September 2013 - The Privacy Post

1

Privacy Concerns with Mobile Health Apps

Posted by on Sep 30, 2013

Mobile

Image from techhealthperspectives.org

While perusing the iPhone app store recently I came across a calorie counting app which I thought would be interesting to try out. I installed the app and started creating a user profile. The app walked me through a series of questions to create the profile – most of them standard (email id, user name, password etc), but some of them reasonably personal (date of birth, weight, gender, zip-code (for targeted ads??). Having an information security background, and also having worked in the health care industry dealing with sensitive insurance information, I was naturally curious.  After all, this is a lot of information. How is the app safeguarding and using this data?

Mobile health apps are ubiquitous. There are applications to count calories, measure heart rate, document sleep patterns, analyze blood sugar and even monitor moods for signs of depression (see Figure 2 for the top 5 mobile health apps). A recent study reveals that there are about 97,000 varieties of inexpensive and easy to use mobile health apps available in the market, all indications point to huge growth in the near future.

The mobile industry tracker Research2Guidance predicts that by 2017 half the world’s more than 3.4 billion smart phone users will have downloaded health apps.  But have we realized what happens to the sensitive data consumers enter into these apps? Most of the apps don’t even deliver the medical miracles they promise – rather they share that data with advertisers and other third parties without the user’s knowledge. With a huge growth in the health apps, the privacy of important medical data has become a reason of concern.

2012 Mobile Health App Study

Image from verasoni.com

Health apps collect all sorts of personal information like name, email address, age, height, weight and in some cases even more detailed information about your health. Lot of users trustfully log everything from diet to sleep patterns in the apps, without having any knowledge about companies or the app developers. By sharing such personal information you may be opening yourself to targeted advertising, identity theft, insurance or employment discrimination.

The Privacy Rights Clearinghouse recently released a study funded by California Consumer Protection Foundation showing the potential privacy risks of the mobile fitness and health apps. The study evaluated 43 health and fitness apps (paid and free) on both Google Play and Apple’s App Store to determine potential risks to important health data being collected, transmitted and stored using these apps. Although Clearinghouse chose not to include the names of those apps in it’s report, some of those apps could have included Nike+ Running, Runkeeper, Lose It! and WebMD.

The findings of the report are summarized in the table below:

Study

Image from privacyrights.org

This report unveils many security loopholes in the usage and storage sensitive health information collected by mobile medical apps. In addition, according to the report, only 13 percent of free apps and 10 percent of paid apps encrypt all data connections and transmissions between the app and the developer’s website. Probably the biggest difference between paid apps and free apps was the statistic that 43 percent of free apps shared user-generated personally identifiable information (PII) with advertisers – only 5 percent of paid apps did so.

The Health Insurance Portability and Accountability Act (HIPAA), which limits who can see and receive your health information, instructs doctors, insurers and pharmacies to keep your electronic health records confidential, unless you explicitly give the permission to share them. However, certain mobile health app developers are not obliged to follow such regulations if the data is not being used by a covered entity, such as physician, hospital, or health plan. The apps often send clear and unencrypted data without the user’s knowledge and consent. Some apps even share user’s location and other personal details with other companies within few minutes of being turned on. They often share data with advertisers and third parties without the knowledge of user. Less than half of the free apps have privacy policies in place and only half of those who had privacy policies described the app’s technical processes accurately. Due to unencrypted connection during data transmission and unprotected data storage, apps end up exposing sensitive data to everyone in the network – a huge privacy risk.

Keeping all these security and privacy concerns in mind, you can take the following steps towards protecting your data.

  • You should do a thorough research, and read the reviews to get a good idea about the app.

  • Spend a few minutes to read the privacy policy before downloading a mobile health app. It is important for you to know what the app intends to do with the data that you provide.

  • You should provide limited information to the apps – do not provide more information than what is necessary. Do not allow the app to access your contact list or personal contact details – most apps should not need that information to provide the service that they are intended for.

  • Consider paid apps over free apps as they offer better privacy protection. This is because paid apps don’t have to rely on advertising solely to make money. Most apps are a few dollars at the most – a small price to pay for something that you are going to entrust personal health information with.

