Archive for Data Security

Scale of Police Computer Misuse Uncovered

A Freedom of Information (FoI) request made by think tank Parliament Street has revealed that 237 serving officers and members of staff have been disciplined for computer misuse in the last two financial years.

Sackings and Resignations

The FOI request, which was responded to by 23 forces also revealed that 6 employees resigned and 11 were sacked over failures in adhering to IT best practices e.g. for disclosing personal information.

Took Photos of Screen and Shared

In Hertfordshire, two incidents out of 16 disciplinary cases involved employees taking photographs of the screen of a (confidential) police computer system and sharing those photos via social media.

Most Cases

The most individual computer misuse incidents were recorded by Surrey Police with 50. Second in the misuse ranking was the Metropolitan police where 18 people were disciplined (4 were accused of misusing social media) and one staff member was sacked for misusing the Crime Reporting Information System.

Greater Manchester Police managed to take the third position in the incidents rankings with 17 for misuse of force systems.

Other Incidents

Other incidents uncovered by the FoI request included 3 officers getting sacked from Gwent Police (for researching the crime database for a named person, disclosing confidential information, and for unlawful access to information) and 3 getting sacked form Wiltshire Police force for using the police databases without lawful access to the information. Also, one member of Nottinghamshire Police was disciplined for using the police computer system to search for information about a civil dispute they were involved in.

Case In July

These incidents were reminiscent of the case from July this year whereby a serving Metropolitan police officer was given 150 hours of community service and ordered to pay £540 after pleading guilty to crimes under the UK’s Computer Misuse Act, which included using a police database to monitor a criminal investigation into his own conduct.

What Does This Mean For Your Business?

We all must adhere to data protection laws (GDPR) and best practices to ensure that company computer systems are used responsibly and legally.  The irony of the information uncovered with the FoI request is that hundreds of those persons who are entrusted to uphold and enforce the law appear to be prepared to risk their jobs, break the law and betray public trust.  The fact that hundreds of police have been caught (there may be many more who haven’t) misusing police systems which contain large amounts of sensitive personal data raises serious questions about privacy and security.

This may indicate that police forces need to offer more education and training to employees about data protection and the correct (and legal) use of police computer systems as well as tightening up on monitoring, access control and validation/authorisation.

Microsoft Edge Gets Business Upgrade

Billed as “the browser and search engine for business”, Microsoft’s new Chromium-powered version of Edge (and now more serious competitor to Google’s Chrome) is set to be released in January with new business-focused capabilities.

Chromium Source

Back in December 2018, Microsoft announced that it was adopting the Chromium open source project, which is the web rendering engine that powers Google Chrome.  This forms the basis for the new, upgraded version of Edge which many see as a serious attempt by Microsoft to make it more relevant, particularly to larger business customers, and compete more seriously with Google’s Chrome.

January 2020

The new business-focused version of Edge has only been released as ‘Beta version 79’ (the final Beta before it becomes a general “Release Candidate”), with the general release of the download of the stable version for Windows and macOS scheduled for 15 January 2020.

More Productive At Work

One of the key challenges that Microsoft says it’s trying to address with the improved version of Edge is difficulty in finding and accessing corporate information that is known to exist on company intranets.  With this in mind, Microsoft says that it has added “new experiences” to Microsoft Search in Bing such as enabling users to type in the address bar to search for people on the company Intranet, using natural language, such as by their title, team name and office location.

Also, users will be able to:

  • Search for office location and find answers that show floor plans for directions.
  • Get definitions for company acronyms.
  • Use a broad set of question and answers to find internal company information.

What Else?

Other business-focused features that the new version of Edge will offer are:

  • Expansion of Microsoft Graph connectors which expands the reach of Microsoft Search for 365 customers by adding over 100 connectors including Salesforce.com, ServiceNow, and Box. This will mean that business users can find more using Microsoft Search.
  • The ability to easily access Search in Bing on a mobile phone so that workers can search for company information on the go.
  • SmartScreen and Tracking prevention to protect users from phishing schemes, malicious software and new types of malware (crypto-jacking).
  • A new InPrivate mode for Microsoft Edge and Bing (for searching and browsing) to help improve privacy and security
  • A ‘Collections’ feature for Microsoft Edge to help users to collect web content, organise research and export that content into Word and Excel for analysis and collaborative working.

