Dear 2016: don't take it personally, but I'm really, really glad you're coming to a close.
That seems to be the sentiment among many friends and colleagues as we discuss the end of the year. It's not that 2016 has been all bad, but it has certainly become a bitter pill to swallow. Massacres in Syria, protectionist political risings, the deaths of David Bowie and Muhammad Ali... the list goes on. While it's difficult to say what awaits in 2017, good or bad, it's a relief to shake off the long twelve months just past and prepare for a fresh start in the new year.
In the world of information, data, and privacy, there have been massive shakeups throughout 2016, forcing users and businesses to re-evaluate not only how they work with information resources, but who else they're actually sharing insights with. We've had a lot to contend with, and it's clear going forward that the work has just begun: we're walking into a very new era of regulations, changes, and expectations. Going over all that's happened, it was hard to pick out the "top" incidents of the year, but there were certainly enough worth making the list. Here are some of the highlights we've seen since January 1st 2016:
7. Yahoo, you have some explaining to do.
While data breaches were on the rise in 2016, internet giant Yahoo has been forced to deal with a bit more scrutiny than most, and for good reason. Bad enough was admitting to users that their accounts had been compromised in 2013, exposing personal information including names, email addresses, physical addresses and passwords. Worse was the discovery that Yahoo had been allowing government access to emails over the past year, negating any and all privacy users might have presumed they had. Finally, as of December 2016 it was revealed that the hack disclosed in September was the tip of the iceberg: over a billion accounts were compromised in a separate incident as of 2014. The constant breach of customer trust has not been without financial fallout: markets are already questioning whether the data breaches will cost the company its expected 4.8 billion sale to Verizon. Bottom line: if you're trusting Yahoo with personal information and private communications, now's the time to stop.
6. The Investigatory Powers Act 2016 is passed by the United Kingdom Parliament
Passed in November and better known as "The Snooper's Charter," this legislation gives a significant amount of power to British intelligence regarding information accessible to law enforcement and a list of government agencies. A full list of what the changes will mean to individuals and internet service providers can be found here and here; the list of what can be accessed and how is significant. Some of the more eyebrow-raising provisions in the charter include legal hacking of individual devices and large-scale data stores within specific regions (both requiring a warrant), a requirement for internet history data to be retained for 12 months, and the ability for intelligence agencies to obtain "bulk personal datasets", which by their nature are expected to include innocent parties during data collection.
In fairness to the United Kingdom, security agencies are under more pressure than ever to stay ahead of both cyber warfare and terrorist activity; more access to information allows governments to spot attack patterns before attacks happen, and to build cases bringing perpetrators to justice. Nor is the UK the only country that has upped its cyber surveillance laws: in March Turkey enacted the Data Protection Law, in July Russia signed into law several measures requiring data retention from telecom companies, and as of November in Canada, CSIS has been under fire for illegally holding personal data. However, placing information under government scrutiny also places more onus on governments to treat the information with respect, and to avoid practices that might cause harm to citizens exercising opinions, faith, speech, gender, sexual orientation or other freedoms. Unfortunately, as people already tend to modify and guard their actions when Big Brother is watching, the damage these security measures inflict on personal rights and privacy is expected to be substantial.
5. Fake news: Who do you trust, and where are they taking you?
Fake news is not a new problem: gossip and false stories have existed since humanity could communicate. What has brought fake news into the limelight, however, is the very new ways in which it permeates the media and is positioned to readers. With the development of algorithms that show readers related material based on past likes and clicks, we live in an online space where more information exists than ever before, and yet it's much harder to see opposing viewpoints and more work is required to check the facts. Unless the searcher takes a proactive role in viewing different sides of the story, the information we access is more controlled than we might realize: blogs, articles, comments and blurbs are hand-delivered into our feeds via our platforms of choice. This leads to the question of how healthy those algorithms are in the first place, and whether social media platforms, like published, printed news, have a responsibility to readers for fact-checking. Like a health inspector at a restaurant, should our servers bear some responsibility for the quality of their offerings?
Facebook has come heavily under fire for this, arguing that it is a technology company, not a media company, while making public claims about removing fake news from the site. This is unlikely, however, to solve the problem: Facebook simply doesn't have the manpower to fact-check every outgoing link, and as others have rightfully pointed out, doing so is not in the company's best interest. Facebook wants you on its site, using its platform, and clickbait fake articles get user attention.
More critically, recognizing fake news as the elephant in the room highlights the need for better information literacy: to read with a critical eye and question the writer's agenda, regardless of political spectrum, and to find ways to educate others to do the same. Make no mistake, how we absorb and process information has a huge impact on our world, as current politics have proven, and control of information by any particular group, whether through information access or influence on what we take in as truth, is a path to power as old as time.
4. The European Union adopts the General Data Protection Regulation.
In a win for privacy enthusiasts, the European Union adopted the General Data Protection Regulation (GDPR), replacing previous privacy protocols including the Safe Harbour agreement that was struck down in 2015. With the regulation coming into force in May 2018, European companies, and businesses that collect personal data on European citizens, have two years to get organized before repercussions including hefty fines and penalties kick in. Requirements under the GDPR include pseudonymisation and encryption of personal data, notification of data breaches, and the appointment of a Data Protection Officer for companies of over 250 employees: one who reports to management but works independently of the organization, suggesting an increase in outside consultancies such as Information in Bloom.
