Indias proposed internet regulations can threaten privacy everywhere

ISLAMABAD: India this week is poised to unveil new rules that threaten encrypted communications around the world, it seems safe to say that the encryption fight is now fully underway, foreign media reported on Friday.

Messaging products that are end-to-end encrypted can be read only by the sender and the recipient. The encrypted platform itself such as Apples iCloud, or Facebooks WhatsApp cant read the message, because it doesnt have a key. This has led to periodic attempts from law enforcement agencies and lawmakers to force platforms to create so-called backdoors that would allow them to snoop on the contents of those messages. But the platforms have resisted, and the issue has generally been in a stalemate.

The Indian government has often taken a draconian approach to regulating the web shutting down internet access at least 95 times last year, including an indefinite shutdown in Kashmir that a judge called an abuse of power earlier this year.

Now a set of rules proposed a little over a year ago would force tech platforms to cooperate continuously with government requests, without requiring so much as a warrant or court order. Among the requirements is that any post be traceable to its origin. And in what is believed to be a world first, the rules would require tech companies to do the investigating to deploy their sophisticated tools to track a posts spread on their network back to its point of origin, and then turn that information over to law enforcement.

This is quite different from the current approach, in which law enforcement identifies a suspect and then asks platforms to supply information about them. Now tech companies could essentially be required to serve as deputies of the state, conducting investigations on behalf of law enforcement, without so much as a court order.

That almost certainly means breaking encryption how else could tech companies be expected to trace the source of a message? Imagine Clearview AI, but as a service tech companies are required to provide to law enforcement for free.

The final rules are expected to be released imminently, Saritha Roi reports in Bloomberg:

The Ministry of Electronics and Information Technology is expected to publish the new rules later this month without major changes, according to a government official familiar with the matter.

The provisions in the earlier draft had required platforms such as Googles YouTube or ByteDance Inc.s TikTok, Facebook or its Instagram and WhatsApp apps, to help the government trace the origins of a post within 72 hours of a request. The companies would also have to preserve their records for at least 180 days to aid government investigators, establish a brick-and-mortar operation within India and appoint both a grievance officer to deal with user complaints and a government liaison. The rules would apply to any app with more than 5 million users, including Facebook, YouTube, Twitter, and TikTok. Bloomberg reports that its not clear whether the identities of foreign users would be exempt.

The tech companies are fighting back. A trade group has argued that the rules would represent a severe violation of Indian citizens privacy, and they would almost certainly sue if the rules were implemented as written. But theres no guarantee that theyll win. And if these rules take effect India wont be the last democracy to implement them. Tech companies will come under increasing pressure to implement a similar system in other Western countries. (Australia seems poised to try to break encryption as well.)

What happens if encryption supporters lose? First, privacy is diminished for billions of users including for activists, dissidents, victims of domestic abuse, businesses, and even government workers who have come to rely on secure messaging.

Second, the move could hurt the tech sector both in India and abroad by making it prohibitively expensive to launch a new business. Who can afford to build a compliance regime that requires the company to accommodate any government request, no matter how small, from day one? In practice, the answer is likely to be only incumbents. Hannah Quay-de la Vallee makes this point here:

If this rule is implemented in India (and potentially copied by other nations) it could force companies to create two types of systems one that uses e2e and one that doesnt. Companies might well justifiably balk at the cost and complexity of that approach and simply build less secure systems. That would weaken the overall safety of the internet ecosystem, harming users around the globe. Alternatively they could remove themselves from the Indian market altogether, depriving 1.2 billion people of state-of-the-art internet security. Neither of these are good outcomes.

See the original post:
Indias proposed internet regulations can threaten privacy everywhere - The News International

On the upside, the Bureau recovered more than US$300 million in funds lost to online scams last year

In 2019, the United States Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the Bureaus annual 2019 Internet Crime Report (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled only US$1.1 billion.

Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers email accounts.

Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.

Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; under-twenties claimed just 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.

Seniors are often the targets of romance, tech support, government impersonation and lottery scams. Victims of these schemes have been defrauded out of over US$835 million. Romance and confidence fraud alone account for almost half a billion dollars in losses, with the FBI estimating that up to 30% of romance fraud victims had been used as money mules.

RELATED READING: Cybersecurity Barometer: Cybercrimes impact on privacy and security

Tech support fraud remains a growing problem as scammers attempt to defraud their victims by contacting them under the pretense of resolving a non-existing technical issue with their software licenses or bank accounts.