Extras For IT Professionals

The new version of Edge will also include some new features for IT professionals including the expansion of the Microsoft FastTrack deployment program to deploy the new Microsoft Edge in Q1 2020, the expansion of the App Assure program to cover Microsoft Edge in Q1 2020, and a new security baseline for the new Microsoft Edge.

What Does This Mean For Your Business?

The migration to Chromium last year was a clear sign that Microsoft was looking to make Edge browser a much more serious competitor to Google’s Chrome.  Microsoft has identified some key challenges that businesses (with Intranets and programs like Salesforce) have with accessing important company information through a browser search.  Microsoft has, therefore, incorporated some very business-focused, productivity-boosting solutions in this version of Edge that can help office and mobile/remote workers.  Focusing on the needs of business-users could help Microsoft maintain its position at the top of the business OS market as well as giving its Edge browser a long-overdue boost.

Office 365 Voicemail Phishing Scam Warning

Security company McAfee has reported observing a phishing scam which uses a fake voicemail message to lure victims into entering their Office 365 email credentials into a phishing page.

How The Attack Works

According to McAfee’s blog, the first step in the phishing scam is the victim being sent an email informing them that they have missed a phone call.  The email includes a request to login to their account to access their voicemail.

The email message actually contains an HTML attachment which, when loaded, re-directs the victim to a phishing website. Although there are slightly different versions of the attachment, the most recent examples are reported to contain an audio recording which is designed to make the victim believe they are listening to the beginning of a legitimate voicemail.

Once re-directed to the bogus Microsoft account login page, the victim will see that their email address has already been loaded in the login field, thereby helping to create the illusion that this is their real Microsoft login page.

If the victim enters their password, the deception continues as they are shown a page saying that their login has been successful, and they are being re-directed to the home page.

Three Different Phishing Kits

Cybercriminals frequently buy-in phishing kits to launch their attacks. These are collections of software tools, created by professional phishers, that can be purchased and downloaded as a set. These phishing kits make it much easier for those with limited technical and coding skills or phishing experience to launch a phishing attack.

McAfee reports that as many as three different phishing kits are being used to make the fake websites involved in this scam. These are:

  1. Voicemail Scmpage 2019 – being sold on an ICQ channel, and used to harvest your email, password, IP Address and location details.
  2. Office 365 Information Hollar – similar to Voicemail Scmpage 2019 and used to harvest the same data.
  3. A third unnamed kit, which McAfee says is the most prevalent malicious page they have observed in the tracking of this particular campaign.  McAfee says that this kit appears to use code from 2017 malicious kit that was used to target Adobe users.

File Names For The Attachments

To help you spot this phishing attack McAfee has listed list the file names for attachments in the phishing email as being:

  • 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
  • 14-August-2019.html [Format: DD-Month-YYYY.html]
  • Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
  • Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]

What Does This Mean For Your Business?

Reports indicate that this phishing attack has proved quite successful up until now, partly because the pages and steps appear authentic (and load the users email address as real login page does), and it uses social engineering and urgency (with audio) in a way that may prompt may people to suspend their critical faculty long enough complete the few short actions that it takes to give their details away.

The advice to businesses is, therefore, to be vigilant and to not open emails from unfamiliar sources or with unfamiliar attachments.  You may also want to use Two-Factor Authentication (2FA) where possible, and enterprise users may wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

There is also a strong argument for not using the same password for multiple platforms and websites (password sharing).  This is because credentials stolen in one breach are likely to be tried on many other websites by other cybercriminals (credential stuffing) who have purchased/acquired them e.g. on the dark web.