Additionally, more work needs to be done from the app developer’s perspective to secure this important data. A few recommendations for app developers are:

  • Be upfront and transparent with your privacy policy – make it easily accessible to the user

  • Take steps to ensure that proper data encryption methods and security controls are implemented to secure user data

  • Review your privacy and security policies and ensure that they comply with federal and state law.

  • Assess whether the software will be used by a covered entity, and whether it will contain confidential patient information, and ensure that they are compliant under HIPAA regulations.

Keep your medical data secured

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, file-names, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plain text data. Sign up for this product today!SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.

 

September 2013 - The Privacy Post

0

Calming the Biggest Cloud Fears

Posted by on Sep 27, 2013

Small businesses have been stuck in a security limbo over the past few months. News of the NSA’s PRISM program has frustrated consumers and has complicated the international market. Widespread cloud fears and worries of government surveillance programs, as well as the prevalence of state-sanctioned hacking have prompted many businesses to cancel contracts and forgo the cloud altogether. But security fears shouldn’t keep you or your business from capitalizing on all that the cloud has to offer. With a secure cloud service that offers zero-knowledge storage, data privacy, strong encryption, and user anonymity, SMBs can leverage the cloud without worrying about dealing with the headache of a breach or leak.

SMBs in the Cloud

Consumer fallout following revelations of the National Security Agency’s PRISM program are set to cost U.S. cloud service providers up to 20% of the foreign cloud market for a potential combined loss of $35 billion. The Information Technology & Innovation Foundation (ITIF) recently put out a report that claims that lack of consumer trust could derail the American cloud for the long term. According to the report’s author Daniel Castro, “If U.S. companies lose market share in the short term, it will have long-term implications on their competitive advantage in this new industry. Rival countries have noted this opportunity and will try to exploit it.” And a report by the Cloud Security Alliance revealed that 10% of respondents cancelled contracts with U.S. cloud providers following news of the PRISM program leak.

Cloud Fears

Another survey of executive-level managers shows that 49% of respondents believe that the cloud will positively benefit their business but have been hesitant to adopt the technology due to security fears. According to cloud engineering specialist Ryan Stenhouse, the cloud actually can be more secure than what many businesses are currently using. Stenhouse says, “If anything, you have more control over what you’re deploying on, since you have no fixed allocation of resources – you use as much or as little as you need and that leads to savings. The biggest security concerns are around access to your data on your VM, you should carefully investigate the controls providers have in place to secure your environment. Big providers such as Amazon and Rackspace make this information available and are accredited to the highest industry standards.”

Sam Visner

Still, businesses should be wary of exactly which providers they trust with their sensitive data as companies offer a wide range of security protections, from the virtually nonexistent to the practically uncrackable. Vice president and general manager of Cybersecurity Sam Visner says, “Data protection is a particularly important concern. Organizations need to ensure that their cybersecurity policies and protections cover information assurance — particularly as they seek to unlock the value of information and big data and use it to make high-value decisions regarding customer strategy, public policy and national security. The survey shows we still have some way to go to allay these types of cybersecurity concerns.” One of the biggest blocks to adoption is lack of understanding of how to proactively protect data. According to Visner, “Information technology professionals in general, and CIOs in particular, need to be informed about the controls necessary to protect their operations and the providers’ approach to meeting those controls. Those contemplating the acquisition of cloud services should look carefully at how security certification or attestation is being performed, and who is performing it.” For SMBs looking for strong security protections, zero-knowledge data policies are essential. This way, only your company has access to your sensitive data.

SpiderOak for Small Businesses

For most SMBs, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, SMBs can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

September 2013 - The Privacy Post

0

The Rise of State Sanctioned Hacking

Posted by on Sep 26, 2013

Businesses that compete on the global market have to contend with a wide range of security threats. Hackers could steal intellectual property, disrupt production, and attack digital assets for ideological motives as well as for personal profit. Internal leaks from cloud providers and disgruntled employees could dip into profits by revealing company secrets and leaking projects before their marketed release date. But the latest threat to business security comes from the rise of state sanctioned hacking. Whether under the banner of citizen espionage programs or large-scale coordinated attacks on political enemies and dissidents, instances of state-backed hackers are increasing each year. One of the best ways that companies can proactively protect their data is through exclusive storage and syncing with a secure cloud service that offers data privacy and user anonymity.

