“I Say Where Can a Chap Get a Bit of Privacy?” Survey Says Online Privacy and Security a Luxury in UK.

Posted on May 5th, 2014 by Dan Rampe


It wasn’t all that long ago when privacy meant locking the bathroom door. In fact, in some circles, the toilet was euphemistically referred to as “the private office.” Well that was then.

This is now when privacy is often hard to come by — just ask the owner of the L.A. Clipper’s, whose racist remarks allegedly made by him to his girlfriend became front-page news — and online privacy comes at a premium. To be precise, the premium, according to a survey in the UK, should be about £2.50 ($4.20) per month. That’s what 58 percent of people in the UK would pay to secure their online data.

The survey of more than 2000 adults in the UK found that most would rather walk away from using a service than pay for a more secure version. Here are some of the findings as reported in a story in ibitimes.co.uk. (Note the following has been edited to fit our format.)

A survey of 2,000 UK adults, carried out by [one] security company…finds that nearly half would quit services like Facebook (45%), search giants like Google (44%) and email providers like Yahoo (39%) if they thought their personal data was being sold or shared.

“It’s a sad state of affairs that we now think of online privacy as a luxury good,” says [security professional] Rik Ferguson. “Users are clearly telling providers they will vote with their feet rather than pay excessively for privacy and there’s the real possibility of an exodus from certain services if users feel their data is being unethically handled.”

The research found that 58% would pay to secure their data online, but the average people are willing to pay is just £30.30 annually. [$50.99]

According to the survey, over 40% of respondents said they were considering opting out of free email providers to pay for a more secure service – a trend which could have something to do with reports earlier this week that Google was working on end-to-end encryption for its Gmail service.

More than a fifth of respondents had stopped using public Wi-Fi hotspots following numerous reports of privacy issues.

Three-quarters of all respondents said they would be unhappy with private and public service providers selling their data, even if it meant they were getting a better service.

The EU is about to introduce its Data Protection Regulation which is aimed at protecting European citizen’s data but only 37% of respondents felt the new regulation will force organizations to implement more stringent security and even fewer (34%) expect it to stop organizations from illegally collecting customer data.

“In both the public and private sectors it’s a call for organizations to become more transparent about how they use our data. It’s encouraging to see the EU take proactive steps to address these data privacy concerns, though clearly the public is skeptical about how much of an impact this will have on them,” Ferguson said

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.


New AP-GfK Poll Shows American Shoppers Worry About Data Breaches and Identity Theft — Just Not Enough to Do Anything About Them.

Posted on February 4th, 2014 by Dan Rampe

Data Theft

Is it laziness? Is it the human version of a “deer caught in the headlights?” Is it the hope that like the sardine in a school of sardines, you hope the big fish will get the other guy…er…fish? Whatever the reason, the majority of American consumers are concerned about the safety of their personal information, but haven’t done much in the way of protecting themselves. That’s what a new Associated Press-GfK Poll shows. Incidentally, the GfK Group or Gesellschaft für Konsumforschung (Society for Consumer Research) was established in 1934 and is Germany’s largest market research institute.

Anne D’Innocenzio of the Associated Press detailed the poll’s findings:

The poll finds a striking contradiction: Americans say they fear becoming victims of theft after the breach that compromised 40 million credit and debit cards and personal information of up to 70 million customers. Yet they are apathetic to try to protect their data.

In the survey, nearly half of Americans say they are extremely concerned about their personal data when shopping in stores since the breach. Fifty-eight percent say they have deep worries when spending online, while 62 percent are very concerned when they buy on their mobile phones.

But just 37 percent have tried to use cash for purchases rather than pay with plastic in response to data thefts like the one at Target, while only 41 percent have checked their credit reports. And even fewer have changed their online passwords at retailers’ websites, requested new credit or debit card numbers from their bank or signed up for a credit monitoring service.

The poll offers insight into the effects big data breaches can have on consumer behavior. There have been worries that shoppers would dramatically change their habits since December, when Target announced the breach that could wind up being the largest in U.S. history. Weeks later, those concerns were elevated when luxury retailer Neiman Marcus disclosed that it too was the victim of a breach that may have compromised 1.1 million debit and credit cards.

But security experts say the results show that Americans have come to expect that security theft is a possibility when they use their credit or debit cards or provide retailers with phone numbers, emails and other personal information.

“They … just chalk it up to … ‘It’s part of life,’“ says Cameron Camp, security researcher at global security firm ESET who believes people don’t think they will be liable for fraudulent charges.

Experts also say the results show another expectation Americans have: While nearly 4 out of 10 say they have been victimized by personal data theft, most expect credit card companies, banks or retailers to take responsibility when that happens.

