DCMS publishes consultation on NIS Directive for Digital Service Providers

By | News, Security

The Department for Digital, Culture, Media and Sport (DCMS) has published a targeted consultation to seek views on how the Government intends to implement the Network and Information Systems (NIS) Directive in relation to Digital Service Providers (DSPs) in the UK. This follows the publication of the Implementing Act for DSPs by the European Commission in January 2018.

The Government states that the UK will define DSPs in the same way as set out in the Directive, which means that DSPs will encompass “online marketplaces”, “online search engines”, and “cloud computing services”.

As the Government has previously stated, the Information Commissioner’s Office (the ICO) will be responsible for regulating DSPs in the UK in the context of the NIS Directive. As part of this role, the ICO will produce guidance to help DSPs establish whether they are in scope of the Directive. The consultation states that the ICO will also, after 10 May 2018 when the Directive comes into force, “establish a system in order for UK DSPs to register themselves with the ICO.” The Government states that this system “is necessary in order for the ICO to know who is required to meet the requirements of the Directive and who they need to regulate”, and that it is considering making registration mandatory.

The ICO will also publish guidance to ensure that DSPs understand their obligations under the Directive. This guidance will take into account the Technical Guidelines for the implementation of minimum security measures for Digital Service Providers published by the European Network and Information Systems Agency (ENISA) in 2017. This, according to the Government, will ensure that there is a consistent approach across Europe.

The ICO, along with the other relevant regulatory authorities, will have the power to recover the costs of regulating the NIS Directive. In this context, the Government expects that the ICO, in line with common practice in other regulations such as the GDPR, will levy an annual fee on DSPs, in addition to recovering direct costs involved in any regulatory investigations. The consultation states that the amount of this fee has not yet been determined and will be published by the ICO in due course.

The closing date for responses to the consultation is 29 April 2018.

Malaysian penalty for “fake news”: 10 years in jail

By | Content Issues, International, News

The Malaysian government has brought forward a bill in Parliament that sets the penalty for publishing so-called “fake news” online at up to ten years in jail plus a fine of 500,000 MYR (about £90,000), Reuters reports.


“The proposed Act seeks to safeguard the public against the proliferation of fake news whilst ensuring the right to freedom of speech and expression under the Federal Constitution is respected,” the government said in the bill.

The bill gives a broad definition to fake news, covering “news, information, data and reports which is or are wholly or partly false”. It seeks to apply the law extra-territorially, to anything published on the Internet provided Malaysia or Malaysians are affected by the article.

“Fake news” has become an increasingly popular target of political attack since Donald Trump popularised the term in his battles with CNN and other major broadcasters. In the UK, a Parliamentary Select Committee recently held their first ever hearings in Washington DC on the subject, summoning social media platforms to be lambasted for failing to suppress allegedly “fake news”. The Prime Minister’s office established a new unit to counter fake news in January.

So far, however, no UK government Minister has suggested jailing people for writing something on the Internet that isn’t right.

Council of Europe publishes guidelines for Internet intermediaries

By | International, News

The Council of Europe has published a Recommendation to Member States on the roles and responsibilities of Internet intermediaries. The Recommendation declares that access to the Internet is a precondition for the ability effectively to exercise fundamental human rights, and seeks to protect users by calling for greater transparency, fairness and due process when interfering with content. The Recommendation also calls for greater respect for user privacy.

The Recommendation’s key provisions aimed at governments include:

  • Public authorities should only make “requests, demands or other actions addressed to internet intermediaries that interferes with human rights and fundamental freedoms” when prescribed by law. This means they should avoid asking intermediaries to remove content under their terms of service or to make their terms of service more restrictive.
  • Legislation giving powers to public authorities to interfere with Internet content should clearly define the scope of those powers and available discretion, to protect against arbitrary application.
  • When internet intermediaries restrict access to third-party content based on a State order, State authorities should ensure that effective redress mechanisms are made available and adhere to applicable procedural safeguards.
  • When intermediaries remove content based on their own terms and conditions of service, this should not be considered a form of control that makes them liable for the third-party content for which they provide access.
  • Member States should consider introducing laws to prevent vexatious lawsuits designed to suppress users’ free expression, whether by targeting the user or the intermediary. In the US, these are known as “anti-SLAPP laws”.

The Recommendation’s provisions aimed at service providers include:

  • A “plain language” requirement for terms of service.
  • A call to include outside stakeholders in the process of drafting terms of service.
  • Transparency on how restrictions on content are applied, when, and detailed information on how algorithmic and automated means are used.
  • Transparency reporting.
  • Effective remedies and complaints mechanisms for users who wish to dispute restriction of their service or content. “all remedies should allow for an impartial and independent review of the alleged violation [of users’ rights to expression]. These should – depending on the violation in question – result in inquiry, explanation, reply, correction, apology, deletion, reconnection or compensation”.

The Council of Europe is an intergovernmental body entirely separate from the European Union. With 47 member states, it seeks to promote democracy, human rights and the rule of law, including by monitoring adherence to the rulings of the European Court of Human Rights. Its Recommendations are not legally binding on Member States, but are very influential in the development of national policy and of the policy and law of the European Union.

ICANN protects .home, .mail and .corp from registration

By | DNS, Internet Governance, News

ICANN has announced that it will not delegate the new top-level domains .home, .mail and .corp, effectively turning these domains into reserved strings. The move acts to protect organisations that already use these domains to indicate IT resources on their own local network.

These three domains have been found to have been widely used by organisations for internal use, even though they are not available from ICANN. Numerous representations have been made to ICANN that delegating these domains would cause “string collision”, including by ICANN’s own Security and Stability Advisory Committee. String collision occurs when the same domain is used by different parties, recognised by different DNS resolver trees, meaning that the user may not be directed to the resource they expect. This can pose a risk of phishing fraud. String collision is normally considered a risk of a split DNS root (i.e. someone trying to usurp ICANN’s job), but can also occur when individual organisations make “private” use of an unregistered domain on their own network.

For example, if .corp were available for registrations then someone that registered fileserver.corp might receive traffic that users expected to go to a fileserver on their own corporate network – a clear security risk. By preventing these top level domains being delegated, ICANN has removed that threat from corporate networks already making use of them.
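The fileserver.corp scenario above can be checked against an organisation's own name inventory. The following is an added example, not part of the original article or any ICANN tooling: it models a stub resolver's search-list expansion and compares two resolver trees. All hostnames, addresses, the search list and the "if delegated" public view are constructed assumptions.

```python
# Added example: audit internal names for string collision with the three
# TLDs named in the article. All data below is constructed for illustration.

RESERVED_TLDS = {"home", "mail", "corp"}  # strings ICANN will not delegate


def candidates(name, search_list):
    """Return the FQDNs a stub resolver would try, in order.

    Simplified model of the common resolv.conf behaviour with ndots:1:
    a trailing dot means "absolute, no search list"; a name containing a
    dot is tried as-is first; a bare label is tried with suffixes first.
    """
    name = name.lower()
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{suffix}" for suffix in search_list]
    return [name] + suffixed if "." in name else suffixed + [name]


def first_answer(name, search_list, view):
    """First candidate answered by one resolver tree (a name -> address dict)."""
    for fqdn in candidates(name, search_list):
        if fqdn in view:
            return fqdn, view[fqdn]
    return None, None


def audit(names, search_list, internal_view, public_view):
    """Report names whose internal answer lives under a reserved TLD.

    Each finding is (typed name, internal FQDN, internal address,
    public address or None, status). A COLLISION means the same typed name
    resolves to a different party on the public tree, e.g. when a laptop
    is used off the corporate network.
    """
    findings = []
    for name in names:
        fqdn, inside = first_answer(name, search_list, internal_view)
        if fqdn is None or fqdn.rsplit(".", 1)[-1] not in RESERVED_TLDS:
            continue  # not served internally, or not under .home/.mail/.corp
        _, outside = first_answer(name, search_list, public_view)
        if outside is None:
            status = "no public answer"
        elif outside != inside:
            status = "COLLISION"
        else:
            status = "same answer"
        findings.append((name, fqdn, inside, outside, status))
    return findings


# Constructed sample data (documentation and private address ranges only).
SEARCH_LIST = ["corp"]
NAMES = ["fileserver", "intranet.corp", "www.example.com", "printer.home."]
INTERNAL_VIEW = {
    "fileserver.corp": "10.0.0.5",
    "intranet.corp": "10.0.0.8",
    "printer.home": "192.168.1.20",
}
# Public tree as it is with the three strings reserved.
PUBLIC_TODAY = {"www.example.com": "198.51.100.7"}
# Hypothetical public tree if .corp had been delegated and a third party
# had registered fileserver.corp, as in the article's example.
PUBLIC_IF_DELEGATED = dict(PUBLIC_TODAY, **{"fileserver.corp": "203.0.113.10"})

if __name__ == "__main__":
    for label, public in (("reserved", PUBLIC_TODAY),
                          ("if delegated", PUBLIC_IF_DELEGATED)):
        print(f"--- public tree: {label}")
        for finding in audit(NAMES, SEARCH_LIST, INTERNAL_VIEW, public):
            print(finding)
```

Names flagged here still depend on an undelegated string; moving them under a domain the organisation has registered removes the dependency on ICANN's reservation.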

Government conclusions on NIS implementation

By | News, Security

The UK Department for Digital, Culture, Media & Sport (DCMS) has published its response to the replies it received to last year’s public consultation on implementation of the Network Information Security Directive (NIS-D). Finding broad support from responders for its proposed approach, it intends to press ahead largely unchanged, but with altered thresholds and adjustments to the penalty regime.

In regard to Internet Exchange Points, the government has dropped port capacity as the criterion for identifying essential services; any particular threshold would quickly have become out of date. Instead, the qualifying criteria will be based on market share and routing table coverage. An IXP operator will qualify as an essential service if it has:

  • “50% or more annual market share amongst UK IXP Operators in terms of interconnected autonomous systems”, or if it
  • “offer[s] interconnectivity to 50% or more of Global Internet routes”

The thresholds for DNS providers have also been changed:

  • Operators of TLD registries will qualify as operators of essential services if they service an average of 2 billion queries or more per day (threshold unchanged);
  • Operators of DNS resolvers will qualify as operators of essential services if they service an average of 2 million DNS clients per day (changed from 60 million DNS queries per day). Moreover, only resolvers for publicly accessible services will count, which may exclude some public and academic sector operators.
  • Additionally, operators of authoritative DNS hosting will also be brought into scope of NIS-D, for operators who host 250,000 domain names or more, again for public services.

The penalty regime has been simplified as a straightforward maximum fine of £17 million. This replaces a two-tier structure of up to €20 million or 4% of global turnover for failure to implement appropriate security measures, and €10 million or 2% of global turnover for other offences. For many, but not all, of the affected businesses this will be a reduction in their exposure.

Another change is that incident reporting will be viewed as a compliance operation, for the operator to register the existence of a security incident with the regulator, separate from incident response. This is intended to protect the existing co-operative relationship operators have with the National Cyber Security Centre and other government protective services.

The government has also made adjustments to the draft “high level security principles” with which operators will be required to comply, in some cases so as to make the expectation more specifically require a good outcome, rather than merely a good process.

The government has confirmed that it will proceed with the approach of using sector-specific regulators as the regulator for NIS-D, resulting in having multiple “Competent Authorities”. This was broadly welcomed by affected businesses. Accordingly, the NIS-D regulator for Digital infrastructure (IXPs and DNS providers) will be Ofcom.

ECJ to rule on whether Facebook must actively seek out hate speech

By | Content Issues, News

The Austrian Supreme Court has asked the European Court of Justice to rule on whether Facebook should actively search for hate speech posted by users.  The original lawsuit against Facebook was filed by Eva Glawischnig, the former leader of the Austrian Green Party, in 2016, after Facebook refused to take down what she claimed were defamatory postings about her.

Last year, an Austrian appeals court ruled in favour of Glawischnig, ordering Facebook to remove the hate speech postings – both the original posts and any verbatim repostings of the same comments – not just in Austria but worldwide. The Austrian Supreme Court has asked the ECJ to look at two issues: 1. Whether Facebook needs to actively look for similar posts, instead of just reposts, and 2. Whether such content needs to be removed globally.

The case comes amidst concerted pressure in Europe for social media platforms to do more to tackle hate speech. A new hate speech law in Germany, known as the network enforcement act, requires companies to remove or block criminal content within 24 hours, or seven days for complex cases, of it being reported. The law has already attracted controversy, despite only being actively enforced since 1 January 2018, after Twitter deleted a post by the German justice minister, Heiko Maas, dating back to 2010 before he was appointed to the role, calling a fellow politician “an idiot”. Twitter has also deleted anti-Muslim and anti-migrant posts by the far-right Alternative for Germany (AfD) party and blocked a satirical magazine’s account after it parodied the AfD’s anti-Muslim comments. The German Government has said that an evaluation will be carried out within six months to examine how well the new law is working.

Meanwhile, the European Commission has kept up the pressure on tech companies calling for them “to step up and speed up their efforts to tackle these threats quickly and comprehensively” and reiterating that it would “if necessary, propose legislation to complement the existing regulatory framework.”

UK Government to set up new unit to tackle fake news

By | Content Issues, News

The UK government has announced that it will set up a new unit to counter “fake news” and disinformation. The government said that the “dedicated national security communications unit”, which is already being dubbed the “Ministry of Truth”, would be charged with “combating disinformation by state actors and others”. As yet, there is no further information on where the unit will be based or who will staff it.

The Digital, Culture, Media and Sport Committee is currently carrying out an inquiry into “fake news” and has requested information from Facebook and Twitter including on Russian activity during the EU referendum campaign.

IPO launches copyright lessons for seven-year olds

By | Content Issues, News

The UK’s Intellectual Property Office (IPO) has launched a new campaign to teach children about online copyright infringement. In a bid to make intellectual property “fun”, the IPO has produced a range of teaching materials for seven- to 11-year-olds, which centres on a series of cartoons following the adventures of Nancy and the Meerkats.

According to the BBC:

The five-minute cartoons tell the story of would-be pop star Nancy, a French bulldog, who battles her ideas-stealing, feline nemesis, Kitty Perry, and teaches friends, including Justin Beaver and a rather dim Welsh sheep called Ed Shearling, about the importance of choosing an original band name and registering it as a trademark.

The IPO, which believes learning to “respect” copyrights and trademarks is a “key life skill”, is spending £20,000 on the campaign, which is part-funded by the UK music industry.

UK to tighten takeover rules to protect national security

By | News, Security

The UK Department for Business, Energy and Industrial Strategy (BEIS) has published a Green Paper with plans to bolster government powers to intervene in corporate mergers and takeovers involving high-tech goods and services to protect national security, and is consulting on what other powers it might need.

In the short term, the government will reduce the turnover threshold that limits its existing powers to intervene in corporate takeovers. At the moment, the Competition and Markets Authority powers only apply to takeovers where the target company has a turnover of at least £70m per year. For companies producing goods and services for military use, or “dual-use” technologies that can be used for military purposes, this is to be reduced to cover any company with a turnover in excess of £1 million. It will also reduce the takeover threshold to £1 million turnover per annum for companies involved in the creation, design or support of “multi-purpose computing hardware” and quantum-based technology.
 
In the longer term, the government is looking at a range of options, including

  • extending existing powers to intervene in corporate takeovers, so that they would also apply to new projects, the acquisition of land near sensitive locations, and the sale of “bare assets” (e.g. equipment, intellectual property, or divisions of a business) not involving the sale of the entire company; and
  • creating a mandatory obligation on companies to notify the Competition and Markets Authority when they are targeted for takeover.

The deadline for commenting on the changes to takeover thresholds is 14th November 2017, and for the longer term reforms is 9th January 2018.

UK Government publishes Internet Safety green paper

By | Content Issues, Malware and DOS attacks, News

The UK Government has announced proposals for a voluntary levy on Internet companies “to raise awareness and counter internet harms”. The government has said that the levy would target issues such as cyberbullying, online abuse and children being exposed to pornography on the Internet.

The levy is one of a series of measures proposed in the Internet Safety Green Paper, which is the result of a consultation launched in February. The other measures include:

  • A new social media code of practice to require more intervention by social media companies against allegedly bullying, intimidating or humiliating content
  • An annual Internet safety transparency report, to help government track how fast social media companies remove material that has been the subject of a complaint
  • Demands for tech and digital startups to “think safety first”, prioritising features to facilitate complaints and content removal as functionality that must be built into apps and products from the very start

All the measures will be voluntary although the government has not ruled out legislating if companies refuse to take part. In remarks that will be of concern to Internet companies, the Culture Secretary Karen Bradley hinted that the government could change the legal status of social media companies, to deem them publishers rather than platforms, which could mean even greater regulation of their users’ content.

“Legally they are mere conduits but we are looking at their role and their responsibilities and we are looking at what their status should be. They are not legally publishers at this stage but we are looking at these issues,” she said.

The consultation will close on 7 December, and the government expects to respond in early 2018.

Amber Rudd focusses on Internet in conference speech

By | Content Issues, News

Home Secretary Amber Rudd focussed on Internet policy issues in her speech to the Conservative Party Conference in Manchester. The Home Secretary reiterated her demands for Internet platforms to do more to combat terrorism and child abuse.

Rudd announced plans to tighten terrorism laws to criminalise merely viewing terrorist content, as opposed to keeping a copy found on the Internet, as well as new legislation to criminalise publishing information about the police or armed forces for the purposes of preparing an act of terrorism. Internet companies, however, will be most directly concerned with the demands the Home Secretary made directly of them.

“But it is not just Government who has a role here. In the aftermath of the Westminster Bridge attack, I called the internet companies together. Companies like Facebook, Google, Twitter and Microsoft. I asked them what they could do, to go further and faster.

They answered by forming an international forum to counter terrorism. This is good progress, and I attended their inaugural meeting in the West Coast.

These companies have transformed our lives in recent years with advances in technology.

Now I address them directly. I call on you with urgency, to bring forward technology solutions to rid your platforms of this vile terrorist material that plays such a key role in radicalisation.

Act now. Honour your moral obligations.”

— Home Secretary Amber Rudd

The Home Secretary announced that the government would be funding Project Arachnid, web-crawler software developed by the Canadian child protection Cybertipline, designed to search out child abuse imagery online.

“It is software that crawls, spider-like across the web, identifying images of child sexual abuse, and getting them taken down, at an unprecedented rate.

Our investment will also enable internet companies to proactively search for, and destroy, illegal images in their systems. We want them to start using it as soon as they can.

Our question to them will be ‘if not, why not’. And I will demand very clear answers.”

— Amber Rudd

Rudd also doubled down on previous attacks on end-to-end encryption in person-to-person messaging software:

“But we also know that end to end encryption services like Whatsapp, are being used by paedophiles. I do not accept it is right that companies should allow them and other criminals to operate beyond the reach of law enforcement.”

— Amber Rudd

Speaking earlier at a conference fringe event, she hit back at critics who accuse her of fighting a war against mathematics, saying:

“I don’t need to understand how encryption works”,

— Amber Rudd

And accusing tech experts of “patronising” and “sneering” at politicians who want to regulate technology.

Websites discovered using their users’ computers to mine cryptocurrency

By | General, News

Two websites have been discovered to be using their users’ computers and phones to mine cryptocurrency without their consent in a bid to compensate for the continuing collapse in online advertising revenues.

The two sites, BitTorrent search engine The Pirate Bay and US video streaming service Showtime, have now both removed the mining code from their sites after users noticed its existence. The Pirate Bay admitted the practice in mid-September, posting that the code was “just a test” and that it was carried out with a view to removing all adverts from the site. Showtime has yet to answer questions about why it was using the code.

The practice is controversial, and has been compared to running malware on users’ computers, as it slows down users’ machines and can also drain their batteries or greatly increase their electricity bills. Meanwhile, the user receives no benefit as all the revenue generated by the mining is collected by the website. The question is whether users will see this as an acceptable trade-off if sites begin to use it as an alternative solution to online ads.

UK prime minister calls on internet firms to remove extremist content within two hours

By | Content Issues, International, News

The UK prime minister, Theresa May, has told internet companies that they need to go “further and faster” in removing extremist content in a speech to the United Nations general assembly. The prime minister said that terrorist material is still available on the internet for “too long” after being posted and has challenged companies to find a way to remove it within two hours. The material in question can include links to videos glorifying terrorism and material encouraging converts to commit terrorist acts.

In her speech, May said:

“Terrorist groups are aware that links to their propaganda are being removed more quickly, and are placing a greater emphasis on disseminating content at speed in order to stay ahead.

Industry needs to go further and faster in automating the detection and removal of terrorist content online, and developing technological solutions that prevent it being uploaded in the first place.”

The UK, together with France and Italy, is demanding evidence of progress by the time of a meeting of G7 interior ministers in Rome on 20 October.

Electoral Commission proposes voting ban for social media trolls

By | News

The Electoral Commission has suggested social media trolls who abuse politicians should lose their right to vote, in a submission to the Committee on Standards in Public Life.

A voting ban “could act as a deterrent to abusive behaviour”, the Commission wrote in comments on the CSPL’s investigation into intimidation in the 2017 General Election. The Electoral Commission is the UK’s regulator for general and local government elections. The Electoral Commission wrote:

21. In some instances, electoral law does specify offences in respect of behaviour that could also amount to an offence under the general criminal law. This is often because electoral offences have special consequences, in that their commission could invalidate the election result and result in the person convicted losing their elected office and/or being subject to a period of disqualification from being registered as an elector, voting in an election and standing for election (section 173 RPA 1983). It may be that similar special electoral consequences could act as a deterrent to abusive behaviour in relation to candidates and campaigners.

MSPs warned cyber attack could last for days

By | Content Issues, Hacking, News

A cyber attack has recently impacted the Scottish Parliament. MSPs and their staff have been warned that they will be unlikely to be able to access their email accounts due to hackers launching a “brute force” cyber attack in an attempt to gain their passwords.

A brute force attack is a cyber attack that involves trying as many possible passwords as it takes to guess the correct one. Parliament chief executive Sir Paul Grice said that Parliament’s cyber systems were still under attack but there was no evidence that any systems had been breached: “At this point there is no evidence to suggest that the attack has breached our defences and our IT systems continue to be fully operational.” He went on to add that: “Staff from the BIT (Business Information Technology) Office are working closely with the NCSC and our suppliers to put in place additional security measures to continue to contain the incident and mitigate against any future attacks.”

It is not yet known which country the cyber attack originates from. It is believed, however, to be similar to the cyber attack launched on MPs earlier in June.

Cloudflare critiques own decision not to serve Daily Stormer

By | Content Issues, Hacking, News

Yesterday, Cloudflare ceased to provide caching and DDoS protection services for a far-right blog, the Daily Stormer, following claims by the latter that Cloudflare secretly supports their ideology. Cloudflare’s CEO has published a lengthy and thoughtful analysis of their decision, beginning:

Now, having made that decision, let me explain why it’s so dangerous.

One interesting tidbit concerns the nature of the pressure Cloudflare was under:

“In fact, in the case of the Daily Stormer, the initial requests we received to terminate their service came from hackers who literally said: ‘Get out of the way so we can DDoS this site off the Internet.’”

In an internal e-mail obtained by Gizmodo, Prince was blunt about his reasons for terminating Daily Stormer:

This was my decision. Our terms of service reserve the right for us to terminate users of our network at our sole discretion. My rationale for making this decision was simple: the people behind the Daily Stormer are assholes and I’d had enough.

Let me be clear: this was an arbitrary decision. It was different than what I’d talked with our senior team about yesterday. I woke up this morning in a bad mood and decided to kick them off the Internet. I called our legal team and told them what we were going to do. I called our Trust & Safety team and had them stop the service. It was a decision I could make because I’m the CEO of a major Internet infrastructure company.

Having made that decision we now need to talk about why it is so dangerous. I’ll be posting something on our blog later today. Literally, I woke up in a bad mood and decided someone shouldn’t be allowed on the Internet. No one should have that power.

Read the whole blog post on Cloudflare.com and Prince’s internal e-mail on Gizmodo.

Update note: This article was updated on 18th August to add the quotes from and link to the e-mail obtained by Gizmodo.

Sadiq Khan announces plans to deal with “Not-Spots”

By | Content Issues, News

The Mayor of London Sadiq Khan announced plans to help improve connectivity across London. One plan involves the creation of a “Not-Spot team” that will specifically target areas in London with low connectivity.

Another initiative entails encouraging local authorities to apply for the Government’s Digital Infrastructure Fund, which was set up to aid investment in full-fibre rollout. Relatedly, the announcement also encourages them to convene a Digital Connectivity Funding Forum that will support them in the application process and provide them with an avenue to share ideas on connectivity.

The plans will also highlight the role that Transport for London (TfL) has in bringing mobile connectivity to London Underground tunnels.


UK Government launches consultation on implementing NIS Directive

By | EU Legislation, News, Security

The UK Government has launched a consultation on its plans to implement the Security of Network and Information Systems Directive (“NIS Directive”). The NIS Directive was adopted by the European Parliament on 6 July 2016 and Member States have until 9 May 2018 to transpose the Directive into domestic legislation. The Government has emphasised that it supports the overall aim of the NIS Directive and that its intention is that this legislation will continue to apply in the UK even after the UK has left the EU.

The NIS Directive imposes obligations on two groups of businesses: “operators of essential services” and digital service providers. However, it does not affect network providers as they are already subject to similar obligations in the UK under Section 105 of the Communications Act 2003.

Under the Directive, operators of essential services including those in the energy, transport, water, healthcare and digital infrastructure sectors will have to take “appropriate and proportionate” security measures to manage the risks to their network and information systems. Operators of essential services will also be required to notify serious incidents to the relevant authority.

Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and incident notification requirements established under the Directive.

Organisations who fall in scope of the Directive will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after an event, with the capability to respond and restore systems. The Government has stated that “any operator who takes cyber security seriously should already have such measures in place.”

Organisations who fail to implement effective security measures could be fined as much as £17 million or 4 per cent of global turnover. The Government has said, however, that fines would be a last resort, and will not apply to operators that have “assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.”

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR).

The consultation closes on 30 September 2017.

For more information, see: Consultation on the Security of Network and Information Systems Directive

DCMS publishes statement of intent on Data Protection Bill

By | Content Issues, General, News

The Department for Digital, Culture, Media and Sport (DCMS) has recently published a statement of intent regarding the new Data Protection Bill which will implement the General Data Protection Regulation (GDPR) and the EU Data Protection Law Enforcement Directive (DPLED) into UK domestic law.

GDPR will come into effect across all EU member states from 25th May 2018. The main objective of GDPR and the Data Protection Bill is to give individuals greater control over their digital footprint. This entails rights such as individuals being allowed to ask social media platforms to delete material taken when they were children from the website.

Matt Hancock, Minister of State for Digital, said: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

It is believed the incorporation of GDPR into UK domestic law will help prepare the UK for a successful Brexit.

More about the development can be found here.

Phishing scam affects Newcastle University

By | Content Issues, News, News Sources

A phishing scam has recently affected Newcastle University, potentially duping many prospective students out of their money. The scam centres on a mysterious individual or group of people operating under the deceptive title of “Newcastle International University” with a very realistic-looking website, URL and email address.

One expert described the spoofing attack as an “effective scam” and admitted that the culprit(s) of the phishing scam have put substantial time into creating a seemingly authentic but fake website: “It is well designed, well executed, and it highlights the very real danger of modern spoofing attacks”.

The website's publication has also been particularly well timed, given the publication of exam results in a few weeks and anxious students wanting to secure their place as soon as possible.

Newcastle University published a tweet warning people that “Newcastle International University” are in no way associated with Newcastle University. The tweet can be read here.

The very cunning phishing scam comes at a time when a growing number of universities are finding themselves being spoofed. A Freedom of Information request by Duo Security showed that 70% of universities, nearly three-quarters, had fallen victim to phishing scams in the previous 12 months.

Report reveals that cyberbullying is not as prevalent as feared

By | Content Issues, News
A study led by Dr. Andrew Przybylski of the University of Oxford found that cyberbullying – bullying that takes place over the internet – is not as prevalent as feared. The study comprised a survey of over 110,000 people and it found that just one percent of adolescents reported being bullied online but not in person.
Furthermore, the study found that those who were bullied online reported a lower emotional impact from the online bullying than from bullying that happened face to face.
Dr. Przybylski said, “There is a vanishingly small percentage of people who are bullied only online”. He went on to add that: “It has crystallised in the public imagination, and it’s easy to get drawn into these fears, but just because it is new it does not mean it’s a new behaviour.”
Dr. Przybylski said that cyber bullying is merely a “new avenue to victimise those already being bullied in traditional ways, rather than a way to pick new victims” and urged efforts to be directed at building resilience as opposed to managing online behaviour.
The report can be read here.

Russia and China move towards banning virtual private networks

By | Content Issues, News

Both Russia and China are in the process of banning virtual private networks (VPNs), a tool that creates a secure, encrypted connection between a computer and a server operated by a VPN service. They are used by many to access material and websites that have been blocked by a government.

China has started implementing rules regarding VPNs that were approved in January 2017 that would require all VPNs to apply for a licence from the Chinese government – this licence would require VPNs to block access to websites and other online material that the Chinese government does not approve of. Two VPN services – Green VPN and Haibei VPN – have already said they would be closing down services in mainland China after receiving “notice from regulatory departments.”

In Russia, the State Duma (the lower house of the Federal Assembly of Russia) unanimously adopted the first reading of new legislation that would ban the use of VPNs as well as online anonymiser web browsers such as the Tor browser if they do not block access to a list of websites prohibited by the Russian government.

The move by both countries comes at a time when VPNs and encryption are under increased scrutiny from governments around the world. You can read more about the situation in Russia and China from The Register.

ISPA 2017 Award winners announced!

By | General, News, Other
At the 19th Annual UK Internet Industry Awards – colloquially dubbed the “ISPAs” – the Internet Service Providers’ Association (ISPA) recently announced that the Internet Hero Award went to Marcus Hutchins for his role in finding the “kill switch” for the WannaCry ransomware that affected hundreds of thousands of computers earlier this year. He tweets under the Twitter handle @MalwareTechBlog. The less coveted award, the Internet Villain Award, went to President Erdogan of Turkey for his role in “cracking down on online freedom of expression, including blocking Wikipedia and social media”.

ISPs that were also honoured at the awards included Hyperoptic, Storm Internet, Talk Straight, Zen Internet, Luminet, Telappliant, Wifinity, Linksys, Kemp Little and Gigaclear.

ISPA Secretary General Nicholas Lansman said: “I would like to congratulate all the winners at this year’s ISPA Awards. There was strong competition this year, and we saw some real innovation and commitment to development among the nominations. The Hero and Villain Awards are a bit of fun, but – as ever – showcase today’s pressing issues online. Unsurprisingly, cyber security and the encroachment of government censorship online were two issues voters felt passionately about. Here at ISPA we’re pleased to say that they’re two issues we’ve been addressing with our members for a long time, and will, of course, continue to do so.”

A huge congratulations to those awarded!

Baroness Howe tables Private Member’s Bill

By | Content Issues, News
Baroness Howe has tabled a private member’s bill seeking to broaden the definition of what is classified as extreme pornography.
Baroness Howe, a crossbencher and life peer in the House of Lords, has tabled a private member’s bill demanding a broadening of the definition of what constitutes “extreme pornography” in the 2017 Digital Economy Act. She advocates defining “extreme pornography” to include videos that either wholly or partly portray scenes that were “produced solely or principally for the purposes of sexual arousal” and did not receive a certificate from the video works authority because it did not believe there was a suitable classification certificate. The amendment would extend to England, Wales, Scotland and Northern Ireland.

As a private member’s bill, it is unlikely to become law, but the initiative does maintain the Baroness’ campaign of pressure on the government in this area.

You can read the private member’s bill here.

Internet giants protest over rollback of net neutrality

By | Content Issues, International, News
A large number of internet giants – including Facebook, Google, AirBnB and others – are preparing for a “Day of Protest” on Wednesday 12th July over a ruling by the US communications regulator, the Federal Communications Commission (FCC), that will reverse Obama-era net neutrality rules that prevent the prioritisation (or “throttling”) of data.

These were implemented by classifying ISPs as telecommunications operators regulated under Title II of the US Communications Act.

Campaigners fear the decision by the communications regulator will lead to a two-tier internet in which ISPs can determine the download speeds of content. Sean Vitka, a lawyer for pro-net neutrality groups Demand Progress and Fight for the Future, said: “If a new company can’t access companies on the same terms as the incumbents they’re not going to have the chance to thrive.”

But the NCTA, a trade association for network operators, argued that Title II regulation is “a complicated set of rules from the 1930s” and “not remotely connected to net neutrality”.

The FCC implemented net neutrality rules under Title II when the courts found that it had exceeded its authority under Title I when imposing a previous ruleset in 2010.

On Wednesday, several internet companies will be voicing their opposition to the move in a variety of ways, from changing their homepage to black and simulating what internet access is like in a world without net neutrality to displaying messages against the move, and more.

Former GCHQ head criticises Government’s approach to encryption

By | Content Issues, News, News Sources
The former head of GCHQ, Robert Hannigan, has expressed criticism over the Government’s stance on encryption technology. Hannigan described encryption as an “overwhelmingly good thing” and criticised plans by Home Secretary Amber Rudd to install backdoors into encrypted communications as unworkable and dangerous: “Building in back doors is a threat to everybody and it’s not a good idea to weaken security for everybody to tackle a minority.”

The comments from Robert Hannigan echo those of Max Hill QC, the independent reviewer of counterterrorism legislation, who strongly condemned the Government’s approach to encryption. The growing barrage of criticism from pillars of the security establishment gives renewed strength to industry warnings that undermining encryption will weaken UK security, rather than protecting the public.

Watchdog warns that authorities and industry are overlooking online fraud

By | News
The National Audit Organisation (NAO) has expressed concerns over the response by organisations and the Government to cyber crime such as online fraud and said it was difficult to see how its response up until now has been “proportionate, efficient or effective”.
Amyas Morse, head of the NAO, said: “For too long, as a low value but high volume crime, online fraud has been overlooked by Government, law enforcement and industry.” Morse went on to call on the Home Office to “oversee the system and lead change”. The large-scale nature of online fraud has given rise to new vocabulary such as “phantom goods”, which describes goods bought over the internet that are later found out not to exist. 

Max Hill QC criticises May’s approach to terrorism

By | News
Leading barrister condemns proposals by May to fine internet companies for not doing enough to remove terrorist content from platforms.
Max Hill QC, the terrorism legislation watchdog whose entire career has been summed up by The Times as “bringing terrorists to justice”, branded Theresa May’s proposals to fine internet companies if they do not do enough to remove terrorist content from their platforms as dictatorial and likened them to what takes place in China. He asked: “How do we measure ‘enough’? What is the appropriate sanction?” He went on to compare May’s proposals to the policies implemented in China: “We do not live in China, where the internet simply goes dark for millions when government so decides.”
The very strong comments were made at the Terrorism and Social Media conference in Swansea, Wales. Max Hill QC was appointed to be an independent reviewer of terrorism legislation by the Government in February 2017, a post Parliamentarians rely on heavily for advice on the proportionality of government legislation. The comments would have been the norm had Max Hill QC been a privacy campaigner; given his central role in counter terrorism, the comments presage more significant challenges to government policy in the future.

Russia threatens to ban Telegram

By | News
The messaging app widely used in Russia has been threatened with closure if it does not comply with requests from Russian authorities.
The Russian communications regulator Roskomnadzor has threatened to close the Russian messaging app Telegram, unless it can provide details of its users, chat histories and encryption keys when asked by authorities. Telegram, which was founded by Russian brothers Nikolai and Pavel Durov, uses end-to-end encryption and markets itself by focussing on the high level of security and confidentiality it offers its users.

Alexander Zharov, who heads Roskomnadzor, said that “time is running out” for the app. He wrote in an open letter that: “There is one demand and it is simple: to fill in a form with information on the company that controls Telegram. And to officially send it to Roskomnadzor to include this data in the registry of organisers of dissemination of information.” Zharov added that: “Telegram shall be blocked in Russia until we receive the needed information”.

The latest demand comes at a time when governments around the world – not least the United Kingdom – have expressed scorn for end-to-end encryption technology and have insisted on the installation of “backdoors”.

Parliament hit by cyber attack

By | News
Both Houses of Parliament – the House of Commons and the House of Lords – have been hit by a “sustained and determined” cyber attack. So say cyber experts, following reports over the weekend from a number of MPs and peers that they were unable to access their parliamentary emails from outside the Parliamentary estate.

A source from Whitehall was reported in the Daily Mail as saying it was “inevitable” that information had been stolen and there are fears that the information stolen may be used to blackmail both MPs and peers.

A House of Commons spokesperson is reported as saying in the Daily Mail that: “The Houses of Parliament have discovered unauthorised attempts to access parliamentary user accounts”. The spokesperson added that: “We are continuing to investigate this incident and take further measures to secure the computer network, liaising with the National Cyber Security Centre.”

The attack comes roughly a month after several NHS trusts fell victim to a hacking attack. With reports that the Wi-Fi password for the parliamentary estate was so well-known that even the McDonald’s worker across Westminster Bridge knew it, it once again shows the importance of cyber-security today.

ITU to hold focus group on standard-setting for Blockchain-type technologies

By | General, News

The International Telecommunication Union (ITU) is to hold a conference from October 17 to October 19 in Geneva, Switzerland on the issue of establishing standards for distributed ledger technologies. The conference, dubbed the ITU-T Focus Group on Application of Distributed Ledger Technology, will convene with the aim of “identifying the standardized frameworks needed to support the scaling up of applications and services based on DLT globally.”

Distributed ledger technology is the technology that underpins Bitcoin.

The conference follows considerations by the European Commission to set up a blockchain observatory, showing how fashionable the topic is becoming. Other groups that have considered and are working on standards relating to distributed ledger technology include groups such as Hyperledger and the W3C’s Blockchain Community Group.

The conference demonstrates the ITU’s determination to break into standards-setting for information technologies, rather than remain limited to low-level traditional telecommunications standards. However, nimbler and more inclusive groups, led by industry and the technical community rather than governments, continue to lead the way.

More about the conference can be read here.

Decline in the number of students taking computer science and IT GCSE

By | Digital Britain, News

Figures released by Ofqual show that the number of year 11 students in the UK taking a GCSE in either computer science or information technology (IT) has fallen despite the 3% increase in the number of students who have registered to take their GCSEs in 2017. The British Computer Society (BCS) has expressed deep concerns about the latest findings, with its director of education Dr. Bill Mitchell saying that they “spell trouble for one of the most important subjects for the nation”. He also said: “We must ensure that schools are properly equipped to provide the best possible options for students at GCSE and that includes computer science.”

The latest findings are sure to prompt concerns about a looming “digital skills crisis” in the UK. In 2016, an inquiry by the science and technology committee at the House of Commons emphasised the urgency of young people acquiring digital skills. The committee also predicted 90% of all future jobs will need digital skills.

Leaked documents, according to the Daily Mail and Wikileaks, reveal that the CIA has hacked Wi-Fi routers

By | International, Malware and DOS attacks, News

Leaked documents from activist group Wikileaks, as reported by the Daily Mail, show that the Central Intelligence Agency (CIA) has hacked a number of routers and converted them into devices used to snoop on people’s conversations. The Daily Mail reports that the hacks have targeted 25 router models from manufacturers such as Linksys, D-Link and Belkin. Furthermore, the Daily Mail cites the Wikileaks document as stating that the firmware could be expanded to affect a hundred or more devices with only slight modifications.

The 175-page document was reportedly nicknamed “CherryBlossom” (CB for short) by the intelligence agency. The document states that: “The Cherry Blossom (CB) system provides a means of monitoring the internet activity of and performing software exploits on targets of interest”.

The firmware apparently works by converting the router into a “FlyTrap” that sends messages, also known as “beacons”, to a CIA-controlled server nicknamed “CherryTree”. The FlyTrap sends information such as the router’s device and security information, which CherryTree logs into a database.

Devices that were protected with a weak or default password were highly susceptible to the firmware, the document from Wikileaks shows.

The findings, if true, show the various problems associated with friendly governments taking the view that it is acceptable for intelligence agencies to compromise either security or privacy. The end result can only be the use of such mechanisms by actors with less than noble intentions – ranging from hostile governments to organised criminals to terrorists all the way down to script kiddies. This serves as a useful forewarning on the dangers of requiring ‘backdoors’ on encryption technology, together with the policy ramifications from the Investigatory Powers Act Technical Capability Notices.

Theresa May calls on internet firms to tackle terrorist content

By | News
Following the recent terror attacks in London, which have thus far killed seven and left 48 injured, Prime Minister Theresa May has called on internet companies to tackle terrorist content. In her speech before the country, she presented a four-point plan to tackle terrorism. The first is persuading people about the superiority of pluralism and British values to the values espoused by “preachers and supporters of hate”. The third is to stop terrorists from having safe spaces in the real world through military intervention in ISIS-controlled territories. The fourth strategy is a review of Britain’s counter-terrorism strategy.

Her second strategy concerned internet companies, and she called on internet companies to not be a safe space for terrorists and hate preachers: “We need to work with allied, democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorist planning. And we need to do everything we can at home to reduce the risks of extremism online.”

Her words signal a likely augmentation of the 2016 Investigatory Powers Act and they also come after the Home Office called for fines on social media companies that do not do enough to remove content deemed as extremist from their websites. May’s words also parallel calls from the European Commission to allow access to data stored in the cloud by encrypted apps.

In the wake of the terrorist attacks, Facebook have said they aim to be a “hostile environment” for terrorists.

4G to come to the London Underground

By | Digital Britain, News
Transport for London (TfL) are due to hear bids from a number of telecommunications companies to provide 4G on the London Underground. It is believed that likely bidders include telecommunications companies BAI Communications, Wireless Infrastructure Group and Arqiva.

A TfL spokesman told Sky News that: “We are keen to offer full mobile phone coverage for our customers.”

Swiss court convicts man over Facebook ‘likes’

By | News
A Swiss court has convicted a man for his ‘likes’ on Facebook. The 45-year-old unnamed defendant was told by the court in Zurich that because he had ‘liked’ a post written by someone else regarding Erwin Kessler, who heads the animal rights group Verein gegen Tierfabriken (VgT), he was responsible for the words it contained, which alleged that Kessler is a racist and an anti-semite.

The posts arose from a debate on Facebook concerning whether animal rights groups should take part in a large street vegan festival in Switzerland, the Veganmania Schweiz. Some left posts on Kessler accusing him of racism and anti-semitism, which the defendant then ‘liked’. Kessler brought a case against the unnamed defendant, claiming that because these Facebook ‘likes’ helped to spread the accusations even further, he should be convicted. The court agreed, with Judge Catherine Gerwig saying at the trial that in liking the Facebook posts they were “spreading a value judgement”.

This was despite Kessler being convicted for racial discrimination in 1998 for trying to prevent the lifting of a ban on the Jewish practice shechita, a Jewish religious method of slaughtering animals for food in order to produce kosher meat. However, because no current proof was provided for Kessler being racist now, the case against the defendant for his Facebook ‘likes’ still stands.

The man was fined 4,000 Swiss Francs.

German court denies mother’s access to daughter’s Facebook account

By | Content Issues, News, Privacy and Investigation
An appeals court in Berlin has recently ruled that a mother cannot gain access to her daughter’s Facebook account. Following the girl being killed by a train in 2012, the mother attempted to gain access to her daughter’s Facebook account to determine whether the incident was deliberate or accidental.

Facebook refused to provide access to the girl’s account, citing the girl’s privacy rights.

A court in Berlin had initially ruled that the mother has the right to gain access to the girl’s account, citing the fact that she was a minor when she was killed, and that Germany’s law on inheritance suggests the girl’s contract with Facebook is transferred to her mother. Furthermore, as she was a minor, the mother has a duty of care over her and this means that she should be allowed to have access to the account.

However, the appeals court later ruled against the initial decision, arguing that the girl’s right to privacy superseded the mother’s parental rights. In addition, blocking access to the girl’s account would ensure the confidentiality of those she communicated with. The decision is best understood in the context of Germany’s aversion to surveillance, and with the understanding that Germany has one of the strictest privacy laws in Europe.

It is understood that the mother is likely to appeal the decision of the appeals court.

EU to spend €120m to extend free Wifi across Union

By | EU Legislation, Europe, News
The EU has announced it will spend €120 million to extend Wifi across 6,000 to 8,000 municipalities, bringing free Wifi to “every European village and every city” by 2020.

The scheme, dubbed WiFi4EU, is described by the European Commission as having the aim to “increase accessibility to high-performance mobile internet, and to raise awareness of the benefits of such connectivity.”

The action falls under the framework of the digital single market and the desire to make customers’ experience across the EU the same.

You can find more information about the initiative here.

Ex-GCHQ deputy director demands fines on social media firms that fail to remove “extremist” material

By | News

Brian Lord, the ex-deputy director of intelligence and cyber operations at GCHQ, has suggested that social media companies should be fined if they fail to remove material deemed as extremist from their websites. The calls parallel the legislation in Germany, the so-called Netzwerkdurchsetzungsgesetz, which fines companies if they do not remove material deemed extremist or untrue from their websites within 24 hours or seven days, depending on how easily it can be categorised as being extremist or constituting false news.

Although Brian Lord acknowledged that “social media is here to stay”, he argues that social media companies also have a social responsibility to remove extremist material. Yet, it remains unclear what Lord considers to be “extremist” or how that will be judged. Furthermore, Lord is silent on the possibility of there being a slippery slope, with each definition of extremist content further encroaching on the ability to post material once considered reasonable.

EU to impose national quotas on streaming services

By | EU Legislation, Europe, News
The EU is to impose national quotas on streaming services.

The EU is currently considering imposing a quota on streaming services, such as Netflix and Amazon Prime, to feature a minimum quantity of European works in their catalogues. The European Parliament has proposed a requirement of 30%, an increase on the European Commission’s proposal of 20%. The quota will be implemented as an amendment to the Audiovisual Media Services directive, which will likely be extended to include social media and any streaming on-demand service.

Colin Bortner, director of public policy for Netflix, argues that the quotas will result in lower quality work. One unnamed diplomat who opposed the measure said that there is a risk the directive will drift away from its original purpose and will move to policing “any moving picture on any screen”.

The quota is currently going through the ordinary legislative procedure, in which the Council of Ministers will also decide its own view, prior to the final outcome being negotiated between the three institutions in a process known as “trialogue”.

EU ministers approve hate speech rules

By | News

European Union ministers have recently approved rules that would oblige companies such as Facebook, Twitter and Google to remove videos deemed as constituting “hate speech” or face fines. The move comes in an attempt to create a common legal standard across the European Union on how to deal with video content, in place of the current discrepancies between national laws.

Andrus Ansip, vice president for the digital single market, said: “We need to take into account new ways of watching videos, and find the right balance to encourage innovative services, promote European films, protect children and tackle hate speech in a better way”. In order to become law, the rules must be agreed between the Council of Ministers, the European Commission and the European Parliament. This approval therefore represents an important first step in the legislative process, rather than a conclusion. While the Council of Ministers is generally seen as more influential than the European Parliament, especially on crime and security matters, the Parliament is often seen as more protective of free speech interests and other such fundamental rights.

House Republicans seek to revamp internet privacy rules

By | News
A bill that would explicitly lay out the terms under which internet service providers (ISPs) can collect and distribute information on their customers and when they can get opt-in and opt-out permission is being sponsored by Tennessee Republican representative Marsha Blackburn (R-TN).
The bill, known as the Balancing the Rights of Web Surfers Equally and Responsibly Act or BROWSER Act for short, would entail ISPs needing to get user consent for using collected information for purposes other than billing, security or emergency response. Furthermore, the bill would set the Federal Trade Commission (FTC) as the governing body of internet privacy rules.

The bill can be read here.

WannaCry ransomware inspires new phishing emails

By | News
Following the WannaCry ransomware attacks, which have affected over 200,000 computers in at least 150 countries around the world, a spate of emails purporting to be from internet service providers warning customers to perform a security check has emerged.

Action Fraud, the UK’s national fraud and cyber crime reporting centre, warned on 18th May 2017 about a phishing email purporting to be from BT requesting users to perform a “security check”, otherwise they would be unable to access their accounts.

The phishing email is sophisticated as it also comes at the same time that ISPs are genuinely informing their customers about the possibility of a security breach in the wake of the WannaCry situation.

More about the phishing email masquerading as BT can be seen here.