Internet Security

‘Five Eyes’ Demand Back Door Access To Encrypted Services … Or Else

The frustration of the so-called ‘Five Eyes’ governments in not being allowed access to end-to-end encrypted apps such as WhatsApp has boiled over into the threat of enforcement via legislative (or other) measures.

Who Are The ‘Five Eyes’?

The so-called ‘Five Eyes’ refers to the intelligence alliance of the governments of the UK, US, Canada, Australia, and New Zealand. Dating back to just after World War 2, the alliance is now secured by the UKUSA Agreement, a treaty for joint cooperation in signals intelligence.

What’s The Problem?

The argument from the government perspective is that end-to-end encryption in apps such as WhatsApp and services such as Google is preventing them from gaining access to conversations of criminals, terrorists and organized crime groups, and that tech companies are refusing to build ‘back doors’ into these services to enable governments to snoop.

The argument from tech companies that use end-to-end encryption in their services is that they are private companies with a duty and responsibility to protect the personal details of their customers, to protect the free speech that takes place on their platforms, and to prevent the likely loss of customers / users and damage to their brand and image if they were known publicly to be allowing government snooping. Also, tech companies argue that if ‘back doors’ are built into supposedly encrypted and secure services, then they are no longer secure or fully encrypted, and they could be accessed by cyber-criminals, thereby posing a security threat to users.

Example

Former Home Secretary Amber Rudd (since replaced by Sajid Javid) was particularly vocal about the subject, and pressed for a back door to be built into WhatsApp and other encrypted messaging services after the London terror attacks in 2017 and after it was discovered that terrorist Khalid Masood, who killed four people outside parliament, had used WhatsApp a few minutes before he launched his attack.

Also, an assessment by the UK’s National Crime Agency (NCA) earlier this year said that encryption impacts how effective law enforcement organisations can be in gathering intelligence and collecting evidence. This is particularly topical in the UK now, since Facebook recently refused to give the login details of a murder suspect to police, who are investigating the murder of Lucy McHugh.

Threats From The Five Eyes

The Five Eyes are reported to have warned that if the tech industry does not voluntarily establish lawful access to their products (e.g. back doors), they may pursue enforcement via legislative or other measures in order to guarantee entry.

The Five Country Ministerial (FCM) has also concluded that the industry needs to implement functions that prevent illicit and harmful content from being uploaded in the first place, and build user safety into the design of all online platforms.

What Does This Mean For Your Business?

While it sounds reasonable and understandable that law enforcement and intelligence services would like to be able to have access to encrypted apps and services in the interests of national security in fighting terrorism and reducing crime, building in back doors to encryption means that it’s no longer encrypted and secure. These ‘back-doors’ could also, therefore, be accessed by cyber-criminals, thus causing a security threat to millions of users, most of whom aren’t terrorists or criminals. A security breach (e.g. using a back-door) could also cause major damage to the app / service-providing company in fines, lost customers/revenue and bad publicity.

There is also an argument that the privacy of users of currently encrypted apps and services could be compromised in a ‘big brother’ style way as governments and intelligence agencies are given carte blanche to snoop, and are unlikely to be transparent about just what they are snooping on. Many privacy campaigners feel that we already have enough surveillance e.g. CCTV and the power granted by the Investigatory Powers Act (aka the ‘Snoopers Charter’).

Tech companies have good commercial and other reasons for not budging in their stance, while governments can also provide convincing arguments for the building of back-doors. As with so many other powerful private companies such as the tech companies, it may take the threat of (or actual) imposed regulation and legislation to make them give any ground in an argument that is likely to run further yet.

Google Search Results Biased Says Trump

President Donald Trump has criticised Google for what he sees as hiding “fair media” coverage of him in its search engine results in a way that amounts to left-wing political bias and negativity.

Tweeting Again

The US President’s latest swipe at a tech giant accused Google of prioritising negative news stories from the “national left-wing media”.

He went so far as to say that his perceived promotion by Google of mainstream (left-wing) media outlets such as CNN, and the suppression of conservative political voices amounted to a dangerous action and a “very serious situation”.

Prompted By Fox News Report?

It has long been known that President Trump’s favourite (right-wing) news channel is Fox News. Many commentators believe that it may be no coincidence that his criticism of Google via Twitter followed the morning after a feature about the matter on Fox News.

