Monday, February 26, 2018

Belgium Says No To Facebook Tracking Code

A court in Belgium has told Facebook to stop using tracking code to follow and record internet use by people surfing in Belgium, until it complies with the country’s own privacy laws.

What’s The Problem?

According to Belgium’s privacy watchdog, the Belgian Commission for the Protection of Privacy (CPP), Facebook placed tracking code in the form of ‘cookies’ on third-party websites. This would mean that Facebook’s actions did not comply with Belgium’s privacy laws because:
  • It tracked people without consent.
  • It tracked people who were not Facebook users.
  • It (presumably) stored the tracked personal data that it obtained illegally in the first place.

What Now?

If Facebook fails to comply with Belgium’s CPP it could face fines of £221,000 per day.

Industry Standard


Facebook is reported to have expressed disappointment at the verdict and has stated that it is simply using the same industry standard cookies and pixels that other EU businesses use to help them grow their business.

Ongoing


This latest case appears to be the latest round in a long-running, ongoing dispute between the social media giant and the CPP. For example, back in November 2015, the CPP won a case against Facebook concerning the tracking of people with a ‘datr cookie’ when they visited pages on the site and clicked on like or share, even if they had never registered for an account, or if they had but weren’t even logged in.

Facebook was able to appeal and win an overturning of the verdict because it was judged that Belgian courts didn’t have international jurisdiction over Facebook Ireland i.e. because the data collected by the cookies was stored on servers in Dublin, the European base of Facebook’s operations.

The CPP then indicated that it would try to appeal against Facebook’s successful appeal through Belgium’s court of cassation, using a Yahoo case as an example. With Yahoo, for example, it was ruled back in 2015 that finding against Yahoo wouldn’t have to mean intervention outside of Belgium, and that, since Yahoo actively participated in the economic life of Belgium by using the domain name .be or displaying ads based on users’ location e.g. in Belgium, it voluntarily submitted itself to Belgian law.

What Does This Mean For Your Business?

This story has commercial, legal and political aspects to it. Cookies can provide useful information and functions for businesses e.g. helping to personalise user browsing experiences, and gathering information about users of the company website - usually with an initial registration of consent by users of a website.

With this Facebook case, as web users, we may feel uneasy that trusted companies may be tracking all-comers without consent. This kind of story reminds us all about the importance of privacy and security, and its worth remembering that cookies sent over the web without encryption i.e. if the website doesn’t have HTTPS in front of the domain, could be a security risk because they are readable by anyone on a network and could sensitive data e.g. credit card details, e-mail address and more. Google, for example, has just announced that from July, Chrome will be labelling websites without HTTPS as ‘Not Secure’ to try and combat this kind of risk.

The legal aspect of this case relates to which country has jurisdiction over the actions of a company whose services are used in that country, but the HQ and the data storage are in another country. This is another long-running legal argument e.g. Apple’s tax breaks in Ireland.

Many see the EU and people like the EU’s commissioner for competition, and measures like greater regulation and taxation as being useful to curb some of the more suspect behaviour of the big US Internet companies in Europe.

The introduction of GDPR should also provide greater protection for EU citizens in terms of online privacy and security. The UK will soon not be an EU member, but will have its own similar Bill added to UK law, but this could produce more legal grey areas.

There is clearly a political dimension to this story too as Belgium seeks to hold a powerful overseas company to account, and it wouldn’t be the first time that an EU country has tried to do this.

Facebook In Authentication Spamming Row


Facebook is facing criticism for allegedly using sign-ups to 2 factor



authentication as an opportunity to send spam SMS notifications.

What 2FA?


Facebook has been allowing users to sign up for SMS-based two-factor authentication to mitigate the risk of phishing attempts and to help protect people from having their accounts compromised.

Spam Too

Unfortunately, in addition to receiving the authentication texts / security tokens that they expected, some sign-ups have also reported receiving what are essentially extra spam texts from Facebook with links to other things happening on the social network.

To make matters even worse, any replies to the spam texts e.g. requests to stop the texts, were reported to have been posted onto the user’s Facebook profile page.

Facebook Sorry

After complaints were received, Facebook released a statement saying that it was sorry for any inconvenience caused, and that it was not their intention to send non-security-related SMS notifications to the phone numbers that customers had submitted as part of the two-factor authentication service.

With regards to posting customer replies to the spam texts on their own Facebook profiles, Facebook explained that this was a throwback to a time before the ubiquity of smartphones when Facebook supported posting to profiles via text message. Facebook admitted, however, that this feature is now less useful, and that it would soon be deprecated.

Bad Publicity In Europe

This incident comes on top of plenty of recent bad publicity in Europe for Facebook. Firstly, after a dispute dating back to 2015 where Facebook fell foul of Verbraucherzentrale Bundesverband (vzbv), or Federation of German Consumer Organisations, a German court has just ruled that Facebook didn’t do enough to alert people to the pre-ticked privacy settings on its mobile app. It also found that eight clauses in Facebook's terms of service were invalid, including terms that allow Facebook to transmit data to the US and use personal data for commercial purposes.

In a separate long-running spat, this time in Belgium, Facebook lost in a court case with Belgium’s privacy watchdog, the Belgian commission for the protection of privacy (CPP), where it was ruled that Facebook failed to comply with Belgian privacy laws. This time, it was found that Facebook had been using cookies to track people who may or may not have been Facebook users without their consent, and then stored the tracked personal data that it obtained illegally in the first place.

What Does This Mean For Your Business?

As well as highlighting how it appears that the behaviour of some big US Internet companies in Europe are being closely monitored (and needs to be), it highlights how data privacy laws and courts differ in different countries.

This story also brings into focus the importance of the imminent introduction of GDPR in May this year, which should go some way to making data privacy and security laws more uniform and consistent across the EU region. Even though the UK won’t be in the EU soon, GDPR will apply initially, and then the Data Protection Bill (DPB) will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law for the future.

On the subject of GDPR, businesses should be reminded that we have now passed what is known as ‘X-Day’ (100 days from GDPR’s introduction), and that businesses and organisations need to quickly adopt an automated, classification-based, policy-driven approach so that they can meet the regulatory demands within the short time frame available.

In relation to the Facebook case of ‘accidental’ spam after sign-ups for the SMS-based two-factor authentication service, this behaviour would contravene GDPR because, under GDPR, the users would have only given consent for the 2FA service, and not for anything else. GDPR may, therefore, make companies think very seriously about what SMS and email messages they send to user groups based on their initial consent. The whole area of consent and GDPR is something that will need more discussion and clarification to help businesses understand the new boundaries for their online marketing.

GDPR Extortion Prediction

A report by Security Company Trend Micro has predicted that, as cyber criminals are now focusing more on maximising financial return, the introduction of GDPR this year could give them potentially lucrative extortion opportunities.

How?

The point that this report is making is that, with the prospect of massive fines under GDPR e.g. fines up to €20 million, or 4% of their global turnover, criminals could extort large sums of money from companies with the threat of a cyber attack that could lead to data security breach, which could in turn lead to a fine under GDPR. It has been suggested that criminals could first determine the penalty under GDPR that could result from an attack, and then demand a ransom of slightly less than that fine.

What’s Happening?

