Internet Security

Adult Site Visits on Work Computer Lead to Network Infection

The extensive online porn-accessing habit of an employee of a US government department known as the US Geological Survey (USGS) is being blamed for a government computer network becoming infected with malware.

9,000 Pages

In an investigation, highlighted in a paper (published online) by the US Office of the Inspector General, it was discovered that the unnamed employee is alleged to have accessed 9,000 pages on adult pornography websites.

Infected

It is believed that the infection of the government network happened after the employee used their work laptop to visit pornographic websites, some of which originated in Russia and contained malware, thereby compromising and infecting the laptop. It was from this laptop that the malware was able to spread to the government network.

The employee is also reported to have saved images from the infected websites onto an unauthorised USB device, and to a personal Android phone that was connected to the government-issued computer. This resulted in the Android phone also becoming infected with malware.

Stealing Information

The big risk with malware is, of course, that it is designed to steal information and spread to other systems, and in the case of ransomware, for example, to destroy files, lock-down systems, and extort money.

Malware

In the UK, a government report from April this year found that nearly half the businesses in the UK have fallen victim to cyber attacks or security breaches in the last year, and that the most common breaches involved fraudulent emails e.g. phishing, attempts by scammers to impersonate the organisation online, as well as viruses and malware. The annual Verizon data breach investigations report from April showed that ransomware is the most popular form of malware used in cyber-attacks, and this type of malware is responsible for 40% of all successful malware attacks. The use of ransomware has doubled over the last year.

What Does This Mean For Your Business?

In this case, the use of USB devices and government computers for personal use was against the rules, but this didn’t appear to be actively monitored and / or enforced. As the government department discovered to their cost, and too late, it may have been better to address such obvious security vulnerabilities by restricting web access to certain types of websites (and monitoring this), disabling USB connections on government-issued computers, providing IT security training, and developing a well-communicated IT security policy.

This story also highlights the risks of policies such as ‘bring your own device’ in businesses. BYOD policies allow employees to bring in their personally owned laptops, tablets, smart-phones and even storage devices, and use them to access company information and applications, and solve work problems. Unfortunately, as shown in this story and in a study by SME card payment services firm Paymentsense back in May, BYOD schemes and using USB storage devices can increase the cyber-security risks for businesses and organisations. The most popular types of BYOD security incidents in the last 12 months include malware, which affected two-thirds (65%) of SMEs, and viruses (42%).

These days, secure cloud storage and storage on secure company systems are provided, and this, combined with adequate security training and forbidding the use of USB ports (closing USB ports) on company computers could be ways of minimising this kind of security risk for many businesses.

Ubicoustics Overhears Everything You Do … And Understands

Researchers in the US have presented a paper based on their research that identified a real-time, activity recognition system capable of interpreting collected sounds that could well be used by home smart speakers.

Identify Other Sounds, and Issue Responses

Researchers at Carnegie Mellon University in the US claim to have discovered a way that the ubiquity of microphones in modern computing devices, and software that could use a device’s always-on built-in microphones could be used to identify all sounds in room, thereby enabling context-related responses from smart devices. For example, if a smart device such as an Amazon Echo were equipped with the technology, and could identify the sound of a tap running in the background in a home, it could issue a reminder to turn the tap off.

Ubicoustics

The research project, dubbed ‘Ubicoustics’, identified how using an AI /machine learning based sound-labeling mode, drawing on sound effects libraries, could be linked to the microphone (as the listening element) of a smart device e.g. smart-watches, computers, mobile devices, and smart speakers.

As Good As A Human

The sound-identifying, machine-learning model used in the research system was able to achieve human-level performance in recognition accuracy and false positive rejection. The reported accuracy level of 80.4%, and the misclassification level of around one sound in five sounds, means that it is comparable to a person trying to identify a sound.

As well as being comparable to other high-performance sound recognition systems, the Ubicoustics system has the added benefit of being able to recognise a much wider range of activities without site-specific training.