Courtesy of privacyinternational.org

Hacking Team

In 2001 a hacking program called Ettercap enabled the proliferation of spying, remote device control, and password cracking technology. Billed as a “comprehensive suite for man-in-the-middle attacks” this open source free program was intended as a security test mechanism for networks. But the program’s abilities quickly caught on in the hacking community. The Milan police department caught wind of the program and soon contacted its Italian developers, Alberto Ornaghi and Marco Velleri, to help them track the Skype calls of suspects. This became the catalyst for the start of the Milan-based hacking company called Hacking Team. This organization boasts 40 employees and offers commercial hacking programs to international law enforcement agencies. One troubling program developed by Hacking Team is Da Vinci. This citizen espionage program allows law enforcement to access more data than the controversial PRISM program conducted by the U.S. National Security Agency. Through Da Vinci, governments can access suspect phone conversations, Skype calls, webcams, computer microphones, and emails.

Courtesy of cisco.com

How Ettercap Works

Such broad trespasses of citizen digital rights come under the auspices of the “war on terror”. Unfortunately, these programs are mostly used to threaten and harass dissidents and political opponents. Back in July, the political dissident Ahmed Mansoor was attacked through malware while in Dubai. Governmental sources are suspected and reveal ramped up efforts to control political opposition in the light of the Arab Spring. The Moroccan activist Hisham Almiraat sought help from the Electronic Frontier Foundation to confirm a coordinated malware attack on journalists. According to Almiraat, “After the Arab revolutions happened, those governments have maybe realized they have to harness the power of the Internet and use those tools to try to scare activists, or try to spy on them and follow their steps.” The attack was traced back to Hacking Team software and resulted in a seven-month-long jail sentence for Ahmed Mansoor.

Ahmed Mansoor

The impression such examples give is that these programs are just part and parcel of living under oppressive regimes. But such state-backed hacking efforts are also prevalent in democracies like the United States. In an attempt to convict suspected child pornographer Eric Eoin Marques, the FBI admitted to hacking into the Tor network, which has been widely criticized for hosting exploitative content on its Freedom Hosting servers. Whether or not state-backed hacking is being used to put away dangerous criminals or to gain a tighter grip on citizen communications, international businesses should be aware of the threat of such governmental security breaches. Know that regardless of what governments claim publicly, recent leaks like Snowden’s revelation of the PRISM program show the huge discrepancy between what the government admits to doing and what they actually do in private.

Securing Data Online With SpiderOak

For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling safe mobile access.

September 2013 - The Privacy Post

0

Secure Banking & the Cloud

Posted by on Sep 25, 2013

The banking world has set out some of the tightest online security measures for secure banking transactions on the web. But as hosts of private customer knowledge, account numbers, and assets, online banking services are prime targets for hacking, leaks, and attacks. One of the best ways for banks to secure their information is to remap their services using the private development framework Crypton while exclusively storing and syncing sensitive data to a secure cloud service provider.

Courtesy of dailymail.co.uk

Santander

Recently a Santander bank branch in London was the victim of a sophisticated cyber-attack worthy of the silver screen. London police in conjunction with PCeU, Scotland Yard’s e-crime unit, detained twelve men on suspicion of conspiring to steal data and money from the bank. One of the suspects allegedly posed as a maintenance engineer and was able to install a keyboard video mouse device (iKVM) to a branch computer, which enabled the group to seize the desktop contents of the device through the bank’s network. According to PCeU Detective Inspector Mark Raymond, “This was a sophisticated plot that could have led to the loss of a very large amount of money from the bank, and is the most significant case of this kind that we have come across.”

