As we have recently mentioned on our blog, October is National Cyber Security Awareness Month. And I’m sure we will post more to raise awareness of the risks you personally face, the risks to the institutions you do business with, and to the government itself.
Today, though, I want you to start to broaden your outlook on this issue. While you are getting acquainted with new threats like nation-state funded attacks, cyber-terrorism, and hactivism, I’d also ask you to look at some of the things our legislatures have been proposing in the name of cybersecurity. This includes early efforts to protect critical industry sectors our energy grid or banking systems against cyberattack, and requirements that we move beyond passwords when we access Web sites where we perform transactions or access personal data. As all these initiatives come with costs, none have universal support. But some cybersecurity proposals have generated more controversy than others, including: like the SOPA and PIPA bills that coddled the media industry by conflating digital piracy with cybersecurity and whose proposed remedies would have create a regime of censorship, or the federal development and control of a so-called “Internet Kill Switch“.
There will continue to be a lot going on here legislatively, and anything that changes the government’s role in the Internet will affect you as well. So let’s make also do our job as responsible, informed citizens. Let’s make October National Cybersecurity Policy Awareness Month. Let’s get educated, and involved.
My last post was about how we’re steadily moving towards consumer online privacy regulations over the collection and use of personal online data by businesses. At the same time, however, we’re seeing the US government relentlessly expanding their efforts to monitor people online – and in ways that may completely negate any efforts to regulate the privacy practices of businesses.
It is the fear over cyberterrorism (a term you can’t expect the average person to understand) that is driving many to cede their privacy rights to the government. There are two competing cybersecurity bills working their way through Congress: the Cybersecurity Act of 2012 and the Secure IT Act. They differ fundamentally in areas of jurisdiction (the NSA versus the DHS) and whether the voluntary approach promoting and fostering public-private collaboration is sufficient, or a whether a regulatory approach is also required. But what they have in common is the aggregation and analysis of data on unprecedented scales.
In the background to all this, the Obama administration has just expanded the ability of the National Counterterrorism Center (NCTC) to retain data on people for five years (previously, it was 6 months) – even if they are not suspected of terrorist activity. The NCTC receives data from many other agencies.
So at the same time one side of the US government (the consumer protection side) is restricting what personal data businesses can collect, another side (the cybersecurity side) is moving not only to expand its own access to and control over personal data, but also to enlist in its efforts those very same businesses whose data collection efforts the FTC is otherwise trying to restrain: ISPs and mobile carriers, search engine and web portal companies, social media companies, etc. This opens a very wide door to abuse of any consumer privacy efforts currently underway with the FTC.
Monday, the FTC released a report publishing principles and recommendations for consumer privacy. The report, “Protecting Consumer Privacy in an Era of Rapid Change” (summary and full report[PDF]) provides what the FTC considers best business practices around privacy. These best practices are not regulations, but they are intended to serve as guidelines for legislators in drafting privacy regulations. And they can also serve as a framework for the federal government’s own privacy policies and personal data practices.
At the core of the report, and in broader privacy circles, we see discussions center around three foundational elements of privacy: knowledge, consent, and control.
- Knowledge. The collection and use of information should be transparent. Consumers should know what is being collected, how it is being collected, how it is being used, and how it is being shared.
- Consent. Consumers should be presented with a mechanism for agreeing to these practices. The recommendations did not mandate an “opt-in” versus “opt-out” approach: whether the default policy if the consumers don’t take any specific action would be not to collect (“opt-in”) or to collect (“opt-out”). But the report does advance the notion that it is insufficient for organizations to provide an all or nothing approach, where conditions on use of a service or product requires you to submit to full data collection.
- Control. Consumers should have choices as to whether and to what degree, to participate in data collection, and how that data could be used; and companies should make those choices simple for consumers to understand and to execute.
Consumer attitudes about privacy and data collection is undergoing a fundamental change, driven by online data collection practices. Historically in the US, businesses have traditionally been given broad latitude in their actions as long as they are not fraudulent or deceptive. However, we’re witnessing a full 180-degree turn in consumer attitudes, which is what’s behind the FTC’s actions. Consumer concern over personal data collection and use by businesses is reaching critical mass, and it’s driven by concern over Internet powerhouses such as Google and Facebook, mobile carriers and ISPs, and the shadow worlds of online advertising networks and data brokers. Restraints on businesses over their privacy practices are inevitable.
Unfortunately, not all the consumer privacy news these days is good. More about that in my next post.
