Feed aggregator

Improving Routing Security: Microsoft Joins MANRS

Internet Society - News Headlines - Wed, 22/05/2019 - 14:01

In November, a routing incident in Nigeria caused Internet traffic to be rerouted through Russia and China. It lasted for just over an hour, but during that time, it significantly affected some cloud and search services globally, including Spotify and Google’s Search. It was one of more than 10,000 incidents, such as route hijacking and leaks, that occurred in 2018. Past events have led to large-scale Denial of Service attacks, stolen data, and financial losses.

The global routing system is the backbone of the Internet. It determines how everything – from email messages to videoconferences to website content – moves from network to network. The November event, caused by a configuration mistake with a small ISP in Nigeria, shows that routing incidents can have significant global effects – impacting the security of the Internet itself.

A number of network operators around the world – including Oracle, GÉANT, and Comcast – have joined MANRS to address these types of routing threats. The Mutually Agreed Norms for Routing Security (MANRS) initiative, supported by the Internet Society, does this through technical and collaborative action across the Internet. Those who join agree to take meaningful action to keep the Internet safe for everyone – by taking four concrete steps to improve routing resiliency.

We are pleased to announce that Microsoft is one of the latest to join the MANRS initiative – working with other industry giants to improve routing security globally. They join a community of security-minded organizations committed to making the global routing infrastructure – and the Internet itself – more robust and secure.

“Microsoft has long been committed to increasing cybersecurity online. We are therefore excited to be joining the MANRS community in addressing the very real challenges related to routing security, which impact businesses and consumers on a daily basis. In addition to having implemented the existing MANRS framework in our operations, we are also partnering with Internet Society, the Cybersecurity Tech Accord, and others to examine how actors beyond network operators and IXPs can effectively contribute to routing security,” said Yousef Khalidi, Corporate Vice President, Azure Networking.

Collaboration and shared responsibility are key to the success of MANRS. So far 152 network operators and 32 IXPs have signed on. By joining, these companies are working hard to secure the fabric of the Internet.

Routing security is vital to the future and stability of the Internet. We’re thrilled that Microsoft has joined MANRS, and we hope that they will lead the way for other network operators around the world.

The post Improving Routing Security: Microsoft Joins MANRS appeared first on Internet Society.

The Week in Internet News: San Francisco Bans Use of Facial Recognition by Police

Internet Society - News Headlines - Mon, 20/05/2019 - 15:53

No cameras, please: The San Francisco Board of Supervisors has voted to ban the use of facial recognition technologies by the police and other agencies over privacy and civil liberties concerns, the New York Times reports. Even though police across the country have used the technology to identify criminals, facial recognition has raised fears of abuse and of turning the country into a police state.

Broadband in space: SpaceX had planned to launch a rocket containing 60 satellites designed to deliver broadband service, but the company delayed the launch a couple of times, first because of wind and then because the satellites need a software update, ExtremeTech reports. The launch was supposed to be a first step toward Elon Musk’s plan to create a space-based broadband network.

Broadband in drones: As an alternative to satellite broadband and other efforts, SoftBank is looking at ways to provide Internet service by drone, the L.A. Times says. The Japanese telecom carrier recently announced it is working with drone maker AeroVironment to build a drone capable of “flying to the stratosphere, hovering around an area for months and serving as a floating cell tower to beam internet to users on Earth.”

Just pay the man: Some vendors offering technological services to unlock the data of ransomware victims often just pay the fees to hackers instead, ProPublica reports. One vendor, Proven Data, promised to help ransomware victims by unlocking their data with the “latest technology,” but instead it obtained decryption tools from the cyberattackers by paying the ransoms.

Doing it themselves: Residents of Alton, Maine, population about 900, have voted to expand fiber broadband services to cover the entire area, a guest column in the Bangor Daily News says. The city is working with small telecom provider Otelco and the state to expand fiber access.

Infrastructure attacks: Bad guys are plotting to attack the Internet’s infrastructure, and that’s bad news, according to a story at Brink News. One recent example was a January attack on DNS and Netnod’s I-Root server based in Sweden. In this case, the damage was limited, “but a worst-case scenario could have undermined global Internet communication,” the story says.

Routing security is vital to the future and stability of the Internet. MANRS helps reduce the most common routing threats.

The post The Week in Internet News: San Francisco Bans Use of Facial Recognition by Police appeared first on Internet Society.

Envisioning the Future in the Middle East

Internet Society - News Headlines - Thu, 16/05/2019 - 21:17

How can the brightest minds help transform the Middle East for the better? The MIT SciTech Conference hoped to find answers. The annual three-day conference, which took place 19-21 April in Boston, Massachusetts, brought together students and professionals from across North America and the MENA Region. This year’s theme was “Envisioning the Future: Cities of MENA,” and included an IDEAthon on Energy, Innovation, and Infrastructure.