Applications

The researchers noted several possible applications of the system used in conjunction with smart devices e.g. sending a notification when a laundry load finished, promoting public health by detecting frequent coughs or sneezes and enabling smart-watches to prompt healthy behaviours after tracking the onset of symptoms.

Privacy Concerns

The obvious worry with a system of this kind is that it could represent an invasion of privacy and could be used to take eavesdropping to a new level i.e. meaning that we could all be living in what is essentially a bugged house.

The researchers suggest a potential privacy protection measure could be to convert all live audio data into low resolution Mel spectrograms (64 bins), thereby making speech recovery sufficiently difficult, or simply running the acoustic model locally on devices so no audio data is transmitted.

What Does This Mean For Your Business?

The ability of a smart device to be able to recognise all sounds in a room (as well as a person can) and to deliver relevant responses could be valued if used in a responsible, helpful, and not an annoying way. It doesn’t detract from the fact that, knowing that having a device with these capabilities in the home or office could represent a privacy and security risk, and has more than a whiff of ‘big brother’ about it. Indeed, the researchers recognised that people may not want sensitive, fine-grained data going to third-parties, and that operating a device with this system but without transmission of the data could provide a competitive edge in the marketplace.

Nevertheless, it could also represent new opportunities for customer service, diagnostics for home and business products / services, crime detection and prevention, targeted promotions, and a whole range of other possibilities.

New Tech Laws For AI Bots & Better Passwords

It may be no surprise to hear that California, home of Silicon Valley, has become the first state to pass laws to make AI bots ‘introduce themselves’ (i.e. identify themselves as bots), and to ban weak default passwords. Other states and countries (including the UK) may follow.

Bot Law

With more organisations turning to bots to help them create scalable, 24-hour customer services, together with the interests of transparency at a time when AI is moving forward at a frightening pace, California has just passed a law to make bots identify themselves as such on first contact. Also, in the light of the recent US election interferences, and taking account of the fact that AI bots can be made to do whatever they are instructed to do, it is thought that the law has also been passed to prevent bots from being able to influence election votes or to incentivise sales.

Duplex

The ability of Google’s Duplex technology to make the Google Assistant AI bot sound like a human and potentially fool those it communicates with is believed to have been one of the drivers for the new law being passed. Google Duplex is an automated system that can make phone calls on your behalf and has a natural-sounding human voice instead of a robotic one. Duplex can understand complex sentences, fast speech and long remarks, and is so authentic that Google has already said that, in the interests of transparency, it will build-in the requirement to inform those receiving a call that it is from Google Assistant / Google Duplex.

Amazon, IBM, Microsoft and Cisco are also all thought to be in the market to get highly convincing and effective automated agents.

Only Bad Bots

The new bot law, which won’t officially take effect until July 2019 is only designed to outlaw bots that are made and deployed with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving.

Get Rid of Default Passwords

The other recent tech law passed in California and making the news is a law banning easy to crack but surprisingly popular default passwords, such as ‘admin’, ‘123456’ and ‘password’ in all new consumer electronics from 2020. In 2017, for example, the most commonly used passwords were reported to be 123456, password, 12345678 and qwerty (Splashdata). ‘Admin’ also made number 11 on the top 25 most popular password lists, and it is estimated that 10% of people have used at least one of the 25 worst passwords on the list, with nearly 3% of people having used the worst password, 123456.

The fear is, of course, that weak passwords are a security risk anyway, and leaving easy default passwords in consumer electronics products and routers from service providers has been a way to give hackers easier access to the IoT. Devices that have been taken over because of poor passwords can be used to conduct cyber attacks e.g. as part of a botnet in a DDoS attack, without a user’s knowledge.

Password Law

The new law requires each device to come with a pre-programmed password that is unique to each device, and mandates any new device to contain a security feature that asks the user to generate a new means of authentication before access is granted to the device for the first time. This means that users will be forced to change the unique password to something new as soon as the device is switched on for the first time.

