Privacy guidance, audits, tools, training and software
DISC InfoSec
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question
May 08 2022
As data privacy laws expand, businesses must employ protection methods
Data protection is challenging for many businesses because the United States does not currently have a national privacy law — like the EU’s GDPR — that explicitly outlines the means for protection. Lacking a federal referendum, several states have signed comprehensive data privacy measures into law. The California Privacy Rights Act (CPRA) will replace the state’s current privacy law and take effect on January 1, 2023, as will the Virginia Consumer Data Protection Act (VCDPA). The Colorado Privacy Act (CPA) will commence on July 1, 2023, while the Utah Consumer Privacy Act (UCPA) begins on December 31, 2023.
For companies doing business in California, Virginia, Colorado and Utah* — or any combination of the four — it is essential for them to understand the nuances of the laws to ensure they are meeting protection requirements and maintaining compliance at all times.
Understanding how data privacy laws intersect is challenging
While the spirit of these four states’ data privacy laws is to achieve more comprehensive data protection, there are important nuances organizations must sort out to ensure compliance. For example, Utah does not require covered businesses to conduct data protection assessments — audits of how a company protects data to determine potential risks. Virginia, California and Colorado do require assessments but vary in the reasons why a company may have to take one.
Virginia requires companies to undergo data protection assessments to process personal data for advertising, sale of personal data, processing sensitive data, or processing consumer profiling purposes. The VCDPA also mandates an assessment for “processing activities involving personal data that present a heightened risk of harm to consumers.” However, the law does not explicitly define what it considers to be “heightened risk.” Colorado requires assessments like Virginia, but excludes profiling as a reason for such assessments.
Similarly, the CPRA requires annual data protection assessments for activities that pose significant risks to consumers but does not outline what constitutes “significant” risks. That definition will be made through a rule-making process via the California Privacy Protection Agency (CPPA).
The state laws also have variances related to whether a data protection assessment required by one law is transferable to another. For example, let’s say an organization must adhere to VCDPA and another state privacy law. If that business undergoes a data protection assessment with similar or more stringent requirements, VCDPA will recognize the other assessment as satisfying their requirements. However, businesses under the CPA do not have that luxury — Colorado only recognizes its assessment requirements to meet compliance.
Another area where the laws differ is how each defines sensitive data. The CPRA’s definition is extensive and includes a subset called sensitive personal information. The VCDPA and CPA are more similar and have fewer sensitive data categories. However, their approaches to sensitive data are not identical. For example, the CPA views information about a consumer’s sex life and mental and physical health conditions as sensitive data, whereas VCDPA does not. Conversely, Virginia considers a consumer’s geolocation information sensitive data, while Colorado does not. A business that must adhere to each law will have to determine what data is deemed sensitive for each state in which it operates.
There are also variances in the four privacy laws related to rule-making. In Colorado and Utah, rule-making will be at the discretion of the attorney general. Virginia will form a board consisting of government representatives, business people and privacy experts to address rule-making. California will engage in rule-making through the CPPA.
The aforementioned represents just some variances between the four laws — there are more. What is clear is that maintaining compliance with multiple laws will be challenging for most organizations, but there are clear measures companies can take to cut through the complexity.
Overcoming ambiguity through proactive data privacy protection
Without a national privacy law to serve as a baseline for data protection expectations, it is important for organizations that operate under multiple state privacy laws to take the appropriate steps to ensure data is secure regardless of regulations. Here are five tips.
Partner with compliance and legal experts
It is critical to have someone on staff or to serve as a consultant who understands privacy laws and can guide an organization through the process. In addition to compliance expertise, legal advice will be a must to help navigate every aspect of the new policies.
Identify data risk
From the moment a business creates or receives data from an outside source, organizations must first determine its risk based on the level of sensitivity. The initial determination lays the groundwork for the means by which organizations protect data. As a general rule, the more sensitive the data, the more stringent the protection methods should be.
Create policies for data protection
Every organization should have clear and enforceable policies for how it will protect data. Those policies are based on various factors, including regulatory mandates. However, policies should attempt to protect data in a manner that exceeds the compliance mandates, as regulations are often amended to require more stringent protection. Doing so allows organizations to maintain compliance and stay ahead of the curve.
