WebProNews

Category: CybersecurityUpdate

  • Check Point Identifies Security Issue With Zoom URLs

    Israeli security firm Check Point has worked with Zoom to fix an issue with Zoom vanity URLs.

    Vanity URLs give companies a way to add their branding to their Zoom URLs. Companies could even add a customized website to the service. Unfortunately for Zoom, the vanity URLs had a serious security flaw.

    According to Check Point’s research, “an attacker could have attempted to impersonate an organization’s Vanity URL link and send invitations which appeared to be legitimate to trick a victim. In addition, the attacker could have directed the victim to a sub-domain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization.”

    This is just the latest in a long string of Zoom security issues that have come to the surface as the platform has gained in popularity. Zoom has been working to close the holes and improve security all around.

    According to Check Point, the vanity URL vulnerabilities “were responsibly disclosed to Zoom Video Communications, Inc. as part of our ongoing partnership and cooperation. This security issue has been fixed by Zoom, so the exploits described are no longer possible.”
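    A defender-side check for the impersonation risk described above, written as an added example (it is not Check Point's or Zoom's code): an organization that knows which vanity hosts it actually owns can screen incoming invitation links and flag any Zoom vanity subdomain that is not on that list. The owned vanity host, the resolver of generic regional hosts (the `us02web`-style pattern) and the sample invitation text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ZOOM_APEX = "zoom.us"
# Assumption: Zoom's generic (non-branded) web hosts look like www.zoom.us or us02web.zoom.us.
GENERIC_SUBDOMAIN = re.compile(r"(www|[a-z]{2}\d{2}web)")
# Constructed value: the vanity host(s) this organization actually owns.
OWN_VANITY_HOSTS = {"acme-corp.zoom.us"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def classify_join_link(url, own_vanity_hosts=OWN_VANITY_HOSTS):
    """Return (verdict, host) for one link.

    'ok'       : apex zoom.us, a generic regional host, or a vanity host we own
    'foreign'  : a Zoom vanity host we do not own (possible impersonation)
    'not-zoom' : not a Zoom host at all (e.g. acme-corp.zoom.us.example.net,
                 or userinfo tricks like https://acme-corp.zoom.us@evil.example/)
    'invalid'  : unparsable or non-https link
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return "invalid", None
    host = parts.hostname.lower().rstrip(".")  # hostname excludes userinfo and port
    if host == ZOOM_APEX:
        return "ok", host
    # Only a real subdomain of zoom.us counts; merely containing "zoom.us" does not.
    if not host.endswith("." + ZOOM_APEX):
        return "not-zoom", host
    subdomain = host[: -len("." + ZOOM_APEX)]
    if GENERIC_SUBDOMAIN.fullmatch(subdomain):
        return "ok", host
    if host in {h.lower() for h in own_vanity_hosts}:
        return "ok", host
    return "foreign", host


def screen_invitation(text, own_vanity_hosts=OWN_VANITY_HOSTS):
    """Find every link in an invitation body and classify it."""
    results = []
    for match in URL_RE.findall(text):
        url = match.rstrip(".,;:)")  # strip trailing sentence punctuation
        results.append((url,) + classify_join_link(url, own_vanity_hosts))
    return results


if __name__ == "__main__":
    # Constructed sample invitation: one legitimate link, one look-alike tenant.
    sample = "Join: https://acme-corp.zoom.us/j/1 and https://evil-corp.zoom.us/j/2."
    for url, verdict, host in screen_invitation(sample):
        print(f"{verdict:8} {host}  {url}")
```

The useful property is that the verdict depends only on the parsed hostname, so a link that merely contains the organization's vanity name somewhere in its text (a longer suffix, a userinfo prefix, an http:// downgrade) never reads as "ok"; anything classified `foreign` is a candidate for quarantine or a user-facing warning rather than a block on its own, since a legitimate partner may well invite from their own vanity host.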

  • Google Sued For Tracking Users, Even When They Opt Out

    Google is facing yet another privacy-related lawsuit, this one alleging the company tracks users even after they opt out.

    The lawsuit, filed in the US district court in San Jose, claims that Google uses Firebase to continue monitoring users and tailoring ads to them. Google’s Firebase is used for notifications, alerts, data storage, ads and tracking software glitches, as well as user interactions, such as clicks. Many developers use the tool in their apps.

    According to Reuters, the lawsuit alleges that “even when consumers follow Google’s own instructions and turn off ‘Web & App Activity’ tracking on their ‘Privacy Controls,’ Google nevertheless continues to intercept consumers’ app usage and app browsing communications and personal information.”

    The lawsuit also claims that Google uses Firebase to tailor its ads, effectively using it as an end-run around tracking. The firm filing the lawsuit is seeking class-action status.

    This is not the only lawsuit Google is facing for ignoring opt-out settings. Earlier this year, Arizona Attorney General Mark Brnovich filed a lawsuit against the company for continuing to track users after they opt out.

    Needless to say, this is not a good look for Google when the company is facing increased scrutiny in both the US and the EU for privacy issues and anti-competitive practices.

  • Congressman Lynch Asks Apple and Google to Crack Down on Foreign Apps

    Congressman Stephen Lynch, Chairman of the Subcommittee on National Security, is calling on Apple and Google to provide more transparency regarding foreign apps.

    Amid the ongoing controversy surrounding TikTok, India’s purge of Chinese apps and the bans on Chinese telecommunications firms, there is increased scrutiny on the potential security risks that foreign apps and companies may pose. In particular, where user data is stored is a big concern. For example, TikTok was recently sued for allegedly uploading an individual’s data to China without consent.

    Both Apple and Google confirmed they do not require app developers to disclose where any stored data will be housed, nor are they required to inform users of such arrangements.

    “As industry leaders, Apple and Google can and must do more to ensure that smartphone applications made available to U.S. citizens on their platforms protect stored data from unlawful foreign exploitation, and do not compromise U.S. national security,” Chairman Lynch wrote. “At a minimum, Apple and Google should take steps to ensure that users are aware of the potential privacy and national security risks of sharing sensitive information with applications that store data in countries adversarial to the United States, or whose developers are subsidiaries of foreign companies.”

    We will continue to monitor this story and provide updates as it develops.

  • Microsoft Releases Patch for 17-Year-Old Bug

    Better late than never: Microsoft has released a patch for a major vulnerability that is some 17 years old.

    Microsoft and security researchers are keen to prevent another WannaCry disaster, which has prompted a renewed focus on Windows vulnerabilities. Israeli security firm Check Point has discovered a vulnerability, called SigRed, that has the potential to be just as bad.

    The vulnerability carries a CVSS base score of 10, the highest severity possible. Microsoft also describes it as “a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”

    According to Check Point, every version of Windows Server from 2003 to 2019 is vulnerable. This gives attackers an enormous target to take advantage of. Microsoft released the update today as part of Patch Tuesday. All organizations are strongly encouraged to update immediately.

    “We strongly recommend users to patch their affected Windows DNS Servers in order to prevent the exploitation of this vulnerability,” says Check Point. “We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.”

    System admins should waste no time applying this patch, as hackers will waste no time trying to take advantage of SigRed.

  • AMD Takes On Intel Xeon With Threadripper Pro CPU

    The hits keep on coming for Intel as AMD rolls out its Threadripper Pro CPU, aimed at taking on the Intel Xeon.

    Intel’s Xeon processors are aimed at workstations and offer a number of advanced features not found in their consumer CPUs. In recent years, AMD has been making significant strides against Intel, as the latter has struggled to keep up with demand and move to 10nm processors.

    In particular, AMD’s Ryzen line of CPUs has won almost universal praise, further illustrating how far Intel has fallen. Now the company has released its Ryzen Threadripper PRO, aimed at the same workstation market as the Xeon.

    “AMD Ryzen Threadripper PRO Processors are purpose-built to set the new industry standard for professional workstation compute performance,” said Saeid Moshkelani, senior vice president and general manager, AMD Client business unit. “The extreme performance, high core counts and bandwidth of AMD Ryzen Threadripper Processors are now available with AMD PRO technology features including seamless manageability and unique built-in data protection. Even the most demanding professional environment is addressed with the new AMD Ryzen Threadripper PRO line-up, from artists and creators developing breathtaking visual effects, to architects and engineers working with large datasets and complex visualizations, all brought to life on the most advanced professional workstation platform in the world.”

    AMD is launching the CPU in conjunction with Lenovo, who is offering the chip in the ThinkStation P620.

    “Our customers need class-leading, innovative solutions to power through the most demanding applications,” said Rob Herman, General Manager, Workstation and Client AI Business Unit, Lenovo. “By leveraging the AMD Threadripper PRO Processors for our newest workstation, the ThinkStation P620, we can offer users the smarter solutions to create complex models, render photorealistic imagery or analyze geophysical and seismic interpretations, while offering crucial security and scalability features to ensure safe and effective operation for our professional users.”

    This is great news for IT professionals, AMD and Lenovo. For Intel, this is just the latest in a string of bad news, including the loss of one of their leading chip designers and Apple moving to its own custom silicon.

  • Google Introduces Confidential Computing, a New Way of Encrypting Cloud Data

    Google Cloud has introduced Confidential Computing in a bid to help secure data in the cloud.

    Google and Microsoft are both founding members of the Confidential Computing industry group. The goal of Confidential Computing is to encrypt and secure data while it is being used and processed. This is far different from current encryption methods, wherein data must be decrypted in order to access it. In its current incarnation, Google Cloud encrypts data in transit and at rest, but the data must be decrypted to work with.

    Confidential Computing is a game-changer since it keeps data encrypted at every step of the process, including when the data is being accessed.

    “Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing,” write Nelly Porter, Senior Product Manager; Gilad Golan, Engineering Director, Confidential Computing; and Sam Lugani, Lead Security PMM, G Suite & GCP platform. “Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

    “Confidential VMs, now in beta, is the first product in Google Cloud’s Confidential Computing portfolio. We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure. Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”

    This is an exciting development in the realm of cloud security, and specifically for Google Cloud. As the first major cloud provider to offer Confidential Computing, Google scores a big win as it battles its larger rivals in the cloud space.

  • UK Reverses Course, Bans Huawei

    In an about-face, the UK has announced it is instituting a complete ban of Huawei equipment from its networks.

    The US has engaged in a campaign to get its allies to ban Huawei, as it has done. There are widespread concerns about national security risks, as Huawei has much closer ties to Chinese intelligence than many firms. As a result, it is believed the company is a spying and surveillance threat.

    Initially, the UK had opted to include Huawei in its networks, albeit in a lesser role. The company’s equipment was restricted from the more sensitive core network, and could comprise no more than 35% of the UK’s 5G equipment. In addition, no Huawei equipment could be used near nuclear sites or military bases.

    Even that compromise solution was not popular, however, with both US officials and many in Prime Minister Johnson’s own party urging Downing Street to reconsider. Adding further pressure, the US has been ramping up restrictions on Huawei, including cutting it off from one of its main chip suppliers, TSMC.

    It appears the combination of factors has led the UK to reverse course, as it has announced a total ban on Huawei equipment. According to the government’s statement:

    “Huawei will be completely removed from the UK’s 5G networks by the end of 2027, the government has announced, following new advice produced by the National Cyber Security Centre (NCSC) on the impact of US sanctions against the telecommunications vendor.

    “Ahead of this there will be a total ban on the purchase of any new 5G kit after 31 December 2020.”

    This is sure to hurt Huawei, as the UK was one of the first countries in Europe to welcome the Chinese firm years ago. It also remains to be seen what repercussions there will be, as China has a history of threatening countries over Huawei.

  • UK and Australia Open Joint Investigation Into Clearview AI

    The UK and Australia have announced a joint investigation into Clearview AI—to cheers of privacy advocates the world over.

    Clearview quickly made a name for itself as a facial recognition firm that had scraped billions of images from millions of websites. Ignoring platform policies and user agreements, Clearview even scraped images from the top social media companies, including Twitter, Facebook and YouTube.

    Things only got worse from there, as the company was found to be monitoring police searches to discourage them from talking to journalists. Despite repeatedly insisting it only sold its software to law enforcement and security personnel, information came to light showing the company had allowed investors and friends to access and use the platform as their own plaything. To top it off, Clearview began selling its software to authoritarian regimes.

    It seems the UK and Australia have had enough, as “the Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office (ICO) have opened a joint investigation into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals.”

    This is further bad news for the company, but great news for the average consumer and privacy advocate alike.

  • US May Ban Contractors From Using Chinese Equipment

    The US is ramping up its pressure on Chinese firms, with plans to ban any government contractor from using equipment from five companies.

    Huawei, Hikvision, Hytera Communications Corp, ZTE and Dahua are the five companies that are expected targets of the new regulations. As Reuters points out, the five companies cross a variety of tech sectors. Huawei and ZTE are well-known smartphone and wireless equipment makers. Hikvision and Dahua are top camera and surveillance equipment vendors, and Hytera Communications Corp makes two-way radios.

    If this regulation should pass, it will have far-reaching impacts on the tech industry and government contractors. Each contractor will have to prove they are not using any equipment, goods or services from any of the blacklisted companies, not to mention the cost incurred in replacing any equipment they were using.

    This is just the latest escalation in the battle between the US and Chinese companies, which officials accuse of being a national security risk. This move will likely have an impact on US/China relations, and could well lead to retaliation on the part of Beijing.

  • TikTok Pulling Out of Hong Kong

    TikTok has announced plans to pull out of Hong Kong in the wake of a new national security law.

    China has been flexing its muscle in Hong Kong, effectively ending the long-standing ‘one country, two systems’ rule. When Britain turned Hong Kong over to Beijing in 1997, its citizens were guaranteed 50 years of autonomy. Despite that, the Chinese government has been trying to exercise more control recently, leading to widespread protests.

    In response, Beijing signed a national security law that gives authorities sweeping powers to punish secession and sedition, as well as search properties and prevent individuals being investigated from leaving the city.

    Tech companies around the world have expressed concern that China may try to use their platforms for censorship or surveillance, by requiring user data to be stored in China. As a result, TikTok is taking action. A spokesperson told Axios that: “In light of recent events, we’ve decided to stop operations of the TikTok app in Hong Kong.”

    The move comes at a time when owner ByteDance is trying to distance TikTok from China. The company operates two similar platforms: TikTok for the world, and a government-approved version in mainland China, called Douyin. Given the allegations that TikTok can’t be trusted to protect user privacy, ByteDance is trying to prove it is not beholden to Beijing.

    The next few weeks will likely be difficult for all of the social media networks as they come to terms with how—or if—they will continue operating in the city.

  • iOS 14 Outs Major Apps For Snooping On Users

    iOS 14 has a number of significant privacy improvements, one of which has been a source of embarrassment for several high-profile apps.

    Privacy was one of the highlights of Apple’s WWDC 2020 Keynote, with the company outlining the steps it is taking to improve the level of privacy it offers customers. One such feature is clipboard monitoring. In short, iOS 14 will alert a user when an app accesses the data currently held in the clipboard. Given that users often copy and paste bank account numbers, credit card numbers, passwords and other sensitive data, this is an excellent new feature.

    Unfortunately for a number of apps, however, they don’t seem to have gotten the memo. In short order, TikTok, LinkedIn, Reddit and several others have all been called out for reading the contents of the iOS clipboard. These apps were all caught accessing the clipboard even when they were not the app involved in the copy and paste function. Basically, once they were opened, they started reading the clipboard’s contents. In the case of TikTok, it appears to have been accessing the clipboard every 1 to 3 keystrokes.

    All three companies have pledged to release an update that will resolve the issue. LinkedIn and Reddit blamed the behavior on bugs, while TikTok said it was a measure designed “to identify repetitive, spammy behavior.” While some users may be willing to give LinkedIn and Reddit a pass, TikTok’s intentional use of the feature does not bode well for a company that is already accused of gross privacy violations.

    Either way, kudos to Apple for helping put an end to this practice. iOS 14 can’t arrive soon enough.

  • British Government May Be Moving Closer to Huawei U-Turn

    The British government may be moving closer to reversing its decision to include Huawei in its 5G rollout.

    Huawei has been under increasing pressure globally amid accusations that it helps the Chinese government spy on governments and organizations around the world. While all Chinese corporations are required to cooperate with the government, Huawei has been accused of having far closer ties with the Chinese intelligence community than most companies.

    Despite ongoing US pressure to exclude Huawei, the British government initially opted to include the Chinese firm in a limited capacity. Recent events, however, have forced the UK to reconsider. US officials have repeatedly warned that including Huawei would force the US to revisit sharing intelligence and military assets with the UK. The US has also taken efforts to restrict Huawei’s supply of semiconductors.

    It appears the increased pressure is having an impact. According to The Guardian, Culture Secretary Oliver Dowden told a defense committee that an emergency review was nearly finished and would likely result in a change of policy.

    “Given that those sanctions are targeted at 5G and extensive, it is likely to have an impact on the viability of Huawei as a provider for the 5G network,” Dowden told the MPs.

    If the UK does reverse course, it will be a significant blow to Huawei, while providing US officials with a major win.

  • EARN IT Act Moves Forward After Addressing Encryption Concerns

    The Eliminating Abuse and Rampant Neglect of Interactive Technologies Act of 2019 (EARN IT Act) has passed the Senate Judiciary Committee after addressing concerns about weakening encryption.

    The EARN IT Act is aimed at protecting children and eliminating online sexual abuse. Many critics, however, were afraid the bill went too far in weakening encryption that law-abiding users rely on.

    The bill addresses the Section 230 protections that limit the liability companies incur from the actions of users on their platforms. In order to maintain their protections, the original bill called for companies to follow mandatory “best practices” outlined by a commission of experts. Many companies and critics warned that these “best practices” could require companies to weaken industry-standard encryption, leaving them little recourse.

    Senator Graham filed an amendment that waters down that provision of the bill, specifically changing the “best practices” to recommendations rather than requirements. In addition, according to The Verge, Senator Patrick Leahy filed an amendment—that was approved—that would “exclude encryption” as a factor that would increase a company’s liability.

    The bill will now move to the Senate floor for a vote by the entire body.

  • California Begins Enforcing New Privacy Law

    Following a six-month grace period, California has begun enforcing its new privacy regulation, effective July 1.

    The California Consumer Protection Act (CCPA) was signed into law on January 1. Similar to the EU’s GDPR, the CCPA is a robust set of laws designed to protect individual privacy and give consumers more control over the data companies collect about them. Companies were given a six-month grace period before enforcement began, but that grace period ended on June 30.

    The CCPA likely impacts more companies than many realize. It directly applies to companies that do $25 million in annual revenue, companies that derive at least half of their revenue from selling their customers’ data or companies that collect data on at least 50,000 individuals.

    Potential penalties are high enough to ensure compliance. Non-intentional violations could cost as much as $2,500 per incident, while intentional violations could cost as much as $7,500.

    While many companies have struggled to be ready for the new law, privacy advocates have praised it for protecting the interests of consumers.

  • Legislation Would Ban Federal Law Enforcement From Using Facial Recognition

    Senators Ed Markey and Jeff Merkley have introduced legislation that would ban federal law enforcement agencies from using facial recognition.

    In the wake of several high-profile incidents that have helped spark protests and a renewed focus on racial equality, facial recognition has come under heavy fire. While having some usefulness, facial recognition struggles with bias issues, especially related to race, ethnicity and sex. This doesn’t even begin to address the privacy issues the technology raises. Clearview AI is one company that has increasingly been in the news for blatant abuses of privacy through the use of facial recognition.

    The Facial Recognition and Biometric Technology Moratorium Act would address these concerns by prohibiting federal law enforcement agencies from using facial recognition tech. In addition, any local or state agencies seeking federal funding would be required to take similar measures.

    “Facial recognition technology doesn’t just pose a grave threat to our privacy, it physically endangers Black Americans and other minority populations in our country,” said Senator Markey. “As we work to dismantle the systematic racism that permeates every part of our society, we can’t ignore the harms that these technologies present. I’ve spent years pushing back against the proliferation of facial recognition surveillance systems because the implications for our civil liberties are chilling and the disproportionate burden on communities of color is unacceptable. In this moment, the only responsible thing to do is to prohibit government and law enforcement from using these surveillance mechanisms. I thank Representatives Jayapal and Pressley and Senator Merkley for working with me on this critical legislation.”

    It’s unknown whether the bill will be able to gain enough support to pass. Should it succeed, however, it could fundamentally alter the privacy debate and have a profound impact on equality.

  • Google Rolling Out Verified Calls to Tell You Why Businesses Are Calling

    Google is preparing to roll out a feature that will help cut down spam calls by verifying calls before they’re placed.

    In a support document, Google outlines how Verified Calls will work. Participating businesses will send information to Google’s Verified Calls server, including the name of the business, who they’re calling and the purpose of the call.

    Google then sends this information to the Android Phone app. Once the business actually places the call, Android compares the call with the information Google previously sent. If everything matches up, the Phone app displays a “Verified Call” badge.
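    The register-then-match flow described in the two paragraphs above, as an added toy model (this is not Google's code and does not reflect how its Verified Calls server is implemented). The data model, the five-minute validity window, the one-time-use rule and the phone numbers and business names are assumptions constructed for illustration; the point it shows is that a call whose caller ID is forged, or that arrives without a prior registration for that exact caller/callee pair, simply earns no badge.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def normalize(number):
    """Reduce a phone number to '+digits' so formatting differences don't break matching."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "+" + digits


@dataclass
class CallIntent:
    business: str
    caller: str        # normalized business number
    callee: str        # normalized user number
    purpose: str
    registered_at: datetime


class VerifiedCallsServer:
    """Holds intents a business registered *before* dialing (toy model)."""
    VALIDITY = timedelta(minutes=5)  # assumption: how long a registration stays matchable

    def __init__(self):
        self._intents = {}

    def register(self, business, caller, callee, purpose, now):
        key = (normalize(caller), normalize(callee))
        self._intents[key] = CallIntent(business, key[0], key[1], purpose, now)

    def match(self, caller, callee, now):
        """Called by the phone app when a call arrives. Returns a badge dict."""
        key = (normalize(caller), normalize(callee))
        intent = self._intents.get(key)
        if intent is None:
            return {"verified": False, "why": "no prior registration for this pair"}
        age = now - intent.registered_at
        if age < timedelta(0) or age > self.VALIDITY:
            del self._intents[key]
            return {"verified": False, "why": "registration outside validity window"}
        del self._intents[key]  # one-time use: a second call cannot reuse the registration
        return {"verified": True, "business": intent.business, "purpose": intent.purpose}


def demo():
    """Constructed scenario: one legitimate call, a replay, a forged-caller-ID call, a stale one."""
    now = datetime(2020, 7, 15, 12, 0, tzinfo=timezone.utc)
    server = VerifiedCallsServer()
    server.register("Example Bank", "+1 (555) 010-0100", "+1 555 010 0200",
                    "Confirm a flagged transaction", now)
    legit = server.match("+15550100100", "+15550100200", now + timedelta(minutes=1))
    replay = server.match("+15550100100", "+15550100200", now + timedelta(minutes=2))
    # Same (spoofed) business number, but a user the business never registered a call for.
    spoof = server.match("+15550100100", "+15550100300", now + timedelta(minutes=1))
    server.register("Example Bank", "+15550100100", "+15550100200", "Follow-up", now)
    stale = server.match("+15550100100", "+15550100200", now + timedelta(minutes=10))
    return legit, replay, spoof, stale


if __name__ == "__main__":
    for label, badge in zip(("legit", "replay", "spoof", "stale"), demo()):
        print(label, badge)
```

Note that the model verifies a pairing and a time window, not the voice on the line: the badge says "a business registered this exact call shortly before it arrived", which is exactly why the absence of a badge on a call claiming to be from a registered business is the useful signal.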

    While certainly an intriguing feature, and one with a lot of potential, it remains to be seen how many users want Google knowing exactly why a business is calling them. For those who want to keep Google from knowing too much about their business, the feature can be turned off.

  • Comcast Joins Mozilla’s Secure Browsing Initiative

    Comcast has become the first ISP to join Mozilla’s initiative and “provide Firefox users with private and secure encrypted Domain Name System (DNS) services through Mozilla’s Trusted Recursive Resolver (TRR) Program.”

    Mozilla has been one of the companies at the forefront of protecting user privacy. One of the areas they have been focusing on is encrypting DNS traffic, which helps protect browsing activity from collection, interception or manipulation. For this to work, however, it requires partner companies to agree to standard rules about how data is collected, protected and used.
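    To make concrete what "encrypting DNS traffic" protects, here is an added example (not Mozilla's, Comcast's or Firefox's code) that builds a DNS query in wire format, frames it the way DNS over HTTPS (RFC 8484) carries it, and parses a response. The resolver URL and the response bytes are constructed for illustration and nothing touches the network. The `question_name` helper shows the one field an on-path observer can read from every plaintext query; with DoH the same bytes travel inside TLS, so only the resolver (bound by the TRR policy) sees them.

```python
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(qname):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0):
    """One-question query with RD=1. RFC 8484 suggests txid 0 so identical queries cache alike."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url, wire):
    """GET form: the message goes base64url-encoded, without padding, in the 'dns' parameter."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()


def decode_dns_param(url):
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(wire):
    """POST form: the raw message is the body, tagged with the DoH media type."""
    return {"method": "POST", "body": wire,
            "headers": {"content-type": "application/dns-message",
                        "accept": "application/dns-message"}}


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        if length == 0:
            off += 1
            if not jumped:
                end = off
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end


def question_name(wire):
    """The name an observer reads from a plaintext query (the question starts at offset 12)."""
    return read_name(wire, 12)[0]


def parse_response(msg, expected_txid):
    """Return [(name, type, ttl, rdata)] for the answer section, checking txid/QR/RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a matching response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                                  # skip echoed questions
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, str(rtype), ttl, rdata.hex()))
    return answers


# Constructed response: question echoed, one A record whose owner is a pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
                   + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print("observer sees in plaintext DNS:", question_name(q))
    print("DoH GET:", doh_get_url("https://doh.example.net/dns-query", q))
    print("answers:", parse_response(SAMPLE_RESPONSE, 0x1234))
```

The framing is the whole of the privacy gain: DoH changes nothing about the DNS message, it only moves it off port 53 and into an HTTPS session, which is why the policy side (who the resolver is and what it logs) matters as much as the encryption.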

    While companies like Cloudflare and NextDNS have signed on to Mozilla’s TRR Program, Comcast is the first ISP to sign on.

    “We’re proud to be the first ISP to join with Mozilla to support this important evolution of DNS privacy. Engaging with the global technology community gives us better tools to protect our customers, and partnerships like this advance our mission to make our customers’ internet experience more private and secure,” said Jason Livingood, Vice President, Technology Policy and Standards at Comcast Cable.

    “Comcast has moved quickly to adopt DNS encryption technology and we’re excited to have them join the TRR program,” said Eric Rescorla, Firefox CTO. “Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs.”

    This is good news for Comcast and Firefox users. Hopefully Comcast won’t be the last ISP to sign on with Mozilla’s TRR Program.

  • Boston Bans Facial Recognition For Government Use

    Boston has joined the growing ranks of US cities that have banned the use of facial recognition by government officials.

    Facial recognition has become one of the most controversial technologies in use. In the wake of George Floyd’s death, organizations have been reevaluating their stance on facial recognition. Companies like Microsoft, IBM and Amazon have changed their policies to exclude selling their facial recognition tech to police.

    Much of this is because of the issues with bias that are prevalent in facial recognition. Despite their best efforts, companies have struggled to keep bias from creeping in on the basis of race, ethnicity and sex.

    These concerns have led cities to take action, banning facial recognition for government agencies. Oakland and San Francisco, California, as well as Cambridge, Massachusetts have already instituted such bans.

    According to Boston.com, “in a unanimous vote Wednesday afternoon, the 13-member body passed an ordinance prohibiting the use of facial recognition technology by Boston police and other city departments, amid evidence that the existing systems misidentify people of color at an exorbitantly high rate.”

    There are some exceptions. Police will still be able to obtain evidence from facial recognition technology, as long as that evidence was gathered by another agency investigating a “specific crime,” and was not at the behest of a Boston city official. Similarly, city officials will not be allowed to use facial recognition provided by third parties.

    Given the current political climate, it’s a safe bet Boston won’t be the last city to take such measures.

  • Sony Announces $50,000 PlayStation Bug Bounty

    Sony has announced it will pay significant bug bounties for PlayStation 4 bugs.

    Bug bounties are an important part of the cybersecurity and software development scene. Companies pay hackers and researchers bounties to encourage them to find and report bugs and security vulnerabilities. Bounties are often high enough to provide full-time income for dedicated security researchers and hackers.

    In a blog post, Sony announced it is taking its program public:

    “To date, we have been running our bug bounty program privately with some researchers. We recognize the valuable role that the research community plays in enhancing security, so we’re excited to announce our program for the broader community.”

    According to the payout breakdown, PlayStation 4 bugs can pay as much as $50,000. With that kind of money on the line, it’s a safe bet Sony will have no trouble attracting help.

  • Senators Introduce Legislation Attacking Encryption

    Another day, another attack on the encryption standards that protect every single person using the internet and computing devices.

    Senators Lindsey Graham, Tom Cotton and Marsha Blackburn introduced the Lawful Access to Encrypted Data Act in a bid “to bolster national security interests and better protect communities.”

    It’s hard to tell whether the authors are trying to attack encryption, or if they simply don’t understand how it works…or both. Either way, the result is the same: This legislation will gut the end-to-end encryption (E2EE) billions of people rely on.

    Case in point:

    “After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans,” says Graham.

    Similarly:

    “This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,” said Cotton.

    The announcement specifically states:

    “Encryption is vital to securing user communications, data storage, and financial transactions. Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of ‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.”

    These statements ignore some of the basic facts involved in the encryption debate. Let’s break this down.

    1. All of the above statements place a great deal of emphasis on a warrant. The encryption debate has never been about tech companies’ willingness or unwillingness to abide by a warrant. The issue, plain and simple, is that you cannot have strong encryption that has backdoors. Experts have been warning about the dangers of weakening encryption for years, in countless published analyses too numerous to list.

      Ultimately, this is not a case where these senators can ‘have their cake and eat it too.’ Either everyone has strong encryption that protects them, or no one does. Even these senators rely on encryption to conduct their business. Signal is widely considered to be the most secure messaging app on the planet, in large part because of the type of encryption this legislation targets. It is so secure that the Senate specifically encourages Senate staff to use Signal.

      Yet this legislation is so dangerous to the very type of encryption that Signal relies on that the company has already warned that, if it passes, Signal will likely stop being available in the US altogether.

      Again, either everyone has strong encryption or no one does…including the senators targeting encryption.

    2. The legislation wrongly asserts that companies fail to cooperate with law enforcement, “even when criminal activity is clearly taking place.” Again, this is not a matter of intentionally failing to cooperate; it is a technical impossibility.

      Companies simply cannot create strong encryption that can simultaneously be accessed at will, either by the company, law enforcement or anyone else. In many cases, such as Apple, companies cooperate as much as they possibly can, but they cannot change the laws of physics.

    3. The assertion that “‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user” ignores how the technology is frequently used by the “ordinary user.” The fact is, E2EE protects private communication, securing text messages, video chats, emails and voice calls, ensuring people can communicate without fear.

      Businesses rely on E2EE on a daily basis to ensure they can freely discuss internal matters without fear of corporate eavesdropping and espionage. Victims of abuse often rely on these services to communicate with loved ones without their abuser being able to find them. Journalists and activists in areas ruled by oppressive regimes rely on E2EE for their very lives.

    The announcement cites several examples where E2EE thwarted attempts by law enforcement. While true, the question remains: How is that different from any other technology?

    One example encryption proponents cite is shredder manufacturers. Do these companies have to create shredders that reconstitute a document just because some bad actors use paper shredders to cover their tracks? Of course not. While some do use shredders to cover illegal activity, the vast majority of individuals use them for perfectly legal reasons.

    The same is true of E2EE. There will always be those who use any technology for illegal, immoral and unethical reasons. The vast majority, however, will use it as it was intended, for perfectly legal activity.

    If passed, however, this new legislation will punish the whole on behalf of the few.

  • UK Set to Adopt Apple/Google API For Contact Tracing

    The UK has reversed course, adopting Apple and Google’s API for its contact tracing efforts.

    Contact tracing has been touted as one of the main components of successfully combating the coronavirus pandemic. Efforts to roll out the technology have split along two lines. Some countries have focused on solutions that store data in a centralized government database, while others have adopted the privacy-focused API that Apple and Google created.

    Initially, the UK went with the centralized approach, but is now going with the API instead.

    “Following rigorous field testing and a trial on the Isle of Wight, we have identified challenges with both our app and the Google/Apple framework,” says the Department of Health and Social Care.

    “This is a problem that many countries around the world, like Singapore, are facing and in many cases only discovering them after whole population roll-out.

    “As a result of our work, we will now be taking forward a solution that brings together the work on our app and the Google/Apple solution. This is an important step, allowing us to develop an app that will bring together the functionality required to carry out contact tracing, but also making it easy to order tests, and access proactive advice and guidance to aid self-isolation.”

    While the press release does not specifically mention privacy, it likely played a role in the overall decision. As a rule, centralized solutions have not been widely adopted by users, who view them with suspicion due to privacy concerns. Apple and Google’s solution, on the other hand, is built around a decentralized, privacy-first approach that many are more comfortable with.