The recent trends in cyber crime are what have led to this latest chilling prediction. For example, the fact that cyber criminals appear to be abandoning exploit kits and indiscriminate attacks in favour of more strategic attacks with maximised financial gain is a trend that has become more apparent. This trend coupled with the fact that, although the number of reported breaches in 2017 was lower than in 2016, the amount of data compromised by cyber attacks increased, have led security commentators to believe that criminals will seek to exploit GDPR as a money-making weapon.

Predictions Started Last Year

Predictions that the threat of GDPR fines could be exploited by criminals first surfaced in the media last November when researcher Mikko Hypponen made the point that GDPR fine figures could give cyber-criminals who are using ransomware, or hackers stealing data, a price point to set the ransom at because now they know how much money they should be asking.

Hypponen argued that because the criminals know what data is worth / what covering-up a data breach may be worth to some companies (probably large, well-known ones), these companies may be actually willing to pay anything less than the full amount of the fine to avoid serious damage to their reputation, loss of customers and more.

According to Hypponen, ransoms could, therefore, be set at up to 2% or 3% of the targeted organisation’s global annual turnover. This could equate to millions of dollars in some cases.

Threat Of Reporting Too


As well as the threat of a ransom to avoid a direct, deliberate attack that would result in a fine, security commentators have also suggested that hackers / scammers could steal data with advanced ransomware and then blackmail the victims with the threat of reporting them to the data protection commissioner. This is because ransomware can affect the availability, access, and recovery of personal data.

Other Trends

Other Trends uncovered in the recent Trend Micro Report include:
  • A 32% increase in new ransomware families from 2016 to 2017.
  • A doubling of business email compromise (BEC) attempts between the first and second half of 2017.
  • Rapidly rising rates of cryptocurrency mining malware (100,000 detections in October).
  • A 22% increase from 2016 in BEC attempts to trick company employees into approving money transfers to criminal accounts, mostly targeting the chief financial officer (CFO).
  • More attacks on vulnerable internet of things (IoT) devices, with software vulnerabilities also continued to be targeted (1,009 new flaws discovered and disclosed in 2017).

What Does This Mean For Your Business?


As well as being an opportunity to get the (data) house in order and to enhance competitiveness (GDPR compliant companies are more likely to want to deal with other compliant companies), the size of the fines and now the potential activities of extortionists are risks for the coming years for UK businesses. Even though these predictions relate to more daring and sophisticated crimes, companies should still make sure that they are at least covered against more basic attempts e.g. by keeping up to date with software patching, and covering all known vulnerabilities.

Ways that companies could protect themselves against hacking / ransomware threats include only giving users access to what they need and taking away admin privileges, backing up all critical files effectively and securely, and testing those backups to make sure that information can be restored in a usable form. Training of staff e.g. chief financial officers (CFOs) or anyone involved in payment, and establishing a clear process for checking and chain of command could reduce the risk of BEC attempts and socially engineered attacks. Businesses would also be wise to make sure that their Business Continuity and Disaster Recovery Plans are kept up to date in the light of emerging threats.

More security commentators are also now warning businesses against the potentially devastating combination of security oversights, increasingly aggressive threats and, perhaps, carelessness in some aspects of cyber and data security.

Facebook Postcards To Combat Election Interference

Following disclosures of how Facebook was used by advertisers who may
have been seeking to influence the US election result, Facebook has suggested that in future in the US, those backing candidates with advertising campaigns will receive a ‘snail mail’ postcard sent by Facebook with a verification code.

Ads Mentioning A Candidate


The measure is reported to be only applicable to those who run adverts mentioning a specific candidate, rather than paying to promote a political message e.g. a policy. The verification code sent on the post card can then be used to confirm the advertiser lives in the United States.

Won’t Solve Everything

Facebook’s global director of policy programs, Katie Harbath, has reportedly acknowledged that the postcard idea may not solve all the all problems, but it is the most effective solution that the company could come up with for the time bring to stop similar illegal activity happening on its platform.

How Bad Was It?

Back in November, Facebook released figures ahead of its Senate hearing showing that Russia-based operatives uploaded 80,000 posts to Facebook in the last 2 years. Taking into account posts published between June 2015 and August 2017, it is believed that 29 million Americans saw the posts directly, and that 26 million American users may have seen, and perhaps been influenced by, liked and shared messages and comments that could have originated in Russia.

Also, US Special Counsel Robert Mueller said recently that no fewer than 13 Russians and three Russian companies are believed to have committed criminal offences by using social media to interfere in the US election.

What Does This Mean For Your Business?

It does seem a little ironic that one of the world’s most famous Internet companies must resort to ‘snail mail’ to solve a major problem, but as the company says, it seems like the only effective option for now. It would also be easy to see how this overt, but fairly limited option could be gotten around by e.g. determined state sponsored players.

The bigger picture of the whole election result influence story (i.e. which party / candidate wins) is that it has a big effect on the business environment as well as on society. It is not a surprise that one country could seek to influence events in another, but it is a surprise to some people that tech companies and social media companies are still able to offer such a powerful voice and a channel to all.

The challenge that tech companies such as Facebook and Google (with YouTube) face is that they need to protect the idea that they reject censorship and interference from governments, while still being seen to be acting responsibly and proactively, while also protecting their brands and monetising elements of their business at the same time.

The election revelations have just served to add fuel to the arguments of governments and politicians, both in the US and the UK, that they don’t have more of an influence over social media and tech companies e.g. with the end-to-end encryption debate in the UK, and that they often only come up against lawyers for these companies rather being able to be seen to be publicly grilling the owners of these tech giants themselves.

A Quarter Of Councils Have Been Hacked

A freedom of information request by privacy campaign group Big Brother
Watch has revealed the shocking statistic that a quarter of all UK councils have had their IT systems breached in the past five years.

37 Attempted Cyber Attacks Every Minute

The ‘Cyber Attacks In Local Authorities’ report from Big Brother Watch shows that local governments are subject to cyber attack attempts at the staggering rate of 37 per minute!

Thankfully, only a tiny fraction of the attacks launched are successful although this still represents a serious problem. For example, 114 councils experienced at least one incident between 2013 and 2017.

High Stakes

The nature of the work of UK Councils is such that they hold a large amount of up-to-date personal data for people in their areas, so one successful breach can have very serious consequences.

Not Disclosing Breaches


One particularly worrying aspect of council behaviour exposed by the report is that, from the data gathered, few seem to have reported losses and breaches of data, which is something that organisations will be required to do within 72 hours under GDPR when it comes into force in May.

Human Error - Training Needed


As in so many companies and organisations, human error is often a factor in breaches. In 2015, for example, Big Brother Watch has exposed how local authorities committed 4 data breaches a day, all thought to be predominantly caused by human error.

Big Brother Watch has also revealed that that, despite the number and seriousness of the breaches, little action has been taken by UK councils to increase staff awareness and education in matters of cyber security and data protection. For example, it has been disclosed that 75% of local authorities do not provide mandatory training in cyber security awareness for staff, and that16% do not provide any training at all!

What Does This Mean For Your Business?


Some commentators have been quick to point out that bearing in mind how much sensitive data councils hold about citizens, and the incredible amount of attempted cyber attacks against them, they could be making more of an effort and an investment to beef-up security.

Other commentators have noted that cuts to council budgets e.g. with austerity measures may have played their part in limiting cyber security effectiveness in UK councils.

