Since its release on Sunday, experts and members of the public alike have raised privacy concerns with the federal governments COVIDSafe mobile app.

The contact tracing app aims to stop COVID-19s spread by tracing interactions between users via Bluetooth, and alerting those who may have been in proximity with a confirmed case.

Read more: Explainer: what is contact tracing and how does it help limit the coronavirus spread?

According to a recent poll commissioned by The Guardian, out of 1054 respondents, 57% said they were concerned about the security of personal information collected through COVIDSafe.

In its coronavirus response, the government has a golden opportunity to build public trust. There are other ways to build a digital contact tracing system, some of which would arguably raise fewer doubts about data security than the app.

Incorporating advanced cryptography into COVIDSafe could have given Australian citizens a mathematical guarantee of their privacy, rather than a legal one.

A team at Canadas McGill University is working on a solution that uses mix networks to send cryptographically hashed contact tracing location data through multiple, decentralised servers. This process hides the location and time stamps of users, sharing only necessary data.

This would let the government alert those who have been near a diagnosed person, without revealing other identifiers that could be used to trace back to them.

Its currently unclear what encryption standards COVIDSafe is using, as the apps source code has not been publicly released, and the government has been widely criticised for this. Once the code is available, researchers will be able to review and assess how safe users data are.

COVIDSafe is based on Singapores TraceTogether mobile app. Cybersecurity experts Chris Culnane, Eleanor McMurtry, Robert Merkel and Vanessa Teague have raised concerns over the apps encryption standards.

If COVIDSafe has similar encryption standards which we cant know without the source code it would be wrong to say the apps data are encrypted. According to the experts, COVIDSafe shares a phones exact model number in plaintext with other users, whose phones store this detail alongside the original users corresponding unique ID.

US-based advocacy group The Open Technology Institute has argued in favour of a differential privacy method for encrypting contact tracing data. This involves injecting statistical noise into datasets, giving individuals plausible deniability if their data are leaked for purposes other than contact tracing.

Zero-knowledge proof is another option. In this computation technique, one party (the prover) proves to another party (the verifier) they know the value of a specific piece of information, without conveying any other information. Thus, it would prove necessary information such as who a user has been in proximity with, without revealing details such as their name, phone number, postcode, age, or other apps running on their phone.

Some approaches to contact tracing involve specialised hardware. Simmel is a wearable pen-like contact tracing device. Its being designed by a Singapore-based team, supported by the European Commissions Next Generation Internet program. All data are stored in the device itself, so the user has full control of their trace history until they share it.

This provides citizens a tracing beacon they can give to health officials if diagnosed, but is otherwise not linked to them through phone data or personal identifiers.

The response to COVIDSafe has been varied. While the number of downloads has been promising since its release, iPhone users have faced a range of functionality issues. Federal police are also investigating a series of text message scams allegedly aiming to dupe users.

The federal government has not chosen a decentralised, open-source, privacy-first approach. A better response to contact tracing would have been to establish clearer user information requirements and interoperability specifications (standards allowing different technologies and data to interact).

Also, inviting the private sector to help develop solutions (backed by peer review) could have encouraged innovation and provided economic opportunities.

Read more: COVIDSafe tracking app reviewed: the government delivers on data security, but other issues remain

Personal information collected via COVIDSafe is governed under the Privacy Act 1988 and the Biosecurity Determination 2020.

These legal regimes reveal a gap between the publics and the governments conceptions of privacy.

You may think privacy means the government wont share your private information. But judging by its general approach, the government thinks privacy means it will only share your information if it has authorised itself to do so.

Read more: The new data retention law seriously invades our privacy and it's time we took action

Fundamentally, once youve told the government something, it has broad latitude to share that information using legislative exemptions and permissions built up over decades. This is why, when it comes to data security, mathematical guarantees trump legal guarantees.

For example, data collected by COVIDSafe may be accessible to various government departments through the recent anti-encryption legislation, the Assistance and Access Act. And you could be prosecuted for not properly self-isolating, based on your COVIDSafe data.

Moving forward, we may see more iterations of contact tracing technology in Australia and around the world.

The World Health Organisation is advocating for interoperability between contact tracing apps as part of the global virus response. And reports from Apple and Google indicate contact tracing will soon be built into your phones operating system.