The segment featured details of a report by Paula Bolyard who said she had performed test searches in Google on many different computers registered to different users, and that she found that 96% of the news articles presented by Google for the phrase “Trump news” were from left-wing news outlets. This is the exact figure that President Trump reported in his tweets. While Ms Bolyard accepted that this was not a scientific experiment, she noted that it did suggest a “bias against right-leaning content.”

Paula Bolyard is also a supervising editor at PJ Media, the conservative news site.

Search Not Used To Set A Political Agenda

Google’s response has been to re-iterate that its search feature, which is controlled by automatic algorithms, is not used to set a political agenda, and that the results of searches aren’t biased toward any political ideology.

Google’s search algorithms are reported to take into account over 200 different factors, and these algorithms are regularly changed and improved to make sure that they find the most relevant links to user queries as quickly as possible.

One possible explanation for sites such as CNN.com and NYTimes.com ranking highly in searches is the fact that they are likely to have many readers linking to them, and they are very popular sites.

What Does This Mean For Your Business?

Google (Alphabet Inc) is a private company, and as one U.S. member of Congress Ted Lieu pointed out in a tweet responding to President Trump’s tweets, courts would not tolerate governments trying to dictate the free speech algorithms of private companies.

It is, however, important to note that President Trump’s comments can have a direct and fast effect on any countries / industries / businesses that he focuses on. For example, as well as shares of Alphabet falling 0.3% after Mr Trump’s accusations, President Trump’s warning against countries doing business with Iran forced the EU to bring in a blocking statute to protect EU firms and a means to allow EU businesses affected by the sanctions to sue the US administration.

Many see these latest comments as a continuation of President Trump’s criticism of news media coverage of him, a desire to exert control over what’s being said, and as a way to apply more pressure to tech companies to clamp down on anything that could point to any foreign interference in and disruption of US politics, especially in the wake of accusations of Russian influence and Facebook being used to spread messages that may have affected the US election result. Facebook and Twitter have also been in the US administration’s firing line over accusations of removing content from some conservatives, and being called upon to remove conspiracy-driven content and hate speech.

This is a war of words with economic consequences that is likely to continue.

New Australian Law Gets The Thumbs-Down From Tech Firms

In Australia, a new draft bill proposing ways for tech firms, software developers and others to assist security agencies and police has been given the thumbs-down by a major industry group over its ambiguity, and the potential security risks it could create.

What Bill?

The new “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” is a Bill for an Act to amend the law relating to telecommunications, computer access warrants and search warrants, and for ‘other purposes’.

The bill proposes that a ‘technical assistance request’ may be given to a tech company e.g. a social media or chat app company asking that provider to offer ‘voluntary’ help in the form of ‘technical assistance’ to the Australian Secret Intelligence Service or an ‘interception agency’ with a view to enforcing / helping to enforce the criminal law, protecting the public revenue, and / or acting in the interests of Australia’s national security, foreign relations, or economic well being.

What Kind of Technical Assistance?

In essence, those who have interpreted and reacted publicly to the contents of the bill have taken it to mean that as part of the Australian government’s fight against the criminal use of encrypted communications (end-to-end encryption), tech firms will be asked to build weaknesses / ‘back doors’ into their products/ services that will enable government monitoring.

For example, the UK government (under then Home Secretary Amber Rudd) were seeking ‘back door’ access to encrypted apps such as Facebook’s WhatsApp on the grounds that terror suspects were known to have used it for communication prior to the Westminster attack. At the time, WhatsApp refused to co-operate on the grounds that end-to-end encryption prevented even its own technicians from reading people’s messages.

WhatsApp has also been blocked three times in Brazil for failing to hand over information relating to criminal investigations.

Worked In Germany

Presumably, and ideally, the new bill would be used in Australia in the same way that a back door built into the German encrypted communications app ‘Telegram’ allowed law enforcement agencies to access messages, enabling them to foil a planned suicide attack on a Christmas market in 2016.

Digi Objects

The loudest critic of the new Bill in Australia has been the Digital Industry Group (known as ‘Digi’) whose members include Facebook, Google and Twitter. Their main arguments against the bill are that it is ambiguous and lacks judicial oversight, and building any back-doors for government agencies into encrypted services will also be creating access for criminals to exploit. Big social media tech firms say, for example, that building such potential vulnerabilities into their services could not only leave the majority of their customers vulnerable to attack for the sake of catching a minority, but could also undermine the essential trust in their services.