After the shocking findings of the report, Big Brother Watch issued some recommendations to local authorities which could very well apply to other businesses and organisations. These are:
  • Cyber security should be prioritised, and that rather than investing too much in surveillance technologies, more should be invested in cyber security strategies and in the training of staff.
  • Cyber security incidents should be consistently reported, and that a protocol needs to be established so that incidents are reported quickly and to the right authorities e.g. the police, the ICO, and the National Cyber Security Centre.
  • All staff should receive mandatory training in cyber security because Cyber attacks are not only designed to breach computer systems, but also to exploit humans who are often the weakest cyber security link.

Monday, February 19, 2018

10 Gbps Home Broadband Speed Achieved In Test

Broadband operator Hyperoptic is reported to have achieved home
Broadband speeds of up to 10 gigabits per second (Gbps) in a recent test.

Hyperoptic?


‘Hyperoptic’ is the company name in this case, but the term hyperoptic generally refers to the kinds of super speeds that can be achieved with full fibre / fibre-to-the-building / fibre-to-the-home / 'fibre-to-the-premises' infrastructure and packages.

A First

The result of the test, which was carried out in a home in the former Olympic village in east London (presumably because it is fully fibre linked), is thought to be the first time that such speeds have been brought to a UK home using an existing ISP network rather than a dedicated line.

How Fast Is That?

Quoted broadband speed figures are often not what they seem, but speeds of up 10 gigabits per second would mean that:
  • A standard HD movie file (5GB) could be downloaded in 4 seconds, compared with 6 minutes 40 seconds on a 100Mbps connection.
  • A 25GB Xbox game could be downloaded in 20 seconds, compared with more than 33 minutes on a 100Mbps connection.
  • The latest full 4K ultra high definition movie (75 GB) could be downloaded in just 1 minute, compared to 1 hour 40 minutes on a 100Mbps connection.

Why Do We Need Hyper Speeds?

Spending more time on more powerful gadgets / mobile devices, the growth of the subscription economy for services, the continued growth of online shopping, the growth of the cloud, the popularity of gaming, video and social media programs, the popularity of TV / Film and other media streaming services, the demand to download bigger and better quality files, and the frustration of buffering and slow connections over many years have all stimulated UK demand for better and faster connections. Also, more businesses are looking to future-proof their networks, and they feel that much faster connections are needed for effective global business competitiveness.

As things stand, a recent survey by cable.co.uk found that the UK ranks only 31st in the world for average broadband speeds, with an average broadband speed of just 16.51Mbps.

Trials of Full Broadband In 6 UK Regions

Back in September, the UK government announced that six regions of the UK would be hosting trials of full fibre broadband for businesses, schools and hospitals as part of a £200m scheme by the Department for Digital, Culture, Media & Sport (DCMS).

According to the DCMS, £10 million of the total £200 million budget will be spent on trials for full fibre broadband in Aberdeen and Aberdeenshire, West Sussex, Coventry and Warwickshire, Bristol and Bath & North East Somerset, West Yorkshire and Greater Manchester.

Commitment From Big Providers

The big UK broadband providers are making more of a commitment to the kind of full-fibre connections that could bring much faster speeds. For example, BT has promised to bring full-fibre connections to 3 million premises by 2020, 700,000 of which will be in rural areas. Also, TalkTalk has announced a big investment in infrastructure which will bring full-fibre technology to 3 million homes and businesses.

Criticism

Despite this recent announcement by Hyperoptic, there are many valid criticisms about any big plans for boosting broadband speeds with the widespread use of fibre-optic cables in the UK including:

  1. Even if you have a fibre-optic cable to your home / business premises, there will still be shared traffic points in the network which will slow down your broadband at certain times.
  2. Full fibre-optic, ultra-fast broadband is not likely to be a reality in the UK anytime soon. At the current rate, BT Openreach has stated that only two million premises will have access to ‘full fibre’ by the end of 2020.

What Does This Mean For Your Business?

The test by Hyperoptic is really just a tantalizing view of what could be possible if we all had full-fibre broadband up to our premises, and a fabulous UK fibre infrastructure. Obviously, that could bring considerable value-adding, cost-saving, competitiveness-boosting benefits to UK businesses.

Sadly, the current reality is that businesses don’t have (and look unlikely to have any time soon) access to kind of speeds that overseas companies (e.g. competitors) enjoy, and certainly don’t have access to the speeds that the Hyperoptic test was demonstrating.

Whilst it is good that funding and momentum for the task of delivering faster (fibre or fibre/G.fast) broadband for UK businesses looks to be increasing, the UK has a long way to go, and the reality is that we may only actually have 7% full fibre coverage by 2020.

In terms of what it actually means for a business to be physically connected to a fibre broadband infrastructure, technical commentators say it will be a case of simply having a small box installed on the premises. In terms of costs, it seems likely that faster full-fibre packages will be an opportunity for ISPs to charge more.

UK Government Unveils Online Extremism Blocker

Home Secretary Amber Rudd has unveiled the UK government’s new tool for detecting and blocking online extremist and jihadist content.

Publicly Funded

The new tool was developed by artificial intelligence company ‘ASI Data Science’ based in London, and was funded using £600,000 of public funds.

Tackling A Growing Problem


The tool was developed to tackle the growing problem extremist / jihadist (e.g. IS) content being posted online, and current moderating techniques simply not being able to keep up with the job of detecting and removing it fast enough. For example, as well as the popular video platforms for posting such content, the Home Office estimates that between July and the end of 2017, extremist material appeared in almost 150 web services that had not been used for this kind of propaganda before.

An ASI Data Science spokesperson is reported as saying that there are currently over 100 different (extremist / IS) videos posted on over 400 different platforms online.

The danger is of course, that the material can contribute to the promotion of extremist causes, the radicalisation of people, the recruitment of new terror group members, and inspiring individuals / groups to commit their own acts of terror. Some of the content can also be very disturbing e.g. if viewed by children online.

How The New Tool Works


The new tool is reported to have an AI element which has enabled it to be ‘trained’ to correctly pick out extremist content. For obvious reasons, the exact workings of the tool are being kept secret, but it is understood that the tool uses an algorithm to detect signals that contribute to a level of probability (low to high) that a video is likely to be terrorist propaganda rather than e.g. a legitimate news video. The tool can be applied at the point of upload on a video platform, thereby stopping the propaganda video from being uploaded in the first place.

This tool is reported to be able to accurately detect 94% of IS video uploads, and that it can typically flag 0.005% of non-IS video uploads. On a site with five million daily uploads, for example, it would flag 250 non-IS videos for review / for a human decision to be taken.

Others Have Tried


Facebook and Google are known to have been trying to develop their own terror material filtering tool, and this UK version is thought to be suitable for use by smaller platforms first.

Home Secretary Says.


Home Secretary Rudd is reported as saying that even though the tool has been developed, the UK government won’t rule out taking legislative action too where necessary, and that an industry-led forum such as The Global Internet Forum to Counter Terrorism, launched last year, will also help to tackle the issue.

What Does This Mean For Your Business?


For businesses using the smaller social media and video platforms, this tool could be a practical solution to current moderation problems. For the UK government, it provides some good publicity, a chance to gain back some ground in the online battle with terror groups such as IS, and a way to be seen to be tackling worries of radicalisation of UK citizens. It also provides a way for the Home Secretary to apply more pressure to the popular social media platforms, some of which the UK government has criticised for not taking enough fast action to detect remove extremist content.