As our government considers what to do next, it must balance privacy considerations with public health. We shouldnt be forced to choose one over another.

Here is the original post:
The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy - The Conversation AU

Written by Sean Lyngaas Apr 28, 2020 | CYBERSCOOP

Civil liberties groups on Tuesday asked an appeals court to unseal a federal judges ruling that rejected a U.S. government effort to force Facebook to decrypt voice calls.

The American Civil Liberties Union and the Electronic Frontier Foundation argue that the public has a right to know about how U.S. prosecutors tried to force Facebook to decrypt the calls in a 2018 investigation of the MS-13 gang, and why a judge rejected the prosecutors effort. The Department of Justice is urging the court to keep the ruling sealed, arguing that making it public could compromise ongoing criminal investigations.

It is the latest front in a broader standoff between privacy advocates and law enforcement over access to encrypted communications. Law enforcement officials have for years lamented that strong encryption has hampered investigations into terrorists and criminals. But many technologists say any software especially designed for law enforcement access risks weakening security for many other internet users.

In this case, civil liberties groups say a failure to clarify the legal requirements forgivingauthorities access to encrypted communications would set a dangerous precedent.

[U]sers of electronic communications services, and the providers of those services themselves, would not know whether federal law requires providers to weaken the security of their services at the behest of the police, Riana Pfefferkorn, a scholar at Stanford Law SchoolsCenter for Internet and Society and one of the plaintiffs, told CyberScoop in an email.

The DOJ pressure on Facebook stemmed from a 2018 criminal case against suspected members of the MS-13 gang in California. After the FBI said it couldnt access calls made on Facebook Messenger by the suspects, prosecutors tried to get a judge to hold Facebook in contempt of court for failing to carry out a wiretap order to decrypt the calls. The judge rejected the prosecutors request, Reuters reportedinSeptember2018.

A U.S. district judge denied the ACLU and EFFs request to unseal the documents last year,but the groups have taken the case to the U.S. Court of Appeals for the Ninth Circuit.

[T]he Department of Justice has told us that the current law is not strong enough and does not give it enough authority to conduct the surveillance it needs to in investigations, Jennifer Granick, a lawyer for the ACLU, argued during the video-conferenced hearing Tuesday. The public needs to know what that current law is.

But Scott Meisler, a DOJ lawyer, argued that unsealing the ruling could disrupt other criminal investigations.

If we have parallel proceedings where we have right-of-access litigation on one side versus criminal discovery on the other side, I do think it interferes not just with ongoing investigations but with the way that ongoing prosecution is carried out, Meisler told the court.

It is unclear when the appeals court will make a ruling on the documents.

The standoff over encryption has escalated in recent months, as Justice officials have held conferences to galvanize support for their positionagainst allowing people to go dark in their communications.

They have sympathetic ears on Capitol Hill. In March, a bipartisan group of senators introduced legislation that would force tech companies to do more to fight child exploitation or risk losing liability protections. Critics say there would be no way for companies to comply with the bill without undermining strong encryption.

The Facebook Messenger case is reminiscent of when the FBI took Apple to court in 2016 to compel the tech company to unlock the iPhone of the perpetrator of the San Bernardino terrorist attack. The bureau dropped that demand after paying a contractor to crack the phone.

Read more:
ACLU, EFF still trying to get documents unsealed in Facebook encryption case - CyberScoop

Lets Encryptissued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server thats effectively impenetrable to snooping. The pandemic hasnt halted the groups progress: It says its now issued over 1,080,000,000 certificates.

That Lets Encrypt doesnt charge for this service is a big deal. A digital certificate for a websitealso useful for email servers and other client/server systemsused to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.

While the price had dropped significantly before Lets Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though Ive been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Lets Encrypt.)

Lets Encrypt didnt set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing that has doubled the number of secure sites from 40 to 80 percent of all sites since 2016.

As executive director and cofounder of ISRG Josh Aas says, the organization wants everyone to be able to go out and participate fully in the web without having to pay hundreds of dollars to do something. Setting the cost at zero benefits each sites users and the internet as a whole.

Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Lets Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.

This dramatic increase in web encryption protects people from some unwanted commercial tracking and snooping by malicious parties and government actors alike. It took Lets Encrypt as a catalyst to put it within the reach of every website.

After the revelation of the scope and nature of wide-scale, routine data collection by U.S. national security agencies added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest stored on servers, and browser makers calling users attention to unprotected web sessions.