What Does This Mean For Your Business?

Privacy, security, and freedom from unnecessary surveillance are valued concerns by individuals and businesses, but national security is also an issue, and is something that affects the wider economy. The bill from the Australian government is the latest in a long line of similar requests that the big tech companies are facing from governments around the world. The conundrum, however, is the same. Tech companies are private businesses whose services allow users to share personal data, and they need the trust of their users that privacy and security will be preserved, and yet governments would like access to the private conversations, hopefully just for national security purposes. Also, once a back door is built into an encrypted service (e.g. end-to-end encrypted services), it is no longer really secure, and all users could potentially be at risk. Bills suggesting that help by tech firms would be ‘voluntary’ are also likely to mean that failure to comply voluntarily would undoubtedly have negative consequences for tech firms (e.g. fines).

As freedom and privacy groups would point out, there is also some mistrust over government motives for accessing more of our private conversations and details, and in the wake of the Facebook / Cambridge Analytica scandal for example, there are questions about just who else our details and private conversations and opinions could be shared with and how that could be used. It is also a fact that governments tend not to like communications tools and currencies (e.g. Bitcoin) that they can’t access, control, or regulate.

The ‘big brother’ element to bills like these worries citizens in all countries, and some tech companies, which are certainly not blameless (e.g. on user tracking and data sharing activities) are likely to try and hold out as long as possible from publicly being seen to be co-operating with any wide-scale government surveillance.

Superdrug Customers Informed of Hack

Superdrug is reported to have advised online customers to change their passwords after it was targeted by hackers who claim to have stolen the details of approximately 20,000 Superdrug customers.

Hundreds Compromised – Could Be More

To date, Superdrug has confirmed that 386 customer accounts are known to have been compromised, but that it is still working to try to establish the exact number. It is possible, therefore, that the number could be many more.

Contacted By Hackers

Superdrug is reported to have been contacted by a person representing a hacking group and claiming to have hacked their systems, and this person provided stolen customer information as proof. Superdrug was able to confirm the authenticity of the information from their own record of customer email and log-in details. The hacker is reported to have claimed that the details belonging to 20,000 customers were stolen, and has asked for a ransom from Superdrug.

May Have Got From Elsewhere

Even though the assumption is that the mystery hackers got into Superdrug’s systems to get the customer data, Superdrug is claiming this is not the case and that the hackers got the customer login details from other websites and then used those credentials to access accounts on the Superdrug website.

What Kind of Details?

Superdrug has said that, of the compromised accounts that it knows about, names, addresses, some dates of birth, and some telephone numbers may have been stolen, but that no customer payment card details have been accessed.

Actions

Superdrug has said that it has contacted the Police and Action Fraud (the UK’s national fraud and cyber-crime arm) and is offering them all the information they need for an investigation.

Informed Customers

Those customers whose accounts had been compromised were sent an email by Superdrug explaining the situation, asking them to change their passwords, and advising them to change them regularly in future.

Anger Over Tweet

A tweet sent by Superdrug to confirm that the emails received by affected customers were genuine provoked anger, mostly because it failed to include an apology.

What Does This Mean For Your Business?

Although exact numbers of those affected and exact details of how customer data was obtained and accounts accessed have not yet been confirmed, the fact is that at least several hundred customers of a trusted high street brand have ended up being victims of crime, and Superdrug has (at the very least) a PR battle on its hands.

Sadly, Superdrug is one of many well-known companies with data breaches that have made the headlines, affected many customers, and damaged their own company reputations. For example, a Dixons Carphone breach from last year saw the theft of 10 million customer records.

Not just because of possible fines under GDPR, businesses and organisations should be putting customer data protection very high on the list of their business priorities. Strong data security policies, procedures, practices, and defences protect the customer, the company and its reputation, and the vital and valuable bond of trust between merchant and customer, and they send a message that customer security concerns are taken seriously.

Social Mapper Can Trace Your Face

Trustwave’s SpiderLabs has created a new penetration testing tool that uses facial recognition to trace your face through all your social media profiles, link your name to it, and identify which organisation you work for.

Why?

