Log and publish all government requests for user data immediately upon receiving them.
President Donald Trump also went on a tangent about how we must build a wall around the moon to deter migrants from “taking our cheese”.
To enforce this agreement, the 100 countries have started an Initial Coin Offering (ICO) to start an organization headquartered on the moon named “Lunar VPN Foundation”. The foundation promises to build a decentralized AI-powered VPN platform that would leverage 6G Internet capabilities to enable smart DNS routing. The ICO would fund the building of a new data center along with daily trips to Bali for all senior members of the staff.
GoBestVPN.com is a website dedicated to ranking the best VPNs on the market. This goes hand-in-hand with our vision of having a free and secure Internet for everyone. Our 17-step review process is the most in-depth and the most extensive in the industry.
On Thursday night, German politicians and celebrities fell prey to what could be the biggest data breach in social media in the country’s history.
No, it wasn’t on Facebook. This time, it was Twitter.
A now-suspended account going by the name “G0d” leaked the information in a series of tweets that went largely unnoticed until last week when the hackers uploaded the information on a larger scale.
The information, which was in the form of an advent calendar, included street and email addresses, personal phone numbers, credit card and bank account information, and even private chats among family members. Yikes.
News outlets in Germany stated that those affected included Merkel’s Christian Democrats (CDU), the Christian Social Union (CSU), the Social Democrats (SPD), the Greens, the Left Party, and the Free Democratic Party (FDP).
That’s basically everyone, including Angela Merkel, the Chancellor of Germany.
It’s worth noting that these are the country’s leading left and centrist parties. Why? We’ll get into that in just a little bit.
A move by the far-right?
Arne Schoenbohm, the President of the German Federal Office for Information Security, said authorities had been aware of individual cases in December when the material was put onto the Twitter account but that it only became alarming when it was posted on a large scale this week.
Interestingly, he added that about 1,000 people were involved, and confirmed that one party in parliament wasn’t affected. He declined to name which party.
All the same, the party he was referring to turns out to be Alternative for Germany (AfD), a far-right party. Remember the note we made moments ago on left and centrist parties? This is where it matters.
This won’t be a surprise to anyone, but the left and right have had a long-standing feud involving the management of the government, and this particular “hacktivism” has people speculating that the far-right was behind it.
Hacktivism or future political gain?
Hacktivism is the use of technology to promote a particular political agenda or a change in social norms. Perpetrators of these acts are called hacktivists.
They use sensitive and confidential information to gain an advantage or to coerce political figures, as in this case.
Just three years ago, the German government promised to strengthen its cybersecurity following a breach by Russian hackers on its state security systems.
One proposed method is to enforce using a VPN, although finding a good VPN for government needs might be too much of a risk, so building their own network may be the ideal solution.
So, was it the Russians again?
Tom Kellermann, the Chief Cybersecurity Officer of Carbon Black, a cybersecurity company based in Massachusetts, certainly thinks so.
In a statement, he indicated that the breach had all the indications of Russian state-backed hackers, saying it made sense that the far-right was spared from the fiasco: “It’s in Russia’s best interests for the far-right politicians to be successful.”
The Kremlin has consistently denied involvement.
Of course, it’s possible that hacktivists want to use the material for the upcoming German elections.
Lukasz Olejnik, an independent cybersecurity adviser and research associate at the Center for Technology and Global Affairs at Oxford University, stated that he finds it interesting that this has happened now when there’s still a lot of time before the next German elections.
He added that it’s premature to speculate that the hack specifically targets the election process. However, it’s possible that someone has collected additional material to potentially leak in the future, say, during the election.
First in 2019, but not over the years
This is potentially the first major data breach related to political matters this year, but we have had our own share of political breaches over the past years.
Germany’s neighbor France had its own trouble in 2017 when its presidential candidate Emmanuel Macron was subjected to a “massive hacking attack” in his campaign which compromised data involving various internal documents, including emails and contracts.
Similarly, China also experienced a data breach regarding business moguls and politically-connected elites in 2016. The breach exposed personal identification numbers, birth dates, and addresses.
Interestingly, among those affected were China’s richest man, Wang Jianlin, the Chairman of Dalian Wanda Group, and Jack Ma, the owner of the Alibaba conglomerate, both of whom are known to have strong political ties.
And who can forget Russia’s involvement with the US?
In July 2018, further details of the Russian hacking of the Democratic National Committee (DNC) emerged, along with Special Counsel Robert Mueller’s indictment of the Russian agents involved.
The hacking was done through e-mail phishing, and the information stolen was alleged to be from the DNC, including several members of Hillary Clinton’s campaign. It was subsequently distributed to the detriment of the presidential candidate.
