, the use of facial recognition systems by the police has also attracted criticism for not appearing to have a clear legal basis, oversight or governmental strategy, and for not delivering value for money in terms of the number of arrests made vs the cost of the systems.

What Does This Mean For Your Business?


It is worrying that there are clearly substantial inaccuracies in facial recognition systems, and that the images of innocent people could be sitting on police watch lists for some time, and could potentially result in wrongful arrests. The argument that ‘if you’ve done nothing wrong, you have nothing to fear’ simply doesn’t stand up if police are being given cold, hard computer information to say that a person is a suspect and should be questioned / arrested, no matter what the circumstances. That argument is also an abdication from a shared responsibility, which could lead to the green light being given to the erosion of rights without questions being asked. As people in many other countries would testify, rights relating to freedom and privacy should be valued, and when these rights are gone, it's very difficult to get them back again.

The storing of facial images on computer systems is also a matter for security, particularly since they are regarded as ‘personal data’ under the new GDPR which comes into force this month.

There is, of course, an upside to the police being able to use these systems if it leads to the faster arrest of genuine criminals, and makes the country safer for all.

Despite the findings of a study from YouGov / GMX (August 2016) that showed that UK people still have a number of trust concerns about the use of biometrics for security, biometrics represents a good opportunity for businesses to stay one step ahead of cyber-criminals. Biometric authentication / verification systems are thought to be far more secure than password-based systems, which is the reason why banks and credit companies are now using them.

Facial recognition systems have value-adding, real-life business applications too. For example, last year, a ride-hailing service called Careem (similar to Uber but operating in more than fifty cities in the Middle East and North Africa) announced that it was adding facial recognition software to its driver app to help with customer safety.

Monday, May 14, 2018

Google Driverless Car Involved In Smash

A self-driving vehicle owned by Google's Waymo has been involved in a smash in Arizona when it was hit by a car that swerved across multiple lanes.

Driverless Mode - But With Person On Board

The Google car was in autonomous / driverless mode at the time of the crash, but had a test driver in the driver's seat. The lady occupant is reported to be recovering from the incident.

A discussion is now underway as to whether the driverless car system or the test driver on board could have done anything more to avoid being hit by the other vehicle.

Waymo and Jaguar


Waymo is the self-driving car company that is owned by Google’s parent company Alphabet, and has been testing driverless vehicles since 2009. It has been reported that Waymo wants to purchase 20,000 Jaguar electric vehicles as part of its plans to launch a robotic ride-hailing service in the US.

It is understood that Waymo’s link-up with Jaguar will mean that from 2020 to 2022, UK-based (owned by India's Tata Motors ) Jaguar Land Rover (JLR) I-PACE electric cars will be providing up to one million rides per day in the service. It is thought that Jaguar cars will appeal to more upmarket customers, thereby already showing the possibilities for segmentation in driverless ride-hailing services.

The ride-hailing service will be launched on a small scale in Phoenix, Arizona, first in the coming months.

Not The First Autonomous Vehicle Accident

Although the Google car did not cause the crash, this is not the first time an autonomous vehicle has been involved in a serious incident. Back in March, Uber suspended all self-driving car tests in all North American cities after a fatal accident a 49-year-old woman was hit and killed by one of its autonomous vehicles as she crossed the street in Tempe, Arizona.

This was the second time that Uber has pulled its self-driving cars from the roads after an accident. A year earlier, also on Arizona, an Uber Volvo SUV in self-driving mode ended up on its side after another vehicle "failed to yield" to the Uber car at a left turn.

Autonomous Lorry Convoys on UK Roads This Year

Last year, the UK government announced that ‘platoons’ (mini-convoys) of self-driving, partially autonomous lorries are to be tested on British roads before the end of 2018. The so-called ‘platoons’ will take the form of several lorries driving closely together in a line in the inside lane, with the lead lorry wirelessly controlling the acceleration and braking for all the lorries, and with the following lorries responding to the changes in speed.