Courtesy of techweekeurope.co.uk

KVM Switch

Santander responded through a spokesman, which assured customers that their assets were still safe. According to a statement the bank claims, “Santander was aware of the possibility of the attack connected to the arrests. The attempt to fit the device to the computer in the Surrey Quays branch was allegedly undertaken by a bogus maintenance engineer pretending to be from a third party. It failed and no money was ever at risk. No member of Santander staff was involved in this attempted fraud. We are pleased that we have been able, through the robustness of our systems, to prevent the fraud and help the police gather the evidence they needed to make the arrests.” But according to Dr. Eerke Boiten from the University of Kent, the failed plot should be cause for concern for all banks as it shows a ramped-up level of criminal sophistication. Boiten says that the iKVM “captures all the information that goes to the screen, keyboard and mouse. If you manage to get it installed inside the computer, it gives you a way of contacting the device through a remote computer. This is what people use for controlling a big server remotely. You basically can control a computer inside that bank branch. With one such device you can do as much damage as an individual teller can, within the bank. This is not just one guy trying to install this thing and see if he can get through to the Internet.” The foiled attempt at digital theft shows that thieves are willing to exploit any and all weaknesses in security, whether physical or digital.

Courtesy of cs.kent.ac.uk

Dr. Eerke Boiten

This case of attempted theft has caused a wave of concern to ripple through the tech security world. According to senior security researcher at Kaspersky Lab David Emm, “Like many other hacking attempts, the game plan of the hackers in this case was to be able to get information on transactional and customer data held on the computers within the bank to use for financial advantage. This attempt should remind organizations that a holistic approach needs to be taken toward security. It’s not just the IT security methods that need to be scrutinized, but the people within the organization as well.” Banks should make sure that all employees are brought up to date on security protocols and that no unauthorized personnel are allowed near branch devices.

As McAfee CTO Raj Samani says, “These arrests prove that the ease with which anybody can conduct what is described as a very significant and audacious cyber-enabled offence requires limited technical knowledge and [a] questionable moral compass. Simply plugging in a physical device that can be [acquired] from any number of legitimate outlets demonstrates that the bar required to be a ‘cyber-criminal’ is probably at its lowest level.” The fact that banks and security experts can’t agree on the level of sophistication that this foiled plot poses should worry customers that expect strong security measures for their assets. Through creating completely private infrastructures on Crypton and uploading sensitive information to a private cloud, banks can ensure that data is kept safe, even when accessed remotely from approved users.

Keeping Customer Data Safe With SpiderOak

For most banks, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides banks with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive customer data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, banks can rest easy knowing that their customer data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

September 2013 - The Privacy Post

0

Amazon Cloud Suffers Another Outage

Posted by on Sep 24, 2013

Startups of all sorts use the cloud to leverage technology in their favor in order to compete on the rapidly changing international market. New companies have fewer resources and less customer loyalty, so the ability to change gears on a moment’s notice is essential. Large and expensive onsite servers and IT infrastructures require costly maintenance and can become obsolete the minute a new technological development hits the shelves. To save time and money, many startups have flocked to Amazon’s popular cloud services. Unfortunately, this popular service is far from secure and has been marred by outages. For startups looking to secure their data while capitalizing on the cloud, only a provider that offers a zero-knowledge privacy policy along with strong encryption and user anonymity will do the twin tasks of conveniently storing and securing data.

Courtesy of digitaltrends.com

Amazon Cloud Outage

Despite Amazon’s frequent problems, its popularity has drawn business from organizations as large and varied as NASA and Netflix. When Amazon goes down, it takes down all organizations and companies that rely on its services, halting productivity and dipping into profits. The company notoriously experiences latencies and error rates for EBS-backed instance launches and the APIs for Elastic Block Storage. This technological failure has frustrated companies that heavily rely on the Amazon cloud for daily production. One such company is Wuaki.tv, which utilizes the cloud’s B availability for its integral production system. Systems operations engineer Rhommel Lamas said, “We have a complex architecture and this is just one tiny part of it. We saw how all of our Region B on US-East was failing with increasing latency issues and errors between machines in different zones.” This type of failure is unacceptable for startups that often depend on a cloud service’s reliability. Unfortunately, this is just par for the course for Amazon, which notoriously leaves large security gaps that are easily exploited by hackers and disgruntled employees.

Courtesy of blogs-images.forbes.com

Netflix Outage

All of this comes on the heels of recent market numbers that show Amazon’s dominance with developers. According to the study, 62% of developers use Amazon for processing power. This is compared to 39% that use Microsoft Azure and 29% that use Google’s Cloud Platform. Luckily for startups, new programming frameworks like SpiderOak’s Crypton offer the ability to develop fully private applications while protecting sensitive projects from hacking and leaks until it’s time for a marketed release. Even when pressed, Amazon can’t provide clear answers to where user data is stored and whether or not backups are deleted. This means that sensitive information could just be floating around, ready to be hacked, seized, or leaked at the first opportunity.

