"In the future, everyone will be anonymous for 15 minutes." So said the artist Banksy, but following the rush to put everything online, from relationship status to holiday destinations, is it really possible to be anonymous - even briefly - in the internet age?

That saying, a twist on Andy Warhol's famous "15 minutes of fame" line, has been interpreted to mean many things by fans and critics alike. But it highlights the real difficulty of keeping anything private in the 21st Century.

"Today, we have more digital devices than ever before and they have more sensors that capture more data about us," says Prof Viktor Mayer-Schoenberger of the Oxford Internet Institute.

And it matters. According to a survey from the recruitment firm Careerbuilder, in the US last year 70% of companies used social media to screen job candidates, and 48% checked the social media activity of current staff.

Also, financial institutions can check social media profiles when deciding whether to hand out loans.


Meanwhile, companies create models of buying habits, political views and even use artificial intelligence to gauge future habits based on social media profiles.

One way to try to take control is to delete social media accounts, which some did after the Cambridge Analytica scandal, when 87 million people had their Facebook data secretly harvested for political advertising purposes.

While deleting social media accounts may be the most obvious way to remove personal data, this will not have any impact on data held by other companies.

Fortunately, in some countries the law offers protection.

In the European Union the General Data Protection Regulation (GDPR) includes the "right to be forgotten" - an individual's right to have their personal data removed.

In the UK that is policed by the Information Commissioner's Office. Last year it received 541 requests to have information removed from search engines, according to data shown to the BBC, up from 425 the year before, and 303 in 2016-17.

The actual figures may be higher as ICO says it often only becomes involved after an initial complaint made to the company that holds the information has been rejected.

But ICO's Suzanne Gordon says it is not clear-cut: "The GDPR has strengthened the rights of people to ask for an organisation to delete their personal data if they believe it is no longer necessary for it to be processed.

"However, this right is not absolute and in some cases must be balanced against other competing rights and interests, for example, freedom of expression."

The "right to be forgotten" shot to prominence in 2014 and led to a wide range of requests for information to be removed - early ones came from an ex-politician seeking re-election, and a paedophile - but not all have to be accepted.

Companies and individuals that have the money can hire experts to help them out.


A whole industry is being built around "reputation defence" with firms harnessing technology to remove information - for a price - and bury bad news from search engines, for example.

One such company, Reputation Defender, founded in 2006, says it has a million customers including wealthy individuals, professionals and chief executives. It charges around £5,000 ($5,500) for its basic package.

It uses its own software to alter the results of Google searches about its clients, helping to lower less favourable stories in the results and promote more favourable ones instead.


"The technology focuses on what Google sees as important when indexing websites at the top or bottom of the search results," says Tony McChrystal, managing director.

"Generally, the two major areas Google prioritises are the credibility and authority the web asset has, and how users engage with the search results and the path Google sees each unique individual follow.

"We work to show Google that a greater volume of interest and activity is occurring on sites that we want to promote, whether they're new websites we've created, or established sites which already appear in the [Google results pages], while sites we are seeking to suppress show an overall lower percentage of interest."

The firm sets out to achieve its specified objective within 12 months.

"It's remarkably effective," he adds, "since 92% of people never venture past the first page of Google and more than 99% never go beyond page two."

Prof Mayer-Schoenberger points out that, while reputation defence companies may be effective, "it is hard to understand why only the rich that can afford the help of such experts should benefit and not everyone".


So can we ever completely get rid of every online trace?

"Simply put, no," says Rob Shavell, co-founder and chief executive of DeleteMe, a subscription service which aims to remove personal information from public online databases, data brokers, and search websites.

"You cannot be completely erased from the internet unless somehow all companies and individuals operating internet services were forced to fundamentally change how they operate.

"Putting in place strong sensible regulation and enforcement to allow consumers to have a say in how their personal information can be gathered, shared, and sold would go a long way to addressing the privacy imbalance we have now."

[Source: This article was published in bbc.com By Mark Smith - Uploaded by the Association Member: Jay Harris]


Tech companies are leaving your private data unlocked online and there isn’t much you can do about it. (image: Flickr/ Maarten Van Damme)

SANTA ROSA, CALIF. — Chances are your private data has probably been available on the web for any random visitor to read. And you may not even be able to blame hackers or identity thieves for it.

Instead, somebody at a company that collected or handled your information — maybe a wireless carrier, maybe a software firm with a mailing list, maybe a political research firm trying to put you in one likely-voter box or another — may have left it vulnerable on their own. And this happens often enough for a security researcher to make finding these exposures his speciality.

What’s more, there’s really not much you can do about it short of becoming a digital hermit.

A boom in breaches

Chris Vickery, director of cyber risk research at Upguard Security, has a simple theory for why he keeps finding databases open.