Integrate data protection in the analytics pipeline
The data analytics pipeline is being built in the cloud, where raw data is converted into usable, highly valuable business insight. For compliance reasons, businesses must protect data throughout its lifecycle in the pipeline. This implies that sensitive data must be transformed as soon as it enters the pipeline and then stays in a de-identified state. The data analytics pipeline is a target for cybercriminals because, traditionally, data can only be processed as it moves downstream in the clear. Employing best-in-class protection methods — such as data masking, tokenization and encryption — is integral to securing data as it enters the pipeline and preventing exposure that can put organizations out of compliance or worse.
Implement privacy-enhanced computation
Organizations extract tremendous value from data by processing it with state-of-the-art analytics tools readily available in the cloud. Privacy-enhancing computation (PEC) techniques allow that data to be processed without exposing it in the clear. This enables advanced-use cases where data processors can pool data from multiple sources to gain deeper insights.
The adage, “An ounce of prevention is worth a pound of cure,” is undoubtedly valid for data protection — especially when protection is tied to maintaining compliance. For organizations that fall under any upcoming data privacy laws, the key to compliance is creating an environment where data protection methods are more stringent than required by law. Any work done now to manage the complexity of compliance will only benefit an organization in the long term.
*Since writing this article, Connecticut became the fifth state to pass a consumer data privacy law.
Data Privacy Law: A Practical Guide to the GDPR
Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Apr 18 2022
Trans-Atlantic Data Privacy Framework’s Impact on AppSec
Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will “reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
This is encouraging news. As The National Law Review pointed out, the EU had concerns about the protection of their citizens’ data from U.S. government surveillance. But it may also be the push needed to advance greater data privacy protections in America.
“The joint statement references the U.S. putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available,” said Stephen Bailey of NCC Group in an email comment.
Data Privacy and AppSec
The world runs on apps, so it is necessary to look at how the Trans-Atlantic Data Privacy Framework will impact app development and app security.
“For application developers, the single biggest challenge to complying with increasingly rigorous data protection frameworks is getting control of their data, particularly sensitive and personally identifiable information,” explained Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance.
Today, every new app, whether bought or built, traps data in a silo, which can only be connected through the exchange of copies or point-to-point data integration.
“These copies make it incredibly difficult—and in some cases, even impossible—to support GDPR outcomes like ubiquitous data access controls, portability, custodianship, deletion (the right to be forgotten) and precision auditability: Things that could potentially, although they’re unlikely to, be included in the post-Privacy Shield framework. But they are definitely looming on the horizon both internationally and domestically, for example, in California and Utah,” said McLellan.
As data privacy frameworks become more common and we begin to see more joint efforts internationally, organizations have to think about how they share and store data in the future, taking compliance requirements into greater consideration.
Organizations need to get more serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage, McLellan says. They should be exploring ways now to eliminate data silos and copies that have resulted in rampant data proliferation.
No Quick Fixes
But, as McLellan pointed out, there are no quick fixes. Unwinding years of “an app for everything and a database for every app” mantra will be difficult, and McLellan believes this is best approached in two stages.
Stage One: Immediately treat the symptoms of data proliferation by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent. “They should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps (e.g. Google Analytics), over which they have no control,” McLellan explained. “Organizations should also adopt processes and workflows that help them establish ‘purpose-based’ data access requests.”
Stage Two: Organizations should explore ways to address the root causes of data proliferation. Everyone within the organization’s technology teams—CIO, CDO, application development, data and IT teams—should familiarize themselves with emerging frameworks like zero-copy integration, a framework that is on track to become a national standard in Canada.
“It’s the evolution of privacy-by-design and signals the beginning of the end for application-specific data silos and copy-based data integration. Such frameworks are made possible by new categories of technology, including data fabrics, dataware and blockchain that support ‘zero copy’ digital innovation. Many leading organizations, particularly in finance and health care, are already ahead of the curve in adopting this approach,” said McLellan.