About 38 percent report that they think they have either had someone make unauthorized purchases using their credit or debit cards without it having been physically stolen or that someone had used their personal information to apply for a fraudulent line of credit, the poll says. And just over a third of Americans think their personal information was compromised in the breach at Target.

But the survey shows that just 37 percent say consumers bear most of the responsibility for keeping their data safe, while 88 percent place the burden on the retailers who are collecting it. Six in 10 say the banks that provide credit or debit cards or the credit bureaus should bear most of the responsibility.

Andrea Davis doesn’t believe she was affected by the Target breach, but she recently found unauthorized charges on her American Express credit card. Still, she hasn’t taken steps to make her data more secure because she says she feels protected when she uses her Amex card. In fact, American Express immediately took off the charges after she notified the company. “You feel discouraged, but in the end, everyone gets their money,” says Davis, who lives in Marina del Rey, Calif. “It is what it is.”

The sentiment was different among Americans who’ve been victims of personal data theft. In that group, 52 percent have checked their credit report, while 41 percent have tried to use more cash. Twenty-eight percent have signed up for a credit monitoring service.

Eve Sims signed up for a credit card monitoring service for a monthly fee of $14 about five years ago after she found fraudulent charges from Nigeria on her credit card. “It’s worth it,” she says.

The AP-GfK Poll was conducted Jan. 17 through Tuesday and involved interviews with 1,060 adults. The survey has a margin of sampling error of plus or minus 3.9 percentage points.

The poll used KnowledgePanel, GfK’s probability-based online panel that is designed to be representative of the U.S. population. Respondents were first selected randomly using phone or mail survey methods, and later, completed this survey online. People selected for KnowledgePanel who didn’t otherwise have Internet access were provided with access at no cost to them.

ThreatMetrix secures Web transactions against account takeoverpayment fraudidentity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial servicesenterprisee-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.


What You Say on Facebook Stays on Facebook…Maybe. Lawsuit Accuses Company of Mining Private Messages for Advertisers.

Posted on January 17th, 2014 by Dan Rampe


In mining private messages, has Facebook dug itself a hole? That’s what a federal court is going to have to decide. The question is clear cut. Should a social media user, who pays nothing for the service which earns revenue selling user information to advertisers, have a right to expect his/her information will be kept private?

And, while the question is clear cut, the answer is anything but. Writing on csoonline.com, Antone Gonsalves tackles a case, which one day might end up before the Supreme Court.

The lawsuit filed in federal court in Northern California seeks class-action status for all Facebook users allegedly duped into believing that they could send confidential messages. Specifically, the suit says Facebook has violated the federal Electronics Communications Privacy Act and California privacy laws.

Facebook has allegedly gone wrong by scanning private messages containing links to websites and searching the destinations for clues about the sender that it can sell to advertisers, marketers and other data aggregators.

The plaintiffs argue that Facebook implied the opposite when it launched its integrated email and messaging service in November 2010.

“Facebook telegraphs through the use of the words ‘privately’ and ‘private’ that when a user sends a private message to another party, only the user and the intended recipient will be privy to the contents of that communication,” the suit says.

Plaintiffs Matthew Campbell, Pulaski County, Ark., and Michael Hurley, North Plains, Ore., are seeking the greater of either $100 a day for each day of violation or $10,000 for each affected user, plus damages under California law.

Facebook denies any wrongdoing. “We believe the allegations are without merit and we will defend ourselves vigorously,” the company said in a statement emailed to Computerworld.

Expecting privacy from an ad-driven Web site that needs to check all posted links for malware and spam is ludicrous, Anton Chuvakin, research director for security and risk management at Gartner, said. “Frankly, this is an idiotic suit,” he said. “If the message is really private, as in secret, use encrypted email or hand-deliver it. Why is it on Facebook?”

Of course, the social network has the responsibility of clearly explaining what it does with all user-generated content, so the courts will have to decide whether Facebook was misleading in the use of the word private with its email service.

In the meantime, experts say the suit should remind companies that all business communications should be done through corporate email. Essentially, only information meant to be public should go out on a social network on behalf of the company.

“All social networking companies at this point are making their revenue via advertising and all are using data mining techniques to target ads in one way or another,” Jody Brazil, president and chief technology officer for security management company FireMon, said. “As such, communication must be considered semi-public regardless of how it is posted.”

For easier monitoring of social media use, companies need to have a strict policy that only authorized employees can post content on behalf of the business, privacy expert Rebecca Herold said. In addition, posted content should never contain information about a company’s intellectual property, employees, customers or partners.

“All organizations, in all industries, need to have social media policies in place for not only Facebook, but also for all other social media sites,” Herold said.

ThreatMetrix secures Web transactions against account takeoverpayment fraudidentity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial servicesenterprisee-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.