“I would say convenience is probably the biggest reason,” Vickery said during an interview at a coffee shop in this Sonoma County city where he works remotely for his Mountain View, California employer. “It’s easier just to have it open to everybody.”


At best, he added, some hapless employee doesn’t think they left the data exposed or believes nobody will stumble upon their attempt to ease telecommuting.

The biggest such example Vickery found to date was some 200 million voter-registration records that a Republican National Committee contractor left publicly accessible.

But the consequences of changing secure default settings in such cloud systems as Amazon’s (AMZN) AWS can go well beyond extra spam.

For example, the 13 million account credentials from the Mac-software firm Kromtech that Vickery found in 2015 could have been used to hack into other accounts “secured” with the same passwords.

The 6 million Verizon (VZ) wireless subscriber records Vickery found last month included some account passcodes that an attacker might have used to defeat two-step verification security that confirms strange logins with a one-time code texted to your phone.

(Verizon’s media division Oath owns Yahoo Finance.)

And the 87 million Mexican voting records he uncovered in 2016 could have been exploited by drug traffickers to compound the country’s plague of kidnappings and murders. Vickery recalled one immediate reaction: “You cannot let the cartels know about this.”

The 32-year-old’s work has won endorsements from other security researchers.

“Chris has been enormously effective at sniffing out exposed data left at risk in all sorts of obscure places,” said Troy Hunt, an Australian researcher who runs a data-breach index called Have I been pwned? that can reveal if your accounts have been exposed.

How to find a breach

Vickery said the easy part of his job is finding these databases, thanks to a searchable catalogue of publicly-accessible devices called Shodan and automated scanning tools that can quickly detect databases left open.

“The amount of data that comes back isn’t a ton, but it happens at a very, very fast rate,” he said.

At no point, he said, does he engage in hacking or impersonation of a legitimate user.

“If you have a password or a username set up, I’m not going to go any further,” he said. “I don’t trick anything.”

If a search locates apparently sensitive data, he will download a sample to confirm that it represents material that should have stayed private. He usually doesn’t bother looking for his own info, but he has not been amused when he finds it — such as in a leaked voter-registration database in 2016.

“I looked myself up just to see if it was legit, and it was all my data,” he recalled. “I was pretty pissed.”

Then he will try to notify the affected company. That hasn’t always been easy. Kromtech, the maker of the often-scorned security app MacKeeper, didn’t respond to his queries until he posted about the problem on Reddit — though after securing the data, the firm hired him to blog about security issues.

Hunt, the Australian researcher, recently met even more egregious resistance when a British firm selling family discounts for things like theme parks blocked him and others on Twitter for tweeting about its lax security.

“I used to start at the bottom, calling the receptionist or something,” Vickery said. “Now I’ll start with the breached data and then find the CEO’s home number and call him at dinner. That usually gets a faster response.”

Unhelpful responses and an unhelpful law

But a response accepting his findings can still come seasoned with denial. Vickery advised against trusting the common excuse that only he saw the exposed data — many companies don’t keep the access records needed to prove that claim.

“They can say that plausibly because they’re not keeping logs,” he said.

Vickery said he has also received the occasional legal threat, despite making a point of not using hacking tools to sneak into sites.

“No law enforcement agency has ever even suggested that what I do is illegal,” he said.

But the 1986-vintage Computer Fraud and Abuse Act applies such a broad definition of online trespassing that a company could feasibly try to sue a researcher like Vickery.

A new bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, would exempt more security research from the CFAA as part of a larger tightening of security standards for internet-connected devices in government use. But this law’s vagaries have survived years of talk about reforming it.

Will another round of data-breach headlines change that? We’ll probably find out soon enough, Vickery said. While consumers are now better educated about the scope of the problem, companies keep making the same mistakes.

“I think things have gotten better in the past couple of years as far as awareness goes,” Vickery said. “But the number of breaches happening hasn’t decreased at all.”

Source: This article was published in yahoo.com By Rob Pegoraro


Companies like Paul Bunyan Communications, AT&T and Comcast have made public announcements pledging that their values remain unchanged in the face of the FCC ruling that now allows them to sell customer data.

(TNS) — BEMIDJI — Internet providers locally and nationally have stated they won't collect and sell Web browsing history.

The responses follow the passage of federal legislation this week allowing internet service providers to sell their customers' web browsing history. The legislation is a reversal of an Obama administration-era privacy rule through the Federal Communications Commission.


Regionally, Paul Bunyan Communications stated in a press release that regardless of what the law allows, it won't sell members' web browsing history.


"Our members' privacy is of the utmost importance to our member-owned and governed cooperative," Gary Johnson, the CEO and general manager of Bemidji-based Paul Bunyan Communications, said in the release. "We have never sold member web browsing history and have no plans to do so in the future regardless of what the rules and regulations may allow.