What Does This Mean For Your Business?

For businesses using bots to engage with customers, if the organisation has good intentions, there should not be a problem with making sure that the bot informs people that it is a bot and not a human, As AI bots become more complex and convincing, this law may become more valuable. Some critics, however, see the passing of this law as another of the many reactions and messages being sent about interference by foreign powers e.g. Russia, in US or UK affairs.

Stopping the use of default passwords in electrical devices and forcing users to change the password on first use of the item sounds like a very useful and practical law that could go some way to preventing some hackers from gaining easy access to and taking over IoT devices e.g. for use as part of a botnet in bigger attacks. It has long been known that having the same default password in IoT devices and some popular routers has been a vulnerability that, unknown to the buyers of those devices, has given cyber-criminals the upper hand. A law of this kind, therefore, must at least go some way in protecting consumers and the companies making smart electrical devices.

How Business Emails Are Vulnerable

Research by digital risk management and threat intelligence firm Digital Shadows has revealed that company credentials and emails that can be easily accessed on the web are making it easier for cyber-criminals to target businesses with attacks.

What’s Are The Problems?

According to the research, businesses may be suffering targeted attacks because several key problems that are caused by the results of previous hacks and breaches, and by current poor security practices. These problems are that:

  • Around 12.5 million company email archive files are publicly accessible due to misconfigured archive storage drives e.g. FTP and Amazon S3 buckets. Business emails contain sensitive personal and financial information e.g. the research uncovered 27,000 invoices, 7,000 purchase orders and 21,000 payment records. These things are valuable to cyber-criminals as they help them to target attack methods such as phishing.
  • Improper backing-up of email archives has contributed to their exposure online.
  • Criminal forums e.g. on the dark web, now contain some 33,568 finance department email addresses that have been exposed in third-party breaches, 27,992 of which have passwords associated with them. These forums also contain large numbers of the business of email access credentials, some of which are reported by the research to be worth $5,000 for a single username and password pair to cyber-criminals.
  • Email hacking services can be purchased for as little as $150, with results available in a week or less. The researchers were even offered a 20% share of the proceeds that could be harvested from exploiting email vulnerabilities.

What Does This Mean For Your Business?

Business email credentials have a high potential return on investment to cyber-criminals, and therefore have a high value, which is why many cyber-criminals feel that it is worth looking for them and paying substantial amounts for them on criminal forums. The high value may mean that criminals may even collaborate to target larger organisations. Hacks and breaches over time, together with the subsequent buying and selling of the stolen email credentials may mean that many businesses are exposed to multiple types of email attack such as phishing, and man-in-the-middle attacks without even knowing it.

One thing the research does show is that by tightening up email security practices, businesses could reduce the risks that they face. Measures that companies could take to help reduce such risks include:

  • Including business email compromise (BEC) in business continuity planning and disaster recovery planning.
  • Strengthening wire transfer / BACs controls by e.g. building-in manual controls and as well as multiple-person authorisations to approve significant amounts.
  • Improving staff training to enable them to follow practices that minimise company email and other security risks.
  • Continuously monitoring for any exposed credentials (particularly those of finance department emails), and conducting assessments of executives’ digital footprints e.g. using Google Alerts to track new web content related to them.
  • Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.
    Being very careful where contractors back-up emails on network-attached storage (NAS) devices is concerned. Making users have passwords, disabling guest / anonymous access, and insisting on NAS devices that are secured by default could help.

Goodbye Skype Classic, Hello Blockchain-as-a-Service

Just as November will see Microsoft asking Skype users to switch from Skype Classic to version 8, tech commentators are predicting that Microsoft and other companies will be looking to start reaping the financial benefits of offering blockchain as a service (BaaS).

Skype Classic Replaced By Version 8

Microsoft has announced that it will be moving all users of the Classic version of its Skype video call software to version 8 of the software from 1st November for desktop, and 15th November for mobile and tablets.