Courtesy of i2.cdn.turner.com

Amazon Outage Results

One thing that startups should look for when choosing a cloud provider is transparency. Just how is your data protected? Are there any protections for your company’s identity? And what about the case of a subpoena? What sensitive information would the company have access to? Make sure that whatever cloud your business chooses offers strong encryption to protect your data. A good cloud provider should also user anonymity to protect projects in development as well as a zero-knowledge policy so that only your authorized users have access to the data you upload. You should also be able to access a yearly report on data disclosures from the cloud provider so you know just what to expect in the case of a subpoena or security breach.

Securing Data Online With SpiderOak

For most startups and businesses, finding a truly protected third party cloud service can be quite a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, startups can rest easy knowing that their data is truly protected while earning diehard customer support for securing their information. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling safe mobile access.

September 2013 - The Privacy Post

0

SpidedOak’s Crypton & The Promise of Secure Apps

Posted by on Sep 23, 2013

For applications and software developers, the idea of a truly private application framework has been a pipedream. Developers have had to contend with countless leaks, attacks, and instances of hacking that severely dip into profits and halt production. But with SpiderOak’s new Crypton application framework, developers can build applications and programs that private and cryptographically secure. This ensures that projects stay secret until they are ready to be unveiled and that nothing is stolen. Along with Crypton, developers can keep data secure through SpiderOak’s private cloud services.

Crypton

Crypton

Many developers have previously been wary of the cloud as it once meant sacrificing privacy for convenience. But with Crypton, everyone can take full advantage of the cloud while enjoying the privacy and zero-knowledge that SpiderOak users have come to love. This new framework comes equipped with complex layers of cryptography to befuddle any would-be hackers. According to SpiderOak co-founder and CEO Ethan Oberman, “We can now start a true dialogue around privacy online as Crypton makes it possible for anyone to build ‘zero-knowledge’ cloud-based applications.

Most companies out there aren’t making money by mining through your uploaded content; rather, they are providing a service and charging a monthly or yearly fee. Through Crypton, these companies can now give privacy back to their user base and further protect themselves against potential liabilities and/or outside attacks.” Especially in the wake of the NSA’s PRISM program, consumers are more demanding of privacy rights and data protections then ever. According to Oberman, “Ultimately– we believe that privacy is a right in this country. And inherent in privacy is the concept of ownership. We own our information and therefore can make decisions about when and with whom we share it. This issue has been severely complicated by the growing nature of cloud technologies, as the data you upload had to be accessible by that 3rd party company in order for that service to be useful. But the world is evolving and Crypton gives the conversation a meaningful place to start.”

Courtesy of computerweekly.com

Prevalence of Hacking

This revolutionary framework promises to put data security back into the hands of developers. Projects no longer need to fear tapping the cloud for its convenience and cost-savings as Crypton has zero-knowledge of any user data. SpiderOak first developed the tool internally to meet their extremely high security standards in software development. Through the tool, the company was able to encrypt data without using a different program. The fact that Crypton doesn’t store any plaintext keeps developments safe from all eyes, even SpiderOak’s. As CEO Ethan Oberman says, “If you’re business model doesn’t rely on monetizing user data, then why store that data in plaintext? The liability of storing data is increasing daily.

“The PRISM story awoke people to the growing and associated risks around ‘big data’ and how it can be abused. And there will, of course, always be the threat of data leakage or theft. Whereas previously there was no accessible solution, Crypton represents a new way forward by providing a ‘privacy-first’ approach to application design and implementation. It is time to stop thinking of privacy as a feature and start thinking of privacy as a platform. Previously, privacy could only live in the belly of a downloaded client, which limits adoption and creates obstacles — especially as the world shifts toward the web. Now armed with a way to push privacy further into the web than previously possible, the Crypton framework can serve as a necessary cornerstone in the development and continued advancement of this new privacy platform.”