Is Wikipedia the Answer to Online Privacy? Research Fellow Says Open-Source Hardware and Firmware Could Close NSA/Bigtech Backdoors.

Posted on October 15th, 2013 by Dan Rampe

Online Privacy

Logic fairly screams that open-source is the antithesis of privacy. But, that’s not the way Eli Dourado, a research fellow with the technology policy program at the Mercatus Center at George Mason University, sees it. In his piece in The New York Times, Dourado makes a case that backdoor vulnerabilities such as those created by the NSA in conjunction with the likes of Bigtech companies like Google, Apple, Microsoft, AT&T and Verizon, could be slammed shut or at least made harder to pry open in the first place if more independent hi-tech experts were involved.

In the wake of the disclosures about the National Security Agency’s surveillance programs, considerable attention has been focused on the agency’s collaboration with companies like Microsoft, Apple and Google, which according to leaked documents appear to have programmed “back door” encryption weaknesses into popular consumer products and services like Hotmail, iPhones and Android phones.

But while such vulnerabilities are worrisome, equally important — and because of their technical nature, far less widely understood — are the weaknesses that the N.S.A. seems to have built into the very infrastructure of the Internet. The agency’s “upstream collection” capabilities, programs with names like Fairview and Blarney, monitor Internet traffic as it passes through the guts of the system: the cables and routers and switches.

The concern is that even if consumer software companies like Microsoft and telecommunications companies like AT&T and Verizon stop cooperating with the N.S.A., your online security will remain compromised as long as the agency can still take advantage of weaknesses in the Internet itself.

Fortunately, there is something we can do: encourage the development of an “open hardware” movement — an extension of the open-source movement that has led to software products like the Mozilla browser and the Linux operating system.

The open-source movement champions an approach to product development in which there is universal access to a blueprint, as well as universal ability to modify and redistribute the blueprint. Wikipedia is perhaps the best-known example of a product inspired by the movement. Open-source advocates typically emphasize two kinds of freedom that their products afford: they are available free of charge, and they can be used and manipulated free of restrictions.

But there is a third kind of freedom inherent in open-source systems: the freedom to audit. With open-source software, independent security experts can scrutinize the code for vulnerabilities — whether accidentally or intentionally introduced. The more auditing by the programming masses, the better the security. As the open-source software advocate Eric S. Raymond has put it, “given enough eyeballs, all bugs are shallow.”

Perhaps the greatest open-source success story is the Internet itself — at least its “soft” parts. The Internet’s communications protocols and the software that implements them are collaboratively engineered by loose networks of programmers working outside the control of any single person, company or government. The Internet Engineering Task Force, which develops core Internet protocols, does not even have formal membership and seeks contributions from developers all over the world.

But the problem is that the physical layer of the Internet’s infrastructure — the hardware that transmits, directs and relays traffic online, as well as its closely knit software (or “firmware”) — is not open-source. It is made by commercial computing companies like Cisco, Hewlett-Packard and Juniper Networks according to proprietary designs, and then sold to governments, universities, private companies and anyone else who wants to set up a network.

There is reason to be skeptical about the security of these networking products. The hardware firms that make them often compete for contracts with the United States military and presumably face considerable pressure to maintain good relations with the government. It stands to reason that such pressure might lead companies to collaborate with the government on surveillance-related requests.

Because these hardware designs are closed to public scrutiny, it is relatively easy for surveillance at the Internet’s infrastructural level to go undetected. To make the Internet less susceptible to mass surveillance, we need to recreate the physical layer of its infrastructure on the basis of open-source principles.

At the moment, the open hardware movement is limited mostly to hobbyists — engineers who use the Internet to collaboratively build “open” devices like the RepRap 3D printer. But the Internet community, through a concerted effort like the one that currently sustains the Internet’s software architecture, could also develop open-source, Internet-grade hardware. Governments like Brazil’s that have forsworn further involvement with American Internet companies could adopt such nonproprietary equipment designs and have them manufactured locally, free from any N.S.A. interference.

The result would be Internet infrastructure, both hardware and software, that was 100 percent open and auditable. But never, of course, 100 percent secure. The N.S.A. could still try to exploit the Internet’s open hardware. And of course, open hardware would do little to prevent the government from reading e-mail if it still had the cooperation of companies like Microsoft or Google. Open hardware is not a panacea.

Still, open hardware would at a minimum make the N.S.A.’s Internet surveillance efforts more difficult and less effective. And it would increase the difficulty of surveillance not just for the N.S.A. but also for foreign governments that might otherwise piggyback on N.S.A.-introduced security vulnerabilities.

A 100 percent open-infrastructure Internet — a trustworthy Internet — would be an important step in the empowerment of individuals against their governments the world over.

ThreatMetrix™ secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix™ Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

To join in the cybersecurity conversation, follow us on Twitter @ThreatMetrix.