The company says that it will be sending out notifications to those using the older versions of Skype by the end of October to warn them that they may lose functionality if they don’t switch to version 8.

Why?

The reason for the move is to ensure that users of desktop and smaller screens i.e. tablets or mobiles have the same experience of the program. This is because version 8 applications have been optimized to work in conjunction with modern, mobile-friendly cloud services architecture.

Fewer Features, For Now

Microsoft has admitted that the newer version of Skype won’t offer the same features as the previous versions, but the company has said that it plans to re-introduce some of those features.

Meanwhile, Skype’s Insider community is able to access and test the new ‘Skype 14’ via the Microsoft Store.

Making The Most of Blockchain

Tech commentators have noted that Microsoft and many of the other big tech companies, including Amazon and Oracle, are now looking to make the most of the growing blockchain as a service (BaaS) market. Microsoft was one of the first software vendors to offer BaaS on its Azure cloud platform as far back as 2015, but the predictions are that from the end of this year onwards, the market (estimated to be worth $7billion) will start to grow rapidly.

What Is Blockchain?

Blockchain, the open-source, free technology behind crypto-currencies like Bitcoin, is an incorruptible peer-to-peer network (a kind of ledger) that allows multiple parties to transfer value in a secure and transparent way. Blockchain’s Co-Founder Nic Carey describes blockchain as being like “a big spreadsheet in the cloud that anyone can use, but no one can erase or modify”.

Why?

The BaaS market is likely to take off in a much bigger way because it offers enterprises the chance to deploy distributed ledgers without the cost or risk of deploying it in-house, and without needing to find in-house developers.

Big Tech Companies Well-Placed

Tech commentators have noted that as well as Microsoft, big companies who look well-placed to have the resources claim a major stake in the BaaS market include Amazon, Oracle, Salesforce.com, and VMware.

It is also believed that large online real-estate/mortgage companies such as Redfin, Zillow, and LendingTree could benefit from using blockchain-based online services in the transfer of property.

Real-World Blockchain Examples

The benefits of blockchain technology are already being in enjoyed by many companies, and some of the ways that it is currently being deployed include:

  • Walmart’s pilots where the time it takes to trace a food item from shop to farm was reduced, through the use of blockchain, from 7 days to just 2.2 seconds.
  • A pilot project between car-maker BMW and start-up Circulor with a view to eliminating battery minerals produced using child labour. In that project, blockchain is being used to help provide a way to prove that artisanal miners are not using child labour in their cobalt mining activities.
  • Using the data on a blockchain ledger to record the temperature of sensitive medicines being transported from manufacturer to hospital in hot climates. The ‘incorruptible’ aspect of the blockchain data gives a clear record of care and responsibility along the whole supply chain.
  • Using an IBM-based blockchain ledger to record data about wine certification, ownership and storage history. This has helped to combat fraud in the industry and has provided provenance and re-assurance to buyers.
  • Shipping Company Maersk using a blockchain-based system for tracking consignments that addresses visibility and efficiency i.e. digitising a formerly paper-based process that involved multiple interactions.
  • Start-up company ‘Electron’ building a blockchain-based system for sharing information between those involved in supplying energy which could speed up and simplify the supplier switching process. It may also be used for smart grid processes, such as local load-balancing of supply and demand.

Launches

It has also been reported that Hewlett-Packard Enterprise (HPE) has launched a BaaS flexible charging offering, and SAP has also launched BaaS on its Leonardo digital software platform.

What Does This Mean For Your Business?

The fact that we now use mobiles devices more than desktop computers for work and leisure made it more or less inevitable that Microsoft would want to make changes to Skype to make the mobile experience of the program a priority.