SpiderOak’s Commitment to Transparency

The company’s high regard for user privacy has earned them diehard support and has even gained recognition by The Information and Privacy Commissioner of Ontario, Canada, Dr. Ann Cavoukian. The commissioner recently named CEO Ethan Oberman and SpiderOak a Privacy by Design ambassador. This recognition indicates the level to which SpiderOak has remained committed to user privacy across all levels, from consumers to businesses to developers. Along with the Crypton framework, SpiderOak also offers businesses and development teams secure storage and syncing services.

Securing Data With SpiderOak

For most SMBs and developers, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, developers can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

September 2013 - The Privacy Post

0

The DEA, AT&T, And Your Right to Privacy

Posted by on Sep 20, 2013

It wasn’t that long ago that Edward Snowden blew the lid off the NSA’s now notorious PRISM program. This digital spying program has caused a fierce backlash against participating companies and may even result in lost revenue for many U.S. cloud companies. Recently, the New York Times revealed that AT&T has partnered with the DEA in offering law enforcement officials access to a massive database of phone records. Civil liberties groups are enraged and promise to battle this encroachment of citizen privacy in the courts. In the meantime, mobile users should be wary of information they disclose through their phones. And any sensitive data hosted online should be exclusively stored through a secure cloud that offers data privacy and user anonymity.

Courtesy of static.rappler.com

The Hemisphere Project

The DEA program is called The Hemisphere Project and is enabled through a close partnership with AT&T. According to the NYT release, the U.S. government pays AT&T to merge some of their employees with drug enforcement units around America. Officials are aided by AT&T employees in accessing phone data from 1987 until today. According to the American Civil Liberties Union’s deputy legal director Jameel Jaffer, “the integration of government agents into the process means there are serious Fourth Amendment concerns.” The program has remained secret until relatively recently and Jaffer wonders if “one reason for the secrecy of the program is that it would be very hard to justify it to the public or the courts”.

 

Image courtesy of publicintelligence.net

How the Project Works

The Hemisphere project uses a complex algorithm to track users across different phone devices so that investigations remain fluid even if someone gets a new phone. Law enforcement officials, the DEA, and detectives can tap the project to find the exact location of phones as well as call logs from as old as one hour. The ACLU’s Jameel Jaffer claims that “The government appears to have had a significant role in developing the program, and apparently it’s even paying the salaries of some AT&T employees…To the extent that this is a government program, it’s subject to the Fourth Amendment. In any event, the fact that AT&T is playing such a big role here should be alarming, not reassuring. AT&T is looking out for its shareholders, not ordinary citizens, and its conduct isn’t governed by the Constitution.”

Courtesy of networkworld.com

Disclosure Statement

Digital privacy groups, consumer advocates, and 4th Amendment defenders echo Jaffer’s concerns. The government claims that the outrage is unwarranted and that this program isn’t simply a telecommunications version of PRISM. According to Justice Department spokesman Brian Fallon, “Subpoenaing drug dealers’ phone records is a bread-and-butter tactic in the course of criminal investigations…The records are maintained at all times by the phone company, not the government. This program simply streamlines the process of serving the subpoena to the phone company so law enforcement can quickly keep up with drug dealers when they switch phone numbers to try to avoid detection.” But consumers are wary of such data collection and monitoring programs, especially as the PRISM leak shows that the government isn’t always honest when asked about the extent of their privacy breaches.

Marc Rotenberg is the Electronic Privacy Information Center’s executive director voiced concern over the high potential for abuse in the program. According to Rotenberg, “One of the points that occurred to me immediately is the very strong suspicion that there’s been very little judicial oversight of this program,” Rotenberg said. “The obvious question is: Who is determining whether these authorities have been properly used?” When it comes to any data you want to keep safe, be careful of what you disclose over unsecured telecommunication servers. And for any online data you need to store or sync, be sure to exclusively upload to a secure cloud provider.

Securing Data Online With SpiderOak

For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling safe mobile access.

September 2013 - The Privacy Post

0

How to Reduce Your Risk in the Cloud

Posted by on Sep 19, 2013

Small businesses have been somewhat hesitant to switch to cloud service providers, especially after the NSA PRISM program leaks. International backlash threaten many U.S. cloud services, as users are suspicious of governmental citizen espionage. But there are ways for businesses to still leverage all of the cloud’s benefits while securing their data from legal snoops. From better practices onsite to exclusive storage through a secure cloud service, there are plenty of options for SMBs to protect themselves from all sides.