For UK businesses generally, association with and use of advertising platforms that are free of extremist and unsavoury material is obviously better from a brand protection point of view. It is, however, a fact that Facebook and Google are hugely important for business advertising, and that PPC advertising for example, is unlikely to be affected by whether the chosen video / social media platform adopts such a screening-tool in the near future.

X-Day February 15th - Prepare For GDPR

Network services provider EfficientIP has warned businesses that, in reality, February 15th is the last day that organisations can ensure their real-world compliance with GDPR.

I Thought May 25th Was The Deadline?


May 25th is the actual date that companies and organisations need to ensure that they are compliant with GDPR. However, the point that EfficientIP made in an announcement last week is that, realistically, it actually takes 99 days to detect a data breach. This gives hackers time to ‘exfiltrate’ data, or remove it without detection. Taking this into account, February 15th is exactly 100 days before May 25th 2018, and could, therefore, be regarded as the last day organisations can ensure real-world compliance with GDPR.

Dubbed ‘X-Day’

With this point in mind, some Cyber Security experts have started referring to February 15th as “X-Day” because it is the last day companies can prevent data exfiltration attacks without potential prosecution by regulators.

What Is Data Exfiltration?

Data exfiltration is the unauthorized copying, transfer or retrieval of data from a computer or server. In other words, hackers can use the DNS protocol to very quickly transfer large amounts of personal and sensitive data from your company systems e.g. customer data such as credit card numbers, or company information such as financial records.

EfficientIP have pointed out that most of the companies breached after February 15th 2018 will only discover the attack after GDPR is in force, and will, therefore, (legally) only have 72 hours to publicly disclose the breach.

How Common is Exfiltration?

EfficientIP’s own research shows that as much as 24% of companies have suffered data exfiltration in the past year.

Positive View

Although the EfficientIP is a warning, and companies already know that failing to comply with GDPR will bring large fines, and data breaches can cause irreparable damage to a company and its reputation, there are some very positive reasons for preparing now for GDPR. For example, a recent Veritas survey showed 95% of decision-makers expect a positive outcome from GDPR compliance, and 92% think they would benefit from having better data hygiene.

68% of respondents in the Veritas survey also said that getting GDPR compliant would give them a better insight into their business, which could help to improve the customer experience, and that compliance could actually save the company money.

Getting Motivated


It’s all very well issuing worrying warnings, but companies not yet compliant need to find effective ways to drive the cultural and organisational changes needed to get to grips with GDPR going forward. These motivators, also highlighted in a recent Veritas survey, could include adding compliance to employee contracts (47%), implementing disciplinary action if the regulation is disobeyed (41%), and educating employees about the benefits of GDPR (40%).

What Does This Mean For Your Business?

GDPR is just around the corner and this ‘X-Day’ warning is an indicator that realistically, GDPR compliance shouldn’t be put off any longer.

Data management commentators suggest that companies should adopt an automated, classification-based, policy-driven approach to GDPR so that they can meet the regulatory demands within the short time frame available.

Businesses have now heard all the warnings, and many companies and organisations are now starting come around to the idea of focusing on the positive outcomes and benefits that GDPR compliance will bring such as increased revenues, resulting from improved customer loyalty, heightened brand reputation, and competitive differentiation in the market.

There is also now growing realisation that companies will prefer to have business relationships with GDPR compliant companies to help ensure their own compliance. This means that GDPR compliance will be become a basic necessity to enable companies to compete in a normal way in today’s business environment.

Cryptojacking Discovered On Government Websites

A UK security researcher has discovered that cyber criminals have been using public sector websites, including that of the UK’s Information Commissioner’s Office for cryptojacking.

What Is Cryptojacking?

Typically, cryptojacking involves hackers / scammers installing 'mining script' code such as Coin Hive, into multiple web pages without the knowledge of the website owners. The compromised website then runs the cryptomining code, which is written in JavaScript, inside the victim’s web browser when they visit the website. The scammer is then able to get multiple computers to join their networks so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency.

If, for example, a website is able to get one million visitors a month, and if the Coin Hive Web Miner for Monero (XMR) is used, it could generate an income of £88 in the Monero crypto-currency.

Modified BrowseAloud Plugin


In this latest discovery by security researcher Scott Helme, criminals were found to be using a modified version of the BrowseAloud plugin to enable crypotojacking through government websites. The BrowseAloud plugin is normally used to make websites more accessible to visually impaired people, but in this case, attackers were found to have planted malicious code to the JavaScript file to use the browser CPU in an attempt to illegally generate cryptocurrency.

It is thought that criminals targeted this plugin because public sector websites need to comply with legal obligations to make their information accessible to people with disabilities.

Which Government Websites?

A recent investigation has discovered that around 5,000 websites are being targeted using this kind of cryptojacking. The government websites affected include the websites of the UK’s Information Commissioner’s Office (ICO), NHS websites, the General Medical Council website, some UK local council websites, the Student Loans Company site, some Australian government department websites, and the even the US Courts website.

What Does This Mean For Your Business?

Many businesses and organisations simply aren’t able to see and take account of all of the ways they can be attacked externally. Also, it’s not always easy to understand what belongs to your organisation, how it is connected to the rest of your asset inventory, and what potential vulnerabilities are exposed to compromise.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses. There are, however, some simple measures that your business can take to avoid being exploited as part of this kind of scam.
If, for example, you are using an ad blocker on your computer, you can set it to block one specific JavaScript URL which is https://coinhive.com/lib/miner.min.js. This will stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, a dedicated browser extension called 'No Coin' is available for Chrome, Firefox and Opera. This will stop the Coin Hive mining code being used through your browser. This extension comes with a white-list and an option to pause the extension should you wish to do so.

Coin Hive's developers have also said that they would like people to report any malicious use of Coin Hive to them. Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Digital threat management software is also an option that can help companies to continuously discover an inventory of their externally facing digital assets, and to manage the risks across the entire attack surface.

Adopt 'HTTPS' Or Face Being Penalised by Google

Google has announced that websites without ‘HTTPS’ in front of their
domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.

What Is HTTPS and Why Does It Matter?


HTTPS stands for Hyper Text Transfer Protocol Secure. It is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to, which means that all communications between your browser and the website you visit are encrypted.

In practical and technical terms, having HTTPS in front of your website URL means that:

  • Every unprotected HTTP request could reveal information about the behaviours and identities of your users. With HTTPS, therefore, critical security and data integrity for both your websites and your users' personal information is provided. For example, no one with access to your router or ISP can get in the middle and intercept information sent to websites, spy on what you’re doing, or inject malware into legitimate pages.
  • Intruders (benign and malignant), now target every unprotected resource between your website and users e.g. images, cookies, scripts, and HTML. HTTPS provides a kind of blanket protection. ‘Intruders’ could include intentionally malicious attackers, as well as legitimate but intrusive companies e.g. ISPs or hotels that inject adverts into pages.
  • HTTPS doesn't just block misuse of your website, but it is now also a requirement for many cutting-edge features, and is an enabling technology for app-like capabilities such as service workers, or building progressive web apps.
  • Many older APIs are now being updated to require permission to execute e.g. geolocation API. HTTPS is, therefore, a main component to the permission workflows for both new features and updated APIs.