Recently, however, scammers have started impersonating representatives of well-known travel companies, financial institutions or virtual currency exchanges. Tech support fraud has claimed approximately US$54 million in losses in 2019, a 40% increase compared to the previous year, with most victims falling into the over-60 age category.

Meanwhile, losses emanating from ransomware reached around US$9 billion, almost triple the losses incurred in 2018. The number of reported victims also rose to about 2,000 compared to 1,500 from 2018. While phishing was still the most widespread problem claiming 114,072 victims last year, non-payment and non-delivery scams came in second with about half the number of victims being 61,832.

Not to end on a bleak note, the FBIs Recovery Asset Team (RAT) helped retrieve almost US$305 million lost in scams, giving it a 79% return rate of reported losses.

Excerpt from:
FBI: Cybercrime losses tripled over the last 5 years - We Live Security

In December, after a somewhat bruising Senate hearing with Facebook, I argued that the fight over encryption was just beginning. This week, with India poised to unveil new rules that threaten encrypted communications around the world, it seems safe to say that the encryption fight is now fully underway.

First, some background.

Messaging products that are end-to-end encrypted can be read only by the sender and the recipient. The encrypted platform itself such as Apples iCloud, or Facebooks WhatsApp cant read the message, because it doesnt have a key. This has led to periodic attempts from law enforcement agencies and lawmakers to force platforms to create so-called backdoors that would allow them to snoop on the contents of those messages. But the platforms have resisted, and the issue has generally been in a stalemate.

In India, though, things are moving very quickly to make end-to-end encryption illegal. The country has sought to exert more control over the internet in the wake of lynchings committed after false rumors spread on WhatsApp. But the Indian government has often taken a draconian approach to regulating the web shutting down internet access at least 95 times last year, including an indefinite shutdown in Kashmir that a judge called an abuse of power earlier this year.

Now a set of rules proposed a little over a year ago would force tech platforms to cooperate continuously with government requests, without requiring so much as a warrant or court order. Among the requirements is that any post be traceable to its origin. And in what is believed to be a world first, the rules would require tech companies to do the investigating to deploy their sophisticated tools to track a posts spread on their network back to its point of origin, and then turn that information over to law enforcement.

This is quite different from the current approach, in which law enforcement identifies a suspect and then asks platforms to supply information about them. Now tech companies could essentially be required to serve as deputies of the state, conducting investigations on behalf of law enforcement, without so much as a court order.

That almost certainly means breaking encryption how else could tech companies be expected to trace the source of a message? Imagine Clearview AI, but as a service tech companies are required to provide to law enforcement for free, and you start to understand what the Indian government is asking for here.

The final rules are expected to be released imminently, Saritha Roi reports in Bloomberg:

The Ministry of Electronics and Information Technology is expected to publish the new rules later this month without major changes, according to a government official familiar with the matter. [...]

The provisions in the earlier draft had required platforms such as Googles YouTube or ByteDance Inc.s TikTok, Facebook or its Instagram and WhatsApp apps, to help the government trace the origins of a post within 72 hours of a request. The companies would also have to preserve their records for at least 180 days to aid government investigators, establish a brick-and-mortar operation within India and appoint both a grievance officer to deal with user complaints and a government liaison.

The rules would apply to any app with more than 5 million users, including Facebook, YouTube, Twitter, and TikTok. Bloomberg reports that its not clear whether the identities of foreign users would be exempt.

The tech companies are fighting back. A trade group has argued that the rules would represent a severe violation of Indian citizens privacy, and they would almost certainly sue if the rules were implemented as written.

But theres no guarantee that theyll win. And if these rules take effect India wont be the last democracy to implement them. Tech companies will come under increasing pressure to implement a similar system in other Western countries. (Australia seems poised to try to break encryption as well.)

What happens if encryption supporters lose? First, privacy is diminished for billions of users including for activists, dissidents, victims of domestic abuse, businesses, and even government workers who have come to rely on secure messaging.

