SSL and internet security news

marketing

Auto Added by WPeMatico

Regulating International Trade in Commercial Spyware

Siena Anstis, Ronald J. Deibert, and John Scott-Railton of Citizen Lab published an editorial calling for regulating the international trade in commercial surveillance systems until we can figure out how to curb human rights abuses.

Any regime of rigorous human rights safeguards that would make a meaningful change to this marketplace would require many elements, for instance, compliance with the U.N. Guiding Principles on Business and Human Rights. Corporate tokenism in this space is unacceptable; companies will have to affirmatively choose human rights concerns over growing profits and hiding behind the veneer of national security. Considering the lies that have emerged from within the surveillance industry, self-reported compliance is insufficient; compliance will have to be independently audited and verified and accept robust measures of outside scrutiny.

The purchase of surveillance technology by law enforcement in any state must be transparent and subject to public debate. Further, its use must comply with frameworks setting out the lawful scope of interference with fundamental rights under international human rights law and applicable national laws, such as the “Necessary and Proportionate” principles on the application of human rights to surveillance. Spyware companies like NSO Group have relied on rubber stamp approvals by government agencies whose permission is required to export their technologies abroad. To prevent abuse, export control systems must instead prioritize a reform agenda that focuses on minimizing the negative human rights impacts of surveillance technology and that ensures — with clear and immediate consequences for those who fail — that companies operate in an accountable and transparent environment.

Finally, and critically, states must fulfill their duty to protect individuals against third-party interference with their fundamental rights. With the growth of digital authoritarianism and the alarming consequences that it may hold for the protection of civil liberties around the world, rights-respecting countries need to establish legal regimes that hold companies and states accountable for the deployment of surveillance technology within their borders. Law enforcement and other organizations that seek to protect refugees or other vulnerable persons coming from abroad will also need to take digital threats seriously.

Powered by WPeMatico

Security Breaches Don’t Affect Stock Price

Interesting research: “Long-term market implications of data breaches, not,” by Russell Lange and Eric W. Burger.

Abstract: This report assesses the impact disclosure of data breaches has on the total returns and volatility of the affected companies’ stock, with a focus on the results relative to the performance of the firms’ peer industries, as represented through selected indices rather than the market as a whole. Financial performance is considered over a range of dates from 3 days post-breach through 6 months post-breach, in order to provide a longer-term perspective on the impact of the breach announcement.

Key findings:

  • While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to + 0.05%, and on average remained positive through the period assessed.

  • For the differences in the breached companies’ betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

  • For the differences in the breached companies’ beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre- breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

  • In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R2 greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

  • Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

The market isn’t going to fix this. If we want better security, we need to regulate the market.

Note: The article is behind a paywall. An older version is here. A similar article is here.

Powered by WPeMatico

Websites Grabbing User-Form Data Before It’s Submitted

Websites are sending information prematurely:

…we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.

This is important because it goes against what people expect:

In yesterday’s report on Acurian Health, University of Washington law professor Ryan Calo told Gizmodo that giving users a “send” or “submit” button, but then sending the entered information regardless of whether the button is pressed or not, clearly violates a user’s expectation of what will happen. Calo said it could violate a federal law against unfair and deceptive practices, as well as laws against deceptive trade practices in California and Massachusetts. A complaint on those grounds, Calo said, “would not be laughed out of court.”

This kind of thing is going to happen more and more, in all sorts of areas of our lives. The Internet of Things is the Internet of sensors, and the Internet of surveillance. We’ve long passed the point where ordinary people have any technical understanding of the different ways networked computers violate their privacy. Government needs to step in and regulate businesses down to reasonable practices. Which means government needs to prioritize security over their own surveillance needs.

Powered by WPeMatico