Naming and Shaming

Google’s Chrome Security Product Manager, Emily Schechter, has announced on the Google Blog that, as from July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. Google has played down this more direct move as being simply another step in a progression that has seen it gradually marking a larger subset of HTTP pages as “not secure” over the last year. Those companies and organisations that have not yet got their secure certificates may, however, be left thinking that this looks more like a naming and shaming.

Google isn’t the only company to adopt this kind of tactic. Mozilla took a similar approach sites using HTTP back in December with Firefox Nightly version 59.

Cost

The cost of secure certificates varies e.g. popular host GoDaddy offers HTTPS for one website for around £44 per year (£55 when you renew it). Google’s blog post avoids discussion of the cost, and focuses more on the benefits, the risks of not getting one, and makes the point that secure certificates are now more affordable than ever.

According to Google’s figures, many sites have already switched to HTTPS, with a reported 68% of Chrome traffic on Android and Windows now protected, 78% of Chrome traffic on Chrome OS and Mac now protected, and 81 of the top 100 sites on the web now using HTTPS by default.

What Does This Mean For Your Business?


Clearly, any thought that a secure certificate will only be needed by websites that directly take payments is likely to be wrong. Google is committed to making HTTS the default standard - on its blog it says ‘a secure web is here to stay’. The fear for businesses, in addition to the fear of cyber attacks, is that if you don’t have HTTPS for your business website soon, it could suffer in the search engine rankings, and potential customers could be scared away by visual warnings that the site is somehow, suddenly not secure. For smaller businesses this could be particularly damaging.

If having HTTPS reduces the risk of cyber crime then the benefits of buying a secure certificate will outweigh the cost, but for many smaller businesses, this may feel like they are being forced to pay an extra cost each year, and it may also force cyber criminals to change their tactics e.g. move more into social engineering attacks, and perhaps turn to AI-powered attack methods.

Monday, February 12, 2018

Too Much Technology Is A Workplace Distraction

The results of a survey by Microsoft indicate that constant contact
with technology such as emails, messages and notifications in the workplace can reduce productivity, make workers less productive, and increase stress levels.

It’s All Down To The Company’s ‘Digital Culture’


The survey, which involved the opinions of 20,000 workers from 21 European nations, found that how technology is viewed and deployed in the workplace can make a big difference in worker productivity and well-being. Microsoft’s findings therefore, indicated that a company's chosen "digital culture" can improve workers' productivity and help them feel more involved in the business.

Too Much


It will come as no surprise to many people reading this that too much exposure to and emphasis on technology (e.g. large amounts of updates and notifications arriving via social media during the day) makes people less productive and more distracted.

The Microsoft report makes the point that one of the reasons why only 11.4% of European workers said they felt highly productive at work may be that even though there is an abundance of technology around, that doesn't necessarily translate into impact.

Productivity comes from creative interchange rather than people simply working on computers, and Management Scientists now believe that technologies can overload people and make them less productive by making them focus too much on trying to deal with the technology itself, rather than working at using the technology to improve the delivery of a product or service.

‘Technostress’

Management Science experts now recognise the existence of 'technostress', which can occur when workers have to deal with the adverse consequences of adopting novel computer systems or software.

What Does This Mean For Your Business?


The main message for businesses is that simply introducing lots of interruptive and / or novel technology to the working environment can actually cause stress and make workers less productive. Businesses need to pay attention to building the right kind of digital culture. For example, organisations first need to know what they want to do with the software and systems they have adopted, and give staff the correct training and other help to use it.

A planned and managed digital culture with supporting conditions, such as appropriate email response times and measuring whether people are happy with the tech they use to do their day-to-day jobs, can help workers to get the most out of technology. This can lead to higher productivity, fewer staff feeling disengaged, and can ultimately benefit the aims and objectives of the business.

Facial Recognition Arrest Claims Via Twitter

South Wales Police have taken to social media to announce news of the
latest arrests made using Automated Facial Recognition (AFR) technology.

First Used At Champions League Finals Week

The AFR system was first used by South Wales Police last June at the Champions League final at the Millennium Stadium in Cardiff. AFR incorporates facial recognition, uses slow time static face search, and links to specialist software that can compare a camera image of a face to 500,000 custody images from the Police Record Management system in order to find a match.

Ironically, the first arrest made in Cardiff at the time using AFR was actually a local man whose arrest was unconnected to the Champions League, and who was identified by a van-mounted camera days after the match.

Police Tweets

The latest announcements of AFR-related arrests have made the news because they relate to the use of AFR at the recent Six Nations rugby tournament, the announcements have been delivered via Twitter, and have been seen by some media commentators as being boastful in style.

For example, Project leader Scott Lloyd took to Twitter to publicise the first identification and arrest made "within an hour", and the drugs arrest of another man on a warrant using AFR Cardiff City Centre a short time later. Mr Lloyd also announced another “UK policing first” with the arrest of a third person, identified from night club CCTV a month earlier.

Controversy

The increased use of AFR at events has, however, been criticised by groups such as Big Brother Watch for infringing peoples’ rights, having no clear basis for its use, and for edging the UK closer to a ‘surveillance state’.

There have also been reports of a possible 35 false matches and one wrongful arrest after the London Metropolitan Police used AFR at the last Notting Hill Carnival.

What Does This Mean For Your Business?

So far, AFR has proven to be a relatively expensive system for the number of arrests it has delivered (£177,000 for its use in Cardiff for 1 arrest), and it has generated a lot of negative publicity and suspicion. It is little wonder, therefore, that a police spokesperson has been only too happy to take to an immediate way (Twitter) of announcing every arrest as it happens in an attempt to boost public confidence in the system, and to demonstrate some value for money.

With the introduction of GDPR this year, however, questions will no doubt be asked about the security and privacy of the images captured by the AFR system, as personal images do fall under the category of personal data.

Despite the findings of a study from YouGov / GMX of August 2016 that showed that UK people still have a number of trust concerns about the use of biometrics for security, biometrics actually represents a good opportunity for businesses to stay one step ahead of cyber criminals. This is because biometric authentication / verification systems are thought to be far more secure than password-based systems, which is the reason why banks and credit companies have already started using them.

All this said, facial recognition systems are widely believed to have value-adding, real-life business applications. For example, last May, a ride-hailing service called Careem (similar to Uber but operating in more than fifty cities in the Middle East and North Africa) announced that it was adding facial recognition software to its driver app to help with customer safety.

Firefox Users Advised To Update

Cisco’s security team has advised Firefox users to install Mozilla’s latest update for its web browser after a potentially serious security vulnerability was discovered.

Malicious Code Danger

According to Cisco’s researchers (and confirmed by Mozilla), the vulnerability has been caused by “insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software”.

This means that unless Firefox users install the latest security patch update, they run the risk of remote hackers exploiting the vulnerability by persuading them to access a link or file that submits malicious code to the affected browser software.

Take Control Of The System

This kind of exploit could then enable an attacker to execute arbitrary code with the privileges of the user. If a user has elevated privileges, for example, this could even mean that the attacker could compromise the entire system. Once an entire system has been taken over, the attacker is then free to install programmes, create new accounts with full user rights, and to view, change or delete data.

Which Firefox Versions Are Affected?

The vulnerability is reported to affect Firefox web browser versions 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The Android Firefox browser app and Firefox 52 ESR are not affected.

How Can You Protect Your Systems?