Data protection regulations at home and abroad reflect a burgeoning global trend toward citizens and consumers gaining greater control and ownership of data as its rightful owner.
“These regulatory shifts,” said McLellan, “will need to be met by an equally significant shift in how U.S. businesses manage data and build new applications if there’s any hope to comply with new laws as they’re passed.”
Data Privacy: A runbook for engineers
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Mar 10 2022
Build your DPO career with self-paced online learning
Are you planning a career as a DPO (data protection officer)?
| Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format. Delivered by an experienced data privacy consultant, the Certified GDPR Foundation, Practitioner and Data Protection Officer (C-DPO) Accelerated Self-Paced Online Combination Training Course provides the knowledge to implement and maintain GDPR compliance and fulfil the DPO role. Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests. The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career. |
Feb 21 2022
BEC scammers impersonate CEOs on virtual meeting platforms
The FBI warned US organizations and individuals are being increasingly targeted in BECattacks on virtual meeting platforms
The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests
Cybercriminals are targeting organizations of any size and individuals, in BEC attack scenarios attackers pose as someone that the targets trust in, such as business partners, CEO, executives, and service providers.
Scammers use to compromise legitimate business or personal email accounts through different means, such as social engineering or computer intrusion to conduct unauthorized transfers of funds.
Crooks started using virtual meeting platforms due to the popularity they have reached during the pandemic.
The Public Service Announcement published by FBI warns of a new technique adopted by scammers that are using virtual meeting platforms to provide instructions to the victims to send unauthorized transfers of funds to fraudulent accounts.
“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.
Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.
Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:
- Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake1” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
- Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
- Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.
Below are recommendations provided by the FBI:
- Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
- Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
- Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
Feb 19 2022
Google Privacy Sandbox promises to protect user privacy online
Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.
“Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties.” reads the announcement.
Google is also committed tp fighting and reducing covert data collection.
The goals of the Privacy Sandbox are:
- Build new technology to keep your information private
- Enable publishers and developers to keep online content free
- Collaborate with the industry to build new internet privacy standards
Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.
“Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates.” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”
Feb 17 2022
50 Key Stats About Freedom of the Internet Around the World
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
Digital Rights
Freedom of Information
Right to Internet Access
Freedom from Internet Censorship
Net Neutrality
The Bottom Line
The Internet in Everything: Freedom and Security in a World with No Off Switch
Feb 09 2022
Adding Data Privacy to DevSecOps
Colorado and Virginia passed new data privacy laws in 2021. Connecticut and Oklahoma are among the states that could enact new legislation around data privacy protections in 2022. California, which kicked off the conversation around data privacy at the state level, is updating its laws. Couple that with the EU’s GDPR and other data privacy laws enacted worldwide, and it is clear that data privacy has become incredibly important within cybersecurity. And that includes within the DevSecOps process.
It’s been enough of a challenge to integrate security into the DevOps process at all, even though it is now recognized that adding security early in the SDLC can eliminate issues further along in app development and deployment. But adding data privacy? Is it really necessary? Yes, it is necessary, said Casey Bisson, head of product growth at BluBracket, in email commentary. Applications now include more and more personal data that needs protection, such as apps that rely on medical PII. Those apps must have security and privacy baked into each phase of the SLDC via DevSecOps.
“There have been far too many examples of leaks of PII within code, for instance, because many companies don’t secure their Git repositories,” said Bisson. “As more sensitive information has made its way into code, it’s natural that hackers will target code. True DevSecOps will bake privacy concerns into every stage and will make these checks automated.”
Data in the Test Process
In DevSecOps, applications are developed often by using test data. “If that data is not properly sanitized, it can be lost,” said John Bambenek, principal threat hunter at Netenrich, in an email interview. “There is also the special case of secrets management and ensuring that development processes properly secure and don’t accidentally disclose those secrets. The speed of development nowadays means that special controls need to be in place to ensure production data isn’t compromised from agile development.” Beyond test data, real consumer data has to be considered. Ultimately, every organization has information they need to protect so it’s important to focus on data privacy early in development so the team working on the platform can build the controls necessary into the platform to support the privacy requirements the data has, explained Shawn Smith, director of infrastructure at nVisium, via email. “The longer you wait to define the data relationships, the harder it is to ensure proper controls are developed to support them.”