Presently, businesses are scrambling to get started, although there are still concerns about how to meet the GDPR while upholding other, often heavy-handed surveillance laws that are growing within individual nations. Information that moves within the UK is a prime example: not only has the UK vowed to leave the EU following the Brexit vote, but the increase in government security powers poses a potential conflict. How the UK and member countries of the EU will resolve this conflict is still difficult to predict, particularly in the case of Irish businesses, but having an inventory of your information repositories and their access users will be useful no matter which way things move. If you plan on doing business internationally with a country in the EU, start looking at your information governance now.
3. The Internet of Things is attacked: largest DDoS hits the wild.
In October, users of major online services, including Twitter, Netflix, Spotify and other popular web-based services, found themselves disconnected. The cause? The largest DDoS attack in the world, manufactured with a little help from malware 'botnets' that connected unsecured Internet of Things devices together into a coordinated attack, bombarding servers. Security professionals had argued, and still argue, that internet-connected devices are woefully underserved when it comes to security. Many use little to no encryption in their data transmissions, while a lack of standards means operational and system security are an afterthought at best.
Although the attack was less a danger to the global community than an inconvenience, make no mistake: unless security standards are required in IoT devices, this will keep happening, with potentially heavier repercussions down the road. Already it is argued that IoT devices and the rise of ransomware make for a dangerous combination: how much would you pay for access to your 'smart' car if a hacker gets in and steals the key?
2. International hackers vs election tampering; it’s a whole new world.
It still feels inconceivable to write: the US Central Intelligence Agency investigating a foreign power using technological expertise to break into government systems and use stolen information to influence a presidential election. For those unfamiliar with the case, Russia is accused by the CIA of hacking into both the Democratic National Committee and the Republican National Committee; in the former case to steal emails and release damaging communications, in the latter to conduct strategic information warfare, including propagation of fake news via social media. While the leaks themselves happened over the summer, the story has only gotten wilder: are we looking at a coincidental attack and release of information, or, through theft of correspondence and the inflicting of data bias, was the attack carried out to weaken an electoral candidate, or to place one in the winning position?
Regardless of your preferred candidate, the fact that a sophisticated, cyber-savvy group like the CIA is investigating a government-sanctioned hacking and release of information to bias an election should raise alarm bells. If the evidence is confirmed, it may cause a significant shakeup within the new administration and in political relations between the two countries; if it doesn't, then the citizenry and the rest of the world will be baffled as to why not, for what is the point of having the world's largest democracy if politicians accept foreign interference so long as it places them in power? If one group benefited from cyber warfare, will there be any influence on the foreign policy that follows? Certainly, given the current evidence, it will look inconsistent for the USA to rebuke other instances of cyber warfare against it or its allies in the future.
It's also a mistake to say that poor information and email governance cost the Democratic candidate, Hillary Clinton, the election: there are far too many variables in that pot, ranging from a rise in "anything but the status quo," to outright sexism, a growing racial divide, and the increasing rise of the "alt-right". However, the media attention on the scandal, combined with the poll dips when WikiLeaks made its release, are evidence that this was a significant factor in the Democratic downfall. If nothing else, the result should be a sobering story for anyone who wants to send sensitive information via email: don't.
1. Forcing encryption backdoors: Apple takes on the FBI
Originally I had this much higher on this list, but a report by the House Judiciary Committee's Encryption Working Group on December 20th pushed it back down to number 1. Back in February, the FBI requested that Apple create a work-around to the phone's encryption; in particular, to access an iPhone used in the December 2015 San Bernardino shooting, but the request was such that it would set a precedent for all Apple software going forward. Apple, however, publicly argued the security concerns such a requirement would raise, both for the security of its devices and for user privacy: no government had previously made such a request, and by creating a backdoor the FBI could use to bypass security, the company would in effect create a backdoor that could be exploited by malware or hackers. Apple won the case, but not via a Supreme Court ruling: a day prior to the trial, the FBI dropped its case, having found a third party who could break into the specific device in question. In the meantime, it was revealed that for some devices, notably Google's Android, such a backdoor already existed, allowing the company access even to locked devices.
For privacy professionals and security engineers, the battle over required government access to encrypted information is far from over. If anything, the FBI vs Apple case demonstrates a growing conflict between the government's need to access information for security purposes, and users' right to safeguard personal information from government access. International governments appear split: in China, the requirement to force backdoors was originally part of the anti-terrorism law that came into force in January 2016, dropped only in the final version. It has been made clear that inaccessible encryption does not sit well with the incoming American administration; however, the Congressional Encryption Working Group reported this December that such backdoors and required access would do more harm than good, posing a threat to security. Technology policy groups now hope this report will carry weight against future legislation requiring law enforcement backdoors to encrypted files and devices.
It's worth mentioning that there are a lot of newsworthy events and discoveries this year that are not being touched upon: 2016 also saw a rise in ransomware, solid growth in data breaches due to lack of security, and further momentum in biometrics. Security experts and information professionals are working to educate the growing online population that these concerns can't be handled by experts alone: with phishing and poor passwords still the number one cause of hacks, everyone needs to take active control over their digital lives, and be aware of what they're sharing with whom. To quote American activist Wendell Phillips: "Eternal vigilance is the price of liberty." When the clock hits midnight on December 31st, drink down that champagne and make plans for your information and data resources to hit the gym: you'll want them in shape for the new year.