Category Archives: Privacy

Next generation of phishing attacks uses unexpected delivery methods to steal data

Netskope, a specialist in secure access service edge (SASE), has unveiled new research that shows how the prevalence of cloud applications is changing the way threat actors are using phishing attack delivery methods to steal data. The Netskope Cloud and Threat Report: Phishing details trends in phishing delivery methods such as fake login pages and…

The post Next generation of phishing attacks uses unexpected delivery methods to steal data appeared first on Cloud Computing News.

New! Parallels Toolbox Presentation Pack for macOS or Windows

Introducing: Parallels® Toolbox Presentation Pack Available on macOS® and Windows 11+ time-saving tools to help optimize your workday. Optimized for presenters, teachers, students, small business owners, chronic multitaskers, and online trainers to have a simple set of tools. Quickly get ready for a presentation with easy access to hide a messy desktop, launch multiple applications with […]

The post New! Parallels Toolbox Presentation Pack for macOS or Windows appeared first on Parallels Blog.

BSA releases rankings of global cloud policies – UK drops and US rises on leader board

The BSA | The Software Alliance has released its global ranking of cloud computing policies, assessing the cloud readiness and policies of the world’s 24 leading ICT economies, with the UK dropping down the leader board.

The UK dropped two places in the rankings to ninth, whereas Japan maintained its position at the top of the leader board, and the US improved its position, coming in second place. The 24 countries ranked in the research account for roughly 80% of global ICT revenues. Each country is ranked depending on its strengths and weaknesses in seven policy areas: data privacy, security, cybercrime, intellectual property rights, support for standards, promotion of free trade, and IT readiness & broadband deployment.

“It’s worrying to see the UK starting to fall behind other faster-moving nations in creating policies which enable cloud innovation,” said Victoria Espinel, CEO of the BSA. “It’s critical for global leading nations like the UK to be on the front-foot in creating robust policy frameworks fit for the digital age to prevent protectionism, so governments, businesses and consumers can benefit from the various benefits cloud computing offers. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

The UK scored particularly well when it came to intellectual property rights, security and IT readiness, where it ranked fourth, second and first respectively, but badly in the cybercrime evaluation, coming in at number 21 out of 24. Within the other areas it hit the middle of the road, and while overall performance was not negative, the UK fell behind due to the speed and efficiency with which other nations are developing their policies.

In the cybercrime section, where the UK was particularly poor, the report highlighted that while the UK was in general compatible with the Budapest Convention on Cybercrime, it has not yet implemented laws relating to misuse of devices, as required by Article 6 of the Convention. The report also stated that outdated data registration laws are acting as a barrier to some cloud services, as businesses are required to register their data sets with the regulator, which seems to be an unnecessary burden.

2016 BSA Global Cloud Computing Scorecard

The US performed favourably across the majority of the ranking categories, particularly on support for industry standards (first), promotion of free trade (first) and IT readiness (third). The US has been recognized by the report as a particular advocate of free trade and harmonization, as well as standardization, as it “continued to remove barriers to international information technology (IT) interoperability”.

Data privacy was the area in which the US performed worst: the report stated that there is no single privacy law in the US, and that there are numerous policies which have the potential to create a complicated and confusing landscape. Current key sectoral privacy laws include the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act and the Telephone Consumer Protection Act.

The report also drew attention to the compatibility between the US and the privacy principles in the EU Data Protection Directive, of which there is little. According to the report, “US organizations also have a range of voluntary options to ensure their data protection practices are compatible with the principles in the EU Directive”, though these are not backed up by government policy or legislation. This has been a point of discussion throughout the industry, following Safe Harbour being shot down, and its successor receiving criticism from certain corners of the EU.

Russian Privacy Law

While the report does outline progress in the development of IT and cloud policies throughout the world, it does also bring attention to several nations who have been demonstrating negative trends. Countries such as China and Russia have implemented policy which could be seen to inhibit the growth of cloud computing within their countries, by limiting the ability of cloud computing service providers to adequately move data across borders.

“The Scorecard shows that countries are eager to welcome cloud computing and its myriad economic benefits, and many of them are creating a favourable regulatory and legal environment,” said Espinel. “Unfortunately, the Scorecard also shows some countries are heading down a path of treating cloud computing as the next frontier of protectionism. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

Russia, for example, has implemented a legal requirement that data operators store the personal data of Russian citizens on servers based in Russia, and that any personal data information system (irrespective of the simplicity of the database) be certified by the Federal Service for Technical and Export Control (FSTEC). In turn, this data can only be used on software and hardware which has also been approved by the FSTEC.