Keeping anti-virus and software patches up to date and making sure that staff receive training and education about cybersecurity risks and what procedures should be followed if suspicious emails or other messages are spotted can also help companies to maintain good levels of cybersecurity.

BBC Puts News On ‘Dark Web Browser’ To Avoid Censorship

The BBC has announced that it is making its International news website available via the ‘Tor’ browser (usually associated with the ‘dark web’), in order to get around censorship in other countries.

Blocking by Some Countries

The BBC is concerned that countries including China, Iran and Vietnam have tried to block access to its website or programmes in the past.

With this in mind, and with the BBC wanting to compete in the world broadcasting market and widen its audience, as well as wanting to maintain and extend the perception of its World Service as a trusted news source, the BBC has turned to the Tor browser as a way of stopping states from blocking/censoring its content.

Why Tor?

The ‘Tor’ browser, an acronym for ‘The Onion Router’ because of its many layers of encryption, is most well known as the browser that’s used to access the dark web. In these days of worries about privacy and the prying eyes of and rules imposed by states and their agencies, plus worries about cybercriminals and fraudsters, end-to-end encrypted communications channels have become more valuable and more widely available.

The Tor browser, which came out of a US Naval Research Laboratory (and which is partly funded by the US State Department) can hide a user’s location and identity due to its routing process through multiple node encryption points. Tor can, therefore, be used to browse the web (and dark web) anonymously, and to host hidden websites (with a .onion suffix).

International Edition On Tor

The BBC plans, therefore, to host a version of its international news website within Tor thereby evading restrictions imposed by others states and protecting the identity and quite possibly the safety of any viewers of that news who reside within a state where the BBC news online faces restrictions.

This version of the BBC’s international news website will not feature the BBC iPlayer service but will include foreign language services e.g. BBC Arabic, Persian and Russian.

Soft Power

The BBC’s World Service has been described by many as being part of the UK’s ‘soft power’ i.e. part of the UK’s ability to portray a certain image of itself overseas and to influence the thinking and action of others using the power of attraction as opposed to the power of coercion and threats.

What Does This Mean For Your Business?

In western democracies and capitalist countries where certain freedoms of consumption are seen as good and necessary to maintain the market-based system, there is an interest in wishing to promote these values and beliefs around the world. This can lead to the widening of markets for goods, services and lifestyles as people in less open countries see them online or television, and this can be good news for businesses who are able to export.  Stable, open countries, with good diplomatic and trading relationships and freedom for communications, are good news for businesses who want to export or set up operations in those countries to gain access to bigger markets.

Sates that are seen to perhaps be more oppressive and authoritarian and which use censorship to maintain a certain power balance and message/perception of the outside world are likely to fear news reports and views which conflict with their own.  The BBC has found itself to be a global market media player as well as a national broadcaster with UK state interests and this, coupled with wider use of encrypted message and  web services have turned a browser that once had a dubious reputation (by association with the dark web) into a handy tool for accessing for expanding the corporation’s, the UK’s, and the democratised West’s reach into untapped market areas.  The hope would be that this would benefit the interests of all, including those citizens of censored states that are able to access a ‘trusted’ external news source for the first time in years.

ICO Warns Police on Facial Recognition

In a recent blog post, Elizabeth Denham, the UK’s Information Commissioner, has said that the police need to slow down and justify their use of live facial recognition technology (LFR) in order to maintain the right balance in reducing our privacy in order to keep us safe.

Serious Concerns Raised

The ICO cited how the results of an investigation into trials of live facial recognition (LFR) by the Metropolitan Police Service (MPS) and South Wales Police (SWP) led to the raising of serious concerns about the use of a technology that relies on a large amount of sensitive personal information.

Examples

In December last year, Elizabeth Denham launched the formal investigation into how police forces used FRT after high failure rates, misidentifications and worries about legality, bias, and privacy.  For example, the trial of ‘real-time’ facial recognition technology on Champions League final day June 2017 in Cardiff, by South Wales and Gwent Police forces was criticised for costing £177,000 and yet only resulting in one arrest of a local man whose arrest was unconnected.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, the Police faced criticism that FRT was ineffective, racially discriminatory, and confused men with women.