According to its (ethical) creators, Trustwave’s SpiderLabs, Social Mapper has been designed to help penetration testers (those tasked with conducting simulated attacks on computer systems to aid security) and red teamers (ethical hackers) to save time and expand target lists in the intelligence gathering phase of creating the social media phishing scenarios that are ultimately used to test an organisation’s cyber defences.

What Does It Do?

Social Mapper is an open source intelligence tool that employs facial recognition to correlate social media profiles across a number of different sites on a large scale. The software automates the process of searching the most popular social media sites for names and pictures of individuals in order to accurately detect and group a person’s presence. The results are then compiled in a report that can be quickly viewed and understood by a human operator.

How Does It Work?

Social Mapper works in 3 phases. Firstly, it is provided with names and pictures of people, e.g. via links in a CSV file, images in a folder or via people registered to a company on LinkedIn.

Secondly, in a time-consuming phase, it uses a Firefox browser to log in to social media sites and search for its targets by name. When it finds the top results, it downloads profile pictures and uses facial recognition checks to try and find a match. The social media sites it searches are LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo, and Douban.

Finally, it generates a report of the results.

What’s The Report Used For?

The report is designed to give the user a starting point to target individuals on social media for phishing, link-sharing, and password-snooping attacks.

For example, a user can create fake social media profiles to ‘friend’ targets and send them links to credential capturing landing pages or downloadable malware, trick users into disclosing their emails and phone numbers e.g. using vouchers and offers to tempt them into phishing traps, create custom phishing campaigns for each social media site, or even to physically look at photos of employees to find access card badges or to study aspects of building interiors.

What Does This Mean For Your Business?

In the right hands, Social Mapper sounds as though it could ultimately help businesses to improve their online security because it helps to create much better quality and more realistic testing scenarios on a larger scale that could uncover loopholes and shortcomings that current testing may not be able to find.

The worry, however, is that in the wrong hands it could be used by cyber-criminals to quickly gather information about a target business and its employees, thereby enabling potentially very effective phishing and password-snooping campaigns to be created. This detailed information could also be shared among and sold to other criminals which could mean that individuals could be subjected to a number of attacks over time through multiple channels.

The obvious hope is, therefore, that enough checks and security measures will be put in place by its creators thereby not allowing the software to fall into the wrong hands in the first place and be used by criminals against the businesses and organisations that it was designed to help.

Microsoft To Launch App-Testing Sandbox ‘InPrivate Desktop’ Feature

It has been reported that Microsoft is to launch InPrivate Desktop for a future version of Windows 10, a kind of throwaway sandbox that gives Admins a secure way to operate one-time tests of any untrusted apps / software.

Like A Virtual Machine

Although the new feature is still a bit hush-hush, and has actually been removed from the Windows 10 Insider programme, it is believed to act like a kind of in-box, speedy VM (virtual machine) that is then refreshed to use again after it has been used on a particular App.

Why?

The reason for the new feature, in the broader sense, is that it fits with moves announced by Microsoft in June 2017 to introduce next-generation security features to Windows 10.

ATP & WDAG

Back in June 2017, Microsoft specifically mentioned the integration of Windows Defender Advanced Threat Protection (ATP) as one of the next-generation security measures. ATP, for example, was designed to isolate and contain the threat if a user on a corporate network accidentally downloaded malicious software via their browser.

A security feature that some commentators have likened InPrivate Desktop to, and that was also specifically mentioned last June, was Windows Defender Application Guard (WDAG). Interestingly, WDAG isolates potential malware and exploits downloaded via a user’s browser and contains the threat using virtualisation-based security.

Spec Needed For InPrivate Desktop

Although the exact details of InPrivate Desktop are sketchy, we know that it is likely to be aimed at enterprises rather than individual users and that, as such, it is likely to need a reasonable spec to operate. It has been reported that in order to run the new feature / app at least 4GB of RAM, at least 5GB of free disk space, and two CPU cores will be needed.

When?

There is also still some speculation as to exactly when the InPrivate Desktop feature will make it to Windows 10. Some commentators have noted that it may not make it into Windows 10 ‘Redstone 5’, and looks likely to be rolled-out in a subsequent Windows 10 update which has been codenamed 19H1.

What Does This Mean For Your Business?

With support stopping for previous versions of Windows, and with all of us being forced into using Windows 10’s SaaS model, it makes sense that Microsoft adds more features to protect users, particularly businesses.