Many people from all over the globe attended the conference, mainly Arabs who were also successful tech entrepreneurs, leveraging the Internet to reach communities across the world. They also spoke about their innovations and inspired the young participants, who included MIT students, through panels, keynotes, ideation processes, and SciTech talks.

The first day started with a tour of MIT Labs and the launch of the IDEAthon. After initial sessions and introductions, participants were left for the night to work on their ideas. Those ended up being presented at the end of the third day to judges, with cash prizes awarded to winners so that they could turn them into reality by implementing them throughout the Arab world.

Infrastructure is a challenge in the MENA region, especially with a rapidly growing population, and the conference showcased projects that use the Internet to address this. For instance, Swivl is a bus ride sharing app that’s making people’s lives easier in Egypt. The platform Womena enables women’s empowerment by showcasing success stories, mentoring women, and helping ideas to fruition.

The Internet Society was a sponsor of the event and fielded many questions about Internet infrastructure. People were keen to learn. For instance, the more the history of the Internet was shared, the more questions arose. To my surprise, many people don’t know much about the beginnings of the Internet, as well as how the Internet works. To some people’s awe, it’s not fully connected by satellites, but also by marine cables.

The Internet Society’s participation in the MITSciTech conference resulted in the following:

  • Establishing a connection between leading organizations in the Arab world and Arabs at the Massachusetts Institute of Technology.
  • Sharing our vision for an open, globally-connected, secure, and trustworthy Internet for everyone.

The event had a huge turnout, with more than 300 people attending. MIT SciTech was a platform for over 20 accomplished speakers and panelists and featured keynote speeches from the dean of the MIT School of Architecture and Urban Planning as well as high-level executive attendees, such as the chairman of Orascom.

An innovation exhibition followed day three of the event that showcased 15 organizations from the Arab world as well as our very own booth for the Internet Society. Next year, we hope to see that the ideas incubated at this year’s MIT SciTech Conference have made a positive impact on the Internet.

The post Envisioning the Future in the Middle East appeared first on Internet Society.

WhatsApp: How a Bug Relates to the G7

Internet Society - News Headlines - Tue, 14/05/2019 - 19:02

On 13 May, more than a billion users saw the messaging application WhatsApp being updated. At the same time reports appeared that a vulnerability had been used in attacks that targeted an unknown but select number of users and was orchestrated by an advanced cyber actor.

Facebook, the owner of WhatsApp, reported it fixed a vulnerability – a buffer overflow, a fairly well known type of vulnerability – that was, according to media (see references below), used in the spyware product Pegasus from the NSO Group, an Israeli company that sells spyware to governments and intelligence agencies all around the world.

Two observations:

  • Despite best efforts, bugs in software exist – if critical bugs in global communication systems are found they can have a global impact. There are two additional observations that come with that:
    • WhatsApp is a valuable target; if bugs exist, they will be found and exploited.
    • A process that allows bugs to be reported, promptly fixed, and the fixes automatically rolled out is a crucial element in maintaining (or restoring) trust in this sort of software. There are sectors of the industry (anybody listening in IoT land?) that can learn from how this is handled by Facebook.
  • The use of spyware like this cannot be contained, as a Financial Times article clearly suggests: the NSO software has been used against lawyers engaged in a lawsuit against the NSO Group and against various civil rights groups.

Using software bugs to get access to the encrypted devices and communication of users is also one of the approaches that arises in the context of lawful access by law enforcement. However, hoarding vulnerabilities puts us all at risk. When bugs like this are found they can either be reported to fix the software, used to create an exploit, or sold. Knowledge of an exploitable bug can be sold to multiple parties. Whilst arguably speculative, one cannot be certain that the NSO Group was the only entity with knowledge of the vulnerability.

This example clearly makes the case that exploits of unintentional bugs are undermining the security of over a billion WhatsApp users, and that they pose a risk to national security and personal safety. One can only imagine what the effect of the introduction of intentional vulnerabilities could be, which is what recent lawful access methodologies proposed so far are doing.

As the Digital Ministers of the G7 countries prepare to meet tomorrow, this serves as a real-world example of one of the reasons why the Internet Society calls for strong and secure communication, and takes exception to lawful access methodologies that weaken security, not only of the encryption technology itself but also of the devices and applications that offer it.

It is a critical time to stand for strong and secure communications. If you are on social media, use the #G7 hashtag and join us by asking world leaders to support strong and secure encryption for all.


There are two Financial Times articles that did early reporting on this: and (paywalled) and various other outlets picked up the news too.

Encryption is under threat around the world. It’s up to each of us to take action.

The post WhatsApp: How a Bug Relates to the G7 appeared first on Internet Society.

The Week in Internet News: Broadband Project to Nowhere

Internet Society - News Headlines - Mon, 13/05/2019 - 15:49

Dead end: ProPublica has a story about Kentucky’s $1.5 billion broadband expansion program, which the story calls an information highway to nowhere. The program is behind schedule and over budget, with the state’s IT chief directing money to other projects and partnering with commercial ISPs.