MPs Also Called To Stop Police Facial Recognition

Back in July this year, following criticism of the Police usage of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee called for a temporary halt in the use of the facial recognition system.

Stop and Take a Breath

In her blog post, Elizabeth Denham urged police not to move too quickly with FRT but to work within the model of policing by consent. She makes the point that “technology moves quickly” and that “it is right that our police forces should explore how new techniques can help keep us safe. But from a regulator’s perspective, I must ensure that everyone working in this developing area stops to take a breath and works to satisfy the full rigour of UK data protection law.”

Commissioners Opinion Document Published

The ICO’s investigations have now led her to produce and publish an Opinion document on the subject, as is allowed by The Data Protection Act 2018 (DPA 2018), s116 (2) in conjunction with Schedule 13 (2)(d).  The opinion document has been prepared primarily for police forces or other law enforcement agencies that are using live facial recognition technology (LFR) in public spaces and offers guidance on how to comply with the provisions of the DPA 2018.

The key conclusions of the Opinion Document (which you can find here: https://ico.org.uk/media/about-the-ico/documents/2616184/live-frt-law-enforcement-opinion-20191031.pdf) are that the police need to recognise the strict necessity threshold for LFR use, there needs to be more learning within the policing sector about the technology, public debate about LFR needs to be encouraged, and that a statutory binding code of practice needs to be introduced by government at the earliest possibility.

What Does This Mean For Your Business?

Businesses, individuals and the government are all aware of the positive contribution that camera-based monitoring technologies and equipment can make in terms of deterring criminal activity, locating and catching perpetrators (in what should be a faster and more cost-effective way with live FRT), and in providing evidence for arrests and trials.  The UK’s Home Office has also noted that there is general public support for live FRT in order to (for example) identify potential terrorists and people wanted for serious violent crimes.  However, the ICO’s apparently reasonable point is that moving too quickly in using FRT without enough knowledge or a Code of Practice and not respecting the fact that there should be a strict necessity threshold for the use of FRT could reduce public trust in the police and in FRT technology.  Greater public debate about the subject, which the ICO seeks to encourage, could also help in raising awareness about FRT, how a balanced approach to its use can be achieved and could help clarify matters relating to the extent to which FRT could impact upon our privacy and data protection rights.

“Stalkerware” Partner-Spying Software Use Rises By 35% In One Year

Kaspersky researchers have reported a 35 per cent rise in the number of people who have encountered the use of so-called ‘stalkerware’ or ‘spouseware’ software in the first 8 months of this year.

What is Stalkerware?

Stalkerware (or ‘spouseware’) is surveillance software that can be purchased online and loaded onto a person’s mobile device. From there, the software can record all of a person’s activity on that device, thereby allowing another person to read their messages, see screen activity, track the person through GPS location, access their social media, and even spy on the mobile user through the cameras on their device.

Covert, Without Knowledge or Consent

The difference between parental control apps and stalkerware is that stalkerware programs are promoted as software for spying on partners and they run covertly in the background without a person’s knowledge or consent.

Unlike legitimate parental control apps, such programs run hidden in the background, without a victim’s knowledge or consent. They are often promoted as software for spying on people’s partners.

Most Stalkerware needs to be installed manually on a victim’s phone which means that the person who intends to carry out the surveillance e.g. a partner, needs physical access to the mobile device.

Figures from Kaspersky show that there are now 380 variants of stalkerware ‘in the wild’ this year, which is 31% more than last year.

Most In Russia

Kaspersky’s figures show that this kind of surveillance software is most popular in Russia, with the UK in eighth place in Kaspersky’s study.

What Does This Mean For Your Business?

Unlike parental control apps which serve a practical purpose to help parents to protect their children from the many risks associated with Internet and mobile phone use, stalkerware appears to be more linked to abuse because of how it has been added to a device without a user’s consent to covertly and completely invade their privacy.  This kind of software could also be used for industrial espionage by a determined person who has access to a colleague’s mobile phone.