Adding malicious code to apps has been a method increasingly used by cyber-criminals to sneak under the radar, and having a secure space to test and isolate dubious / suspect apps will give Admins an extra tool to protect their organisation from evolving cyber-threats. It is extra-convenient that the testing feature / app sandbox will already be built-in to Windows 10.

IBM Makes Test Version of New Stealth AI Malware ‘DeepLocker’

IBM has announced that it has created its own stealth, ultra-evasive AI malware called ‘DeepLocker’ that can evade all traditional cyber-security protection, hide in normal applications, and only strike when it is sure it has reached its intended target.

Why?

Cyber-criminals are becoming ever more sophisticated in their methods, and the resources available to them have increased, e.g. as hackers have also worked in state-sponsored activities. Also, the world of Artificial Intelligence (AI) has come along in leaps and bounds in recent years, and the fear is that cyber-criminals could soon be deploying their own AI-powered malware. IBM has, therefore, decided to create its own version in order to see how it works and behaves, and thereby gain valuable information which could help it to reduce risks and find ways to counter such attacks.

DeepLocker

One of the things that makes DeepLocker so different to other malware that tends to take a scattergun approach to infection is that it can hide itself and its intent until it reaches a specific target.

This is down to DeepLocker using a deep neural network (DNN) AI model, a sophisticated computer system modelled on the human brain and nervous system. This DNN provides a kind of ‘black box’ that totally conceals the “trigger conditions”, and makes the attack almost impossible to decipher and reverse engineer. DeepLocker’s AI can, therefore, even convert its own concealed trigger condition (which has been transformed into a deep convolutional network) into a “password” or “key” to unlock its own attack payload when it identifies its victim. In this sense, it contains three layers of attack concealment.

Hides & Identifies

According to IBM, DeepLocker can hide itself completely in normal ‘carrier’ applications such as video conference software. This enables it to fly completely under the radar and avoid detection by most antivirus and malware scanners. It also allows it to be spread widely and without providing any clues that there is a threat.

What Does This Mean For Your Business?

Malware attacks have cost businesses, organisations and whole economies vast amounts of money and untold disruption and problems in recent times. Evasive malware has been evolving for many years now as cyber-criminals try to find their way around better security measures and more sophisticated sandboxes. AI attacks using ultra-evasive, stealth methods of the nature of DeepLocker represent the next frightening wave of attack that organisations and businesses will have to face. It is a good thing, therefore, that IBM has tried to take the initiative and gain a march on cyber-criminals who will undoubtedly seek to weaponise AI, by creating its own version in order to learn lessons in advance that could provide at least some level of protection and recommendations for counter-measures.

Google’s G Suite Will Warn Of State-Sponsored Attacks

Google has announced that it will be adding a feature to G Suite that will let businesses / organisations know if their users are being targeted by a government-backed cyber attack.

What Is G Suite?

G Suite is the package of cloud-based services designed to aid collaborative working, formerly known as Google Apps for Work. It was introduced in 2006, and has since been expanded to include apps like Gmail, Hangouts, Calendar, Google+, Drive, Docs, Sheets, Slides, Forms, and the digital interactive whiteboard Jamboard.

The New Alert Feature

The new feature, which will be added to the Admin console, will mean that Admins can choose to receive an email alert when Google detects a state-sponsored / government-backed attack attempt on a user’s account or computer e.g. via phishing, malware, or any other known method.

The alert feature will be turned off by default, but Admins can choose to turn the alerts on via Admin Console > Reports > Manage Alerts > Government backed attack.

If Admins choose to turn the feature on and make the alerts the default, they can decide who gets notified when attacks are suspected. In the first instance, alerts will be sent by email to Super Admins, but this can be changed to share the information with others via the same Console link.

Also, the feature allows Admins to choose what actions they want to take to secure an account on receiving the alert, and Admins can let the user know about the alert and any actions they have taken.

The launch of the new feature will go to both Rapid Release and Scheduled Release, will be available to all G Suite editions, and will be introduced in a gradual rollout (up to 15 days for feature visibility).

Warnings Since 2012

Even though this is a newly designed feature, Google has been warning users of any suspected targeting of their accounts by government-backed attackers since 2012.

Why The New Feature?

