Firefox turns controversial new encryption on by default in the US – The Verge

Starting today, Mozilla will turn on DNS over HTTPS (DoH) by default for Firefox users in the US, the company has announced. DoH is a new standard that encrypts a part of your internet traffic that's typically sent over an unencrypted plain text connection, and which could allow others to see what websites you're visiting, even when your communication with the website itself is encrypted using HTTPS. Mozilla says it is the first browser to support the new standard by default, and will be rolling it out gradually over the coming weeks in order to address any unforeseen issues.

Whenever you type a website into your address bar, your browser needs to convert it into an IP address using a DNS lookup. However, this traffic is normally not encrypted, meaning that it's possible for others to see what websites you're visiting. DoH is an attempt to encrypt this information to protect your privacy. Here's a more in-depth explanation from Mozilla.

Mozilla is motivated in part by ISPs who monitor customers' web usage. US carriers like Verizon and AT&T are building massive ad-tracking networks. DoH won't stop the data collection but it'll likely make it more difficult.

Although it's much harder for others to see your DNS lookups with DoH enabled, the websites will still be visible to the DNS server your browser is connecting to. Thus, Mozilla says Firefox will offer a choice of two trusted DNS providers, Cloudflare and NextDNS, and that Cloudflare will be used as the default. Mozilla has outlined a set of privacy requirements that any DoH provider must abide by in order to be considered a trusted resolver.
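The two visibility points described above (the plaintext lookup that anyone on the path can read, and the DoH resolver that still sees the name) can be shown with the DNS wire format itself. This is an added example, not code from the article or from Mozilla; the resolver URL `https://doh.example/dns-query` and all function names are constructed for illustration, and the TLS layer is modelled rather than performed.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder endpoint, not a real resolver.
RESOLVER_URL = "https://doh.example/dns-query"


def build_dns_query(hostname: str, qtype: int = 1, query_id: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.

    qtype 1 is an A record. RFC 8484 recommends ID 0 for DoH so that
    HTTP caches see identical requests for identical questions.
    """
    # Header: ID, flags (0x0100 = recursion desired), QDCOUNT=1, other counts 0.
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length in {hostname!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # the root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def hostname_from_query(message: bytes) -> str:
    """Recover the queried name from raw DNS query bytes.

    This is all a passive observer needs to do with a port-53 payload.
    """
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack("!H", message[4:6])
    if qdcount < 1:
        raise ValueError("message carries no question")
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("truncated question name")
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("pointer or reserved label type in question")
        if pos + length > len(message):
            raise ValueError("label runs past end of message")
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(resolver_url: str, message: bytes) -> str:
    """RFC 8484 GET form: the same bytes, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def resolver_view(url: str) -> str:
    """What the DoH resolver reads after TLS termination: the full name."""
    values = parse_qs(urlsplit(url).query).get("dns")
    if not values:
        raise ValueError("missing dns parameter")
    encoded = values[0]
    padded = encoded + "=" * (-len(encoded) % 4)  # restore stripped padding
    return hostname_from_query(base64.urlsafe_b64decode(padded))


def on_path_view(transport: str, message: bytes,
                 resolver_url: str = RESOLVER_URL) -> dict:
    """Model of what a passive network observer can read per transport."""
    if transport == "udp53":
        # Payload is cleartext, so the name parses straight out of it.
        return {"queried_name": hostname_from_query(message)}
    if transport == "doh":
        # URL and body travel inside TLS; only the resolver endpoint shows.
        return {"queried_name": None,
                "resolver_host": urlsplit(resolver_url).hostname}
    raise ValueError(f"unknown transport {transport!r}")


if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print("on-path, plaintext DNS:", on_path_view("udp53", query))
    print("on-path, DoH:          ", on_path_view("doh", query))
    print("DoH resolver sees:     ", resolver_view(doh_get_url(RESOLVER_URL, query)))
```

The connection that follows the lookup still goes to the resolved IP address, which is why the critics quoted below say ISPs keep some visibility.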

Mozilla claims that DoH increases the privacy and security of users online, but the technology has faced fierce criticism from lawmakers and security experts who say that it hampers legitimate attempts by enterprise system administrators and lawmakers to block dangerous web content. Experts also claim the technology doesn't provide the perfect privacy protection that its proponents claim. Only certain parts of the DNS lookup process are encrypted, and internet service providers will still be able to see which IP addresses their users are connecting to, they warn.

When it announced that it would be turning on DoH by default last year, Mozilla said that it would allow for opt-in parental controls and disable DoH if Firefox detects them. It also said that it would disable DoH by default in enterprise configurations.

This controversy means that today's announcement only concerns US-based Firefox users. Mozilla told ZDNet last year that it wouldn't be enabling DoH by default in the UK, where the technology has been criticized by the country's GCHQ intelligence service, child advocacy groups, and ISPs. In an FAQ on its site Mozilla says its current focus is on enabling the feature in the US only. However, users outside the US will be able to manually turn the feature on by heading into Settings, General, and then scrolling down to Networking Settings.

While Firefox is the first browser to start turning on DoH by default, other browsers such as Chrome, Edge Chromium, and Brave have also started supporting the feature. However, in most cases you'll have to dig through their settings in order to enable the feature. Here's a guide from last year on how to do so.

Barr’s Motives, Encryption and Protecting Children; DOJ 230 Workshop Review, Part III – Techdirt

from the don't-break-the-internet dept

In Part I of this series on the Department of Justice's February 19 workshop, "Section 230: Nurturing Innovation or Fostering Unaccountability?" (archived video and agenda), we covered why Section 230 is important, how it works, and how panelists proposed to amend it. Part II explored Section 230's intersection with criminal law.

Here, we ask what DOJ's real objective with this workshop was. The answer to us seems clear: use Section 230 as a backdoor for banning encryption (a backdoor to a backdoor) in the name of stamping out child sexual abuse material (CSAM) while, conveniently, distracting attention from DOJ's appalling failures to enforce existing laws against CSAM. We conclude by explaining how to get tough on CSAM to protect kids without amending Section 230 or banning encryption.

Banning Encryption

In a blistering speech, Trump's embattled Attorney General, Bill Barr, blamed the 1996 law for a host of ills, especially the spread of child sexual abuse material (CSAM). But he began the speech as follows:

[Our] interest in Section 230 arose in the course of our broader review of market-leading online platforms, which we announced last summer. While our efforts to ensure competitive markets through antitrust enforcement and policy are critical, we recognize that not all the concerns raised about online platforms squarely fall within antitrust. Because the concerns raised about online platforms are often complex and multi-dimensional, we are taking a holistic approach in considering how the department should act in protecting our citizens and society in this sphere.

In other words, the DOJ is under intense political pressure to do something about Big Tech, most of all from Republicans, who have increasingly fixated on the idea that Big Tech is the new Liberal Media out to get them. They've proposed a flurry of bills to amend Section 230, either to roll back its protections or to hold companies hostage, forcing them to do things that really have nothing to do with Section 230, like be "politically neutral" (the Hawley bill) or ban encryption (the Graham-Blumenthal bill), because websites and Internet services simply can't operate without Section 230's protections.

Multiple news reports have confirmed our hypothesis going into the workshop: that its purpose was to tie Section 230 to encryption. Even more importantly, the closed-door roundtable after the workshop (to which we were, not surprisingly, not invited) reportedly concluded with a heated discussion of encryption, after the DOJ showed participants draft amendments making Section 230 immunity contingent on compromising encryption by offering a backdoor to the U.S. government. Barr's speech said essentially what we predicted he would say right before the workshop:

Technology has changed in ways that no one, including the drafters of Section 230, could have imagined. These changes have been accompanied by an expansive interpretation of Section 230 by the courts, seemingly stretching beyond the statute's text and original purpose. For example, defamation is Section 230's paradigmatic application, but Section 230 immunity has been extended to a host of additional conduct, from selling illegal or faulty products to connecting terrorists to facilitating child exploitation. Online services also have invoked immunity even where they solicited or encouraged unlawful conduct, shared in illegal proceeds, or helped perpetrators hide from law enforcement. ...

Finally, and importantly, Section 230 immunity is relevant to our efforts to combat lawless spaces online. We are concerned that internet services, under the guise of Section 230, can not only block access to law enforcement, even when officials have secured a court-authorized warrant, but also prevent victims from civil recovery. This would leave victims of child exploitation, terrorism, human trafficking, and other predatory conduct without any legal recourse. Giving broad immunity to platforms that purposefully blind themselves and law enforcers to illegal conduct on their services does not create incentives to make the online world safer for children. In fact, it may do just the opposite.

Barr clearly wants to stop online services from "going dark" through Section 230, even though Section 230 has little (if any) direct connection to encryption. His argument was clear: Section 230 protections shouldn't apply to services that use strong encryption. That's precisely what the Graham-Blumenthal EARN IT Act would do: greatly lower the bar for enforcement of existing criminal laws governing child sexual abuse material (CSAM), allow state prosecutions and civil lawsuits (under a lower burden of proof), but then allow Internet services to "earn back" their Section 230 protection against this increased liability by doing whatever a commission convened and controlled by the Attorney General tells them to do.

Those two Senators are expected to formally introduce their bill in the coming weeks. Undoubtedly, they'll refer back to Barr's speech, claiming that law enforcement needs their bill passed ASAP to protect the children.

Barr's speech on encryption last July didn't mention 230 but went much further in condemning strong encryption. If you read it carefully, you can see where Graham and Blumenthal got their idea of lowering the standard of existing federal law on CSAM from actual knowledge to recklessness, which would allow the DOJ to sue websites that offer stronger encryption than the DOJ thinks is really necessary. Specifically, Barr said:

The Department has made clear what we are seeking. We believe that when technology providers deploy encryption in their products, services, and platforms they need to maintain an appropriate mechanism for lawful access. This means a way for government entities, when they have appropriate legal authority, to access data securely, promptly, and in an intelligible format, whether it is stored on a device or in transmission. We do not seek to prescribe any particular solution. ...

We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption. Such encryption regimes already exist. For example, providers design their products to allow access for software updates using centrally managed security keys. We know of no instance where encryption has been defeated by compromise of those provider-maintained keys. Providers have been able to protect them. ...

Some object that requiring providers to design their products to allow for lawful access is incompatible with some companies' business models. But what is the business objective of the company? Is it "A," to sell encryption that provides the best protection against unauthorized intrusion by bad actors? Or is it "B," to sell encryption that assures that law enforcement will not be able to gain lawful access? I hope we can all agree that if the aim is explicitly "B" (that is, if the purpose is to block lawful access by law enforcement, whether or not this is necessary to achieve the best protection against bad actors), then such a business model, from society's standpoint, is illegitimate, and so is any demand for that product. The product jeopardizes the public's safety, with no countervailing utility. ...

The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.

In other words, companies choosing to offer encryption should have to justify their decision to do so, given the risks created by denying law enforcement access to user communications. That's pretty close to a recklessness standard.

Again, for more on this, read Berin's previous Techdirt piece. According to the most recently leaked version of the Graham-Blumenthal bill, the Attorney General would no longer be able to rewrite the best practices recommended by the Commission. But he would gain greater ability to steer the commission by continually vetoing its recommendations until it does what he wants. If the commission doesn't make a recommendation, the safe harbor offered by complying with the best practices doesn't go into effect, but the rest of the law still would. Specifically, website and Internet service operators would still face vague new criminal and civil liability for reckless product design. The commission and its recommendations are a red herring; the truly coercive aspects of the bill will happen regardless of what the commission does. If the DOJ signals that failing to offer a backdoor (or retain user data) will lead to legal liability, companies will do it even absent any formalized best practices.

The Real Scandal: DOJ's Inattention to Child Sexual Abuse

As if trying to compromise the security of all Internet services and the privacy of all users weren't bad enough, we suspect Barr had an even more devious motive: covering his own ass, politically.

Blaming tech companies generally and encryption in particular for the continued spread of CSAM kills two birds with one stone. Not only does it offer them a new way to ban encryption, it also deflects attention from the real scandal that should appall us all: the collective failure of Congress, the Trump Administration, and the Department of Justice to prioritize the fight against the sexual exploitation of children.

The Daily, The New York Times podcast, ran part one of a two-part series on this topic on Wednesday. Reporters Michael Keller and Gabriel Dance summarized a lengthy investigative report they published back in September, but which hasn't received the attention it deserves. Here's the key part:

The law Congress passed in 2008 foresaw many of today's problems, but The Times found that the federal government had not fulfilled major aspects of the legislation.

The Justice Department has produced just two of six required reports that are meant to compile data about internet crimes against children and set goals to eliminate them, and there has been a constant churn of short-term appointees leading the department's efforts. The first person to hold the position, Francey Hakes, said it was clear from the outset that no one felt like the position was as important as it was written by Congress to be.

The federal government has also not lived up to the law's funding goals, severely crippling efforts to stamp out the activity.

Congress has regularly allocated about half of the $60 million in yearly funding for state and local law enforcement efforts. Separately, the Department of Homeland Security this year diverted nearly $6 million from its cybercrimes units to immigration enforcement, depleting 40 percent of the units' discretionary budget until the final month of the fiscal year.

So, to summarize:

Let that sink in. In a better, saner world, Congress would be holding hearings to demand explanations from Barr. But they haven't, and the workshop will allow Barr to claim he's getting tough on CSAM without actually doing anything about it, while also laying the groundwork for legislation that would essentially allow him to ban encryption.

Even for Bill Barr, that's pretty low.


Opinion | The trade-off between privacy and content traceability – Livemint

The ability to have private conversations is fundamental to our modern conception of privacy. I have argued time and again in this column that in our current technological and political context, it is critical that we mandate the use of robust end-to-end encryption to ensure that private conversations are secure from eavesdropping by governments and private corporations alike.

However, no discussion on encryption is complete unless we also speak about how these systems get misused. As much as encrypted messaging is necessary for investigative journalists, whistle-blowers, and abuse helplines, it is tremendously attractive to criminals looking to take advantage of the fact that messages sent over these networks cannot be traced back to them. As a result, these platforms find themselves being used for criminal activities. Of particular concern is the way in which these networks are used to distribute imagery related to children.

In a paper presented at the Web Conference 2019 in San Francisco, it was suggested that the exponential increase in the proliferation of Child Sexual Abuse Imagery (CSAI) on the internet over the last few years is probably directly correlated to the growth of online sharing platforms. Using data from the National Center for Missing and Exploited Children (NCMEC) in the US, an organization that tracks all CSAI content detected by public and online sharing platforms, the paper reported a median growth in reported CSAI of as much as 51% year-over-year. In the first 10 years of its operation, the NCMEC only received 565,000 reports, while in 2017 alone it received over 9.6 million.

This in itself is a cause for concern. However, what is particularly worrying is the increasing globalization of the problem. Ten years ago, 70% of all CSAI that was reported related to abuse committed in the US. Today, 68% of reports relate to abuse in Asia, 19% to abuse in the Americas, 6% in Europe, and 7% in Africa. India, Indonesia and Thailand account for 37% of all reported CSAI, with India leading the list.

The paper suggests that this increase is a direct consequence of improvements in technology, including smartphones, high bandwidth internet connectivity, low-cost cloud storage, and the plethora of applications we can choose from today for internet messaging. If you consider video content alone, it would not be an exaggeration to suggest that the extraordinary growth in CSAI videos, from under 1,000 reports a month in 2013 to more than 2 million reports per month in 2017, is almost entirely on account of the proliferation of smartphones that can, at the press of a button, record a high-definition video and directly upload it onto the internet. As much as 84% of CSAI images and 91% of videos have only ever been reported once, which suggests that there is a prodigious amount of new content that is constantly being created.

To their credit, technology companies have been working on this issue, but so far their efforts have simply not been able to keep pace with the problem. Most companies have large teams of human reviewers who scan through the hundreds of millions of user-generated images to identify CSAI. Flagged content is then uploaded to a PhotoDNA technology tool which generates a fingerprint of the image that lets it be identified even if the original image has been transformed to avoid detection. However, this is not enough. PhotoDNA can only detect images that have already been flagged during a manual review. It cannot itself identify new content. Given the volumes of original CSAI being created, it is impossible to have human reviewers manually flag all the content going online. What is needed is a technological solution, and the paper suggests a number of new techniques that can be used, including scene clustering and facial clustering, which will automatically flag content without any need for human intervention.

What the paper does not specifically address is the fact that as so much of this content is shared over secure messaging networks, the encryption deployed by these applications will effectively stymie their own ability to review the content flowing through them. This means that no matter how good the technology we build to automatically detect CSAI content might be, it will be useless if the content is shared through these messaging systems.

Of the many trade-offs we have to make in the arena of technology policy, this, to me, is probably the hardest. I have long been a strong votary of the need to build encrypted networks to protect essential civil liberties. However, I struggle to reconcile that position with the knowledge that once built, these networks will invariably get used for the most vile of criminal activities. From the statistics in the paper cited earlier, it now appears that the very existence of these networks and the immunity from traceability that they provide have actively encouraged the proliferation of heinous crimes against innocent children.

I am not sure that we will ever be able to devise a truly effective solution that strikes the appropriate balance between these two concerns. As much as policy issues are never binary, technology unfortunately is, and opening even the tiniest of backdoors to allow distributors of CSAI to be tracked down will destroy the protection that encryption offers us all.


IoT Security Solution for Encryption Market Estimated to be driven by Innovation and Industrialization – Keep Reading

IoT Security Solution for Encryption Market 2025: IoT Security Solution for Encryption

The report covers the IoT Security Solution for Encryption market leaders and adherents in the business with the market elements by region. It will likewise assist with understanding the situation of every player in the market by locale, by fragment with their extension plans, R&D consumption and development techniques.

This report studies the IoT Security Solution for Encryption industry based on the type, application, and region. The report also analyzes factors such as drivers, restraints, opportunities, and trends affecting the market growth. It evaluates the opportunities and challenges in the market for stakeholders and provides particulars of the competitive landscape for market leaders.

This study considers the IoT Security Solution for Encryption value generated from the sales of the following segments:

The key manufacturers covered in this report: Breakdown data in Chapter:- Cisco Systems, Intel Corporation, IBM Corporation, Symantec Corporation, Trend Micro, Digicert, Infineon Technologies, ARM Holdings, Gemalto NV, Kaspersky Lab, CheckPoint Software Technologies, Sophos Plc, Advantech, Verizon Enterprise Solutions, Trustwave, INSIDE Secure SA, PTC Inc., AT&T Inc.

Market Segmentation: Global IoT Security Solution for Encryption Market

The market is based on product, end-user, and geographical segments. Based on type, the market is segmented into Software Platforms and Service. Based on end-user, the market is segmented into Healthcare, Information Technology (IT), Telecom, Banking, Financial Services, and Insurance (BFSI), and Automotive.


The report studies micro-markets concerning their growth trends, prospects, and contributions to the total IoT Security Solution for Encryption market. The report forecasts the revenue of the market segments concerning four major regions, namely, Americas, Europe, Asia-Pacific, and Middle East & Africa.

The report studies IoT Security Solution for Encryption Industry sections and the current market portions will help the readers in arranging their business systems to design better products, enhance the user experience, and craft a marketing plan that attracts quality leads, and enhances conversion rates. It likewise demonstrates future opportunities for the forecast years 2020-2025.

The report is designed to comprise both qualitative and quantitative aspects of the global industry concerning every region and country basis.


The report has been prepared based on the synthesis, analysis, and interpretation of information about the IoT Security Solution for Encryption market 2020 collected from specialized sources. The competitive landscape chapter of the report provides a comprehensible insight into the market share analysis of key market players. Company overview, SWOT analysis, financial overview, product portfolio, new project launched, recent market development analysis are the parameters included in the profile.

The last part investigates the ecosystem of the consumer market which consists of established manufacturers, their market share, strategies, and break-even analysis. Also, the demand and supply side is portrayed with the help of new product launches and diverse application industries. Various primary sources from both, the supply and demand sides of the market were examined to obtain qualitative and quantitative information.


Thus, IoT Security Solution for Encryption Market serves as a valuable material for all industry competitors and individuals having a keen interest in the study.


Encryption Software Market Segmented by Product, Top Manufacturers, Geography Trends & Forecasts to 2025 – Keep Reading

Global Encryption Software Market Report identifies the assessable estimation of the market including Industry Analysis, Size, Share, Growth, Trends, Outlook and Forecasts for 2020-2025, present in the industry space. The report studies historical data, facts, attentive opinions, current growth factors, and market threats with competitive analysis of major Encryption Software Market Players, value chain analysis, and future roadmap.

The essential objective of the report is to gain a comprehensive understanding of the market in terms of its definition, segmentation, market potential, influential trends, and the challenges that the market is facing. In-depth research and assessment have been covered to offer key statistics on the market status of the market manufacturers. The report also covers the competitive landscape and a corresponding detailed study to justify our statistical forecast of the market.


Leading Players of Encryption Software are: Dell, Eset, Gemalto, IBM, Mcafee, Microsoft, Pkware, Sophos, Symantec, Thales E-Security, Trend Micro, Cryptomathic, Stormshield

Market Growth by Types: On-premises, Cloud

Market Growth by Applications: Application A, Application B, Application C

Global Encryption Software Market: Regional Segmentation

The chapter on regional segmentation details the regional aspects of the Global Encryption Software Market. This chapter explains the regulatory framework that is likely to impact the overall market. It highlights the political scenario in the market and anticipates its influence on the Global Encryption Software Market.

1. North America (the United States, Mexico, and Canada)
2. South America (Brazil etc.)
3. Europe (Turkey, Germany, Russia, UK, Italy, France, etc.)
4. Asia-Pacific (Vietnam, China, Malaysia, Japan, Philippines, Korea, Thailand, India, Indonesia, and Australia)


For better understanding, the facts and data studied in the report are represented using diagrams, graphs, pie charts and other pictorial representations. Furthermore, the report offers a SWOT analysis that studies the elements influencing various segments associated with the market.

Reasons to Invest in This Global Encryption Software Market Report:

1. Highlights key industry priorities to aid organizations to realign their enterprise strategies.
2. Develop small business expansion plans by employing substantial growth offering emerging and developed markets.
3. Boost the decision-making process by understanding the plans which exude commercial interest concerning services and products, segmentation and industry verticals.
4. Conserve time when undertaking entry-level study by identifying the expansion, dimensions, top players and sections in the international Encryption Software Market.
5. Researched overall worldwide market trends and prognosis along with all the factors driving the current market, in addition to those endangering it.

In conclusion, it is a deep research report on Global Encryption Software industry. This Encryption Software market report covers all the aspects of market vendors, product, its multiple applications, offer clients the scope to classify feasible market possibilities to expand markets. In addition to this, the trends and revenue analysis of the global Encryption Software market has been mentioned in this report.


Americans, data, elections, encryption and the matter of trust – Security Boulevard

It was a massive tech fail. A systemic disaster. A debacle.

When we hear such words, we tend to assume there's been yet another cybersecurity breach. This time, however, it was something different. But it didn't do much to increase the public's trust in digital technology. In fact, it seemed to do quite the opposite.

The setting was Iowa. The timing was Feb. 3, and then Feb. 4, and then Feb. 5, 6.

The culprit was a smartphone app that didn't enable caucus chairs to report voting results. The backup hotline system didn't work well either, requiring long holds and some hang-ups. That prevented the campaigns and media from receiving and reporting those results to the public. At least one candidate apparently viewed this as an opportunity to get free air time. Others were furious. Meanwhile, the delay helped feed conspiracy theories. And the situation created further distrust of political institutions, electronic voting and digital technology in general.

We're just two months into 2020. But at least one other significant event impacting consumer trust in digital technology occurred this year. This one is largely seen as a positive development. I'm referring to the California Consumer Privacy Act. The CCPA took effect Jan. 1 of this year. This newly enacted rule gives California residents greater control over their personal data. Under CCPA, these individuals can request and expect to receive the data organizations have on them. California residents can demand organizations delete their data. People who live in California also can forbid organizations from sharing their data with third parties.

Our research indicates such measures may engender consumer trust in technology and organizations using it. We surveyed more than 1,000 Americans as part of our research effort. Forty percent said their trust is higher when they can request their data be deleted. Forty-one percent said a feeling of personal data control equates to a greater sense of trust.

Twenty-eight percent believe they have more control over their data than they did a year ago. We learned that 26% feel they have less control of their data, or none at all. And 46% think they have the same personal data control as a year ago.

As in politics, the nation is divided in this arena.

More than half of the survey group said they were willing to accept personal data security risk to do online shopping (60%) or banking (55%) or to make digital payments (54%). More than half (54%) said they are not willing to do the same for the convenience of online voting.

A third (33%) said they are less confident about U.S. election security now than they were during the last presidential election year. More than half the country (59%) said they are unsure or definitely will not trust the 2020 election results.

The nCipher results also suggest that Americans are pretty evenly divided on whether electronic voting (30%), paper ballots (35%) or a combination of the two (30%) are best. At least that was the breakdown prior to the Iowa caucuses, when paper ballots saved the day.

At a time when government and other organizations clearly need to build trust in how they handle and secure data, it may be useful to revisit advice from our former leaders. President Theodore Roosevelt famously said: "Speak softly and carry a big stick." In today's digital world, it's important to secure and safeguard the privacy of personal data. Encryption and key management in this scenario can act as the big stick.

Nearly half (49%) of Americans said they trust that a company is safeguarding their personal data when it uses encryption. About a third said encrypted ballots (31%) and/or encrypted voter registration data (33%) would increase their trust in election security. Strong data security in the form of encryption can build or rebuild trust in our governments and democracy, in businesses, and in the technologies that Americans use every day.

Americans can play their part in cybersecurity and personal data privacy by practicing good password hygiene. But, as most of us know, that's not always easy.

Nearly three-fourths (74%) of Americans said it is somewhat, very or just plain frustrating when they have to log in to applications at work multiple times a day. More than three-fourths (78%) said they have had to change their password because they forgot it on at least a few occasions. More than a fourth (28%) said they use the same passwords for work and personal uses.

These types of challenges helped inform Entrust Datacard's decision to release its Passwordless SSO Authentication solution, which turns employee smartphones into biometrics-protected virtual smart cards that allow instant proximity-based login to both workstations and applications. The solution eliminates passwords and puts an end to the risk of bad actors stealing user credentials and compromising critical information.

Outside of the workplace, the average person can more effectively and securely shoulder the burden of passwords by using a password manager app. And Americans can protect themselves and their neighbors by following security and data privacy best practices.

There is at least one part of this FDR inaugural address that applies here. "This is preeminently the time to speak the truth, the whole truth, frankly and boldly."

The truth is that we must all do our part to protect and secure data and devices. Doing so will go a long way in building trust in our always-on, data-driven world.

Read more from the original source:
Americans, data, elections, encryption and the matter of trust - Security Boulevard

No Backdoor on Human Rights: Why Encryption Cannot Be Compromised – Bitcoin News

In April 2019, the UK issued an Online Harms White Paper to announce its campaign to rein in harmful speech on social media sites such as Facebook and TikTok. The public consultation period has ended and a full consultation response is expected in Spring 2020. (Initial Consultation Response here.) Legislation to criminalize freedom of speech will follow quickly.

"The United Kingdom has become the first Western nation to move ahead with large-scale censorship of the internet ... Boris Johnson has unveiled rules that will punish internet companies with fines, and even imprisonment, if they fail to protect users from harmful and illegal content. Couched in language that suggests this is being done to protect children from pedophiles and vulnerable people from cyberbullying, the proposals will place a massive burden on small companies. Further, they will ultimately make it impossible for those not of the pervasive politically correct ideology to produce and share content." Mark Angelides, "Britain allows the internet to be censored, a warning for the U.S."

The bill's exact language is not known, but its thrust is clear. Internet companies with user-generated content will need to enforce anti-harm rules in order to avoid fines, imprisonment, or their sites being blocked. Home Secretary Priti Patel explained, "It is incumbent on tech firms to balance issues of privacy and technological advances with child protection."

The main target of attack is end-to-end encrypted (E2EE) messages that can be read only by a sender and a recipient by using unique cryptographic keys as decoders. Third parties cannot access the content. E2EE is the most effective privacy tool that is both easy to use and available to everyone, often for free. To comply with UK law, however, companies will need to eschew encryption or to install backdoors: portals that allow someone to enter a system in an undetected manner.

Angelides's warning to the U.S. is timely because Congress is considering a similar measure: the EARN It Act. Again, the Act's justification is to protect children and to thwart evil-doers. After all, who else needs encryption? According to the United Nations, everyone.

In 2015, the UN issued a report on encryption and anonymity in the context of human rights. The report found encryption to be key to the right of privacy. In turn, privacy enabled freedom of speech through which people could explore basic aspects of their identity, including religion and sexuality. The report's author, David Kaye, cautioned against using backdoors because of the unprecedented capacity of authorities, companies, criminals, and the malicious to attack people's ability to share information safely. Kaye acknowledged the alleged need of law enforcement to read encrypted messages, but on a case-by-case basis rather than through a blanket approach.

This is a long-held position for the UN. In 2016, Zeid Ra'ad Al Hussein, UN High Commissioner for Human Rights, published a warning entitled "Apple-FBI case could have serious global ramifications for human rights." Zeid cautioned:

"Encryption tools are widely used around the world, including by human rights defenders, civil society, journalists, whistle-blowers and political dissidents facing persecution and harassment ... Encryption and anonymity are needed as enablers of both freedom of expression and opinion, and the right to privacy. It is neither fanciful nor an exaggeration to say that, without encryption tools, lives may be endangered. In the worst cases, a Government's ability to break into its citizens' phones may lead to the persecution of individuals who are simply exercising their fundamental human rights."

Amnesty International agrees. A 2016 article, "Encryption: A Matter of Human Rights," argued, "Forcing companies to provide backdoors to the encryption deployed constitutes a significant interference with users' rights to privacy and freedom of expression. Given that such measures indiscriminately affect all users' online privacy by undermining the security of their electronic communications and private data, Amnesty International believes they are inherently disproportionate, and thus impermissible under international human rights law."

Why, then, are states rushing to crack open encryption? Because information is power. It is a prerequisite to demanding money and imposing social control. For decades, surveillance functioned from the shadows, but now it openly demands access to people's thoughts and lives. Who else but evil-doers would say no?

U.S. Attorney General William Barr has been loud in his demand that law enforcement be able to access encrypted communications, usually through a backdoor. Barr wants this access even when there is no cybersecurity risk or alleged crime. He may soon get what he wants so badly.

The EARN It Act (Eliminating Abusive and Rampant Negligent of Interactive Technologies Act) would establish a National Commission on Online Child Exploitation Prevention to be headed by Barr, who has the authority to overrule it to become a one-man power. As well as child exploitation prevention, the Act asserts a vague mandate "and for other purposes." This is a blank check, with only the elimination of election misinformation being specifically mentioned. Republican Lindsey Graham and Democrat Richard Blumenthal are pushing the measure in the Senate on a bipartisan basis.

The draft bill does not mention encryption, but it requires tech companies to assist law enforcement in identifying, reporting, and removing or preserving evidence about child exploitation and for other purposes. E2EE would make it impossible for those companies to provide such assistance.

The EARN It Act would de facto prohibit the E2EE offered by services such as WhatsApp; it would short-circuit Facebook's plans to encrypt its messaging apps; companies like Apple would be in legal jeopardy if they refused to insert backdoors in their software and devices.

Legal jeopardy is the Act's enforcement mechanism. A non-compliant tech company would lose Section 230 immunity in both civil and criminal courts for child exploitation and for as-yet-unspecified offenses that occur on its site or over its platform. The free-speech champion Electronic Frontier Foundation (EFF) explained the significance of Section 230 of the Communications Decency Act; it is "the most important law protecting free speech online." The protection is based on distinguishing between a platform and a publisher. Section 230 states, "No provider or user of an interactive computer service [platform] shall be treated as the publisher or speaker of any information provided by another information content provider."

A platform provides services, tools, and products with which users create their own content; it bears no more legal responsibility for this content than a phone company does for the conversations that flow over it. By contrast, a publisher edits or otherwise controls content, which makes it legally liable.

EFF continued, "Section 230 enforces the common-sense principle that if you say something illegal online, you should be the one held responsible, not the website or platform where you said it (with some important exceptions) ... Without it, social media as we know it today wouldn't exist ... And it doesn't just protect tech platforms either: if you've ever forwarded an email, thank Section 230 that you could do that without inviting legal risk on yourself."

EARN It not only strips immunity from non-compliant companies, it also weakens the standard by which they can be sued. It is now necessary for a plaintiff to prove that a company knew an offense was occurring in order to sue; EARN It would require a plaintiff only to show that the company acted recklessly. In a keynote address at the 2019 International Conference on Cyber Security, A.G. Barr defined E2EE as inherently irresponsible. "The costs of irresponsible encryption that blocks legitimate law enforcement access is ultimately measured in a mounting number of victims: men, women, and children who are the victims of crimes, crimes that could have been prevented if law enforcement had been given lawful access to encrypted evidence." To Barr, the mere presence of backdoor-free E2EE constitutes recklessness.

The targets of EARN It seem to be the internet giants that have aroused bipartisan rage. At a recent Senate Judiciary Committee hearing entitled "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy," Apple and Facebook were attacked for using warrant-proof encryption that prevented authorities from investigating terrorism, organized crime and child sexual exploitation. Internet giants might not be the main victims of EARN It, however.

EFF explained, "Undermining Section 230 does far more to hurt new startups than to hurt Facebook and Google. 2018's poorly-named Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA), the only major change to Section 230 since it passed in 1996, was endorsed by nearly every major Internet company. One consequence of FOSTA was the closure of a number of online dating services, a niche that Facebook set about filling just weeks after the law passed." The legal need to screen or filter content placed smaller companies at a competitive disadvantage with the likes of Google.

Unfortunately, an ongoing backlash against Big Tech may propel EARN It through Congress. Moreover, Congress undoubtedly wants to have better control over social media before the 2020 elections. The EARN It Act will arrive with a cry of "Save our children!" But its impact will be to stifle freedom of speech across the spectrum, to hobble small businesses, and to make all users more vulnerable to criminals, including agents of the state.

Op-ed disclaimer: This is an Op-ed article. The opinions expressed in this article are the author's own. Bitcoin.com is not responsible for or liable for any content, accuracy or quality within the Op-ed article. Readers should do their own due diligence before taking any actions related to the content. Bitcoin.com is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any information in this Op-ed article.

Wendy McElroy is a Canadian individualist anarchist and individualist feminist. She was a co-founder of the Voluntaryist magazine and modern movement in 1982, and has authored over a dozen books, scripted dozens of documentaries, worked several years for FOX News and written hundreds of articles in periodicals ranging from scholarly journals to Penthouse. She has been a vocal defender of WikiLeaks and its head Julian Assange.

Read this article:
No Backdoor on Human Rights: Why Encryption Cannot Be Compromised - Bitcoin News

Backdoor to encryption back on agenda in absurdly named bill – 9to5Mac

An absurdly named bill is set to form the latest attempt to create legislation requiring tech giants to provide a backdoor to encryption.

The Eliminating Abuse and Rampant Neglect of Interactive Technologies Act of 2019 (EARN IT Act) is co-sponsored by Lindsey Graham (R-SC), chairman of the Senate Judiciary Committee, and Senator Richard Blumenthal (D-CT).

The acronym is intended to suggest that tech companies should be required to "earn" the right to Section 230 protections, which mean that companies providing communication platforms can't be held legally liable for things posted by users.

Reuters reports that the bill seeks to impose conditions on this protection, and that providing a backdoor to encryption is believed to be one of them.

The bill threatens this key immunity unless companies comply with a set of "best practices," which will be determined by a 15-member commission led by the Attorney General [...]

The sources said the US tech industry fears these "best practices" will be used to condemn end-to-end encryption, a technology for privacy and security that scrambles messages so that they can be deciphered only by the sender and intended recipient. Federal law enforcement agencies have complained that such encryption hinders their investigations.

Online platforms are exempted from letting law enforcement access their encrypted networks. The proposed legislation provides a workaround to bypass that, the sources said.

Graham has previously criticized Apple for using strong encryption in iPhones, and suggested that the company either needs to voluntarily provide a backdoor or have one forced on it by law.

Committee chairman Senator Lindsey Graham (R-SC) warned the representatives of the tech companies, "You're gonna find a way to do this or we're going to do it for you."

Graham didn't appear to understand the contradictory stance he was taking, saying on the one hand that he appreciated that "people cannot hack into my phone" while at the same time asking Apple to create a vulnerability that would inevitably be discovered by others and used to do just that.

Apple has persistently come under government pressure to compromise the privacy of iPhone owners, the San Bernardino, California, case being the highest-profile example, followed by the more recent Pensacola, Florida, shooting. We've previously outlined the arguments for Apple's stance, both before and after the San Bernardino shooting.

Currently, the company appears to have opted for a compromise: refusing to do anything to weaken iPhones, but deliberately using a weaker encryption method for iCloud backups. Apple doesn't use end-to-end encryption for these, meaning it holds a key and is able to provide a copy of most data stored on an iPhone when served with a court order to do so.

It had been suggested that Apple abandoned plans to adopt end-to-end encryption for iCloud backups after pressure from the FBI, though doubt was soon cast on this version of events.

Read the original here:
Backdoor to encryption back on agenda in absurdly named bill - 9to5Mac

cloudAshur, hands on: Encrypt, share and manage your files locally and in the cloud – ZDNet

Cloud storage and collaboration services like Dropbox are convenient, but not every business is comfortable with the level of security provided. If employees are sharing files with customer information or details of your next product launch, how do you make that more secure? You can hope that employees use a strong password and don't get phished; you can hope that they use multi-factor authentication (MFA); or you can use an identity service like Okta or AzureAD that wraps those services in a single sign-on system and enforces MFA.

Or if you want to be a bit more hands-on about it and get more control over where and when employees can work on cloud files, iStorage's cloudAshur (pronounced 'assure') is a 99 (ex. VAT) rugged hardware key for PCs and Macs that stores encryption keys (AES-ECB or AES-XTS 256-bit) and authenticates the computer when you plug it into a USB port (USB-B rather than USB-C).

Give each employee a key and the cloudAshur software, and both local files and files stored in the cloud and shared with colleagues via cloudAshur can be encrypted. They can only be viewed or edited after the physical key is placed into a USB port, a 7-15 digit PIN typed in on the keypad, and a username and password entered into the cloudAshur software to sign into the cloud account. An attacker who successfully phishes for the cloud storage credentials will only see encrypted .IST files that they can't open or even preview -- and so will the user until they plug in the USB key, enter the PIN and sign in.

The inconvenience of having to do all that just to get some work done is balanced by the way cloudAshur brings together files from different cloud services. You see an extra cloudAshur drive in Explorer or the Finder with virtual folders for each cloud service you use, with the files that have been shared with you, and you drag files you want to encrypt into the folder.

The PIN-protected cloudAshur USB dongle from iStorage lets you share encrypted files with other users -- so long as they have matching devices and have logged into the client app.

You can use cloudAshur individually, to protect your own files, and set it up yourself. But if you want to share encrypted files with colleagues, they need their own cloudAshur that's been provisioned with the same encryption key as yours. That means buying the iStorage KeyWriter software, which uses one cloudAshur as the master key and clones the encryption keys to more cloudAshur devices for other people to use.

You can clone cloudAshur dongles from a master device using the KeyWriter software.

If you do that, your organisation can also use the iStorage cloudAshur Remote Management Console (RMC) software to manage users and devices. This gives an admin much more control: you can see who is using the devices and where they are (including a log of times and files accessed), and if you see unauthorised use you can disable the cloudAshur remotely. You can also set the times and physical locations where the keys can be used, if you want to limit them to business hours and business locations. You can only set one location, using a postcode and a radius around it, which isn't convenient if you want to allow people to work from your different office locations but not from home (and there are no exceptions for VPN connections).

You can also add extra security with the cloudAshur RMC software: encrypting file names so they don't give away any clues, blacklisting known bad IP addresses (annoyingly, you can only do that individually, rather than by specifying the far shorter list of IP addresses you want to allow) and blocking specific file types. The latter is referred to as 'blacklisting', which is confusing when it's next to the IP control setting; we'd also like to see iStorage join other vendors in moving to less contentious terms like 'block' and 'approve'.

The cloudAshur Remote Management Console (RMC) lets you manage users and devices.

Getting the PIN wrong ten times in a row locks the device. You can use the RMC software to change how many wrong attempts you want before this brute-force protection kicks in, and you can use the admin PIN to create a new user PIN. You can also set a one-time recovery PIN that you can give a remote user so they can create their own new PIN. Getting the admin PIN wrong ten times in a row deletes the user PINs and the encryption key. You can't set up the device without changing the default admin PIN -- a fiddly sequence of pressing the shift and lock keys on the device individually and in combination and watching the three colour LEDs blink or turn solid. Even with the limitations of a numeric keyboard, this seems unnecessarily complex.

If someone loses a device or leaves the company without giving it back, you can remotely kill the cloudAshur hardware; you can also temporarily disable a key if it's misplaced (and having both options stops users delaying reporting a key they hope to track down because having to get it reset or replaced will be inconvenient). You can also reset and redeploy a key, so if someone leaves the company you can safely reuse their key (and at this price, you'll want to).

A security system isn't much use if it can be physically cracked open and tampered with. The cloudAshur packaging comes with security seals over both ends of the box, although we were able to peel them off carefully without leaving any marks on the packaging, so a really dedicated adversary who managed to intercept your order could replace them with their own security seal.

The case is extruded aluminium that would be hard to open without leaving marks: iStorage says the design meets FIPS Level 3 for showing visible evidence of tampering and the components are coated in epoxy resin so they can't be swapped out.

The number keyboard is polymer coated to stop the keys you use for your PIN showing enough wear to give attackers a hint. The keys have a nice positive action, so you know when you've pressed them, and the lanyard hole on the end is large enough to fit onto a keyring or security badge lanyard. There's an aluminium sleeve to protect the key from water and dirt -- the device is IP68 rated. The sleeve also stops the battery getting run down if the keypad gets knocked in your bag.

Using cloudAshur isn't particularly complicated, but it is a bit more work than just using a cloud storage service. There are drawbacks like the inability to see previews in the cloud site to check you're opening the right file, and not being able to work offline -- even with a cloud service that syncs files to your device. And any mistakes about the times and locations where people can work could inconvenience employees on business trips.

The biggest threat with cloudAshur may not be hackers but employees who find it too much extra work and just don't encrypt files. This means you'll need to explain why you're asking them to carry a dongle and jump through these extra hoops.

Overall, cloudAshur is fairly well designed and offers a useful security boost -- as long as you can persuade employees to actually use it.

Read more from the original source:
cloudAshur, hands on: Encrypt, share and manage your files locally and in the cloud - ZDNet

Signal is the European Union’s encrypted messaging app of choice – Cult of Mac

The European Commission doesn't want its staff using WhatsApp or iMessage for internal communications. Instead, they must start using end-to-end-encrypted messaging app Signal as part of a push toward greater security.

"Signal has been selected as the recommended application for public instant messaging," noted an instruction that reportedly appeared on internal EC messaging boards in early February.

Signal was developed in 2013 with a focus on privacy. On Signal, conversations are fully encrypted by default, along with metadata such as who you are talking to. Messages can be made to self-destruct and can also be sent anonymously. Evidence of how little data it holds was seen in 2016. That year, Signal was subpoenaed and only had access to data about when an account was created and the last date a user accessed its servers.

"It's like Facebook's WhatsApp and Apple's iMessage but it's based on an encryption protocol that's very innovative," Bart Preneel, cryptography expert at the University of Leuven, told Politico, which first reported the story. "Because it's open-source, you can check what's happening under the hood," he added.

The use of Signal by EU staff is recommended primarily for communication sent by staff to people outside the institution.

Apple and WhatsApp are no slouches when it comes to privacy, either. Apple in particular has been outspoken about privacy as a fundamental human right. Over the years, Apple has taken a hard stance against lawmakers' demands to add backdoors to encryption.

Interestingly, while the EU is seemingly keen to keep correspondence private, it's not always been unanimously on the side of privacy. A December 2019 article for Politico notes that:

"Some European Union governments are mulling a revisit of so-called data retention rules, requirements that telecom providers keep hold of people's online messages for a set period of time in case law enforcement agencies need to access them."

The fact that the EU is promoting Signal on the one hand, while some lawmakers are battling against strong encryption on the other, is interesting. In the US, Apple has faced multiple legal challenges when it comes to its pro-privacy stance on encryption. That battle is still ongoing and has not yet been settled.

Signal is available to download via the App Store.

Source: Politico

See the original post here:
Signal is the European Union's encrypted messaging app of choice - Cult of Mac