Bringing Privacy into DevSecOps
Putting a greater emphasis on privacy within DevSecOps requires two things—data privacy protocols already in place within the organization and a strong commitment to the integration of cybersecurity with data privacy. “An organization needs to start with a strong privacy program and an executive in charge of its implementation,” said Bambenek. “Especially if the data involves private information from consumers, a data protection expect should be embedded in the development process to ensure that data is used safely and that the entire development pipeline is informed with strong privacy principles.” The DevSecOps team and leadership should have a strong understanding of the privacy laws and regulations—both set by overarching government rules and by industry requirements. Knowing the compliance requirements that must be met offers a baseline to measure how data must be handled throughout the entire app development process, Smith pointed out, adding that once you have the base to build upon, the controls and steps to actually achieve the privacy levels you want will fall into place pretty easily. Finally, Bisson advised DevSecOps professionals to shift security left and empower developers to prevent any credentials or PII from being inadvertently accessible through their code before it makes it to the cloud. “DevSecOps teams should scan code both within company repositories and outside in public repos; on GitHub, for instance. It’s so easy to clone code that these details and secrets can easily be leaked,” said Bisson.
Consumers don’t understand how or where in the development process security is added, and it’s not entirely necessary for them to understand how the sausage is made. The most important concern for them is that their sensitive data is protected at all times. For that to happen most efficiently, data privacy has to be an integral part of DevSecOps.
Understanding Privacy and Data Protection: What You Need to Know
#DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement
Jan 13 2022
CPRA Cheat sheet
Jan 10 2022
Eight resolutions to help navigate the new hybrid office model
Here are some resolutions to follow to ensure your organization safely navigates the new hybrid office model.
1. Increase security awareness. The human factor is always the weakest link in cybersecurity. CISOs must stretch communications skills and create new channels to deliver education about information security. They must expand messages beyond phishing warnings to include topics such as laws and regulations that connect security with the business. Information privacy is a key topic.
2. Know who is connecting. Throughout the pandemic, the challenge of secure connectivity has been persistent. The bottom line is that secure VPN, single sign-on, and two/multi factor authentication are a must to validate and only allow in authentic users. Access and security logs must be carefully analyzed to identify any suspicious activity.
3. Secure VPNs and patch updates. VPNs hit the headlines at the start of the pandemic because many companies reinstated VPNs that were previously disabled without patching them first. Hackers took advantage of the situation, scanning for devices that they could exploit. Routine patching must be part of the security model and must be a top priority when it comes to safeguarding a business with work-from-home employees.
4. Secure the cloud. The cloud and “on demand” models have become hugely important for helping users access the applications they need to do work from anywhere. While this shift to the cloud has its productivity benefits, it has not come without its security challenges. It is important to remember that cloud environments are not automatically secure when they are first created. Securing them requires knowledge and time. To keep business safe, security controls must span all environments – providing 360-degree application protection for both the application surface and the cloud application infrastructure.
5. Know your suppliers. The SolarWinds vulnerability highlighted the need for companies to thoroughly evaluate the tools and services they integrate into their operations. This includes the careful installation and configuration of the product or service, tracking patches and new releases from the vendor, and monitoring for any suspicious behavior. In a highly sensitive environment, some companies may choose not to use third-party products or services.
6. Know the enemy. From nation-state attacks and climate hacktivists to disgruntled employees, security teams need to understand the techniques, tactics, and procedures used by malicious actors. By getting to know their adversaries, security will be better prepared to detect and evict threat actors who might be targeting their environment. Many security companies issue threat alerts that can be used to gather the latest intel to inform a security strategy. Continuous monitoring and analysis are required to detect and respond to these threats as soon as possible.
7. Maintain visibility. Companies need to make sure they can maintain visibility and consistency of security control posture across a collection of platforms, infrastructures, and technologies. Having visibility and control via security and development dashboards is a must. These dashboards should provide actionable analytics, automation, and customized controls.