This scandal has jumpstarted the data breach bandwagon this year.
Will we see more of these? We think so. The only question is, who will be the next victim and on what scale?
Vietnam’s new cybersecurity law goes into effect this week, delivering another blow to the fight for privacy and freedom of speech.
Welcome to 2019, folks. The battle continues on, and it’s tougher than ever before.
So, what is Vietnam doing, exactly?
A little bit of background
Before we get into the details of the law, let’s remember that Vietnam is a one-party state, controlled by the Communist Party. This means that the government has held this singular point of view since 1975.
However, Vietnam has begun to invest in more capitalist systems in recent years, even being voted as the #1 fan of capitalism in the world.
For example, unlike its larger communist neighbor China, Vietnam does not block websites like Facebook or Google. In fact, they’re the two most popular websites in the country according to SimilarWeb’s website ranking.
The cybersecurity law
Back in June 2018, Vietnam’s National Assembly passed a highly controversial law which requires “foreign companies” such as Facebook and Google to establish branches or representative offices in Vietnam.
The reason for this? The government of Vietnam wants domestic and foreign companies alike to store local user data so that they can access it.
But that’s not all.
The law also gives unprecedented power to Vietnam’s Cybersecurity Task Force (CTF), an arm of the Ministry of Public Security. Basically, this task force can “request” companies to delete information they think is “offensive” or constitutes an infringement of cybersecurity.
Companies must comply within 24 hours by taking down the targeted content.
Why is this a loss for privacy activists?
Beyond the obvious, there are seriously concerning ramifications.
First of all, the government will have access to user data as well as the ability to force companies to take down content it deems unsuitable. Rather than protecting users from government probing, this would have the opposite effect of making user data available to law enforcement agencies.
Though the Vietnamese government claims this law will help it combat cybercrime, the law would also harm freedom of speech, particularly for those holding anti-communist views.
Activists in Vietnam are particularly concerned, including singer and free speech activist Mai Khoi, who was detained earlier in the year for eight hours upon returning to Hanoi after a European tour.
Following the passage of the law, she continued to be vocal about the dangers posed to free speech and accused Facebook of cooperating with authoritarian rule.
In her opinion piece for the Washington Post, she wrote: “Facebook should stop government trolls from abusing its platform, report on how it is respecting human rights following the U.N.’s guiding principles framework and make a policy statement refusing to comply with local laws used to silence dissent and violate privacy.”
“Facebook has been a huge force for freedom in Vietnam, but this positive effect is now being reversed as the social media platform is delivered to authoritarianism. I hold Mark Zuckerberg accountable for this,” she added.
How are the companies responding?
The Asia Internet Coalition (AIC), an industry coalition made up of leading internet and technology companies such as Google, eBay, Yahoo, Facebook, Apple, and Twitter, expressed its deep concern about the passage of the law in a statement:
The overly-broad ‘blanket approach’ to data localization requirements will have serious consequences for economic growth, investor confidence and opportunities for local businesses.
The Vietnamese government gave companies like Google and Facebook a one-year deadline to comply with the law. At the moment, it’s unclear what the companies’ plans are.
However, Facebook did say that it “remains committed to its community in Vietnam and in helping Vietnamese businesses grow at home and abroad.”
Unless more drastic action is taken, the law would continue on as is, and companies will either have to comply or pull out from the region.
Government VS. the Internet
With the sweeping powers it grants the government to monitor online activity, this vote means there is now no safe place left in Viet Nam for people to speak freely. – Clare Algar, the Director of Global Operations for Amnesty International
Facebook is already dealing with the aftermath of the 2016 elections in which they played a role in enabling Russian agents to influence the U.S. national election.
This new law further complicates Facebook’s role and responsibility in aiding foreign governments potentially to the detriment of U.S. interests, as well as the right to privacy.
It also trails a new law passed in China, which similarly requires foreign companies to host data on its local servers, enabling the Chinese government to pry into otherwise protected information of Chinese citizens.
In the battle for privacy, we are now seeing intrusive government legislation that forces companies to cede user data and forgo protections for their users in order to remain in business.
On the other hand, as seen with the passage of the GDPR in Europe, the government can also actively protect privacy and freedom of speech by enforcing specific rules on companies like Facebook and Google.
Companies can’t play it both ways.
Either they should take a stance and commit to protecting privacy for their users, or admit that they’re putting their business interests first by complying with these infringements on privacy.
2018 was a big year for privacy – lots of big data breaches, Facebook scandals, and international security concerns, just to name a few.
Here are the biggest data breaches this year worth capturing and keeping in mind as we go into 2019.