The advice appears to be that Firefox users should download the browser update patch as soon as possible. The advisory information can be found here https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/ and the patch can be found on the Mozilla website here: https://www.mozilla.org/en-US/firefox/new/?scene=2

Administrators can also help to safeguard systems by using an unprivileged account when browsing the Internet, and by monitoring critical systems.

What Does This Mean For Your Business?

The recent Malwarebytes annual State of Malware report showed that the UK is now the most targeted region in the world for cyber threats, so it is important for businesses to take action to patch any known vulnerabilities as soon a possible.

Since an exploit via Firefox of this kind would first require malicious software to be downloaded, users should remember, businesses should instruct all staff members not to open any email messages from suspicious or unrecognised sources. If users cannot verify that links or attachments included in email messages are safe, they should also be advised not to open them. Businesses should make it a matter of email policy and good practice that users should first verify if any unsolicited links are safe to follow.

Staying up to date with patching known vulnerabilities is an important part of the basic cyber security of business systems. For example, back in August 2017, the Fortinet Global Threat Landscape Report found that not only are 9 out of 10 businesses being hacked through un-patched vulnerabilities, but that many of these vulnerabilities are 3 or more years old, and already have patches available for them. In the case of Firefox, therefore, the patch should be downloaded immediately.

Bitcoin Battered

Cryptocurrency Bitcoin’s value has now dropped to $6,000, a fall of $13,000 since November 2017.

What Is Bitcoin?


Bitcoin is a digital web-based currency that operates without the need for central banks and uses highly secure encryption to regulate the currency units and to verify transfers of funds. Bitcoin, which was first produced in 2009, uses the ‘Blockchain’, an open and programmable technology that can be used to record transactions for virtually anything of value that can be converted to code and is often referred to as a kind of ‘incorruptible ledger’.

In order to receive a Bitcoin, a user must have a Bitcoin address i.e. a 'purse' (of which there is no central register).

Bubble

Warnings of a Bitcoin ‘bubble’ were being delivered last year after its value rocketed from $1,000 to £19,000 in the space of less than a year.

Why The Fall In Value?

Several factors have led to the rapid fall in value since November last year. These include:
  • Tightening legislation and government opposition. Back in September, for example, China ordered exchanges to cease trading in the cryptocurrency as a way to gain control of the cryptocurrency through forced licensing. Also, China and South Korea have now banned initial coin offerings, Japan and Australia have taken steps to tighten Bitcoin regulations, and US restrictions look set to follow.
  • Negative predictions by currency experts. The news reports of the Bitcoin ‘bubble’ plus financial regulators in the UK and France warning investors that they could lose their money if they buy digital currencies issued by companies, known as "initial coin offerings".
  • Banks and Credit Card Companies banning cryptocurrency purchases using credit cards. With less people able to buy cryptocurrencies, this has had the most recent downward effect on the value of Bitcoin.
  • Cyber criminals cashing-in. Crime is toxic to reputations, and Bitcoin has been increasingly targeted by criminals. For example, Slovenian-based Bitcoin mining marketplace NiceHash reported the theft of Bitcoin to an estimated value of $80m back in December, and an escalation of ‘crypto-jacking'. This happens where people’s devices are taken over by criminals trying to mine crypto-currencies such as via the Android phone-wrecking Trojan malware, dubbed 'Loapi'. Bitcoin has been widely publicised as having link with crime e.g. to evade traditional money laundering checks and other regulations. Bitcoin is often named as the currency that ransomware scammers request their victims to pay with because of the anonymity that it offers. Some currency commentators have even suggested that the recent surge in the value of Bitcoin towards the end of last year was partly caused by European banks buying Bitcoin to pay off ransomware as a short-term way to deal with cyber-security.
  • Investors purchasing alternatives. As investors look for alternatives to the volatile Bitcoin bubble, this has had a negative effect on the value of Bitcoin, and a brief positive effect on the value of other cryptocurrencies.

What Does This Mean For Your Business?


From an investment point of view, Bitcoin is clearly risky. There are other cryptocurrency alternatives e.g. Ripple, Ethereum, Litecoin, but they all appear to have been tarred with the same brush as Bitcoin, particularly with the announcement that credit cards can’t be used to buy them.

Many of the possible advantages of cryptocurrencies to businesses e.g. to use for fast global trading and investing outside of bank controls, delays and red tape, are currently being overshadowed by the actions of banks and governments.

Cryptocurrencies may be currently in a dip, but the importance of other new technologies to businesses such as AI and driverless vehicles is finally being reflected in the value of the shares of companies who are leading the charge in those technologies, which are likely to provide many global business opportunities going forward.

Virgin Credit Cards : No To Crypto

Shortly after Lloyds Bank announced that it would be banning
customers from buying crypto-currencies such as Bitcoin using their credit cards, Virgin Money is now adopting the same policy.

Why?

The volatility of cryptocurrencies such as Bitcoin have led Lloyds, and now Virgin Money to try to protect their customers from running up large debts following a sharp fall in the value of a digital currency they’ve bought. Several of the biggest issuers of credit cards in the US including Bank of America, Citigroup, JP Morgan, Capital One and Discover, have also banned customers from using their cards to buy digital currency.

Bitcoin is a perfect example of how volatile a digital currency can be. For example, at the start of 2017, one Bitcoin was worth $1,000, reached highs of around $19,000 at the end of last year, and has since plummeted to $8,291.87, its worst performance since April 2013.

The rapid rise in the value of Bitcoin last year, was also accompanied by consumers being targeted by adverts and information which acted as a temptation and incentive to invest with the promise of big returns, with many investors being inexperienced in currency investments, and unaware of the potential risks. Facebook, for example, has recently announced that it will now block any advertising that promotes crypto-currency products and services.

Bank Could Lose

Some money commentators have made the point that although the move by Lloyds and now Virgin Money could offer some protection for customers, the banks are also helping themselves because if a person buys anything on credit, such as large amounts of cryptocurrencies, it's the bank that stands to lose if the person can't repay the debt.

Bitcoin, for example, also operates outside of the control of banks, which may be another reason why banks may not like it.

Used By Criminals?

The police and the UK government have also taken the opportunity presented by the announcements of Lloyds and Virgin Money to make the point that digital currencies are also popular among criminals because they can use them to evade traditional money laundering checks and other regulations.

Prime Minister Theresa May, for example, has stated that action against digital currencies may be needed because of their connection to criminal activity. At the risk of sounding cynical, some money commentators have pointed out that governments tend not to like some crypotocurrencies because they are beyond their control, and they can’t (yet) make revenue from them. For example, the Chinese government has long battled with the challenges posed by Bitcoin.

What Does This Mean For Your Business?


This move by two banks, with more likely to follow, sets a new precedent. Banks don’t like unsecured risks being taken with their money, and buying cryptocurrencies on credit appears to represent a far greater risk to them than traditional gambling which you can still use a credit card for (although it will be treated as a high interest cash loan).

It’s also worth remembering that banks and governments are likely to be less happy about things that they can’t control, regulate, and raise revenue from.

Even though criminals are known to use cryptocurrencies such as Bitcoin for just these reasons (and the anonymity), it is also worth pointing out that Bitcoin actually has many attractive advantages for businesses such as the speed and ease with which transactions can take place, which is actually due to the lack of central bank and traditional currency control. Using Bitcoin also means that cross-border and global trading is made much easier and faster.