8. Balance the load. Companies need sufficient capacity to balance the load on the network and scale to meet the needs of remote workers. After all, there is no point in having a secure network if every time it is accessed by large numbers of employees it fails because it can’t cope with demand. Since employee productivity depends on applications being available and accessible, CISOs must find appropriate solutions that provide business continuity. Those with multiple data centers should use global load balancing to ensure availability across data centers and the cloud.
CISOs have much to address moving forward in the new year. Fortunately, these eight resolutions can help ensure continuous improvements for safely navigating the new (out-of-) office reality.
How to keep your home office Safe and Secure
Hybrid Work Management
![Hybrid Work Management: How to Manage a Hybrid Team in the New Workplace (A super-short book about how to analyze, plan, manage, and evaluate your team’s hybrid work arrangement) by [Hassan Osman]](https://m.media-amazon.com/images/I/41XzC+EMOFL.jpg)
Jan 02 2022
NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager
NIST Cybersecurity Framework
![NIST Cybersecurity Framework: A pocket guide by [Alan Calder]](https://m.media-amazon.com/images/I/31zbdJvBpPL.jpg)
Data Governance
Dec 06 2021
SECURITY GUIDANCE FOR 5G CLOUD INFRASTRUCTURES
Prevent and Detect Lateral Movement
Security and Privacy Preserving for IoT and 5G Networks: Techniques, Challenges, and New Directions
Related articles:
The Best & Worst States in America for Online Privacy
Wireless Wars: China’s Dangerous Domination of 5G
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Nov 29 2021
A guide to internet safety for kids
As a resource, the internet is a wonderful place for children to learn, explore ideas, and express themselves creatively. The internet is also key in a child’s social development, helping to strengthen communication skills, for example when playing games or chatting with friends.
However, parents should be aware that all these activities often come with risks. Kids online can be exposed to inappropriate content, cyberbullying, and even predators.
While keeping an eye on what your children see and do online helps protect them against these risks, it’s not easy monitoring your kids without feeling like you’re invading their privacy. Just asking what websites they visit may give the impression that you don’t trust your child.
The key to combatting any big risk is education. It’s important for you and your children to be aware of the dangers, how to protect against them, and how to identify the warning signs. This is why we’ve put together this guide, to help both you and your kids* understand how to navigate the internet safely.
*Look out for our “For Kids” tips below, which you can share with your kids and teens.
A 2020 study by the Pew Research Center found that:
- 86% of parents of a child under age 11 limit their child’s screen time, while 75% check what their child does online.
- 71% of parents of a child age 11 or under are concerned their child has too much screen time.
- 66% of parents think parenting is harder today than it was 20 years ago, with 21% blaming social media in general.
- 65% of parents believe it’s acceptable for a child to have their own tablet computer before age 12.
More on Online Threats to Kids…
Complete Gambling Addiction Guide – Help for Problem Gambling
Nov 19 2021
DuckDuckGo Wants to Stop Apps From Tracking You on Android
At the end of April, Apple’s introduction of App Tracking Transparency tools shook the advertising industry to its core. iPhone and iPad owners could now stop apps from tracking their behavior and using their data for personalized advertising. Since the new privacy controls launched, almost $10 billion has been wiped from the revenues of Snap, Meta Platform’s Facebook, Twitter, and YouTube.
Now, a similar tool is coming to Google’s Android operating system—although not from Google itself. Privacy-focused tech company DuckDuckGo, which started life as a private search engine, is adding the ability to block hidden trackers to its Android app. The feature, dubbed “App Tracking Protection for Android,” is rolling out in beta from today and aims to mimic Apple’s iOS controls. “The idea is we block this data collection from happening from the apps the trackers don’t own,” says Peter Dolanjski, a director of product at DuckDuckGo. “You should see far fewer creepy ads following you around online.”
The vast majority of apps have third-party trackers tucked away in their code. These trackers monitor your behavior across different apps and help create profiles about you that can include what you buy, demographic data, and other information that can be used to serve you personalized ads. DuckDuckGo says its analysis of popular free Android apps shows more than 96 percent of them contain trackers. Blocking these trackers means Facebook and Google, whose trackers are some of the most prominent, can’t send data back to the mothership—neither will the dozens of advertising networks you’ve never heard of.