The benefits of blockchain technology are just starting to be realised and exploited by many different companies around the world. The BaaS market is, therefore, still at the beginning of the curve, and it makes sense that big tech companies are well placed to be in the market early with their enterprise offerings. BaaS offers businesses the opportunity to harness the power and unique benefits of blockchain without the costs, and difficulties of trying to develop their own in-house offerings. Blockchain has already proven itself to be a technology that can save time and costs, provide fast and secure traceability, visibility and efficiency, and provide a real competitive advantage for companies that are willing to investigate how it could be used to add value to their particular business.

Even governments and cities around the world have realised the benefits and are committing considerable resources to the use of blockchain. For example, Dubai has committed to putting all of its documents on blockchain in the next few years and has founded a public-private initiative called the Global Blockchain Council to foster the development and use of blockchain technology in and between local government teams, local businesses and international start-ups.

Facebook Hack Keeps Getting Worse

As if the recent Facebook hack of 50 million user accounts that was discovered on 25th September wasn’t bad enough, it became apparent that it could also affect “Facebook Login” service, which allows other apps to use people’s Facebook account to login.

What Happened?

On Tuesday 25 September, Facebook engineers discovered that hackers had used a vulnerability in Facebook’s “View As” feature (which lets people see how their profiles appear to others) to steal digital keys known as “access tokens” from any accounts of people whose profiles were searched for using the “View As” feature. This meant that hackers were able to move from one Facebook friend to another, taking control of all those accounts along the way. It is estimated that the staggering number of 50 million user accounts were compromised in this way.

It has been reported that Facebook had noted a spike in the number of people using the “View As” feature in relations to Facebook’s video uploading feature for posting “happy birthday” messages (a known, year-old vulnerability), but didn’t put two and two together at that point. Even though the hack was reported to have been discovered by Facebook on Thursday 25th September, It is now thought that the hack actually took place on 16th September.

Reporting Problems

Even though less than 10% of the 50 million Facebook accounts affected by the security breach were in the European Union, this is still a significant number, and required a report within 72 hours of discovery of the breach to comply with GDPR. It has been reported, however, that Ireland’s Data Protection Commission (DPC) has said that Facebook’s initial notification to the regulator about the breach (on Thursday) didn’t have enough detail, and this could lead to an official investigation and possibly some (substantial) fines. Facebook’s discovery of the breach on the Tuesday, and notification to Ireland DPC on the Thursday meant that, at least it kept within the 72-hour disclosure deadline required under GDPR.

Worse – Other Services Using Login By Facebook Could Be Affected

One of the things that has made the breach even worse than was previously thought is that, if you use Facebook to log into other services, such as Instagram (owned by Facebook), Tinder, Spotify and even Airbnb, the attackers could also use the stolen access tokens to gain the same level of access to any of these, and may have been able to steal all of your profile info, photos, private messages and more. The fact that the hackers have stolen tokens means that they don’t need to enter a username and password to access a site because the token is a signal that they’re already logged in.

Fixed, Says Facebook

Facebook has reported that it has now fixed the flaw by logging everyone out of their accounts and suspending the “view as” feature.

What Does This Mean For Your Business?

This hack was on a massive scale, and was the biggest in Facebook’s history, coming not long after the revelations about Facebook’s sharing of its customer data with Cambridge Analytica for political purposes. This has undoubtedly dealt another blow to Facebook’s reputation but more importantly, it could lead to further problems for Facebook’s users. The fact that the hackers were able to steal tokens, thereby rendering strong passwords and multi-factor authentication useless (which is frightening in itself), means that the attackers could use any personal data and information that they may have harvested from Facebook and other Facebook login sites to target users in future cyber attacks. The information taken could, for example, be used in phishing attacks, fraud, and even blackmail. The information used for blackmail (photos, private messages, etc) could even cause damage to personal and work relationships.

Once again, it seems, we can’t trust a major tech company to adequately protect our personal data and information, even after it has gone to the trouble, over the last few months, of spending large amounts on advertising campaigns to tell us how much it can be trusted. Even though the initial crime appears to be a large-scale hack, the fact is that users could find themselves being the victim of cyber attacks in future because of the information that has been stolen.