If you’d like to avoid being tracked by stalkerware or similar software, Kaspersky advises that you block the installation of programs from unknown sources in your smartphone’s settings, never disclose the passwords/passcode for your mobile device, and never store unfamiliar files or apps on your device.  Also, those leaving a relationship may wish to change the security settings on their mobile device.

Kaspersky also suggests that you should check the list of applications on your device to find out if suspicious programs have been installed without your consent.

If, for example, you find out that someone e.g. a partner/ex-partner has installed surveillance software on your devices, and/or does appear to be stalking you, the advice is, of course, to contact the police and any other relevant organisation.

Google Leadership Accused Of Developing Internal Surveillance Tool

Some Google employees have accused the company’s leadership of developing a browser-based file extension for all of Google’s in-house computers that could flag-up signs of workers trying to organise meetings and protests.

Google Employees

The story came to light in a memo written by a Google employee that is reported to have been seen and verified by 3 other anonymous Google employees and Bloomberg News.  In the memo it was alleged that a team within the company had developed a surveillance tool, disguised as a calendar, that could be added to the custom Chrome browser used on Google’s computers.

How?

The employee’s memo alleged that the browser extension would be able to report any staff who booked a calendar event which involved the need for more than 10 rooms, or scheduled an event with more than 100 people, and the alleged reason for flagging up these details was to warn the company’s leadership about any attempt to organise workers for the purposes of industrial action e.g. meetings and protests related to labour rights.

Reviewed

Reported employee memos have suggested that work on the tool started in September and that Google’s privacy team approved the tool’s release but also expressed some concerns about the culture at Google.

According to Google, however, the tool was developed over several months and was subject to Google’s standard privacy, security and legal reviews.

Rollout In October

According to reports of a memo posted on an internal staff message board, the surveillance tool is due to be rolled out this month (October), and there is a report of two Google workers in California saying that the tool has already been added to their browsers.

‘Trouble at Mill’

There has been speculation by some commentators that the tool may have been developed in response to recent outbreaks of organised activity by workers concerned about the company’s attitude to their rights, the ethics of some of the company’s projects, and how Google may have handled some complaints.  For example, some workers in the company’s Zurich office held an event about workers’ rights and unionisation, and some Google employees have protested about products such as the ‘Project Dragonfly’ search engine that could allow Google to re-enter the Chinese market by censoring certain terms.  Human rights groups had also been vocal in criticising this idea saying that it appeared to support state censorship.

What Does This Mean For Your Business?

For Google employees, many of whom are used to working in an environment of relative freedom where creativity and collaboration are encouraged, an apparent cultural shift (if indeed that is what is happening) towards a more authoritarian and less trusting approach where ethics could come lower down the list of priorities in the search for profits would be likely to be a shock, and could possibly damage the relationship and the trust between management and workers.  It is unlikely that workers anywhere would respond positively to being subjected to a kind of covert surveillance and internal censorship, particularly if they believed that it was being carried out to curtail certain aspects of their labour rights.  The resulting bad publicity could also damage a company’s brand and therefore, the company’s competitiveness and customer perceptions of the company.

It should be said, however, that the reports of the development of the browser tool in Google rest upon the alleged details of memos, and it is unclear to date how accurate the reports are.

Tough Questions About Libra Cryptocurrency

Facebook’s CEO, Mark Zuckerberg faced a grilling from the US Congress last week over his company’s ‘Libra’ cryptocurrency plans.

Libra

‘Libra’ is Facebook’s new cryptocurrency and global payment system that’s due to be launched in 2020.  Unlike other cryptocurrencies, Libra is backed by a reserve of cash and other liquid assets.  The idea of Libra is that spending the new currency could be as easy and fast as texting as payments can be made by a special phone app and by messaging services such as WhatsApp.  Also, Libra is intended to be of particular value to the one billion+ people around the world (including 14 million in the US) with no access to a bank account, but who could use a mobile phone-based payment system.