It is understood that for the tests which have been promised since 2014 and will be carried out by the Transport Research Laboratory (TRL), a human driver will be in the cab of the lead lorry, and will be able to take control if things don’t go entirely to plan.

What Does This Mean For Your Business?


Autonomous vehicles and vehicles with autonomous elements are already being tested and used in commercial environments and as part of the transport system in the US and the UK. The combination of driverless vehicles powered by electricity and using AI technology could provide a more environmentally-friendly solution to a variety of different transportation and delivery challenges, and to hopefully reduce traffic accidents.

The accidents involving driverless vehicles to date have, however, prompted some commentators to warn that the technology is being deployed before it is ready. Clearly, it is still early days for autonomous vehicles which means that there are still many untapped opportunities to use autonomous vehicles commercially, and there are of course many challenges and issues to consider around safety, insurance, regulations and reliability.

Autonomous vehicles are likely to be adopted more quickly on closed sites first, but operators who decide to adapt such sites to work for autonomy could expect significant improvements in productivity and safety.

Despite any bad press from the unfortunate crashes involving test autonomous cars in the US, having an emerging industry such as autonomous vehicles, with all its talent, technology and development centres here in the UK represents a huge opportunity for UK businesses as potential suppliers, beneficiaries of the technologies and products, and spin-off market opportunities. It also represents an opportunity for UK insurers.

Whereas the UK has a skills gap in many areas of the technology market, with the right amount of support and backing from the government and other investors, the testing, developing, and production of autonomous vehicles and the necessary technologies could be one area where home-grown talent is tempted to stay in what could become a world-centre of excellence for autonomous vehicle / AI technology.v

Cambridge Analytica Ordered To Turn Over All Data On US Professor

The UK data watchdog, the Information Commissioner’s Office (ICO), has ordered the consulting firm Cambridge Analytica to hand over all the personal information it has on US citizen Professor David Carroll, or face prosecution.

Demand Made in May 2017


The consulting firm, which is reported to have ceased operations and filed for bankruptcy in the wake of the recent scandal involving its access to and use of Facebook users’ details is facing the Enforcement Notice and possible legal action (if it doesn’t comply) because it has not fully met a demand made by Professor Carroll early last year.

Who Is Professor David Carroll?


David Carroll is a professor at the New School's Parsons School of Design. Although Professor Carroll is based in New York and is not a UK citizen, he used a subject access request (part of British data protection law) to ask Cambridge Analytica's branch in the UK to provide all the data it had gathered on him. With this type of request, organisations need to respond within 40 days with a copy of the data, the source of the data, and if the organisation will be giving the data to others.

It has been reported that Professor Carroll, a Democrat, was interested from an academic perspective, in the practice of political ad targeting in elections. Professor Carroll alleges that he was also concerned that he may have been targeted with messages that criticised Secretary Hillary Clinton with falsified or exaggerated information that may have negatively affected his sentiment about her candidacy.

Sent A Spreadsheet

Some weeks after Professor Carroll filed the subject access request in early 2017, Cambridge Analytica sent him a spreadsheet of information it had about him.

It has been reported that Cambridge Analytica had accurately predicted his views on some issues, and had scored Carroll a nine 9 of 10 on what it called a "traditional social and moral values importance rank."

What’s The Problem?

Even though Carroll was given a spreadsheet with some information, he wanted to know what that ranking meant and what it was based on, and where the data about him came from. Cambridge Analytica CEO Alexander Nix told a UK parliamentary committee that his company would not provide American citizens, like David Carroll, all the data it holds on them, or tell them where the data came from, and Nix said that there was no legislation in the US that allowed individuals to make such a request.

The UK’s Information Commissioner, Elizabeth Denham, sent a letter to Cambridge Analytica asking where the data on Professor Carroll came from, and what had been done with it. Elizabeth Denham is also reported to have said that, whether or not the people behind Cambridge Analytica decide to fold their operation, a continued refusal to engage with the ICO will still potentially breach an Enforcement Notice, and it will then become a criminal matter.

