Archive for Data Security

New Chrome 69 Creates Better Passwords, Among Other Features

Chrome 69, the latest version of the Google browser which is now 10 years old, has a number of value-adding new features, including the ability to automatically generate strong passwords.

Improved Password Manager

This latest version of Chrome has an improved password manager that is perhaps more fitting for a browser favoured by 60% of browser users, many of whom still rely upon very weak passwords. For example, the most commonly used passwords in 2017 were reported to be 123456, password, 12345678 and qwerty.

The updated password manager in Chrome 69 hopes to make serious inroads into this most simple of human errors by recommending strong passwords when users sign up for websites or update settings. The Chrome 69 password manager will suggest passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it will be able to add these. Users will be able to manually edit the Chrome-generated password, and while Google is generating the password, every time users click away from its suggestion a new one is created. Chrome 69 will then store the password on the laptop or phone so that users don’t have to write it down or try to remember it (as long as they are using the same device).
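The policy described above (at least one lowercase letter, one uppercase letter and one digit, with symbols added only when the site demands them, and a fresh suggestion on every request) is easy to get subtly wrong if the generator uses a non-cryptographic random source or lets the guaranteed characters land in predictable positions. The following is an added illustration in Python, not Chrome's own code; the symbol set is an assumption, since real sites differ in what they accept.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Assumed symbol set for illustration; a real site may accept a different one.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 16, require_symbol: bool = False) -> str:
    """Return a random password containing at least one lowercase letter,
    one uppercase letter and one digit, plus at least one symbol when the
    site requires it. Uses the `secrets` module (a CSPRNG), never `random`."""
    classes = [LOWER, UPPER, DIGITS]
    if require_symbol:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short to satisfy every character class")
    # One guaranteed character from each required class ...
    chars = [secrets.choice(c) for c in classes]
    # ... then fill the remainder from the union of all allowed characters.
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not always sit in the first positions (a pattern attackers could use).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, require_symbol: bool = False) -> bool:
    """Check a password against the same policy the generator enforces."""
    has_lower = any(c in LOWER for c in password)
    has_upper = any(c in UPPER for c in password)
    has_digit = any(c in DIGITS for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    return has_lower and has_upper and has_digit and (has_symbol or not require_symbol)


if __name__ == "__main__":
    # Every call yields a new suggestion, mirroring "click away, get another".
    for _ in range(3):
        print(generate_password(16))
    print(generate_password(20, require_symbol=True))
```

Each call produces an independent suggestion, so "clicking away" simply means calling `generate_password` again; `meets_policy` is the check a form would run before accepting a user's manual edit of the suggestion.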

Other Features

Other new and improved features of Chrome 69 include:

Faster and more accurate form-filling: Google says that because information such as passwords, addresses and credit card numbers is saved in a user’s Google account and can be accessed directly from the Chrome toolbar, Chrome can make it much easier and faster to fill out online checkout forms.

Combined search and address bar (improvements): In Chrome 69, users will have a combined search and address bar (the Omnibox), which shows answers directly in the address bar without users having to open a new tab, thereby making it more convenient. Also, if there are several tabs open across three browser windows, for example, a search in the Omnibox will tell users if that website is already open and will allow navigation straight to it with “Switch to tab”. Google says that users will soon also be able to search files from their Google Drive directly in the Omnibox too.

CSS Snap: This feature allows developers to create smoother browsing experiences. It does this by telling the browser where to stop after each scrolling operation, and is particularly useful for displaying carousels and paginated sections to guide users to the next slide or section.

Put The www. Back!

There was some controversy and protests from some Chrome users over the way that version 69 of Chrome no longer shows the www. part of a URL (and the m. on mobiles) in the address bar, a change made to take account of the limited space on mobile screens and for greater security (to stop confusion with phishing URLs). It is worth mentioning at this point that Apple’s Safari also hides URL characters. Some critics of Google’s move to this system have said that it could confuse users into thinking that they’re at the wrong website.

Other Criticism

Some more cynical / informed commentators have suggested that the change in URL display is actually more to do with the AMP system and AMP cache, which benefit the advertising side of Google’s business.

What Does This Mean For Your Business?

The changes in Chrome 69 that encourage and facilitate the use of much stronger passwords may be a little overdue, but it has to be good news for the security of all Chrome users. The speedier form-filling will also be a time-saver in an age where many people now carry out many of their daily transactions online and on mobile devices.

Even though stronger passwords are a good thing, security has now moved on again from those, because they have been found to be less secure than biometrics and other access methods.

The new Chrome 69 has been released, but so has the beta version of Chrome 70, and it remains to be seen how security is upgraded yet again in subsequent versions as cyber-crime threats become more wide-ranging and sophisticated.

UK Government Guilty of Mass Surveillance Human Rights Breach

The European Court of Human Rights in Strasbourg has found the UK government guilty of violating the right to privacy of citizens under the European convention because the safeguards within the government’s system for bulk interception of communications were not strong enough to provide guarantees against abuse.

The Case

The case which led to the verdict was brought against the UK government by 14 human rights groups, journalism organisations, and privacy organisations such as Amnesty International, Big Brother Watch and Liberty in the wake of the 2013 revelations by Edward Snowden, specifically that GCHQ was secretly intercepting communications traffic via fibre-optic undersea cables.

In essence, although the court, which voted by a majority of five to two votes against the UK government, accepted that police and intelligence agencies need covert surveillance powers to tackle threats, those threats do not justify spying on every citizen without adequate protections.

Three Main Points

The ruling against the UK government in this case centred on three points – firstly the regime for bulk interception of communications (under section 8(4) of RIPA), secondly the system for collecting communications data (under Chapter II of RIPA), and finally the intelligence sharing programme.

The UK government was found to breach the convention on the first two points, but the ECHR didn’t find a legal problem with GCHQ’s regime for sharing sensitive digital intelligence with foreign governments. Also, the court decided that bulk interception with tighter safeguards was permissible.

Key Points

Some of the key points highlighted by the rulings against the UK government, in this case, are that:

  • Bulk interception is not unlawful in itself, but the oversight of that apparatus was not up to scratch in this case.
  • The system governing the bulk interception of communications is not capable of keeping interference to what is strictly necessary for a democratic society.
  • There was concern that the government could examine the who, when and where of a communication, apparently without restriction i.e. problems with safeguards around ‘related data’. The worry is that related communications data is capable of painting an intimate picture of a person e.g. through mapping social networks, location tracking and insights into who they interacted with.
  • There had been a violation of Article 10 relating to the right to freedom of expression for two of the parties (journalists), because of the lack of sufficient safeguards in respect of confidential journalist material.

Privacy Groups Triumphant

Privacy groups were clearly very pleased with the outcome. For example, the Director of Big Brother Watch is reported as saying that the judgement was a step towards protecting millions of law-abiding citizens from unjustified intrusion.

What Does This Mean For Your Business?

Like the courts, we are all aware that we face threats of terrorism, online sexual abuse and other crimes, and that advancements in technology have made it easier for terrorists and criminals to evade detection, and that surveillance is likely to be a useful technique to help protect us all, our families and our businesses.

However, we should have a right to privacy, particularly if we feel strongly that there is no reason for the government to be collecting and sharing information about us that, with the addition of related data, could identify us not just to the government but to any other parties who come into contact with that data.

The reality of 2018 is that we now live in a country where in addition to CCTV surveillance, we have the right to surveillance set in law. The UK ‘Snooper’s Charter’ / Investigatory Powers Act became law in November 2016 and was designed to extend the reach of state surveillance in Britain. The Charter requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months, and also to give the police, security services and official agencies unprecedented access to that data. The Charter also means that security services and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Although businesses and many citizens prefer to operate in a safe and predictable environment, and trust governments to operate surveillance just for this purpose and with the right safeguards in place, many are not prepared to blindly accept the situation. Many people and businesses (communications companies, social media, and web companies) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state.

This latest ruling against the government won’t stop bulk surveillance or the sharing of data with intelligence partners, but many see it as a blow against a law that makes them uneasy in a time when GDPR is supposed to have given us power over what happens to our data.

ICO Highlights Prevalence of GDPR Myths

The Information Commissioner’s Office (ICO) has reported taking 500+ calls per week reporting GDPR data breaches, but one-third of the calls appear to be based on myths and misunderstandings or over-reporting about GDPR matters.

Update After Freedom of Information Request

The update by the ICO about how things appear to be going just three months after the introduction of GDPR came shortly after a Freedom of Information (FOI) request by law firm EMW yielded figures showing that the number of complaints between 25th May and 3rd July 2018 rose to 6,281 versus 2,417 during the same period in 2017.

Over-Reporting

A key problem highlighted by the ICO is that many companies feel that in order to achieve compliance and avoid being penalised, they have to be transparent to the degree that they “over-report” by reporting everything. Also, many of the reports are incomplete.

One common misconception highlighted by the ICO that is leading to unnecessary calls is that instead of reporting suspected data breaches to the ICO within 72 hours ‘from the point of discovery’, many companies appear to believe that the mandatory reporting period is 72 ‘working’ hours.
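To show how far apart the two readings are, the following is an added worked example, not part of the ICO's guidance or the original article. It computes the Article 33 deadline of 72 clock hours from the point of discovery and, for contrast, the mistaken "72 working hours" reading; the 09:00-17:00, Monday-to-Friday working pattern is an assumption made purely to make the comparison concrete.

```python
from datetime import datetime, timedelta


def notification_deadline(discovered_at: datetime) -> datetime:
    """GDPR Article 33: report to the supervisory authority not later than
    72 hours after becoming aware of the breach. Clock hours, so weekends and
    bank holidays count."""
    return discovered_at + timedelta(hours=72)


def working_hours_deadline(discovered_at: datetime, hours: int = 72,
                           day_start: int = 9, day_end: int = 17) -> datetime:
    """The *mistaken* '72 working hours' reading. Counts only minutes that
    fall inside an assumed 09:00-17:00 Monday-Friday working day, so the
    result is far later than the real deadline."""
    remaining = hours * 60
    t = discovered_at
    while remaining > 0:
        is_weekday = t.weekday() < 5
        in_hours = day_start <= t.hour < day_end
        if is_weekday and in_hours:
            remaining -= 1
        t += timedelta(minutes=1)
    return t


def deadline_gap_days(discovered_at: datetime) -> int:
    """Whole days between the real deadline and the mistaken one."""
    gap = working_hours_deadline(discovered_at) - notification_deadline(discovered_at)
    return gap.days


if __name__ == "__main__":
    # Constructed example: breach discovered late on a Friday afternoon.
    found = datetime(2018, 6, 1, 16, 0)
    print("discovered:          ", found)
    print("72 clock hours:      ", notification_deadline(found))
    print("72 'working' hours:  ", working_hours_deadline(found))
    print("gap in days:         ", deadline_gap_days(found))
```

For a breach discovered at 16:00 on Friday 1 June 2018, the real deadline is 16:00 on Monday 4 June, whereas the working-hours reading lands on Thursday 14 June, ten days later; a company acting on the myth would already be well past the statutory window.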

Fine Fears Unfounded

Another key point that the ICO was keen to make was that even though there have been some high profile cases that have involved big companies receiving big fines since the introduction of GDPR, many thousands of incidents are closed each year without financial penalty but with advice, guidance and reassurance offered instead. Another point that the ICO would like to make known is that the real norm of the work they do is simply audits, advisory visits and guidance sessions.

In fact, ICO Deputy Commissioner James Dipple-Johnstone has been quoted as saying that businesses that take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation”.

Cyber Crime Reports

The ICO has said that almost half of the calls that it received weekly involve some cyber element, and around one-third of calls relate to phishing attacks.

Phishing attacks are still such a popular method of cyber-crime because many companies have been focusing on malware detection and may not have trained and educated their staff about the risks, how to spot phishing attacks, and what to do about them.

What Does This Mean For Your Business?

Of course, organisations need to take their data protection responsibilities seriously to protect customers and the company itself, but part of dealing with that responsibility correctly is being clear on what GDPR actually requires a company to do; how and when. This is why GDPR requires (via mandatory appointment under Article 37) organisations / companies to have a data protection officer (DPO) i.e. someone tasked with the responsibility and security leadership role to oversee data protection strategy and implementation, and to ensure proper compliance with GDPR requirements. Part of the responsibilities of a DPO are to educate the company and train employees about GDPR and how it applies to them and their work. A DPO is required to have expert knowledge of data protection law and practices, and having a person on hand to consult about GDPR matters would be a good way to prevent unnecessary calls and complaints being made to the ICO, and to prevent unnecessary concerns, misunderstandings and mistaken beliefs prevailing within the company that could lead to other problems.

Only 32% of Emails Clean Enough To ‘Make It’

A bi-annual study by FireEye has found that less than a third of over half a billion emails analysed were considered clean enough not to be blocked from entering our inboxes.

Phishing Problem Evident

The study found that even though 9 out of 10 emails that are blocked by email security / anti-virus didn’t actually contain malware, 81% of the blocked emails were phishing attacks. This figure is double that of the previous 6 months.

Webroot’s Quarterly Threat Trends Report data, for example, shows that 1.39 million new phishing sites are created each month, and that this figure was even as high as 2.3 million in May last year. It is likely that phishing attacks have increased so much because organisations have been focusing too much of their security efforts on detecting malware. Also, human error is likely to be a weak link in any company, and phishing has proven to be very successful, sometimes delivering results in a second wave as well as the first attack. For example, in the wake of the TSB bank system meltdown, phishing attacks on TSB customers increased by 843% in May compared with April.

A recent KnowBe4 study involved sending phishing test emails to 6 million people, and the study found that recipients were most likely to click on phishing emails when they promised money or threatened the loss of money. This highlights a classic human weakness that always provides hope to cyber-criminals, and the same criminals know that the most effective templates for phishing are the ones that cause a knee-jerk reaction in the recipient i.e. the alarming or urgent nature of the subject makes the recipient react without thinking.

Increase In Malicious Intent Emails

The FireEye study also highlighted the fact that there has been an increase over the last 6 months in the emails sent to us that have malicious intent. For example, the latest study showed that one in every 101 emails had malicious intent, whereas this figure was one in every 131 in the previous 6 months.

Biggest Vulnerability

As FireEye noted after seeing the findings of their research, email is the most popular vector for cyber attacks, and it is this that makes email the biggest vulnerability for every organisation.

What Does This Mean For Your Business?

It is very worrying that we can only really trust less than one third of emails being sent to businesses as being ‘clean’ enough and free enough of obvious criminal intent to be allowed through to the company inbox. It is, of course, important to have effective anti-virus / anti-malware protection in place on email programs, but phishing emails are able to get past this kind of protection, along with other methods such as impersonation attacks like CEO fraud. Organisations, therefore, need to focus on making sure that staff are sufficiently trained and educated about the threats and the warning signs, and that there are clear procedures and lines of responsibility in place to be followed when emails relating to e.g. transfer of money (even to what appears to be the CEO) are concerned.

Cyber-criminals are getting bolder and more sophisticated, and companies need to ensure that there is no room for weak ‘human error’ links on the front line.

Microsoft Launches ‘AccountGuard’ Email Service For Election Candidates

A new kind of pilot secure email service called ‘AccountGuard’ has been launched by Microsoft, specifically for use by election candidates, and as one answer to the kind of interference that took place during the last US presidential election campaign.

Ready For The Midterm Elections

The new, free email service (which people must use Office 365 to register for) is an off-shoot of Microsoft’s ‘Defending Democracy’ Program. This program was launched in April with the aim of protecting campaigns from hacking, through increased cyber resilience measures, enhanced account monitoring and incident response capabilities.

The AccountGuard pilot has been launched in time for the US Midterm elections which are the general elections held in November every four years, around the midpoint of a president’s four-year term of office.

Who Can Use AccountGuard?

Microsoft says that its AccountGuard service can be used by all current candidates for federal, state and local office in the United States and their campaigns; the campaign organisations of all sitting members of Congress, national and state party committees, any technology vendors who primarily serve campaigns and committees, and some non-profit organisations and non-governmental organizations. Microsoft AccountGuard is offered free of charge and is full service, coming with free email and phone support.

Three Core Offerings

AccountGuard has three core offerings. These are:

  1. Unified threat detection and notification across accounts. This means providing notification about any cyber threats in a unified way across both email systems run by organisations and the personal accounts of these organizations’ leaders and staff who opt in. This part of the service will only be available for Microsoft services including Office 365, Outlook.com and Hotmail to begin with, and Microsoft says it will draw on the expertise of the Microsoft Threat Intelligence Center (MSTIC).
  2. Security guidance and ongoing education. Registering for Microsoft AccountGuard gives organisations best practice guidance and materials. These are in the form of off-the-shelf materials and in-depth live sessions.
  3. Early adopter opportunities. This means access to private previews of the kind of security features that are usually offered by Microsoft to large corporate and government account customers.

Similar To Google

Some commentators have highlighted similarities between the AccountGuard idea and Google’s Advanced Protection Program (APP), also launched this year, although APP is open to anyone, requires login with hardware authentication keys, and locks out third-party app access.

What Does This Mean For Your Business?

When you think about it, what Microsoft appears to be admitting is that its everyday email programs are simply not secure enough to counter many of the threats that now look likely to come from other states when elections are underway. Microsoft’s other, non-political business customers who are also at risk from common cyber attacks e.g. phishing, may feel a little left out that they are apparently not being offered the same level of security.

Also, protecting democracy sounds like quite a grand aim for a service provider offering an email service. Microsoft does, however, accept that it can’t solve the threat to US democracy on its own and that it believes this will require technology companies, government, civil society, the academic community and researchers working together. Microsoft also acknowledges that AccountGuard is limited to protecting those using enterprise and consumer services, and that attacks can actually reach campaigns through a variety of other ways. Microsoft also appears to be hinting that it may be thinking of expanding AccountGuard to industry as well as government depending on how the pilot works.

Is Google Getting Details of YOUR Purchases From MasterCard?

Reports of a data-sharing deal with credit company MasterCard could mean that some details of your credit card purchases could be shared with Google, and used to improve their online advertising service.

What Deal?

According to reports from Bloomberg, after four years of negotiations, Alphabet Inc.’s Google and MasterCard Inc. have brokered a “business partnership”. The deal, not surprisingly, is reported to have cost Google millions of dollars.

It has been reported that this alliance between the two companies may have given Google access to data that would allow it to get a much clearer view of retail spending by enabling the tracking of whether the Google ads run online actually led to a sale at a physical store in the U.S.

How Could This Work?

Some commentators have envisaged that the way the deal could work for Google is that, if an (anonymous) Google account clicks an advert, and goes on to purchase the product offline within 30 days, Google could include that potentially useful information in a summary to the advertiser in question. In other words, Google gets to offer its advertisers another layer of information about the effectiveness of their advertising.

What Do Google and MasterCard Say?

According to Bloomberg, Google has said this is a beta product that was only launched last year, and has double-blind encryption technology built-in to it anyway, thereby stopping Google or MasterCard from viewing their respective users’ personally identifiable information. A spokeswoman for Google is also reported to have said that there is no revenue sharing agreement with its partners.

MasterCard is reported to have said that it offers its own media measurement services to retailers, but that it relies upon the merchant supplying their own advertising campaign details and spending data for the duration of any campaign. MasterCard is reported to have said that it only supplies merchants and their designated service providers with trends that are based on aggregated and anonymised data e.g. average ticket size and sales volumes.

Both Google and MasterCard have said that any data used as part of this alliance is anonymised.

What Does This Mean For Your Business?

In an omni-channel retail environment, it would make some sense that retailers / advertisers would like to extend the scope of how they can measure their advertising and its ultimate effectiveness. For Google, it’s important to find another way to use its power, data assets, and financial might to find another way to add value, another point of differentiation, and an extra competitive advantage to its online advertising services.

To consumers, however, the thought of any of the credit / private purchasing details shared with another private company without their initial express consent may be somewhat alarming. Even with assurances of anonymised data being used, many people’s trust may not extend that far, and may have been damaged by continuous news stories about data breaches at big companies, and the revelations about the Facebook / Cambridge Analytica data sharing scandal. Google was also recently discovered to be recording the locations of its users via their mobile devices, even when they have requested not to be tracked by turning their “Location History” off.

Even though Google has said that Google users can opt-out with their Web and App Activity controls, at any time, you can’t opt-out of your credit card company receiving information from them if you still owe them money.

All-in-all, on the face of it, you could be forgiven for thinking that this looks like a good deal for Google and MasterCard, a good deal for Google’s merchant advertisers, a potentially bad deal for consumers, and hopefully not a good deal for cyber-criminals.

‘Five Eyes’ Demand Back Door Access To Encrypted Services … Or Else

The frustration of the so-called ‘Five Eyes’ governments in not being allowed access to end-to-end encrypted apps such as WhatsApp has boiled-over into the threat of enforcement via legislative (or other) measures.

Who Are The ‘Five Eyes’?

The so-called ‘Five Eyes’ refers to the intelligence alliance of the governments of the UK, US, Canada, Australia, and New Zealand. Dating back to just after World War 2, the alliance is now secured by the UKUSA Agreement, a treaty for joint cooperation in signals intelligence.

What’s The Problem?

The argument from the government perspective is that end-to-end encryption in apps such as WhatsApp and services such as Google is preventing them from gaining access to conversations of criminals, terrorists and organized crime groups, and that tech companies are refusing to build ‘back doors’ into these services to enable governments to snoop.

The argument from tech companies that use end-to-end encryption in their services is that they are private companies with a duty and responsibility to protect the personal details of their customers, to protect the free speech that takes place on their platforms, and to prevent the likely loss of customers / users and damage to their brand and image if they were known publicly to be allowing government snooping. Also, tech companies argue that if ‘back doors’ are built into supposedly encrypted and secure services, then they are no longer secure or fully encrypted, and they could be accessed by cyber-criminals, thereby posing a security threat to users.

Example

Former Home Secretary Amber Rudd (since replaced by Sajid Javid) was particularly vocal about the subject, and pressed for a back door to be built into WhatsApp and other encrypted messaging services after the London terror attacks in 2017 and after it was discovered that terrorist Khalid Masood, who killed four people outside parliament, had used WhatsApp a few minutes before he launched his attack.

Also, an assessment by the UK’s National Crime Agency (NCA) earlier this year said that encryption impacts how effective law enforcement organisations can be in gathering intelligence and collecting evidence. This is particularly topical in the UK now, since Facebook recently refused to give the login details of a murder suspect to police, who are investigating the murder of Lucy McHugh.

Threats From The Five Eyes

The Five Eyes are reported to have warned that if the tech industry does not voluntarily establish lawful access to their products (e.g. back doors), they may pursue enforcement via legislative or other measures in order to guarantee entry.

The Five Country Ministerial (FCM) has also concluded that the industry needs to implement functions that prevent illicit and harmful content from being uploaded in the first-place, and build user safety into the design of all online platforms.

What Does This Mean For Your Business?

While it sounds reasonable and understandable that law enforcement and intelligence services would like to be able to have access to encrypted apps and services in the interests of national security in fighting terrorism and reducing crime, building in back doors to encryption means that it’s no longer encrypted and secure. These ‘back-doors’ could also, therefore, be accessed by cyber-criminals, thus causing a security threat to millions of users, most of whom aren’t terrorists or criminals. A security breach (e.g. using a back-door) could also cause major damage to the app / service-providing company in fines, lost customers/revenue and bad publicity.

There is also an argument that the privacy of users of currently encrypted apps and services could be compromised in a ‘big brother’ style way as governments and intelligence agencies are given carte blanche to snoop, and are unlikely to be transparent about just what they are snooping on. Many privacy campaigners feel that we already have enough surveillance e.g. CCTV and the power granted by the Investigatory Powers Act (aka the ‘Snoopers Charter’).

Tech companies have good commercial and other reasons for not budging in their stance, while governments can also provide convincing arguments for the building of back-doors. As with so many other powerful private companies such as the tech companies, it may take the threat of (or actual) imposed regulation and legislation to make them give any ground in an argument that is likely to run further yet.

Superdrug Customers Informed of Hack

Superdrug is reported to have advised online customers to change their passwords after it was targeted by hackers who claim to have stolen the details of approximately 20,000 Superdrug customers.

Hundreds Compromised – Could Be More

To date, Superdrug has confirmed that 386 customer accounts are known to have been compromised, but that it is still working to try to establish the exact number. It is possible, therefore, that the number could be many more.

Contacted By Hackers

Superdrug is reported to have been contacted by a person representing a hacking group and claiming to have hacked their systems, and this person provided stolen customer information as proof. Superdrug was able to confirm the authenticity of the information from their own record of customer email and log-in details. The hacker is reported to have claimed that the details belonging to 20,000 customers were stolen, and has asked for a ransom from Superdrug.

May Have Got From Elsewhere

Even though the assumption is that the mystery hackers got into Superdrug’s systems to get the customer data, Superdrug is claiming this is not the case and that the hackers got the customer login details from other websites and then used those credentials to access accounts on the Superdrug website.
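The pattern Superdrug describes, credentials stolen from other websites being replayed against its own login page, is known as credential stuffing, and it leaves a distinctive trace in authentication logs: one source address failing against many different accounts in a short window, unlike a genuine user who fails repeatedly against a single account. The following is an added detection example, not Superdrug's code and not based on its logs; the log format and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2018-08-20T10:00:01 203.0.113.7 alice@example.com FAIL
2018-08-20T10:00:03 203.0.113.7 bob@example.com FAIL
2018-08-20T10:00:05 203.0.113.7 carol@example.com FAIL
2018-08-20T10:00:06 203.0.113.7 dave@example.com FAIL
2018-08-20T10:00:08 203.0.113.7 erin@example.com FAIL
2018-08-20T10:00:09 203.0.113.7 frank@example.com SUCCESS
2018-08-20T10:00:12 203.0.113.7 grace@example.com SUCCESS
2018-08-20T10:01:00 198.51.100.9 hank@example.com FAIL
2018-08-20T10:01:20 198.51.100.9 hank@example.com FAIL
2018-08-20T10:01:40 198.51.100.9 hank@example.com FAIL
2018-08-20T10:02:00 198.51.100.9 hank@example.com SUCCESS
2018-08-20T10:03:00 192.0.2.5 ivy@example.com SUCCESS
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that fail logins against at least `min_accounts`
    distinct accounts within `window`, then list every account that had a
    SUCCESSFUL login from a flagged IP: those are the accounts to reset and
    notify, because a success after a spray means the reused password worked."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))

    flagged = {}
    for ip, evs in by_ip.items():
        failures = [(ts, acc) for ts, acc, res in evs if res == "FAIL"]
        # Slide a window over the failures and count distinct target accounts.
        for i, (start, _) in enumerate(failures):
            accounts = {acc for ts, acc in failures[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
                break

    to_reset = sorted({acc for ip in flagged
                       for ts, acc, res in by_ip[ip] if res == "SUCCESS"})
    return {"flagged_ips": flagged, "accounts_to_reset": to_reset}


if __name__ == "__main__":
    report = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, accounts in report["flagged_ips"].items():
        print(f"stuffing source {ip}: failed against {len(accounts)} accounts")
    print("force password reset + notify:", report["accounts_to_reset"])
```

The thresholds (five distinct accounts in five minutes) are assumptions to tune against a site's own traffic; the distinction the code draws between many accounts from one source and one account failing many times is what separates a stuffing run from a forgetful customer, and the "accounts to reset" list is the set a retailer would email, as Superdrug did.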

What Kind of Details?

Superdrug has said that, of the compromised accounts that it knows about, names, addresses, some dates of birth, and some telephone numbers may have been stolen, but that no customer payment card details have been accessed.

Actions

Superdrug has said that it has contacted the Police and Action Fraud (the UK’s national fraud and cyber-crime arm) and is offering them all the information they need for an investigation.

Informed Customers

Those customers whose accounts had been compromised were sent an email by Superdrug explaining the situation, asking them to change their passwords, and advising them to change them regularly in future.

Anger Over Tweet

A tweet sent by Superdrug to confirm that the emails received by affected customers were genuine provoked anger, mostly because it failed to include an apology.

What Does This Mean For Your Business?

Although exact numbers of those affected and exact details of how customer data was obtained and accounts accessed have not yet been confirmed, the fact is that at least several hundred customers of a trusted high street brand have ended up being victims of crime, and Superdrug has (at the very least) a PR battle on its hands.

Sadly, Superdrug is one of many well-known companies with data breaches that have made the headlines, affected many customers, and damaged their own company reputations. For example, a Dixons Carphone breach from last year saw the theft of 10 million customer records.

Businesses and organisations should be putting customer data protection very high on their list of business priorities, and not just because of possible fines under GDPR: strong data security policies, procedures, practices and defences protect the customer, the company and its reputation, and the vital and valuable bond of trust between merchant and customer, and they send a message that customer security concerns are taken seriously.

Google Location Tracking, Even When Switched Off?

An Associated Press report has accused Google of recording the locations of its users via their mobile devices, even when they have requested not to be tracked by turning their “Location History” off.

Discovered

The apparent tracking without permission was discovered as part of research, when a Princeton privacy researcher noticed in his account that Google had tracked his many different locations along a route after he had been travelling for several days, despite his Location History being turned off.

Research has also revealed that, even when Location History is paused or switched off, some Google apps store time-stamped location data without specifically asking your permission. For example, Google stores data about where you are when you simply open the Maps app; automatic daily weather updates on Android can discover roughly where you are; and some searches apparently unrelated to your location can pinpoint your exact latitude and longitude and save them to your Google account.

Could Affect Billions

It is thought that this could affect around two billion Android and Apple devices which use Google for maps or search.

What Is “Location History” and Why Have It Anyway?

According to Google, Location History is one of several ways to improve the experience of users, and it powers features in Google Maps. For example, if you agree to let Google Maps record your location over time, it will display that history for you in a “timeline” that maps out your daily movements.

Google says that Location History helps you to find the places you’ve been and the routes you’ve travelled. Google states that, when you choose to enable Location History, it records your location data and places in your Google Account, even when you’re not using Google Maps.

What’s The Problem?

The problem is that Google also states that “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

Also, researchers have discovered that two settings (rather than one) need to be opted out of in order to prevent tracking: users need to disable both “Location History” and “Web & App Activity”. Some commentators feel that Google has not made this clear.

The Issues

The issues with this are that:

– In the UK, for example, this may constitute a lack of transparency, openness and fairness under GDPR about what users are being told is happening to their data and what is actually happening.

– Users appear to have chosen to opt out of, or withhold consent for, something that relates to their privacy and the security of their personal data, and yet have not been opted out completely by the company (raising possible issues of GDPR compliance).

– Some commentators have described it as ‘sneaky’ and it could certainly be an issue that affects the trust of users.

– Location data of this kind has been used by police (in the US) to track suspects, and could also potentially be used by other parties, e.g. cyber criminals, if they had access to the user’s account. This could put users at risk.

– Location data can also be used to target people with location-based advertising. This may be something that users would like to avoid.

What Can You Do To Avoid Being Tracked In This Way?

The Associated Press has produced a guide which details what actions you can take to avoid being tracked by Google, even if Location History on your mobile device is paused or turned off. The guide can be found here: https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494/How-to-find-and-delete-where-Google-knows-you’ve-been

What Does This Mean For Your Business?

This story should be a reminder, particularly since the introduction of GDPR, that people value their privacy and security, and that businesses now have a strong legal responsibility to take this seriously. Transparency, fairness and openness are vital when telling your customers what you are doing, or plan to do, with their data. Consent, i.e. your customers choosing to withdraw consent and your business complying fully with those requests, should now be treated very seriously, and there must be consistency between what your company says it is going to do and what actually happens.

Sadly, all too often large organisations and companies appear not to be handling our data in the way that we would like or have requested. For example, Facebook’s sharing of the personal data of 87 million users with Cambridge Analytica caused widespread outrage, and recently the ‘Deceived By Design’ report by the Norwegian government-funded Consumer Council accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

It may be that we have to wait a little longer and see a few more big tech companies being properly held to account before things start to really change for the better for users.

Microsoft To Launch App-Testing Sandbox ‘InPrivate Desktop’ Feature

It has been reported that Microsoft is to launch InPrivate Desktop in a future version of Windows 10: a kind of throwaway sandbox that gives admins a secure way to run one-time tests of untrusted apps and software.

Like A Virtual Machine

Although the new feature is still a bit hush-hush, and has actually been removed from the Windows 10 Insider programme, it is believed to act like a kind of in-box, speedy VM (virtual machine) that is refreshed for reuse after it has been used to test a particular app.

Why?

In the broader sense, the new feature fits with moves announced by Microsoft in June 2017 to introduce next-generation security features to Windows 10.

ATP & WDAG

Back in June 2017, Microsoft specifically mentioned the integration of Windows Defender Advanced Threat Protection (ATP) as one of the next-generation security measures. ATP, for example, was designed to isolate and contain the threat if a user on a corporate network accidentally downloaded malicious software via their browser.

A security feature that some commentators have likened InPrivate Desktop to, and that was also specifically mentioned in June 2017, is Windows Defender Application Guard (WDAG). WDAG isolates potential malware and exploits downloaded via a user’s browser and contains the threat using virtualisation-based security.

Spec Needed For InPrivate Desktop

Although the exact details of InPrivate Desktop are sketchy, we know that it is likely to be aimed at enterprises rather than individual users and that, as such, it is likely to need a reasonable spec to operate. It has been reported that running the new feature will need at least 4GB of RAM, at least 5GB of free disk space, and two CPU cores.

When?

There is also still some speculation as to exactly when the InPrivate Desktop feature will make it to Windows 10. Some commentators have noted that it may not make it into Windows 10 ‘Redstone 5’, and that it looks likely to be rolled out in a subsequent Windows 10 update codenamed 19H1.

What Does This Mean For Your Business?

With support ending for previous versions of Windows, and with all of us being moved onto Windows 10’s software-as-a-service model, it makes sense for Microsoft to add more features to protect users, particularly businesses.

Adding malicious code to apps is a method increasingly used by cyber-criminals to sneak under the radar, and having a secure, isolated space in which to test dubious or suspect apps will give admins an extra tool to protect their organisation from evolving cyber-threats. It is extra-convenient that the testing sandbox will be built into Windows 10.