That last part was critical, as Chrome, Firefox, and Safari slowly increased warnings about nonencrypted connectionsand finally turned those warnings into outright error messages. But it could also have been unfair to smaller websites, especially those in developing nations and ones run by nonprofits, volunteer groups, and small companies lacking the wherewithal to implement encryption. Without an easy way for most organizations to secure their sites, it would have balkanized the net.

Lets Encrypt stepped into that growing void. Now financially supported by a host of major tech companiesthough Apples name is oddly and noticeably absentthe firm has scaled successfully from a million certificates a year to a million a day over just four years.

We want to make sure that when someone entrusts us with a dollar, we go out and do the most work we can with that dollar.

We want to make sure that when someone entrusts us with a dollar, we go out and do the most work we can with that dollar, Aas says. For instance, he says, the group relies on three very expensive, exceedingly reliable database servers. Each costs $100,000 or more, but the setup provides triple redundancy. Using more common, cheaper hardware would require more staffers to provide maintenance.

ISRG has also retained an extremely tight mission focus on certificate issuance. And it offers no customer support, though it has a rich and active community that it encourages and ever-improving online documentation. Not providing support results in a huge amount of internal pressure to ensure people dont need support, says Aas. Developing community is a huge part of our efficiency.

Some major hosting firms have adopted Lets Encrypt as an effectively no-cost method of adding digital certificates for their users sites with almost no overhead. They can automate the process of requesting a certificate, receiving it, and installing it, a dramatically less intensive process than any previous method. (Lets Encrypt has focused on automation and spent three years shepherding a relevant Internet Engineering Task Force draft through to a proposed standard in March 2019.)

The widely used cPanel administrative interface offers Lets Encrypt as a point-and-click option to install a certificate. But its equally trivial to use manually. To renew certificates across about 20 domains and subdomains I own, I type in a single command every three months, reminded by Lets Encrypts renewal email 30 days in advance. A few seconds pass and Im ready to go for another three months. If I were slightly less lazy, I could entirely automate the process through a recurring server-based task.

Most free things on the internet come with an expensive price tagusually involving giving up our privacy. Lets Encrypt is the rare organization that does something useful and controls its scope and budget, so it can be more efficient every day it operates. The organization knows virtually nothing about parties requesting certificatesit doesnt even ask for an email addressand retains almost nothing. It relies entirely on domain ownership as proof of a users identity. Thats enough, since all a certificate does is validate that someone runs the domain that the certificate is securing.

With its constrained mission, Aas says that ISRG has plenty of efficiencies yet to reap and improvements to make, even as it focuses on its day-to-day operations. We take the time to do it right, but we dont take more time than we need to get it right, he says. The group took years to become a certificate authority (CA), for instance, making it one of a few hundred organizations trusted by a handful of operating system and browser makers to be the root of trust for certificates.

And just before the billionth certificate was issued, Lets Encrypt implemented a security technique, the first by a CA, that effectively blocks the ability of a malicious party to subvert a flaw in the internets data routing system and obtain a domain certificate fraudulently. (It fully documented its new technology so others could benefit from it too.)

In many ways, Lets Encrypt is a throwback to the precommercial internet, when a combination of generosity, mutual benefit, and enlightened self-interest allowed for rapid improvements. Its free certificates are a ticket to that pastbut with modern technological efficiencies that keep it pointing toward the future.

Visit link:
How Let's Encrypt changed the web with free, easy encryption - Fast Company

Technavio has been monitoring the encryption management solutions market and it is poised to grow by USD 3.21 bn during 2019-2023, progressing at a CAGR of almost 14% during the forecast period. The report offers an up-to-date analysis regarding the current market scenario, latest trends and drivers, and the overall market environment.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20200417005010/en/

Technavio has announced the latest market research report titled Global Encryption Management Solutions Market 2019-2023 (Graphic: Business Wire)

Technavio suggests three forecast scenarios (optimistic, probable, and pessimistic) considering the impact of COVID-19. Please Request Latest Free Sample Report on COVID-19 Impact

The market is concentrated, and the degree of concentration will accelerate during the forecast period. Cisco Systems Inc., IBM Corp., McAfee LLC, Oracle Corp., Sophos Ltd., and Symantec Corp, are some of the major market participants. To make the most of the opportunities, market vendors should focus more on the growth prospects in the fast-growing segments, while maintaining their positions in the slow-growing segments.