What Does This Mean For Your Business?

Many people have been shocked and angered by the recent scandal involving Facebook and its sharing of Facebook user data with Cambridge Analytica. The action by Professor Carroll could not only shed light on how millions of American voters were targeted online in the run-up to the 2016 election, but it could also lead to a wider understanding of what data is stored about us and how it is used by companies and organisations.

The right to request personal data that an organisation holds about us is a cornerstone right in data protection law, and this right will be brought into even sharper focus by the introduction of GDPR this month. GDPR will also give EU citizens the ‘right to be forgotten’, and has already put pressure on UK companies to put their data house in order, and prepare to comply or face stiff penalties.

This story also shows that American citizens can request information from companies that process their data in the UK.

Facebook Loyalty Intact Says Survey

Even after all the publicity surrounding Facebook’s selling of the personal data of 87 million users to Cambridge Analytica, a Reuters/Ipsos survey has found that most users are still loyal to the social media giant.

Just A Public Relations Problem

The survey conducted April 26-30 was based in the US, the home country of Facebook and the place where the vast majority of those whose data was sold live. Far from indicating that any users have been outraged by the selling of their personal data property without their permission, the survey appears to show that Facebook has so far suffered no ill effects from the scandal, other than a public relations headache.

A Quarter Using Facebook More!

The survey showed that half of US Facebook users said they had not recently changed the amount that they used the site, and, incredibly, a quarter of those surveyed said they were using it more!

The remaining 25% said that they were using it less recently, had stopped using it, or deleted their account.

64% of those surveyed said they still used Facebook at least once a day, down only slightly from the 68% recorded in a similar poll in late March.

The results appear to show, therefore, that the numbers of those using Facebook more has balanced out the numbers of any respondents who said they used the platform less, meaning that, according to the survey, Facebook appears to have suffered no real damage other than a PR hit from the scandal.

Wait Until 2nd Quarter

Facebook actually showed a near 50% increase its sales in the first quarter of this year, with profits up to $4.9bn from $3bn last year. Some commentators have stressed, however, that any of the financial effects of the scandal are likely to be evident in the second quarter.

Cambridge Analytica Closed

While Facebook, a social media giant, appears to have suffered no real damage other than a PR hit, Cambridge Analytica has been forced to go into liquidation blaming negative media attention. Some commentators have pointed out that Cambridge Analytica portrayed themselves as victims of unwarranted press activity, thereby deflecting blame from their activities involving the use of the personal data of millions to influence election and referendum outcomes.

Trusted With Dating Information?

It may appear that customer loyalty is still intact to a large extent now, but the next test for Facebook could be whether customers will trust them with their privacy when Facebook rolls out its dating service app later this year.

What Does This Mean For Your Business?

This story shows what many tech commentators had predicted - that the fact that Facebook was so much a part of peoples’ daily routine with no real alternative among the other social media platforms, that it could weather the storm and come out the other end with little real impact on its user numbers. It seems strange that, even though customers personal details were harvested and sold to a third party, without the permission of users, and then used to potentially influence how they voted in the US election (and in the Brexit referendum in the UK) that very few people appear to be prepared to see that as grounds to reject Facebook and the service and value that it offers in their lives.

People actively use Facebook as an integral part of their friendship networks and as a source of news, thereby allowing it unprecedented access to their personal lives and interests, as well as allowing it to help shape their view of the world, and it may be this investment and yes, loyalty, that has allowed them to apparently forgive Facebook for its part in the scandal, and to allow the value that Facebook offers in their lives to outweigh Facebook’s indiscretions.

From a business point of view, this shows how powerful loyalty can be, especially if a service can offer value that links strongly to ‘self’ and things that have emotional and personal connections and importance, and allow and enable real engagement.

8 More Security Flaws Found In Processors

Following on from the revelation in January that 2 major security flaws are present in nearly all modern processors, security researchers have now found 8 more potentially serious flaws.

Eight?

