Security

Ubicoustics Overhears Everything You Do … And Understands

Researchers in the US have presented a paper based on their research that identified a real-time, activity recognition system capable of interpreting collected sounds that could well be used by home smart speakers.

Identify Other Sounds, and Issue Responses

Researchers at Carnegie Mellon University in the US claim to have discovered a way in which the ubiquity of microphones in modern computing devices, together with software that uses a device’s always-on built-in microphones, could be used to identify all sounds in a room, thereby enabling context-related responses from smart devices. For example, if a smart device such as an Amazon Echo were equipped with the technology, and could identify the sound of a tap running in the background in a home, it could issue a reminder to turn the tap off.

Ubicoustics

The research project, dubbed ‘Ubicoustics’, identified how an AI / machine learning based sound-labeling model, drawing on sound effects libraries, could be linked to the microphone (as the listening element) of a smart device e.g. smart-watches, computers, mobile devices, and smart speakers.

As Good As A Human

The sound-identifying, machine-learning model used in the research system was able to achieve human-level performance in recognition accuracy and false positive rejection. The reported accuracy level of 80.4%, and the misclassification level of around one sound in five sounds, means that it is comparable to a person trying to identify a sound.

As well as being comparable to other high-performance sound recognition systems, the Ubicoustics system has the added benefit of being able to recognise a much wider range of activities without site-specific training.

Applications

The researchers noted several possible applications of the system used in conjunction with smart devices e.g. sending a notification when a laundry load finished, promoting public health by detecting frequent coughs or sneezes and enabling smart-watches to prompt healthy behaviours after tracking the onset of symptoms.

Privacy Concerns

The obvious worry with a system of this kind is that it could represent an invasion of privacy and could be used to take eavesdropping to a new level i.e. we could all be living in what is essentially a bugged house.

The researchers suggest a potential privacy protection measure could be to convert all live audio data into low resolution Mel spectrograms (64 bins), thereby making speech recovery sufficiently difficult, or simply running the acoustic model locally on devices so no audio data is transmitted.

What Does This Mean For Your Business?

The ability of a smart device to recognise all sounds in a room (as well as a person can) and to deliver relevant responses could be valued if used in a responsible, helpful, and not annoying way. That doesn’t detract from the fact that having a device with these capabilities in the home or office could represent a privacy and security risk, and has more than a whiff of ‘big brother’ about it. Indeed, the researchers recognised that people may not want sensitive, fine-grained data going to third-parties, and that operating a device with this system but without transmission of the data could provide a competitive edge in the marketplace.

Nevertheless, it could also represent new opportunities for customer service, diagnostics for home and business products / services, crime detection and prevention, targeted promotions, and a whole range of other possibilities.

New Facebook Rules For Political Ad Transparency In The UK

After the US and Brazil, the UK has become the next country to be subject to Facebook’s new rules that require those who wish to place a political advert on the social media platform to verify their identity and say who is funding the advert.

Verification

The new rule in the UK means that anyone who wishes to place an advert relating to a live political issue or promoting a UK political candidate, referencing political figures, political parties, elections, legislation before Parliament and past referenda that are the subject of national debate, will need to prove their identity, and prove that they are based in the UK. This will require them to have their passport / driving licence / resident permit checked by an authorised third-party organisation. The adverts they post will also have to carry a “Paid for by” disclaimer to enable Facebook users to see who they are engaging with when viewing the ad.

Political Advert Archive Too

The “Paid for by” link next to each political advert is linked through to a publicly searchable archive / library of political adverts. The archive / library shows a range of the ad’s budget and number of people reached, and the other ads that Page is running, and previous ads from the same source.

An advert archive of this kind was first launched by Facebook in the US back in May with the plan of making any ads published after May 7th 2018 available to view for up to seven years.

Why?

The rules on political advertising are being introduced in response to interference in the last US election and the UK referendum by state-funded actors from foreign powers (Russia has been accused), who posted adverts and content on Facebook in an attempt to influence the outcomes of both.

For example, the US House Permanent Select Committee on Intelligence (HPSCI) has released evidence of thousands of adverts which ran on Facebook and Instagram leading up to the 2016 US elections. It has emerged that these adverts were purchased by the Russian-based Internet Research Agency (IRA), and ran between 2015 and 2017.

Also, in the UK, it was revealed that Facebook harvested the personal details of 87 million Facebook users without their explicit consent, and shared those details with London-based political Consulting Firm Cambridge Analytica, which is alleged to have used that data to target political messages and advertising in the last US presidential election campaign.

Also, harvested Facebook user data was shared with Aggregate IQ, a Data Company which worked with the ‘Vote Leave’ campaign in the run-up to the Brexit Referendum.

Report Fake News

The new Facebook political advert rules and the searchable archive / library mean that Facebook users will also be able to report a political ad as fake news.

Other Measures

Facebook has made it known that it is taking many other measures to combat fake news and political interference via its platform. This includes an ongoing program of taking down suspect accounts and pages (more than 500 pages and 250 accounts are reported to have been taken down in the last week), and allocating a trustworthiness score to some members to help manage misinformation issues.

Another tech giant, Microsoft, has also been seen to take steps to protect US democracy by introducing a pilot secure email service called ‘AccountGuard’ specifically for use by election candidates.

What Does This Mean For Your Business?

Facebook is likely to have lost a huge amount of trust among users due to a number of high profile issues and scandals, not least of which was its sharing of the personal data of its users with Cambridge Analytica and Aggregate IQ, and how that data was then used for political influence.

With the US mid-term elections just around the corner, and with the UK in a state of uncertainty over the consequences of the referendum vote for Brexit, preventing other states from interfering in the host country’s democratic processes is a hot topic, and something that Facebook doesn’t want to be associated with. Being seen to take positive, pro-active, pro-democratic measures such as requiring much greater transparency from political advertisers on its platform could go some way to improving Facebook’s battered reputation in this area.

Facebook still has a long way to go, however, particularly since the recent massive hack, the reverberations of which could go on for a long time in the form of more cyber-crime targeted at Facebook users whose details from Facebook and other apps using the Facebook login were stolen.

Browser Support For Early Versions of TLS To End

The makers of all popular browsers – IE, Edge, Safari, Firefox, and Chrome included – have announced plans to disable Transport Layer Security (TLS) protocol versions 1.0 and 1.1 by default.

TLS

Transport Layer Security (TLS) 1.0 and 1.1 are the early versions of encryption used to secure connections to HTTPS websites. Their job is to provide confidentiality and integrity of data in transit between clients and servers.

This week, and not unexpectedly, all the big browser manufacturers released co-ordinated announcements that TLS 1.0, which will be 20 years old next January, and TLS 1.1 will no longer be supported by their browsers. Newer, updated versions of the security protocol will be favoured instead.

Why?

The reasons given for dropping these versions of the protocol are that:

  • They are now rarely used. For example, Microsoft announced that fewer than “one per cent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1”. Apple, more accurately, puts the figure at less than 0.36% of all connections.
  • 20 years is a long time for a security technology to stand unmodified, and newer successor versions of TLS are more advanced, provide better performance and are more secure, e.g. TLS 1.3.
  • The finalization of TLS 1.3 by the Internet Engineering Task Force (IETF) in August 2018 means that the proportion of legacy TLS connections will drop even further, and TLS 1.2 is also required for HTTP/2, which should bring performance improvements for the web. Also, vulnerabilities in 1.0 and 1.1 versions will no longer be addressed by the IETF.
  • Old versions of TLS rely on MD5 and SHA-1, both now broken, and are thought to contain other flaws.

When?

Each browser has given slightly different dates for their formal dropping of TLS 1.0 and 1.1. For Microsoft browsers it will be later this year. For Apple, support for TLS 1.0 and 1.1 will end in March 2020. For Mozilla, March 2020 will also be the removal date, and for Google browser users on early release channels, the date will be January 2020.

What Does This Mean For Your Business?

It is understandable that, with these versions being very old and unmodified, and not used by many connections, and with newer, more secure and better performance versions available, now is a good time to end default support for TLS 1.0 and 1.1. We are told that the newer successor versions offer greater security and performance and less vulnerability to certain types of attack e.g. BEAST, LogJam and FREAK (Factoring RSA Export Keys). These benefits are, of course, likely to be attractive to most businesses.

News of the co-ordinated killing-off of these 2 versions of the protocol may not be such great news, of course, to those who have websites that are still only using TLS 1.0 or 1.1, because browsers will soon flag up those websites as insecure or state that they are unable to connect.
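For site owners, one way to find out whether a web server still offers the versions being dropped is to audit its protocol directives. The following is an added example, not taken from the browser makers' announcements; it reads the nginx ssl_protocols and Apache SSLProtocol directives, the sample configurations are constructed, and the handling of Apache's "all" keyword is an assumption noted in the code.

```python
# Protocol versions the browsers are disabling by default, plus the older SSL versions.
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
KNOWN = LEGACY + ("TLSv1.2", "TLSv1.3")
_CANON = {p.lower(): p for p in KNOWN}


def nginx_enabled(args):
    """nginx `ssl_protocols`: the versions listed are exactly the ones enabled."""
    return {_CANON[a.lower()] for a in args if a.lower() in _CANON}


def apache_enabled(args):
    """Apache `SSLProtocol`: '+x' adds, '-x' removes, a bare name replaces the set.

    Assumption: 'all' is treated as every version in KNOWN except SSLv2.
    """
    enabled = set()
    for arg in args:
        sign = arg[0] if arg[0] in "+-" else ""
        name = arg[len(sign):].lower()
        if name == "all":
            group = set(KNOWN) - {"SSLv2"}
        elif name in _CANON:
            group = {_CANON[name]}
        else:
            continue  # unknown token: ignore rather than guess
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled


DIRECTIVES = {"ssl_protocols": nginx_enabled, "sslprotocol": apache_enabled}


def audit(config_text):
    """Return (line number, directive, legacy versions enabled) for each offending line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()  # drop comments and ';'
        if not line:
            continue
        words = line.split()
        parser = DIRECTIVES.get(words[0].lower())
        if parser is None:
            continue
        enabled = parser(words[1:])
        legacy = [p for p in LEGACY if p in enabled]
        if legacy:
            findings.append((lineno, words[0], legacy))
    return findings


# Constructed sample configurations (hostnames are placeholders).
SAMPLE_NGINX = """\
server {
    server_name legacy.example;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # still offers the old versions
}
server {
    server_name modern.example;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

SAMPLE_APACHE = """\
# global default, then a stricter virtual host
SSLProtocol all -SSLv3
<VirtualHost *:443>
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for name, text in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE)):
        for lineno, directive, legacy in audit(text):
            print(f"{name} line {lineno}: {directive} enables {', '.join(legacy)}")
```

A configuration with no protocol directive at all falls back to the server's built-in default, which this audit does not evaluate.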

Businesses Turning To Zero-Trust Security Model

As a widening attack surface and evolving threats mean that organisations continue to be breached despite a large security spend, many businesses are now turning to the ‘zero-trust’ security model.

What Is The Zero-Trust Security Model?

The Zero Trust security model, introduced by analyst firm Forrester Research, is an alternative architecture for IT security that doesn’t work on the traditional assumption that the perimeter is the main focus and that the inside of an organization’s network can be trusted. Zero-trust assumes that untrusted actors exist both inside and outside a company network, and that every user access request has to be authorised, using the principle of “never trust, always verify”. In this way, Zero-trust can address lateral threat movement within the network i.e. stopping insider and other threats from spreading once inside.

Breaches

Almost 70% of organisations are getting breached an average of five times a year, with 81% of breaches being simply linked to weak, default or stolen passwords. Once inside networks, attackers can camouflage their attack behind a legitimate identity like a database administrator, can go on to access and decrypt encrypted information, and be harder to spot and stop because of their apparent legitimacy.

According to some security commentators, this shows that identity, and identity-centric security measures are areas that organisations need to focus on, and this is where architecture such as zero-trust can help.

10 Cyber-Attacks Per Week

More businesses are recognising the need for a better approach to all-round security, particularly in an environment where hacking’s on the up. For example, the UK’s National Cyber Security Centre has just announced that it has stopped 1,600 attacks over the past two years, many by hostile nation states, and that there are now 10 such attacks per week. Also, the NCSC’s Active Cyber Defence (ACD) initiative reports removing 138,398 phishing sites hosted in the UK between September 2017 and August 2018.

Four Pillars of Zero-Trust Security

The zero-trust security model is, therefore, believed to be another step forward in the battle against cyber-criminals. The success of the zero-trust security model is based upon four key ‘pillars’, which are:

  1. Verifying users. This involves identity consolidation which can tackle weak / shared password issues (using single sign-on and one-time passwords), de-facto authentication everywhere, and monitoring user behaviour e.g. time and location factors.
  2. Validating devices.
  3. Limiting access of privileged users where possible.
  4. Applying machine learning to all these factors, and using this to step up the authentication processes wherever necessary. Machine learning also removes the need for manual intervention.

Benefits

Those who have implemented zero-trust security have reported many benefits. These include cost savings due to gains in incident response efficiencies and technology consolidation, and greater confidence in supporting users on mobile devices and rolling out new partner and customer experiences.

Challenge

One main challenge to the growth of the adoption of zero-trust security measures is the mistaken belief that it has to be time-consuming and takes a lot of effort to implement. Security commentators are keen to point out that, in reality, implementing a zero-trust security model is a step-by-step process.

What Does This Mean For Your Business?

It seems that the benefits of the zero-trust model are now becoming widely known by UK businesses and organisations. For example, an IDG study revealed that 71% of security-focused IT decision makers are actively pursuing a zero-trust security model, 10% are currently doing pilots, and around 8% have implemented it fully.

It’s important to realise that the implementation needn’t be a huge hassle and expense and can be tackled step-by-step, using commercial off-the-shelf technology. This approach to security offers businesses the chance to customise their security for their specific data and assets, and strengthen their infrastructure from the ground up by enabling the identification of vulnerabilities and gaps in their current security models at the root level.

This approach can bring some much-needed benefits, not least of which is a greater feeling of trust and a confidence boost. In terms of more measurable benefits to businesses, a Forrester and Centrify study, for example, has shown that by applying best practices of zero-trust principles, organisations recorded 50% fewer breaches within just two months. These kinds of figures are making this approach to security very attractive to many businesses, particularly those who have fallen victim to costly cyber attacks.

New Tech Laws For AI Bots & Better Passwords

It may be no surprise to hear that California, home of Silicon Valley, has become the first state to pass laws to make AI bots ‘introduce themselves’ (i.e. identify themselves as bots), and to ban weak default passwords. Other states and countries (including the UK) may follow.

Bot Law

With more organisations turning to bots to help them create scalable, 24-hour customer services, together with the interests of transparency at a time when AI is moving forward at a frightening pace, California has just passed a law to make bots identify themselves as such on first contact. Also, in the light of the recent US election interferences, and taking account of the fact that AI bots can be made to do whatever they are instructed to do, it is thought that the law has also been passed to prevent bots from being able to influence election votes or to incentivise sales.

Duplex

The ability of Google’s Duplex technology to make the Google Assistant AI bot sound like a human and potentially fool those it communicates with is believed to have been one of the drivers for the new law being passed. Google Duplex is an automated system that can make phone calls on your behalf and has a natural-sounding human voice instead of a robotic one. Duplex can understand complex sentences, fast speech and long remarks, and is so authentic that Google has already said that, in the interests of transparency, it will build-in the requirement to inform those receiving a call that it is from Google Assistant / Google Duplex.

Amazon, IBM, Microsoft and Cisco are also all thought to be in the market to get highly convincing and effective automated agents.

Only Bad Bots

The new bot law, which won’t officially take effect until July 2019, is only designed to outlaw bots that are made and deployed with the intent to mislead the other person about their artificial identity for the purpose of knowingly deceiving.

Get Rid of Default Passwords

The other recent tech law passed in California and making the news is a law banning easy to crack but surprisingly popular default passwords, such as ‘admin’, ‘123456’ and ‘password’ in all new consumer electronics from 2020. In 2017, for example, the most commonly used passwords were reported to be 123456, password, 12345678 and qwerty (Splashdata). ‘Admin’ also made number 11 on the top 25 most popular password lists, and it is estimated that 10% of people have used at least one of the 25 worst passwords on the list, with nearly 3% of people having used the worst password, 123456.

The fear is, of course, that weak passwords are a security risk anyway, and leaving easy default passwords in consumer electronics products and routers from service providers has been a way to give hackers easier access to the IoT. Devices that have been taken over because of poor passwords can be used to conduct cyber attacks e.g. as part of a botnet in a DDoS attack, without a user’s knowledge.

Password Law

The new law requires each device to come with a pre-programmed password that is unique to each device, and mandates any new device to contain a security feature that asks the user to generate a new means of authentication before access is granted to the device for the first time. This means that users will be forced to change the unique password to something new as soon as the device is switched on for the first time.
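The behaviour described above, a unique factory password per unit plus a forced change before first access, can be sketched as follows. This is an added example, not text or code from the law or from any vendor; the Device class, the ten-character minimum and the short blocklist (taken from the passwords named in this article) are assumptions.

```python
import hashlib
import hmac
import secrets

# Defaults and common passwords named in the article (not a complete blocklist).
WEAK_PASSWORDS = {"admin", "123456", "password", "12345678", "qwerty"}
MIN_LENGTH = 10  # assumed policy threshold


def _derive(password, salt):
    # Store only a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical login gate for a consumer device."""

    def __init__(self, serial):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._digest = b""
        self.must_change = True

    def provision(self):
        """Factory step: generate a random password unique to this unit."""
        password = secrets.token_urlsafe(12)
        self._digest = _derive(password, self._salt)
        self.must_change = True
        return password  # goes on the unit's label; only the hash stays on the device

    def _check(self, password):
        return hmac.compare_digest(self._digest, _derive(password, self._salt))

    def login(self, password):
        if not self._check(password):
            return "denied"
        # The factory password only unlocks the change-password step.
        return "change_required" if self.must_change else "granted"

    def change_password(self, current, new):
        if not self._check(current):
            return "denied"
        if new.lower() in WEAK_PASSWORDS or len(new) < MIN_LENGTH:
            return "rejected: weak"
        if self._check(new):
            return "rejected: unchanged"
        self._salt = secrets.token_bytes(16)
        self._digest = _derive(new, self._salt)
        self.must_change = False
        return "changed"


if __name__ == "__main__":
    unit = Device("SN-0001")  # constructed serial number
    label_password = unit.provision()
    print(unit.login("admin"))                                # denied
    print(unit.login(label_password))                         # change_required
    print(unit.change_password(label_password, "123456"))     # rejected: weak
    print(unit.change_password(label_password, "correct horse battery"))  # changed
    print(unit.login("correct horse battery"))                # granted
```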

What Does This Mean For Your Business?

For businesses using bots to engage with customers, if the organisation has good intentions, there should not be a problem with making sure that the bot informs people that it is a bot and not a human. As AI bots become more complex and convincing, this law may become more valuable. Some critics, however, see the passing of this law as another of the many reactions and messages being sent about interference by foreign powers e.g. Russia, in US or UK affairs.

Stopping the use of default passwords in electrical devices and forcing users to change the password on first use of the item sounds like a very useful and practical law that could go some way to preventing some hackers from gaining easy access to and taking over IoT devices e.g. for use as part of a botnet in bigger attacks. It has long been known that having the same default password in IoT devices and some popular routers has been a vulnerability that, unknown to the buyers of those devices, has given cyber-criminals the upper hand. A law of this kind, therefore, must at least go some way in protecting consumers and the companies making smart electrical devices.

Windows 10 October Rollout Suspended Due To File Deleting Fault

The October rollout of the update to Windows 10 as part of the SaaS model has been suspended due to reports that some customers have experienced mass file deletions.

Eating Files

It has been reported that the rollout of version 1809 October 2018 update for Windows 10 has been temporarily halted after users reported that files had been deleted and over-written.

The update rollout (which is due to be happening in waves over the course of this month) was stopped after users took to Microsoft’s support site and social media to complain, express their anger, and warn other users of what appears to be quite a serious fault.

For example, one user warned others that if documents are saved in the user directory, i.e. users/John, and not on OneDrive, the update deletes everything in that location. Similarly, another user reported that the whole of their “My Documents” folder was deleted by the update, including all of their personal documents (Word docs, spreadsheets, etc). Other issues such as incorrect CPU usage in Task Manager and broken audio drivers have also been reported.

What’s Causing It?

Some tech commentators are blaming the fault on OneDrive, Microsoft’s online file hosting and synchronization service, and a bug in its user profile settings. Engadget, for example, has said that the bug may have slipped through early testing despite reports of the issue appearing on Microsoft’s Feedback Hub some months ago.

The official word is that the exact cause is, as yet, unknown and that users who have already downloaded the update or are enrolled in programs like Windows Insider shouldn’t proceed with version 1809 until Microsoft has released a fix. For the rest of us, it’s a case of making sure that we haven’t downloaded the broken version yet, backing up files now as a precaution, and waiting for the automatic update as normal (which should contain the fix).

On The Upside – More Android Compatibility

Even though the technical fault in the update has dominated the news, with the fix in place, there are some positive aspects and improvements in the update, most notably in Android compatibility. For example, the update allows a better connection between your phone and your Windows desktop by enabling photo syncing and a direct interface to send and receive text messages via your device.

Other Good Points

Also, the latest update will bring a cloud clipboard (across devices), allowing you to copy more than one thing at a time. This will be included as part of Windows Timeline. There will also be new extensions for both Chrome and Firefox to give them the same functionality as Edge.

What Does This Mean For Your Business?

Many tech commentators had predicted that it was likely that there would be some kind of problem with the latest update, but this file-deleting bug is probably much worse than they were expecting and could be devastating, disruptive and costly to businesses that have installed the update but haven’t recently backed-up their files. It is worth, therefore, taking the official advice of backing up files now as a precaution and if you’re part of the Windows Insider programme, not proceeding with version 1809 until the fix has been released.

The Android OS has the biggest worldwide market share, just ahead of Symbian, thanks to its extensive app availability, easy interface, functionality and affordability. With more of us spending more time away from the desktop in the working day, it is helpful, therefore, that the latest Windows 10 update will help sync our Android phones with our desktops.

Since many people don’t use Edge as their main browser, it’s also good news that the latest Windows update (extensions) will bring greater functionality to Firefox and Chrome.

Facebook Hack Keeps Getting Worse

As if the recent Facebook hack of 50 million user accounts that was discovered on 25th September wasn’t bad enough, it became apparent that it could also affect the “Facebook Login” service, which allows other apps to use people’s Facebook account to log in.

What Happened?

On Tuesday 25 September, Facebook engineers discovered that hackers had used a vulnerability in Facebook’s “View As” feature (which lets people see how their profiles appear to others) to steal digital keys known as “access tokens” from any accounts of people whose profiles were searched for using the “View As” feature. This meant that hackers were able to move from one Facebook friend to another, taking control of all those accounts along the way. It is estimated that the staggering number of 50 million user accounts were compromised in this way.

It has been reported that Facebook had noted a spike in the number of people using the “View As” feature in relation to Facebook’s video uploading feature for posting “happy birthday” messages (a known, year-old vulnerability), but didn’t put two and two together at that point. Even though the hack was reported to have been discovered by Facebook on Thursday 25th September, it is now thought that the hack actually took place on 16th September.

Reporting Problems

Even though less than 10% of the 50 million Facebook accounts affected by the security breach were in the European Union, this is still a significant number, and required a report within 72 hours of discovery of the breach to comply with GDPR. It has been reported, however, that Ireland’s Data Protection Commission (DPC) has said that Facebook’s initial notification to the regulator about the breach (on Thursday) didn’t have enough detail, and this could lead to an official investigation and possibly some (substantial) fines. Facebook’s discovery of the breach on the Tuesday, and notification to Ireland’s DPC on the Thursday, meant that it at least kept within the 72-hour disclosure deadline required under GDPR.

Worse – Other Services Using Login By Facebook Could Be Affected

One of the things that has made the breach even worse than was previously thought is that, if you use Facebook to log into other services, such as Instagram (owned by Facebook), Tinder, Spotify and even Airbnb, the attackers could also use the stolen access tokens to gain the same level of access to any of these, and may have been able to steal all of your profile info, photos, private messages and more. The fact that the hackers have stolen tokens means that they don’t need to enter a username and password to access a site because the token is a signal that they’re already logged in.

Fixed, Says Facebook

Facebook has reported that it has now fixed the flaw by logging everyone out of their accounts and suspending the “view as” feature.
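Why a stolen access token works without a username, password or second factor, and why logging users out (revoking their tokens) cuts that access off, is shown in the added sketch below. It is not Facebook's code; SessionService, its method names and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class SessionService:
    """Hypothetical bearer-token session store."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> (user, issued_at)

    @staticmethod
    def _key(token):
        # Keep only a hash server-side so a leaked session table does not leak tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """Called only after the password and second-factor checks have passed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, now)
        return token

    def validate(self, token, now=None):
        """Return the user for a live token, else None.

        No credentials are consulted here: possession of the token is the
        whole proof, which is why a copied token is as good as the original.
        """
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user, issued_at = entry
        if now - issued_at > self.ttl:
            return None  # expired
        return user

    def revoke_user(self, user):
        """Log one user out everywhere; returns how many tokens were invalidated."""
        doomed = [k for k, (u, _) in self._sessions.items() if u == user]
        for key in doomed:
            del self._sessions[key]
        return len(doomed)

    def revoke_all(self):
        """Log everyone out, the step the article says Facebook took."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


if __name__ == "__main__":
    svc = SessionService()
    token = svc.issue("alice")      # constructed user name
    copied = str(token)             # the same string in someone else's hands
    print(svc.validate(copied))     # alice: no password or second factor asked for
    svc.revoke_user("alice")
    print(svc.validate(copied))     # None: the copy died with the original
```

Changing the account password alone would not affect validate(); only expiry or revocation ends a token's life in this model.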

What Does This Mean For Your Business?

This hack was on a massive scale, and was the biggest in Facebook’s history, coming not long after the revelations about Facebook’s sharing of its customer data with Cambridge Analytica for political purposes. This has undoubtedly dealt another blow to Facebook’s reputation but more importantly, it could lead to further problems for Facebook’s users. The fact that the hackers were able to steal tokens, thereby rendering strong passwords and multi-factor authentication useless (which is frightening in itself), means that the attackers could use any personal data and information that they may have harvested from Facebook and other Facebook login sites to target users in future cyber attacks. The information taken could, for example, be used in phishing attacks, fraud, and even blackmail. The information used for blackmail (photos, private messages, etc) could even cause damage to personal and work relationships.

Once again, it seems, we can’t trust a major tech company to adequately protect our personal data and information, even after it has gone to the trouble, over the last few months, of spending large amounts on advertising campaigns to tell us how much it can be trusted. Even though the initial crime appears to be a large-scale hack, the fact is that users could find themselves being the victim of cyber attacks in future because of the information that has been stolen.

Chrome Extensions Get Security, Privacy and Performance Boost

Following the introduction last month of Google Chrome 69’s better password protection, Google has announced that Chrome 70 will bring trustworthy extensions by default.

What Are Extensions?

The Chrome extension system, introduced to the browser nearly a decade ago, has enabled the introduction of 180,000 different extensions which are small, bolt-on software programs that allow Google Chrome users to customize their browsing experience through functionality and behaviour that suits their individual needs or preferences.

Extensions are typically built using HTML, JavaScript, and CSS and are available in the Chrome Web Store. Google says that the dual mission of its extension team is to “help users tailor Chrome’s functionality to their individual needs and interests, and to empower developers to build rich and useful extensions”.

What’s Been The Problem?

One of the main problems with Chrome extensions has been that remotely hosted code in some extensions can be changed, used to manipulate websites, and used for criminal purposes. For example, Chrome extensions have increasingly been used to hide malware, even when they’ve been downloaded from the official Chrome store, and Google has reported a 70% increase in malicious extension installs over the last two and a half years.

For Google, this has created a lack of trust among users, has led to worries about transparency and the scope of their extensions’ capabilities and data access, has generated bad publicity, and has made Google’s own extension review process more complex, costly, and time-consuming.

Improvements

Google says that it has already addressed some of the security, privacy and performance concerns through the launch of out-of-process iframes, the removal of inline installation, and advancements in the detection and blocking of malicious extensions using machine learning.

New code reliability requirements also mean that Chrome Web Store will no longer allow extensions with obfuscated code. This is essentially code that’s difficult to understand and can be used to hide malicious code, and its complexity makes Google’s review process more difficult.

Google has also announced that further improvements will be made to Chrome extensions in Chrome 70 that should go even further in addressing these issues. For example, improvements will include:

  • Better controls for host permissions. This means giving users the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.
  • Required 2-step verification (in 2019) for Chrome Web Store developer accounts, in order to improve security.
  • The introduction of Manifest v3 to make the writing of a secure and performant extension much easier.

What Does This Mean For Your Business?

Google Chrome is the most widely used browser, favoured by 60% of browser users. Bearing in mind the 70% increase in malicious extension installs over the last two and a half years, some would say that these mainly security-based improvements to extensions are certainly necessary, and are long overdue. Bad extensions have proven to be the weak link in a strong browser and have provided a loophole that has been exploited by cyber-criminals, enabling them to link computers to botnets, steal personal details, and enable crypto-currency mining on a large scale.

Businesses using Google Chrome should now get some reassurance that Google is plugging the security holes that some extensions have created, which should mean one less thing to worry about for the time being in the ongoing battle with evolving and potentially costly cyber threats.

Company Fined £150k For Nuisance-Calling People Who Had Opted-Out

Manchester-based Oaklands Assist UK Ltd has been fined £150,000 by the ICO for making approximately 64,000 nuisance direct marketing calls to people who had already opted out of automated marketing.

Serious Contravention of UK Law & EC Directive

The monetary penalty by the ICO was delivered under section 55A of the Data Protection Act 1998 (DPA) due to a “serious contravention” of Regulations 21 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The law states that live calls must not be made to any number registered with the Telephone Preference Service (TPS) unless the subscriber has specifically consented to the call. It appears, however, that Oaklands Assist UK Ltd completely ignored this, and continued to call those who had opted out via the TPS.

Complaints

It has been reported that Oaklands Assist UK Ltd was one of the most complained-about organisations in June 2017, clocking up 59 complaints. It is understood that the nature of the calls related to questions about accidents that call recipients may have had.

The complaints included reports of:

  • Callers being abusive when asked how they got recipients’ details and using profane language when hanging up.
  • Callers becoming angry and aggressive when asked to remove recipients’ details from the call list (when the recipient was on hands-free in the car, with children present).
  • Callers making repeated and often silent calls, and even call recipients complaining of stress, exhaustion and depression as a result of receiving and trying to avoid multiple calls.

No Response

According to the ICO, Oaklands Assist UK Ltd ignored requests for information from the ICO that had been made six months earlier, and only responded when threatened with criminal proceedings by the ICO. Even then, the company was reported to be “vague and obstructive” in their answers.

Tried To Escape

It has also been reported that the ICO had to intervene to prevent Oaklands Assist UK Ltd from being struck off the Companies House register, which is thought to have been a bid by the company to escape the sanction.

Moves are also now afoot by the UK government to make directors of companies personally responsible for penalties such as ICO fines to stop them from evading penalties by dissolving the offending company and simply starting up again under a different name.

What Does This Mean For Your Business?

If you’ve ever had your time wasted and / or perhaps even experienced abuse from callers asking you about the accident that you (haven’t) had, then this action by the ICO will be music to your ears. Of course, you can register with the TPS not to receive unwanted marketing calls but in this case, the company concerned simply ignored that service, and ignored any rules and regulations surrounding making outgoing marketing calls.

Unsolicited calls can be a major disruption to businesses, even if the calls are not abusive or relating to fake accidents or PPI. For example, Ofcom data shows that UK consumers received 2 billion+ calls and texts from claims firms in 2017, and Aviva data shows that this is the equivalent of 6 million calls and texts per day (mainly aimed at people aged 65 and above). Not only does this disrupt any businesses that receive the calls, but it also makes it more difficult for direct marketers who do play by the rules, and makes consumers simply want to dismiss all marketing calls, favouring non-interruptive communications.

GDPR was introduced to give us more rights where the use of our personal data is concerned, and gives us the right to be forgotten. As consumers, this may make us feel as though it has given us more power, but for businesses it has also created a lot of work in preparation for GDPR, has required extra costs of hiring / appointing / training an in-house DP expert, as well as creating the fear of fines or other problems through not being able to fully comply with the extensive detail of the Regulation. Companies should, however, be more reassured by recent comments from ICO Deputy Commissioner James Dipple-Johnstone who was quoted as saying that businesses that take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation” and that the real norm of the work of the ICO relating to GDPR is simply audits, advisory visits and guidance sessions.

New Chrome 69 Creates Better Passwords, Among Other Features

Chrome 69, the latest version of the Google browser which is now 10 years old, has a number of value-adding new features, including the ability to automatically generate strong passwords.

Improved Password Manager

This latest version of Chrome has an improved password manager that is perhaps more fitting of the browser that is favoured by 60% of browser users, many of whom still rely upon using very weak passwords. For example, the most commonly used passwords in 2017 were reported to be 123456, password, 12345678 and qwerty.

The updated password manager in Chrome 69 hopes to make serious inroads into this most simple of human errors by recommending strong passwords when users sign up for websites or update settings. The Chrome 69 password manager will suggest passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it will be able to add these. Users will be able to manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 will then store the password on a laptop or phone so that users don’t have to write it down or try and remember it (as long as they are using the same device).
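As an added illustration (not Chrome's own code), the sketch below generates a password under the policy described above: at least one lowercase letter, one uppercase letter and one digit, plus a symbol when a site requires one. The default length of 15, the symbol set and the function names are assumptions; it uses Node's `crypto.randomInt`, which draws unbiased values from a cryptographically secure generator.

```javascript
const { randomInt } = require('crypto'); // CSPRNG-backed, unbiased integer draw

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DIGIT = '0123456789';
const SYMBOL = '!@#$%^&*-_=+'; // assumed symbol set; real sites differ

// Pick one character uniformly at random from a string.
function pick(chars) {
  return chars[randomInt(chars.length)];
}

// Generate a password containing at least one character from each
// required class. `length` and `requireSymbol` are illustrative parameters.
function generatePassword(length = 15, requireSymbol = false) {
  const classes = [LOWER, UPPER, DIGIT];
  if (requireSymbol) classes.push(SYMBOL);
  if (!Number.isInteger(length) || length < classes.length) {
    throw new RangeError(`length must be an integer >= ${classes.length}`);
  }
  const alphabet = classes.join('');
  // One guaranteed character per required class...
  const out = classes.map(pick);
  // ...then fill the remainder from the combined alphabet.
  while (out.length < length) out.push(pick(alphabet));
  // Fisher-Yates shuffle so the guaranteed characters do not sit
  // at predictable positions at the start of the password.
  for (let i = out.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}

// Check a candidate password against the same policy.
function meetsPolicy(password, requireSymbol = false) {
  const has = (chars) => [...password].some((c) => chars.includes(c));
  return has(LOWER) && has(UPPER) && has(DIGIT) &&
    (!requireSymbol || has(SYMBOL));
}
```

Run against the commonly used passwords mentioned earlier (123456, password, 12345678, qwerty), `meetsPolicy` rejects all four, since each draws on a single character class.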

Other Features

Other new and improved features of Chrome 69 include:

Faster and more accurate form-filling: Google says that because information such as passwords, addresses and credit card numbers is saved in a user’s Google account and can be accessed directly from the Chrome toolbar, Chrome can make it much easier and faster to fill out online checkout forms.

Combined search and address bar (improvements): In Chrome 69, users will have a combined search and address bar (the Omnibox), which shows the answers directly in the address bar without users having to open a new tab, thereby making it more convenient. Also, if there are several tabs open across three browser windows, for example, a search in the Omnibox will tell users if that website’s already open and will allow navigation straight to it with “Switch to tab”. Google says that users will soon also be able to search files from their Google Drive directly in the Omnibox too.

CSS Snap: This feature allows developers to create smoother browsing experiences. It does this by telling the browser where to stop after each scrolling operation, and is particularly useful for displaying carousels and paginated sections to guide users to the next slide or section.

Put The www. Back!

There was some controversy and protests from some Chrome users over the way that, in order to take account of the limited space on mobile screens, and for greater security (to stop confusion with phishing URLs), version 69 of Chrome has been made to no longer show the www. part of a URL (and the m. on mobiles) in the address bar. It is worth mentioning at this point that Apple’s Safari also hides URL characters. Some critics of Google’s move to this system have said that it could confuse users into thinking that they’re at the wrong website.

Other Criticism

Some more cynical / informed commentators have suggested that the change in URL display is actually more to do with the AMP system and AMP cache, which benefit the advertising side of Google’s business.

What Does This Mean For Your Business?

The changes in Chrome 69 that encourage and facilitate the use of much stronger passwords may be a little overdue, but it has to be good news for the security of all Chrome users. The speedier form-filling will also be a time-saver in an age where many people now carry out many of their daily transactions online and on mobile devices.

Even though stronger passwords are a good thing, security has now moved on again from those, because they have been found to be less secure than biometrics and other access methods.

The new Chrome 69 has been released, but so has the beta version of Chrome 70, and it remains to be seen how security is upgraded yet again in subsequent versions as cyber-crime threats become more wide-ranging and sophisticated.