Chrome Extensions Get Security, Privacy and Performance Boost

Following the introduction last month of Google Chrome 69’s better password protection, Google has announced that Chrome 70 will bring trustworthy extensions by default.

What Are Extensions?

The Chrome extension system, introduced to the browser nearly a decade ago, has enabled the introduction of 180,000 different extensions which are small, bolt-on software programs that allow Google Chrome users to customize their browsing experience through functionality and behaviour that suits their individual needs or preferences.

Extensions are typically built using HTML, JavaScript, and CSS and are available in the Chrome Web Store. Google says that the dual mission of its extension team is to “help users tailor Chrome’s functionality to their individual needs and interests, and to empower developers to build rich and useful extensions”.

What’s Been The Problem?

One of the main problems with Chrome extensions has been that remotely hosted code in some extensions can be changed, used to manipulate websites, and used for criminal purposes. For example, Chrome extensions have increasingly been used to hide malware, even when they’ve been downloaded from the official Chrome store, and Google has reported a 70% increase in malicious extension installs over the last two and a half years.

For Google, this has created a lack of trust among users, has led to worries about transparency and the scope of their extensions’ capabilities and data access, has generated bad publicity, and has made Google’s own extension review process more complex, costly, and time-consuming.

Improvements

Google says that it has already addressed some of the security, privacy and performance concerns through the launch of out-of-process iframes, the removal of inline installation, and advancements in the detection and blocking of malicious extensions using machine learning.

New code reliability requirements also mean that Chrome Web Store will no longer allow extensions with obfuscated code. This is essentially code that’s difficult to understand and can be used to hide malicious code, and its complexity makes Google’s review process more difficult.

Google has also announced that further improvements will be made to Chrome extensions in Chrome 70 that should go even further in addressing these issues. For example, improvements will include:

  • Better controls for host permissions. This means giving users the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.
  • Required 2-step verification (in 2019) for Chrome Web Store developer accounts, in order to improve security.
  • The introduction of Manifest v3 to make the writing of a secure and performant extension much easier.

What Does This Mean For Your Business?

Google Chrome is the most widely used browser, favoured by 60% of browser users. Bearing in mind the 70% increase in malicious extension installs over the last two and a half years, some would say that these mainly security-based improvements to extensions are certainly necessary, and are long overdue. Bad extensions have proven to be the weak link in a strong browser and have provided a loophole that has been exploited by cyber-criminals enabling them to link computers to botnets, steal personal details, and enable crypto-currency mining on a large scale.

Businesses using Google Chrome should now get some reassurance that Google is plugging the security holes that some extensions have created, which should mean one less thing to worry about for the time-being in the ongoing battle with evolving and potentially costly cyber threats.

New Chrome 69 Creates Better Passwords, Among Other Features

Chrome 69, the latest version of the Google browser which is now 10 years old, has a number of value-adding new features, including the ability to automatically generate strong passwords.

Improved Password Manager

This latest version of Chrome has an improved password manager that is perhaps more fitting of the browser that is favoured by 60% of browser users, many of whom still rely upon using very weak passwords. For example, the most commonly used passwords in 2017 were reported to be 123456, password, 12345678 and qwerty.

The updated password manger in Chrome 69 hopes to make serious inroads into this most simple of human errors by recommending strong passwords when users sign up for websites or update settings. The Chrome 69 password manager will suggest passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it will be able to add these. Users will be able to manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 will then store the password on a laptop or phone so that users don’t have to write it down or try and remember it (as long as they are using the same device).

Other Features

Other new and improved features of Chrome 69 include:

Faster and more accurate form-filling: Google says that because information such as passwords, addresses and credit card numbers are saved in a user’s Google account and can be accessed directly from the from the Chrome toolbar, Chrome can make it much easier and faster to fill-out online checkout forms.