Second, the move could hurt the tech sector both in India and abroad by making it prohibitively expensive to launch a new business. Who can afford to build a compliance regime that requires the company to accommodate any government request, no matter how small, from day one? In practice, the answer is likely to be only incumbents. Hannah Quay-de la Vallee makes this point here:

If this rule is implemented in India (and potentially copied by other nations) it could force companies to create two types of systems one that uses e2e and one that doesnt. Companies might well justifiably balk at the cost and complexity of that approach and simply build less secure systems. That would weaken the overall safety of the internet ecosystem, harming users around the globe. Alternatively they could remove themselves from the Indian market altogether, depriving 1.2 billion people of state-of-the-art internet security. Neither of these are good outcomes.

Given how many things Americans have to worry about domestically, I understand how a story about Indian internet rules can fly under the radar. But its important to recognize that the spirit thats animating the discussion in India is alive and well in the United States. Threats to privacy are multiplying faster than tech or society can deal with them. In such a world, encryption is one of the last and best tools we have to fight back.

Today in news that could affect public perception of the big tech platforms.

Trending sideways: Facebooks fundraising features, which have led to more than $3 billion in donations since 2015, have generated significant goodwill. But nonprofits are complaining they dont receive enough data about donors to form long-lasting relationships.

Mike Bloomberg is paying some of the biggest meme-makers on the internet to post sponsored content on Instagram promoting his presidential campaign. Hes working with Meme 2020, a company formed by some of the people behind extremely influential accounts, like Mick Purzycki of Jerry Media. Taylor Lorenz at The New York Times has the scoop:

The campaign, which launched this week, has already placed sponsored posts on Instagram accounts including @GrapeJuiceBoys, a meme page with more than 2.7 million followers; Jerry Medias own most popular account, with more than 13.3 million followers; and @Tank.Sinatra, a member with more than 2.3 million followers.

The accounts all posted Bloomberg campaign ads in the form of fake direct messages from the candidate.

Larry Ellison, the founder of Oracle and one of the worlds richest men, is throwing a fundraiser for Donald Trump. Its the most significant display of support from a major tech titan for the president, by far. (Theodore Schleifer / Recode)

Senator Kirsten Gillibrand (D-NY) released a proposal to overhaul the way the US government regulates privacy. Her new Data Protection Act would create an independent agency to protect consumer data at large. (Makena Kelly / The Verge)

A court in Moscow fined Twitter and Facebook 4 million rubles each (a piddling $63,000) for refusing to store the personal data of Russian citizens on servers in their home country. Its the largest penalty imposed on Western technology companies yet under Russias new internet laws, which are designed to give the government more control over peoples online activity. (Associated Press)

A network of news sites is expanding across the country. Nearly 40 websites masquerading as conservative local news outlets were discovered in Michigan in October. Now, additional statewide networks have sprung up in Montana and Iowa. (Katherina Sourine and Dominick Sokotoff / The Michigan Daily)

A mobile voting app used in West Virginia has basic security flaws that could allow someone to see and intercept votes as theyre transmitted from mobile phones to the voting companys server. Its the latest evidence that digital voting solutions are not secure. (Kim Zetter / Vice)

Facebooks dataset of anonymized URLs, which is meant to help researchers study the impact of social media on democracy, is finally live. The project, which allows approved researchers to see every link shared on Facebook, is part of a research partnership with Social Science One. Gary King and Nathaniel Persily of Social Science One talk about why the launch took so long:

When Facebook originally agreed to make data available to academics through a structure we developed (King and Persily, 2019, GaryKing.org/partnerships) and Mark Zuckerberg testified about our idea before Congress, we thought this day would take about two months of work; it has taken twenty. Since the original Request for Proposals was announced, we have been able to approve large numbers of researchers, and we continue to do so. When this project began, we thought the political and legal aspects of our job were over, and we merely needed to identify, prepare, and document data for researchers with our Facebook counterparts. In fact, most of the last twenty months has involved negotiating with Facebook over their increasingly conservative views of privacy and the law, trying to get different groups within the company on the same page, and watching Facebook build an information security and data privacy infrastructure adequate to share data with academics.