Also, even though Bitcoin looks too volatile for many to invest in at the moment, the cryptocurrency has lasted through many ups and downs (hacks and government opposition), it is still popular, and its widening popularity and potential uses for its underlying technology ‘Blockchain’ mean that Bitcoin still has a future.

From a consumer / potential individual investor’s perspective, the move by Lloyds, Virgin, and the big US credit card companies does, however, look likely to provide some responsible and sensible protection for the time-being.

Monday, February 05, 2018

UK Most Targeted Region For Cyber Threats

The Malwarebytes annual State of Malware report has revealed that the UK
is now the most targeted region in the world for cyber threats.

Big Rises


The UK has been elevated to the unenviable position at the top of the targets table after a huge 165% increase in UK bound ransomware was recorded, and after a 134% rise in hijacking attempts against British machines. This means that as well as being most at risk, the UK’s ransomware attack rate is now double that of the US.

Why Is The UK Being Targeted?


One reason is that ransomware use worldwide saw a 90+% increase against businesses in 2017 up until the end of year, when ransomware’s use began to decrease as criminals turned more to the use of banking Trojans and cryptocurrency mining. In 2017, the UK was famously hit by the massive WannaCry ransomware attack, which is believed to have originated in North Korea, claimed victims in 150 countries, and led to around 130,000 infections of computers. Older computer systems, such as those in the NHS, were particularly badly affected.

Spyware Increase

The Malwarebytes data also showed a big increase in the use of spyware last year – an increase of 882%.

Move To Trojans

The report data also shows that cyber-criminals are turning to different attack methods as awareness is raised about ransomware and more measures are taken to combat it. For example, Trojans are now being used in more than 20% of global attacks, and the use of banking Trojans doubled in the second half of 2017.

Earlier this month, security researchers discovered a new type of malware (called Android.banker.A2f8a) targeting 232 banking apps on Android devices, stealing login details, hijacking SMSs, as well as uploading contact lists and SMSs on a malicious server. Banking Trojans of this kind can spy on the credentials entered by the user, and intercept incoming and outgoing SMS.

Move To Crypotocurrency Mining

It appears that cyber-criminals are also moving into cryptocurrency mining, using cryptomining tools to exploit malware infected machines in order to generate and steal digital currencies. Criminals were attracted by the rapid growth in the value of cyptocurrencies such as Bitcoin and Malwarebytes is reported to have blocked an average of 8 million drive-by mining attempts each day in September.

A recent report by Ernst & Young has also highlighted the fact that 10% of all funds raised through Initial Coin Offerings (ICOs) are stolen by hackers using techniques such as Phishing.

What Does This Mean For Your Business?

In 2018, some security experts and commentators are predicting a further rise in the use of drive-by mining tools, new mining platforms and new forms of malware to steal virtual currencies. It seems that 2018’s criminals are more likely to be interested in simply stealing than rather than trying to hold businesses to ransom.

The IoT may continue to be a target, and businesses should be careful to guard against supply chain attacks, malware possibly targeting Mac computers, and more weaponised zero-day vulnerabilities. Giving 3rd parties in your company supply chain / value chain access to systems and sensitive data, combined with increased levels of sophistication in hacking tools and strategies, plus increased oversight from regulators, and potentially ‘weak link’ companies in terms of cyber-security now make the risk of supply chain attack very real for companies in 2018.

Businesses need to increase cyber-security awareness and training, and employ a holistic risk-based authentication infrastructure across multiple vectors in order to stay one step ahead of the developing cyber threat.

The use of enhanced technologies, and the assistance of  greater regulation for cryptocurrencies may also help to reduce some of the risks shown in the Malwarebytes report.

Military Bases Exposed By Fitness App

A user activity ‘heat map’ published by fitness tracker Strava has unwittingly revealed the location and structure of military bases in other countries.

How?

The app, made by San Francisco-based Strava, uses a mobile phone’s GPS to track a subscriber’s exercise activity. Although the new version of the app, introduced in November last year, is reported to be built from a billion activities – three trillion points of data, covering 27 billion km (17bn miles) of distance run, jogged or swum, the data used to produce a ‘heatmap’ of user activity is not live data.

The latest heatmap published by the company, showing the paths its users log as they run or cycle, is intended to show the app’s popularity and is actually made from aggregated data from activities recorded between 2015 and September 2017.

Revealed

Unfortunately for Strava, since military personnel engage in regular exercise, and are generally limited to following the same exercise routes in or close to the base where they are stationed, Strava’s heatmap of user activity reveals the outline of military bases and the most popular routes taken by the soldiers there.

Danger

Even though the location and outline of many military bases are already known from satellite imagery, the heatmap from the app exposes the regular routes taken by soldiers when they are most likely not armed and at their most vulnerable. Also, the heatmap could expose the routes taken by other personnel such as aid workers and NGO staffers in more remote areas. All of this could mean that the app is exposing soldiers and other personnel to danger from attack or kidnap by state and non-state actors e.g. in countries such as Syria, Yemen, Niger, Afghanistan or Djibouti.

There is also a danger that hackers could access Strava’s database and find the details of individual users.

UK Personnel at Risk Too


Even though Strava is a US app, it has also been reported that user activity at the UK’s RAF base at Mount Pleasant in the Falkland Islands was also exposed by the app’s heatmap.

Privacy Settings

Privacy settings do exist on the app but the onus is on the user to explicitly opt out of data collection for the heatmap.

US Already Takes Measures To Protect

The US government already takes measures to guard against similar risks to those posed by the app heatmap. For example, it has already published a tract called Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD, and in 2016, banned Pokémon GO from government-issued mobile phones.

What Does This Mean For Your Business?


This is not the first time that the negative aspects of fitness-tracking device companies and their activities have been featured in the news i.e. that the devices are transmitters as well as recorders of data about us. Back in February 2016, a study by a Canadian research team revealed that popular types of fitness trackers actually transmit a signal via bluetooth that could act as an ‘identifier’ signal that could be picked up by beacons that are now being used by retail stores and shopping centres to track, recognise and profile customers.

In the case of Strava, although the company could be forgiven to an extent because of the relatively unforeseen risk that its activities may have caused, there is an argument that a better approach would be to make the device opt-out by default, and to give users the choice to opt-in should they wish to. It may also have been better to avoid publishing any heatmaps, and to simply publish some statistics instead.

In addition to the possible risk to the life of service personnel (and others) that the map has caused, it has also highlighted other important issues relating to fitness-tracking devices and consumer protection e.g. data protection and privacy implications, the risk of hacking the devices, and the need for greater transparency about what is stored and transmitted by the devices.

Companies producing devices that store and transmit personal data need to ensure that they comply with data protection laws, and that they are mindful of potential identifiers and other security risks.

UK’s Digital Snooping Powers Illegal

A legal challenge by Labour MP Tom Watson against the UK government’s
own digital mass surveillance legislation laws introduced in 2014 has led to a court deciding that the laws were illegal.

Legislation

The legislation that was successfully challenged in court was the Data Retention and Investigatory Powers Act (DRIPA), which was actually replaced at the end of 2016 by The Investigatory Powers Act, also known as the Snooper’s Charter.

What Was Wrong With DRIPA?


DRIPA required communications companies to store detailed personal information e.g. people’s mobile phone data, their emails, texts and internet communications.

