Monday, April 30, 2018

GDPR: Don’t Get Caught Out By Your Logfiles

With all the focus on the more visible elements of GDPR compliance ahead of the Regulation’s introduction on May 25th, one EU Working group is warning businesses not to forget what’s stored in the logfiles of their Internet-facing servers.

What Are Logfiles and Why Should We Care?

Logfiles record either events that occur in an operating system or other software, or messages between different users of communication software.

As well as being useful to an organisation e.g. for providing clues about hostile activity affecting the network from within and without, and providing information for identifying and troubleshooting equipment problems, logfiles on Internet-facing computers can also potentially provide information to hackers and cyber-criminals that could compromise your system and data security.

Report Suggestions

A draft report by the Internet Engineering Task Force's Internet Area Working Group (IETF's INTAREA) says that changing data regulations have meant that what were established best practices have now become poor practices. The draft, therefore, offers a checklist as a set of updates to RFC6302 designed to help plug this potential GDPR compliance black spot. The “Recommendations for Internet-Facing Servers” draft suggests that sysadmins adopt a data minimisation approach to configuring their server logs, and suggestions include:
  • Full IP addresses should only be stored for as long as they are needed to provide a service;
  • Logs should only include the first two octets of IPv4 addresses, or first three octets of IPv6 addresses;
  • Inbound IP address logs shouldn't last longer than three days, because that lets logging cover a weekend before it's flushed;
  • Unnecessary identifiers should not be logged e.g. source port number, timestamps, transport protocol numbers, and destination port numbers;
  • The logs should be protected against unauthorised access.
It should be said that any legally-mandated logging e.g. to comply with local telecommunications data retention laws, isn't covered by the draft.
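
The address-truncation, three-day retention and source-port items from the checklist above, applied to a web server log, as an added example (this is not code from the draft or from this article). The log line format, the sample lines and the function names are assumptions constructed for illustration; the timestamp is kept in the output only so that the retention window can be enforced.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Prefix lengths taken from the checklist: the first two octets of an IPv4
# address (16 bits) and the first three octets of an IPv6 address (24 bits).
KEEP_BITS = {4: 16, 6: 24}
RETENTION = timedelta(days=3)

# Constructed log format (an assumption for this example):
#   <client-ip> <source-port> [<ISO-8601 time>] "<request>" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def truncate_ip(text):
    """Zero every bit of the address beyond the prefix the checklist allows."""
    addr = ipaddress.ip_address(text)  # raises ValueError on bad input
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def minimise_line(line, now):
    """Return the minimised line, or None if it must not be retained.

    Fails closed: a line that cannot be parsed is dropped rather than
    copied through, so a malformed entry never leaks a full address.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
        ip = truncate_ip(m["ip"])
    except ValueError:
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assume UTC when no offset given
    if now - ts > RETENTION:
        return None  # older than three days: flush
    # The source port is deliberately left out of the rewritten line.
    return f'{ip} [{m["ts"]}] "{m["req"]}" {m["status"]}'


def minimise_log(lines, now):
    """Apply minimise_line to every entry and keep only what survives."""
    kept = (minimise_line(line, now) for line in lines)
    return [line for line in kept if line is not None]


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.77 51544 [2018-04-30T09:15:00+00:00] "GET /index.html HTTP/1.1" 200',
    '2001:db8:abcd::1 40112 [2018-04-29T22:01:10+00:00] "POST /login HTTP/1.1" 302',
    # Older than three days relative to NOW, so it is flushed.
    '198.51.100.23 60001 [2018-04-26T08:00:00+00:00] "GET /old HTTP/1.1" 200',
    # Not a valid address, so the line is dropped instead of passed through.
    'not-an-ip 1234 [2018-04-30T10:00:00+00:00] "GET / HTTP/1.1" 200',
]
NOW = datetime(2018, 4, 30, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for entry in minimise_log(SAMPLE, NOW):
        print(entry)
```
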

Cookie Consent Pop-Ups

We are all used to seeing cookie consent pop-ups when we arrive at websites, but the “implied consent” website owners have assumed existed once people clicked “I Agree” to cookies may no longer apply under GDPR. This is because GDPR is consent specific, and there is no way “implied consent” can get you water-tight compliance. What this means is that cookie consent pop-ups may soon be on legally shaky ground when it comes to GDPR compliance.

What makes this issue more complicated is the fact that the EU had intended to publish an updated ePrivacy Regulation, with the commencement of GDPR, to relax the cookie popup requirements, but didn’t do so. This means that data privacy rules on this matter will be governed by the old ePrivacy Directive and GDPR at the same time, with GDPR having the precedence.

What Does This Mean For Your Business?

This story shows that with GDPR just around the corner, some of the finer areas of compliance are starting to come under the spotlight. Yes, data protection, data security and privacy are the responsibility of all of us, not just the ‘technical people’, but when it comes to having to deal with server-logs, there clearly is a need for a technical focus to ensure all-round general compliance. Hackers, by nature, are generally technically proficient, and can employ multi-level and sophisticated attack techniques. It makes sense, therefore, that companies make attempts to plug known technical weak-spots such as those highlighted in this draft.

The cookie consent pop-up issue highlights the complicated area of consent that many companies have anticipated with the introduction of GDPR. The important point to remember is that GDPR is consent specific. Consent can’t simply be implied, and consent must also be unambiguous, informed, a statement or clear affirmative action, and freely given. Also, under GDPR, a data subject has the right to withdraw their consent at any time.

Martin Lewis Fights Facebook In Court

MoneySavingExpert’s (MSE) founder and TV consumer champion Martin Lewis (OBE) has commenced UK High Court proceedings against Facebook to sue the tech giant for defamation over a series of fake adverts bearing his name.

What Happened?


Mr Lewis alleges that 50 fake ads bearing his name appeared on the Facebook social media platform over the space of a year, and that the fact that the ads were not from him, and could / did (in some cases) direct consumers to scammer sites containing false information may have caused serious damage to his reputation, and did cause some people to lose money.

Mr Lewis prepared for the first day of the court action against Facebook (on Monday 23rd April) by giving an interview to BBC radio explaining why he was taking the action, and offering to stop the court action altogether if Facebook ‘took responsibility’ for what he believes were its damaging actions against his reputation.

It is alleged that the adverts featured Mr Lewis’s face alongside endorsements that Mr Lewis says that he did not make. Mr Lewis has publicly stated many times that he does not appear in any adverts, therefore, any advert bearing his name must be a fake.

Long Fight


Mr Lewis has stated in a press release about the case that he has been fighting to stop the adverts from appearing on Facebook over the last year and that, even when they were reported to Facebook, many of the ads were left up for days or weeks, and when they were taken down, scammers were able to launch new, nearly identical campaigns very soon afterwards.

Mr Lewis is personally suing Facebook (not on behalf of MSE), and has published details of the legal action on the MSE website, saying “I will issue high court proceedings against Facebook, to try and stop all the disgusting repeated fake adverts from scammers it refuses to stop publishing with my picture, name and reputation.”

Mostly ‘Get-Rich-Quick Schemes’

The fake adverts are reported to have been mostly for ‘get-rich-quick schemes’ e.g. titled ‘Bitcoin code’ or ‘Cloud Trader’, which are reported to be fronts for binary trading firms based outside the EU. Martin Lewis has stated online that binary trading is a financially dangerous, near-certain money-loser, which the regulator the Financial Conduct Authority (FCA) strongly warns against.

Not For His Own Financial Benefit

Although Mr Lewis has said that he is seeking exemplary and substantial damages, he has said that this is because he wants to show Facebook that they can’t just pay damages as a kind of cost of business and then simply “carry on regardless”.
Mr Lewis has said that any money he does receive in damages from the court case will go not to him, but to anti-scam charities.

What Does This Mean For Your Business?

This case is compelling for many reasons. Firstly, it appears clear from what Mr Lewis has said publicly about his side of things that the fake adverts are bound to be damaging to a person whose public role is to fight for consumer rights, and is reported to have been damaging to other innocent victims of the scam ads e.g. the lady who reportedly had over £100,000 taken from her by the ad scammers. It’s in everyone’s interest that the activities of scammers are stopped.

Secondly, it will be interesting to see how successful Martin Lewis personally will be in taking on a rich tech giant that some commentators may see as almost behaving as though it were above the law of some of the countries that it operates in. Since Martin Lewis is a consumer ‘champion’ and influencer when it comes to many financial products, it is likely that he will have a great deal of public sympathy and media attention which could give him extra bargaining power.

Thirdly, one key aspect of this case is which businesses Facebook is actually in rather than what business it thinks it’s in. For example, Mr Lewis is arguing that Facebook claims to be a platform not a publisher – and yet the problem has arisen not just from posts on a web forum, but from Facebook being paid to publish, promulgate and promote what may be fraudulent enterprises i.e. acting like a publisher. If Mr Lewis wins the case, it may be that Facebook will need to re-examine whether or not it now has to see itself as a publisher, and may be forced to change its system.

WhatsApp Raises Age To 16 For GDPR

Facebook’s WhatsApp messaging service is raising its minimum age in Europe to 16 to comply with GDPR which comes into force on May 25th.

Was 13

Up until now, the minimum age has been 13, and that minimum age will remain for the rest of the world, in line with its Facebook parent company. WhatsApp, founded in 2009, has an estimated 1.5 billion users.

Just Asking

Users will be asked to confirm their minimum age by the new WhatsApp Ireland Ltd in the next few weeks, when they will be prompted to agree to new terms of service and a privacy policy. Some critics have pointed out that even though users will be asked if they are 16 or over, it is unclear from the information that the service holds about users how their age can be accurately checked and verified and, therefore, how the new rule can be enforced.

Based on US Law Until Now

The age 13 limit up until now has been based upon the US law "Children's Online Privacy Protection Rule" (Coppa), which bans online services from collecting personal information about younger children. This is why the usage of many other popular social media apps e.g. Snapchat, YouTube, Instagram, Pinterest, Twitter, Musical.ly and Reddit is restricted to persons aged 13 and over.

WhatsApp’s parent company Facebook faced criticism after announcing last December that it would be targeting younger children with its ‘Messenger Kids’ service. At the time, Facebook’s primary (stated) motive for the new junior version of its platform was to provide a safer, more age-appropriate version, but some tech and business commentators suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.

Collecting and Sharing Information

The recent Facebook and Cambridge Analytica scandal has brought the matter of collecting and sharing of our personal data into sharp focus. WhatsApp, however, has said that the new changes do not mean that it will be asking for any new rights to collect personal information in the agreement it has created for the European Union. WhatsApp says that the goal of the change is simply to explain how they use and protect the limited information they have about users.

As well as the age restriction change, WhatsApp is also, therefore, rolling out a feature with the latest version of the app that allows users to download a report detailing the data that WhatsApp holds on them e.g. the make and model of the device they used, their contacts, their groups and any blocked numbers.

Facebook Nominate

Facebook is also updating its data policy to comply with GDPR which involves asking 13 and 15-year-old users to nominate a parent or guardian to give permission for them to share information on the platform. If they won’t / cannot do so, the young users will not be able to see a fully personalized version of the social media platform.

Also, Facebook's Instagram is launching a data download tool to provide users with a file containing the photos, comments, archived stories, contacts and any other personal data that they’ve posted to the service in the past.

Twitter Too

Twitter Inc is also changing its privacy policy so that users can view information they share with the micro-blogging service and show how it’s being used, ahead of the introduction of GDPR. Twitter has said that the changes are to make the privacy policy visually clear and easy to use, and to clarify legalistic or technical language.

What Does This Mean For Your Business?

This story is another clear reminder that the introduction of GDPR is just around the corner as the tech giants, who have more to lose in fines, potential lost customer numbers, and serious reputational damage, make the necessary legal moves to ensure compliance. For Facebook especially, they have faced some very high profile bad publicity this year over their handling and sharing of personal data, so getting their GDPR compliance house in order may be a way to help avoid any further problems.

There is also a very serious ethical element to this story. It is estimated that Facebook has 20 million under-13-year-olds currently using the network, and there may also be a very large number of children using WhatsApp. Parents may understandably have serious concerns about what content children can have access to and, equally importantly, who can have access to children via social networks. Unsuitable material, commercialisation, bullying (or predatory behaviour by some adults) are just some of the issues to consider.

As well as these concerns, governments (such as the UK) are looking to stop end-to-end encryption in WhatsApp, GDPR is just around the corner, Facebook is now facing more tough questions about its Cambridge Analytica links, Martin Lewis (OBE) is taking Facebook to court for defamation and calling for Facebook to take responsibility for its actions ... the pressure is now seriously on big social media platforms to make some changes, particularly where EU users are concerned.

Half of UK Manufacturers Hit By Cyber Attacks

A new report published by manufacturers’ organisation EEF in partnership with insurance firm AIG and the Royal United Services Institute (RUSI) shows that 48% of UK manufacturers have been subject to a cyber-security incident at some time.

Loss and Disruption

Half of those manufacturing companies who admit to being hit by cyber-criminals have said that the incident(s) caused financial loss or disruption to business.

Challenges

The report highlighted several key challenges that the manufacturing industry faces in making itself less vulnerable to cyber-criminals. These challenges include:
  • The age of equipment and the networked nature of production facilities. Many industrial systems are up to 20 years old and were developed before cyber threats became a big issue. As a result, poorly protected office systems, often the first implemented historically within manufacturing businesses, are particularly vulnerable. Also, a networked building, such as many manufacturing sites, can be hacked and exploited.
  • Many manufacturing companies hold a large amount of classified information e.g. intellectual property (IP) and trade secrets, which makes them targets for (for example) financially motivated, state-sponsored hackers.
  • Having no idea of the nature and size of the risks. 41% of manufacturing companies don’t believe they have access to enough information to assess their true cyber risk, and 12% of manufacturers admit they have no technical or managerial processes in place to even start assessing the real risk.
  • A lack of basic detection that a cyber attack is taking place / has taken place, and a lack of investment in training i.e. 34% do not offer cyber-security training.
  • Feeling that they are not equipped to tackle the risk anyway. For example, 45% are not confident they are prepared with the right tools for the job.
  • A lack of confidence. Although 91% of the 170 UK manufacturing businesses polled are investing in digital technologies, 35% think that cyber vulnerability is inhibiting them from doing so fully.

What Does This Mean For Your Business?

For manufacturing businesses facing the very real threat of sophisticated, multi-level attacks, now is not the time to be left with a vulnerable outdated system. Advice from the report includes following the advice of the Government backed ‘Cyber Essentials’ scheme. This includes the 5 security essentials of using a firewall to secure your Internet connection, choosing the most secure settings for your devices and software, controlling who has access to your data and services, protecting yourself from viruses and other malware by using antivirus software, only downloading apps from manufacturer-approved stores, or running apps and programs in an isolated environment, and continually ensuring that operating systems and software are up-to-date and running the latest security patches.

Clearly, manufacturing companies with old systems may need to bite the bullet and invest in more modern, digitised, and well-protected systems. The report also indicates that greater investment in staff training is needed to help them spot and deal with risks, and to avoid the kind of human error that many modern cyber-attacks rely on e.g. malware / viruses sent by email, phishing, and other social engineering attacks.

Another opportunity for manufacturing companies to boost cyber-security could also come from cyber-insurance. For example, many cyber insurers offer a comprehensive package of pre-loss services to businesses to carry out a cyber health check which could help to highlight gaps in cyber risk management and help identify what security measures should be prioritised.

New Google ‘Chat’ SMS Message Replacement Rollout Begins

Google has begun the rollout of ‘Chat’, the messaging service that, it is hoped, will replace SMS text messages on Android phones, and bring it into the same ballpark as WhatsApp and Apple’s iMessage.

What’s The Problem?

The SMS messaging system for Android phones has suffered over many years from being simply a succession of poorly supported, different apps all using the same basic short message service (SMS) from the 1990s to send text messages over a mobile network. The result has been that none have been particularly popular among Android users, who have been envious of the simplicity and ease of other messaging services e.g. on the iPhone, which have better features and send messages over the internet instead of using SMS.

New System, New Features

The solution to the problem for Google has been to take many years to develop a whole new messaging system that is based on a standard called the “Universal Profile for Rich Communication Services” (instead of simply making another app), which allows Android users to send messages and image files over a data network.

The new ‘Chat’ service offers many more features such as group texts, videos, typing indicators and read receipts. Since RCS is a communications standard, it will be up to mobile operators to enable the service, but Android will still have SMS to fall back on anyway.

Carrier-Based Service


Chat is a carrier/network-based service (i.e. not a Google-based service), so one of the key ways that Google has gone about making sure that Chat will work is to try to convince as many carriers as possible to take the new standard, and make the Chat services interoperable between carriers.

If you text someone who doesn’t have Chat enabled, or who is not an Android user, your messages will revert back to SMS, in the same way that an iMessage does.

It is thought that Google has done enough work with 50+ carriers to ensure that most of them will enable the use of the Chat service this year, which is handy since the global rollout by Google is already underway.

Au Revoir ‘Allo’


Another indicator of Google’s commitment to getting Chat 'out there' is the pausing of its work on its ‘Allo’ messaging service.

Data Plan Instead of SMS

Since Chat messages will be sent over the data network i.e. sent with your data plan instead of your SMS plan, it is expected that charges for messages could be less, although this will be up to the networks.

Security Flaw

One flaw in the Chat service could be the fact that messages are not encrypted, and could, therefore, be a security risk if intercepted.

What Does This Mean For Your Business?

Business and individual users of Android will be pleased to hear that at last there may be a messaging service that is built-in, allows plenty of modern functionality, and is up there with competing services e.g. WhatsApp and iMessage.

Hopefully, the main networks will support the service as soon as possible, and with messages being sent over the data network the hope is also that costs for the service could be kept at a very reasonable level (depending on the network).

The one question mark for many users may, however, be the lack of encryption of the messages, especially at a time when data security is at the forefront of their mind with the introduction of GDPR next month.

Monday, April 23, 2018

Russia Suspected of Hacking Campaign

The UK's National Cyber Security Centre (NCSC), the FBI and the US Department of Homeland Security have warned that Russia may be behind a broad hacking offensive targeting millions of machines that direct data around the net.

Networking Equipment Targeted

US and UK security agencies have issued a joint internet security alert warning and have been reported as suggesting that a surge in global hacks targeting the networking equipment used to move traffic across the net is the result of a Russian state-sponsored campaign.

Why?

Some commentators have suggested that the deterioration of the relationship between Russia and the West resulting from issues like accusations of election meddling, the poisonings in Salisbury, and arguments over the Syrian conflict may have contributed to an online revenge offensive.

As well as the disruption caused, the aim appears to be espionage / the theft of information (which actually dates back at least to the late 1990s), and the threat (so far) of destructive acts of sabotage e.g. disabling parts of the electricity grid. These kinds of suspicions have arisen because many recent hacks appear to be pre-positioning in networks that are part of the critical national infrastructure.

Cyber War Ahead?

While we are being told that we have returned to another 'Cold War' situation, some commentators have suggested that we may be on the brink of a cyber-war with Russia, even though there has not been any real significant cyber-attack or change of behaviour from Russia.

Although Russia has been accused of launching destructive attacks against Ukraine, which had a negative effect on businesses there, and despite the apparent reported increase in cyber-attacks from Russia, it is still difficult for many to say whether Russia has the capability to carry out very destructive cyber attacks. Cyber attacks are often harder to trace and easier to deny than military attacks.

UK’s Own Offensive

It is worth remembering too, that as well as having defences in place, the UK has its own offensive cyber-capability, honed for over a decade, starting in the conflict in Afghanistan. Recently, for example, the UK and the US are reported to have targeted the Islamic State group with cyber attacks, with some degree of success. It would be naive to assume, therefore, that the UK is not planning / undertaking its own activities in Russia e.g. pre-positioning in Russian networks to be able to respond to any Russian cyber aggression.

What Does This Mean For Your Business?

At the moment, it is simply a case that a warning has been issued. If a cyber-conflict does start in a noticeable way, as in real war, it is likely to be individuals, businesses, and other organisations and other services that suffer e.g. service providers, firms running critical infrastructure, government departments and large companies first, followed by other UK businesses. The Internet plays an essential role in modern business and disruption of vital network infrastructure could damage UK businesses and their competitiveness in the home and global market.

UK businesses also face the threat of foreign state-sponsored attacks designed to spy on / steal data, and undermine firewalls and intrusion detection systems used to spot malicious traffic before it reaches users. It has never been more important, therefore, for businesses to configure security systems correctly, apply patches and address any hardware vulnerabilities, and to make sure that their cyber resilience is at its best across all possible channels.

UK Launched Major Cyber Attack Against ISIS

GCHQ’s new director has revealed that last year, the UK conducted a large-scale cyber-attack against ISIS that was designed to suppress online terrorist propaganda and hinder ISIS's ability to coordinate attacks.

Growing For A Decade

Confirmation that the attack took place came as part of the first public speech by GCHQ’s new director and former MI5 agent, Jeremy Fleming. During his speech at the National Cyber Security Centre's (NCSC) flagship event in Manchester, Mr Fleming said that the cyber attack is just the latest part in what have been GCHQ’s efforts to grow its online counterterrorism capabilities over more than a decade.

The outcomes of cyber attacks as weapons against any enemy can range from denying online services, disrupting a specific online activity, and deterring individuals or groups, to effectively destroying equipment and networks.

Degraded Infrastructure

The UK’s cyber-attack against ISIS is reported to have degraded the terror group’s online infrastructure, made a significant contribution to coalition efforts to suppress any Daesh propaganda, hindered the terror group’s ability to coordinate attacks, and provided more protection for coalition forces on the battlefield.

Over-Achievers

It seems that this latest big cyber-attack success is only the tip of the iceberg, as a report by Parliament's Intelligence and Security Committee (ISC) has said that GCHQ spies had "over-achieved" in 2017, and that GCHQ had delivered on the first of three stages in its mission to bolster its cyber capabilities thanks to staging almost twice as many potential hacks as its targets.

Russia In The Spotlight

The recent deterioration of the relationship between the West and Russia means that its cyber-behaviour, as well as that of ISIS, is now reported to be more of a focus for GCHQ. In the director’s speech in Manchester, Mr Fleming said that the Russian state should be held accountable for what it does, and that the UK will continue to respond to malicious cyber-activity in conjunction with international partners such as the United States.

Helpful Tool


Another helpful tool that could be used to combat terrorist propaganda online could include the auto-blocker for extremist content that was mentioned by Home Secretary Amber Rudd. The tool, which Home Secretary Rudd would like to see adopted by ISPs, can be configured to detect 94% of extremist video uploads.

What Does This Mean For Your Business?

It stands to reason that the UK is launching its own cyber-attacks against what it sees as legitimate targets elsewhere in the world. Cyber-attack and security capabilities are now being used worldwide to support military operations, damage enemy communications and infrastructure and thereby degrade the threat they pose, as well as protecting home infrastructure and vital networks.

Attacks by other states, criminal and terror groups e.g. hacks, DDoS attacks and viruses, can end up impacting many UK businesses, so it’s good to hear that GCHQ, MI5 and other actors are ‘over-achieving’ in their efforts to protect the UK, and reduce the threats that we face in a time of shifting geopolitical and technological landscapes. We can assume, therefore, that the successful actions of our security agencies must be indirectly protecting many of the interests of UK businesses.

Phishing Attack Simulator: Microsoft Goodies

Microsoft has announced a set of business security tools, including a phishing attack simulator, that make it easier and more affordable for businesses to identify and fix vulnerabilities before they become an issue.

Attack Simulator

One of the key tools announced to coincide with the annual RSA conference in San Francisco, is the Attack Simulator. This tool is included in Office 365 Threat Intelligence, and is currently still in preview.

Spear Phishing Simulator

The tool, which simulates display name spear-phishing attacks, password-spray attacks, and brute-force password attacks, enables businesses to determine how end users behave in the event of an attack, and update policies to ensure that appropriate security tools are in place to protect the organization from threats.

A spear-phishing attack, for example, is used to gain access to users' credentials or financial information, and often involves sending emails, purporting to be from a person of influence in an organisation to other users. The Microsoft attack simulator tool applies machine learning models and impersonation detection algorithms to incoming email messages. The AI system is trained to detect phishing messages. It also uses algorithms to protect against various user and domain impersonation attacks.

Intelligent Security Graph

Microsoft credits its ‘Intelligent Security Graph’ as being the ‘central nervous system’ that is at the heart of its tools for tracking and mitigation of attacks across platforms and services. This combines AI with data gained from analysing web pages, emails and malware threats on Windows 10 and the cloud. This enables Microsoft to warn users of existing and new threats.

Only Access SaaS Service If Your Device Is Healthy

Another important development of Office 365’s Conditional Access service is an update (currently in preview) which combines Conditional Access Information with data from the Windows Defender Advanced Threat Protection (ATP) security scanner to ensure that a user can only access a given SaaS service if their device is healthy.

Security Score

A potentially important new tool that Microsoft has developed for IT admins is an expanded version of the Office 365 Secure Score tool, which gives a single measure for evaluating the risk profile across Office 365 services and their users’ devices.

What Does This Mean For Your Business?


For many businesses e.g. SMEs, up-to-date cyber attack simulators would be beyond their resources. These new tools from Microsoft have been ‘trained’ thanks to AI and real-world analysis via Windows 10, thereby making them an affordable, accessible, and hopefully effective and welcome addition to the security options that businesses have at their disposal.

There is no doubt that human / employee error is at the heart of many successful cyber-attacks. With a phishing attack simulator that allows the creation of a fake phishing email, companies can see, for example, which employees fall for them, and this could serve as a way of identifying who needs extra security training.

The combination of these new tools from Microsoft could provide an effective way that companies of all sizes could take proactive measures to plug gaps in their cyber-security shield, and guard against the kind of breaches that could be expensive and damaging, especially with the introduction of GDPR.

Facebook ... Face Recognition Woes

Facebook is in the news yet again, this time for having to face a class action lawsuit for allegedly gathering biometric information without users' explicit consent, via facial recognition technology.

What Facial Recognition Technology?

A facial recognition technology feature in Facebook’s platform suggests who might be present in uploaded photos, based on an existing database of faces, and uses "tag suggestions" technology.

The feature works by trying to detect any faces in an uploaded photo, then standardising and aligning those faces for size and direction. For each face, Facebook then computes a face signature, which is a mathematical representation of the face in that photo. Finally, the face signatures are run through a stored database of user face templates to look for similar matches.

What’s The Problem?


The problem in legal terms is that the software allegedly gathers (and presumably stores) biometric information about individuals i.e. makes and stores face templates of them, without them giving their explicit consent for it to do so. This sounds as though it may breach Illinois state law - this is the state from which the class of people in the lawsuit in question is made up.

The court order is reported to apply to Facebook users in Illinois for whom Facebook created and stored a face template after 7 June 2011.

What Are The Chances?

Although Facebook reportedly intends to fight the case and believes that it has no merit, the fact that the judge, James Donato, has ruled to certify a class of Facebook users, and has said that Facebook could be expecting billions in statutory damages, does not appear to bode well for Facebook.

Not Available Here

Privacy regulations mean that the facial recognition and tagging feature is not available in Europe or Canada, and can be turned off in settings for US users.

Facebook also said back in December 2017 that users would be notified if a picture of them was uploaded by someone else, even if they hadn't been tagged in it.

Hearing In A Crowd Technology Developed By Google

Just as Facebook appears to be in trouble over facial recognition technology, Google has announced that its research team has just developed technology that can recognise individual voices in a crowd, just as a human can.

The tech giant has made a demonstration video for the technology. The video shows how, with lots of people talking at once in a room, a user can select a particular face and hear the soundtrack of just that person. Users of this technology can also select the context of a conversation, and only references to that conversation are played, even if more than one person in the room is discussing that subject matter.

The AI technology behind the feature was developed using data collated from 100,000 videos of lectures and training videos on YouTube.

What Does This Mean For Your Business?


With GDPR on the way, the case against Facebook's facial recognition technology is another reminder of how businesses need to get to grips with the sometimes complicated area of consent. Video images and face templates of individual faces are also likely to qualify as personal data for which consent to collection and storage will be needed under GDPR. Privacy, as well as security, is a right that is getting even greater protection in law.

The technology from Google that can recognise individual voices, and can follow individual conversations in crowds could unlock valuable business opportunities in e.g. improving the function and scope of hearing aids, or improving video conferencing tools by enabling them to take place in the middle of an office space rather than only in a separate, soundproofed meeting room (provided other visual distractions are minimised). It seems that new technology is beginning to be developed to help tackle age-old human challenges.

Google, The Law and Your 'Right To Be Forgotten'

A businessman has won the "right to be forgotten" by Google after taking his case to the High Court, because he wanted a past crime he had committed to be removed from Google’s search engine results.

What Crime?

The (un-named) businessman was hoping to remove details from Google of a conviction from 10 years ago, and of the six-month jail sentence he was given for ‘conspiring to intercept communications'. The businessman was forced to take Google to court after Google refused his requests to have the information removed from its search engine results. The man’s legal argument was that the details of his past conviction were disproportionately impacting his life, and were no longer relevant, and therefore, it was not in the public or the man’s interest for Google to show the details in searches.

What Does The “Right To Be Forgotten” Mean?

The legal precedent for what has become known as ‘the right to be forgotten’ was set by the Court of Justice of the European Union back in 2014. It was the result of a case brought by Spaniard Mario Costeja Gonzalez who had asked Google to remove information about his financial history from its search engine results.

In this particular case, the ‘right to be forgotten’ means that Google has to remove all search results about the businessman’s conviction, including links to news articles.

Had Shown Remorse

The judge ruled in favour of the businessman, stating that he had shown remorse. Google has said that it will respect the judgement made in the case and pointed out that it has removed 800,000 pages from its results following ‘right to be forgotten’ requests.

Not So Lucky

Another businessman who also brought a ‘right to be forgotten’ case against Google, and who had committed a more serious crime of ‘conspiring to account falsely’ was not so lucky, and lost his case. It was decided, in the High Court, that the man, who had spent four years in jail for the crime, had “misled the public”, and that it would still be in the public interest for Google to keep the information about the man and his crimes in the search engine results.

Less Than Half

Google’s own Transparency Report from May this year revealed that of the 2.4 million requests made since 2014 to remove certain URLs from its search results, Google has only complied with less than half. Google doesn’t actually have to comply with a request, and can refuse to take links down if it can demonstrate that there is a public interest in the information remaining in the search results. Google can also re-instate links that it has already taken down in a previous request if it can show that it has grounds to do so.

What Does This Mean For Your Business?

It is good news that powerful international tech companies whose services are widely used, and who have the power to influence opinion and affect lives can sometimes be held accountable to national courts. There is a strong argument that they should not be a law unto themselves, and that they may not always be the best party to judge what is in the public interest.

The ‘right to be forgotten’ is particularly significant because it is something that all EU citizens will have when GDPR comes into force next month. This will impact businesses, many of whom may expect to receive ‘right to be forgotten’ requests, and will need to get their data management in order to both comply with GDPR generally, and to be able to respond quickly to such requests and avoid possible fines.

Monday, April 16, 2018

Facebook Notifies People Affected By Scandal

Facebook has begun notifying any of those users whose data is known to have been harvested and shared with data mining firm Cambridge Analytica.

On Your News Feed

If you are one of the 87 million people whose data has been shared, 1 million of whom are in the UK, when you log into your Facebook account, you will see a detailed message beginning with the words "We understand the importance of keeping your data safe.”

It is now understood that the data of 2.2 billion Facebook users was actually shared by Facebook, and all of these users will be receiving a message entitled "Protecting Your Information". This message will include a link which will allow them to see what apps they use, and what information they have shared with those apps. Users will also be given the option to stop sharing information with the apps or to stop any access to third-party apps altogether.

It should be noted, however, that Facebook stopped allowing third-party apps to gather data about the likes, status updates and other information shared by users' friends back in 2015. Also, Facebook has taken action recently to make information such as religious and political views out-of-bounds to apps.

If you don’t trust Facebook to notify you if your information has been shared with Cambridge Analytica, you can check for yourself by following this link: https://www.facebook.com/help/1873665312923476?helpref=search&sr=1&query=cambridge

What Happened?


This relates, of course, to revelations that Facebook shared the data of its users with London-based data mining firm Cambridge Analytica via a personality quiz app, called "You Are What You Like" (later replaced by the "Apply Magic Sauce" app), that had reportedly been developed for legitimate academic purposes. Revelations that the website from the original quiz re-directed users to a new one with different terms and conditions, thereby enabling users' data to be harvested and reportedly used for political purposes by Cambridge Analytica (the same company used by the Trump election campaign) and by Canadian data company AggregateIQ (AIQ) who were involved in the Vote Leave campaign in the UK referendum, have caused wide-scale outrage.

Facebook is also reported to have suspended a data analytics firm involved with targeted advertising and marketing called Cubeyou. Cubeyou is reported to have collected data for academic purposes, and allegedly used it commercially, as part of a partnership with Cambridge University in the UK (who have also found themselves implicated in the scandal).

Game Changer Says ICO Chief

The head of the UK’s Information Commissioner’s Office (ICO), Elizabeth Denham, has said that what happened with Facebook’s data sharing with Cambridge Analytica can be seen as a game-changer in data protection. The ICO has revealed that Facebook is now one of 30 organisations under wider investigation for the sharing and use of personal data and analytics with political campaigns, parties, social media companies and other commercial organisations.

Denham has said that although the Facebook scandal has drawn attention to the ICO’s ‘Your data matters’ campaign, it is too early to say whether the changes the social networking firm is making are sufficient under the law.

What Does This Mean For Your Business?

If you have been directly affected by Facebook’s data sharing you will have been informed in your Facebook account, and you can follow the link (given earlier in this article) to check for yourself.

As ICO Chief Elizabeth Denham has rightly said, this is an important time for privacy rights, particularly since the introduction of GDPR is little more than a month away. The widespread outrage and condemnation of Facebook’s data sharing with Cambridge Analytica highlights how important data protection and privacy rights are to us all. This should serve as a reminder to businesses and other organisations that as well as making sure that they comply with GDPR to avoid negative consequences, GDPR preparation is an opportunity to fully examine the important issue of how data is being used and stored, and where vulnerabilities are, and how simple improvements could be made that could protect and help the business as a whole.

Digital Number Plates

Dubai is once again in the news for being an adopter of new technologies after an announcement that it will be hosting a trial of digital vehicle number plates next month.

Smart Plates

The ‘smart plates’ will have digital screens, GPS and transmitters, and according to the head of the Vehicle Licensing Department at Dubai's Roads and Transport Authority (RTA), the digital plates will make life easier for drivers.
The trial of the new plates is scheduled to start next month and end in November, and one of the key things that is being tested, as well as the Roads and Transport Authority’s (RTA) Tag2Connect (T2C) platform, is thought to be whether any issues / problems may be caused to the hardware and operation of the plates by Dubai's desert climate.

The smart plates system incorporates Blockchain technology, the same technology behind the Bitcoin cryptocurrency.

Why Have Digital Number Plates?


In reality, the plates will have benefits for Dubai’s government as well as for drivers e.g. through being able to track vehicles (via transmitters in the plates), and for the police to gather detailed information quickly about cars and their drivers.

Ways in which drivers could benefit from using the plates include:
  • Allowing real-time communication with other drivers about traffic conditions or any accidents ahead.
  • Contacting the police and ambulance services if the vehicle is involved in a collision.
  • Enabling plates to be changed using the RTA's app or website.
  • Enabling automatic deductions from users' accounts for e.g. payment for fines, parking fees or renewing registration plates.

Other Technologies Adopted In Dubai

Dubai is making a name for itself internationally as a place that is proactive in adopting the latest technology. For example:
  • Back in February 2016, Dubai committed to putting all its documents on Blockchain’s shared open database system by 2020 in order to help to cut through Middle Eastern bureaucracy, speed up civic transactions and processes, and help bring a positive transformation to the whole region.
  • In February last year, it was announced by Dubai's Roads and Transportation Agency that passengers could be able to use Ehang 184 electric-powered, pilotless, self-flying drone taxis. The app-hailed taxis have a top speed of 100 mph / 160 km/h, and can travel 31 miles in one trip.
  • Plans for high-speed Hyperloop pods to open by 2020. These pods should be able to transport passengers to the UAE's capital Abu Dhabi in just 12 minutes (covering distances of over 120km / 75 miles).
  • Plans to expand the use of technology in transport, and hopes for self-driving vehicles to be making a quarter of all journeys by 2030.

What Does This Mean For Your Business?

Some may say that given the wealth of Dubai and the speed of its development in recent years, it is not a big surprise that it is able to afford trials and adoption of the latest technology, and that its road network and geography make it well-suited to driverless vehicles, drones etc.

Some commentators, however, have expressed concerns about the tracking of drivers, and potential issues surrounding privacy and information security.

New transport technologies that are planned for Dubai, such as driverless vehicles, have also experienced some bad publicity recently with the woman killed in Arizona last month when she was hit by an autonomous Uber car.

Smart number plates are an example of how smart technology is providing business opportunities, and bringing simpler, more centralised systems around the world. For example, it is thought that the smart plate system in Dubai will bring together on a single platform all stakeholders e.g. manufacturers, dealers, workshops, insurers, licensing authorities, police and vehicle owners. This could be an example of how greater transparency could be brought to an industry using technology.

1 In 10 Fooled By Social Engineering Attacks

A new report by security firm Positive Technologies shows that 1 in 10 employees would fall for a social engineering attack.

What Is A Social Engineering Attack?

Social engineering cyber-attacks rely upon the element of human error e.g. convincing / fooling a person into downloading malicious files, unwittingly corresponding with cyber-criminals, sharing contact information about employees and transferring money to hackers’ accounts, or clicking on phishing links.

Test

The results of the report are based on ‘penetration tests’ which involved sending 3,300 emails to employees containing links to websites, password entry forms and attachments. As the name suggests, a penetration test is an authorised simulated attack on a computer system, which is performed in order to evaluate the security of that system.

Tricked

The results showed that, worryingly, 17% of the messages were successful in convincing the recipients to take actions that would have resulted in a compromise of a workstation and potentially the entire corporate network if the attack was real.
The tests showed that 15% of employees responded to emails with an attachment and link to a web page, while only 7% responded to test emails with an attachment. The most effective method of social engineering identified in the test was reported to be sending an email with a phishing link. In this case, 27% of recipients clicked on a link that led to a web page requesting credentials.

Real Company Names Convincing

The study showed that messages received from what appeared to be the account of a real company resulted in 33% of risky actions being taken by recipients, whereas messages from fake companies only resulted in 11% success.

Emotional Response Sought


Cyber-criminals often use methods that are designed to produce an emotional response that will make people forget about basic security rules. For example, in the tests, an email subject line of “list of employees to be fired” resulted in a 38% response, and “annual bonuses” brought a 25% response.

Overly Trusting If Not In IT

One interesting finding highlighted in the report was that 88% of those outside of IT work (and presumably less aware of the risks), such as accountants, lawyers and managers, opened / clicked on suspicious links and even corresponded with attackers. However, 3% of security professionals also responded.

Kept Trying To Open

The study found that some recipients who couldn’t open the malicious files even resorted to trying to open the files or enter their password on a fake site up to 40 times!

What Does This Mean For Your Business?

Clearly, there is a case for better education and training among employees about the variety of methods, and the level of sophistication that cyber-criminals now use in attacks. Employees need to be able to spot potential attacks, and have clear policies, instructions, and help on hand about how to proactively protect the company, and how to respond to certain types of attack. One of the simplest forms of defence against threats entering the company via email is to make it policy never to open suspicious emails / emails from unknown sources.

In reality, attackers now use a combination of methods to breach the defences of companies, plus there are evolving new threats, such as fileless hacking and fileless malware attacks facilitated by the PowerShell scripting language that is already built into Windows. Some basic ways that your business can improve security against social engineering attacks are:
  • Blocking delivery of email attachments with extensions that are executable (.exe, .src), system (.dll, .sys), script (.bat, .js, .vbs), and other files (.mht, .cmd).
  • Authenticating the domain of an email sender e.g. using the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols.
  • Authenticating a sender’s identity using other protocols e.g. the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol.
  • Regularly updating the operating system, anti-virus, and other software patches.
  • Implementing an on-demand malware detection system.
  • Scanning files before and after opening them.
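
The attachment-blocking and SPF / DKIM / DMARC items in the list above can be combined into one pre-delivery check, sketched here as an added example (it is not code from the report or from this article). The authserv-id mx.corp.example, the sample messages and the extra .scr extension are assumptions made for the illustration.

```python
import re
from email.message import EmailMessage

# Extensions from the article's list (".src" is kept exactly as printed there).
BLOCKED_EXTENSIONS = {".exe", ".src", ".dll", ".sys", ".bat", ".js", ".vbs", ".mht", ".cmd"}
# Assumption, not in the article: also block ".scr" (Windows screensaver executables).
BLOCKED_EXTENSIONS.add(".scr")

# Hypothetical authserv-id stamped by your own inbound mail gateway.
TRUSTED_AUTHSERV_ID = "mx.corp.example"
NO_AUTH = "no DMARC result and neither SPF nor DKIM passed"


def blocked_extension(filename):
    """True if the final extension is on the blocklist.

    Case is ignored and trailing dots/spaces are dropped first, because
    Windows strips them when the file is saved ("notes.js." becomes "notes.js").
    """
    cleaned = filename.strip().rstrip(". ").lower()
    _, dot, ext = cleaned.rpartition(".")
    return bool(dot) and "." + ext in BLOCKED_EXTENSIONS


def auth_results(msg, trusted_id=TRUSTED_AUTHSERV_ID):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    Only headers whose authserv-id matches our own gateway are read; a header
    carrying any other id may have been written by the sender and is ignored.
    Simplification: the first verdict per method wins, comments are not parsed.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(header).split(";")]
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != trusted_id.lower():
            continue
        for part in parts[1:]:
            m = re.match(r"(spf|dkim|dmarc)\s*=\s*([a-z]+)", part, re.I)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def screen(msg, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return the reasons to quarantine a message (empty list = deliver)."""
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name and blocked_extension(name):
            reasons.append(f"blocked attachment: {name}")
    results = auth_results(msg, trusted_id)
    dmarc = results.get("dmarc")
    if dmarc in (None, "none"):
        # No DMARC verdict to rely on: require SPF or DKIM to have passed.
        if "pass" not in (results.get("spf"), results.get("dkim")):
            reasons.append(NO_AUTH)
    elif dmarc != "pass":
        reasons.append(f"dmarc={dmarc}")
    return reasons


def build_sample(filename, auth_headers):
    """Construct a sample message (test data made up for this example)."""
    msg = EmailMessage()
    msg["From"] = "hr@corp.example"
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "Annual bonuses"
    for value in auth_headers:
        msg["Authentication-Results"] = value
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


CLEAN = build_sample("report.pdf", [
    "mx.corp.example; spf=pass smtp.mailfrom=supplier.example; "
    "dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example",
])
SPOOFED = build_sample("bonus_list.pdf.EXE", [
    # Header with a foreign authserv-id: ignored even though it claims "pass".
    "mx.untrusted.example; spf=pass; dkim=pass; dmarc=pass",
    "mx.corp.example; spf=fail smtp.mailfrom=corp.example; dkim=none; "
    "dmarc=fail header.from=corp.example",
])

if __name__ == "__main__":
    for label, message in (("clean", CLEAN), ("spoofed", SPOOFED)):
        print(label, "->", screen(message) or "deliver")
```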

Killer Bot Boycott

Reports that the state-run university-based ‘Korea Advanced Institute of Science and Technology’ (KAIST) has been working on military robot research with defence company Hanwha have resulted in threats of a boycott by more than 50 AI researchers from 30 countries.

Killer Robots?

Although the threat of the boycott of KAIST appears to have been effective in exposing and causing KAIST to agree to stop any work related to the development of lethal autonomous weapons (killer robots), the story has raised questions about ethical red-lines and the regulation of technology in this area.

KAIST opened its research centre for the convergence of national defence and artificial intelligence on 20 February, with the reported intention of providing a foundation for developing national defence technology. It has been reported that a now-deleted announcement about the work of the centre highlighted a focus on areas like AI-based command and decision systems, navigation algorithms, large-scale unmanned undersea vehicles, AI-based smart aircraft training systems, as well as smart object tracking and recognition technology.

Fast Exchange of Letters

It has been reported that almost immediately after receiving a letter containing the signatures of more than 50 AI researchers expressing concern about KAIST's alleged plans to develop artificial intelligence for weapons, KAIST sent its own letter back saying that it would not be developing any lethal autonomous weapons.

The President at the university, Shin Sung-chul, went on to say that no research activities that were counter to human dignity, including autonomous weapons lacking meaningful human control, had been conducted. Shin Sung-chul is also reported as saying that KAIST had actually been trying to develop algorithms for "efficient logistical systems, unmanned navigation and aviation training systems”, and that KAIST is significantly aware of ethical concerns in the application of all technologies including AI.

Who / What Is Hanwha Systems?

Hanwha Systems, the named partner from the defence / military world in the project, is a major weapons manufacturer based in South Korea. The company is known for making cluster munitions, which are banned in 120 countries under an international treaty.

Outright Ban Expected

To accompany the welcome re-assurances from KAIST that it will not be researching so-called “killer robots”, it is widely expected that the next meeting of the UN Security Council countries in Geneva, Switzerland will call for an outright ban on AI weapons research and killer bots.

Already Exists

As well as the Taranis military drone, built by the UK’s BAE Systems, which can technically operate autonomously, ‘robots’ with military applications already exist. For example, South Korea’s Dodaam Systems manufactures a fully autonomous “combat robot”, which is actually a stationary turret that can detect targets up to 3km away. This ‘robot’ is reported to have already been tested on the militarised border with North Korea, and is reported to have been bought by the United Arab Emirates and Qatar.

What Does This Mean For Your Business?

Many of the key fears about AI and machine learning centre on machines learning to make autonomous decisions that result in humans being injured or attacked. It is no surprise therefore, that reports of possible research into the development of militarised, armed AI robots play on fears such as those expressed by Tesla and SpaceX CEO Elon Musk who famously described AI as a "fundamental risk to the existence of civilisation.”

Even with the existing autonomous combat turret in Korea there are reported “self-imposed restrictions” in place that require a human to deliver a lethal attack i.e. to make the actual attack decision. Many fear that the development of any robots of this kind represents a kind of Pandora’s box, and that tight regulations and built-in safeguards are necessary in order to prevent ‘robots’ from making potentially disastrous decisions on their own.

It should be remembered that AI presents many potentially beneficial opportunities for humanity when it is used ethically and productively. Even in a military setting, for example, an AI robot that could e.g. effectively clear mines (instead of endangering more humans) has to be a good idea.

The fact is that AI currently has far more value-adding, positive, and useful applications for businesses in terms of cost-cutting, time-saving, and enabling up-scaling with built-in economies.

Apple Claims 100% Renewable Energy At All Data Centres

The latest energy report from Apple has stated that the company has hit a new milestone in green energy usage by making all of its 43 data centre sites across the world operate using 100% renewable energy.

Not Quite What It Seems


Although the effort is admirable, the claim that has led Apple's CEO Tim Cook to stress that the company is committed to leaving the world better than it found it, is not as transparent as it appears.

It is not possible for all the data centres to be connected to a completely renewable energy supply at the moment, so what Apple actually means is that the data centres can be 100% 'renewables powered', thanks to the clean energy that Apple buys and puts back into the power grid that can be offset against its global power consumption.

For example, Apple has explained that, where it can’t create new renewable energy projects due to local constraints, the tech giant purchases renewable energy from newer projects in nearby markets, or through available utility green energy programs.

What About The Manufacturing of Phones and iPads?

Some critics have pointed out that the manufacturing of iPhones, iPads and other machines creates carbon emissions. Apple is reported to be taking steps to tackle this less environmentally-friendly aspect of its work by sourcing lower-carbon materials, and by making suppliers commit to using green energy when making Apple hardware.

6 Years of Effort

Apple’s announcement is the culmination of six years of financing, building, or locating new renewable energy sources e.g. solar and wind farms, near the company’s facilities. According to Apple, it now has 25 operational renewable energy projects, and 15 more in construction, spread across 11 countries. In contrast, 8 years ago, only 16% of its facilities were powered by renewable energy. That number had increased to 93% by 2015, and to 96% by 2016.

Lisa Jackson Hired To Help

One of the ways that Apple has been able to steer itself to its current position on the environmental high ground was to hire former EPA administrator Lisa Jackson as VP of environment, policy, and social initiatives. Lisa Jackson was better known at the time for serving under President Barack Obama from 2009 to 2013 to tackle matters such as climate change, improving air quality, and expanding the conservation of environmentalism.

Goal

Apple’s goal of going 100% green has meant reducing its greenhouse gas emissions (CO2e) by 58% since 2011, thereby preventing 2.2 million metric tons of CO2e from entering the atmosphere.

Growing The Clean Energy Market Around The Facilities

One of the key ways that Apple has reached its latest milestone target is by growing the clean energy market around the facilities of the company. This has involved working with local utilities and regulators to build places such as new solar or wind farms that pump new green power onto the public grid. This method has worked well in markets where most of the existing energy comes from ecologically unfriendly sources like coal or oil.

What Does This Mean For Your Business?

Some critics would say that with $285 billion in cash reserves, Apple has the money to plough into working towards this environmental goal. However, even though it could afford to buy up existing green power to get to the 100% goal, it has chosen to adopt an “additionality” standard, which is a preference for sponsoring the creation of new renewable power sources. This, and the idea that it can grow the clean energy market around the facilities of the company, have been real environmental benefits rather than just paper exercises. Apple has also hired-in expertise to help guide its efforts.

This story is an example of how a business, albeit a giant (wealthy) tech business, can choose to operate in a more value-led, socially responsible and ethical way that has wider benefits for society, as well as for the company’s brand image. A greater focus on reducing environmental impact and working to develop more renewable energy sources are things that more companies will need to adopt in the future, and are likely to be valued by customers and other stakeholders.

Monday, April 09, 2018

Wearable Tech Could Help Solve Murder

Police in Australia are reported to be using data recorded by a murder victim's Apple smartwatch to help catch her killer.

Murder


The victim and owner of the smartwatch was Grandmother Myrna Nilsson, who was found dead in the laundry of her Valley View home in Adelaide's north-east in September 2016.

The prime suspect in the murder case is daughter-in-law Caroline Dela Rose Nilsson, who was found gagged and distressed at the scene, and who told Police that her mother-in-law had been followed home by (and had argued at length with) a group of men in a car.

How Could The Watch Data Help?

The Apple watch contains sensors that can measure fitness signals such as heart rate. The watch can also track a person’s movements and, being a watch, it can link the other signals to the exact time.

It is believed that this data could indicate when the victim’s heart rate indicated a loss of consciousness as well as the actual time of death.

Contradiction

Reports about the case so far indicate that while the daughter-in-law’s testimony puts the time of death at around 10pm, and that her mother-in-law allegedly argued with the men for 20 minutes, the data from the watch is not consistent with this version of events.

Reports about evidence uncovered by the Prosecutor in the case, Carmen Matteo, show that watch data shows activity consistent with the victim being ambushed and attacked as she walked into her home just after 6:30pm. The watch is also reported to show activity and heart rate measurements consistent with her body going into shock and losing consciousness.
According to the Apple watch, the deceased must have been attacked at around 6:38pm and had died by 6:45pm, some 3 hours earlier than the time stated by the daughter-in-law.

Bail Denied

The strength and apparent reliability of the watch data has been enough to lead Magistrate Oliver Koehn to deny bail to Ms Nilsson.

What Does This Mean For Your Business?

Our phones and gadgets are now tracking devices, and can store or transmit a lot of data about us and our activities. In the right hands, as in this case and in situations where mobile phone signals have been used in legal cases, this information can be valuable for some very important reasons i.e. in the interest of justice for victims and their families.

In the wrong hands, however, this information could make us more vulnerable to crime e.g. through ‘sports wearables’ possibly leaking our login credentials and transmitting our activity tracking information in a non-secure way, as identified back in February 2016 in Canadian research by Citizen Lab at the Munk School of Global Affairs.

This story should also, therefore, be a reminder to manufacturers of wearable technology that security and privacy of the data stored and transmitted about us should always be a priority, and it is in the interest of the manufacturer and the customer that correct safeguards are taken. After all, as this case proves, you never quite know how useful the secure, uncorrupted data from a mobile or wearable device could turn out to be.

Half Of Households Have Broadband Problems

A survey by consumer watchdog ‘Which?’ has revealed that more than half of UK customers across 12 providers are having problems with their broadband service or price.

Which Providers?

The survey looked at the experiences of 1,900 customers of providers that collectively serve about 90% of UK broadband customers. These providers include BT, Sky, TalkTalk, Virgin Media and Zen Internet.

Price A Big Issue

The company that most respondents (47%) felt most dissatisfied with was Virgin Media. The key complaint with their service appeared to be last year’s price increases. As well as price, Virgin Media customers were also found by the survey to be the most likely to face router issues, and to be left with no internet at all for hours or even days at a time.

30% of respondents also complained about price rises by BT.

SSE - Connection Dropouts

The survey found that broadband provider SSE was the worst offender (25% of its customers) when it comes to the frustration of connection dropouts.

Automatic Compensation Now Available

Although we as customers can essentially do nothing at the time when our broadband goes wrong, or to protect ourselves from price increases (apart from switching providers), one thing that could help us to feel a little better after the event is to receive at least some compensation.

Back in November 2017, the good news was an Ofcom announcement that broadband and landline customers would automatically be able to get money back from their providers when things go wrong, without having to make a claim for it. It was predicted at the time that, under these new rules, the amounts paid in compensation to customers could be nine times higher, and customers could receive an estimated £142 million in payouts.

The bad news was, however, that automatic compensation won’t be available until early 2019.

What Does This Mean For Your Business?


Ofcom research shows that nine in ten adults report going online every day and three-quarters of internet users say it is important to their daily lives. Broadband is now an essential service for business, and many business owners may feel that it doesn’t take a survey for them to know that broadband services in the UK can sometimes be patchy, and often expensive.

Some commentators argue that instead of offering automatic compensation, customers would be better served if broadband providers invested more in making sure that their service was more reliable and offered greater value for money in the first place.

Nevertheless, since current levels of compensation are low, and don’t come close to reflecting the harm caused, when automatic compensation becomes available it will at least be some improvement, particularly for small businesses.

At the moment, better broadband services, particularly for businesses in rural locations, still seem a long way off as the reality is that the UK ranks only 31st in the world for average broadband speeds, and we may only actually have 7% full fibre coverage by 2020.

Robots Not Coming For Your Job Just Yet, Says Report

A report by the OECD says that previous forecasts may have exaggerated the impact of automation on jobs because the forecasts relied on a broad grouping together of jobs with the same title.

Previous Forecasts

One of the most influential forecasts of the effects that automation could have on our jobs was the 2013 forecast by Oxford University. Its worrying conclusions at the time included the bleak prediction that 47% of jobs in the US in 2010 and 35% in the UK were at "high risk" of being automated over the following 20 years.

Another report by PwC from May 2017 also claimed that over 30% of UK jobs could be lost to automation by the year 2030. That report also said that 44% of jobs in manufacturing (where there are already many robots e.g. car manufacturing), especially those involving manual work, look likely to go to AI-led software or robots.

Not That Bad

The new OECD report, however, paints a much more positive picture, and its forecasts of the effects of automation on jobs are not as bad as those in the earlier reports. For example, OECD figures suggest that only 12% rather than 35% of jobs are actually at high risk of being automated in the next 20 years.

Why The Difference?

The OECD report forecasts a lesser impact by automation because, unlike the Oxford University report, it didn’t group together jobs with the same title, and, therefore, takes account of the differences between jobs with the same name.

Most And Least At Risk

The OECD report states that there is no measurable evidence that AI has been significantly impacting jobs requiring high levels of education and skill.

It is likely that lower-skilled jobs involving routine tasks are most at risk of automation, whereas jobs involving dealing with complex social relationships, using creativity and complex reasoning, and the physical manipulation of objects in a constantly changing work environment are least at risk of automation.

Geographical Difference

The report also pointed out that jobs in Anglo-Saxon and Nordic countries and the Netherlands are less likely to be automated than those in the south and east of Europe, Germany, Chile and Japan.

What Does This Mean For Your Business?

Most businesses are likely to be affected by some aspect of automation e.g. software or mechanical, in the near future, either themselves or through suppliers and stakeholders. There is an inevitability that AI and robotics will alter what jobs look like in the future, but it is also important to remember that they could provide huge advantages and opportunities for businesses in terms of reducing costs, and doing jobs cheaper and faster, while working day and night with no holiday.

As workers, we can try to insulate ourselves from the worst effects of automation by seeking more education / lifelong learning, and by trying to remain positive towards and adapting to changes, and by spotting and taking advantage of niches and other opportunities where we find them. Jobs which are highly varied, require specific human interaction, where people are required to have high levels of education, and where automation may be less acceptable e.g. education, could be less likely to be threatened by being replaced by AI and/or robots.

Exactly how many jobs will be lost to automation in what amount of time is virtually impossible to predict taking into account the advances in technology, together with the fact that AI bots learn, and get better at what they do as a result.

What kind of automation individual businesses adopt will, of course, depend upon a cost / benefit analysis compared to human workers, and whether automation is appropriate and is acceptable to their customers / users.

One interesting point that the new report highlighted was that young people may find it harder to find work in future because entry-level posts may have a higher risk of automation than jobs requiring more experience.

Apple Hires Google’s AI Chief To Help Boost Siri

In a bid to develop Siri and catch up with competitors in the digital assistant battle, Apple has hired Google’s top AI man, John Giannandrea.

Falling Behind

The battle to dominate the digital assistant market has been going on for some time now, but industry commentators have noted that Apple’s Siri, which was first introduced on the iPhone 4S in 2011, has fallen behind the competition i.e. Amazon Alexa and Google Assistant.

Siri Problems

The problems that have plagued Apple’s Siri since its early lead and subsequent falling behind in the market are thought to include:
  1. Infighting and internal politics within the Siri team at Apple.
  2. Too many attempts to reorganise the basic underpinning technology.
  3. Press criticism of the poor AI in Apple’s HomePod - the company’s attempt to compete with Amazon’s Echo and Google’s Home smart speakers.

Hiring

Apple has, therefore, sought to quickly boost its expertise in AI and machine learning through hiring-in the top talent.

John Giannandrea joined Google in 2010 and previously worked as Netscape's chief technologist. Mr Giannandrea is widely credited as being responsible for rebuilding the technology that is now at the heart of Google’s landmark products, which include search, translation and voice recognition. He is also recognised as being the person responsible for putting Google on a par with Amazon for technological supremacy in the field of voice-controlled assistants.

As well as hiring Google’s top AI man, Apple is also reported to have posted adverts for 160 other openings for work related to improving Siri.

Other high profile hires by Apple in the AI field in recent times include Carnegie Mellon professor Russ Salakhutdinov who studied at the University of Toronto under Geoffrey Hinton, who helps to oversee the Google Brain lab.

Different Approach

One of the key challenges that Giannandrea and the other new recruits will have to address is how to dramatically improve the AI and machine learning performance of Siri while giving it less detailed data for its AI training. This is because Apple has decided to take a different approach to Amazon and Google in terms of trying to gather less personal data about its users.

Apple believes that it can still produce good AI personalisation results for Siri users with a smaller dataset, and hopes that customers will value its attempts to protect their privacy, and that this will add to the positive differentiation of Siri.

What Does This Mean For Your Business?

The big tech companies can see the future potential value of widening the range of services that can be offered via digital assistants. As well as being able to access them through our mobile devices, smart speakers are now commonplace in many UK homes, and there will soon be business-focused versions.

The hope is that we will use our digital assistants for almost all of our daily activities e.g. paying bills, purchasing, and calling friends and customers. This illustrates why it is so important for Apple to quickly catch up with competitors and to make sure that its digital assistant is at least as capable as Amazon and Google’s offerings in terms of key AI and machine learning.

Apple is in the fortunate position of being able to attract and pay for top Silicon Valley talent, and the hiring of Google’s top man will no doubt be seen as a small victory in itself in the ongoing battle of the digital personal assistants.

UK Universities Are Cryptojacking Targets

The latest attacker behaviour industry report by automated threat management firm Vectra shows that UK higher education institutions are now prime targets for illicit cryptocurrency mining, also known as ‘cryptojacking’.

Cryptocurrency Mining

Illicit ‘cryptocurrency mining’ involves installing 'mining script' code such as Coin Hive into multiple web pages without the knowledge of the web page visitor or often the website owner. The scammer then gets multiple computers to join their networks so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency - hence mining for crypto-currency.

Taking Coin Hive as an example, this crypto-currency mining software is written in JavaScript, and sends any coins mined by the browser to the owner of the web site. If you visit a website where it is being used (embedded in the web page), you may notice that power consumption and CPU usage by your browser will increase, and your computer will start to lag and become unresponsive. These slowing, lagging symptoms will end when you leave the web page.

Why Target Universities?

According to the Vectra report, the UK’s universities are being targeted by cryptojackers because they have high bandwidth capacity networks, and they host many students on their networks who are not protected. This makes them ideal cyber-crime campaign command and control operations centres.

This means that students who are using the bandwidth e.g. to watch movies online could unwittingly be giving cyber criminals access to computing resources in the background by using websites that host cryptojacking malware.

It is also believed to be possible that the relative anonymity and power of the computing resources at universities are enabling a small number of students to tap into them, and carry out illicit cryptocurrency mining activities of their own.

Other Targets

Higher education institutions are, of course, not the only main targets. The report highlights the entertainment and leisure sector (6%), financial services (3%), technology (3%) and healthcare (2%) as also being targets for cryptojackers. The effects of being targeted by cryptojackers can be increased power consumption and a reduction in hardware lifespans.

What Does This Mean For Your Business?

Higher education institutions can only issue notices to students they detect cryptomining, and / or issue a cease and desist order. They can also provide assistance in cleaning computers, and try to advise students on how to protect themselves and the university by installing operating system patches and creating awareness of phishing emails, suspicious websites and web ads. These measures, however, don’t go far enough to address the challenge of better detection, and / or stopping cryptomining from happening in the first place.

Businesses are also struggling to keep up with the increasingly sophisticated activities of cryptojackers and other cyber-criminals, particularly with a global shortage of skilled cyber-security professionals to handle detection and response. In the meantime, the answer for many enterprise organisations has been the deployment of artificial intelligence-based security analytics. Where cryptojacking is concerned, AI is proving to be essential to augmenting existing cyber-security teams to enable fast detection and a response to threats.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses. If using AI security techniques is beyond your current budget and level of technical expertise, you may be pleased to know that there are some simpler measures that your business can take to avoid being exploited as part of a cryptojacking scam.

If, for example, you are using an ad blocker on your computer, you can set it to block one specific JavaScript URL, which is https://coinhive.com/lib/miner.min.js. This will stop the miner from running without stopping you from using any of the websites that you normally visit.
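Because the mining script is often embedded without the website owner's knowledge, the same URL can be used to check your own pages for it. The following is an added example, not code from the article or from Coin Hive; the function names, the sample page and the treatment of subdomains are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The single script URL named in the article, split into host and path.
BLOCKED_HOST = "coinhive.com"
BLOCKED_PATH = "/lib/miner.min.js"


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def is_blocked(src):
    """True if src loads the miner script, whatever the scheme or query."""
    parts = urlsplit(src)  # also handles protocol-relative //host/path
    host = (parts.hostname or "").lower()
    # Assumption: subdomains of the host are treated as matches too.
    on_host = host == BLOCKED_HOST or host.endswith("." + BLOCKED_HOST)
    return on_host and parts.path.lower() == BLOCKED_PATH


def find_miner_scripts(html):
    """Return the script URLs in html that match the blocked miner URL."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [s for s in collector.sources if is_blocked(s)]


# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/miner.min.js"></script>
<script SRC="//CoinHive.com/lib/miner.min.js?v=2"></script>
<script src="https://example.org/coinhive.com/lib/miner.min.js"></script>
</head><body>Hello</body></html>
"""

if __name__ == "__main__":
    print(find_miner_scripts(SAMPLE_PAGE))
```

Matching on the parsed host and path rather than on a substring avoids flagging unrelated URLs that merely contain the same text, such as the last script tag in the sample.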

Also, a dedicated browser extension called 'No Coin' is available for Chrome, Firefox and Opera. This will stop the Coin Hive mining code being used through your browser. This extension comes with a white-list and an option to pause the extension should you wish to do so.

Coin Hive's developers have also said that they would like people to report any malicious use of Coin Hive to them.

Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.