Facebooks New Product Experimentation team released a Pinterest-like app for saving and sharing photos of activities like cooking and home improvement projects. The app, called Hobbi, is meant to help you document and remember the things you love to do. Pinterest stock dipped on the news. (Alex Heath / The Information)

Teens are creating thrifting communities on Instagram where they buy and sell clothes in photos and comments. Its like a modern-day eBay. (Mia Sato / Input)

Jeff Bezos bought the most expensive property in LA with an eighth of a percent of his net worth. It is literally impossible to imagine just how rich the wealthiest people on the planet are. (Bijan Stephen / The Verge)

Amazons first employee, Shel Kaphan, says breaking up the company could potentially make sense. In an interview for a new PBS Frontline documentary about Amazon, Kaphan said hes proud of what the company has become, but also conflicted. (Jason Del Rey / Recode)

In 2019, YouTube dominated 70 percent of the total time people spent on their phones watching the top five entertainment apps. Its success is something that companies like Netflix, WarnerMedia, NBCUniversal, and Disney will have to take into account as they compete for peoples attention. (Julia Alexander / The Verge)

The CEO of an AI startup with deep ties to the University of Michigan just stepped down from the company amid allegations of sexual misconduct. But hes still a professor at the school. (Zoe Schiffer / The Verge)

Ezra Kleins new book, Why Were Polarized, charts 50 years of American history to figure out why our political climate is the way it is. It turns out the answer is a lot more complicated than just social media. (Nicholas Thompson / Wired)

New social media advice when going through a breakup: Deactivate your accounts, have a trusted friend change the passwords, and avoid looking back for as long as you can stand it. (Katie Way / Vice)

Im sure theres relevant context here, but Ive decided that I dont care to look it up.

Send us tips, comments, questions, and your WhatsApp user ID: casey@theverge.com and zoe@theverge.com.

See the rest here:
Indias proposed internet regulations could threaten privacy everywhere - The Verge

Theres big money in fake love. Over the years, romance scammers have preyed upon the lonely and vulnerable to steal hundreds of millions of dollars likely racking up into the billions.

Such scams usually sees a criminal masquerading as someone else online, often on dating sites, to gain a victims confidence. Once trust or perhaps love, on the part of the victim is established, the scammer asks for cash.

According to recent Internet Crime Complaint Center (IC3) figures, romance scammers stole $475m from unsuspecting victims in 2019.

While the FTC puts this figure at $201m, one thing is clear: romance scams are at an all-time high.

And as ESET cybersecurity specialist Jake Moore points out, the real figure could be far higher than the statistics suggest.

Romance scams are huge but still we only hear about the tip of the iceberg as few people want to let everyone know theyve been scammed in this way, he tells Verdict.

But people shouldnt be embarrassed as fraudsters are convincing storytellers. These criminals are very good at what they do and can manipulate their victims into sending money after gaining their trust rapidly.

Valentines Day, and the period surrounding it, is an obvious target for romance scammers. Research by ESET, a Slovakian internet security firm, claims that 52% of singletons are more likely to fall for romance scams at this time of year.

Although some may find it difficult to understand why you would transfer money to someone youve never met, Agari senior threat researcher Ronnie Tokazowski says there are a lot more moving parts than people realise.

While we may be quick to assume that victims are aware of their actions, our research shows that this is quite the opposite, Tokazowski tells Verdict.

Agari, which specialises in email security, has previously uncovered a romance scam group dubbed Scarlet Widow. The Nigerian crime ring specifically targeted dating sites for the disabled and divorced.

Victims truly think they are in an actual relationship, and in many cases are able to repeat the fake facts from scammers back to law enforcement, says Tokazowski.

Get the Verdict morning email

With law enforcement getting partial stories from victims who think they are actually in a relationship doing business transactions for a spouse, it becomes extremely difficult to track and cluster this activity.

Despite the prevalence of these scams, there are telltale signs that can give them away. The FTC notes that scammers will often say they are living in a different country, which makes it easier to put off meeting face to face. It also gives the scammer an opportunity to ask for money for a plane ticket to visit their victim.

They will usually mention money problems at some point or mention debt collectors, says Moore. Plus they will put off meeting up by coming up with a colourful selection of excuses.

If you have suspicions about an online relationship, talking to friends and family about it can provide a more objective opinion.

Scammers use romance victims for different things, including purchasing gift cards, cashing fraudulent checks, and laundering funds, always promising that the transactions are legitimate, adds Tokazowski.

Victims are told multiple different stories about the source of the money, such as paying legal or business fees for something.

Moore recommends carrying out background checks to verify the identity of someone met online, which is something just 29% of Brits do, according to ESETs research.

I suggest people search online for the names of people and then do a reverse Google image search to see if their profile photo features anywhere else, he says.