From a user perspective, blocking trackers with DuckDuckGo’s tool is straightforward. App Tracking Protection appears as an option in the settings menu of its Android app. For now, you’ll see the option to get on a waitlist to access it. But once turned on, the feature shows the total number of trackers blocked in the last week and gives a breakdown of what’s been blocked in each app recently. Open up the app of the Daily Mail, one of the world’s largest news websites, and DuckDuckGo will instantly register that it is blocking trackers from Google, Amazon, WarnerMedia, Adobe, and advertising company Taboola. An example from DuckDuckGo showed more than 60 apps had tracked a test phone thousands of times in the last seven days.Most Popular
My own experience bore that out. Using a box-fresh Google Pixel 6 Pro, I installed 36 popular free apps—some estimates claim people install around 40 apps on their phones—and logged into around half of them. These included the McDonald’s app, LinkedIn, Facebook, Amazon, and BBC Sounds. Then, with a preview of DuckDuckGo’s Android tracker blocking turned on, I left the phone alone for four days and didn’t use it at all. In 96 hours, 23 of these apps had made more than 630 tracking attempts in the background.
Using your phone on a daily basis—opening and interacting with apps—sees a lot more attempted tracking. When I opened the McDonald’s app, trackers from Adobe, cloud software firm New Relic, Google, emotion-tracking firm Apptentive, and mobile analytics company Kochava tried to collect data about me. Opening the eBay and Uber apps—but not logging into them—was enough to trigger Google trackers.
At the moment, the tracker blocker doesn’t show what data each tracker is trying to send, but Dolanjski says a future version will show what broad categories of information each commonly tries to access. He adds that in testing the company has found some trackers collecting exact GPS coordinates and email addresses.
“You should see far fewer creepy ads following you around online.”
PETER DOLANJSKI, DUCKDUCKGO
DuckDuckGo Wants to Stop Apps From Tracking You on Android
Oct 19 2021
WFH is here to stay: Five tactics to improve security for remote teams
Working from home comes with a slew of security concerns. Businesses planning to look at remote work as a long-term strategy should take the time to reassess any “band-aid” security solutions that may have been applied at the beginning of the pandemic and look at ways that security can be prioritized permanently.
Sep 19 2021
The digital identity imperative
But creating an identity layer wasn’t imperative for the creators of the internet as they didn’t predict the emergence of online platforms that facilitate people-to-people interaction.
The digital presences most of us have are based on browsing or consumer habits and are siloed within various accounts and social networks. Indeed, they don’t present an accurate picture of our unique identifiers and who we are.
Building an identity layer is complex
Establishing a verified digital identity is a complex process. Authenticating that a person performing an action online is who they say they are, and then validating that they exist is tedious for two major reasons.
The digital identity imperative
Self-Sovereign Identity
Sep 10 2021
Digital Driver’s Licenses: Unintended Consequences
Maryland recently joined seven other U.S. states to permit users to carry “digital driver’s licenses.” Under the program—which initially will work with Apple devices like iPhones—users can download a digital credential—a digital driver’s license—to their phones. The digital ID would be carried in the Apple digital wallet in much the same way as a regular ID is carried in a regular wallet. The digital driver’s license is based on the International Standards Organization (ISO) standard which is described more fully here.
Obviously, there are issues here related to the security of the credential, the degree of authentication necessary to obtain the credential, whether the credential can be simultaneously loaded into multiple devices and whether I can “loan” my driver’s license to my identical twin brother (yes, I have an identical twin brother). Moreover, for the credential to be meaningful, it must permit both local and connected validation—that is, a police officer needs to be able to check to see if you have an apparently valid ID at the scene of a violation or accident without access to online verification and they must also be able to validate the ID against some online database. In addition, we need to decide who has access to the digital validation protocols—police and other traffic enforcement officials? TSA or transportation security officials? The dude at the front desk of the office building? The bouncer at the bar? The server serving alcohol? The resident associate (RA) checking people in at the college dorm? Are there any controls on who can access these credential validation services and for what purpose? A digital credential is much easier to spoof (simply do a screenshot) if there is no ability to validate online. Moreover, the validation must be robust enough to work reasonably well offline—things like a photo ID, a watermark, etc. You know, all the stuff we put on the “real ID” driver’s license.
