All posts by Paul Stradling

Tech News : LinkedIn Shuts Down In China Over Censorship Row

Microsoft’s LinkedIn will be replaced with a “no social feed” version in China after criticism from the US that it has been complicit in the censorship of posts and profiles from Western journalists.

Accusations From Home

The accusations that LinkedIn appeared to be appeasing and complicit with the Chinese Communist Party and its censorship rules can be traced back to June. After Bing showed no results for a search for the key phrase “Tank Man” on the anniversary of the Tiananmen Square massacre, and censorship notifications were sent to journalists, Republican Senator Rick Scott (Florida) suggested that Microsoft was actively censoring American journalists on behalf of the Chinese Communist Party.

Also, LinkedIn has blacklisted the accounts of several journalists, one of whom had previously written a book about China’s treatment of Tibetan refugees.

Since 2014

Microsoft launched a “localised version” of LinkedIn in China back in 2014 with the hope of getting into the vast Chinese market, which, at the time, was the second-largest and one of the most important economies in the world. LinkedIn aimed to link what equated to one in five of the world’s knowledge workers with the rest of LinkedIn’s 277 million members in over 200 countries and territories, thereby enabling Microsoft to take a huge competitive leap forward.

Challenging Operating Environment

The recent accusations from the US, however, coupled with an admission by LinkedIn senior vice-president Mohak Shroff that “We’re facing a significantly more challenging operating environment and greater compliance requirements in China” have forced a change for LinkedIn. In a blog post, Mr Shroff also alluded to the hurdles of censorship and compliance with Chinese Communist Party rules, saying “While we’ve found success in helping Chinese members find jobs and economic opportunity, we have not found that same level of success in the more social aspects of sharing and staying informed. We’re also facing a significantly more challenging operating environment and greater compliance requirements in China.”

LinkedIn To Be Replaced With ‘InJobs’

The replacement for the failed, localised version of LinkedIn is due to be launched later in the year. LinkedIn says that ‘InJobs’ will be a “standalone jobs application for China” that will not include a social feed or the ability to share posts or articles.

Was Censorship A Requirement From The Beginning?

When LinkedIn launched in China back in 2014, it said “As a condition for operating in the country, the government of China imposes censorship requirements on Internet platforms” and that “extending our service in China raises difficult questions”.

Punished In March

LinkedIn had its new user registration suspended back in March by the Chinese regulator, allegedly for failing to censor political content.

Other big (US-based) tech companies have also encountered serious setbacks and criticism when trying to break into the Chinese market. For example, Google faced criticism after announcing that it had been developing a censored version of its search engine to run inside China.

What Does This Mean For Your Business?

Recent years have seen poor political and diplomatic relations between the west and China, particularly with the US restrictions on doing business with Chinese companies introduced during the Trump presidency. This has had an impact on many businesses who trade with China, and the big tech companies are finding that in order to get a piece of the vast Chinese market, they must face difficult challenges and compromises. These include pressures not to deal with a regime that has been accused of human rights abuses, the tightening grip of Chinese government and regulator rules, competition with favoured Chinese companies, challenges posed by the country’s heavily controlled internet, and perhaps being forced to censor their own platforms according to local rules in order to stay in operation within the country. For example, as well as recent accusations that LinkedIn censored journalists, Amazon’s Audible service and Apple’s China-based store have both had to remove apps in mainland China for reading the holy books of Islam and Christianity, which has, of course, impacted on the makers of the apps as well as generating potentially awkward publicity for Amazon and Apple. For Microsoft, however, the solution to remaining operational in China and staying on-side with the authorities has simply been to cut away the worries that the social platform could cause and continue with a renamed, more government-friendly service. Clearly, while the Chinese government maintains a strong grip on the Internet and other platforms that could present conflicting views, and while relations between China and the west remain relatively poor, this is unlikely to be the last difficult decision that a big tech company will have to make about the way forward (or not) for its future in China.

Tech News : 30 Countries Pledge To Act On Ransomware

Members of the international Counter-Ransomware Initiative, drawn from 30 countries, have issued a joint statement outlining their intent to take action to counter the growing threat posed by ransomware.

What Is Ransomware?

Ransomware is a form of malware that encrypts the important files on a computer; the user (often a business/organisation) is then given a ransom demand, payment of which is supposed to release the encrypted files. In reality, some types of ransomware delete many important files anyway, and paying the ransom does not guarantee that access to files will be returned to normal. Ransomware is primarily a profit-seeking crime which also commonly leverages money laundering networks to move ransomware proceeds.

How Big Is The Problem?

A recent White House fact sheet stated that “the global economic losses from ransomware are significant. Ransomware payments reached over $400 million globally in 2020, and topped $81 million in the first quarter of 2021, illustrating the financially driven nature of these activities.”

In March, the Palo Alto Networks Unit 42 Ransomware Threat Report showed that the average ransom paid by a victim organisation in Europe, the US and Canada trebled from $115,123 (£83,211) in 2019 to $312,493 (£225,871) in 2020. The report showed that over the same period, the highest value ransom paid doubled from $5m (£3.6m) to $10m (£7.2m), and the highest extortion demand grew from $15m (£10.8m) to $30m (£22m).

Meeting

At the meeting of the Ministers and Representatives from the Counter Ransomware Initiative (held on October 13 and 14), it was recognised that the threat of ransomware is complex and global in nature and requires a shared response and will depend, in part, on the capacity, cooperation, and resilience of global partners, the private sector, civil society, and the general public.

Action

The joint statement outlines the following actions to be taken and efforts to be made to tackle the ransomware threat:

– Improving network resilience to prevent incidents when possible and respond effectively when incidents do occur. This will involve the sharing of lessons learned and best practices for development of policies to address ransom payments and engaging with private sector entities to promote incident information sharing and to explore other opportunities for collective buy-down of risk.

– Addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable. This will involve using national anti-money laundering (AML) frameworks to identify and mitigate risks associated with virtual asset service providers (VASPs) and related activities, and enhancing the capacity of national authorities (regulators, financial intelligence units, and law enforcement) to take action.

– Disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement. This will involve cooperation between different stakeholders and international partners in the exchange of information.

– Using diplomacy to promote rules-based behaviour and encourage reasonable steps to be taken to address ransomware operations emanating from a particular territory.

What Does This Mean For Your Business?

Attempts to exploit the vulnerabilities created by remote working in the pandemic, businesses not having effective data backup procedures in place, the costs of downtime being perceived as greater than the cost of paying the ransom, low technical barriers to entry and a high affiliate earning potential, plus the growth of ransomware-as-a-service (RaaS), have fuelled a huge rise in ransomware attacks. Ransomware poses a big risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity, and a bigger effort to tackle the threat is long overdue. The promising aspect of the joint statement by the Ministers and Representatives from the Counter Ransomware Initiative is that they have recognised the need for collaboration and help between multiple governments, agencies and organisations, and for using multiple means to make a real impression on the problem. Individual businesses can play their own part in protecting themselves through basic security measures. These include keeping antivirus software and operating systems up to date and patched (and re-starting the computer at least once per week), using a modern and secure browser, using detection and recovery software (e.g. Microsoft 365 protection and Windows Security), storing files on cloud services (e.g. OneDrive/Google Drive, IDrive, or whatever work-based cloud file storage systems employees are required to use), and having an effective, workable backup in place. Since ransomware relies upon human error to spread, staff should be educated about how to spot and deal with potential ransomware risks, e.g. suspicious emails. Organisations should also realise that prevention is better and cheaper than cure, that paying a ransom will not guarantee the return of vital files and system control, and that many files are deleted anyway by the attackers.

Featured Article : How To Tell If You’re Being Spoofed

Many cyber attacks now take the form of using fake/spoof communication to trick victims into parting with personal (or company) data, or money. We take a look at some of the most popular and widely reported methods and how to avoid falling victim to them.

Phishing

This is a very common form of spoofing attack. Cyber-criminals send their victims emails which appear to be from legitimate organisations or contacts (or in some cases use fake SMS messages containing links, or voicemails). When the victim clicks on the link in the phishing email, they are either directed to a spoof website or payment page designed to steal their details or money, or have malicious software loaded onto their device that allows cybercriminals to take control of it, log keystrokes, and gain access to personal information and financial data (for financial theft and identity theft).

How To Spot Phishing Emails

There are several signs that can help you identify a phishing email. These include:

– Online requests for personal and financial information (e.g. from government agencies) are very unlikely to be sent by email from legitimate sources.

– Generic greetings. Scammers are less likely to use your name to personalise the email greeting and title.

– Mistakes in spelling and grammar can be signs of scam emails.

– Check where a link really goes by hovering your mouse (without clicking) over it. The real destination address that appears can quickly reveal if the email isn’t genuine.

– Beware of heavy emotional appeals that urge you to act immediately. These are signs of scam emails that hope to bypass your reasoning and tap into an emotional response.
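The “hover over the link” check above, and the mismatch between who an email claims to be from and where it was actually sent from, can both be automated for a mailbox or gateway. The following is an added example written for this article, not code from the original page or from any product it mentions: it parses a constructed sample email, compares each link’s visible text with its real `href` target, flags links that point at a bare IP address, and compares the sender’s claimed organisation against an assumed, constructed table of domains that organisation is known to send from (`KNOWN_SENDERS`). The registrable-domain reducer is deliberately crude (last two labels); a production tool would use a public-suffix list.

```python
"""Check an e-mail for two common phishing indicators:
  1. a From: header whose display name claims an organisation but whose address
     belongs to a domain that organisation does not use, and
  2. links whose visible text shows one domain while the href points elsewhere
     (the mismatch a reader sees by hovering over the link) or at a raw IP.
The sample message and the KNOWN_SENDERS table are constructed for this example."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: organisations and the domain they are known to send mail from.
KNOWN_SENDERS = {"example bank": "example-bank.com"}

# Constructed sample message (not a real phishing mail; 198.51.100.0/24 is a documentation range).
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@example-bank-secure.net>
To: customer@example.com
Subject: Urgent: verify your account now
Content-Type: text/html

<html><body>
<p>Dear customer,</p>
<p>Your account will be locked in 24 hours. Please
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>
to verify your details.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
</body></html>
"""


def registrable_domain(host):
    """Crude 'main domain' reducer: last two labels of the host name."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_from_text(text):
    """Extract a host name from link text such as 'https://x.com/login' or 'x.com/help'."""
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname or ""


def check_sender(msg):
    """Flag a sender whose display name claims a known organisation but uses another domain."""
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_SENDERS.get(name.strip().lower())
    suspicious = expected is not None and registrable_domain(addr_domain) != expected
    return {"display_name": name, "address_domain": addr_domain, "suspicious": suspicious}


def check_links(html):
    """One finding per link: visible/actual domain mismatch or a raw-IP target is suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = urlparse(href).hostname or ""
        shown = host_from_text(text)
        is_ip = actual.replace(".", "").isdigit()
        mismatch = bool(shown) and registrable_domain(shown) != registrable_domain(actual)
        findings.append({"href": href, "shown": shown, "actual": actual,
                         "suspicious": is_ip or mismatch})
    return findings


def analyse(raw_email):
    """Run both checks over a raw RFC 822 message with an HTML body."""
    msg = message_from_string(raw_email)
    return {"sender": check_sender(msg), "links": check_links(msg.get_payload())}


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL)
    print("sender:", result["sender"])
    for f in result["links"]:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag}: text shows {f['shown']!r}, link goes to {f['actual']!r}")
```

Run against the sample, the sender is flagged (the display name claims Example Bank but the address is on a different domain), the first link is flagged on both counts (visible text and target differ, and the target is a bare IP), and the help link passes.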

Vishing Scams

Vishing is a combination of ‘voice’ and ‘phishing’ and describes the criminal process of using internet telephone service (VoIP) calls to deceive victims into divulging personal and payment data.

Vishing scams to (domestic) homes often use recorded voice messages (e.g., claiming to be from banks and government agencies) to make victims respond in the first instance.

The technology used by scammers is now such that voice simulation may even be used in more sophisticated attacks on big businesses.

Examples of vishing include spoof calls purporting to be from banks or credit card companies with messages asking the victim to call a certain number to reset their password, exaggerated (almost too good to be true) investment opportunities, bogus charitable requests for urgent causes and recent disasters, calls claiming to be from government agencies (e.g. the tax office), or bogus tech support calls to fix fake problems with computers.

How To Guard Against Vishing

Ways to protect yourself and your business from falling victim to vishing include:

– Don’t trust caller ID to be 100 per cent accurate; numbers can be faked.

– Don’t answer phone calls to unknown numbers.

– Be wary of unsolicited calls allegedly from banks, credit card companies or government agencies.

– Include phishing, vishing, smishing and other variants with your security awareness training for employees.

– Avoid using a gift card or a wire/direct money transfer.

– Don’t give in to pressure.

SMS Spoofing

SMS spoofing involves changing who an SMS message appears to come from by replacing the originating mobile number (Sender ID) with alphanumeric text. Examples of this ploy include impersonating a user that has roamed onto a foreign network and is submitting messages to the home network, or impersonating a bank and including a phishing message that tricks users into clicking on a link.

How To Guard Against Spoof SMS Messages

Some key things to remember to avoid falling victim to spoof SMS messages include:

– Be very sceptical of ‘too good to be true’ offers and remember that organisations such as your bank are extremely unlikely to text you and will never ask for personal details this way.

– Avoid clicking on links in SMS messages. If you receive texts that you have any suspicion about and have questions, go to the website, call (using the number from the official website) or email instead.

– Don’t share your mobile number unless it’s really necessary.

– Beware of SMS messages about verification codes, password resets, or anything that’s asking for personal information.

– Report any SMS spoofing attempts to Action Fraud.

Smishing

Smishing is where an attacker sends a text/SMS message purporting to be from a reputable company, for example the Royal Mail or a parcel delivery company/courier service. The idea is that the recipient (who may be expecting a parcel delivery) is fooled into clicking on the link in the text message, and this either sends the attacker personal information (credit card number or password) or downloads a malicious program/malware to the victim’s phone. The malware can be used for snooping on the user’s smartphone data or sending sensitive data (silently) to an attacker-controlled server.

Parcel delivery scams account for more than half of all reported text phishing, or ‘smishing’, attacks in the UK. For example, new data shows that from 15 April to 14 July 2021, 53.2 per cent of reported scam text messages were from attackers posing as postal delivery firms. Also, between 14 June and 14 July, parcel and package delivery scams accounted for 67.4 per cent of all smishing attempts.

How To Protect Yourself Against Smishing Attacks

Ways that you can protect yourself and your business from smishing include:

– (Again) remember that financial institutions never send text messages asking for credentials or money transfers, and that credit card numbers, ATM PINs, or banking information should never be sent to anyone in a text message.

– Beware of (scam) messages offering fast money (e.g., from winning prizes or collecting cash after entering information).

– A message received from a number with only a few digits is a sign that it probably came from an email address, which is a common sign of spam/scams.

– Avoid storing any banking details on a mobile device (in case of malware).

– Be wary of any delivery-related text messages other than the standard day/time of delivery messages.

– If you receive a smishing text, to protect other users, send the message to your telecom’s number so that it can be investigated. Also, report such messages to Action Fraud (https://www.actionfraud.police.uk/).

Deepfake Videos and Audio

Deepfake videos use deep learning technology and manipulated images of target individuals (found online), often celebrities, politicians, and other well-known people, to create an embarrassing or scandalous video, e.g. pornography, violent behaviour, or the victim saying something they would not normally say but which could be very damaging to their reputation if believed. The AI aspect of the technology makes the spoof videos very convincing. Deepfake videos are used by criminals to damage the reputations of victims and/or to extract ransoms from their target victims.

Deepfake Audio

Deepfake ‘ransomware’ can also involve using AI to manipulate audio in order to create a damaging or embarrassing recording of someone, or to mimic someone for fraud or extortion purposes. For example, in March 2019, a group of hackers were able to use AI software to mimic (create a deepfake of) an energy company CEO’s voice in order to successfully steal £201,000.

Other Spoofing Attacks & Scams

Some other popular spoofing attacks and methods include:

Man-in-the-Middle Attacks

If cyber-criminals are able to gain access to a person’s communications accounts, e.g. your email (perhaps using stolen credentials, spyware or malware), they can intercept and alter the communication between two parties in order to re-route funds or solicit sensitive personal information like credit card numbers or logins.

Extension spoofing

This is where cybercriminals disguise executable malware files to make victims feel as though they can safely click on them (e.g. if received in an email). For example, a .exe file, which would normally be a security red flag, can be made to appear as a .txt (Notepad) file.
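The “.exe that looks like a .txt” trick above is something a mail gateway or download scanner can check for by looking at the file name the operating system will actually act on rather than the one a person sees. The following is an added example written for this article, not code from the original page: it goes a little beyond the page’s single case and flags three disguise patterns a defender commonly sees: a document extension followed by an executable one (double extension), long runs of spaces that push the real extension out of view in a file dialog, and Unicode bidirectional-override characters, which make a file manager display the characters of a name in reversed order so the real extension appears in the middle of the name. The extension lists and sample file names are constructed for this example.

```python
"""Flag file names that try to disguise an executable as a harmless document.
Checks: double extensions (.txt.exe), whitespace padding before the real
extension, and Unicode bidirectional-override characters that reorder how the
name is displayed. Extension lists and sample names are constructed for this example."""
import unicodedata

# Extensions Windows will execute or that act as script/launcher wrappers (constructed, non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Extensions a user would regard as harmless documents or media (constructed, non-exhaustive).
DOCUMENT_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "zip"}
# Unicode bidirectional embedding/override/isolate controls that alter display order.
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}


def real_extension(name):
    """The extension the OS acts on: text after the final dot, lower-cased."""
    base = name.rstrip()
    return base.rpartition(".")[2].lower() if "." in base else ""


def check_filename(name):
    """Return {'extension', 'executable', 'findings'}.

    'executable' says whether the real extension is one the OS will run;
    'findings' lists the disguise techniques detected in the name."""
    findings = []
    bidi = [ch for ch in name if ch in BIDI_OVERRIDES]
    if bidi:
        findings.append("bidirectional override " + unicodedata.name(bidi[0]))
    ext = real_extension(name)
    executable = ext in EXECUTABLE_EXTS
    parts = name.rstrip().split(".")
    if executable and len(parts) >= 3 and parts[-2].strip().lower() in DOCUMENT_EXTS:
        findings.append("double extension .%s.%s" % (parts[-2].strip().lower(), ext))
    if executable and "   " in name:  # three or more spaces: padding to hide the real extension
        findings.append("whitespace padding before executable extension")
    return {"extension": ext, "executable": executable, "findings": findings}


# Constructed sample names: one honest document, three disguised executables.
SAMPLE_NAMES = [
    "notes.txt",
    "invoice.txt.exe",
    "invoice.txt" + " " * 40 + ".exe",
    "report\u202etxt.exe",  # displays roughly as 'reportexe.txt' in a bidi-aware file manager
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        result = check_filename(sample)
        verdict = "BLOCK" if result["executable"] and result["findings"] else "allow"
        print(f"{verdict}: real extension .{result['extension'] or '-'}; {result['findings'] or 'no disguise'}")
```

The decision rule in the usage block is deliberately narrow: an honest `setup.exe` is reported as executable but not as disguised, so the policy that acts on the result (quarantine, warn, strip the attachment) can be stricter about disguised names than about plainly labelled ones.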

Checking If Your Details Have Been Stolen

Some attacks happen because a user’s personal data has been stolen in other attacks and/or traded online. One way to check whether your details have been stolen is to visit https://haveibeenpwned.com/.

What Does This Mean For Your Business?

The message here is that today’s cybercriminals would much rather rely upon human error and spoof scams than go to the time and trouble of trying to hack into secure systems. Human error can be relied upon to be ever-present to a degree, which is why spoofing is so effective. It appears that almost anything can now be faked, and it is up to businesses not just to take the necessary cyber protection measures (anti-virus, 2FA etc) but to educate staff in what spoofing scams they may encounter, how to spot them, and to have policies and procedures in place for dealing with and checking certain types of approaches, messages, and enquiries. It is important that all staff are particularly aware of email threats and can exercise a healthy degree of scepticism and judge

Tech Tip – How To Turn On WhatsApp Encrypted Backups

Facebook has just enabled encrypted backups for WhatsApp messages to Google Drive or Apple’s iCloud. The feature, however, is not enabled by default, so if you’d like to back up your important WhatsApp messages, here’s how to turn the feature on:

– In the latest version of WhatsApp, go to ‘Settings’.

– Tap on ‘Chats’ > ‘Chat Backup’ > ‘End-to-end Encrypted Backup’.

– Tap on ‘Continue’ and follow the prompts to create your password or 64-digit encryption key.

– Tap ‘Done’.

Tech Insight : What (Actually) Is The ICO?

In this tech-insight, we look at the role of the Information Commissioner’s Office, and how it can be a source of valuable compliance information and help to businesses.

What Is It?

The Information Commissioner’s Office is the UK’s independent, non-departmental public body set up to uphold information rights in the public interest. The ICO also promotes openness by public bodies and data privacy for individuals and is the regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA), as well as the UK GDPR and other acts. The ICO gives help and advice to individuals and businesses.

Who It Reports To

The ICO reports directly to the Parliament of the United Kingdom, is sponsored by the Department for Digital, Culture, Media and Sport, and has physical offices in Wilmslow (Cheshire), Cardiff, Edinburgh, and Belfast.

Who?

The current (although outgoing) Information Commissioner is Elizabeth Denham CBE, who was appointed UK Information Commissioner in July 2016. Her previous roles included Information and Privacy Commissioner for British Columbia, Canada, and Assistant Privacy Commissioner of Canada. In March 2018, she was named as the most influential person in data-driven business in the updated DataIQ 100 list and, in March 2019, Elizabeth was appointed chair of the Governance Working Group of the International Conference of Information Commissioners (ICIC), a global forum for information commissioners and ombudspersons with 45 members across all continents.

In August this year, it was announced that the preferred new UK Information Commissioner is John Edwards, who has been New Zealand’s Privacy Commissioner since February 2014 and who has practised law in Wellington, New Zealand, for more than 20 years (specialising in information law).

Like What?

The ICO is the body/regulator responsible for data protection law advice and information-giving, enforcement, monitoring/audits/studies, recommendations, and decisions, and somewhere to complain to for matters like:

– Political campaigning practices (data analytics) e.g., transparency, ethics.

– Charity fundraising practices e.g., compliance laws that protect privacy and prevent nuisance phone calls.

– CCTV systems and facial recognition systems, matters of privacy and compliance with data protection laws.

– Credit and the uses of personal information e.g., by credit reference agencies (CRAs).

– Electoral registration.

– Nuisance marketing calls (enforcing the Privacy and Electronic Communications Regulations 2003). Nuisance calls can be reported to the ICO.

– Spam emails and texts (which can be reported to the ICO).

– Cookies.

– Data protection and journalism.

– Data held by the Police.

– Data protection matters for schools, universities, and colleges.

– Public data access rights.

Advice and Help For Businesses

The ICO provides guides to the legislation, resources, and support for businesses about obligations and how to comply under the Acts. Much of it can be found on the ICO website here: https://ico.org.uk/for-organisations/.

Examples of Action Taken

Part of the role of the ICO is to take action to ensure organisations meet their information rights obligations. Examples of action taken by the ICO can be found on their website here: https://ico.org.uk/action-weve-taken/.

Staying Independent Is Important

The outgoing Information Commissioner, Elizabeth Denham CBE, has warned (in a recent statement) that in order for the ICO to be able to hold the government to account, it is important that it preserves its independence in a way that is workable, within the context of the framework set by Parliament.

What Does This Mean For Your Business?

Businesses and organisations must comply with often complicated and changing data protection laws. Although the ICO is responsible for enforcing those laws, its primary role is really to help by giving advice and information, and the website is a useful resource and signposting place for businesses to use and to stay up to date with the latest developments and news. The ICO is also a place for individuals and businesses to complain (perhaps resulting in action with enough complaints) about practices such as spamming (calls, emails, and texts) or not responding to data requests.

Tech News : Proposed Ban For Mass Facial Recognition & ‘Predictive’ Policing

The European Parliament has adopted a resolution calling for a ban on the use of AI-based predictive policing systems and the processing of biometric data that leads to mass surveillance.

Areas

The resolution seeks to ban the use of facial recognition technology and AI in several key areas:

– Police use of facial recognition technology in public places.

– Private facial recognition databases (e.g. Clearview AI)

– Predictive policing and social scoring systems.

What Is Clearview AI?

Clearview AI is a US-based facial-recognition company started by Australian Hoan Ton-That and a former aide of ex-New York City Mayor Rudy Giuliani. The AI software system, which is used by hundreds of law enforcement agencies, has been criticised for using a database that includes billions of photos scraped from social media websites (possibly in violation of social media platform rules). Concerns have also been voiced that, like other systems, it may have a racial bias.

What Is Predictive Policing?

So-called ‘predictive policing’ tools use algorithms and historic data to predict where certain types of crime (e.g. burglaries and street violence) are likely to occur and to predict the likelihood of known individuals exhibiting certain behaviours or characteristics in the future.

What Are Social Scoring Systems?

An example of a social scoring system can be found in China, where the Chinese Communist Party operates a “social credit system” for individuals and organisations. A person’s/organisation’s social score can move up and down depending on their behaviour. Bad behaviour, for example, could include questionable shopping habits, buying too many video games, bad driving, posting on social media, or smoking in non-smoking zones. It has been reported that bad behaviour online, for example, could lead to the punishment of throttling a person’s Internet speed.

What Happens Now?

The European Parliament resolution gives an overview of the argument and indicates the way that voting may go for what will become the AI Act. It is thought that since the AI Act’s lead negotiator, Brando Benifei, and co-negotiators are known to support a blanket ban on facial recognition, there is a strong chance that AI in criminal law and its usage by the police and judicial authorities in criminal matters will have bans and regulations in place soon in the EU.

What Does This Mean For Your Business?

The case for using AI-based facial recognition systems in mass surveillance and predictive policing is that they are supposed to help tackle crime in an intelligent, targeted way. The reality (to date), however, has been cases of misidentification, examples of racial bias, strong resistance from freedom groups on matters of privacy, questions about value for money, and questions about ethics. Also, there is a strong feeling that the use and rollout of this technology has happened before the issues have been studied properly and legislation/regulations put in place to offer protection to citizens. Allegations about how Clearview AI’s database was scraped from social media, as well as worries about the idea of predictive policing and big brother-like social scoring systems, have all been factors in prompting the need to slow things down and get some rules in place.

Tech News : What’s Going On With Facebook?

After experiencing two outages in a week, one lasting more than six hours, and a whistleblower at a Senate Committee hearing alleging potentially harmful effects from Facebook’s algorithms, some are asking ‘what’s going on with Facebook?’

Whistleblower

Former Facebook employee turned whistleblower Frances Haugen, recently identified, was found to be behind a series of leaks reported in the US Wall Street Journal alleging that Facebook has been putting profit over safety. She added to the points made in the articles by alleging, in a recent appearance on the popular US TV programme ’60 Minutes’, that there were conflicts of interest between what was good for the public and what was good for Facebook.

Allegations

The other reported allegations made by Frances Haugen in newspaper reports and allegations made in the TV interview (which remain unproven) are that Facebook:

– Knew that Instagram was worsening body image issues among teenagers and had a two-tier justice system.

– Uses engagement-based ranking algorithms (in Instagram) knowing that these algorithms can’t adequately identify dangerous content and may even amplify negative content and help to fan violent rhetoric and ethnic violence.

– Hides most of its own data and when asked directly about how it impacts the health and safety of children, it chooses to mislead and misdirect.

– Failed to act on internal research showing that Instagram had a negative impact on the mental health of teenage girls.

– Has repeatedly chosen to optimise displayed content for its own interests (e.g. making more money).

– Has a lack of accountability that may mean that the company continues to make choices that go against the common good.

– Could be likened to tobacco companies (or driving without a seatbelt) because when governments realise it’s harmful, they will take action.

– Prematurely reinstated old algorithms following Joe Biden’s election win, that may have contributed to the 6 January attack on the Capitol Building(s) (i.e. prioritising growth over safety).

– Uses moderation that is mostly focused on English content (nearly 90 per cent), despite most users being non-English speakers.

Senate Sub Committee

Frances Haugen has appeared and testified before a Senate subcommittee on Capitol Hill, repeating the allegations that she believed that Facebook’s products harm children, stoke division, and weaken the US democracy.

Facebook Says…

It has been reported that last Friday, Facebook’s vice president for policy and global affairs, Nick Clegg, sent a memo to employees outlining what Haugen was likely to say in the 60 Minutes programme. The company has denied that it encourages bad content and does nothing about it.

Outages

To make matters worse, Facebook has also suffered two damaging outages in a week. The first was a global outage that took down Instagram, WhatsApp, Messenger, and Oculus (virtual reality/3D) and was reportedly caused by the backbone connection between data centres shutting down during routine maintenance, causing the DNS servers to go offline. The second (last Friday) lasted around two hours and affected Instagram feeds and Messenger.

What Does This Mean For Your Business?

The Cambridge Analytica scandal created some huge trust challenges for Facebook, forced it to answer a lot of questions from the government, caused reputational damage, and appeared to make the company work hard and make changes to rebuild trust. Haugen’s allegations, however (which have been applauded by some as an act of bravery), appear to suggest that this may not be the case and that there are some further significant, meaningful changes to be made in terms of social responsibility and safeguarding issues. Critics such as Harvard professor and author Shoshana Zuboff, for example, take the view that Haugen’s revelations have shone a light on how big tech companies like Facebook and others operate a kind of surveillance capitalism where our personal experiences are simply used as free raw material for large-scale behavioural data extraction for profit. Facebook and other big tech companies use secret algorithms as part of their daily operations, so total transparency is always going to seem very unlikely. There was also some speculation online that the timing of the outages (when the whistleblower’s allegations were being widely reported) was suspicious, but there is no evidence of this. Now that Facebook is so widely used by businesses (Pages, Ads, and WhatsApp particularly), the six-hour outage would have frustrated and annoyed many business customers, thereby generating some more bad publicity among a customer group that is really important to the social media giant. There’s no doubt it’s been an unbelievably bad week for Facebook, bringing to the surface more of the old trust issues, and it is likely that we have some way to go yet before this story returns to the background.

Featured Article : Monetising Movement (Your Geo-Data)

In this feature, we take a look at how a multi-billion-dollar market obtains, uses, and sells our location data.

Report

A GVR report estimates that the global location intelligence market was worth USD 12.2 billion in 2020. This market uses our phone/device location data. There are many different interlinked players in this market ecosystem from app companies, collectors, data aggregators, marketplaces, and location intelligence firms, all of whom buy, compile, sell and use our phone location data, ultimately for advertising, analytics, investment strategy, or marketing purposes. The market’s continued growth has been fuelled by factors like the growing penetration of smart devices and portable navigation devices, web-mapping services, as well as the growth of the IoT and the smartphone app market and network infrastructure.

Why and How Is Location Data Collected?

The why and the how are connected. Some of the main reasons our location data is collected, and the ways in which it is collected, include:

– Apps are a major source of location data. Smartphone apps such as those that give directions, or weather/meteorological apps (which need to give you local conditions), need your location data for good reasons, i.e. to operate correctly and deliver appropriate results. Video-streaming apps also need to check a user’s location to decide whether that person is in a country where the app is licensed to stream certain shows. In any case, it is likely that when you install these apps, you will agree to share your location.

– Software Development Kits (SDKs), the tools and code that a company provides to enable and encourage developers to write software for its platform, can have built-in location data collection features. For example, Foursquare makes a free SDK which could (potentially) track location through any app that uses it.

What Happens To The Data After Collection?

Apps sell the data to other players in the location intelligence market. This could be anything from third-party companies that specialise in selling location data, or access to it, to advertisers, marketers, data brokers, other location data providers, and even governments. For example, vox.com (Feb 2021) reported that app trackers secretly sell location data to the government (or its agencies) and that Google can’t stop trackers in its apps from selling location data to the (US) government. Examples of where the data goes after collection by apps include:

– Data Aggregators, who collect the data from many thousands of different apps, combine it with data from other sources, and sell that data onwards e.g., AdSquare or Cuebiq.

– Data brokers, who buy and sell the data.

– Data analysis companies e.g., Advan Research, who analyse the data and sell it on.

– Location intelligence firms. These specialised companies sell geolocation analyses to bigger corporate clients e.g., hedge funds and venture capital and private equity firms.

What Is The Data Used For?

Our location data (which may have been aggregated and analysed) is used for many different end purposes, and there are many companies in the location intelligence ecosystem involved in making location monitoring capabilities and tools.

Some examples of how our location data may be used include:

– Property firms, hedge funds and retail businesses using the data for their own advertising, analytics, and marketing.

– Advertisers/advertising platforms using the data for targeting ads.

– Market intelligence companies using the data to highlight patterns and trends.

Examples of how location monitoring capabilities and tools are being developed include:

– Grand View Research (GVR) reports that some of the big investors in location intelligence technologies include Google, ESRI, Qualcomm, AT&T, Intel, and Apple. This area of location intelligence is more concerned with integrating real-time location monitoring capabilities in devices (smartphones, vehicles, and aircraft) to allow businesses to improve marketing or optimise business operations.

– Industries such as utility and energy, retail, transportation, telecom, and manufacturing use location intelligence tools to help with management and increase productivity and profitability.

Is It Legal?

Consenting to allow an app to use your location (e.g. for its correct operation) makes that use legal. However, there may be a number of other T&Cs, most likely in the privacy policy, that users quickly sign up to without having the time or inclination to read them, and which may grant a wider scope of consent than they would like.

Although consent may be given to apps for sharing location data, and for sharing it for specific related purposes, there are many cases where legal objections have been filed and investigations have taken place into who location data has been shared with. For example:

– In February 2019, the City of Los Angeles sued The Weather Channel for allegedly using its app to mine users’ private geolocation data and send it to IBM affiliates and third parties for advertising and commercial purposes unrelated to weather.

– In June 2020, US Members of Congress opened an investigation into the data analytics company Venntel. The company aggregates location data from smartphone apps (games and weather forecast apps), and the investigation related to allegations that the company may have been selling people’s location data to government agencies such as the FBI and the Department of Homeland Security.

What Does This Mean For Your Business?

The rapid growth of the Internet, smartphone ownership, the IoT, the growing app market, and the potential for profit have fuelled the development of a whole location intelligence industry and ecosystem. This in itself has created opportunities for many different kinds of businesses that buy, sell, aggregate, analyse, and use location data. Businesses across the world use data and information, including a contribution from location data, as the basis for strategies, tactics and campaigns that deliver profits, and as such it is clear to see how our location data helps to feed the business world in a positive way. The questions and uneasiness about location details being gathered, bought, and sold, however, relate more to matters of privacy and ethics. Low consent rates in apps asking for locations, the knowledge that seemingly anonymous data from one source could be combined and aggregated with data from other sources to potentially identify us (or identify more about us), and the idea that privacy policies (that we don’t have time to read) can include things that we would question, all add up to a feeling of uneasiness and mistrust. Just as tracking cookies are being rejected, questions are now rightly being asked about what apps are sharing, who they are sharing it with, and for what purpose. Location intelligence is an area with such complex connections between players in the market that transparency and further regulation are some way off.

Tech Tip – How To Check Your Google 2FA Settings

Two-factor authentication (2FA) adds an extra security dimension to accounts, and with Google now heading down the route of automatically enrolling millions of users into 2FA, here’s how to check if 2FA is turned on for your Google account:

– Go to your account settings through myaccount.google.com on your desktop (or phone).

– Click on the Security section (left-hand pane).

– Scroll down to the Signing in to Google section.

– Click on the ‘2-Step Verification’ option.

OR

– Go to Google’s Security Checkup page (https://myaccount.google.com/intro/security-checkup).

– Scroll down to the ‘2-Step Verification’ section and click on the settings to see your current 2FA status plus any recommendations.

Featured Article: Domain Security

After a recent report found that poor domain security has left most Global 2000 companies vulnerable to the threats of phishing and brand abuse, we take a closer look at domain security and how businesses can maximise their protection against popular threats.

CSC Research – Domains Dangerously Under-Protected

Recent research by US-based CSC, which describes itself as “a world leader in business, legal, tax, and domain security” has shown that web domains of the Global 2000 companies remain dangerously under protected. The research revealed some worrying statistics, including:

– 81 per cent of companies are not using registry locks. Not using a registry lock means that (for example) a registrar could move your domain to another registrar on its own and/or the domain could be hijacked.

– 70 per cent of homoglyph (i.e. fuzzy match) domains are owned by third parties. This is a tactic known to be commonly used in phishing and brand abuse (see ‘typosquatting’). A homoglyph (name spoofing) attack uses processes or domain names that are visually similar to legitimate and recognised names to fool unsuspecting users, who may not notice a minor difference in the domain name (e.g. Unicode characters from non-Latin character sets), into clicking on a malicious link.

– Only 50 per cent are using Domain-based Message Authentication, Reporting, and Conformance (DMARC) records as an email authentication method.

– 43 per cent are configured with MX (email) records that can be used to send phishing emails or to intercept email.

– 57 per cent of the Global 2000 are relying on off-the-shelf consumer-grade registrars who offer limited domain security mechanisms to protect against domain and DNS hijacking.

Also, the research found that among the 70 per cent of the third-party domains deemed suspicious:

– 56 per cent were pointing to advertising, pay-per-click content, or being used for domain parking (registering a domain name but not linking it to any services e.g., e-mail or a website).

– 38 per cent had inactive web content (there are technical problems, problems with the account, or they don’t have nameservers associated with them).

What Are The Main Risks and Threats To Domain Security?

Some of the main risks and threats to your domain security include:

– Your registrar being compromised or hackers gaining access to your account with the company where you registered your domain name, or to the e-mail address that “reset password” forms on their websites send emails to. This can allow hackers to transfer the domain to another registrar, gaining complete ownership over it.

– Domain spoofing, used by phishers and malicious third parties to fool users into clicking on domains that are visually similar to the legitimate domain, e.g. fuzzy matches/typosquatting, homoglyphs (IDNs), cousin domains, keyword matches, and homophones (Soundex).

– Cybersquatting/brand jacking/name jacking i.e., the unauthorised registering and use of a domain name that is identical or similar to trademarks, service marks, company names, or personal names. In the US, this is a crime under the 1999 Anti-Cybersquatting Consumer Protection Act (ACPA).

– Sophisticated DNS attacks that can allow hackers to create confusion and redirect some of your website users to their servers.

– Reverse domain hijacking, i.e. where another entity deliberately registers something with the name of your domain/trademark and then accuses you of stealing their domain.

– Not having DNS redundancy, i.e. a lack of a failsafe solution or backup mechanism for DNS outages, such as a secondary DNS. A lack of DNS redundancy can leave the business open to threats like reduced resiliency to DDoS attacks, and the associated problems of downtime, disruption to business continuity, revenue loss and diminished reputation.

– Not using certificate authority authorisation (CAA) records, i.e. not designating a specific certificate authority (CA) as the sole issuer of certificates for your company’s domains. Not using CAA could allow a cybercriminal to obtain a new certificate for your domain from a certificate authority, and could represent a threat to compliance.

– Not authenticating the company’s email channel with DMARC, SPF, or DKIM. Sender Policy Framework (SPF), for example, enables a domain to state which servers can send emails on its behalf, and DMARC is an email validation system. Not authenticating the company’s email channel can leave the business open to threats like the company’s email domain being used for email spoofing, phishing scams, and other cybercrimes.

– Not staying on top of matters relating to domain renewals, thereby potentially allowing a company domain to be purchased and used by another party, perhaps for malicious purposes.

– Not having a security certificate (https). This protocol uses encryption to protect the integrity and confidentiality of data between the user’s computer and the site. The authentication aspect proves that users are communicating with the intended website, and can therefore protect against man-in-the-middle attacks and build/maintain user trust, not to mention improving the search engine profile and ranking.
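The fuzzy-match, homoglyph and cousin-domain tactics listed above (and in the CSC statistics earlier) are what a brand-monitoring feed has to sort through. A practical way to triage them is to decode any punycode label, reduce the name to a Latin "skeleton" in which look-alike glyphs are collapsed, and only then compare it with the brand domain. The Python script below is an added example written for this article; it is not CSC’s tooling or code from the original post. The brand acmebank.com, the observed domains and the small confusable-character table are all constructed, and the registrable-domain logic assumes a plain two-label name (it does not consult the public suffix list, so brand.co.uk would need extra handling).

```python
import unicodedata

# Constructed subset of Unicode confusables, mapped to the Latin letter each
# one imitates. Unicode's confusables.txt holds thousands more entries.
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",  # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                  # Greek
    "\u0131": "i", "\u0261": "g",                                 # dotless i, script g
}
# Letter pairs that read as a single letter at small font sizes.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def to_unicode(domain):
    """Decode punycode (xn--) labels so the real glyphs get compared."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as-is
        labels.append(label)
    return ".".join(labels)


def normalize(domain):
    return unicodedata.normalize("NFKC", to_unicode(domain)).lower()


def skeleton(domain):
    """Collapse confusable glyphs so look-alike names compare equal."""
    s = "".join(CONFUSABLE_CHARS.get(c, c) for c in normalize(domain))
    for pair, letter in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, letter)
    return s


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    # Assumption: two-label registrable domain (brand.com). A real tool would
    # consult the public suffix list to handle brand.co.uk correctly.
    return ".".join(domain.split(".")[-2:])


def classify(candidate, brand):
    """Label a candidate domain relative to a brand domain (defender's view)."""
    brand_n, brand_sk = normalize(brand), skeleton(brand)
    cand_n = normalize(candidate)
    cand_reg = registrable(cand_n)
    if cand_reg == brand_n:
        return "exact"          # the brand itself or one of its own subdomains
    cand_reg_sk = skeleton(cand_reg)
    if cand_reg_sk == brand_sk:
        return "homoglyph"      # identical on screen, different code points
    brand_label, cand_label = brand_sk.split(".")[0], cand_reg_sk.split(".")[0]
    if levenshtein(cand_reg_sk, brand_sk) <= 2 or levenshtein(cand_label, brand_label) <= 1:
        return "typosquat"      # a keystroke or two away, or a TLD swap
    if brand_label in skeleton(cand_n).replace("-", "").replace(".", ""):
        return "cousin"         # brand name embedded, e.g. acmebank-login.com
    return "unrelated"


def triage(candidates, brand):
    """Group observed domains (from logs or a new-registration feed) by class."""
    out = {}
    for c in candidates:
        out.setdefault(classify(c, brand), []).append(c)
    return out


if __name__ == "__main__":
    # Constructed sample of names a monitoring feed might surface.
    observed = ["acmebank.com", "secure.acmebank.com", "acrnebank.com",
                "\u0430cmebank.com", "acmebank.co", "acmebank-login.com",
                "acmebank.com.evil.net", "weather.example"]
    for cls, names in triage(observed, "acmebank.com").items():
        print(f"{cls:10s} {names}")
```

The classes map onto the list above: "homoglyph" covers the IDN and rn/vv cases, "typosquat" the fuzzy matches and TLD swaps, and "cousin" the keyword-match domains. In practice the "homoglyph" and "typosquat" buckets are the ones worth routing straight to a takedown or blocklist workflow, while "cousin" usually needs a human look because legitimate partners sometimes register such names.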

What About GDPR Domain Masking?

The introduction of GDPR meant that the identity of a domain name registrant couldn’t be published in the public WHOIS database (without consent) and without the risk of penalties. This, however, is a two-edged sword, as it gives criminals more anonymity for registering domain names for malicious purposes, and can stop investigators and security professionals from uncovering dangerous/malicious/phishing website owners. There are, however, ways for cybercriminals and investigators to find out the identity of a domain owner.

How To Boost Your Domain Security

Despite significant potential domain security risks and threats, there are a number of measures that you can take to plug this potential gap in your business cyber security strategy. These measures include:

– Choosing a professional, reliable, and reputable business-focused registrar.

– Authenticating your email channel with DMARC, SPF, or DKIM to minimise the incidence of email spoofing and potential phishing.

– Using enterprise-grade DNS hosting. This could mean consolidating your domain, DNS, and digital certificate providers into one enterprise-class provider.

– Incorporating secure domain, DNS, and digital certificate practices into the overall cyber security posture.

– Using a registry lock for your domain to prevent the risks of administrative and technical hijacking.

– Using domain privacy services and ensuring that WHOIS details are redacted.

– Ensuring that there is DNS redundancy (a failsafe/backup for DNS outages e.g., a secondary DNS).

– Adding CAA records to allow for policy enforcement and to mitigate cyber threats such as HTTPS phishing on hijacked subdomains.

– Buying security certificates for domains (https).

– Continuous monitoring of the domain space and key digital channels e.g., marketplaces, apps, social media, and email for any evidence of brand abuse, infringements, phishing, and fraud.

– Minimising third-party risk by looking at/auditing the business practices of the domain registrar to make sure they are not contributing to fraud and brand abuse e.g., through operating domain marketplaces, domain name spinning, and more.

– Maintaining good basic cyber security practices that can prevent hacks or accounts being compromised that could lead to domains being hijacked and more.
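The email-authentication and CAA items in this list (and the matching risks under “Not authenticating the company’s email channel” and “Not using certificate authority authorisation (CAA) records” above) are easy to state and easy to get half right: an SPF record ending in +all, a DMARC record stuck at p=none, or a missing CAA record all look like “done” on a checklist. The following Python script is an added example, not code from the original article or from CSC, that grades a domain’s SPF, DMARC and CAA records the way a posture check would. The zone data is constructed inline (acmebank.example, the _spf.mailhost.example include and the mailbox addresses are invented) so that it runs offline; a real check would fetch the same records with a resolver and feed them to assess().

```python
import re

# Constructed DNS answers, keyed by (owner name, record type), standing in for
# what a resolver would return. The domain, hosts and mailboxes are invented.
WEAK_ZONE = {
    ("acmebank.example", "TXT"): [
        "v=spf1 include:_spf.mailhost.example +all",   # +all: every sender passes SPF
        "site-verification=constructed-token",
    ],
    ("_dmarc.acmebank.example", "TXT"): ["v=DMARC1; p=none"],  # monitor only, no reports
    ("acmebank.example", "CAA"): [],                           # any CA may issue
}

HARDENED_ZONE = {
    ("acmebank.example", "TXT"): ["v=spf1 include:_spf.mailhost.example -all"],
    ("_dmarc.acmebank.example", "TXT"): [
        "v=DMARC1; p=reject; rua=mailto:dmarc@acmebank.example; adkim=s; aspf=s",
    ],
    ("acmebank.example", "CAA"): [
        '0 issue "letsencrypt.org"',                    # only this CA may issue
        '0 issuewild ";"',                              # no wildcard certificates at all
        '0 iodef "mailto:security@acmebank.example"',   # where CAs report refused requests
    ],
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' term ('+', '-', '~', '?') or None if absent."""
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def spf_lookup_count(record):
    count = 0
    for term in record.split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(zone, domain):
    """Grade SPF, DMARC and CAA posture; returns a list of finding dicts."""
    findings = []

    def add(check, severity, detail):
        findings.append({"check": check, "severity": severity, "detail": detail})

    spf = [r for r in zone.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if not spf:
        add("spf", "high", "no v=spf1 record: any host can claim to send mail for the domain")
    elif len(spf) > 1:
        add("spf", "high", "multiple v=spf1 records: receivers treat this as a permanent error")
    else:
        q = spf_all_qualifier(spf[0])
        if q == "-":
            add("spf", "ok", "'-all' hard-fails unlisted senders")
        elif q == "~":
            add("spf", "medium", "'~all' only soft-fails unlisted senders")
        elif q is None:
            add("spf", "high", "no 'all' term: unlisted senders get a neutral result")
        else:
            add("spf", "high", f"'{q}all' lets unlisted senders pass")
        if spf_lookup_count(spf[0]) > 10:
            add("spf-lookups", "high", "more than 10 DNS-lookup mechanisms: evaluation permerrors")

    dmarc = [r for r in zone.get(("_dmarc." + domain, "TXT"), []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        add("dmarc", "high", "no record: SPF/DKIM failures are not acted on by receivers")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        add("dmarc", {"reject": "ok", "quarantine": "low"}.get(policy, "medium"), f"p={policy or 'missing'}")
        if "rua" not in tags:
            add("dmarc-rua", "low", "no rua= address: aggregate reports are not collected")

    caa = zone.get((domain, "CAA"), [])
    if not caa:
        add("caa", "medium", "no CAA records: any public CA may issue for the domain")
    else:
        issuers = re.findall(r'\bissue(?:wild)?\s+"([^"]*)"', " ".join(caa))
        allowed = sorted({i for i in issuers if i != ";"})
        add("caa", "ok", f"issuance restricted to {allowed}")
    return findings


def worst_severity(findings):
    order = ["ok", "low", "medium", "high"]
    return max((f["severity"] for f in findings), key=order.index)


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", WEAK_ZONE if False else HARDENED_ZONE)):
        results = assess(zone, "acmebank.example")
        print(f"== {label} zone: overall {worst_severity(results)}")
        for f in results:
            print(f"  [{f['severity']:6s}] {f['check']}: {f['detail']}")
```

DKIM is deliberately absent from the check: its public keys live under a selector name (selector._domainkey.domain) that only the sending system knows, so an external scan cannot enumerate them without that hint. The DMARC record is the one that ties SPF and DKIM results to an action, which is why a p=none policy is graded “medium” even when SPF itself is strict.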

What Does This Mean For Your Business?

The security of your company domain(s) is an often overlooked part of the cyber security strategy of a business, and yet a domain is a direct, public part of your brand and reputation that (if successfully attacked and compromised) could lead to huge technical, legal, monetary, and reputational damage to your business. Research, such as that by CSC, confirms that businesses are still taking big risks by not addressing domain security, and cyber criminals use domains as a key part of popular attack methods such as phishing. There are, as outlined in the article, basic measures that businesses can take to make sure that their domains are protected, and that threats to domain security are addressed.