Rising demand for digitalization has been instrumental in driving the growth of the market.

Encryption Management Solutions Market 2019-2023 : Segmentation

Encryption management solutions market is segmented as below:

To learn more about the global trends impacting the future of market research, download a free sample: https://www.technavio.com/talk-to-us?report=IRTNTR31232

Encryption Management Solutions Market 2019-2023 : Scope

Technavio presents a detailed picture of the market by the way of study, synthesis, and summation of data from multiple sources. Our encryption management solutions market report covers the following areas:

This study identifies honey encryption as one of the prime reasons driving the encryption management solutions market growth during the next few years.

Encryption Management Solutions Market 2019-2023 : Vendor Analysis

We provide a detailed analysis of around 25 vendors operating in the encryption management solutions market, including some of the vendors such as Cisco Systems Inc., IBM Corp., McAfee LLC, Oracle Corp., Sophos Ltd., and Symantec Corp. Backed with competitive intelligence and benchmarking, our research reports on the encryption management solutions market are designed to provide entry support, customer profile and M&As as well as go-to-market strategy support.

Register for a free trial today and gain instant access to 17,000+ market research reports.

Technavio's SUBSCRIPTION platform

Encryption Management Solutions Market 2019-2023 : Key Highlights

Table Of Contents :

PART 01: EXECUTIVE SUMMARY

PART 02: SCOPE OF THE REPORT

PART 03: MARKET LANDSCAPE

PART 04: MARKET SIZING

PART 05: FIVE FORCES ANALYSIS

PART 06: MARKET SEGMENTATION BY APPLICATION

PART 07: CUSTOMER LANDSCAPE

PART 08: MARKET SEGMENTATION BY DEPLOYMENT

PART 09: GEOGRAPHIC LANDSCAPE

PART 10: DECISION FRAMEWORK

PART 11: DRIVERS AND CHALLENGES

PART 12: MARKET TRENDS

PART 13: VENDOR LANDSCAPE

PART 14: VENDOR ANALYSIS

PART 15: APPENDIX

PART 16: EXPLORE TECHNAVIO

About Us

Technavio is a leading global technology research and advisory company. Their research and analysis focus on emerging market trends and provides actionable insights to help businesses identify market opportunities and develop effective strategies to optimize their market positions. With over 500 specialized analysts, Technavios report library consists of more than 17,000 reports and counting, covering 800 technologies, spanning across 50 countries. Their client base consists of enterprises of all sizes, including more than 100 Fortune 500 companies. This growing client base relies on Technavios comprehensive coverage, extensive research, and actionable market insights to identify opportunities in existing and potential markets and assess their competitive positions within changing market scenarios.

View source version on businesswire.com: https://www.businesswire.com/news/home/20200417005010/en/

Contacts

Technavio ResearchJesse MaidaMedia & Marketing ExecutiveUS: +1 844 364 1100UK: +44 203 893 3200Email: media@technavio.com Website: http://www.technavio.com/

Read the original post:
Analysis of COVID-19-Encryption Management Solutions Market 2019-2023 | Rising Demand For Digitalization to Boost Growth | Technavio - Yahoo Finance

Recent weeks have been rough, with droves of people turning to virtual communication for sensitive conversations theyd like to keep private medical visits, seeing friends faces and hearing their voices, or solace for those whove lost loved ones.

Understandably, the end-to-end (E2E) encrypted messaging app Signal has been signing up new users at unprecedented rates and flipping the switch on servers faster than we ever anticipated, Signals Joshua Lund said last week.

and you can say goodbye to any of that staying stateside if the EARN IT Act passes.

Signal claims that legal and liability concerns would make it impossible to operate in the US. That doesnt mean it would shut up shop entirely, but it could mean that the non-profit would need to move operations now based in the US.

Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), the bill was introduced last month. If it passes, EARN IT would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.

To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites arent liable for user-submitted content.

The proposed legislations details havent been ironed out yet, but at this early point, the bills intent to water down Section 230 turns that protection into a hypocritical bargaining chip, Lund wrote on Signals blog.

At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee best practices that are extraordinarily unlikely to allow end-to-end encryption. Anyone who doesnt comply with these recommendations will lose their Section 230 protection.