Combined search and address bar (improvements): In Chrome 69, users will have a combined search and address bar (the Omnibox), which shows the answers directly in the address bar without users having to open a new tab, thereby making it more convenient. Also, if there are several tabs open across three browser windows, for example, a search in the Omnibox will tell users if that website’s already open and will allow navigation straight to it with “Switch to tab”. Google says that users will soon also be able to search files from your Google Drive directly in the Omnibox too.

CSS Snap: This feature allows developers to create smoother browsing experiences. It does this by telling the browser where to stop after each scrolling operation, and is particularly useful for displaying carousels and paginated sections to guide users to the next slide or section.

Put The www. Back!

There was some controversy and protests from some Chrome users over the way that, in order to take account of the limited space on mobile screens, and for greater security (to stop confusion with phishing URLs), version 69 of Chrome has been made to no longer show the www. part of a URL (and the m. on mobiles) in the address bar. It is worth mentioning at this point that Apple’s Safari also hides URL characters. Some critics of Google’s move to this system have said that it could confuse users into thinking that they’re at the wrong website.

Other Criticism

Some more cynical / informed commentators have suggested that the change in URL display is actually more to do with AMP system and AMP cache which benefits the advertising side of Google’s business.

What Does This Mean For Your Business?

The changes in Chrome 69 that encourage and facilitate the use of much stronger passwords may be a little overdue, but it has to be good news for the security of all Chrome users. The speedier form-filling will also be a time-saver in an age where many people now carry out many of their daily transactions online and on mobile devices.

Even though stronger passwords are a good thing, security has now moved on again from those, because they have been found to be less secure than biometrics and other access methods.

The new Chrome 69 has been released, but so has the beta version of Chrome 70, and it remains to be seen how security is upgraded yet again in subsequent versions as cyber-crime threats become more wide-ranging and sophisticated.

Find Out What ‘Deep Fakes’ Are and Why They’re A Threat

Deep fakes are digitally manipulated videos that have been created using deep learning technology to make the subject of the video (often a famous person) say anything the video maker wants them to say, even incorporating the style and facial expressions of another person.

Example

An example here is a video that demonstrates the technique, and features a fake video of Barack Obama saying things that he would never normally (publicly) say. Example : https://www.youtube.com/watch?v=AmUC4m6w1wo

Improving Fast

The technique, which had its less than auspicious first uses in pornography, where porn actors were made to look and sound like famous people, has much improved and become arguably more convincing as deep learning and AI have led to more seamless and convincing results.

Style Transfer

The development of the technology used in deep fake videos has improved to the point where even a person’s style can be superimposed and incorporated. An example of this can be seen in videos created by researchers at Carnegie Mellon University, who have been able to use artificial intelligence technology to transfer the facial expressions of one person in a video to another.

See this example on YouTube: https://www.youtube.com/watch?v=ehD3C60i6lw where John Oliver is made to reflect the style of Stephen Colbert, a daffodil is made to bloom (time lapse) the same way as a hibiscus, and Barack Obama is given the same facial expressions and style as Dr Martin Luther King and President Donald Trump.

What’s The Danger?

The danger, according to US lawmakers and intelligence organisations, is that videos could be made by adversarial nation states and used as another tool in disinformation campaigns. For example, at key moments, politicians and other influential figures could be made to appear to make false and /or inflammatory statements that could be believed by less politically aware recipients. In short, these videos could be used to influence opinions e.g. at election-time, and could afford a foreign power a way to interfere that relies upon human error – the same thing that many successful cyber attacks have relied upon.

What Does This Mean For Your Business?

With the US Midterm elections on the way, with allegations of Russian interference and possible collusion still hanging over President Trump’s head, and with some evidence that Facebook was used by a foreign power to try an influence the last US election result, it is understandable that the US government is worried about any tools that could be used to interfere in their democratic process. This is one of the reasons why Microsoft has seized 6 phishing domains that allegedly belong to Russian government hackers, and has introduced a pilot AccountGuard secure email service for election candidates.

