<p>Data encryption – The Conversation</p>
<h1>A unified cybersecurity strategy is the key to protecting businesses</h1>
<p>Published 2022-05-26T17:28:01Z</p>
<figure><img src="https://images.theconversation.com/files/463775/original/file-20220517-12-jaiiza.jpg?ixlib=rb-1.1.0&rect=8%2C0%2C2986%2C1949&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Organizations have significantly increased their use of data and the internet because of the pandemic, leading to new cyberattack and cybersecurity risks.</span> <span class="attribution"><span class="source">THE CANADIAN PRESS/Jonathan Hayward</span></span></figcaption></figure>
<p>Following the changes the pandemic has brought about in the business world, organizations have significantly <a href="https://www.forbes.com/sites/forbesbusinesscouncil/2021/02/17/the-internet-overcoming-current-challenges-to-increase-digital-transformation/">increased their use of data and the internet.</a> This, in turn, has increased the prevalence of <a href="https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html">cyberattacks and cybersecurity risks</a>.</p>
<p>Accounting firm PricewaterhouseCoopers recently released a report estimating that about <a href="https://www.pwc.com/ca/en/services/consulting/cybersecurity-privacy/cyber-threat-intelligence/year-in-review.html">62 per cent of Canadian organizations were impacted by ransomware incidents</a> and attacks in 2021.</p>
<p>Since these risks have crucial implications for companies and their investors and clients, cybersecurity spending saw a major increase. <a href="https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/">Global cybersecurity spending grew</a> to more than $120 billion in 2017 from $3.5 billion in 2004.</p>
<p>The Center for Strategic and International Studies estimates that <a href="https://www.forbes.com/sites/jonathanponciano/2022/03/07/extremely-destructive-russian-cyberattacks-could-cost-us-billions-of-dollars-in-economic-damage-goldman-warns/?sh=1d7d3bff2dc0">malicious cyber activity costs the world $945 billion annually</a>, while Cybersecurity Ventures estimates that <a href="https://www.cnbc.com/video/2021/03/09/cybercrime-could-cost-10-point-5-trillion-dollars-by-2025.html">global cybercrime costs could increase to $10.5 trillion by 2025</a>.</p>
<p>As a result, <a href="https://sfmagazine.com/post-entry/november-2017-cybersecurity-stakeholders/">investors, clients, suppliers and employees</a> are demanding better management and protection of corporate data, along with better <a href="https://www.osler.com/en/resources/regulations/2022/demonstrable-accountability-moving-beyond-tick-the-box-compliance-in-privacy-legislative-schemes">cybersecurity accountability and transparency</a> to mitigate increased cyber risks.</p>
<p>In an article soon to be published in the <a href="https://www.springer.com/journal/10997"><em>Journal of Management and Governance</em></a>, we argue that better cybersecurity and data protection can be achieved through a formal program put together after a careful auditing process. We outline the objectives of such a program below.</p>
<h2>A shared responsibility</h2>
<p>The responsibility of cybersecurity management no longer falls just on the shoulders of IT departments, but is now <a href="https://hbr.org/2021/01/cybersecurity-is-not-just-a-tech-problem">the responsibility of the entire business</a>. We argue that all firm departments should be involved in cybersecurity programming and planning.</p>
<p>Management and directors should be directly involved in carrying out <a href="https://doi.org/10.1007/s10551-020-04717-9">best practices to mitigate cybersecurity risk</a>. Firm managers should lead by example by <a href="https://hbr.org/2019/11/companies-need-to-rethink-what-cybersecurity-leadership-is">embedding security throughout their company’s operations</a> and responding rapidly to cyber threats as they arise. </p>
<figure class="align-center ">
<img alt="A man adjusting the networking cables on a circuit board." src="https://images.theconversation.com/files/463778/original/file-20220517-26-fotye6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/463778/original/file-20220517-26-fotye6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=441&fit=crop&dpr=1 600w, https://images.theconversation.com/files/463778/original/file-20220517-26-fotye6.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=441&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/463778/original/file-20220517-26-fotye6.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=441&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/463778/original/file-20220517-26-fotye6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=555&fit=crop&dpr=1 754w, https://images.theconversation.com/files/463778/original/file-20220517-26-fotye6.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=555&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/463778/original/file-20220517-26-fotye6.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=555&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Investors, clients, suppliers and employees are demanding better management and protection of corporate data, along with better cybersecurity accountability and transparency.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Nathan Denette</span></span>
</figcaption>
</figure>
<p><a href="https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-changing-role-of-the-board-on-cybersecurity-noexp.pdf">Corporate board members</a> should ensure the necessary cybersecurity protections are in place for their companies, and approve and review the cybersecurity governance and data protection program regularly. </p>
<p>At the very least, <a href="https://www.forbes.com/sites/betsyatkins/2022/03/18/cybersecurity-and-the-role-of-the-board/?sh=55e57baf72b3">every board should have one cyber expert</a> with proven, up-to-date credentials on its panel. This will lead to better protection for company investors, clients, suppliers and employees.</p>
<h2>Auditing is the first step</h2>
<p>The first step in creating such a program is to <a href="https://cyber.gc.ca/en/tools">assess the current effectiveness</a> of an organization’s cybersecurity risks and data management through a program like the Canadian government’s <a href="https://cyber.gc.ca/en/cyber-security-audit-program">Cyber Security Audit Program</a> or one of the <a href="https://www.nist.gov/cyberframework/assessment-auditing-resources">U.S. government’s auditing resources</a>. These publicly available tools help auditors assess the cybersecurity of their organizations.</p>
<p>As part of the audit, businesses should also hire <a href="https://carbidesecure.com/resources/business-penetration-test/">third-party hackers to test the security</a> of their systems through a penetration test. Hackers bring a unique insight to the audit process, and are capable of finding gaps that security professionals might overlook. </p>
<p>During a penetration test, hired <a href="https://us.norton.com/internetsecurity-emerging-threats-black-white-and-gray-hat-hackers.html">white- or grey-hat hackers</a> carry out an authorized cyberattack to try to find vulnerabilities in a business’s cybersecurity defences. Once these vulnerabilities are detected, businesses can tighten their security to prevent them from being exploited.</p>
<p>This assessment would provide businesses with a road map for creating a cybersecurity action plan to ensure the protection of sensitive information systems, and the data and privacy of a company’s employees, investors and clients.</p>
<h2>Creating the program</h2>
<p>A comprehensive cybersecurity and data protection plan should cover a wide variety of areas, including the <a href="https://www.techopedia.com/definition/31435/password-manager">creation and safeguarding of passwords</a>, <a href="https://www.techopedia.com/definition/5553/remote-access">remote</a> and <a href="https://www.techopedia.com/definition/5413/access-security">restricted access</a>, <a href="https://www.techopedia.com/definition/25837/email-encryption">email encryption</a>, social media, <a href="https://www.techopedia.com/definition/5416/anti-virus-software">anti-virus measures</a>, <a href="https://www.techopedia.com/definition/13595/contingency-plan">contingency plans</a>, <a href="https://www.techopedia.com/definition/13601/data-breach">data breach</a> responses and training programs.</p>
<figure class="align-center ">
<img alt="A hand unlocking a photo screen. In the background an open laptop sits on a table." src="https://images.theconversation.com/files/463776/original/file-20220517-24-jq3xbq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/463776/original/file-20220517-24-jq3xbq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/463776/original/file-20220517-24-jq3xbq.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/463776/original/file-20220517-24-jq3xbq.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/463776/original/file-20220517-24-jq3xbq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/463776/original/file-20220517-24-jq3xbq.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/463776/original/file-20220517-24-jq3xbq.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A cybersecurity program should provide a clear data use policy and the steps that are to be taken after theft, data loss or cyberattacks.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>Crucially, it would also involve the creation of an <a href="https://cyber.gc.ca/en/guidance/developing-your-it-recovery-plan-itsap40004">IT disaster recovery and emergency plan</a>. Businesses must be prepared for any number of disasters, including power outages and cyberattacks, and be able to act accordingly to recover any lost data.</p>
<p>We also recommend that companies create a whistleblowing policy, since <a href="https://acfepublic.s3.us-west-2.amazonaws.com/2022+Report+to+the+Nations.pdf">42 per cent of occupational fraud is reported through tips</a> and more than half of those tips come from employees. A good whistleblower policy will include a hotline for complaints and <a href="https://doi.org/10.1007/s10551-017-3663-7">ensure confidentiality and protection for all whistleblowers</a>. </p>
<p>Ultimately, a high quality cybersecurity and data protection program will help firms adjust their management protocols and be better prepared for future cybersecurity risks. The internet is only becoming more and more integral to business operations as the years pass. If companies want to stay abreast of new technological developments, they will need to make cybersecurity central to their organizations.</p>
<p class="fine-print"><em><span>Camélia Radu receives funding from CRSH and CPA Canada-CAAA. </span></em></p><p class="fine-print"><em><span>Nadia Smaili receives funding from SSHRC. </span></em></p>
<p>An integrative cybersecurity and data protection program will help firms adjust their management protocols and be better prepared for future cybersecurity trends.</p>
<p>Camélia Radu, Associate Professor in Accounting, Université du Québec à Montréal (UQAM)</p>
<p>Nadia Smaili, Professor in Accounting (forensic accounting), Université du Québec à Montréal (UQAM)</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Facebook will drop its facial recognition system – but here’s why we should be sceptical</h1>
<p>Published 2021-11-10T11:22:51Z</p>
<figure><img src="https://images.theconversation.com/files/430501/original/file-20211105-10492-raehl0.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5002%2C3332&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Artem Oleshko/Shutterstock</span></span></figcaption></figure>
<p>Facebook has <a href="https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/">announced</a> that it will stop using its facial recognition system – the artificial intelligence software which recognises people in photos and videos and generates suggestions about who to “tag” in them.</p>
<p>Facial recognition systems, like Facebook’s, identify people by matching faces to digital representations of faces stored on a database. Facebook has more than a billion of these representations on file but now says it will delete them. </p>
<p>This announcement came barely a week after Facebook’s parent company rebranded itself from <a href="https://www.bbc.co.uk/news/technology-59083601">Facebook to Meta</a>. The name change reflects the company’s focus on the “metaverse”, a vision for the internet which uses technology like virtual reality to integrate real and digital worlds.</p>
<p>The name change probably also had something to do with a desire to detoxify Facebook’s image. In recent years, the social media giant has been embroiled in a number of controversies – perhaps most notably the <a href="https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election">Cambridge Analytica scandal</a>. </p>
<p>This saw an app use <a href="https://www.spectator.co.uk/article/were-there-any-links-between-cambridge-analytica-russia-and-brexit-">Facebook’s platform</a> to harvest personal data belonging to millions of Facebook users, which was then passed to Cambridge Analytica, a now defunct British consulting firm. In 2018, the UK’s data protection watchdog, the Information Commissioner’s Office, <a href="https://www.bbc.co.uk/news/technology-54722362">fined Facebook £500,000</a> for its role in the scandal.</p>
<p>More recently we’ve heard former Facebook product manager Frances Haugen claim that the platform harms children, stokes division and undermines democracy in pursuit of fast growth and “<a href="https://www.npr.org/2021/10/05/1043377310/facebook-whistleblower-frances-haugen-congress?t=1635978244222">astronomical profits</a>”.</p>
<p>We might wonder whether the facial recognition move, too, is an attempt to present a new, responsible image focused on respecting and protecting users’ privacy.</p>
<h2>Our data is like gold</h2>
<p>Facebook is free to join and use so it relies on another valuable product to cover its expenses – people’s data.</p>
<p>As part of my team’s <a href="https://researchportal.port.ac.uk/en/publications/localising-social-network-users-and-profiling-their-movement">research</a>, we got permission from a group of Facebook users, and had crawlers (bots that systematically browse the internet) collect their posts and pictures – or posts and pictures which featured them. Using machine learning algorithms on this data, we were able to profile their habits and predict with high accuracy things like where they would be the next day.</p>
<p>In a <a href="https://researchportal.port.ac.uk/en/publications/facewallgraph-using-machine-learning-for-profiling-user-behaviour">related study</a>, we looked at Facebook wall posts and, again using machine learning, we were able to build a psychological profile of users based on their posts. That is, we could ascertain when they were sad, happy, and so on.</p>
<p>If I can gather data from Facebook using a relatively simple program and come up with accurate conclusions, imagine what Facebook can do with its vast amount of data – including from our face templates – and artificial intelligence.</p>
<figure class="align-center ">
<img alt="A woman on public transport using her phone." src="https://images.theconversation.com/files/430503/original/file-20211105-19-1rfn6nf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/430503/original/file-20211105-19-1rfn6nf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=348&fit=crop&dpr=1 600w, https://images.theconversation.com/files/430503/original/file-20211105-19-1rfn6nf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=348&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/430503/original/file-20211105-19-1rfn6nf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=348&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/430503/original/file-20211105-19-1rfn6nf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=438&fit=crop&dpr=1 754w, https://images.theconversation.com/files/430503/original/file-20211105-19-1rfn6nf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=438&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/430503/original/file-20211105-19-1rfn6nf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=438&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">In a sense, Facebook is powered by our data.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/young-woman-using-smartphone-subway-1038574906">Rawpixel.com/Shutterstock</a></span>
</figcaption>
</figure>
<p>Amid privacy concerns about the technology, in 2019, Facebook made the facial recognition feature <a href="https://www.vox.com/recode/22761598/facebook-facial-recognition-meta?scrolla=5eb6d68b7fedc32c19ef33b4">opt-in</a>. Last year, Facebook agreed to pay a US$650 million settlement (roughly £480 million) after <a href="https://theconversation.com/class-action-against-facebook-over-facial-recognition-could-pave-the-way-for-further-lawsuits-95215">a lawsuit</a> claimed its facial recognition system violated Illinois’ Biometric Information Privacy Act.</p>
<p>While many might construe Meta’s announcement as a positive development, I see it as a convenient distraction from, or perhaps a countermeasure to, the <a href="https://www.theguardian.com/technology/2021/apr/12/facebook-fake-engagement-whistleblower-sophie-zhang">whistleblower</a> <a href="https://www.npr.org/2021/10/05/1043377310/facebook-whistleblower-frances-haugen-congress?t=1635978244222">testimonies</a> presenting a company that puts profits before user safety. </p>
<p>It’s also worth pointing out that Facebook is struggling to retain <a href="https://www.socialmediatoday.com/news/internal-documents-show-facebook-usage-among-young-users-is-in-steep-declin/607708/">young users</a>, so they’re probably looking for ways to attract this important group to the platform.</p>
<h2>It’s not gone completely</h2>
<p>Meta’s <a href="https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/">announcement</a> specified facial recognition technology would be limited to “a narrow set of use cases” moving forward. This could include verifying a user’s identity so they can gain access to a locked account, for example.</p>
<p>As such, Meta is <a href="https://www.nytimes.com/2021/11/02/technology/facebook-facial-recognition.html">reportedly</a> <a href="https://www.ft.com/content/dd906710-f0b0-42ef-9d89-309018e72aa7">keeping DeepFace</a>, the algorithm behind its facial recognition technology. Meta spokesperson Jason Grosse said the company <a href="https://www.nytimes.com/2021/11/02/technology/facebook-facial-recognition.html">hasn’t ruled out</a> using facial recognition technology in future products. Notably, Grosse has also reportedly said the commitment to stop facial recognition <a href="https://www.vox.com/recode/22761598/facebook-facial-recognition-meta?scrolla=5eb6d68b7fedc32c19ef33b4">doesn’t apply</a> to its metaverse products. </p>
<p>Grosse told the publication Recode:</p>
<blockquote>
<p>We believe this technology has the potential to enable positive use cases in the future that maintain privacy, control, and transparency, and it’s an approach we’ll continue to explore as we consider how our future computing platforms and devices can best serve people’s needs […] For any potential future applications of technologies like this, we’ll continue to be public about intended use, how people can have control over these systems and their personal data, and how we’re living up to our responsible innovation framework.</p>
</blockquote>
<p>It’s important to understand that when a person engages in a virtual reality environment in <a href="https://theconversation.com/metaverse-five-things-to-know-and-what-it-could-mean-for-you-171061">the metaverse</a>, they will generate a range of biometric data, well beyond facial scans. For example, depending on the system, it may be possible to detect and collect eye movements, body movements, blood pressure, heart rate, and details about the users’ environment. </p>
<p>Ultimately, the artificial intelligence accompanying the metaverse will be much more sophisticated and likely bring with it a new set of data privacy issues.</p>
<p class="fine-print"><em><span>Stavros Shiaeles does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The commitment applies to the social network, but not necessarily to the metaverse.</p>
<p>Stavros Shiaeles, Senior lecturer in Cyber Security, University of Portsmouth</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Apple’s plan to scan your phone raises the stakes on a key question: Can you trust Big Tech?</h1>
<p>Published 2021-09-14T12:10:46Z</p>
<figure><img src="https://images.theconversation.com/files/420919/original/file-20210913-21-1ot6o2l.jpg?ixlib=rb-1.1.0&rect=0%2C13%2C4628%2C3062&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Apple has developed the means to scan images on your phone. Can you trust the company to protect your privacy?</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/iphone-smartphones-seen-displayed-on-a-large-screen-outside-news-photo/1235057270">Sheldon Cooper/SOPA Images/LightRocket via Getty Images</a></span></figcaption></figure>
<p>Apple’s plan to <a href="https://www.apple.com/child-safety/">scan customers’ phones and other devices</a> for images depicting child sexual abuse generated a <a href="https://arstechnica.com/tech-policy/2021/08/apple-photo-scanning-plan-faces-global-backlash-from-90-rights-groups/">backlash</a> over privacy concerns, which led the company to <a href="https://techcrunch.com/2021/09/03/apple-csam-detection-delayed/">announce a delay</a>.</p>
<p>Apple, Facebook, Google and other companies have long scanned customers’ images that are stored on the companies’ servers for this material. Scanning data on users’ devices is a <a href="https://www.lawfareblog.com/normalizing-surveillance">significant change</a>. </p>
<p>However well-intentioned, and whether or not Apple is willing and able to follow through on its promises to protect customers’ privacy, the company’s plan highlights the fact that people who buy iPhones are not masters of their own devices. In addition, Apple is using a complicated scanning system <a href="https://www.eff.org/deeplinks/2021/08/apples-plan-think-different-about-encryption-opens-backdoor-your-private-life">that is hard to audit</a>. Thus, customers face a stark reality: If you use an iPhone, you have to trust Apple. </p>
<p>Specifically, customers are forced to trust Apple to only use this system as described, run the system securely over time, and put the interests of their users over the interests of other parties, including the most powerful governments on the planet.</p>
<p>Despite Apple’s so-far-unique plan, the problem of trust isn’t specific to Apple. Other large tech companies also have considerable control over customers’ devices and insight into their data. </p>
<h2>What is trust?</h2>
<p>Trust is “the willingness of a party to be <a href="https://doi.org/10.5465/amr.1995.9508080335">vulnerable to the actions of another party</a>,” according to social scientists. People base the decision to trust on experience, signs and signals. But past behavior, promises, the way someone acts, evidence and even contracts only give you data points. They cannot guarantee future action. </p>
<p>Therefore, trust is a matter of probabilities. You are, in a sense, rolling the dice whenever you trust someone or an organization.</p>
<p>Trustworthiness is a hidden property. People collect information about someone’s likely future behavior, but cannot know for sure whether the person has the ability to stick to their word, is truly benevolent and has the integrity – principles, processes and consistency – to maintain their behavior over time, under pressure or when the unexpected occurs. </p>
<h2>Trust in Apple and Big Tech</h2>
<p>Apple has stated that their scanning system will <a href="https://www.cnbc.com/2021/08/09/apple-will-reject-demands-to-use-csam-system-for-surveillance-.html">only ever be used for detecting child sexual abuse material</a> and has multiple strong privacy protections. The <a href="https://www.apple.com/child-safety/pdf/CSAM_Detection_Technical_Summary.pdf">technical details of the system</a> indicate that Apple has taken steps to protect user privacy unless the targeted material is detected by the system. For example, humans will review someone’s suspect material only when the number of times the system detects the targeted material reaches a certain threshold. However, Apple has given little proof regarding how this system will work in practice.</p>
<p>After analyzing the “<a href="https://pocketnow.com/neuralhash-code-found-in-ios-14-3-apple-not-the-one-well-use-for-csam-photo-scanning">NeuralHash” algorithm</a> that Apple is basing its scanning system on, security researchers and civil rights organizations warn that the system is likely <a href="https://www.schneier.com/blog/archives/2021/08/apples-neuralhash-algorithm-has-been-reverse-engineered.html">vulnerable</a> to hackers, in contrast to <a href="https://www.theverge.com/2021/8/18/22630439/apple-csam-neuralhash-collision-vulnerability-flaw-cryptography">Apple’s claims</a>. </p>
<p>Critics also fear that the system will be <a href="https://www.theguardian.com/technology/2021/aug/11/techscape-apple-iphone-child-abuse-images">used to scan for other material</a>, such as indications of political dissent. Apple, along with other Big Tech players, has caved to the demands of authoritarian regimes, notably China, to allow government surveillance of technology users. In practice, the Chinese government has <a href="https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html">access to all user data</a>. What will be different this time? </p>
<p>It should also be noted that Apple is not operating this system on its own. In the U.S., Apple plans to use data from, and report suspect material to, the nonprofit <a href="https://www.missingkids.org/">National Center for Missing and Exploited Children</a>. Thus, trusting Apple is not enough. Users must also trust the company’s partners to act benevolently and with integrity. </p>
<h2>Big Tech’s less-than-encouraging track record</h2>
<p>This case exists within a context of <a href="https://theconversation.com/heres-how-tech-giants-profit-from-invading-our-privacy-and-how-we-can-start-taking-it-back-120078">regular Big Tech privacy invasions</a> and moves to <a href="https://www.forbes.com/sites/vianneyvaute/2021/02/18/right-to-repair-the-last-stand-in-checking-big-techs-power-grab/">further curtail consumer freedoms and control</a>. The companies have positioned themselves as responsible parties, but many privacy experts say there is too little transparency and scant technical or historical evidence for these claims. </p>
<p>Another concern is unintended consequences. Apple might really want to protect children and protect users’ privacy at the same time. Nevertheless, the company has now announced – and staked its trustworthiness to – a technology that is well-suited to spying on large numbers of people. Governments might pass laws to extend scanning to other material deemed illegal. </p>
<p>Would Apple, and potentially other tech firms, choose to not follow these laws and potentially pull out of these markets, <a href="https://www.forbes.com/sites/zakdoffman/2021/08/14/apple-iphone-ipad-update-decision-for-ios-15-despite-privacy-backlash/">or would they comply with potentially draconian local laws</a>? There’s no telling about the future, but Apple and other tech firms have chosen to acquiesce to oppressive regimes before. Tech companies that choose to operate in China are <a href="https://www.businessinsider.com/tech-companies-censoring-content-for-china-apple-microsoft-2019-10">forced to submit to censorship</a>, for example.</p>
<h2>Weighing whether to trust Apple or other tech companies</h2>
<p>There’s no single answer to the question of whether Apple, Google or their competitors can be trusted. Risks are different depending on who you are and where you are in the world. An activist in India faces different threats and risks than an Italian defense lawyer. Trust is a matter of probabilities, and risks are not only probabilistic but also situational. </p>
<p>It’s a matter of what probability of failure or deception you can live with, what the relevant threats and risks are, and what protections or mitigations exist. <a href="https://9to5mac.com/2021/08/17/german-parliament-pens-letter-to-tim-cook-with-concerns-over-csam-detection-system/">Your government’s position</a>, the existence of strong local privacy laws, the strength of rule of law and your own technical ability are relevant factors. Yet, there is one thing you can count on: Tech firms typically have extensive control over your devices and data.</p>
<p>Like all large organizations, tech firms are complex: Employees and management come and go, and regulations, policies and power dynamics change.</p>
<p>A company might be trustworthy today but not tomorrow. </p>
<p>Big Tech has shown behaviors in the past that should make users question their trustworthiness, in particular when it comes to privacy violations. But they have also defended user privacy in other cases, for example in the <a href="https://www.npr.org/sections/alltechconsidered/2016/03/07/469527566/why-digital-security-is-an-arms-race-between-firms-and-the-feds">San Bernardino mass shooting case and subsequent debates about encryption</a>.</p>
<p>Last but not least, Big Tech does not exist in a vacuum and is not all-powerful. Apple, Google, Microsoft, Amazon, Facebook and others have to respond to various external pressures and powers. Perhaps, considering these circumstances, greater transparency, more independent audits by journalists and trusted people in civil society, more user control, more open-source code and genuine discourse with customers might be a good start to balance different objectives. </p>
<p>While only a first step, consumers would at least be able to make more informed choices about what products to use or buy.</p>
<p class="fine-print"><em><span>Laurin Weissinger receives funding from the Social Science Research Council. </span></em></p>
<p>Big Tech makes a lot of promises about protecting privacy, but the reality is that using the industry’s products is a matter of trust.</p>
<p>Laurin Weissinger, Lecturer in Cybersecurity, Tufts University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/127442, 2019-12-04T04:25:45Z</p>
<h1>Fingerprint login should be a secure defence for our data, but most of us don’t use it properly</h1>
<figure><img src="https://images.theconversation.com/files/305096/original/file-20191204-70101-q97e32.jpg?ixlib=rb-1.1.0&rect=79%2C12%2C4010%2C2139&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Even though passcode options include swipe patterns and long passwords, many users still use easy 4-digit PINs. This is because people are often lulled into a false sense of security when they use fingerprint login.</span> <span class="attribution"><span class="source">SHUTTERSTOCK</span></span></figcaption></figure>
<p>Our electronic devices store a plethora of sensitive information. To protect this information, device operating systems such as <a href="https://www.apple.com/au/ios/ios-13/">Apple’s iOS</a> and <a href="https://www.android.com/phones-tablets/">Android</a> have locking mechanisms. These require user authentication before access is granted. </p>
<p>One of the most common mechanisms is fingerprint login, a form of biometric technology first introduced by Apple in 2013 as Touch ID. </p>
<p>Touch ID was introduced <a href="https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf">with the intuition that</a>, if there was an easier and quicker way to log in, users would be encouraged to keep stronger passcodes and passwords without sacrificing ease of access. It was supposed to enhance both the usability and security of the device.</p>
<p>However, in application this hasn’t been the case. And most users remain unaware of this initial purpose.</p>
<h2>Easy targets</h2>
<p>When first unlocking an iPhone after starting it, <a href="https://support.apple.com/en-gb/HT204060">users are asked</a> to enter a strong six-digit passcode, instead of a simpler four-digit PIN. After that, Touch ID can be used to unlock the phone, to avoid having to re-enter the password multiple times. </p>
<p>The catch is, users can choose to ignore the direction and opt for an easy four-digit PIN, and they usually do. </p>
<p><a href="https://www.usenix.org/conference/soups2015/proceedings/presentation/cherapau">Researchers</a> found that among Touch ID users, the majority still used weak login codes, mainly four-digit PINs (which are easy to guess). This was also true among people who didn’t use Touch ID. </p>
<p>They also found more than 30% of participants weren’t aware they could use passwords with letters (which are stronger) instead of four-digit PINs.</p>
<p>Some participants indicated they used PINs for quicker access, compared to passwords. And most agreed that Touch ID offered usability benefits including convenience, speed and ease of use.</p>
<p>Interestingly, there was also a disconnect between how secure users thought their passcodes were, and how secure they actually were. </p>
<p>In fact, only 12% of participants correctly estimated their passcode’s strength.</p>
<h2>Knowledge is key</h2>
<p>It’s important to understand how fingerprint login and other biometric systems work, before we use them. </p>
<p>A biometric is a unique biological characteristic which can be used to identify and verify a person’s identity. Apart from fingerprints, we see this in facial recognition scans, DNA tests, and less commonly in palm prints, and iris and retina recognition.</p>
<p>Biometrics are marketed as being a very secure solution, because the way biometric data is stored is different to the ways PINs and passwords are stored. </p>
<p>While passwords are stored on <a href="https://home.bt.com/tech-gadgets/computing/cloud-computing/eight-things-you-need-to-know-about-the-cloud-11363891172534">the cloud</a>, data from your fingerprint is stored solely on your device. Servers and apps never have access to your fingerprint data, nor is it saved on the cloud.</p>
<p>However, although it’s incredibly hard for cybercriminals to get access to your actual fingerprint data – since it’s encrypted and stored on the device itself – biometric systems are still not completely secure.</p>
<p>For instance, Apple’s fingerprint technology was compromised <a href="https://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked">just two days after the launch of Touch ID</a> (integrated into the iPhone 5S) in 2013. And since then, many people have managed to bypass Touch ID security by <a href="https://www.theverge.com/2016/5/2/11540962/iphone-samsung-fingerprint-duplicate-hack-security">using dental mold or play-dough</a>.</p>
<p>Similarly, it was shown that even the 2017 iPhone X’s <a href="https://support.apple.com/en-au/HT208109">Face ID</a> feature <a href="https://www.wired.com/story/hackers-say-broke-face-id-security/">could be compromised</a>.</p>
<p>Users who use Touch ID with a four-digit PIN backup are also at risk. They’re susceptible to “shoulder surfing” attacks, where attackers simply look over a victim’s shoulder to see them input their PIN.</p>
<p>Other types of attacks include password guessing and even thermal fingerprint scanning, which involves using a thermal device to figure out which areas on a screen were most recently pressed, thereby potentially revealing a passcode combination. </p>
<h2>A permanent mark</h2>
<p>The elephant in the room is that once biometric data such as a fingerprint is stolen, it’s stolen forever. Unlike a password, it can’t be changed.</p>
<p>Stolen biometric data can be used to identify users without their knowledge, especially if users are unaware of how their data is stored and collected. </p>
<p>That said, cybercriminals generally prefer to break into people’s devices through mind games, by luring victims into clicking on links or downloading attachments which eventually disclose their login credentials. </p>
<p>In public, a criminal might ask to borrow your phone for a call. In such situations, it’s often easy for them to steal your PIN simply through observation, rather than having to actually break into your device. </p>
<p>Touch ID technology was designed to enhance security and usability, and it would have, if people had heeded its initial purpose and kept stronger passcodes. </p>
<p>But they don’t, because often they don’t understand the basis of the technology.
With biometric technology, users experience a false sense of security. They remain unaware of the many ways in which their information could still be stolen.</p>
<p>This is why users should educate themselves on how the technologies they use function, and the purpose for which they were designed. Failing that, they risk leaving the back door wide open for cybercriminals.</p>
<p class="fine-print"><em><span>Nalin Asanka Gamagedara Arachchilage works as Senior Research Fellow at La Trobe University.</span></em></p>
<p>While the data from a fingerprint is very hard to retrieve, cybercriminals can get around biometric technology in various ways. And having a weak passcode is like giving them a hall pass.</p>
<p>Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security at La Trobe University, UNSW Sydney</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/123114, 2019-10-25T12:31:52Z</p>
<h1>5 milestones that created the internet, 50 years after the first network message</h1>
<figure><img src="https://images.theconversation.com/files/297531/original/file-20191017-98648-31lbw.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3872%2C2590&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">This SDS Sigma 7 computer sent the first message over the predecessor of the internet in 1969.</span> <span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:The_SDS_Sigma-7_The_First_Computer_to_be_Connected_to_the_Internet_(6294434636).jpg">Andrew 'FastLizard4' Adams/Wikimedia Commons</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>Fifty years ago, a UCLA computer science professor and his student sent the <a href="https://www.tweaktown.com/news/54662/first-internet-message-sent/index.html">first message</a> over the predecessor to the internet, a network called <a href="https://www.darpa.mil/about-us/timeline/arpanet">ARPANET</a>.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=335&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=335&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=335&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=420&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=420&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=420&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The log page showing the connection from UCLA to Stanford Research Institute on Oct. 29, 1969.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:First-arpanet-imp-log.jpg">Charles S. Kline/UCLA Kleinrock Center for Internet Studies/Wikimedia Commons</a></span>
</figcaption>
</figure>
<p>On Oct. 29, 1969, Leonard Kleinrock and Charley Kline sent Stanford University researcher Bill Duval a two-letter message: “lo.” The intended message, the full word “login,” was <a href="https://www.tweaktown.com/news/54662/first-internet-message-sent/index.html">truncated by a computer crash</a>.</p>
<p>Much more traffic than that travels through the internet these days, with <a href="https://www.internetlivestats.com/">billions</a> of emails sent and searches conducted daily. As a scholar of <a href="https://doi.org/10.1017/CBO9781139021838">how the internet is governed</a>, I know that <a href="https://mitpress.mit.edu/books/ruling-root">today’s vast communications web</a> is a result of <a href="https://heinonline.org/HOL/Page?handle=hein.journals/geojaf16&div=70&g_sent=1&casa_token=&collection=journals">governments and regulators making choices</a> that <a href="https://wwnorton.com/books/9781631493072">collectively built the internet</a> as it is today. </p>
<p>Here are five key moments in this journey.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/vuiBTJZfeo8?wmode=transparent&start=390" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Leonard Kleinrock shows the original document logging the very first ARPANET computer communication.</span></figcaption>
</figure>
<h2>1978: Encryption failure</h2>
<p>Early internet pioneers, in some ways, were remarkably farsighted. In 1973, a group of <a href="https://www.washingtonpost.com/graphics/national/security-of-the-internet/history/">high school students</a> reportedly gained access to ARPANET, which was supposed to be a closed network managed by the Pentagon. </p>
<p>Computer scientists <a href="https://ai.google/research/people/author32412">Vinton Cerf</a> and <a href="https://www.britannica.com/biography/Robert-Elliot-Kahn">Robert Kahn</a> suggested building encryption into the internet’s core protocols, which would have made it far more difficult for hackers to compromise the system.</p>
<p>But the U.S. intelligence community objected, though officials didn’t publicly say why. The only reason their intervention is public is that <a href="https://doi.org/10.1016/0376-5075(83)90042-9">Cerf hinted at it in a 1983 paper</a> he co-authored.</p>
<p>As a result, basically all of today’s internet users have to handle <a href="https://theconversation.com/using-truly-secure-passwords-6-essential-reads-84092">complex passwords</a> and <a href="https://theconversation.com/the-age-of-hacking-brings-a-return-to-the-physical-key-73094">multi-factor authentication systems</a> to ensure secure communications. People with more advanced security needs often use <a href="https://theconversation.com/is-your-vpn-secure-109130">virtual private networks</a> or specialized privacy software like <a href="https://theconversation.com/tor-upgrades-to-make-anonymous-publishing-safer-73641">Tor</a> to encrypt their <a href="https://doi.org/10.1016/B978-192899416-9/50021-7">online activity</a>. </p>
<p>However, computers may not have had enough processing power to effectively encrypt internet communications. That could have slowed the network, making it less attractive to users – delaying, or even preventing, wider use by researchers and the public.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=382&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=382&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=382&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=480&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=480&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=480&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Vinton Cerf and Robert Kahn with President George W. Bush at the ceremony where Cerf and Kahn were given the Presidential Medal of Freedom for their contributions to developing the internet.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:CerfKahnMedalOfFreedom.jpg">Paul Morse/White House/Wikimedia Commons</a></span>
</figcaption>
</figure>
<h2>1983: ‘The internet’ is born</h2>
<p>For the internet to really be a global entity, all kinds of different computers needed to speak the same language to be able to communicate with each other – directly, if possible, rather than slowing things down by using translators. </p>
<p>Hundreds of scientists from various governments collaborated to devise what they called the <a href="https://www.networkworld.com/article/3239677/the-osi-model-explained-how-to-understand-and-remember-the-7-layer-network-model.html">Open Systems Interconnection</a> <a href="https://en.wikipedia.org/wiki/OSI_protocols">standard</a>. It was a complex method that <a href="https://www.pearson.com/us/higher-education/product/Tanenbaum-Computer-Networks-4th-Edition/9780130661029.html">critics considered inefficient and difficult to scale</a> across existing networks.</p>
<p>Cerf and Kahn, however, proposed another way, called <a href="https://www.britannica.com/technology/TCP-IP">Transmission Control Protocol/Internet Protocol</a>. TCP/IP worked more like the regular mail – wrapping up messages in packages and putting the address on the outside. All the computers on the network had to do was pass the message to its destination, where the receiving computer would figure out what to do with the information. It was free for anyone to copy and use on their own computers. </p>
<p>TCP/IP – given that it both worked and was free – enabled the <a href="https://www.simonandschuster.com/books/Where-Wizards-Stay-Up-Late/Katie-Hafner/9780684832678">rapid, global scaling of the internet</a>. A variety of governments, including the United States, eventually came out in support of <a href="https://techdifferences.com/difference-between-tcp-ip-and-osi-model.html">OSI</a> but too late to make a difference. TCP/IP made the internet cheaper, more innovative and less tied to official government standards.</p>
<h2>1996: Online speech regulated</h2>
<p>By 1996, the internet boasted more than 73,000 servers, and 22% of <a href="https://www.people-press.org/1996/12/16/online-use/">surveyed Americans</a> were going online. What they found there, though, worried some members of Congress and their constituents – particularly the rapidly growing amount of <a href="https://www.eff.org/issues/cda230">pornography</a>.</p>
<p>In response, Congress passed the <a href="https://www.britannica.com/topic/Communications-Decency-Act">Communications Decency Act</a>, which sought to regulate indecency and obscenity in cyberspace.</p>
<p>The Supreme Court <a href="https://www.wired.com/1997/06/cda-struck-down/">struck down</a> portions of the law on free-speech grounds the next year, but it left in place <a href="https://theconversation.com/the-law-that-made-facebook-what-it-is-today-93931">Section 230</a>, which stated: “<a href="https://www.law.cornell.edu/uscode/text/47/230">No provider or user of an interactive computer service</a> shall be treated as the publisher or speaker of any information provided by another information content provider.”</p>
<p>Those 26 words, as <a href="https://www.wsj.com/articles/the-twenty-six-words-that-created-the-internet-review-protecting-the-providers-11566255518">various observers have noted</a>, released internet service providers and web-hosting companies from legal responsibility for information their customers posted or shared online. This single sentence <a href="https://www.wired.com/story/fight-over-section-230-internet-as-we-know-it/">provided legal security</a> that allowed the U.S. technology industry to flourish. That protection let companies feel comfortable creating a consumer-focused internet, filled with grassroots media outlets, bloggers, customer reviews and user-generated content. </p>
<p>Critics note that Section 230 also allows social media sites like <a href="https://theconversation.com/the-law-that-made-facebook-what-it-is-today-93931">Facebook and Twitter to operate largely without regulation</a>. </p>
<h2>1998: US government steps up</h2>
<p>The TCP/IP addressing scheme required that every computer or device connected to the internet have its own unique address – which, for computational reasons, was a string of numbers like “192.168.2.201.” </p>
<p>But that’s hard for people to remember – it’s much easier to recall something like “indiana.edu.” There had to be a centralized record of which names went with which addresses, so people didn’t get confused, or end up visiting a site they didn’t intend to.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=652&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=652&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=652&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=820&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=820&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=820&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">For years, Jon Postel held the reins to the internet’s address system.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/8212496@N06/2380082505">Jon Postel/Flickr</a></span>
</figcaption>
</figure>
<p>Originally, starting in the late 1960s, that record was kept on a floppy disk by a man named <a href="http://news.bbc.co.uk/2/hi/science/nature/196487.stm">Jon Postel</a>. By 1998, though, he and others were pointing out that such a significant amount of power <a href="https://www.wired.com/2012/10/joe-postel/">shouldn’t be held by just one person</a>. That year saw the U.S. Department of Commerce lay out a plan to transition control to a new private nonprofit organization, the Internet Corporation for Assigned Names and Numbers – better known as ICANN – that would manage internet addresses around the world.</p>
<p>For nearly 20 years, ICANN did that work under a contract from the Commerce Department, though <a href="https://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government">objections over U.S. government control</a> grew steadily. In 2016, the Commerce Department contract expired, and ICANN’s governance continued its shift toward a <a href="https://www.icann.org/community">broader, more globalized structure</a>.</p>
<p>Other groups that manage key aspects of internet communications have different structures. The Internet Engineering Task Force, for instance, is a <a href="https://www.ietf.org/about/participate/get-started/">voluntary technical organization</a> open to anyone. There are <a href="https://www.ietf.org/about/participate/tao/">drawbacks to that approach</a>, but it would have lessened both the reality and perception of U.S. control.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">This 2007 photo shows an Iranian nuclear enrichment facility in Natanz, which was apparently the target of the first known cyberweapon to cause physical damage.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/IRAN-NUCLEAR/56c235b2a1b24a63a73c8f0420940323/63/0">AP Photo/Hasan Sarbakhshian</a></span>
</figcaption>
</figure>
<h2>2010: War comes online</h2>
<p>In June 2010, <a href="https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/">cybersecurity researchers revealed</a> the discovery of a sophisticated cyber weapon called Stuxnet, which was designed specifically to target equipment used by Iran’s effort to develop nuclear weapons. It was among the first known digital attacks that <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">actually caused physical damage</a>. </p>
<p>Almost a decade later, it’s clear that Stuxnet opened the eyes of governments and other online groups to the possibility of wreaking significant havoc through the internet. These days, nations use cyberattacks with increasing regularity, attacking a range of <a href="https://www.wsj.com/articles/u-s-launched-cyberattacks-on-iran-11561263454">military</a> and even <a href="https://www.forbes.com/sites/zakdoffman/2019/08/10/state-sponsored-cyberattacks-challenge-the-very-concept-of-war-report/#4766a17154d6">civilian</a> targets.</p>
<p>There’s certainly <a href="https://theconversation.com/in-a-world-of-cyber-threats-the-push-for-cyber-peace-is-growing-119419">cause for hope for online peace and community</a>, but these decisions – along with many others – have shaped cyberspace and with it millions of people’s daily lives. Reflecting on those past choices can help inform upcoming decisions – such as how international law should <a href="https://www.lawfareblog.com/international-law-and-cyberspace-evolving-views">apply</a> to cyberattacks, or whether and how to <a href="https://www.forbes.com/sites/cognitiveworld/2019/03/02/artificial-intelligence-regulation-will-be-impossible/#1e98082c11ed">regulate</a> artificial intelligence. </p>
<p>Maybe 50 years from now, events in 2019 will be seen as another key turning point in the development of the internet.</p>
<p><em>Correction: This article was updated Oct. 31, 2019, to clarify the description of ICANN’s governance system.</em></p>
<p class="fine-print"><em><span>Scott Shackelford is a principal investigator on grants from the Hewlett Foundation, Indiana Economic Development Corporation, and the Microsoft Corporation supporting both the Ostrom Workshop Program on Cybersecurity and Internet Governance and the Indiana University Cybersecurity Clinic.</span></em></p>
<p>The first internet communication was underwhelming, thanks to a computer crash. But a lot has happened since then – including key decisions that helped build the internet of today.</p>
<p>Scott Shackelford, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/113368, 2019-03-13T03:59:23Z</p>
<h1>Becoming more like WhatsApp won’t solve Facebook’s woes – here’s why</h1>
<figure><img src="https://images.theconversation.com/files/263508/original/file-20190312-86682-uptyb5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Although WhatsApp is described as an encrypted messaging service, it's not as secure as you might think. </span> <span class="attribution"><a class="source" href="https://unsplash.com/photos/lZBs-lD9LPQ">rachit tank / unsplash</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure>
<p>Facebook CEO Mark Zuckerberg <a href="https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/">declared</a> last week that the company would shift away from open networks that embody “the town square” towards private, encrypted services that are more like “the digital equivalent of the living room”.</p>
<p>The announcement comes in response to numerous privacy scandals, which have often involved third party apps accessing information about millions of Facebook users for financial and political gain.</p>
<p>Zuckerberg aims to make private messages private and ephemeral – meaning Facebook can’t read our messages, and the data doesn’t stick around on the company’s servers for longer than necessary. His vision involves merging Facebook and the company’s other digital platforms – Instagram, WhatsApp, and Messenger – into a super app, similar to China’s WeChat.</p>
<p>But will these changes actually make Facebook better? Our research on the encrypted messaging platform WhatsApp suggests end-to-end encrypted services pose important challenges.</p>
<h2>WhatsApp: a ‘digital living room’</h2>
<p>Facebook acquired the instant messaging service <a href="https://www.businessinsider.com.au/whatsapp-messages-tripled-facebook-acquisition-charts-2018-5">WhatsApp in 2014</a>. It began rolling out end-to-end encrypted messaging on the service in the same year. In theory, that means messages sent via the platform are completely private. No one aside from the sender and receiver is supposed to be able to read them – not even WhatsApp (the platform) itself.</p>
<p>While there has been some take-up of WhatsApp in countries such as Australia and the US, it’s much <a href="https://www.statista.com/statistics/291540/mobile-internet-user-whatsapp/">more popular</a> in countries such as India, Brazil, Malaysia, and South Africa, where it has become the preferred messaging app. </p>
<p>WhatsApp has also become popular among activists and whistleblowers confronting authoritarian state power in <a href="https://www.nytimes.com/2018/03/02/technology/china-technology-censorship-borders-expansion.html">China</a>, <a href="http://asiapacific.anu.edu.au/cap-events/2018-08-01/dark-social-activism-whatsapp-election">Malaysia</a>, and <a href="https://www.eff.org/deeplinks/2012/09/privacy-activism-latin-america">Latin America</a>, where <a href="https://policyreview.info/articles/analysis/internet-surveillance-regulation-and-chilling-effects-online-comparative-case">surveillance of political organising</a> on open platforms has put activists advocating for social change in danger. Our research (to be published in a November 2019 special issue of the internet journal <a href="https://firstmonday.org/ojs/index.php/fm/index">First Monday</a>) shows WhatsApp has played a key role in resistance to state control in Spain, <a href="http://asiapacific.anu.edu.au/cap-events/2018-08-01/dark-social-activism-whatsapp-election">Malaysia</a> and Indonesia. </p>
<p>Despite these positives, we believe becoming more like WhatsApp isn’t a magic bullet solution to Facebook’s privacy and other concerns. Why? Here are three reasons. </p>
<h2>1. Encryption only creates the illusion of privacy</h2>
<p>Since encryption minimises the ability of third parties to “read” the content of messages, it does go some way towards enhancing privacy. But encryption alone <a href="https://journals.sagepub.com/doi/10.1177/2056305118795876">doesn’t necessarily make WhatsApp a secure service</a>, nor does it prevent third parties from accessing chat histories altogether.</p>
<p>In an <a href="https://www.eff.org/deeplinks/2016/10/where-whatsapp-went-wrong-effs-four-biggest-security-concerns">article</a> for the Electronic Frontier Foundation, technology experts Bill Budington and Gennie Gebhart stress that while encryption may well work to protect chat messages, it doesn’t make communication on WhatsApp safer if we take a more holistic approach to the app. They argue WhatsApp’s “surrounding functionalities” are the threat to privacy: for example, chat history backups are stored unencrypted in the cloud, and WhatsApp’s web interface can easily be hacked.</p>
<p>In a similar vein, <a href="https://medium.com/@gzanon/no-end-to-end-encryption-does-not-prevent-facebook-from-accessing-whatsapp-chats-d7c6508731b2">blogger and developer Gregorio Zanon says</a> Facebook “could potentially” access WhatsApp chat history because of the way operating systems work on smartphones. Zanon argues that in order for us to do everyday tasks with our phones, from editing a picture to pushing content to Apple Watch, operating systems such as Apple iOS decrypt WhatsApp files and messages stored in our phones. </p>
<p>In his own words:</p>
<blockquote>
<p>Messages are encrypted when you send them, yes. But the database that stores your chats on your iPhone does not benefit from an extra layer of encryption. It is protected by standard iOS data protection, which decrypts files on the fly when needed.</p>
</blockquote>
<h2>2. Metadata means there’s always a digital trail</h2>
<p>Zuckerberg <a href="https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/">claims</a> Facebook could limit the amount of time it stores messages. But media scholars argue it is not the content of messages itself that enables profiles of users to be built for the purposes of targeting advertising; it’s the metadata. This is a key privacy concern.</p>
<p>Metadata includes users’ contact information and details about messages, such as the time they are sent and the identities and locations of senders and receivers, information that WhatsApp <a href="https://www.forbes.com/sites/thomasbrewster/2017/01/22/whatsapp-facebook-backdoor-government-data-request/#43b5f7de1030">can share</a> with the backing of the legal system.</p>
<p>For example, <a href="https://www.cjr.org/tow_center/whatsapp-doesnt-have-to-break-encryption-to-beat-fake-news.php">researchers</a> have shown that WhatsApp caches popular media files. This allows the company to track forwarded media files reported as problematic, and potentially identify the source without breaking encryption.</p>
<p>Crucial questions around metadata and potential data breaches become even more concerning when considered in light of Facebook’s plan to enable data to be shared across platforms (Facebook, WhatsApp, Instagram, Messenger). There are concerns this may make data less, rather than more, secure.</p>
<p>The proposal is likely to face stiff opposition in Europe, given that the EU’s data protection regulator, the Data Protection Commission (DPC), has <a href="https://www.theguardian.com/technology/2019/jan/28/eu-data-watchdog-raises-concerns-facebook-integration">previously raised concerns</a> about security in Facebook’s plans to integrate services.</p>
<h2>3. Encrypted messages can’t be moderated</h2>
<p>In his <a href="https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/">latest manifesto</a>, Zuckerberg avoids addressing Facebook’s other great problem beyond privacy: content moderation.</p>
<p>Zuckerberg acknowledges <a href="https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/">in his long Facebook post</a> that a problem with encryption is that bad actors can exploit it to do bad things, such as “child exploitation, terrorism and extortion”.</p>
<p>But what might end-to-end encryption mean for the spread of fake news and misinformation? Recent scholarship on <a href="https://www.newmandala.org/disinformation-democracy-indonesia/">Indonesia</a> and <a href="http://globalmedia.mit.edu/2018/11/09/zap-zap-whos-there-whatsapp-and-the-spread-of-fake-news-during-the-2018-elections-in-brazil/?fbclid=IwAR3maE_h1BPtEicM10162MUgUFZukgGkdQAoXnSRmBSStG0XFgHIy9c021A">Brazil</a> has shown that WhatsApp has become a safe haven for producers of fake news, who can’t be easily traced on encrypted services. </p>
<p>To deal with this problem, WhatsApp has limited the number of times messages can be forwarded in countries like <a href="https://www.epw.in/journal/2019/6/insight/whatsapp-rumours-and-lynchings.html">India</a> and <a href="https://www.recode.net/2018/7/19/17594156/whatsapp-limit-forwarding-fake-news-violence-india-myanmar">Myanmar</a>, where WhatsApp hoaxes have led to violence. </p>
<p>A more private, end-to-end encrypted system would partially free Facebook from the burdens involved in having to moderate this kind of content. This is a task the company has been reluctant to pursue, but it has been forced to do it due to its pivotal role as the contemporary “town square”.</p>
<p>Although the app is used to discuss public issues through <a href="https://arxiv.org/abs/1804.00397">public groups</a> of up to 256 people, there is no specific tool on WhatsApp that allows users to flag problematic content.</p>
<p>Questions also remain about the challenges that end-to-end encryption poses for the spread of <a href="https://research.qut.edu.au/dmrc/2018/08/14/dmrc-fridays-seminar-series-2018-september-28/">racist</a>, misogynist, and other discriminatory content. </p>
<p>Clearly there is a lot at stake with Facebook’s proposed changes. We are right to hold the company’s plans up to scrutiny, and ask whether users will be the beneficiaries of these planned changes.</p>
<p class="fine-print"><em><span>Amelia Johns is the recipient of an Australia Research Council Discovery Award for project: 'Fostering Global Digital Citizenship: Diaspora Youth in a Connected World'.
She is also an Investigator on a team project which has received funding from Facebook's Integrity Foundational Research Award. The project is called 'Decoding the Weaponising of Pop Culture on WhatsApp in Singapore and Malaysia'.</span></em></p><p class="fine-print"><em><span>Emma Baulch receives funding from the Australian Research Council.</span></em></p><p class="fine-print"><em><span>Ariadna Matamoros-Fernández does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Facebook seems to be shifting its focus more towards privacy. But this might have some unexpected repercussions, as highlighted by recent research on the encrypted messaging service WhatsApp.Ariadna Matamoros-Fernández, Lecturer in Digital Media at the School of Communication, Queensland University of TechnologyAmelia Johns, Senior Lecturer, IKM and Digital Studies Program, University of Technology SydneyEmma Baulch, Associate Professor of Media and Communication at Monash University, Malaysia., Monash UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/969092018-08-15T01:22:12Z2018-08-15T01:22:12ZThe devil is in the detail of government bill to enable access to communications data<p>The Australian government has released a draft of its long awaited <a href="https://www.homeaffairs.gov.au/about/consultations/assistance-and-access-bill-2018">bill</a> to provide law enforcement and security agencies with new powers to respond to the challenges posed by <a href="https://theconversation.com/worried-your-emails-might-be-spied-on-heres-what-you-can-do-66574">encryption</a>.</p>
<p>According to the <a href="https://www.homeaffairs.gov.au/consultations/Documents/explanatory-document.pdf">Department of Home Affairs</a>, encryption already impacts 90% of Australian Security Intelligence Organisation’s (ASIO) priority cases, and 90% of data intercepted by the Australian Federal Police. The measures aim to counteract estimates that communications among terrorists and organised crime groups are <a href="https://www.homeaffairs.gov.au/about/consultations/assistance-and-access-bill-2018">expected</a> to be entirely encrypted by 2020.</p>
<p>The Department of Home Affairs and ASIO <a href="https://www.homeaffairs.gov.au/consultations/Documents/explanatory-document.pdf">can</a> already access encrypted data with specialist decryption techniques – or at points where data are not encrypted. But this takes time. The new bill aims to speed up this process, but these broad and ill-defined new powers have significant scope for abuse.</p>
<p>The Department of Home Affairs <a href="https://www.homeaffairs.gov.au/consultations/Documents/explanatory-document.pdf">argues</a> this new framework will not compel communications providers to build systemic weaknesses or vulnerabilities into their systems. In other words, it is not a backdoor. </p>
<p>But it will require providers to offer up details about technical characteristics of their systems that could help agencies exploit weaknesses that have not been patched. It also includes installing software, and designing and building new systems.</p>
<h2>Compelling assistance and access</h2>
<p>The draft <a href="https://www.homeaffairs.gov.au/consultations/Documents/the-assistance-access-bill-2018.pdf">Assistance and Access Bill</a> introduces three main reforms. </p>
<p>First, it increases the obligations of both domestic and offshore organisations to assist law enforcement and security agencies to access information. Second, it introduces new computer access warrants that enable law enforcement to covertly obtain evidence directly from a device (this occurs at the endpoints when information is not encrypted). Finally, it increases existing powers that law enforcement have to access data through search and seizure warrants.</p>
<p>The bill is modelled on the UK’s <a href="http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted">Investigatory Powers Act</a>, which introduced mandatory decryption obligations. Under the UK Act, the UK government can order telecommunication providers to remove any form of electronic protection that is applied by, or on behalf of, an operator. Whether or not this is technically possible is another question.</p>
<p>Similar to the UK laws, the Australian bill puts the onus on telecommunication providers to give security agencies access to communications. That might mean providing access to information at points where it is not encrypted, but it’s not immediately clear what other requirements can or will be imposed.</p>
<p>For example, the bill allows the <a href="https://www.asio.gov.au/director-general-security.html">Director-General of Security</a> or the chief officer of an interception agency to compel a provider to do an unlimited range of <em>acts or things</em>. That could mean anything from removing security measures to deleting messages or collecting extra data. Providers will also be required to conceal any action taken covertly by law enforcement.</p>
<p>Further, the <a href="https://www.australia.gov.au/directories/australia/attorney-generals">Attorney-General</a> may issue a “technical capability notice” <em>directed towards ensuring that the provider is capable of giving certain types of help</em> to ASIO or an interception agency. </p>
<p>This means providers will be required to develop new ways for law enforcement to collect information. As in the UK, it’s not clear whether a provider will be able to offer true end-to-end encryption and still be able to comply with the notices. Providers that breach the law risk facing $10 million fines.</p>
<h2>Cause for concern</h2>
<p>The bill puts few limits or constraints on the assistance that telecommunication providers may be ordered to offer. There are also concerns about transparency. The bill would make it an offence to disclose information about government agency activities without authorisation. Anyone leaking information about data collection by the government – as Edward Snowden did in the US – could go to jail for five years.</p>
<p>There are limited oversight and accountability structures and processes in place. The Director-General of Security, the chief officer of an interception agency and the Attorney-General can issue notices without judicial oversight. This differs from how it works in the UK, where a specific judicial oversight regime was established, in addition to the introduction of an Investigatory Powers Commissioner. </p>
<p>Notices can be issued to enforce domestic laws and assist the enforcement of the criminal laws of foreign countries. They can also be issued in the broader interests of national security, or to protect the public revenue. These are vague and unclear limits on these exceptional powers.</p>
<p>The range of service providers is also extremely broad. It might include telecommunication companies, internet service providers, email providers, social media platforms and a range of other “<a href="https://www.techopedia.com/definition/29145/over-the-top-application-ott">over-the-top</a>” services. It also covers those who develop, supply or update software, and manufacture, supply, install or maintain data processing devices.</p>
<p>The enforcement of criminal laws in other countries may mean international requests for data will be funnelled through <a href="http://journals.sagepub.com/doi/abs/10.1177/1748048518757141">Australia as the “weakest-link”</a> of our Five Eyes allies. This is because Australia has no enforceable human rights protections at the federal level.</p>
<p>It’s not clear how the government would enforce these laws on transnational technology companies. For example, if Facebook was issued a fine under the laws, it could simply withdraw operations or refuse to pay. Also, $10 million is a drop in the ocean for companies such as Facebook whose <a href="https://www.prnewswire.com/news-releases/facebook-reports-fourth-quarter-and-full-year-2017-results-300591468.html">total revenue last year</a> exceeded US$40 billion.</p>
<h2>Australia is a surveillance state</h2>
<p>As I have <a href="https://www.policyforum.net/undermining-encryption-wont-work-police-enough-powers-anyway/">argued elsewhere</a>, the broad powers outlined in the bill are neither necessary nor proportionate. Police already have existing broad powers, which are further strengthened by this bill, such as their ability to covertly <a href="https://theconversation.com/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891">hack devices</a> at the endpoints when information is not encrypted.</p>
<p>Australia has limited human rights and privacy protections. This has enabled a constant and steady expansion of the powers and capabilities of the surveillance state. If we want to protect the privacy of our communications we must <a href="https://secureaustralia.org.au/">demand</a> it. </p>
<p>The <em>Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018</em> (Cth) is still in a draft stage and the Department of Home Affairs invites public comment up until 10th of September 2018. Submit any comments to assistancebill.consultation@homeaffairs.gov.au.</p>
<p class="fine-print"><em><span>Dr Monique Mann is a Board Member of the Australian Privacy Foundation where she Co-Chairs the Surveillance Committee. She is also on the Advisory Council of Digital Rights Watch Australia. While at the Australian Institute of Criminology, she consulted for the Australian Criminal Intelligence Commission on information systems and cybercrime. The views expressed here are those of the author and do not represent the views of any Commonwealth agency.</span></em></p>The broad and ill-defined new powers outlined in the government’s new telecommunications bill are neither necessary nor proportionate – and contain significant scope for abuse.Monique Mann, Vice Chancellor’s Research Fellow in Regulation of Technology, Queensland University of TechnologyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1013782018-08-14T04:14:36Z2018-08-14T04:14:36ZNew data access bill shows we need to get serious about privacy with independent oversight of the law<figure><img src="https://images.theconversation.com/files/231816/original/file-20180814-2921-15oljsx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://photos.aap.com.au/search/turnbull%20dutton%20parliament">MICK TSIKAS/AAP</a></span></figcaption></figure><p>The federal government today announced its <a href="https://www.homeaffairs.gov.au/consultations/Documents/the-assistance-access-bill-2018.pdf">proposed legislation</a> to give law enforcement agencies yet more avenues to reach into our private lives through access to our personal communications and data. This never-ending story of parliamentary bills defies logic, and is not offering the necessary oversight and protections. </p>
<p>The trend has been led by Prime Minister Malcolm Turnbull, with help from an ever-growing number of security ministers and senior officials. Could it be that the proliferation of government security roles is a self-perpetuating industry leading to ever more government powers for privacy encroachment?</p>
<p>That definitely appears to be the case.</p>
<p>Striking the right balance between data access and privacy is a tricky problem, but the government’s current approach is doing little to solve it. We need better oversight of law enforcement access to our data to ensure it complies with privacy principles and actually results in convictions. That might require setting up an independent judicial review mechanism to report outcomes on an annual basis. </p>
<h2>Where is the accountability?</h2>
<p>The succession of data access legislation in the Australian parliament is fast becoming a Mad Hatter’s tea party – a characterisation justified by the increasingly unproductive public conversations between the government on one hand, and legal specialists and rights advocates on the other. </p>
<p>If the government says it needs new laws to tackle “terrorism and paedophilia”, then the rule seems to be that the other side will be criticised for bringing up “privacy protection”. The federal opposition has surrendered any meaningful resistance to this parade of legislation.</p>
<p>Rights advocates have been backed into a corner by being forced to repeat their concerns over each new piece of legislation while neither they nor the government, nor our <a href="https://www.oaic.gov.au/">Privacy Commissioner</a>, and all the other “commissioners”, are called to account on fundamental matters of principle.</p>
<p>Speaking of the commissioner class, Australia just got a new one last week: the <a href="https://www.pmc.gov.au/public-data/national-data-commissioner">Data Commissioner</a>. Strangely, the impetus for this appointment came from the <a href="https://www.mhs.gov.au/media-releases/2018-05-01-government-response-productivity-commission-inquiry-data-availability-and-use">Productivity Commission</a>. </p>
<p>The post has <a href="http://dataavailability.pmc.gov.au/governance-national-data-system">three purposes</a>: </p>
<ol>
<li>to promote greater use of data, </li>
<li>to drive economic benefits and innovation from greater use of data, and </li>
<li>to build trust with the Australian community about the government’s use of data.</li>
</ol>
<p>The problem with this logic is that purposes one and two can only be distinguished by the seemingly catch-all character of the first: that if data exists it must be used. </p>
<p>Leaving aside that minor point, the notion that the government needs to build trust with the Australian community on data policy speaks for itself. </p>
<h2>National Privacy Principles fall short</h2>
<p>There is near universal agreement that the government is managing this issue badly, from the <a href="http://www.abc.net.au/news/2017-10-19/abs-annual-report-censusfail/9064970">census data management issue</a> to the <a href="https://theconversation.com/my-health-record-the-case-for-opting-out-99302">“My Health Record” debacle</a>. The growing commissioner class has not been much help.</p>
<p>Australia does have <a href="https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles">personal data protection principles</a>, you may be surprised to learn. They are called “Privacy Principles”. You may be even more surprised to learn that the rights offered in these principles exist only up to the point where any enforcement arm of government wants the data. </p>
<p>So it seems that Australians have to rely on the leadership of the Productivity Commission (for economic policy) to guarantee our rights in cyber space, at least when it comes to our personal data.</p>
<h2>Better oversight is required</h2>
<p>There is another approach to reconciling citizens’ interests in privacy protection with legitimate and important enforcement needs against terrorists and paedophiles: that is judicial review.</p>
<p>The government argues, unconvincingly <a href="https://www.theguardian.com/australia-news/2018/jul/26/my-health-record-greg-hunts-warrant-claims-contradicted-by-police-union">according to police sources</a>, that this process adequately protects citizens by requiring law enforcement to obtain court-ordered warrants to access information. The record in some other countries suggests otherwise, with judges almost always waving through any application from enforcement authorities, <a href="https://www.zdnet.com/article/fisa-court-denied-record-surveillance-orders-trump-first-year/">according to official US data</a>.</p>
<p>There is a second level of judicial review open to the government. This is to set up an independent judicial review mechanism that is obliged to annually review all instances of government access to personal data under warrant, and to report on the virtues or shortcomings of that access against enforcement outcomes and privacy principles. </p>
<p>There are two essential features of this proposal. First, the reviewing officer is a judge and not a public servant (the “commissioner class”). Second, the scope of the function is review of the daily operation of the intrusive laws, not just the post-facto examination of notorious cases of data breaches.</p>
<p>It would take a lengthy academic volume to make the case for judicial review of this kind. But it can be defended simply on economic grounds: such a review process would shine light on the efficiency of police investigations. </p>
<p>According to <a href="https://www.theguardian.com/uk-news/2018/jun/14/number-terrorism-related-arrests-uk-record-levels">data released by the UK government</a>, the overwhelming share of arrests for terrorist offences in the UK (many based on court-approved warrants for access to private data) do not result in convictions. There were <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715701/annex-a-flow-chart-mar2018.pdf">37 convictions out of 441 arrests</a> for terrorist-related offences in the 12 months up to March 2018. </p>
<p>The Turnbull government deserves credit for its recognition of the values of legal review. Its continuing commitment to posts such as the <a href="https://www.inslm.gov.au/">National Security Legislation Monitor</a> – and the appointment of a <a href="https://www.lawyersweekly.com.au/wig-chamber/21918-silk-picked-to-monitor-national-security-laws">high-profile barrister</a> to such a post – is evidence of that. </p>
<p>But somewhere along the way, the administration of data privacy is falling foul of a growing bureaucratic mess. </p>
<p>The only way to bring order to the chaos is through robust accountability; and the only people with the authority or legitimacy in our political system to do that are probably judges who are independent of the government.</p>
<p class="fine-print"><em><span>Greg Austin does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The succession of data access legislation in the Australian parliament is fast becoming a Mad Hatter’s tea party. We need better oversight, and fast.Greg Austin, Professor UNSW Canberra Cyber, UNSW SydneyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/999262018-07-19T10:42:01Z2018-07-19T10:42:01ZUS health care companies begin exploring blockchain technologies<figure><img src="https://images.theconversation.com/files/227898/original/file-20180716-44097-1lcqnm6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Finding ways to link health care data in a secure and confidential way.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/medicine-doctor-stethoscope-hand-touching-icon-649070965">PopTika/Shutterstock.com</a></span></figcaption></figure><p>The sprawling U.S. health care industry has trouble managing patient information: Every doctor, medical office, hospital, pharmacy, therapist and insurance company needs different pieces of data to properly care for patients. These records are <a href="https://www.cms.gov/Medicare/E-Health/EHealthRecords/index.html">scattered across each business’s computers</a> – and some no doubt in filing cabinets too. They’re not all kept up to date with current information, as a person’s prescriptions change or new X-rays are taken, and they’re not easily shared from one provider to another.</p>
<p>For instance, in Boston alone, medical offices use more than <a href="https://www.technologyreview.com/s/608821/who-will-build-the-health-care-blockchain/">two dozen different systems</a> for keeping electronic health records. None of them can directly communicate with any of the others, and all of them present opportunities for hackers to steal, delete or modify records either individually or en masse. In an emergency, doctors may not be able to get crucial medical information because it’s stored somewhere else. That can result in direct <a href="https://doi.org/10.1001/jama.2018.1171">harm to patients</a>. </p>
<p>There might be a way out, toward a health care system where patients have accurate and updated records that are secure against tampering or snooping, and with data that can be shared quickly and easily with any provider who needs it. In <a href="https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=2667484">my work</a> on health care innovation at the <a href="http://law.slu.edu/healthlaw">Center for Health Law Studies</a>, at Saint Louis University School of Law, I have been following the rise of a technology that may help us address the weaknesses in today’s health care record-keeping: blockchain.</p>
<h2>A secure system to store private information</h2>
<p><a href="https://theconversation.com/demystifying-the-blockchain-a-basic-user-guide-60226">Blockchain systems</a>, best known in connection with <a href="https://www.nature.com/news/the-future-of-cryptocurrencies-bitcoin-and-beyond-1.18447">cryptocurrencies</a> like Bitcoin, are networks of databases stored in different places that use <a href="https://www.technologyreview.com/s/610781/in-blockchain-we-trust/">securely encrypted messages</a> to connect with each other over the internet. Information can’t be deleted, but it can be updated – though only by authorized users, whose identities are recorded along with their actions. </p>
<p>That would keep years of patient data secure and make any human errors in data entry easy to track down and correct. Patients themselves could review and update information, and even add new information they collect or observe about their own conditions. Both <a href="https://www.blockchain-council.org/blockchain/where-is-blockchain-hosted-why-it-is-difficult-to-hack-it/">hacking and fraud would be extremely difficult</a>.</p>
<p>There are many <a href="https://medium.com/swlh/top-5-dlt-blockchain-protocols-to-consider-in-your-project-dae7fc6d381d">blockchain systems, each with its own security methods and practices</a>, but developers are working to <a href="https://www.afponline.org/trends-topics/topics/articles/Details/interoperability-the-holy-grail-of-blockchain">help them connect with each other</a>, and to make the process of collecting records much cheaper and faster than today.</p>
<h2>Helping patients and practitioners</h2>
<p>Blockchain can also help other areas of the health care industry. The <a href="https://www.cdc.gov/ophss/chiic/forums/CDC-Blockchain-Overview_-v16_tgs_2_2018-508.pdf">Centers for Disease Control and Prevention</a> are developing blockchain-based systems to share data on threatening pathogens, analyze outbreaks, and manage the response to public health crises. Some commentators have even suggested that a blockchain system might help track <a href="https://www.technologyreview.com/s/608959/why-the-cdc-wants-in-on-blockchain/">opioid use and abuse</a>. </p>
<p>Clinical trials, too, may benefit from blockchain. Today, <a href="https://doi.org/10.1186/s13063-017-2035-z">patchy data</a> and inefficient communication among all players involved in clinical trials <a href="http://fortune.com/2018/03/20/human-clinical-trials/">pose serious problems</a>. The drug discovery and development processes could see similar benefits.</p>
<p>Pharmaceutical companies currently monitor drug shipments and delivery through an inefficient web of <a href="http://fortune.com/2017/09/21/pharma-blockchain/">scattered databases</a>. In 2017, Pfizer and other drugmakers announced their support for <a href="https://www.ethnews.com/pfizer-and-genentech-turn-to-ethereum-blockchain">MediLedger</a>, seeking to transfer those tasks to a blockchain – which Walmart is already doing to <a href="https://newfoodeconomy.org/blockchain-food-traceability-walmart-ibm/">track its food shipments</a>.</p>
<h2>First steps in the US</h2>
<p>In addition to the major pharmaceutical companies’ supply-tracking experiment, other major U.S. health-care companies are beginning to explore blockchain technology. In early 2018, five of the country’s largest health-care companies <a href="http://www.modernhealthcare.com/article/20180402/NEWS/180409999">started using a blockchain system</a> to <a href="https://www.cnbc.com/2018/04/02/insurers-will-study-blockchain-to-fix-their-provider-lists.html">collect data on health-care providers’ demographics</a>. </p>
<p>What’s most striking about this collaboration – including a <a href="https://www.reuters.com/article/us-starrinvestment-acquisition-multiplan-idUSBREA1G0P620140218">medical claim processor</a> and a <a href="http://newsroom.questdiagnostics.com/index.php?s=30664">national medical testing lab</a> – is that it includes major health insurers that directly compete against each other: Humana and the UnitedHealth Group. That signals a potential shift toward industry-wide approaches to handling health care data.</p>
<h2>Europe takes the lead</h2>
<p>Europe offers some examples and useful guides for U.S. efforts to use blockchains in health care.</p>
<p>In 2016, the European Union began funding a <a href="http://www.myhealthmydata.eu/consortium/">multinational collaboration with privacy companies and leading research universities</a> to build a <a href="http://www.myhealthmydata.eu">blockchain system that would aggregate and share biomedical information</a> between health care organizations and individual patients all across the EU. Among other things, this would offer patients secure personal health data accounts online, accessible from computers and mobile devices.</p>
<p>Using a <a href="https://www.carechain.io/#members">similarly collaborative approach</a>, Sweden recently began rolling out an interoperable blockchain health data platform called <a href="https://www.carechain.io/">CareChain</a>. CareChain is being publicized as “infrastructure that is owned and controlled by no one and everyone.” Companies and individual people can use the system to store health information from disparate sources. The system also lets <a href="https://www.carechain.io/files/CareChain_The_Infrastructure_Consortium.pdf">developers create apps and services</a> that can access the information, to analyze users’ data and offer them tips, ideas and products to improve their health.</p>
<p>Offering an idea of what’s possible is Estonia, which since 2012 has been <a href="https://e-estonia.com">using blockchain</a> technology to secure health care data and transactions, including putting <a href="https://e-estonia.com/solutions/healthcare/e-health-record/">95 percent of health data</a> in electronic form. All of the country’s health care billing is handled electronically, and <a href="https://e-estonia.com/solutions/healthcare/e-prescription/">99 percent</a> of its prescriptions are digital.</p>
<p>That’s a future the U.S. could look forward to, as it experiments on its own and learns from the experience of these existing projects.</p>
<p class="fine-print"><em><span>Ana Santos Rutschman does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The strengths of blockchain technologies could help address the weaknesses of health care systems to store and secure medical records.</p>
<p>Ana Santos Rutschman, Assistant Professor of Law, Saint Louis University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>GDPR: ground zero for a more trusted, secure internet</h1>
<p>2018-05-25T16:56:55Z</p>
<figure><img src="https://images.theconversation.com/files/220465/original/file-20180525-51102-a4jra3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/diversity-people-connection-digital-devices-browsing-392365027">Shutterstock</a></span></figcaption></figure>
<p>Most of us have been bombarded recently by a barrage of emails from companies begging us to “stay in touch” or “opt in” or informing us of a “policy update”. On May 25, an historic date for the internet, the EU’s <a href="https://gdpr-info.eu/">General Data Protection Regulation</a> (GDPR) comes into force. For some, it is the start of a more citizen-focused world; for others, it will see the collapse of their digital marketing strategy.</p>
<p>The number and scope of serious data breaches have dramatically increased in the last few years. In 2013, around three billion Yahoo user accounts were <a href="http://www.bbc.co.uk/news/business-41493494">affected by a hacking attack</a>. Recently it was revealed that 143m customers of the credit score agency <a href="https://www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/">Equifax</a> were hit by a similar breach. And on top of this, we see breaches of privacy in the mass harvesting of data from Cloud service providers, as highlighted by the <a href="https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election">Facebook/Cambridge Analytica</a> debacle. No wonder there is an increasing lack of trust in how companies capture and process our data.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/220455/original/file-20180525-51130-104ymc.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/220455/original/file-20180525-51130-104ymc.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=344&fit=crop&dpr=1 600w, https://images.theconversation.com/files/220455/original/file-20180525-51130-104ymc.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=344&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/220455/original/file-20180525-51130-104ymc.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=344&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/220455/original/file-20180525-51130-104ymc.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=433&fit=crop&dpr=1 754w, https://images.theconversation.com/files/220455/original/file-20180525-51130-104ymc.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=433&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/220455/original/file-20180525-51130-104ymc.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=433&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Even Spotify has got in on the GDPR action.</span>
<span class="attribution"><a class="source" href="https://www.spotify.com/uk/">Spotify</a></span>
</figcaption>
</figure>
<h2>A new dawn</h2>
<p>GDPR replaces the EU’s 1995 <a href="https://whatis.techtarget.com/definition/EU-Data-Protection-Directive-Directive-95-46-EC">Data Protection Directive</a>, which set out minimum standards for processing data. With the new regulations, individuals are afforded the power to compel companies to reveal (or delete) any personal data they hold, and failure to adhere to the new rules will result in <a href="https://www.gdpr.associates/what-is-gdpr/understanding-gdpr-fines/">stiff penalties</a>, with a maximum fine of 4% of a company’s turnover. For a company like Facebook, this could mean around US$1.6 billion.</p>
<p>Many companies already work within audit/compliance regimes. In the finance industry, for example, this is typically the <a href="http://www.theukcardsassociation.org.uk/security/What_is_PCI%20DSS.asp">Payment Card Industry Data Security Standard</a> (PCI-DSS). But these regulations have often failed to stem the tide of data breaches within companies, necessitating more robust standards. At the core of GDPR there are four foundation elements:</p>
<h2>Consent and how your data is used</h2>
<p>As GDPR ensures that consent is explicit, the days of consent by default are over, and the need for users to opt out of mailing lists will become a thing of the past. Individuals have the right to withhold consent, request access to their personal information or delete it altogether from a site. Currently the general feeling is that few users are actually following up on the consent request emails, which means companies may experience problems with their current digital marketing strategies, as they see their contact lists collapse.</p>
<h2>Response to breaches</h2>
<p>In the past, companies have failed to respond promptly to data breaches, especially in the time taken to inform users, and have been vague about what they report. GDPR aims to overcome this by forcing companies to report within 72 hours, and to have faster methods of investigating a breach. This is likely to see the rise of 24/7 security operation centres (SOCs) which continually monitor the data infrastructure for signs of a breach. With the current average time to detect a data breach measured in months, this will be a significant challenge for many companies.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/220308/original/file-20180524-51135-2vrpg2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/220308/original/file-20180524-51135-2vrpg2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=401&fit=crop&dpr=1 600w, https://images.theconversation.com/files/220308/original/file-20180524-51135-2vrpg2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=401&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/220308/original/file-20180524-51135-2vrpg2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=401&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/220308/original/file-20180524-51135-2vrpg2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/220308/original/file-20180524-51135-2vrpg2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/220308/original/file-20180524-51135-2vrpg2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Some of the focus areas of GDPR.</span>
<span class="attribution"><span class="source">Author Provided</span></span>
</figcaption>
</figure>
<h2>Encryption</h2>
<p>The real wake-up call for new regulation is that much of the internet is not trusted by users, who are concerned it does not embed security properly. Data must now be protected with encryption – encoding information so that it can only be accessed by an authorised user – wherever it relates to personally sensitive data. Companies must understand the scope of a data breach in terms of the information that can be extracted from a leak. If the data is encrypted, it will make it much more difficult to reveal the information.</p>
<p>In the past, the industry has generally struggled to implement encryption and rights protection on documents, but GDPR will force a move towards encryption by default and demand tighter controls on devices that access sensitive documents. The <a href="https://www.techrepublic.com/article/microsoft-outlook-rolling-out-end-to-end-encryption-to-protect-business-email/">recent moves</a> by Google and Microsoft to lock down their email systems with improved security mark some of the first proper attempts to integrate encryption and access control into documents accessed over the Cloud.</p>
<h2>Protecting your privacy</h2>
<p>Under GDPR, a particular challenge for many companies will be the separation of personally identifiable information (PII) – name, date of birth, phone number – from other elements of data. If we take the example of health records, a patient’s community health index number (CHI) will be stored under a “pseudo-anonymiser” – an identifier that disguises the connection between someone’s identity and their information.</p>
<p>This involves not just electronic separation on different databases, but physical separation on different systems. The merging of this information must then take place on a different system, and one that is highly trusted. But many see the concept of pseudo-anonymisation as weak from a privacy point of view, as details can often be mapped back to a particular ID if additional information is known.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/220424/original/file-20180525-117628-13v0o9p.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/220424/original/file-20180525-117628-13v0o9p.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=378&fit=crop&dpr=1 600w, https://images.theconversation.com/files/220424/original/file-20180525-117628-13v0o9p.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=378&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/220424/original/file-20180525-117628-13v0o9p.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=378&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/220424/original/file-20180525-117628-13v0o9p.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=476&fit=crop&dpr=1 754w, https://images.theconversation.com/files/220424/original/file-20180525-117628-13v0o9p.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=476&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/220424/original/file-20180525-117628-13v0o9p.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=476&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The pseudo-anonymiser process.</span>
</figcaption>
</figure>
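<p>The separation and trusted re-linking described above, as an added example that is not part of the original article. It assumes an HMAC-SHA256 keyed pseudonym, constructed patient records, and hypothetical function names; the last function flags records that remain easy to single out from coarse attributes alone, which is the weakness noted in the text.</p>

```python
import hashlib
import hmac
from collections import Counter

# Constructed key. Assumption: only the trusted linkage system ever holds it.
LINKAGE_KEY = b"constructed-demo-key"

# Constructed patient records; the CHI values are made up for this example.
PATIENTS = [
    {"chi": "0101700001", "name": "Patient A", "dob": "1970-01-01",
     "postcode": "EH10 5DT", "diagnosis": "asthma"},
    {"chi": "1203700002", "name": "Patient B", "dob": "1970-03-12",
     "postcode": "EH10 4BF", "diagnosis": "type 2 diabetes"},
    {"chi": "2306850003", "name": "Patient C", "dob": "1985-06-23",
     "postcode": "EH10 7AA", "diagnosis": "hypertension"},
    {"chi": "0909700004", "name": "Patient D", "dob": "1970-09-09",
     "postcode": "G12 8QQ", "diagnosis": "rare metabolic disorder"},
]


def pseudonymise(chi, key=LINKAGE_KEY):
    """Keyed pseudonym for a CHI. A keyed HMAC is used because a plain hash
    of a short numeric identifier can be reversed by trying every value."""
    return hmac.new(key, chi.encode(), hashlib.sha256).hexdigest()[:16]


def split_stores(patients, key=LINKAGE_KEY):
    """Split records into an identity store and a clinical store that share
    only the pseudonym; each would live on a separate system."""
    identity_store, clinical_store = {}, []
    for p in patients:
        pid = pseudonymise(p["chi"], key)
        identity_store[pid] = {"chi": p["chi"], "name": p["name"], "dob": p["dob"]}
        clinical_store.append({
            "pid": pid,
            "birth_year": p["dob"][:4],             # coarsened date of birth
            "district": p["postcode"].split()[0],   # outward postcode only
            "diagnosis": p["diagnosis"],
        })
    return identity_store, clinical_store


def relink(chi, clinical_store, key):
    """Merge step, run only on the trusted system that holds the key."""
    pid = pseudonymise(chi, key)
    return [row for row in clinical_store if row["pid"] == pid]


def at_risk(clinical_store, quasi=("birth_year", "district"), k=2):
    """Pseudonyms whose quasi-identifier combination is shared by fewer than
    k rows: anyone who knows those attributes can single the record out."""
    combo = lambda row: tuple(row[q] for q in quasi)
    counts = Counter(combo(row) for row in clinical_store)
    return sorted(row["pid"] for row in clinical_store if counts[combo(row)] < k)


if __name__ == "__main__":
    identities, clinical = split_stores(PATIENTS)
    print("re-linked on trusted system:", relink("0101700001", clinical, LINKAGE_KEY))
    print("re-link with wrong key:", relink("0101700001", clinical, b"other-key"))
    print("records needing more generalisation:", at_risk(clinical))
```

<p>Records returned by <code>at_risk</code> need further generalisation or suppression before the clinical store is shared, because the pseudonym alone does not hide them.</p>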
<p>So will we see an improvement in our online world in terms of protection and security? Well, definitely some, though many of the changes will happen behind the scenes with improved processes and security methods. But what we should notice is companies taking computer security more seriously. We should see simpler terms and conditions, better reporting on data breaches and companies demonstrating a more reassuring and responsible attitude to our data.</p>
<p>GDPR moves us truly into a more equal information age, where we are finally moving away from the weaker legacy systems of the past to build a more trusted, secure and resilient internet for the future.</p>
<p class="fine-print"><em><span>Bill Buchanan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Will GDPR usher in a fresh start for the internet? A look at the four main foundation elements and how they affect you.</p>
<p>Bill Buchanan, Head, The Cyber Academy, Edinburgh Napier University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>