Maybe some of the tech behemoths could swing the potentially huge financial risk that would come with slews of lawsuits as they suddenly become responsible for whatever random things their users say, but not Signal, Lund said.

It would not be possible for a small nonprofit like Signal to continue to operate within the United States. Tech companies and organizations may be forced to relocate, and new startups may choose to begin in other countries instead.

Its bizarre that a government thats reliant on secure, private messaging would even contemplate gutting E2E encryption, Lund said. In February, the European Commission endorsed the messaging app, telling staff to switch to Signal for encrypted messaging. Lund listed other military and government endorsements, calling the proposed legislation troubling and confusing:

For a political body that devotes a lot of attention to national security, the implicit threat of revoking Section 230 protection from organizations that implement end-to-end encryption is both troubling and confusing. Signal is recommended* by the United States military. It is routinely used by senators and their staff. American allies in the EU Commission are Signal users too. End-to-end encryption is fundamental to the safety, security, and privacy of conversations worldwide.

*The US Military also recommends Wickr for encrypted messaging: both it and Signal feature auto-delete functions that erase messages after a set period of time.

The bills backers claim that theyre not targeting encryption. Rather, as with other attempts to legally enforce encryption backdoors, theyre claiming that their real goal is to get companies to accept responsibility for the enabling of online child sexual abuse.

But as has been explained by Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at The Center for Internet and Society at Stanford Law, the bill doesnt have any tools to actually stop online child abuse. Furthermore, if it passes, it would actually make it much harder to prosecute pedophiles, she says.

As it now stands, online providers proactively, and voluntarily, scan for child abuse images by comparing their hash values to known abusive content.

Apple does it with iCloud content, Facebook has used hashing to stop millions of nude childrens images, and Google released a free artificial intelligence tool to help stamp out abusive material, among other voluntary efforts by major online platforms.

The key word is voluntarily, Pfefferkorn says. Those platforms are all private companies, as opposed to government agencies, which are required by Fourth Amendment protections against unreasonable search to get warrants before they rifle through our digital content, including email, chat discussions and cloud storage.

The reason that private companies like Facebook can, and do, do exactly that is that they are not the government, theyre private actors, so the Fourth Amendment doesnt apply to them.

Turning the private companies that provide those communications into agents of the state would, ironically, result in courts suppression of evidence of the child sexual exploitation crimes targeted by the bill, she said.

Pfefferkorn has also pointed out that the bill would give unprecedented power to Attorney General William Barr, a vocal critic of end-to-end encryption, who would become the arbiter of any recommendations from the best practices commission that the EARN IT bill would create.

The best practices approach came after pushback over the bills predicted effects on privacy and free speech. The best practices would be subject to approval or veto by Barr, who has issued a public call for backdoors; the Secretary of Homeland Security (ditto); and the Chair of the Federal Trade Commission (FTC).

Basically, those wolves are going to eat smaller encryption providers alive, Lund said:

It is as though the Big Bad Wolf, after years of unsuccessfully trying to blow the brick house down, has instead introduced a legal framework that allows him to hold the three little pigs criminally responsible for being delicious and destroy the house anyway. When he is asked about this behavior, the Big Bad Wolf can credibly claim that nothing in the bill mentions huffing or puffing or the application of forceful breath to a brick-based domicile at all, but the end goal is still pretty clear to any outside observer.

Last month, Sen. Ron Wyden, who introduced the CDAs Section 230, said that the disastrous legislation is a Trojan horse that will give President Trump and Attorney General Barr the power to control online speech and require government access to every aspect of Americans lives.

The EARN IT Act is only the latest of many attempts to inject an encryption backdoor that the US government and law enforcement agencies have been trying to inflict for years.

Digital rights advocates say that the proposed act could harm free speech and data security, and Sophos concurs. For years, weve said #nobackdoors, agreeing with the Information Technology Industry Council that Weakening security with the aim of advancing security simply does not make sense.

The EARN IT Act is still working its way through Congress, not having seen a vote in either the House nor Senate.

Theres still time to stop it, Lund said. To reach out to elected officials, you can look up contact information on The Electronic Frontier Foundations Action Center.

Go here to see the original:
Signal: Well be eaten alive by EARN IT Acts anti-encryption wolves - Naked Security