The BSA believes this will have a negative impact on the country’s digital economy, stating “The local requirements are not compliant with generally accepted international standards, and Russia does not participate in the Common Criteria Recognition Agreement (CCRA).”

Legal reaction to Microsoft’s lawsuit against the US government

US government agencies have had a tough time of it in recent weeks. While the FBI’s battle with Apple has been rolling through the headlines, Microsoft’s lawsuit has been kept relatively quiet after an initial splash in the press.

In light of a potentially industry-changing event, we took some time to speak to legal experts at Herbert Smith Freehills LLP to understand the impact of the lawsuit on cloud computing as an industry and a technology.

“In Microsoft’s view, the government’s increasing use of so-called “secrecy orders” to obtain access to stored customer information, without that customer’s knowledge, violates US constitutional protections that afford individuals and businesses the right to know if the government searches or seizes their information,” said Joseph Falcone, Partner at Herbert Smith Freehills, in New York.

“One provision of the Electronic Communications Privacy Act (ECPA), however, and the one at issue here, enables a federal court, upon application by the government, to enjoin a cloud services provider from notifying its customer of any governmental demand for that customer’s e-mails and documents.

“Microsoft charges that in most cases, secrecy orders issued pursuant to this provision forbid notification to the customer for unreasonably long, and in many cases indefinite, time periods, whenever the government can convince the court that such notice would result in adverse consequences to the investigation.”

In short, Microsoft’s President and Chief Legal Officer Brad Smith has seemingly taken it upon himself to take on one of the world’s most powerful entities, in a battle to bring government policy and legislation into the 21st century. Microsoft’s issue is seemingly centred on the idea that government is abusing the power set out in the ECPA, originally written in 1986, long before the widespread use of the internet. The team maintains the position that government cannot rely on a collection of rules set years before cloud computing was even an idea.

Joseph Falcone, Partner at Herbert Smith Freehills, in New York.

“The danger of such unlimited secrecy, Microsoft asserts, is also evidenced by the fact that the statute does not require the government to later justify the continued prohibition on providers from communicating to their customers about the government’s action,” said Falcone. The company believes there is a lack of accountability for the US government, enabling its agencies to act without fear of retribution. While tech giants throughout the industry have been on the receiving end of public outcry when discussing privacy and the ethical use of a customer’s data, Microsoft is seemingly taking a lone stance against the US government to reverse the trend.

“Microsoft’s complaint raises a host of US constitutional issues, doctrines and arguments,” said Falcone. “Distilled to their essence, Microsoft’s argument is that it is unconstitutional for the government and the courts to prevent it from telling its customers when authorities seek their e-mails or other stored data.”

In Smith’s blog post detailing Microsoft’s position, he highlighted that the government’s current position violates the 1st and 4th constitutional amendments, but he does maintain there are circumstances where secrecy should be an option. The problem here is that secrecy has become too routine, leaning towards the default setting as opposed to the exception to the rule.

“There is no way to predict at this point how the court will rule, and any ruling by the district court very likely will be appealed,” said Falcone. “It is also unclear whether the suit will result in any changes to US law or curtail what Microsoft describes as increasing government efforts to obtain electronic data, though Microsoft has signalled that it would support changes.

“Microsoft’s most recent suit is similar to a pending challenge that it lodged to US authorities’ efforts to secure, via a warrant served on Microsoft in the US, the e-mail content from a Microsoft customer whose data was stored in the EU.  In that challenge, as in this one, Microsoft has cast itself as the defender of its customers’ right to privacy and their right to transparent actions by the US government.

“In addition, these actions enable Microsoft to show regulators in the EU and elsewhere that the company is seeking to limit US government efforts to secure electronic data secretly and to secure non-US stored data from the US.”

It would be very difficult to predict which way the lawsuit will go, but it would be fair to assume this is unlikely to be a short-lived story. Any decision made will likely be met by a string of appeals, delaying the impact on the industry for what could potentially be a significant amount of time.

Nick Pantlin, TMT Partner at Herbert Smith Freehills

We recently ran a poll in which our readers told us it is unlikely Microsoft will be successful; only 42% of our readers are backing the Microsoft legal team at this point. However, the action itself could possibly earn Microsoft new fans around the world, most particularly in Europe. With Safe Harbour now non-existent, and its successor attracting criticism from some quarters, Microsoft’s stance, seemingly protecting its customers from the big bad government, will possibly act as an effective PR tool in the European region.