According to reports by German tech news magazine c't, the 8 new security flaws in chips / processors were discovered by several different security teams. The magazine is reported to have been given the full technical details of the vulnerabilities by researchers and has been able to verify them.

The new ‘family’ of bugs have been dubbed Spectre Next Generation (Spectre NB), after the original Spectre bug that was made public along with the ‘Meltdown’ bug at the beginning of the year.

90 Days To Respond

The researchers who discovered the bugs have followed bug disclosure protocols, and have given chip-makers and others 90 days to respond and to prepare patches before they release details of the bugs. The 90 day time limit ran out on Monday 7th May.

Co-ordinated Disclosure

Intel is reported to have been reluctant to simply acknowledge the existence of the bugs, preferring to have what it calls a ‘co-ordinated disclosure’, presumably near the end of the protocol time limit, when there has been time to prepare patches and to mitigate any other issues.

It is not yet clear if AMD processors are also potentially vulnerable to the Spectre-NG problems.

How Serious Are The Flaws?

There have been no reports, as yet, of any of the 8 newly-discovered flaws being used by cyber-criminals to attack firms and extract data. According to the magazine C't, however, Intel had classified half of the flaws as "high risk", and the others as "medium risk”.

It is believed that one of the more serious flaws could provide a way for attackers access a vulnerable virtual computer, and thereby reach the server behind it, or reach other software programs running on that machine. It has been reported that Cloud services like Amazon's AWS may be at risk from this flaw.

Meltdown and Spectre


The original Meltdown and Spectre flaws were found to have been present in nearly all modern processors / microchips, meaning that most computerised devices are potentially vulnerable to attack, including all iPhones, iPads and Macs.

Meltdown was found to leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.

Spectre, which was found to affect Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be fooled into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.

What Does This Mean For Your Business?


The discovery of a family of 8 more flaws on top of the original 2 ‘Spectre’ and ‘Meltdown’ flaws is more bad news for businesses, particularly when they are trying to make things as secure as possible for the introduction of GDPR. Sadly, it is very likely that your devices are affected by the several or all of the flaws because they are hardware flaws at architectural level, more or less across the board for all devices that use processors. The best advice now is to install all available patches and make sure that you are receiving updates for all your systems, software and devices.

Although closing hardware flaws using software patches and updates is a big job for manufacturers and software companies, it is the only realistic and quick answer at this stage to a large-scale problem that has present for a long time, but has only recently been discovered.

Regular patching is a good basic security habit to get into anyway. Research from summer 2017 (Fortinet Global Threat Landscape Report) shows that 9 out of 10 impacted businesses are being hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and there are already patches available for them.

Twitter Says Change Your Password

Twitter has advised all users to change their passwords after a bug caused the passwords to be stored in easily readable, plain text on an internal computer log.

The Bug - Passwords Visible Before ‘Hashing’

Twitter reported on their own blog that the bug that stored passwords had been ‘unmasked’ in an internal log. The bug is reported to have written the passwords into that internal log before Twitter’s hashing process had been completed.

The hashing process disguises Twitter passwords, making them very difficult to read. Hashing uses the ‘bcrypt’ function which replaces actual passwords with a random set of numbers and letters. It is this set of replaced characters that should be stored in Twitter’s system, as these allow the systems to validate account credentials without revealing customer password.

Millions Affected?

The fact that the passwords were revealed on an internal server, albeit for what is estimated to be for several months, and that there appears to be no evidence of anyone outside the company seeing the passwords, and no evidence of a theft or passwords turning up for sale on hacker site, indicates that it is unlikely that many of the 330 million Twitter users have anything real to fear from the breach.

Big Breaches

In this case, Twitter appears to have behaved responsibly and acted quickly by reporting the bug to regulators, fixing the bug, and quickly and publicly advising all customers to change their passwords.

Twitter’s behaviour appears to be in stark contrast to the way other companies have handled big breaches. For example, back in November 2017 Uber was reported to have concealed a massive data breach from a hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.