If the technology behind deep fake videos keeps improving, it is possible to see it being used as another tool in other types of cyber-crime.

There is, of course, an upside and some ways that deep fake technology can be used in a positive way. For example, deep fake could be used to help film-makers to reduce costs and speed up work, make humorous videos and advertisements, and even help in corporate training.

UK Government Guilty of Mass Surveillance Human Rights Breach

The European Court of Human Rights in Strasbourg has found the UK government guilty of violating the right to privacy of citizens under the European convention because the safeguards within the government’s system for bulk interception of communications were not strong enough to provide guarantees against abuse.

The Case

The case which led to the verdict, was brought against the UK government by 14 human rights groups, journalism organisations, and privacy organisations such as Amnesty International, Big Brother Watch and Liberty in the wake of the 2013 revelations by Edward Snowden, specifically that GCHQ was secretly intercepting communications traffic via fibre-optic undersea cables.

In essence, although the court, which voted by a majority of five to two votes against the UK government, accepted that police and intelligence agencies need covert surveillance powers to tackle threats, those threats do not justify spying on every citizen without adequate protections.

Three Main Points

The ruling against the UK government in this case centred on three points – firstly the regime for bulk interception of communications (under section 8(4) of RIPA), secondly the system for collection communications data (under Chapter II of RIPA), and finally the intelligence sharing programme.

The UK government was found to breach the convention on the first 2 points, but the ECHR didn’t find a legal problem with GCHQ’s regime for sharing sensitive digital intelligence with foreign governments. Also, the court decided that bulk interception with tighter safeguards was permissible.

Key Points

Some of the key points highlighted by the rulings against the UK government, in this case, are that:

  • Bulk interception is not unlawful in itself, but the oversight of that apparatus was not up to scratch in this case.
  • The system governing the bulk interception of communications is not capable of keeping interference to what is strictly necessary for a democratic society.
  • There was concern that the government could examine the who, when and where of a communication, apparently without restriction i.e. problems with safeguards around ‘related data’. The worry is that related communications data is capable of painting an intimate picture of a person e.g. through mapping social networks, location tracking and insights into who they interacted with.
  • There had been a violation of Article 10 relating to the right to freedom of expression for two of the parties (journalists), because of the lack of sufficient safeguards in respect of confidential journalist material.

Privacy Groups Triumphant

Privacy groups were clearly very pleased with the outcome. For example, the Director of Big Brother Watch is reported as saying that the judgement was a step towards protecting millions of law-abiding citizens from unjustified intrusion.

What Does This Mean For Your Business?

Like the courts, we are all aware that we face threats of terrorism, online sexual abuse and other crimes, and that advancements in technology have made it easier for terrorists and criminals to evade detection, and that surveillance is likely to be a useful technique to help protect us all, our families and our businesses.

However, we should have a right to privacy, particularly if we feel strongly that there is no reason for the government to be collecting and sharing information about us that, with the addition of related data, could identify us not just to the government but to any other parties who come into contact with that data.

The reality of 2018 is that we now live in a country where in addition to CCTV surveillance, we have the right to surveillance set in law. The UK ‘Snooper’s Charter’ / Investigatory Powers Act became law in November 2016 and was designed to extend the reach of state surveillance in Britain. The Charter requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months, and also to give the police, security services and official agencies unprecedented access to that data. The Charter also means that security services and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Although businesses and many citizens prefer to operate in a safe and predictable environment, and trust governments to operate surveillance just for this purpose and with the right safeguards in place, many are not prepared to blindly accept the situation. Many people and businesses (communications companies, social media, and web companies) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state.

This latest ruling against the government won’t stop bulk surveillance or the sharing of data with intelligence partners, but many see it as a blow against a law that makes them uneasy in a time when GDPR is supposed to have given us power over what happens to our data.