"One of the trends we’ve seen is how, as the word of the NSA’s spying has spread, more and more ordinary people want to know how (or if) they can defend themselves from surveillance online. But where to start? The bad news is: if you’re being personally targeted by a powerful intelligence agency like the NSA, it’s very, very difficult to defend yourself. The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone."
"The Fourth Circuit Court of Appeals is in the process of deciding the first legal challenge to government seizure of the master encryption keys that secure our communications with web sites and email servers. The case could decide the future reliability of encryption protocols to protect all Internet communications. While the government wants these keys to decrypt user information, there is really no acceptable way for the Court to order a secure communications service to break its encryption protocol. The danger to innocent users is too great, and there are network effects that would shatter critical trust in SSL implementation as a whole."
"The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), ‘Improving Critical Infrastructure Cybersecurity’ on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework (‘Framework’) that provides a ‘prioritized, flexible, repeatable, performance-based, and cost-effective approach’ for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk."
"Each time you make a phone call with your mobile phone, the (i) date, (ii) time and (iii) duration of your phone call, as well as the (iv) numbers dialed and the (v) location of the antennas (or region (Cell ID)) your mobile phone connects to are retained by your telecommunication service provider. The data is retained in order to ensure the availability of the data for serious crime investigations by law enforcement authorities. The Dutch Minister of Safety and Justice believes that data collection orders from third parties only create ‘minor infringements’ to your right to privacy. Taking this into account, he reasons that the poorly enforced requirement that law enforcement authorities must notify individuals about data collection orders when reasonably possible, causes too much of an administrative burden and should therefore be abolished. […] But ask yourself: do you know exactly what data is retained by telecommunication providers? And does data retention create only ‘minor’ privacy infringements? Is this a valid argument to get rid of the notification requirements?"
"Many attempts have been made to replace the ubiquitous username-and-password authentication scheme in order to improve user security, privacy and usability. However, none of the proposed methods have gained wide-spread user acceptance. In this paper, we examine the users’ perceptions and concerns on using several alternative authentication methods on the Internet. We investigate the adoption of the new German national identity card, as it is the first eID-enabled card with dedicated features to enable privacy-preserving online authentication. Even though its large-scale roll-out was backed by a national government, adoption rates and acceptance are still low. We present results of three focus groups as well as interviews with service providers, showing that preserving privacy is just one of several factors relevant to the acceptance of novel authentication technologies by users as well as service providers."
"An identity theft service that sold Social Security and driver’s license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity."
From the blog post by Dan Cooper and Colin Warriner (Inside Privacy):
"Delfi AS owns one of Estonia’s largest news websites. In January 2006, it published an article about changes to a ferry company’s route that attracted many offensive and threatening comments about the ferry owner from users of the site. The ferry owner successfully sued Delfi for defamation, and the Estonian court awarded it 5,000 kroons (EUR 320). The Estonian Supreme Court dismissed Delfi’s appeal in 2009, so Delfi went to the ECHR to complain that being held liable for its readers’ comments violated its freedom of expression under Article 10 of the European Convention on Human Rights."
"This report has been commissioned by BIS to map out the UK’s cyber security industry, and capture its dynamics. […] Within the broad IT sector, there are four major but inter-dependent trends that are reshaping the capabilities of technology and also restructuring the fundamental market dynamics of the industry. These trends are: cloud computing; mobility; social computing; and big data & analytics. These four key trends are driving growth in the IT sector, and their relationship with cyber security is fundamental. Each of these trends both impacts and is impacted by cyber security and that impact can be either positive or negative. Cyber security, then, is tied intrinsically to the shape of the overall IT market."
"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this except to stop using it until the developers can update it."
"We are entering the era of ubiquitous genetic information for research, clinical care, and personal curiosity. Sharing these datasets is vital for rapid progress in understanding the genetic basis of human diseases. However, one growing concern is the ability to protect the genetic privacy of the data originators. Here, we technically map threats to genetic privacy and discuss potential mitigation strategies for privacy-preserving dissemination of genetic data."
"They started small. They took a single article from USA Today, isolated select phrases, and inputted them into their password crackers. Within a few weeks, they expanded their sources to include the entire contents of Wikipedia and the first 15,000 works of Project Gutenberg, which bills itself as the largest single collection of free electronic books. Almost immediately, hashes from Stratfor and other leaks that remained uncracked for months fell. One such password was ‘crotalus atrox.’ That’s the scientific name for the western diamondback rattlesnake, and it ended up in their word list courtesy of this Wikipedia article. The success was something of an epiphany […]"
"Although the ePrivacy Directive stipulates the need for consent for the storage of or access to cookies, the practical implementations of the legal requirements vary among website operators across EU Member States. […] Taking into account the different interpretations of the e-Privacy Directive among stakeholders and the respective practical implementations, the emerging question is: what implementation would be legally compliant for a website that operates across all EU Member States?"
"In this paper, we report on the design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters. Instead of relying on information about known fingerprinters or third-party-tracking blacklists, FPDetective focuses on the detection of the fingerprinting itself. By applying our framework with a focus on font detection practices, we were able to conduct a large-scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated. Moreover, we analyze two countermeasures that have been proposed to defend against fingerprinting and find weaknesses in them that might be exploited to bypass their protection. Finally, based on our findings, we discuss the current understanding of fingerprinting and how it is related to Personally Identifiable Information, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting."
"The three most striking points that we know at this stage are (i) the scale of the monitoring that has been going on, (ii) the number of private actors, including well known internet giants, that have apparently been involved, either actively or passively, and (iii) the development of weaknesses and backdoors in encryption, with far reaching perverse effects and very great damage to the public trust. At this stage, there seems to be little doubt that we are facing an existential challenge to our fundamental rights and liberties. We must therefore be prepared to ‘draw a line in the sand’."