
The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping €10.4 million ($12.5 million) for keeping its employees under constant video surveillance for the past two years without a legal basis. The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR), not only in Germany but across Europe as well. The recipient is notebooksbilliger.de AG (doing business as NBB), an online e-commerce portal and a retail chain dedicated to selling laptops and other IT supplies. The State Commissioner for Data Protection (LfD) for the state of Lower Saxony said that the company installed a video monitoring system two years ago inside its warehouses, salesrooms, and common workspaces for the purpose of preventing and investigating thefts and tracking product movements. Officials said the video surveillance system was active at all times, and recordings were saved for as much as 60 days in the company's database. But while the retailer thought it was running a banal video monitoring solution, as found in many other businesses across Germany and all over the world, the German data regulator found it to be a gross encroachment on the rights of German workers. "We are dealing with a serious case of video surveillance in the company," said Barbara Thiel, head of LfD Lower Saxony, in a press release earlier this month. "Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees." The German data regulator argued that employees do not have to give up their right to privacy because their employer puts them under suspicion of potentially committing a crime in the future. "If that were the case, companies could extend surveillance without limit," Thiel said.
The German official claimed that video surveillance was not to be used as a "deterrent" to prevent crime but only when an employer had justifiable suspicion against certain employees. In those cases, employees could be monitored for limited periods of time until the suspicion was confirmed, and not for years in a row. "Video surveillance is a particularly intensive encroachment on personal rights, because, theoretically, the entire behavior of a person can be observed and analyzed," Thiel said. The LfD head said that because of the constant video monitoring, employees are under continuous stress and pressure to behave as inconspicuously as possible in order to avoid being criticized for their behavior. Furthermore, the German data regulator said that NBB also recorded customers while testing devices in its salesrooms without their knowledge or consent, which represented another major privacy breach. But in a PDF statement published on its website, NBB CEO Oliver Hellmold said the fine and accusation that it monitored employees were unfounded. "At no point was the video system designed to monitor employee behavior or performance. It wasn't even technically equipped for it," Hellmold said. The NBB CEO accused the LfD Lower Saxony office of misconduct. He argued that officials didn't visit its premises during the three-year investigation and that NBB previously made adjustments to its video surveillance system at the office's request in order to become compliant. Furthermore, Hellmold called the fine disproportionate to the company's size and said that they plan to appeal. "It is absurd that authority imposes a fine of more than 10 million euros without sufficiently investigating the matter. Apparently, an example is to be made here at the expense of our company," he said. Continue reading on OUR FORUM.

Parler’s website suddenly appeared online Sunday with a message from its CEO, John Matze, who said, “Hello world, is this thing on?” The message suggests Parler was able to find another hosting service, coming about a week after Amazon Web Services booted the social media website from its services, taking the site down. It came as Parler—billed as a “free speech” platform—was seeing an unprecedented surge in users as prominent conservatives, among others, were being banned from Twitter, Facebook, and other platforms. Matze also issued a temporary status update. “Now seems like the right time to remind you all—both lovers and haters—why we started this platform,” Matze wrote. “We believe privacy is paramount and free speech essential, especially on social media. Our aim has always been to provide a nonpartisan public square where individuals can enjoy and exercise their rights to both. We will resolve any challenge before us and plan to welcome all of you back soon. We will not let civil discourse perish!” Amazon Web Services said it dropped Parler because of a lack of moderation, a decision that came against the backdrop of the Jan. 6 U.S. Capitol riots. Parler, in a court filing citing text messages between Matze and an Amazon representative, claimed Amazon was primarily concerned with whether President Donald Trump would migrate to Parler after his Twitter account was banned last week.

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS. Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade's worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently bypass, using special hacking tools. The researchers have dug into the current mobile privacy state of affairs and provided technical recommendations for how the two major mobile operating systems can continue to improve their protections. “It just really shocked me, because I came into this project thinking that these phones are really protecting user data well,” says Johns Hopkins cryptographer Matthew Green, who oversaw the research. “Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?” Before you delete all your data and throw your phone out the window, though, it's important to understand the types of privacy and security violations the researchers were specifically looking at. When you lock your phone with a passcode, fingerprint lock, or face recognition lock, it encrypts the contents of the device. Even if someone stole your phone and pulled the data off it, they would only see gibberish. Decoding all the data would require a key that only regenerates when you unlock your phone with a passcode, or face or finger recognition.
And smartphones today offer multiple layers of these protections and different encryption keys for different levels of sensitive data. Many keys are tied to unlocking the device, but the most sensitive ones require additional authentication. The operating system and some special hardware are in charge of managing all of those keys and access levels so that, for the most part, you never even have to think about it. With all of that in mind, the researchers assumed it would be extremely difficult for an attacker to unearth any of those keys and unlock some amount of data. But that's not what they found. "On iOS in particular, the infrastructure is in place for this hierarchical encryption that sounds really good," says Maximilian Zinkus, a Ph.D. student at Johns Hopkins who led the analysis of iOS. "But I was definitely surprised to see then how much of it is unused." Zinkus says that the potential is there, but the operating systems don't extend encryption protections as far as they could. When an iPhone has been off and boots up, all the data is in a state Apple calls “Complete Protection.” The user must unlock the device before anything else can really happen, and the device's privacy protections are very high. You could still be forced to unlock your phone, of course, but existing forensic tools would have a difficult time pulling any readable data off it. Once you've unlocked your phone that first time after a reboot, though, a lot of data moves into a different mode—Apple calls it “Protected Until First User Authentication,” but researchers often simply call it “After First Unlock.” If you think about it, your phone is almost always in the AFU state. You probably don't restart your smartphone for days or weeks at a time, and most people certainly don't power it down after each use. (For most, that would mean hundreds of times a day.) So how effective is AFU security? That's where the researchers started to have concerns. For more visit OUR FORUM.

The US National Security Agency (NSA) says that companies should avoid using third-party DNS resolvers, both to block threat actors' attempts to eavesdrop on and manipulate DNS traffic and to keep internal network information from leaking. NSA's recommendation was made in a new advisory on the benefits (and risks) of using DNS over HTTPS (DoH) in enterprise environments, an encrypted domain name system (DNS) protocol that blocks unauthorized access to the DNS traffic between clients and DNS resolvers. "NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the US intelligence agency said. "This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information." Companies are advised to use their own enterprise-operated DNS servers or externally hosted services with built-in support for encrypted DNS requests such as DoH. "However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure," the NSA added. The NSA urges enterprise network administrators to disable and block all other DNS services besides their organizations' dedicated ones. Network admins who disable DoH on their networks are also advised to block "known DoH resolver IP addresses and domains" so that clients cannot use their own DoH resolvers instead of the DHCP-assigned DNS resolver. The agency's advisory also provides additional details on the purpose of DoH and the importance of correctly configuring it to augment enterprise DNS security controls.
"We are releasing this guidance to our NSS, DIB, and DoD partners to help them manage encrypted DNS as it is automatically enabled by more applications, as part of our continuous efforts to provide timely, actionable, and relevant cybersecurity guidance," Neal Ziring, Technical Director at NSA, told BleepingComputer. "Encrypted DNS features are becoming more widely supported in commercial products, and our customers need to understand the technology and potential trade-offs." Last year, US government agencies' CIOs were advised to disable third-party encrypted DNS services until an official DNS resolution service with DoH and DNS over TLS (DoT) support became available. CISA also reminded agencies that they are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on all devices connected to federal agency networks as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers. Until a DNS resolution service with DoH and DoT support was made available, federal agencies were also advised to "set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use." DoH carries DNS resolution requests over encrypted HTTPS connections, while DoT encrypts and wraps all DNS queries using the Transport Layer Security (TLS) protocol; both replace insecure plain-text DNS lookups. "The 'Adopting Encrypted DNS in Enterprise Environments' Cybersecurity Information Sheet provides National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators guidance on proper network configuration for handling encrypted domain name system traffic," Ziring added. Learn more by visiting OUR FORUM.
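The policy the advisory describes (all DNS, encrypted or not, goes only to the designated enterprise resolver; DoH and DoT are blocked until that resolver supports them) can be checked against flow logs. The following is an added example written for this page, not the NSA's or BleepingComputer's code; the resolver address, the "known DoH resolver" list and the log lines are constructed placeholders.

```python
# Added example: flag DNS traffic that bypasses the designated enterprise resolver.
# ENTERPRISE_RESOLVER, KNOWN_DOH_RESOLVERS and SAMPLE_LOG are constructed placeholders.
from typing import List, Optional, Tuple

ENTERPRISE_RESOLVER = "10.0.0.53"            # assumed designated enterprise resolver
ENTERPRISE_SUPPORTS_ENCRYPTED_DNS = False    # advisory: block DoH/DoT until it does
# Constructed stand-in for "known DoH resolver IP addresses" (documentation range).
KNOWN_DOH_RESOLVERS = {"203.0.113.10", "203.0.113.11"}
DNS_PORT, DOT_PORT, HTTPS_PORT = 53, 853, 443


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse a constructed flow-log line 'src=.. dst=.. dport=.. proto=..'."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["src"], f["dst"], int(f["dport"])


def classify(dst: str, dport: int,
             enterprise_encrypted: bool = ENTERPRISE_SUPPORTS_ENCRYPTED_DNS) -> Optional[str]:
    """Return a finding label, or None when the flow follows the policy."""
    to_enterprise = dst == ENTERPRISE_RESOLVER
    if dport == DNS_PORT:                      # plain DNS must go to the enterprise resolver
        return None if to_enterprise else "plain DNS to non-enterprise resolver"
    if dport == DOT_PORT:                      # DoT only to the enterprise resolver, once supported
        if to_enterprise and enterprise_encrypted:
            return None
        return "DNS over TLS outside the enterprise resolver policy"
    if dport == HTTPS_PORT:                    # DoH hides inside ordinary HTTPS
        if to_enterprise:
            return None if enterprise_encrypted else "DoH to enterprise resolver before it supports encrypted DNS"
        if dst in KNOWN_DOH_RESOLVERS:
            return "HTTPS to known DoH resolver (likely DoH bypass)"
    return None                                # any other traffic is out of scope


def audit(lines: List[str],
          enterprise_encrypted: bool = ENTERPRISE_SUPPORTS_ENCRYPTED_DNS) -> List[Tuple[str, str, str]]:
    """Collect (src, dst, finding) for every flow that violates the policy."""
    findings = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        label = classify(dst, dport, enterprise_encrypted)
        if label:
            findings.append((src, dst, label))
    return findings


# Constructed sample flow log.
SAMPLE_LOG = [
    "src=10.1.1.5 dst=10.0.0.53 dport=53 proto=udp",       # allowed
    "src=10.1.1.6 dst=198.51.100.1 dport=53 proto=udp",    # stray plain DNS
    "src=10.1.1.7 dst=198.51.100.2 dport=853 proto=tcp",   # DoT to an outside resolver
    "src=10.1.1.8 dst=203.0.113.10 dport=443 proto=tcp",   # known DoH resolver
    "src=10.1.1.9 dst=203.0.113.99 dport=443 proto=tcp",   # ordinary HTTPS, allowed
    "src=10.1.1.10 dst=10.0.0.53 dport=853 proto=tcp",     # DoT to enterprise resolver
]
```

Flipping `ENTERPRISE_SUPPORTS_ENCRYPTED_DNS` to `True` is the point at which DoT/DoH to the enterprise resolver stops being a finding; DoH to unknown third-party hosts on port 443 remains invisible to this check, which is why the advisory pairs it with an address/domain blocklist.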

Congressional threats and inducements make Twitter and Facebook censorship a free-speech violation. Facebook and Twitter banned President Trump and numerous supporters after last week’s disgraceful Capitol riot, and Google, Apple and Amazon blocked Twitter alternative Parler—all based on claims of “incitement to violence” and “hate speech.” Silicon Valley titans cite their ever-changing “terms of service,” but their selective enforcement suggests political motives.
Conventional wisdom holds that technology companies are free to regulate content because they are private, and the First Amendment protects only against government censorship. That view is wrong: Google, Facebook and Twitter should be treated as state actors under existing legal doctrines. Using a combination of statutory inducements and regulatory threats, Congress has co-opted Silicon Valley to do through the back door what government cannot directly accomplish under the Constitution.
Read more on WSJ (Source: WSJ Opinion).

Twitter permanently suspended President Donald Trump’s account on Friday, citing “the risk of further incitement of violence.” The president’s account, with 88 million followers, was initially banned for 12 hours on Wednesday due to “severe violations of our Civic Integrity policy,” after he used the platform to condemn Vice President Mike Pence as his supporters stormed the Capitol. “After a close review of recent Tweets from the @realDonaldTrump account and the context around them we have permanently suspended the account due to the risk of further incitement of violence,” the company said in a tweet. Almost immediately, the account that Trump had used for years to convey his every thought, to denounce his enemies and praise his friends, to convey uncountable false statements and official White House announcements, simply disappeared. It was suddenly impossible to see his previous tweets or even to see his reaction to Twitter's decision. Instead, his empty account had been marked: "Account suspended." Trump's attempts to tweet from associated accounts also were blocked. At one point, he was tweeting from his campaign account, but that was promptly suspended. In a blog post, Twitter detailed the reasoning behind the decision. “In the context of horrific events this week, we made it clear on Wednesday that additional violations of the Twitter Rules would potentially result in this very course of action,” Twitter wrote. “Our public interest framework exists to enable the public to hear from elected officials and world leaders directly.
It is built on a principle that the people have a right to hold power to account in the open.” “However, we made it clear going back years that these accounts are not above our rules and cannot use Twitter to incite violence,” the post continued. “We will continue to be transparent around our policies and their enforcement.” The White House did not respond to a request for comment. Twitter banned the president’s account after years of public pressure and several attempts to limit the reach of his account in recent days. Hundreds of Twitter employees recently signed a letter urging Twitter CEO Jack Dorsey to ban the president from using the platform to incite violence in the wake of the Capitol siege. An employee at Twitter who has been pushing for the company to delete the president’s account this week told NBC News that “leadership took a beating” at a meeting Friday morning with employees, many of whom pleaded with executives to delete his account. This was the second time in a week Twitter had taken action against the president’s account. Twitter removed three tweets that promoted conspiracy theories about the election and locked Trump’s account on Wednesday, citing “a risk of violence,” after a violent riot at the Capitol. Trump’s official @POTUS account is still active, but if the company determines he’s using it to evade the ban, it will take action to limit its use, a Twitter spokesperson said in a statement. About two hours after his ban, Trump did turn to the official @POTUS account, railing against Twitter, Democrats, and “the Radical Left,” in a series of tweets that were quickly deleted. A Twitter spokesperson said, “As we’ve said, using another account to try to evade a suspension is against our rules. We have taken steps to enforce this with regard to recent Tweets from the @POTUS.” Learn more about this very bold and appropriate move from Twitter on OUR FORUM.