Management of the currency, units of which can be purchased via Libra’s platforms and stored it in a digital wallet called “Calibra” will be the responsibility of an independent group of 21 companies and non-profit organisations called the Libra Association, of which Facebook’s subsidiary ‘Calibra’ is a member.

Problems and Criticism

Facebook has, however, found itself coming in for some tough criticism over its involvement with Libra. This includes:

  • Worries about whether Facebook can be trusted with peoples’ financial details in the light of its part in the personal data-sharing scandal with Cambridge Analytica.
  • Concerns from ‘Group of Seven’ democracies finance chiefs about whether Libra could address “serious regulatory and systemic concerns”.
  • President Trump Tweeting that he’s not a fan of Libra, and bank chiefs like Mark Carney also expressing concerns about Libra.
  • Worries that Libra could be used as a means to bypass rules relating to money laundering and tax evasion (which is believed to have led to PayPal leaving the Libra Association recently).
  • Warnings that Libra could be blocked in Europe (especially in France) unless concerns over risks to consumers and to the monetary systems of countries can be addressed.

Congress Grilling

The grilling of Mark Zuckerberg at the US Congress last week at the top of the House Financial Service Committee’s hearing focused on many of the key concerns.  For example:

  • Republican Nydia Velázquez asked Mark Zuckerberg why Facebook should be trusted after the recent privacy scandals and data breaches/data sharing relating to the Cambridge Analytica affair.
  • Republican Joyce Beatty criticised Mark Zuckerberg over an apparent lack of knowledge of diversity and housing advertisement issues and alleged that Zuckerberg hadn’t read her reports.
  • Republican Patrick McHenry criticised the technology industry and highlighted the current anger towards it.

Prepared Statement Covered Many Concerns

Mark Zuckerberg’s prepared statement for the hearing appears have anticipated and answered the main concerns.  For example, as well as stressing how Facebook is committed to strong consumer protections for the financial information they receive, Mark Zuckerberg addressed three main concerns, saying that:

  1. Where people are concerned that Facebook is moving too fast on the Libra project, Facebook is committed to taking the time to get this right.
  2. Where it has been suggested that Facebook could circumvent regulators and regulations with Libra, Facebook won’t actually be a part of launching the Libra payments system anywhere in the world unless all US regulators approve it.
  3. Libra is not an attempt to create a sovereign currency but, like existing online payment systems, it’s simply intended to be a way for people to transfer money.

So What?

Despite the grilling, many commentators have pointed out that the House Financial Service Committee and Congress don’t actually have the power to do much about the introduction of Libra.  Some commentators have also suggested that the hearing was as much about political grandstanding as it was about Libra and that politicians are finding it hard to stay up to speed with information about cryptocurrencies.

No Regulatory Approval = Facebook Leaves the Association

Mr Zuckerberg stressed just how much he intends to play by the rules with Libra by saying that if the Libra Association moved forward without regulatory approval, Facebook “would be forced to leave the Association.”

What Does This Mean For Your Business?

Banks and governments are unlikely to adopt a favourable attitude to a new type of currency that could potentially unbalance monetary systems, and could potentially get around regulations, scrutiny and control, and could even be used for money laundering and tax evasion. That said, the blockchain-anchored Libra is unlikely to suffer many of the huge fluctuations and problems that other cryptocurrencies like bitcoin have because Libra is backed by real assets.  Also, many of the big financial players are part of the Libra Association e.g. Mastercard and Visa, although it’s clear that Facebook needs to make sure that Libra can meet all regulatory requirements and is squeaky clean if the Association wants to keep these important members.

If, as Mr Zuckerberg says, Libra is simply and innocently another way of paying for things that could lead to a more inclusive society e.g. by helping those without bank accounts, this could benefit not just society but whole economies too.  It looks as though Facebook still has some way to go, however, to convince governments, finance chiefs and other critics that it is the right company to be trusted with a new currency and the financial data of those who use it.