Google has introduced this feature for a number of reasons, the main one being that high-level nation-state cyber threats have become much more of a problem for organisations in recent times, either directly or indirectly through cyber-crime groups acting as state proxies.

GCHQ, for example, has reported seeing a crossover between nation states and criminal groups acting on their behalf, often with the same people working on nation-state cyber activities by day and criminal activities by night.

Also, Google wants to increase business confidence in its cloud-based services, and protect its business users from hacking.

Another influence that has prompted the introduction of the new feature is that competitors are offering something similar e.g. Microsoft’s new AccountGuard pilot program (currently only available for accounts from political organisations), introduced as part of its ‘Election Defence Technologies’ and offered by invitation only.

Being able to announce some good news about its security / privacy services for business clients has also been helpful at a time when Google has been criticised by The US Department of Homeland Security for potential problems with Gmail’s new confidentiality mode.

What Does This Mean For Your Business?

This crossover between nation states and criminal groups acting on their behalf has blurred the threat lines in the world of online security and necessitated the addition of this kind of feature. The fact that it has been designed to protect and reassure business users is clearly good news for G Suite users everywhere.

State-sponsored cyber attacks can cause huge damage and disruption to businesses that are directly or indirectly hit, and this can also have a negative knock-on effect on the wider economy too. It is good news, therefore, that businesses / organisations can now receive and manage alerts about potentially serious attacks, and this will add another layer of defence in an environment of evolving worldwide threats.

10 Million Affected by Dixons Carphone Data Breach

Dixons Carphone has announced that, after a review following a hack of its customers’ data, 10 million customers rather than the original estimate of 1.2 million have actually been affected.

What Happened?

Back in June, Dixons Carphone announced that a hacking attempt, which had actually taken place in July 2017, had been made on one of the processing systems of Currys PC World and Dixons Travel stores. The original announcement put the figures at an attempted theft of the details of 5.9 million credit and debit cards, with only 105,000 cards without chip-and-pin protection being leaked, and an estimated 1.2 million personal data records being accessed / compromised.

Millions More

This latest shocking announcement puts the number of customers thought to be affected at 10 million!

Dixons Carphone has apologised to customers, and has offered an assurance that the company is fully committed to making their personal data safe.

No Bank Details & No Fraud

Despite the large numbers of customers affected by the breach, Dixons Carphone has been quick to point out that no bank details were taken, and it has found no evidence that fraud had resulted from the breach.

Working With Cyber-Security Experts

The company has stated that it has been working hard with cyber-security experts since the breach and has put in further security measures to keep customer data safe in future.

The updated security measures taken have been reported to include closing off the unauthorised access, adding new (unspecified) security measures, and launching an immediate investigation.

Also, Dixons Carphone is reported to be in the process of contacting all of its customers to apologise and advise on what steps they can take to protect themselves.

Other Woes

The massive data breach is one of many woes that the company has been experiencing in recent times. Back in May, it was announced that Dixons Carphone highlighted people not renewing their handsets as frequently and a declining market for long-term mobile contracts as 2 main reasons for the planned closure of 92 of its 700 stores. The company was forced to act after a warning that the next year’s profits could be down £82 million led to shares in the company falling 20.7%. Share values had already fallen by 30% over the previous 12 months.

Market commentators have noted that a fall in the value of the pound (in the wake of Brexit) has made mobile handsets more expensive. Also, technical innovation has slowed, giving shoppers less reason to update their phones, meaning that they have been hanging onto their current handsets for longer.

What Does This Mean For Your Business?

We’re getting so used to hearing about data breaches where millions of people have been affected that we’re in danger of accepting it as normal. It’s important to remember that all companies, particularly with GDPR now in place, have at least a legal responsibility to protect the personal data of their stakeholders to the best of their abilities.

All businesses must surely be aware that cyber-criminals are now using sophisticated and multi-level methods on a daily basis to find their way into whatever weaknesses they can find, and large, well-known companies with millions of customers (and millions of valuable customer details) are obviously going to be prime targets. It is therefore not acceptable for a large company that is, no doubt, aware of the cyber threats in the business environment to allow the details of over 10 million customers to be taken, with customers only finding out and receiving an apology a year later.