 

Courtesy of risk.net

Cloud Warning

 

Some businesses are already aware of cloud services that protect user data through strong encryption and zero-knowledge policies, but many still don’t know hot to protect data onsite. Encryption should begin at home through Virtual Private Network (VPN) and TLS (HTTPS) tunnels. Through proactively protecting data before it reaches your secure cloud provider you can ensure that you have all of your bases covered. Don’t let government overreach scare you away from capitalizing on the cloud, with a service that offers data privacy and user anonymity, you can reach the right combination of convenience and security.

 

Courtesy of online-backup.choosewhat.com

Data Encryption

 

Aside from employing a secure cloud and encrypting onsite, there are other ways to help keep your data safe while using the cloud. Gretchen Marx is the manager of cloud security strategy at IBM and recently offered The Guardian six keys steps to protecting your data while using a secure cloud:

1. Know who’s accessing what
People within your organization who are privileged users, – such as database administrators and employees with access to highly valuable intellectual property – should receive a higher level of scrutiny, receive training on securely handling data, and stronger access control.

2. Limit data access based on user context
Change the level of access to data in the cloud depending on where the user is and what device they are using. For example, a doctor at the hospital during regular working hours may have full access to patient records. When she’s using her mobile phone from the neighborhood coffee shop, she has to go through additional sign-on steps and has more limited access to the data.

3. Take a risk-based approach to securing assets used in the cloud
Identify databases with highly sensitive or valuable data and provide extra protection, encryption and monitoring around them.

4. Extend security to the device
Ensure that corporate data is isolated from personal data on the mobile device. Install a patch management agent on the device so that it is always running the latest level of software. Scan mobile applications to check for vulnerabilities.

5. Add intelligence to network protection
The network still needs to be protected – never more so than in the cloud. Network protection devices need to have the ability to provide extra control with analytics and insight into which users are accessing what content and applications.

6. Build in the ability to see through the cloud
Security devices, such as those validating user IDs and passwords, capture security data to create the audit trail needed for regulatory compliance and forensic investigation. The trick is to find meaningful signals about a potential attack or security risk in the sea of data points

Following the six steps laid out above will go a long way in keeping your company’s data safe. Another way that privacy advocates are fighting for your security is in the world of development. Crypton is an open source software project that offers a way for developers to make encrypted cloud-based developments in a collaborative and mobile-enabled environment. According to the Crypton website, “To our knowledge there is no other existing framework that handles all the encryption, database storage and private user-to-user communication needed to build a zero knowledge cloud application.” The company behind this effort to encourage secure app development is SpiderOak, a leader in secure cloud solutions.

Courtesy of irec.executiveboard.com

Security Concerns

Securing Data With SpiderOak

For most SMBs, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, SMBs can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

September 2013 - The Privacy Post

0

Google Claims It Has a Right to Your Email

Posted by on Sep 18, 2013

Millions of online users rely on Google Gmail for personal and business correspondence. But despite passionate consumer backlash against privacy breaching policies by companies like Facebook and organizations like the NSA, Google is claiming in court that it has a right to the contents of your emails. This outrageous declaration has prompted consumer rights groups to fight back and governmental organizations are even considering banning Gmail for official correspondence. As lawmakers and privacy advocates champion digital privacy rights, one way to protect your data in the meanwhile is to exclusively store and sync sensitive files to a secure cloud service provider. A good provider will offer data privacy, user anonymity, and zero-knowledge policies so that only you have access to the contents of your data.

Google Privacy

The group that filed the lawsuit against Google is Consumer Watchdog. The organization asserts that Gmail users do not reasonably expect that the company will search the contents of their emails. Director John Simpson recently told ABC News that Google “actually read and data-mine the content of the messages. They’re using my content for whatever purposes they want to do with it.” He hopes that the lawsuit might encourage Google to seek a profit through other means like “ads that aren’t based on reading your email. Or they could just stop reading emails. There are a number of commercial services that are more amenable to privacy concerns.” Other privacy experts are less certain of the legality of Google’s policy but still caution against it, as the company claims they are protected in part by the fact that they use computers and not people to scan the contents of emails. According to Lorrie Cranor, director of the privacy engineering master’s program at Carnegie Mellon University, “The issue isn’t whether it’s a machine or human reading emails, but what could happen as a result of having your email read…There is a difference between user expectations and business practices. Just because every business may do it doesn’t mean that users know the things that are actually done. Ideally, the best choice is to give people the option to opt out.”