5 Biggest Data Breaches of 2018
Aadhaar Data Breach: When the government can’t protect its 1 billion citizens (January 2018)
Aadhaar, a 12-digit unique identity number for residents of India based on their biometric and demographic data like fingerprints and iris scans, was breached sometime in 2017.
It was a matter of national security that left 1 billion citizens of India vulnerable to intrusions of privacy such as identity theft, possible phishing scams, and hacks on personal information.
In November 2017, the Unique Identification Authority of India (UIDAI) assured residents that their personal data on the Aadhaar was secure and that there had been no data breach.
However, an investigation by the Tribune revealed that it was extremely easy to enter any Aadhaar number and obtain information such as names, email addresses, phone numbers, and other confidential information upon payment of a mere 500 rupees (500 Rs) through a portal provided by an anonymous “agent.” These agents operated on WhatsApp groups to sell this access.
Consequently, the recent breach has heightened unease over the inability of the Indian government to protect the privacy of its citizens, as government websites in the past have also accidentally leaked information.
MyFitnessPal: Data breach of 150M users due to lack of verification (March 2018)
In February, MyFitnessPal, a health and fitness app acquired by Under Armour in 2015, was hit by a data breach which involved roughly 150 million of its users.
After the company discovered this breach, its CEO and founder Kevin Plank announced in late March that “the investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”
Under Armour prompted its users to change their passwords immediately. It also encouraged users to monitor their accounts for any suspicious activity in connection with the said breach. UA’s shares experienced a roughly 5% drop – which is the average figure following a breach of this kind, according to a study by Ponemon.
This follows similar breaches at companies like Equifax and Yahoo, where the barrier to entry is low for hackers to gain access to the user database.
Cambridge Analytica: How much power is too much? (March 2018)
Earlier this year, Facebook revealed that data analytics firm Cambridge Analytica used personal information obtained from its users in early 2014 to build a system that targeted certain US voters with personalized political propaganda.
An app called “This Is Your Digital Life,” built by Cambridge University academic researcher Aleksandr Kogan, was responsible for the data breach.
In a Facebook post, founder and CEO Mark Zuckerberg told its users that “in 2015, we learned from journalists at The Guardian that Kogan had shared data from his app with Cambridge Analytica. It is against our policies for developers to share data without people’s consent, so we immediately banned Kogan’s app from our platform, and demanded that Kogan and Cambridge Analytica formally certify that they had deleted all improperly acquired data.”
It wouldn’t be an exaggeration to say that this was the biggest scandal of 2018, as it raised questions over Facebook’s role and influence as a tech giant that’s much more than just a social media platform.
Marriott Starwood Hotels: Cyberwar with China continues, 500M guests affected (November 2018)
In a massive breach that affected up to 500 million guests, Starwood Hotels and Resorts, a hotel chain owned by Marriott International, announced in November that hackers had had access to their guests’ reservation database for the past four years.
The data breach included names, mailing addresses, phone numbers, email addresses, passport numbers, guest accounts, and other vital information such as travel locations and dates.
Since then, the United States has connected the breach to possible hacking by Chinese intelligence authorities. The speculation is fueled by strained relations between the two countries, as China’s involvement in data breaches is nothing new, starting with the hacking of Google in 2009, as well as the U.S. government in 2015.
As a result, US lawmakers are currently considering the proposal of a bill which would ban government employees from using phones manufactured by telecommunication companies Huawei and ZTE, both based in China.
Quora: Finishing the year with a bang – 100M users (December 2018)
Big data breaches continued on towards the end of the year when Quora, a question-and-answer website founded in 2009, was affected by a data breach through unauthorized access on its system by a “malicious third party.”
In its blog post entitled “Quora Security Update,” it disclosed that the account information of 100 million users, including name, email address, encrypted password, data imported from linked networks when authorized by users, public content, and actions may have been at risk.
It advised its users to change passwords immediately and has maintained a system of updating its users on the investigation through email.
Close on the heels of MyFitnessPal, this type of data breach will become more and more common as companies with massive user bases don’t have adequate security measures to guard against potential attacks.
5 Biggest Privacy Wins of 2018
Now, to end on a more positive note, while there have been numerous data breaches in 2018, there were also instances where privacy marked its victory.
The Electronic Frontier Foundation (EFF), a leading non-profit organization, which champions user privacy, free expression, and innovation, has led some of the biggest privacy wins of 2018.
Want Location Tracking Data? Get a Search Warrant
Earlier in June, the Supreme Court of the United States ruled that the Fourth Amendment, which prohibits unreasonable searches and seizures, also applies to cell phone tracking.