"We feel it is extremely important to reassure our customers that our cooperative will not sell their web browsing history," Johnson said. "Any provider who sells their customers' web browsing history without their consent is putting profits ahead of the trust of its customers and we believe that flies in the face of common decency, customer privacy and certainly our cooperative values and principles."

Other companies across the country made similar statements, such as Comcast.

"We do not sell our broadband customers' individual web browsing history. We did not do it before the FCC's rules were adopted and we have no plans to do so," said Comcast's Chief Privacy Officer Gerard Lewis in a release, according to Reuters Media.

AT&T, meanwhile, said in a statement that the company, "will not sell your personal information to anyone, for any purpose. Period," Reuters reported.


Source : govtech.com



Startups are usually in a rush, and they often forget about data security as they try to get an MVP out. With new businesses, a data breach can result in the company closing down. To address the mistakes most commonly made, I asked ten YEC entrepreneurs the following:

What’s the one crucial mistake that tech startups seem to make when it comes to data security nowadays and why?

1. Personal and professional borders

Bring your own device (BYOD) has become increasingly popular during the past years, even more so in the startup scene. People don’t like carrying several smartphones and having to get proficient in different operating systems for tasks such as checking their email or updating their calendars. However, convenience often compromises security. Workers’ personal devices can access and store sensitive corporate information locally. When the person leaves the company, the information leaves with them, forever stored on his or her device. Security-wise, this is a crucial mistake.


2. Ignoring two-step authentication

Two-step authentication – the system that sends your mobile phone a code via SMS, to enter when logging in to a new web page – is an easy, but often ignored, initial step. It is now offered in all the key business platforms, including Salesforce and Google Apps for Work. You can even enable this security system in social networks at will. Since password breaching is becoming more and more common, the wise thing to do is to enhance your online-stored sensitive information with an added protection layer.


3. Security issues

Racing to get a sustainable product on the market and getting those all important sales is a top startup priority, which may cause security mishaps early on. Ensuring that your systems are secure is a meticulous process which can rob resources from product development. However, when startups “cheat” during security setup, it is almost certain that they’ll come across the same problem in the future. Privacy and safety should be top priorities from the beginning.

4. Insufficient exit protocols

Data lapses and security breaches are more common with companies that depend mostly on freelancers or part-time staff unless they incorporate a predetermined exit procedure. Data loss, in the form of confidential information sharing, account access and other, is not hard to take place when sensitive corporate data remains stored on the devices of these people; they are not so security-conscious on their personal devices, or they even forget about having the information stored in the first place. You ought to protect your company’s and your client’s information by planning ahead with your legal team.

5. Forgoing SSL from the beginning

SSL (Secure Sockets Layer) is easily implementable from day one. It should be enabled by default in every website. It reassures your users, while upgrading the security level of your communications.


6. Failing to prioritize security

Startups often think they can leave security for later when they will have grown larger. The problem with this approach is that the company fails to incorporate security in its core values, which makes it harder to deal with when the time comes.

7. Having no policies for cloud storage

Cloud Storage services like Dropbox, Box and Google Drive, are an amazing way to keep your team up to speed and handle documents. However, failing to lock them down properly renders them vulnerable to ransomware, viruses, and unauthorized access. The main vulnerability is the convenience of file sharing itself, which means that backups, anti-virus, password, email attachment and access policies must be set up before a single user is allowed to cause trouble for a whole company.

8. Disregarding security best-practice

Change in security practices follows the pace of technological evolution. This means that security standards from a decade ago are now obsolete. Many startups fail to keep up with the most up-to-date security developments and as a result, they use outdated encryption protocols or old techniques that can be breached by hackers and crackers.

9. No internal policies and infrastructure

Tech startups are in a prime position regarding data security because they have the ability to apply best industry practices from the start, without being kept behind by outdated systems. This has resulted in unprecedented product security. However, despite the increased security, internal protocols and practices at tech startups have not evolved accordingly. Limited use of single log-in, sharing of credentials and insecure password policies are all aspects of the failure of technology startups to invest adequate resources in their internal systems and infrastructure or their influence on data security.



10. No suspicious activity notifications

About half-a-year ago, I suffered a data breach that brought me close to a significant financial setback. For starters, I used a single (weak) password across many organizations, as well as for personal use. Someone figured out the password, and I suffered breaches in multiple points at the same time. I could have easily avoided this catastrophe with a simple policy regarding password strength. What’s more, I found out that sophisticated data security tools exist in many systems for mitigating data breaches. On Google Apps for Business, for example, I set up a notification alert to be sent whenever weird activity takes place.

Source:  https://www.entrepreneur.com/article/277086