Those that suspect they are the victim of a romance scam should file a complaint at IC3.gov, says Tokazowski.

Finally it goes without saying, however confident you may feel talking to them, never send money to anyone you havent met in person, adds Moore.

Read more: Scarlet Widow: The romance scam group preying on the disabled and divorced

Read more:
Romance scammers stole $475m last year. Here's how to spot them - Verdict

Its almost tax filing season, and scammers are seeking peoples information to file taxes in their name and receive their returns. According to the 2019 Internet Security Threat Report, malicious emails and other forms of phishing are dangers, especially to employees of small organizations, with 48 percent of malicious email attachments coming from downloadable Office files. TruWest Credit Union security engineer Chris Sprague has some tips on how to keep your identity safe from criminals and avoid becoming a victim of a tax scam as you prepare for National Tax Day on April 15.

AZ Big Media: What is the most common way that criminals get peoples information? Is there any new tax scam that has come to the forefront due to new technology?

Chris Sprague: Scammers are lazy. They use methods that are tried and true, which always are very effective, and that is social engineering. Phishing is a form of social engineering and so are these phone calls. They are very effective, especially for people that arent technologically savvy. Folks get kind of flustered and they see an email that looks official. It is trivially easy to capture the IRS signage and such off of the IRS web page and create emails that look really official. Its incredibly easy to just do screenshots, capture the logos, create a realistic-looking email and get people to click on links and provide login information, and then theyve got you.

Additionally, there are constantly breaches that happen across the internet where folks usernames and passwords are collected, and the bad guys then use that information to try and log in to various sites with the credentials that they have. So if a person is using the same password across multiple sites, that gives the bad guys that much more success when they go trying to see what they can get into. So I think its a combination of old, tried-and-true social engineering that is phone calls and emails, together with breach information collected from various breaches that happen constantly.

ABM: What are your top 5 tips for people so they do not become victims of tax scams?

CS: File your taxes as early as possible. The more time that the bad guys are able to steal your identity and file taxes as you, or the longer that you wait to file, the more opportunity that gives them to file as you. I would also absolutely never do my taxes over an insecure wireless connection. So plan to do that at your house, ideally over wired connection. But definitely, if youre going to connect to wifi, connect to a trusted wireless network.

CS: There will be passwords involved with every account that you create. When you are filing your taxes, make sure you are creating strong passwords. These days we are advising folks to use passphrases. So instead of the uppercase and lowercase letters, digits, plus some characters, were saying to just create a very long passphrase. Its okay if its all letters. Just make it a sentence that you will remember and that is extremely long. If you can add spaces, then thats good, but if its just one big jumbled phrase without spaces, then thats good, too. But using a very strong password for those sites is very much advised.

CS: Use multi-factor authentication for your account as well. That just means that you enter a username and password, and then youre prompted to receive a text that you need to enter in, a one time code from that text to finish the authentication process. Or, if youre using tools like Google authenticator, its a pretty popular one that is constantly generating new codes. We strongly advise anyone to use multi-factor authentication for any of their sensitive accounts, especially their financial accounts.

CS: The IRS will only reach out to you via mail. Good, old-fashioned snail mail is the only way that you should expect to hear from the IRS. If somebody calls claiming to be from the IRS, hang up on them. They do not make personal phone calls out to people. Same thing with email. Theyre not going to reach out via email, and more than likely its a phishing scam if youre receiving an email from the IRS. Also, if you go searching for information online, the IRS is always at irs.gov. So if you see any other site, irs.com or irs.net, that is not the official IRS site.

CS: One thing that I actually just learned about, is that the IRS just this year implemented a PIN program, an identity protection pin that you can use to further secure your tax returns. If you go to the IRS site, you can set up this new PIN. Setting up the PIN requires you to verify quite a lot of information about yourself, to prove you are who you say you are, before obtaining this PIN that you can then use to secure your tax return with the IRS. So the combination of all those things will leave you in pretty good shape.

ABM: What advice do you give to someone who finds themself a victim of one of a tax scam?

CS: Check out the IRS web page, taxpayer guide to identity theft. There are ways for you to fill out IRS forms stating that you are a victim of identity theft, so they have record of that, and that essentially starts the process of getting your information back in your hands, to stop the bad guys.

View post:
Here's how to avoid becoming a victim of a tax scam - AZ Big Media