Security

10 Million Affected by Dixons Carphone Data Breach

Dixons Carphone has announced that, after a review following a hack of its customers’ data, 10 million customers rather than the original estimate of 1.2 million have actually been affected.

What Happened?

Back in June, Dixons Carphone announced that a hacking attempt, which had actually taken place in July 2017, had been made on one of the processing systems of Currys PC World and Dixons Travel stores. The original announcement put the figures at an attempted theft of the details of 5.9 million credit and debit cards, with only 105,000 cards without chip-and-pin protection being leaked, and an estimated 1.2 million personal data records being accessed / compromised.

Millions More

This latest shocking announcement puts the number of customers thought to be affected at 10 million!

Dixons Carphone has apologised to customers, and has offered an assurance that the company is fully committed to making their personal data safe.

No Bank Details & No Fraud

Despite the large numbers of customers affected by the breach, Dixons Carphone has been quick to point out that no bank details were taken, and it has found no evidence that fraud had resulted from the breach.

Working With Cyber-Security Experts

The company has stated that it has been working hard with cyber-security experts since the breach and has put in further security measures to keep customer data safe in future.

The updated security measures taken have been reported to include closing off the unauthorised access, adding new (unspecified) security measures, and launching an immediate investigation.

Also, Dixons Carphone is reported to be in the process of contacting all of its customers to apologise and to advise on what steps they can take to protect themselves.

Other Woes

The massive data breach is one of many woes that the company has been experiencing in recent times. Back in May, Dixons Carphone announced the planned closure of 92 of its 700 stores, citing people renewing their handsets less frequently and a declining market for long-term mobile contracts as the two main reasons. The company was forced to act after a warning that the next year’s profits could be down £82 million led to shares in the company falling 20.7%. Share values had already fallen by 30% over the previous 12 months.

Market commentators have noted that a fall in the value of the pound (in the wake of Brexit) has made mobile handsets more expensive. Also, technical innovation has slowed, giving shoppers less reason to update their phones, meaning that they have been hanging onto their current handsets for longer.

What Does This Mean For Your Business?

We’re getting so used to hearing about data breaches where millions of people have been affected that we’re in danger of accepting it as normal. It’s important to remember that all companies, particularly with GDPR now in place, have at least a legal responsibility to protect the personal data of their stakeholders to the best of their abilities.

All businesses must surely be aware that cyber-criminals now use sophisticated, multi-stage methods to find and exploit whatever weaknesses they can, on a daily basis, and that large, well-known companies with millions of customers (and millions of valuable customer records) are prime targets. A large company that is, no doubt, aware of the cyber threats in the business environment allowing the details of over 10 million customers to be taken, with its customers only finding out and receiving an apology a year later, therefore isn’t acceptable.

Data protection should now be a priority issue in the boardroom, and even though some companies may be going through difficult times financially, data protection is not an area where they can really afford to let their guard down. The damage to reputations, the loss of customers, and fines from the ICO can now be enough to threaten the existence of a business, and even without the moral and ethical perspective, this should be enough of a motivator to keep businesses pushing to stay at least one step ahead of today’s known cyber threats.

Fake News Crowding Threat Outlined

UK MPs in the Digital, Culture, Media and Sport Committee (DCMSC) have been investigating the challenges and potential threat to democracy posed by ‘fake news’ crowding out real news, and have published their findings in a “Disinformation and ‘fake news’: Interim Report”.

Difficult To Identify & ‘Crowding Out’ Real News

Tory MP Damian Collins made the news this week by highlighting one of the main challenges: that people struggle to identify “fake news”. The DCMSC report focused on how this difficulty has been capitalised on by those seeking to influence elections.

The government is also concerned that the sheer volume of disseminated misinformation / fake news is beginning to crowd out real news.

UK Legal Framework Not Fit To Cope

The main points of the report are that fake news poses a threat to democracy, that the UK legal framework is not currently fit to cope with it, and that action needs to be taken by the Government and other regulatory agencies to build resilience against misinformation and disinformation.

The DCMSC Report

The 89-page report, which has been published online at https://publications.parliament.uk/pa/cm201719/cmselect/cmcumeds/363/363.pdf, covers the definition, role and legal responsibilities of tech companies; data targeting, based around the Facebook, GSR and Cambridge Analytica allegations; Russian influence in political campaigns; SCL influence in foreign elections; and digital literacy (and how it should be made the fourth pillar of education alongside reading, writing and maths).

Background

Some of the more worrying examples of the influence of fake news and the interests of some of the players considered by the government committee included:

– Facebook and Cambridge Analytica’s harvesting and sharing of the personal data of 87 million people to influence the outcome of the US 2016 presidential election and the UK Brexit referendum.

– Political donor Arron Banks being accused of misleading MPs about his meetings with the Russian Embassy, and his walking out of an evidence session to avoid scrutiny on the topic.

– Facebook’s deployment of ‘Free Basics’ in Burma (data-free Facebook access), which was found by the United Nations to have played a key role in stirring up hatred against the Rohingya Muslim minority in Rakhine State, partly because people could only access news and content via Facebook.

Social Media Companies Made Liable?

The report also contains a recommendation that social media companies should be defined by a new category i.e. not just a ‘platform’ nor a ‘publisher’, and should be made liable to act against harmful or illegal content appearing on their platforms.

Other Recommendations

Other recommendations made in the report include updating electoral law, a new tax on social networks to pay for digital literacy programmes in schools, a code for political advertising on social media, greater transparency around online advertising, and a “digital Atlantic charter” to protect personal information and rights.

What Does This Mean For Your Business?

The business world is influenced by the political world, and vice versa. It is in the interests of businesses and governments that truly fake news is kept to a minimum and that certain parties (e.g. other nation states) aren’t allowed to exert significant influence on elections and referendums.

That said, states / governments around the world have for many years seen social media as a threat. Some governments have opted for a blanket blocking of social media, whereas others have sought ways to gain some control over it by focusing on its negative aspects and / or by seeking regulation or even back-door access to users. It seems, however, that some international actors have seen social media as an opportunity for influence (e.g. alleged Russian use of Facebook to influence the US election), and this, in turn, has helped those governments who feel threatened by it, e.g. by enabling them to discredit it as a legitimate news source and thereby boost the credibility of their own state media.

Facebook has, after its involvement in the Cambridge Analytica scandal and the ‘Vote Leave’ campaign, played into the hands of those who would like to see it operated with greater regulation and control. Scandals like these have even helped the cause of world leaders such as President Trump, who appears able to simply say the phrase ‘fake news’ to counter any stories that could show him in a bad light, whether true or not.

Even our ‘real’ news is slanted in newspapers to reflect the views and allegiances of the owner newspaper, and it is commonplace, but accepted, that newspapers print some stories that are false / contain false information that they later simply issue an apology for, and carry on as normal.

Truth and trust are the victims of fake news, and just as governments are happy to focus on it as a threat and as a means to apply pressure to popular media that they can’t overtly control, they can also now see what a powerful tool and opportunity it can be as another tool for influence.

Adults To Get Same Online Protection As Kids Says Government

The UK government has announced that, in a move to reinforce digital safety for everyone across the country, it will be expanding the scope of the UK Council for Child Internet Safety (UKCCIS) to cover the adult population too.

What Is The UKCCIS?

Formed in 2008, the UKCCIS is now made up of more than 200 organisations drawn from across government, industry, law, academia and charity sectors that have been working in partnership to help keep children safe online. It has been doing this by running an array of campaigns and forwarding policy proposals that aim to improve the online safety and welfare for children in UK schools and colleges.

Some of the help it gives includes providing advice for dealing with ‘sexting’, proposals for the default filtering of online pornography (2012), tackling race and faith targeted bullying, as well as creating a guide for providers of social media and interactive services with examples of good practice, and creating a guide for parents and carers whose children are using social media.

Scope Widened – Same Protection For All

The plans to expand the UKCCIS were announced in the government’s Internet Safety Strategy green paper in October 2017.

The newly proposed widening of the scope of the UKCCIS, with a view to protecting adults as well as children, will enable it to focus on tackling issues like cyber-bullying and sexual exploitation, the spread of radicalism and extremism across the internet, mitigating violence against girls and women, hate crime and hate speech, and any online discrimination that contravenes the Equality Act 2010.

Collaborative Approach

It is thought that a collaborative approach among the expanded number of organisations in the UKCCIS, bringing together key stakeholders from the tech giants to the third sector, coupled with the wider scope of the population covered, should help to bring about a safer online environment for all.

Board Member Applications Invited

The UKCCIS website is currently inviting applications for its Executive Board, a new collaborative forum through which government, the tech community, and the third sector plan to work together to ensure the UK is the safest place in the world to be online. The deadline for applications is 3rd September, and the information and links to the application forms can be found here: https://www.gov.uk/government/groups/uk-council-for-child-internet-safety-ukccis

What Does This Mean For Your Business?

All parents, whether they are business owners or not, would undoubtedly prefer to see the Internet as we know it in the UK, made a much safer place for young people to explore and use. This means that someone / something needs to take responsibility for helping to tackle the risks, and a government-led collaboration of hundreds of organisations seems to be as good a way forward as any at the current time.

With the evolving nature of cyber threats and the fact that all age groups are affected by a variety of unpleasant and criminal activity online, it makes sense that the scope of the UKCCIS should be expanded to help adults too.

The Internet is a place to trade as well as to learn, communicate and interact, and a safer Internet for all can only be good news for businesses.

Facebook Favours Free Speech Over Fake News Removal

In a recent Facebook media presentation in Manhattan, and despite the threat of social media regulation e.g. from Ofcom, Facebook said that removing fabricated posts would be “contrary to the basic principles of free speech”.

Fake News

The term ‘fake news’ has become synonymous with the 2016 US presidential election and accusations that Facebook was a platform for fake political news to be spread, e.g. by Russia. It is also a term that has become synonymous with President Trump, who frequently uses it, often (some would say) as a catch-all to discredit or counter critical stories in the media.

In essence, fake news refers to deliberate misinformation or hoaxes, manipulated to resemble credible journalism and attract maximum attention, and it is spread mainly by social media. Facebook has tried to be seen to flag up and clean up obvious fake news ever since its reputation was tarnished by the election news scandals.

What About InfoWars?

The point was made to Facebook at the media presentation by a CNN reporter that allowing InfoWars, a site known to have published false information and conspiracy theories, to remain on the platform may be evidence that Facebook is not tackling fake news as well as it could.

A Matter of Perspective

To counter this and other similar accusations, Facebook has stated that it sees pages on both the left and the right side of politics distributing what they consider to be opinion or analysis but what others, from a different perspective, may call fake news.

Facebook also tweeted that banning those kinds of pages e.g. InfoWars, would be contrary to the basic principles of free speech.

A Matter of Trust

Ofcom research has suggested that people have relatively little trust in what they read in social media content anyway. The research showed that only 39% consider social media to be a trustworthy news source, compared to 63% for newspapers and 70% for TV.

Age Plays A Part

Other research from Stanford’s Graduate School of Education, involving more than 7,800 responses from middle school, high school and college students in 12 US states focused on their ability to assess information sources. The results showed a shocking lack of ability to evaluate information at even as basic a level as distinguishing advertisements from articles. When you consider that many young people get their news from social media, this shows that they may be more vulnerable and receptive to fake stories, and their wide networks of friends could mean that fake stories could be quickly and widely spread among other potentially vulnerable recipients.

Although Facebook is known to have an older demographic now, many young people still use it. Facebook has also launched a version of its service aimed at children to attract more young users, and it owns Instagram, partly as a means of retaining young users who leave Facebook. It could be argued, therefore, that Facebook and other social media platforms have a responsibility to regulate some content in order to protect users.

What Does This Mean For Your Business?

Fake news stories are not exclusive to social media platforms, as the number of retractions and apologies in newspapers over the years testifies. The real concern has arisen about social media, and Facebook particularly, because of the alleged ability of actors from a foreign power to use fake news on Facebook to influence the election of a President. Which party and President is in power in the US can, in turn, have a dramatic effect on businesses and markets around the world, and on the opportunities that other foreign powers think they have.

Facebook is also busy fighting another crisis in trust that has arisen from news of its sharing of users’ personal data with Cambridge Analytica, and the company is focusing much of its PR effort not on talking specifically about fake news, but about how Facebook has changed, why we should trust it again, and how much it cares about our privacy.

Meanwhile in the UK, Ofcom chief executive Sharon White, has clearly stated that she believes that media platforms need to be “more accountable” in their policing of content. While this may be understandable, many rights and privacy campaigners would not like the idea that free speech could be influenced and curbed by governments, perhaps to suit their own agenda. The arguments continue.

Google Chrome’s New ‘Site Isolation’ Security Feature Activated

The new ‘Site Isolation’ security feature for Google’s Chrome browser has been switched on by default, and could protect users from the theft of login credentials and other sensitive data by malicious web pages.

Decade-Long History

The newly switched-on feature actually has a decade-long history in the making. It has been reported that Google invested many engineer-years, mostly in the last 6 years, and a lot of money in producing a defence-in-depth (DiD) feature that is now an essential defence against a prolific class of attack.

What Does Site Isolation Do?

Spectre and Meltdown, disclosed in January 2018, are security vulnerabilities in the design of most modern processors that allow ‘data leakage’ (side-channel) attacks: Spectre affects chips from Intel, AMD and ARM, while Meltdown mainly affects Intel chips. Because a Spectre attack can be mounted from JavaScript, a malicious web page loaded in a browser such as Chrome, Internet Explorer, Firefox or Safari (on Macs or iOS) could in principle read passwords or other confidential data belonging to other sites that happen to share memory with it.

With Site Isolation enabled, each renderer process holds documents from at most one site, so every navigation to a cross-site document causes a switch of process, and every cross-site iframe is placed in a different process from its parent frame. Because a Spectre attack can only read memory within the attacking page’s own process, this ‘isolation’ keeps other sites’ data out of reach, which means that the vast majority of desktop Chrome users are now protected from this one kind of attack. It has also been reported that work is underway to protect against attacks from compromised renderers, i.e. where an attacker has fully exploited a bug in the rendering engine rather than relying only on a side channel.
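The unit Site Isolation works in is the “site”, which is the URL scheme plus the registrable domain (the public suffix plus one label, often written eTLD+1), not the full origin. The following is an added example, not Chrome’s code, showing how that classification decides which frames of a page would land in a separate renderer process. The public suffix list embedded here is a constructed subset of the real one; browsers use the full list from publicsuffix.org.

```javascript
// Added example (not Chromium code): same-site classification as used by
// Chrome's Site Isolation, i.e. scheme + registrable domain (eTLD+1).
// Two documents from the same site may share a renderer process; a
// cross-site navigation or a cross-site iframe gets a process of its own.

// Assumption: a small constructed subset of the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'org.uk', 'github.io']);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) {
      if (i === 0) return null; // the host itself is a suffix, e.g. "co.uk"
      return labels.slice(i - 1).join('.');
    }
  }
  // No known suffix: treat the whole host as the site (e.g. "localhost").
  return hostname.toLowerCase();
}

// IP literals have no registrable domain; the literal address is the site.
function isIpLiteral(hostname) {
  return /^[\d.]+$/.test(hostname) || hostname.startsWith('[');
}

// The "site" of a URL: scheme plus registrable domain. Note that http:// and
// https:// versions of the same domain are different sites.
function siteOf(urlString) {
  const url = new URL(urlString);
  const host = isIpLiteral(url.hostname)
    ? url.hostname
    : (registrableDomain(url.hostname) || url.hostname);
  return `${url.protocol}//${host}`;
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Given a top-level document and the frames it embeds, return the frames
// that Site Isolation would place in a process other than the parent's.
function framesNeedingSeparateProcess(parentUrl, frameUrls) {
  return frameUrls.filter((u) => !isSameSite(parentUrl, u));
}

// Worked run on constructed URLs.
const PARENT = 'https://www.example.co.uk/account';
const FRAMES = [
  'https://cdn.example.co.uk/widget',   // same site: may share the process
  'http://www.example.co.uk/legacy',    // scheme differs: cross-site
  'https://ads.tracker.com/frame',      // cross-site
  'https://alice.github.io/page',       // github.io is a public suffix
];
console.log('parent site:', siteOf(PARENT));
console.log('isolated frames:', framesNeedingSeparateProcess(PARENT, FRAMES));
```

The practical consequence for a site owner is that a cross-site iframe embedded in a page is now guaranteed not to share address space with that page, so a Spectre-style read from the iframe cannot reach the parent’s session data; same-site subdomains, by contrast, still share a process, so an attacker who can run script on any host under the same registrable domain is inside the same isolation boundary.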

It Does Sap Some Memory

One of the trade-offs that Google has had to make in order to make this feature effective is greater resource consumption. With Site Isolation on, there is a 10-13% total memory overhead in real workloads due to the larger number of processes. Google is reported to be working on reducing the memory burden.

Even 10-13% is good compared to the 20% memory overhead that was being used when Chrome 63 debuted with Site Isolation.

Not Android Yet – But Soon

Site Isolation is scheduled to be included in Chrome 68 for Android but reports indicate that Google is still working on resource consumption issues before that can be rolled out.

What Does This Mean For Your Business?

The switching on of this feature is, of course, good news for businesses, as it is an additional, free way to strengthen cyber resilience against a popular kind of attack that could have serious consequences. This is of particular importance when businesses are trying to do everything possible to achieve and maintain compliance with GDPR.

Up until now, all that businesses have heard is that all modern processors have security flaws in them, and that software patching (operating system, firmware / microcode and browser updates) is the only real answer. Back in May, a further 8 flaws, in addition to Spectre and Meltdown, were reported in processors, dubbed Spectre Next Generation (Spectre-NG). The switching-on of this Chrome feature is at least one tangible step towards mitigating these vulnerabilities before cyber-criminals manage to exploit them. Hopefully, similar features will be introduced across other browsers in the near future.

Cambridge Analytica Re-Born

A new offshoot of Cambridge Analytica, the disgraced data analysis company at the heart of the Facebook personal data sharing scandal, has been set up by former members of staff under the name ‘Auspex’.

Old Version Shut Down

After news of the scandal, which saw the details of an estimated 87 million Facebook users (mostly in the US) being shared with CA, and then used by CA to target people with political messages in relation to the last US presidential elections, CA was shut down by its parent company SCL Elections. CA is widely reported to have ceased operations and filed for bankruptcy in the wake of the scandal.

Ethical This Time

Auspex, which (it should be stressed) is not just another version of CA, but is likely to carry on the same kind of data analysis work, has been set up by Ahmed Al-Khatib, a former director of Emerdata which was also set up after the Cambridge Analytica scandal. Mr Al-Khatib has been reported as saying that Auspex will use ethically based, data-driven communications with a focus on improving the lives of people in the developing world.

Middle East and Africa

The markets in the developing world that Auspex will initially be focusing on are the Middle East and Africa, and the kinds of ethical work that it will be doing, according to Auspex’s own communications, are health campaigning and tackling the spread of extremist ideology among a disenfranchised youth.

Compliant

Auspex has been quick to state that it has made changes and that it will be fully compliant from the outset, thereby hoping to further distance itself from its murky origins in CA.

Personnel

One thing that is likely to attract the attention of critics is that not only is Mark Turnbull, the former head of CA’s political division, the new Auspex Managing Director, but the listed directors of the new company include Alastair Harris, who is reported to have worked at CA, and Omar Al-Khatib, who is listed as a citizen of the Seychelles.

What Does This Mean For Your Business?

The Cambridge Analytica and Facebook scandal is relatively recent, and the ICO have only just presented their report about the incident. For many people, it may not feel right that personnel from Cambridge Analytica can appear to simply set up under another name and start again. Critics can be forgiven for perhaps not trusting statements about a new ethical approach, especially since Mark Turnbull appeared alongside former CA chief executive Alexander Nix in an undercover film by Channel 4, where Nix gave examples of how his company could discredit politicians e.g. by setting up encounters with prostitutes.

The introduction of GDPR has brought the matters of data security and privacy into sharp focus for businesses in the UK, and businesses will be all too aware of the possible penalties if they get on the wrong side of the ICO.

In the case of the Facebook / Cambridge Analytica scandal, the ICO has recently announced that Facebook will be fined £500,000 for data breaches, and that it is still considering taking legal action against CA’s company’s directors. If successful, a prosecution of this kind could result in convictions and an unlimited fine.

£500,000 Fine For Facebook Data Breaches

Sixteen months after the Information Commissioner’s Office (ICO) began its investigation into Facebook’s sharing of the personal details of users with political consulting firm Cambridge Analytica, the ICO has announced that Facebook will be fined £500,000 for data breaches.

Maximum

The amount of the fine is the maximum that could be imposed under the Data Protection Act 1998, the law in force when the breaches took place (had GDPR applied, the ceiling would have been far higher). Although it sounds like a lot, for a corporation valued at around $500 billion, with $11.97 billion in advertising revenue and $4.98 billion in profit for the past quarter (mostly from mobile advertising), it remains to be seen how much of an effect it will have on Facebook.

Time Before Responding

Facebook has now been given time to respond to the ICO’s verdict before a final decision is made by the ICO.

Facebook has said, however, that it acknowledges that it should have done more to investigate claims about Cambridge Analytica and taken action back in 2015.

Reminder of What Happened

The fine relates to the harvesting of the personal details of 87 million Facebook users without their explicit consent, and the sharing of that personal data with London-based political consulting firm Cambridge Analytica, which is alleged to have used that data to target political messages and advertising in the last US presidential election campaign.

Also, harvested Facebook user data was shared with AggregateIQ, a data company which worked with the ‘Vote Leave’ campaign in the run-up to the Brexit referendum.

The sharing of personal user data with those companies was exposed by former Cambridge Analytica employee and whistleblower Christopher Wylie. The resulting publicity caused public outrage, saw big falls in Facebook’s share value, brought apologies from its founder / owner, and saw insolvency proceedings (back in May) for Cambridge Analytica and its parent SCL Elections.

What About Cambridge Analytica?

Although Facebook has been given a £500,000 fine, Cambridge Analytica no longer exists as a company. The ICO has indicated, however, that it is still considering taking legal action against the company’s directors. If successful, a prosecution of this kind could result in convictions and an unlimited fine.

AggregateIQ

As for Canadian data analytics firm AggregateIQ, the ICO is reported to still be investigating whether UK voters’ personal data provided by the Brexit referendum’s Vote Leave campaign had been transferred and accessed outside the UK and whether this amounted to a breach of the Data Protection Act. Also, the ICO is reported to be investigating to what degree AIQ and SCL Elections had shared UK personal data, and the ICO is reported to have served an enforcement notice forbidding AIQ from continuing to make use of a list of UK citizens’ email addresses and names that it still holds.

Worries About 11 Main Political Parties

The ICO is also reported to have written to the UK’s 11 main political parties, asking them to have their data protection practices audited because it is concerned that the parties may have purchased certain information about members of the public from data brokers, who might not have obtained consent.

What Does This Mean For Your Business?

When this story originally broke, it was a wake-up call about what can happen to the personal data that we trust companies / corporations with, and it undoubtedly damaged trust between Facebook and its users to a degree. It’s a good job that the ICO is there to follow things up on our behalf because, for example, a Reuters/Ipsos survey conducted back in April found that, even after all the publicity surrounding Facebook and Cambridge Analytica scandal, most users remained loyal to the social media giant.

Also, the case has raised questions about how our data is shared and used for political purposes, and how the use and sharing of our data to target messages can influence the outcome of elections and, therefore, the whole economic and business landscape. This has led to a call for the UK government to step in and introduce a code of practice limiting how personal information can be used by political campaigns before the next general election.

Facebook has recently been waging a campaign, including heavy television advertising, to convince us that it has changed and is now more focused on protecting our privacy. Unfortunately, this idea has been challenged by the recent ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council, which accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not actually benefit their privacy.

$13.5 Million In Customer Tokens Lost To Bancor Hackers

Hackers are reported to have stolen $13.5 million of user crypto-currency tokens from the Israeli start-up and decentralized crypto-currency trading platform Bancor.

What Happened?

It has been reported that on Monday, hackers were able to access and compromise a wallet on the Bancor platform that is used to upgrade smart contracts. These smart contracts have been likened to digital vending machines which manage crypto-currency transactions so there is no need for a middle-man.

This compromised wallet was then used by the hackers to steal different types of crypto-currency tokens from Bancor’s customers. The stolen tokens are reported to comprise 24,984 ETH (Ethereum, approx. $12.5 million) and 229,356,645 NPXS (approx. $1 million).

The total loss in the hack would have included a further 3,200,000 of Bancor’s own token BNT (approx. $10 million), had Bancor not frozen those tokens as soon as it found out about the hack.

Bancor, which raised over $150 million in an ICO last year, is reported to have taken its exchange offline while it conducts an investigation of the incident.

Criticism

Following reports of the incident, some commentators have criticised Bancor for advertising itself as decentralized, and yet responding to the hack with strategies like those of a centralised system.

Centralised exchanges have received criticism for demanding large fees up front to list tokens, while not appearing to use those fees to help security, judging by the number and frequency of hacks.

Users of MyEtherWallet Also Hit By Hack

In the same week as customers of Bancor took a hit from a hack, so did users of one of the internet’s most popular services for managing crypto-currencies, MyEtherWallet. MyEtherWallet (MEW) is used to access crypto wallets and also to send and receive tokens to and from other wallets.

For the MEW hack, it has been reported that the hackers compromised ‘Hola’ for about 5 hours. Hola is a free VPN that plugs into browsers as an extension, and claims to have nearly 50 million users. Because a browser extension of this kind sits between the user and every page they load, compromising Hola meant that any users who navigated to MEW and accessed their wallet with the VPN switched on during that window are likely to be those who fell victim to the hackers.

What Does This Mean For Your Business?

Many businesses and individuals have been deterred from investing in and using crypto-currencies after the bad press surrounding the Bitcoin bubble and the associated crypto-jacking schemes, media reports of multiple hacks of different exchanges / platforms and crypto-currencies, and a general lack of knowledge and confidence about crypto-currencies. The Bancor and MyEtherWallet hacks are two more indications of the many existing security issues (particularly with centralised systems), and may be two more reasons why businesses shy away from all things crypto-currency.

The fact is, however, that crypto-currencies could have many advantages for some businesses, such as the speed and ease with which transactions can take place due to the lack of central banking and traditional currency controls. Some, such as Ripple’s XRP, are designed specifically for use by banks. Crypto-currencies generally mean easier, faster and more convenient cross-border and global trading, but traditional currencies tend to have the backing of assets, or promises of assets, of some kind. Crypto-currencies, therefore, tend to be less trusted and more volatile in the markets, and governments and banks don’t like the fact that they have no real control over them.

In the case of the MEW hack, this is also a reminder that a VPN browser extension can see and alter every page you visit, so it must be treated as trusted code. Paying for a VPN service does not make it safe by itself, but a free one that has to be monetised in other ways gives all the more reason for caution, particularly when accessing anything that holds money or credentials.

Tech Giant GDPR Privacy Settings ‘Unethical’ Says Council

The ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council has accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

Illusion of Control

The report alleges that, far from actually giving users more control over their personal data (as laid out by GDPR), the tech giants may simply be giving users the illusion that this is happening. The report points to the possible presence of practices such as:

– Facebook and Google making users who want the privacy-friendly option go through a significantly longer process (privacy intrusive defaults).

– Facebook, Google and Windows 10 using pop-ups that direct users away from the privacy-friendly choices.

– Google presenting users with a hard-to-use dashboard with a maze of options for their privacy and security settings. For example, on Facebook it takes 13 clicks to opt out of authorising data collection (opting in can take just one).

– Making it difficult to delete data that’s already been collected. For example, deleting data about location history requires clicking through 30 to 40 pages.

– Google not warning users about the downside of personalisation e.g. telling users they would simply see less useful ads, rather than mentioning the potential to be opted in to receive unbalanced political ad messages.

– Facebook and Google pushing consumers to accept data collection e.g. with Facebook stating how, if users keep face recognition turned off, Facebook won’t be able to stop a stranger from using the user’s photo to impersonate them, while not stating how Facebook will use the information collected.

Dark Patterns

In general, the report criticised how the use of “dark patterns” such as misleading wording and default settings that are intrusive to privacy, settings that give users an illusion of control, hiding privacy-friendly options, and presenting “take-it-or-leave-it choices”, could be leading users to make choices that actually stop them from exercising all of their privacy rights.

Big Accept Button

The report, by Norway’s consumer protection watchdog, also notes how the GDPR-related notifications have a large button for consumers to accept the company’s current practices, which could appear to many users to be far more convenient than searching for the detail to read through.

Response

Google, Facebook and Microsoft are all reported to have responded to the report’s findings by issuing statements focusing on the progress and improvements they’ve made towards meeting the requirements of the GDPR to date.

What Does This Mean For Your Business?

GDPR was supposed to give EU citizens much more control over their data, and the perhaps naive expectation was that companies with a lot to lose (in fines for non-compliance and reputation), such as the big tech giants and social media companies, would simply fall into line and afford us all of those new rights straight away.

The report by the Norwegian consumer watchdog appears to be more of a reality check that shows how our personal data is a valuable commodity to the big tech companies, and that, according to the report, the big tech companies are willing to manipulate users and give the illusion that they are following the rules without actually doing so. The report appears to indicate that these large corporations are willing to force consumers to try to fight for rights that have already been granted to them in GDPR.

New, Improved Wi-Fi Security Standard WPA3 Starts Rollout

The non-profit, global trade group, the Wi-Fi Alliance, has announced the commencement of the rollout of the new Wi-Fi Protected Access (WPA) protocol WPA3, which should bring improvements in authentication and data protection.

What’s Been The Problem?

There are estimated to be around 9 billion Wi-Fi devices in use in the world, but the current security protocol, WPA2, dates back to 2004. The rapidly changing security landscape has, therefore, left many Wi-Fi devices vulnerable to new methods of attack, fuelling the calls for the fast introduction of a new, more secure standard.

WPA2 Vulnerabilities

For example, WPA2, which is mandatory for Wi-Fi Certified devices, is known to be vulnerable to offline dictionary attacks to guess passwords. This is where an attacker can have as many attempts as they like at guessing Wi-Fi credentials without being on the same network. Offline attacks allow the perpetrator to either passively stand and capture an exchange, or even interact with a user once before finding out the password. Using Wi-Fi on public networks with the current protocol has also left people vulnerable to ‘man-in-the-middle’ attacks or ‘traffic sniffing’.

One key contributor to the vulnerability of Wi-Fi networks using the WPA2 standard is the home / business choosing an obvious or simple password.

What’s So Good About The New Standard?

The new WPA3 standard has several advantages. These include:

  • The fact that it has been designed for the security challenges of businesses, with two modes of operation: Personal and Enterprise.
  • The equivalent of 192-bit cryptographic strength, thereby offering a higher level of security than WPA2.
  • The addition of Easy Connect, which allows a user to add any device to a Wi-Fi network using a secondary device already on the network via a QR code. This makes the connection more secure and helps simplify IoT device protection.
  • WPA3-Personal mode offers enhanced protection against offline dictionary attacks and password guessing attempts through the introduction of a feature called Simultaneous Authentication of Equals (SAE). Some commentators have suggested that it ‘saves users from themselves’ by offering improved security even if a user chooses a more simple password. It also offers ‘forward secrecy’ to protect communications even if a password has been compromised.
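The forward-secrecy point above can be illustrated in code. The following is an added example, not Wi-Fi Alliance or IEEE code: it uses the real WPA2-Personal PMK derivation (PBKDF2-HMAC-SHA1 over passphrase and SSID) with a simplified session-key step, and contrasts it with a simplified SAE-style derivation that mixes in an ephemeral Diffie-Hellman secret. The DH group is a toy one chosen for readability, and the nonces are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (NOT a secure real-world group):
# p is the Mersenne prime 2**127 - 1. Real SAE uses standardised ECC/FFC groups.
TOY_P = 2**127 - 1
TOY_G = 3


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK as specified in IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_session_key(passphrase: str, ssid: str, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified PTK-style derivation (MAC addresses omitted): the session key depends only
    on the PMK and two nonces that cross the air in the clear during the 4-way handshake."""
    return hmac.new(wpa2_pmk(passphrase, ssid), anonce + snonce, hashlib.sha256).digest()


def dh_session_key(passphrase: str, ssid: str, my_secret: int, peer_public: int) -> bytes:
    """Simplified SAE-style derivation: the password-derived key is mixed with an ephemeral
    DH shared secret, so the password alone does not determine the session key."""
    shared = pow(peer_public, my_secret, TOY_P)
    return hmac.new(wpa2_pmk(passphrase, ssid), shared.to_bytes(16, "big"), hashlib.sha256).digest()


def forward_secrecy_demo(passphrase: str, ssid: str) -> tuple[bool, bool]:
    """Model an eavesdropper who recorded a handshake and later learns the passphrase.
    Returns (recovers_wpa2_session_key, recovers_dh_session_key)."""
    # Constructed sample nonces: public handshake material the eavesdropper captured.
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    station_key = wpa2_session_key(passphrase, ssid, anonce, snonce)
    eavesdropper_wpa2 = wpa2_session_key(passphrase, ssid, anonce, snonce)

    # Ephemeral secrets x and y never leave the two devices; only g^x and g^y are observable.
    x, y = secrets.randbelow(TOY_P - 2) + 2, secrets.randbelow(TOY_P - 2) + 2
    gx, gy = pow(TOY_G, x, TOY_P), pow(TOY_G, y, TOY_P)
    station_dh = dh_session_key(passphrase, ssid, x, gy)
    ap_dh = dh_session_key(passphrase, ssid, y, gx)
    assert station_dh == ap_dh  # the two legitimate parties agree on the key

    # Without x or y, the passphrase plus the transcript gives the eavesdropper nothing
    # better than guessing an ephemeral secret, which fails with overwhelming probability.
    eavesdropper_dh = dh_session_key(passphrase, ssid, secrets.randbelow(TOY_P - 2) + 2, gy)
    return station_key == eavesdropper_wpa2, station_dh == eavesdropper_dh
```

Running `forward_secrecy_demo("password", "IEEE")` returns `(True, False)`: the recorded WPA2 session is recoverable once the passphrase leaks, the DH-protected one is not.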

In Tandem For The Time Being

The current standard WPA2 will be run in tandem with the new WPA3 standard until the new standard becomes more widely used.

Protection Against Passive Eavesdropping

In June, the Wi-Fi Alliance also announced the rollout of Wi-Fi Enhanced Open, a certification program. This provides protection for unauthenticated networks, e.g. coffee shops, hotels and airports, and protects connections against passive eavesdropping without needing a password by providing each user with unique individual encryption that secures traffic between their device and the Wi-Fi network.

What Does This Mean For Your Business?

Wi-Fi security and the security of a growing number of IoT devices have long been a source of worry to individuals and businesses, particularly as the nature and variety of attack methods have evolved while the current security standard is 14 years old.

The introduction of a new, up-to-date standard / protocol which offers greater security, has been designed with businesses in mind, offers more features, and protects the user from their own slack approach to security is very welcome. WPA3 will be particularly welcomed by those who use networks to send and receive very sensitive data, such as the public sector or financial industry.