Facebook ‘News’ Tab on Mobile App

Facebook has launched the ‘News’ tab on its mobile app which directs users to unbiased, curated articles from credible sources in a bid to publicly combat fake news and help restore trust in its own brand.

Large US Cities For Now

The ‘News’ tab on the Facebook mobile app, which will initially only be available to an estimated 200,000 people in select, large US cities, is expected by Facebook to become so popular that it could attract millions of users.

What?

The News tab will attempt to show users stories from local publishers as well as the big national news sources.  The full list of publishers who will contribute to the News tab stories has not yet been confirmed, although online speculation points to the likes of (U.S. publishers initially) Time, The Washington Post, CBS News, Bloomberg, Fox News and Politico.  It has not yet been announced when the service will be available to UK Facebook users. It has been reported that Facebook is also prepared to pay many millions for some of the content included in the tab.

Why?

Facebook has been working hard to restore some of the trust lost in the company when it was found to be the medium by which influential fake news stories were distributed during the UK Brexit referendum, the 2017 UK general election, and the U.S. presidential election.  There is also the not-so-small matter of 50 million Facebook profiles being shared/harvested (in conjunction with Cambridge Analytica) back 2014 in order to build a software program that was used to predict and generate personalised political adverts to influence choices at the ballot box in the last U.S. election.

Facebook CEO, Mark Zuckerberg, was made to appear before the U.S. Congress in April to talk about how Facebook is tackling false reports, and even recently a video that was shared via Facebook (which had 4 million views before being taken down) falsely suggested that smart meters emit radiation levels that are harmful to health. The information in the video was believed by many even though it was false.

Helping Smaller Publishers Too

Also, Facebook acknowledges that smaller news outlets have struggled to gain exposure with its algorithms, and that there is an opportunity to deliver more local news, personalised news experiences, and more modern digital-age, independent news.  It is also likely that, knowing that young people get most of their news from online sources but have been moving away to other platforms, this could be a good way for Facebook to retain younger users.

Working With Fact-Checkers

Back in January, for example, Facebook tried to help restore trust in its brand and publicly show that it was trying to combat fake news by announcing that it was working with London-based, registered charity ‘Full Fact’ who would be reviewing stories, images and videos, in an attempt to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

Personalisation

The News tab will also allow users to see a personalised selection of articles, the choice of which is based upon the news they read. This personalisation will also include the ability to hide articles, topics and publishers that users choose not to see.

The Human Element

One of the key aspects of the News tab service that Facebook sees as adding value, keeping quality standards high, and providing a further safeguard against fake news is that many stories will be reviewed and chosen by experienced journalists acting as impartial and independent curators.  For example, Facebook says that “Unlike Google News, which is controlled by algorithms, Facebook News works more like Apple News, with human editors making decisions.”

Not The First Time

This is not the first time that Facebook has tried offering a news section, and it will hopefully be more successful and well-received than the ‘Trending News’ section that was criticised for bias in the 2016 presidential election and has since been phased out.

What Does This Mean For Your Business?

Only last week, Mark Zuckerberg found himself in front of the U.S. Congress answering questions about whether Facebook can be trusted to run a new cryptocurrency, and it is clear that the erosion of trust caused by how Facebook shared user data with Cambridge Analytica and how the platform was used to spread fake news in the U.S. election have cast a long shadow over the company.  Facebook has since tried many ways to regain trust e.g. working with fact-checkers, adding the ‘Why am I seeing this post?’ tool, and launching new rules for political ad transparency.

Users of social networks clearly don’t want to see fake news, the influences of which can have a damaging knock-on effect on the economic and trade environment which, in turn, affects businesses.

The launch of this News service with its human curation and fact-checking could, therefore, help Facebook kill several birds with one stone. For example, as well as going some way to helping to restore trust, it could increase the credibility of Facebook as a go-to trusted source of quality content, enable Facebook to compete with its rivals e.g. Google News, show Facebook to be a company that also cares about smaller news publishers, and act as a means to help retain younger users on its platform.