The RSA Conference – the largest gathering of security vendors and the companies who buy their products – was held in San Francisco last month. Avast was in attendance, and I had the pleasure of moderating a panel on mobile security. Mobile security was also one of the top topics permeating the entire event. What I heard on the panel and throughout the conference, and what has been reinforced from my discussions with analysts and consultants to businesses, should have you all pretty worried.
The good news is that businesses want to embrace employees use of mobile phones and tablets. And it’s not just the biggest companies doing so: even small businesses are eager adopters of mobile technologies. After all, employees are more accessible and more productive when they can use their mobile devices for work. However, these are your devices; they are not the company’s and shouldn’t be treated as such. And that’s the challenge.
Businesses have legitimate concerns that these devices are inherently insecure, and that consumers don’t always secure their devices to the same level businesses do their PCs. They are also concerned about all the corporate data that these devices contain or can access, and that their loss or theft can compromise a company. And they are concerned that people will misuse their access to this data now that it’s on their person device.
The problem is that businesses want more security and control over your phone then they should have or even need: even more control than they have over the PCs they provide you.
- Because there are malicious apps, they want to keep a catalog of every app you install and be able to remove those applications without prior notice to you.
- Because mobile devices can hold private corporate data, they want the ability to wipe all data on your phone, also without prior notice to you.
- Because you could potentially misuse the phone by transferring corporate data between a business app (like email) and a personal app (like Facebook), they want to be able to monitor everything you do on that phone: your call logs, your text messages, all your social networking activity, all your browsing activity.
This blatant company disregard for employees’ privacy and property all in the name of security has gotten completely out of hand. One product that was given prominent attention at the conference basically rooted your device to put a monitoring and management layer underneath the operating system. Besides taking any semblance of control of your device away from you, this procedure would likely lead to voiding the warranty for many of your devices, especially Apple devices.
Using your mobile devices for work purposes should not require you giving up all your privacy rights or giving your company effective ownership of your device, without having to pay for it. If your company is letting you use your phone or tablet for work purposes, especially if it’s for more than email, then you should take a close look at your organization’s mobile policies – not just for what you should or should not be doing, but for what your company could be doing.
On the heels of the Zappos cyber robbery last Sunday that left 24M customers fretting over stolen passwords and email addresses, articles are being published about how people can protect themselves online. The number one point is always about passwords. Clean up your passwords. Never Share Your Password. Create different passwords for different accounts.
Sage advice, which we at AVAST support. We even have a dedicated password manager called avast! EasyPass to help you juggle it all. The theft at Zappos and the struggle for greater online privacy made it even more startling when I read about the growing trend among teenagers to share their passwords as an act of trust with their current BFFs. Read more…
T minus 8 hours until we see if the threats of the hacktivist group Anonymous are fulfilled. November 5 is the scheduled demise of Facebook, according to a YouTube “press release” published months ago, and since removed. Last August a rally cry went out to willing hacktivists or guys who want “to protect the freedom of information” to “join the cause and kill facebook for the sake of your own privacy.” It seems that this group has the technical chops to do it too – these are the same folks who brought us publicized attacks on the IMF, Sony and the Iranian government.
However, there is an indication that the big take-down won’t happen. The OP_Facebook account which was fairly active in the beginning has been pretty dead since last month. And the larger group has distanced themselves from the threat. Earlier today on AnonOps, one of the Twitter accounts regularly used by the Anonymous group, they tweeted, “We told you many times ddosing Facebook was a fake operation.”
So the world’s most popular social networking site will probably live to see another day. But maybe the threat of attack issued by Anonymous was designed to make us think about Facebook and their dalliances with individuals’ privacy. Facebook admitted this September that they had been tracking their 750 million users, even after they logged out of Facebook, using browsing monitoring cookies. The stated reasons were for security and fraud prevention.
We hope to see Facebook survive, if only for our thriving avast! antivirus page. It’s a great way to interact with like-minded people and learn a thing or two from you and share things about avast!. If Facebook is still around tomorrow, please share http://www.facebook.com/avast with a friend.
Last few years can be called a “social networking era”. Just remember the rise ups (and depressions) of myspace.com, linked.in etc. These networks are now completely shadowed by FaceBook and Twitter. Even when myspace and similar networks are not that widespread today, they were at the beginning of all. It becomes more and more usual to identify a real ego with social network profile. That’s not too dangerous in its basis, but there’s a big problem – people completely loose a sense for their privacy on internet. This is not an attitude against social networks, it’s only a thought about dangerous habits appearing with the social networking phenomenon. The risk is not the existence of social networks, the risk is how people behave there.