Data protection should now be a priority issue in the boardroom, and even though some companies may be going through difficult times financially, data protection is not an area where they can really afford to let their guard down. The damage to reputations, the loss of customers, and fines from the ICO can now be enough to threaten the existence of a business, and even without the moral and ethical perspective, this should be enough of a motivator to keep businesses pushing to stay at least one step ahead of today’s known cyber threats.

Fake News Crowding Threat Outlined

UK MPs in the Digital, Culture, Media and Sport Committee (DCMSC) have been investigating the challenges and potential threat to democracy posed by ‘fake news’ crowding out real news, and have published their findings in a “Disinformation and ‘fake news’: Interim Report”.

Difficult To Identify & ‘Crowding Out’ Real News

Tory MP Damian Collins made the news this week by highlighting one of the main challenges, which is that people struggle to identify “fake news”, and the DCMSC report focused on how this challenge has been capitalised on by those seeking to influence elections.

The government is also concerned that the sheer volume of disseminated misinformation / fake news is beginning to crowd out real news.

UK Legal Framework Not Fit To Cope

The main points of the report are that fake news poses a threat to democracy, that the UK legal framework is not currently fit to cope with it, and that action needs to be taken by the Government and other regulatory agencies to build resilience against misinformation and disinformation.

The DCMSC Report

The 89-page report, which has been published online at https://publications.parliament.uk/pa/cm201719/cmselect/cmcumeds/363/363.pdf, covers the issues of the definition, role and legal responsibilities of tech companies, data targeting (based around the Facebook, GSR and Cambridge Analytica allegations), Russian influence in political campaigns, SCL influence in foreign elections, and digital literacy (and how it should be made the fourth pillar of digital education alongside reading, writing and maths).

Background

Some of the more worrying examples of the influence of fake news and the interests of some of the players considered by the government committee included:

– Facebook and Cambridge Analytica’s harvesting and sharing of the personal data of 87 million people to influence the outcome of the US 2016 presidential election and the UK Brexit referendum.

– Political donor Arron Banks being accused of misleading MPs about his meetings with the Russian Embassy, and his walking out of an evidence session to avoid scrutiny on the topic.

– Facebook’s deployment of ‘Free Service’ in Burma (data-free Facebook access) which was found by the United Nations to have played a key role in stirring up hatred against the Rohingya Muslim minority in Rakhine State, partly because people could only access news and content via Facebook.

Social Media Companies Made Liable?

The report also contains a recommendation that social media companies should be defined by a new category i.e. not just a ‘platform’ nor a ‘publisher’, and should be made liable to act against harmful or illegal content appearing on their platforms.

Other Recommendations

Other recommendations made in the report include the need to update electoral law, a new tax on social networks that could pay for digital literacy programmes in schools, the setting up of a code for political advertising on social media, greater transparency around online advertising, and a “digital Atlantic charter” to protect personal information and rights.

What Does This Mean For Your Business?

The business world is influenced by the political world, and vice versa. It is in the interests of businesses and governments that truly fake news is kept to a minimum and that certain parties (e.g. other nation states) aren’t allowed to exert significant influence on elections and referendums.

That said, states / governments around the world have for many years seen social media as a threat. Some governments have opted for a blanket blocking of social media whereas others have sought ways to gain some control over it by focusing on its negative aspects and / or by seeking regulation or even back-door access to users. It seems, however, that some international actors have seen social media as an opportunity for influence (e.g. alleged Russian use of Facebook to influence the US election) and this, in turn, has now helped those governments who feel threatened by it, e.g. by enabling them to discredit it as a legitimate news source, and thereby boost the credibility of their own state media.

Facebook has, after its involvement in the Cambridge Analytica scandal and the ‘Vote Leave’ campaign, played into the hands of those who would like to see it operated with greater regulation and control. Scandals like these have even helped the cause of world leaders such as President Trump, who appears able to simply say the phrase ‘fake news’ to counter any stories that could show him in a bad light, whether true or not.

Even our ‘real’ news is slanted in newspapers to reflect the views and allegiances of the newspaper’s owner, and it is commonplace, but accepted, that newspapers print some stories that are false / contain false information, for which they later simply issue an apology and carry on as normal.

Truth and trust are the victims of fake news, and just as governments are happy to focus on it as a threat and as a means to apply pressure to popular media that they can’t overtly control, they can also now see what a powerful opportunity it can be as another tool for influence.