The 119-page opinion by Chief Justice Roberts states that the location information collected by telecommunication service providers offers “an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’”
Such intrusive search now requires a validly obtained search warrant, and rightly so.
Sharing Your Password With Your Family is Definitely Not a Crime
We’re All Equal Under the Law, Even the Government
The EFF has long been wary of Facebook’s policies regarding the use of real or authentic names. It believes that the ability to speak anonymously is one of the great advantages of free speech and that forcing people to disclose their identity through this policy defeats that purpose.
Sometime in July, the American Civil Liberties Union (ACLU) of Tennessee filed a civil rights lawsuit against the Memphis Police Department. The lawsuit uncovered evidence that the police used a fake account on Facebook to gather intelligence on activists.
Fortunately, Facebook recognized the potential threat that this practice will bring to protected speech. In a letter to the Memphis Police Department, it stated that law enforcement authorities are also subject to the policies of the company. Since the fake accounts are in violation of such policies, they have disabled the fake accounts that they identified in their investigation.
Stopping Illegal Device Searches at the Border
In September 2017, the EFF filed a lawsuit with its co-counsel ACLU, challenging border device searches as a violation of the right to freedom of speech and the protection against unreasonable searches and seizures.
Not surprisingly, the federal court ruled that government searches of cell phones, laptops, and other electronic devices without a warrant when someone crosses the border may violate the First and Fourth Amendments.
“A cell phone search would typically expose to the government far more than the most exhaustive search of a house,” the federal court stated in an opinion.
Right to Free Speech in Domain Names
Yes, you heard that right. The protection of free speech extends even to the use of domain names.
When Jeremy Rubin registered his Internet domain name, “fucknazis.us”, to speak out about white supremacist groups in the US, the government took away his domain name, which meant the shutdown of his website.
A government agency shutting down an Internet domain based on the contents of its name runs counter to the right protected by the First Amendment. The EFF, together with the Cyberlaw Clinic, helped Rubin get back his domain, and prevented the government from banning “dirty words.” His domain has since returned to full operation.
Details of the case can be found directly at https://fucknazis.us/.
With all these things in mind, what can we expect in 2019?
Each year, companies aim to protect the privacy of their users, only to fail miserably. At the end of the day, it’s about business. Money speaks, and while privacy is of paramount concern, exploitation for financial gain will inevitably continue unless it’s prevented by regulation.
Government involvement will only increase, as more and more people become aware of how unprotected their data is on the web. This means we can expect to see more of this participation in 2019. There will be more consumer action in a tangible way.
However, the coming year will also see more data breaches, possibly on an even greater scale. Lawmakers haven’t caught up yet, and too many companies have weak or non-existent security measures. It’s all too easy to fool unsuspecting users into selling their data.
In the 21st century, the measure of a government’s power will include its ability to protect its citizens’ data from both cybercriminals and foreign agents. As we take more of our systems online, we’re ever more vulnerable to major damages caused by hacking.
Overall, 2018 was a pretty good year for regulation. Privacy is finally recognized and accorded the priority it deserves. Further legislation is in the works, and governments around the world are finally catching up to technology.
It can only get better from here. We may be in for a long ride, but at least we’re on the right path.
Starwood Hotels and Resorts, a hotel chain owned by Marriott International, announced on November 30 that there had been a breach of data security involving its guests’ reservation database.
The company, on a dedicated website, said that it had received an alert on September 8, 2018, from an internal security tool regarding an attempt to access its guest reservation database. It learned during an investigation that information on up to approximately 500 million guests who made reservations at Starwood since 2014 had been compromised.
Information included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guests (SPG) accounts, birth dates, gender, arrival and departure information, reservation date, and communication preferences.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128),” it added. The important bit here is that the card numbers were encrypted, but the company does not reveal whether the keys were also leaked.
The United States has connected the breach to possible hacking by Chinese intelligence authorities involving the Ministry of State Security, a civilian spy agency controlled by Communists residing in the country.
This speculation is fueled by strained relations between the two countries, considering that the former has long been wary of the latter’s involvement in rampant data breaches in its territory.
China’s involvement is nothing new, as there had been several incidents involving its alleged sponsored hackers, some of which include the theft of confidential data of millions of citizens in the US Personnel Department and the famous breach of Anthem insurance which compromised data involving names, birth dates, addresses, Social Security numbers, and even income data of 80 million beneficiaries.
However, the core of the country’s involvement centers on the recent controversy involving Chinese telecommunications company Huawei.
Earlier this month, Meng Wanzhou, Huawei’s chief financial officer, was arrested in Vancouver by Canadian authorities on allegations of bank fraud involving Hongkong Shanghai Banking Corporation (HSBC).