How Gmail Uses Emails for Ads

 

What does Google have to say about all of this? Essentially, they claim you have no privacy rights over your email. In their filing for a dismissal of the class-action lawsuit, Google wrote, “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use Web-based email today cannot be surprised if their communications are processed…Indeed, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” The idea is that because users put their content on Gmail, the company has a right to mine it for advertising purposes. The same idea was put forth by Facebook and shot down in the courts so it’s likely that this won’t hold up for long. Still, the company’s aggressive stance is frustrating to say the least. Google attorney Whitty Somvichian says that “Users, while they’re using their Google Gmail account, have given Google the ability to use the emails they send and receive for providing that service…They have not assumed the risk that Google will disclose their information and they fully retain the right to delete their emails.” Instead of waiting around for this company to protect your data, exclusively store anything sensitive to a secure cloud service like SpiderOak.

 

Backlash Against Google

Securing Your Emails With SpiderOak

For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave emails and private data wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that emails, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

September 2013 - The Privacy Post

0

Facebook’s Privacy Policy & Your Digital Rights

Posted by on Sep 17, 2013

Facebook has already gained the ire of privacy advocates over their advertising policies and their consent to the NSA’s PRISM program, but recent changes in the language of their privacy policy have sparked up another wave of controversy. All the while, shares of Facebook continue to rise, as users neglect the company’s use of their data for advertising purposes. Still, privacy groups continue to fight a public awareness campaign while challenging the company through a letter to the Federal Trade Commission. For users concerned with privacy, be sure to take control of your privacy settings and never upload content you don’t want exploited. Any sensitive data should be exclusively uploaded to a secure cloud provider that offers data privacy and user anonymity.

Facebook Privacy

Six major consumer advocate groups have championed digital privacy rights in an open letter to the FTC. The groups include CDD, Consumer Watchdog, EPIC, and representatives from the Privacy Rights Clearinghouse, Patient Privacy Rights, and the U.S. Public Interest Research Group. The privacy groups allege that changes in Facebook’s language violate a FTC court order and settlement that was reached back in 2011. According to the letter, “Facebook users who reasonably believed that their images and content would not be used for commercial purposes without their consent will now find their pictures showing up on the pages of their friends endorsing the products of Facebook’s advertisers. Remarkably, their images could even be used by Facebook to endorse products that the user does not like or even use.” This “free” advertising through mining and selling user profile data has outraged users that care about their digital rights. Executive director of EPIC (the Electronic Privacy Information Center), Marc Rotenberg, says, “Facebook is now claiming the default setting is they can use everyone’s name and image for advertising and commercial purposes, including those of minors, without their consent. Red lights are going off in the privacy world.”

Marc Rotenberg

Another issue is the fact that the new language indicates that simply by signing up, teens using the site imply parental consent to the use of teen data for advertising. But as the privacy advocate letter to the FTC points out, “Such ‘deemed consent’ eviscerates any meaningful limits over the commercial exploitation of the images and names of young Facebook users.” Marc Rotenberg offered privacy advocates his organization’s support saying, “The FTC needs to open an investigation and make a public determination as to whether the change in privacy policy complies with the 2011. Groups such as EPIC are prepared to litigate if the FTC fails to enforce its order that we all worked to put in place.” While groups like EPIC fight back against Facebook’s encroachment, some users are also up in arms. Facebook asked users to comment on the changes and received hordes of scathing criticism. One user wrote, “If, that proposal really is enacted, the first time ANY of my friends sees an ad with any of my information in it, I will be deleting my account, and encourage everyone else to do likewise. You need us. We don’t need you.” At the end of the day, each social media users should remain the sole owners of their data.

Who Has Access to Your Info?

Social Media & Security Through SpiderOak

Social media users should be aware of how their data is collected and used before using any social media site or platform. Don’t upload anything you don’t want shared and exploited for advertising purposes. And be sure to exclusively store anything sensitive to a secure cloud provider. For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that photos, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access