While the US government is the one in the spotlight at the moment, it is worth noting that it is not the only government worldwide to undertake such activities.

“Against the backdrop of the ongoing global battle between public authority access to data for national security purposes and individuals’ right to privacy, the controversial UK Investigatory Powers Bill has been revised and introduced to the House of Commons with a deadline of 31 December 2016 for the legislation to be in place,” said Nick Pantlin, TMT Partner at Herbert Smith Freehills, in London.

“The issue of end-to-end encryption has also been debated in the UK. However, the Bill has clarified the Government’s position on encryption, making it clear that companies can only be asked to remove encryption that they themselves have applied, and only where it is practicable for them to do so. The Government asserts that it is not asking companies to weaken their security by undermining encryption.”

Locking Down the Cloud

Guest Post by Pontus Noren, director and co-founder, Cloudreach.

The good news for cloud providers is that forward-thinking CIOs are rushing to embrace all things ‘cloud’, realising that it provides a flexible and cost-effective option for IT infrastructure, data storage and software applications. The bad news is that the most significant obstacle to implementation could be internal: coming from other parts of the organisation where enduring myths about legal implications, security and privacy issues remain. The reality is that today such fears are largely unfounded. CIOs need help in communicating this to their more reluctant colleagues if they want to make the move to the cloud a success.

Myth No 1: The Security Scare

In many cases, moving to the cloud can in fact represent a security upgrade for the organisation. Since the introduction of cloud-based computing and data storage around ten years ago, the issue of security has been so high profile that reputable cloud providers have made vast investments in their security set-ups – investments that an individual organisation would be unable to cost-effectively match due to the far different scale on which it operates.

For example, data stored in the cloud is backed up, encrypted and replicated across multiple geographically distributed data centres in order to protect it from the impact of natural disasters or physical breaches. All this takes place under the watchful eyes of dedicated data centre security experts. If you compare this to the traditional in-house approach – which all too frequently sees data stored on a single server located somewhere in the basement of an office – it is not difficult to see which is the more secure option. By working with an established and respected cloud provider, such as Google or Amazon Web Services, businesses can benefit from such comprehensive security measures without having to make the investment themselves.

Myth No 2: Data in Danger

Security and data privacy are closely related, but different issues. Security is mainly about physical measures taken to mitigate risks, while ‘privacy’ is more of a legal issue about who can access sensitive data, how it is processed, whether or not it is being moved and where it is at any moment in time.

Concerns around compliance with in-country data protection regulations are rife, especially when dealing with other countries. Across Europe, for example, data protection laws vary from country to country with very strict guidelines about where data can be stored. A substantial amount of data cannot be moved across geographical boundaries, so the security practice of replicating data across the globe has far-reaching compliance implications for data protection. However, data protection legislation states that there is always a data processor and data controller and a customer never actually ‘hands over’ its data. This doesn’t change when the cloud is involved – all large and reputable cloud services providers are only ever the data processor. For example, the provider will only ever process data on behalf of its customer, and the customer always maintains its ownership of its data, and role of data controller.

However, much of data protection law predates the cloud and is taking a while to catch up. Change is most definitely on its way. Proposed European legislation aims to make data protection laws consistent across Europe, and with highly data-restricted industries such as financial services now starting to move beyond private clouds into public cloud adoption, further change is likely to follow as organisations start to feel reassured.

So what can CIOs do to change perceptions? It comes down to three simple steps:

  • Be Specific – Identify your organization’s top ten queries and concerns and address these clearly.
  • Be Bold – Cloud computing is a well-trodden path and should not be seen as the future, rather as the now. Having tackled company concerns head on, it is important to make the jump and not just dip a toe in the water.
  • Be Early – Engage reluctant individuals early on in the implementation process, making them part of the change. This way CIOs can fend off ill-informed efforts to derail cloud plans and ensure buy-in from the people who will be using the new systems and services.

The cloud has been around for a while now and is a trusted and secure option for businesses of all sizes and across all sectors. In fact, there are more than 50 million business users alone of Google Apps worldwide. It can hold its own in the face of security and privacy concerns. CIOs have an important role to play in reassuring and informing colleagues so that the firm can harness the many benefits of the cloud, future-proof the business and release IT expertise to add value across the business. Don’t let fear leave your organisation on the sidelines.

Pontus Noren is director and co-founder, Cloudreach.

Keynote Announces New 24/7 Web Privacy Tracking, Compliance Monitoring

Keynote Systems today announced a new on-demand service for addressing growing Web privacy issues stemming from online behavioral targeting. The new service, called Keynote Web Privacy Tracking, goes beyond traditional monitoring and identifies third party tracking in violation of a site’s own stated privacy policy.