Amazon Echo and Google Home ‘Smart Spies’

Berlin-based Security Research Labs (SRL) discovered possible hacking flaws in Amazon Echo (Alexa) and Google Home speakers and installed their own voice applications to demonstrate hacks on both device platforms that turned the assistants into ‘Smart Spies’.

What Happened?

Research by SRL led to the discovery of two possible hacking scenarios that apply to both Amazon Alexa and Google Home which can enable a hacker to phish for sensitive information in voice content (vishing) and eavesdrop on users.

Knowing that some of the apps offered for use with Amazon Echo and Google Home devices are made by third parties with the intention of extending the capability of the speakers, SRL was then able to create its voice apps designed to demonstrate both hacks on both device platforms. Once approved by both device platforms, the apps were shown to successfully compromise the data privacy of users by using certain ‘Skills and actions’ to both request and collect personal data including user passwords by eavesdropping on users after they believed the smart speaker has stopped listening.

Amazon and Google Told

SRL’s results and the details of the vulnerabilities were then shared with Amazon and Google through a responsible disclosure process. Google has since announced that it has removed SRL’s actions and is putting in place mechanisms to stop something similar happening in future.  Amazon has also said that it has blocked the Skill inserted by SRL and has also put in preventative mechanisms of the future.

What Did SRL’s Apps Do?

The apps that enabled the ‘Smart Spy’ hacks took advantage of the “fallback intent”, in a voice app (the bit that says I’m sorry, I did not understand that. Can you please repeat it?”), the built-in stop intent which reacts to the user saying “stop” (by changing the functionality of that command after the apps were accepted), and leveraged a quirk in  Alexa’s and Google’s Text-to-Speech engine that allows inserting long pauses in the speech output.

Examples of how this was put to work included:

  • Requesting the user’s password through a simple back-end change by creating a password phishing Skill/Action. For example, a seemingly innocent application was created such as a horoscope.  When the user asked for it, they were given a false error message e.g. “it’s not available in your country”.  This triggered a minute’s silence which led to the user being told “An important security update is available for your device. Please say start update followed by your password.” Anything the user said after “start” was sent to the hacker, in this case, thankfully, SRL.
  • Faking the Stop Intent to allow eavesdropping on users. For example, when a user gave a ‘stop’ command and heard the ‘Goodbye’ message, the app was able to continue to secretly run and to pick up on certain trigger words like “I” or words indicating that personal information was about to follow, i.e. “email”, “password” or “address”. The subsequent recording was then transcribed and sent back to SRL.

Not The First Time

This is not the first time that concerns have been raised about the spying potential of home smart speakers.  For example, back in May 2018, A US woman reported that a private home conversation had been recorded by her Amazon’s voice assistant, and then sent it to a random phone contact who happened to be her husband’s employee. Also, as far back as 2016, US researchers found that they could hide commands in white noise played over loudspeakers and through YouTube videos in order to get smart devices to turn on flight mode or open a website. The researchers also found that they could embed commands directly into recordings of music or spoken text.

Manual Review Opt-Out

After the controversy over the manual, human reviewing of recordings and transcripts taken via the voice assistants of Google, Apple and Amazon, Google and Apple had to stop the practice and Amazon has now added an opt-out option for manual review of voice recordings and their associated transcripts taken through Alexa.

What Does This Mean For Your Business?

Digital Voice Assistants have become a popular feature in many home and home-business settings because they provide many value-adding functions in personal organisation, as an information point and for entertainment and leisure.  It is good news that SRL has discovered these possible hacking flaws before real hackers did (earning SRL some good PR in the process), but it also highlights a real risk to privacy and security that could be posed by these devices by determined hackers using relatively basic programming skills.

Users need to be aware of the listening potential of these devices, and of the possibility of malicious apps being operated through them.  Amazon and Google may also need to pay more attention to the reviewing of third party apps and of the Skills and Actions made available in their voice app stores in order to prevent this kind of thing from happening and to close all loopholes as soon as they are discovered.