Huawei supposedly entered into business with Iran through a subsidiary called Skycom in violation of American sanctions. The Middle Eastern country is subject to strict international regulations by the US government, the purpose of which is to prevent it from developing nuclear weapons, although the country stated that the use of its nuclear energy is purely for domestic consumption.
The arrest is part of an earlier US investigation into Chinese companies speculated to be extensions of the country’s government, which included Huawei. Security experts in the US believed that the recent growth in China’s economy was a result of its stealing corporate, military and trade secrets through the use of telecommunications equipment and devices.
As a result, security agencies in the US such as the FBI, CIA, and the NSA, as well as the US Congress, have proposed measures to ensure that Chinese-based companies do not penetrate the US market.
FBI Director Chris Wray, in a testimony made before the Senate Intelligence Committee, said the government was “deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks.”
He added that this would provide the capacity to maliciously modify or steal information, and it provides the capacity to conduct undetected espionage.
US lawmakers, on the other hand, are currently considering the proposal of a bill which would ban government employees from using phones manufactured by Huawei and ZTE, another telecommunications company based in China.
Senator Richard Burr, chairman of the Senate Intelligence Committee, said in a hearing that the focus of his concern is China, and specifically Chinese telecoms like Huawei and ZTE, which are widely understood to have extraordinary ties to the Chinese government.
The Marriott hack and the scandal involving Huawei prove that data breaches are and will be a daily occurrence as we advance technologically. This creates unforeseen consequences that affect not only the United States but the world as a whole. As such, fear of a potential data breach can be equated to fear of life itself. However, this does not mean that nothing can be done to prevent it. The unwary public must be made vigilant.
On Wednesday, the U.S. made a significant step forward in establishing data privacy for its citizens. 15 U.S. senators, led by Senator Schatz (D-Hawaii), introduced the Data Care Act, a bill which will standardize and regulate procedures governing the protection and use of data.
In its introductory statement, the bill outlines the duties of online service providers regarding the collection and use of user data. It also aims to prevent providers from using the data in a way that would be harmful to users.
“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” stated Senator Schatz in a press release.
The proposed bill defines the three-fold duty of an online service provider as follows:
Duty of Care: The service provider has a responsibility to secure their user data and notify users of any unauthorized access or breach.
Duty of Loyalty: The service provider will not use the user data in a way that would be detrimental, harmful or highly offensive to the user.
Duty of Confidentiality: The service provider will maintain the confidentiality of the user data through non-disclosure. Exceptions are made for third parties who also adhere to these duties. The bill says that it’s the service provider’s responsibility to make sure their third-party partners are acting in line with these rules through regular audits.
This last part will certainly interest internet users and privacy proponents. The selling and disclosure of user data to third parties is a big concern, and the language of the bill is broad enough for loopholes. This is an area that’ll need to be watched closely as the bill makes its way through Congress.
The law would give the Federal Trade Commission (FTC) the power to enforce the provisions of the bill. It also suggests that while states can commence civil action, the FTC may intervene in such cases.
The introduction of the bill is a head start for data privacy protection in the United States, a country which is known to house tech giants such as Apple, Microsoft, Google, Facebook, and Amazon.
In the past, the U.S. government has relied on companies to formulate their own rules concerning data transmission and privacy, mandating its citizens to self-regulate when it comes to the protection and confidentiality of their information.
But in the wake of Facebook’s role in transmitting its user data to Cambridge Analytica, data privacy regulations on a federal level may be more needed than ever.
Currently, the U.S. has no comprehensive law governing the collection and privacy of data being transmitted in its territory. Rather, it relies on provisions included in the United States Privacy Act, the Safe Harbor Act, and the Health Insurance Portability and Accountability Act.
Not surprisingly, groups with high stakes in the American tech industry rallied behind the introduction of the bill.
The Center for Democracy and Technology, a non-profit group which works to preserve the Internet, added on to Senator Schatz’s press release. “We commend Senator Schatz for tackling the difficult task of drafting privacy legislation that focuses on routine data processing practices instead of consumer data self-management.”
The Internet Association, an industry trade group representing tech companies such as Google, Amazon, Facebook, and eBay, expressed its support through an open letter. “Internet companies act as responsible stewards of people’s data and agree with Sen. Schatz that federal legislation should promote responsible data practices.”
The move is a positive start, as it will probably spark discussion and debate towards favorably changing the position of Congress on the protection and regulation of data privacy in the U.S. Since the country is home to tech behemoths with a significant presence in numerous other countries around the world, the bill would likely create ripple effects far beyond the U.S. if it gets passed.