Keynote Web Privacy Tracking provides comprehensive insight into third parties that violate a company’s privacy policies across a website. Using a real browser, Keynote’s service monitors websites and records all of the tracking activity present, for example, cookies being placed on the browser. Keynote then matches that activity against a database of over 600 tracking companies and over 1,000 tracking domains, providing details on what privacy policies are being violated. Additionally, the Keynote Referrer Chain feature provides a detailed record for how the third-party violator came to be on the site, and an audit trail of each handoff in the ad request.

While there are already website privacy testing solutions on the market, Keynote Web Privacy Tracking is the first to apply a proven 24/7 monitoring technology to address the growing concerns over the impact of third party trackers on Internet privacy.

By monitoring websites around the clock from up to 70 geographic locations and covering 28 countries in the United States and Europe, Keynote Web Privacy Tracking provides an unmatched breadth of coverage for understanding the precise location and size of potential privacy issues, including risks arising from variations in how ad networks deliver geo-targeted content. Once privacy violations are found, Keynote goes one step further by providing detailed and actionable records that enable a site owner to manage policy violations with the ad network directly responsible for bringing a violator to the website. Keynote’s solution also features one-click analysis and reporting – once a site operator finds someone violating a company’s own stated privacy policy, with the click of a button a site operator can drill-down for further information.

Keynote Web Privacy Tracking has a comprehensive tracking database that provides site operators with detailed information for each third party tracker on their site. Site owners can then export the Keynote Web Privacy Tracking Report and share with co-workers and ad network partners to take immediate corrective action that reduces their exposure to privacy violations.

“Keynote Web Privacy Tracking is an ideal solution that site operators can begin leveraging immediately to address their lack of visibility into which third parties are violating the site’s own stated privacy policies,” said Vik Chaudhary, vice president of product management and corporate development at Keynote. “Our data will allow them to take very fast remedial action. Also, we believe our cutting edge 24/7 privacy compliance monitoring service will help address the increasing concerns of the many U.S. government agencies examining the issue. This includes the FTC, as well as government agencies in Europe, which may soon hold site operators legally accountable for ensuring consumer privacy on their website.”

“Online websites know that they need to publicize and enforce a strong privacy policy in order to comply with regulations, maintain goodwill with users, and ensure repeat traffic,” said Ian Glazer, research vice president at Gartner, Inc. “However those tasked with managing privacy within the organization often lack visibility into their potential privacy risk. Privacy professionals are engaging a new breed of tools to help them identify the continued risk that comes with third party cookies.”

Scott Crawford, research director with Enterprise Management Associates said, “With regulators and individuals alike becoming increasingly vocal about the responsible handling of sensitive personal data, organizations that develop and deploy Web applications must take those concerns more seriously than ever before.” Crawford continued, “Keynote’s new product provides organizations with more granular and precise insight into how sensitive information is used and privacy requirements met, not only by a business’s own applications, but also by those who provide services such as advertising placement, which could jeopardize the business’s relationships with its customers if private data is not handled properly.”

The results of an in-depth and comprehensive analysis of the online behavioral tracking on 269 Websites, to be publicly released by Keynote in the near future, found that 86 percent of the sites analyzed included third-party tracking of site visitors and, as a consequence of these third parties, over 60 percent of those sites violated one or more of the industry’s most common tracking-related privacy standards.

“The number of websites that allow visitors to be tracked by third parties may be surprising to some, but as consumers begin to understand that their online behavior can be recorded, website publishers will have to work even harder to ensure consumers’ privacy expectations are met,” said Ray Everett, Keynote’s director of privacy services.

Keynote Web Privacy Tracking detects the third parties collecting user information on each company’s site across all pages monitored by Keynote. Keynote then cross-checks each tracker against a database of over 600 ad networks and 1,000 tracking domains. Tracking companies that do not commit to an industry best practice for Web privacy are then flagged as a violator of the selected policy.

Policies checked by Keynote Web Privacy Tracking include:

  • Provide customers an Opt-out
  • Promise to Anonymize Data
  • Subject to Industry Overview from Recognized Organizations

“Ultimately, the burden of policing third-party trackers falls on the shoulders of website publishers,” Keynote’s Everett concluded. “A publisher is responsible for the content of their website, including the practices of the advertisers appearing on it. Monitoring the constantly changing advertising ecosystem is a daunting task, but the consequence of failure is the placing of your brand’s reputation at tremendous risk.”