Tom Watson has been reported as saying that, back in 2014, DRIPA was rushed through Parliament just before recess, and therefore lacked proper parliamentary scrutiny. This meant that one section was inconsistent with EU law. It was this section that UK judges agreed was illegal because it granted spy agencies and law enforcement access to UK citizens’ phone records and internet activity for reasons other than using the details to fight serious crime, all without seeking or getting approval from a court or independent authority.

What Difference Does This Make?


Even though DRIPA is defunct, many of those who objected to DRIPA have said that in the light of the court’s ruling, the current Investigatory Powers Act should be changed accordingly, and that a system of independent approval for access to communications data needs to be put in place.

Digital rights Charity Liberty is reported as saying that the judgement tells ministers that they are breaching the public’s human rights, and that the latest incarnation of the Investigatory Powers Act must now be changed.

Already Heading That Way Says The Government

The Security minister Ben Wallace is reported as saying that the government had already announced that it would amend the Investigatory Powers Act to address the two areas in which the Court of Appeal found against the previous data retention regime.

Current Snooper’s Charter In Crowdfunded Challenge


The current Investigatory Powers Act is being challenged separately by the charity Liberty with the help of £50,000 crowdfunding. Liberty wants to challenge the Charter on the argument that surveillance of everybody in the UK may not be lawful or necessary, and that whistle-blowers and experts have warned that the powers would actually make it more difficult for security services to do their jobs effectively.

There are also the arguments that the new law puts too much power in the state’s hands, could be an invasion of privacy, and that the government’s storing of large amounts of sensitive information about each of us could in itself be irresponsible and a security risk.

Some critics have also expressed suspicions about the motives of the UK government for introducing the law e.g. to censor and control rather than to protect.

What Does This Mean For Your Business?


The ruling by the European Court of Justice back in December 2016 that DRIPA was unlawful, coupled with this latest agreement by judges with Tom Watson’s challenge will strengthen the need for the UK government to act quickly to make changes to what has been controversial legislation.

Most people would probably agree that people in the UK need to be protected from terrorist attacks, and that children and young people need to be protected from predatory behaviour and the activities of paedophiles online. Although the Investigatory Powers Act may include measures that could help with that, many people and businesses (communications companies, social media companies, web companies etc) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state. The 200,000+ signatures on a petition calling for the repeal of the Investigatory Powers Act after it became law, and the £50,000 crowdfunding raised from the public in less than a week to fight the bill, both emphasise the fact that UK citizens value their privacy and take the issues of privacy and data security very seriously.

Facebook Pushes Local News

In a move to improve the quality and trustworthiness of content, and to increase civic engagement, Facebook has announced that it will be focusing on local news sources.

Misleading News Problems

Even though Mark Zuckerberg has been keen to promote the view that the change to the prominence given to local community news sources in News Feeds will make people more aware of what is happening in their communities and, therefore, more likely to get involved, many commentators see it simply as a further move to distance itself from accusations of spreading misinformation.

What Happened?

After the last US election and accusations of Facebook being used to spread misinformation which may have influenced the result, Facebook released figures ahead of a Senate hearing showing that Russia-based operatives uploaded 80,000 posts to Facebook in the last 2 years. This meant that 29 million Americans may have seen the posts directly, and 26 million Americans have seen, ( and perhaps been influenced by) liked and shared messages and comments that could have originated in Russia.

Since then, Facebook has tried to distance itself from any ways in which it could be used for the spread of misinformation e.g. by adjusting its centrepiece News Feed to prioritize what friends and family share, and by reducing the amount of non-advertising content from publishers and brands (to the alarm of Facebook investors).

What Will The New Change Mean?

This latest change is likely to mean that Facebook will begin to promote or prioritise local over national news.

There will also be a “See First” feature that will allow users to choose which news sources, including local or national publications, they want to see at the top of their feeds.

The update to Facebook’s algorithms will first be rolled out in the United States and expanded to more countries later this year.

What Does This Mean For Your Business?

If you are a local publisher, smaller local business, and / or your business is actively involved in the community, this kind of change could be good news. If you’re a larger brand or publisher (publishing non-advertising content), this is unlikely to welcome news.

For Facebook investors, this change is likely to make them worry that it could cause people to spend less time on Facebook. This would be bad from both a financial and a competitive point of view, since Facebook is facing challenges from other, newer and popular social media platforms e.g. WhatsApp. This may have been one of the reasons why, in December 2017, Facebook launched its ‘Messenger Kids’ standalone app (essentially Facebook for children). Many saw the introduction of Facebook Messenger as a way to bring a new, young generation of users to Facebook’s platform in difficult times, to find a way to compete with other platforms for the attention of other users, and to do so in a way that has the approval and involvement of parents, particularly if children are going to use social networks anyway.

Amazon Announces SMS Messaging Via Alexa

Amazon has announced that it is introducing a service that will allow users of Alexa devices to send text messages to any contact via the digital assistant using just their voice.

Builds Upon Alexa Calling

The new service builds upon the Alexa Calling service introduced last year, which allowed owners of the Echo Dot to call a friend’s landline via the device, and to use it to call or message a friend if they had a smartphone with the Alexa app downloaded (and Alexa Calling enabled).

The difference with this new service is that, as well as being able to use the Alexa Calling service, voice dictated SMS messages can be sent using Alexa to recipients who don’t even have an Alexa device (Amazon Echo) of their own. With the new service, Alexa will decide which route is appropriate and will set up the communication accordingly.

Too Much Information

When the free Alexa calling service was introduced, Amazon faced criticism that the Alexa app tried to import users’ entire address books. This led to Amazon having to introduce contact blocking.

Just Android & Just In The US


Before you get too excited, as of now the new service will initially only be available in the US for Alexa devices that support Alexa calling and messaging, and will only work with Android phones. Amazon has reportedly said that it can’t yet offer a similar feature for iPhone users because Apple doesn’t offer their messaging API to third-parties.

How To Use The Service


User instructions are issued via a pop-up in the Alexa app on Android, and in the ‘Conversations’ tab of the app, users select ‘Contacts’, then ‘My Profile’, and then switch the ‘Send SMS’ feature to on. Messages can then be sent to Android phones by a person using voice on an Alexa device.

The service allows the sender to specify whether they would like to send the message just as a text / SMS, or as a general message which will be sent to Alexa devices first, and then as SMS if the intended recipient does not have an Alexa device.

What Does This Mean For Your Business?

This new service seems to be an inevitable way to build upon the strengths of the Amazon Echo system, is consistent with its ‘Amazon Everywhere’ philosophy, and brings Alexa closer to Siri and Google Assistant in the voice messaging department. Although it takes the communication aspect of Alexa one step further, some critics have pointed at some limitations of the new service which are that it can’t be used to text 911, or to participate in group messages or send MMS, and users are limited to what they can do when they can’t actually see the chats anyway.

For businesses, this service may become especially useful when combined with Amazon’s plans to launch Alexa for Business – a small businesses-focused version of the Echo for the workplace. Amazon’s Echo dominates the voice-assistant market with a more than 70% share, and Alexa for business will have many useful functions from booking meeting rooms, reporting IT issues, providing directions around a building, and answering questions about the business, to enabling employees to make calls, manage calendars, run to-do lists, and set reminders. A voice-activated SMS service via a workplace Echo could, therefore, add value, save time and save costs.