Digital Driver’s Licenses: Unintended Consequences
Sep 09 2021
50 Key Stats About Freedom of the Internet Around the World
50 Key Stats About Freedom of the Internet Around the World
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
Digital Rights
Freedom of Information
Right to Internet Access
Freedom from Internet Censorship
Net Neutrality
The Bottom Line
Freedom and the Future of the Internet
Aug 15 2021
List of mandatory documents required by ISO 45001
By Luke Irwin
ISO 45001 is the international standard that contains best practices for OH&S (occupational health and safety). Its goal is to reduce injuries and diseases in the workplace, including the promotion and protection of physical and mental health.
It’s an issue that’s more important than ever. In addition to the 2.78 million deaths and 374 million injuries each year from workplace incidents, countless others face mental health issues.
COVID-19 helped put some of those problems into relief, but it’s something organisations must continue to be vigilant about as the pandemic subsides.
In this blog, we look at the mandatory documentation and records you must complete to comply with ISO 45001 – as well as non-mandatory documents that can support your compliance activities.
Mandatory documentation
- Clause 4.3 Scope of the OH&S management system
- Clause 5.2 OH&S policy
- Clause 5.3 Responsibilities and authorities within OH&SMS
- Clause 6.1.1 OH&S process for addressing risks and opportunities
- Clause 6.1.2.2Methodology and criteria for assessment of OH&S risks
- Clause 6.2.2 OH&S objectives and plans for achieving them
- Clause 8.2 Emergency preparedness and response process
Mandatory records
- Clause 6.1.1 OH&S risks and opportunities and actions for addressing them
- Clause 6.1.3 Legal and other requirements
- Clause 7.2 Evidence of competence
- Clause 7.4.1 Evidence of communications
- Clause 8.2 Plans for responding to potential emergency situations
- Clause 9.1.1 Results on monitoring, measurements, analysis and performance evaluation
- Clause 9.1.1 Maintenance, calibration or verification of monitoring equipment
- Clause 9.1.2 Compliance evaluation results
- Clause 9.2.2 Internal audit program
- Clause 9.2.2 Internal audit report
- Clause 9.3 Results of management review
- Clause 10.2 Nature of incidents or nonconformities and any subsequent action taken
- Clause 10.2 Results of any action and corrective action, including their effectiveness
- Clause 10.3 Evidence of the results of continual improvement
Non-mandatory documents
In addition to mandatory documentation, there are many other parts of ISO 45001 that organisations may find relevant. This includes:
- Clause 4.1 Procedure for determining context of the organization and interested parties
- Clause 5.4 Procedure for consultation and participation of workers
- Clause 6.1.2.1 Procedure for hazard identification and assessment
- Clause 6.1.3 Procedure for identification of legal requirements
- Clause 7.4.1 Procedure for communication
- Clause 7.5 Procedure for document and record control
- Clause 8.1 Procedure for operational planning and control
- Clause 8.1.3 Procedure for change management
- Clause 9.1.1 Procedure for monitoring, measuring and analysis
- Clause 9.1.2 Procedure for compliance evaluation
- Clause 9.2 Procedure for internal audit
- Clause 9.3 Procedure for management review
- Clause 10.1 Procedure for incident investigation
- Clause 10.1 Procedure for management of nonconformities and corrective actions
- Clause 10.3 Procedure for continual improvement
Establishing an OH&S management system
Those looking for more advice tackling occupational health and safety may be interested in Establishing an occupational health & safety management system based on ISO 45001.
This book, written by consultant and trainer Naeem Sadiq, explains how organisations can use ISO 45001’s requirements to create a safer work environment.
You’ll find out the purpose and requirements of each clause in ISO 45001, learn how to build an OH&S management system in a step-by-step approach and receive real-world examples of health and safety issues along with the ideal way to handle that situation.
« Previous Page — Next Page »