Breaches can happen for all kinds of reasons, and while Twitter’s breach was very much caused and fixed by Twitter internally, others have been less lucky. For example, an outsourcing provider of the Red Cross Blood Service in Australia accidentally published the Service’s entire database to a public web server, thereby resulting in Australia's largest ever data breach.

What Does This Mean For Your Business?

If you have a Twitter account, personal or business, the advice from Twitter is quite simply to change your password, and change it on any other service where you may have used the same password. Twitter is also advising customers to make the new password a strong one that isn’t reused on other websites, and to enable two-factor authentication. You may also want to use a password manager to make sure you’re using strong, unique passwords everywhere.

In this case, Twitter has acted quickly, appropriately and transparently, thereby minimising risks to customers and risks to its own brand reputation. Twitter will want this message of responsibility to be received loud and clear, particularly at a time where GDPR (and its hefty fines) is just around the corner, and a time when other competing social networks i.e. Facebook have damaged customer trust by acting less responsibly with their data through the Cambridge Analytica scandal.

Tuesday, May 08, 2018

Amazon Challenges Google and Facebook For Ads Dominance

Reports that Amazon.com Inc has doubled its ad profits, is growing its ad business fast, and may be outselling ads on Twitter Inc and Snapchat, may soon see it in serious contention for ad dominance with its bigger rivals : Google and Facebook.

Multi-Billion Dollar Program


Reports that Amazon has achieved around $2 billion advertising revenue and with predictions by eMarketer last October that Amazon would hit $3.19 billion in net U.S. digital ad revenues by 2019 (which is 3.0 percent of digital ad spending), show that Amazon clearly has a multi-billion dollar program underway that is growing fast.

How?


Some commentators put the rapid and impressive rise in ad revenues down to the fact that Amazon has two non-retail businesses that are experiencing fast growth, and are profitable.

Firstly, Amazon’s fastest-growing business segment, which hit $2.0 billion in the first quarter, and showed a 72 % increase from a year earlier, and 100% growth in the last quarter is its “other” section. This segment is mainly Amazon’s growing advertising business which is experiencing strong demand from advertisers that spend money to highlight their products over competitors’ in Amazon’s catalogue. The ad business now generates multiple billions in revenue. For example, the world’s largest advertising company, WPP, directed $200 million of its clients’ ad budgets to Amazon in 2017, and has also predicted that this number could rise to $300 million this year.

Secondly, Amazon’s other key profit driving non-retail business is Amazon Web Services (AWS). This leases computing power and data storage to companies large and small, and has just experienced a 40% growth. The fact that AWS has earned $17.5 billion in 2017 compared to its $9.2 CapEx spending means that it is even making a profit from a business that typically requires a huge amount of investment. For example, Amazon Web Services (AWS), Microsoft, and Google collectively spent $35 billion on data centres to power their cloud businesses in 2017.

One key thing that both of these important business segments have in common is that they deliver big profit margins. For example, AWS’s operating profit margin is consistently over 20% and Amazon’s ad business also contributes big profits to the company’s main bottom line.

Some commentators have said that Amazon’s strong position in the Cloud market, search and advertising, and the voice assistant market with Alexa are boosting the competitive position of the company as well as its profits.

In Competition With Google and Facebook?

This huge surge in advertising profits is still not quite in the same ballpark as Google and Facebook’s Internet duopoly, with Google and Facebook accounting for more than 60% of global online ad revenues, although Amazon is now on the right trajectory to start taking more of their business.

What Does This Mean For Your Business?


Amazon has expanded and diversified in recent years and the big advantages of its advertising that are attracting more business customers are its reach, the fact that Amazon has users’ purchase data and knows what shoppers need, and the fact that advertising on Amazon is delivering results for customers in terms of driving brand awareness, discovery or/and purchases.

These recent ad revenue figures show that although Amazon isn’t seriously challenging Facebook and Google just yet, it is generating significant profits from non-retail parts of its business, and is certainly going in the right direction to challenge the current duopoly. For businesses, this gives them more choice, and another potentially effective advertising platform that could drive more potential buyers their way.