Broadband billions: Meanwhile, the U.S. Department of Agriculture says that bringing broadband to unserved areas of the country would generate $47 billion of new economic activity a year, according to a story at Broadband in rural areas would enable precision agriculture technologies, which allow high-tech crop management based on sensors and other connected data sources.

I can’t Google: Finally, our broadband access trifecta of stories concludes with a Cronkite News story about the lack of access in many U.S. tribal areas. “Just Google it” has become a bit of a joke among the Hopi tribe in Arizona because many areas don’t have Internet access.

The luxury of privacy: Consumer privacy online can’t be a luxury good that only the rich have access to, Google CEO Sundar Pichai said recently in an opinion piece at the New York Times. Speaking at a conference, Pichai also spoke in favor of privacy legislation because it would “help us work toward ensuring that privacy protections are available to more people around the world,” CNet reports.

You must encrypt: A new version of the Android operating system, called Q, will require every device using it, including smartphones and television sets, to encrypt user data, Android Police reports. This comes after Android parent Google unveiled its new lightweight Adiantum encryption mode in February, allowing low-end devices to run encryption, Slashgear notes.

Marketplace goes dark: The U.S. FBI has shut down the gateway to allegedly illegal marketplaces on the Dark Web, ABC News reports. A grand jury in Pittsburgh has indicted two Israelis on charges of money laundering conspiracy. They were accused of receiving more than $15 million from the operation, which began in late 2013.

The Internet is for everyone. Learn about the Internet Society’s upcoming 2019 Indigenous Connectivity Summit!

The post The Week in Internet News: Broadband Project to Nowhere appeared first on Internet Society.

Introducing The Internet Society Accessibility Special Interest Group

Internet Society - News Headlines - Fri, 10/05/2019 - 19:56

An ordinary day on 9th April 2019 was turned into an extraordinary one, as our efforts bore fruit and we finally succeeded in chartering the Internet Society Special Interest Group on Accessibility. The Internet Society Accessibility Special Interest Group or ISOC Accessibility SIG/ISOC A11y SIG is intended to serve persons with disabilities to ensure the Internet and digital domain is for everyone.

Over 1.3 billion people worldwide – about 15% of the world’s population – experience some form of disability. The Accessibility SIG, with a people-centric approach, is aimed at providing interested participants a platform to discuss the Internet-related accessibility issues faced by people with disabilities and to try to find solutions to those issues. It also aims to provide a collective voice to a community that the UN calls the world’s largest minority.

The SIG also represents a journey for all of us who are members and who are dedicated to creating equal access to the Internet for everyone regardless of disability. The journey at the Internet Society started with the establishment of the ISOC Disability and Special Needs Chapter in 2002. Along the way, many dedicated and tireless workers, like the late Cynthia Waddell, kept the movement alive. The transition from the Disability and Special Needs Chapter to Accessibility SIG was as historic as the formation of the Chapter itself in 2002.

In 2018, when we decided to transform the Chapter to a SIG, there was no precedent of such a transformation at the Internet Society, similar to in 2002 when there was no example of a non-geographic Chapter. But, thanks to tireless support and lots of efforts and dedication by many people, particularly, my fellow SIG leaders (Gunela Astbrink, Vice President; Greg Shatan, Treasurer; Judith Hellerstein, Secretary; Joly MacFie, AMS Admin; and all the founding members of the Accessibility SIG) as well as Internet Society staff (including Kyle Shulman and his colleagues), we were able to finally overcome the challenges of chartering the SIG.

We at the Accessibility SIG believe that accessibility should sit at the heart of policy, planning, and design. For persons with disabilities, this is only possible if the principle of “nothing about us without us” is applied. In the context of Internet and digital devices, the implementation of internationally-recognized accessibility guidelines developed by W3C, also known as Web Content Accessibility Guidelines (WCAG), with a little more effort can make a website, application, or device accessible and usable for everyone. It just requires awareness, will, and determination.

Moving forward in this significant journey, we also need your support. If you:

  • have worked on digital accessibility
  • are interested in working on accessibility for people with disabilities
  • are just interested in knowing about accessibility-related issues

Please join the Accessibility SIG!

To join, simply fill out this form or login to the Internet Society membership portal, select “Join a Chapter or SIG,” and select “Accessibility SIG.” Moreover, if your chapter has done work on digital accessibility for people with disabilities, please share the links with us. You can contact us via email, website, or follow us on Twitter.

At different forums, a lot of work on accessibility is being done. The Accessibility SIG hopes to contribute its part to making the Internet accessible, open, safe, and secure for everyone – be they a person with or without disability.

The Internet is for everyone! Visit the Accessibility Toolkit page to learn how you can contribute to a more accessible Internet.

The post Introducing The Internet Society Accessibility Special Interest Group appeared first on Internet Society.

Talking Internet of Things in Canada at IoT613 This Week

Internet Society - News Headlines - Mon, 06/05/2019 - 18:56

This week, 8-9 May, we’ll be at IoT613 in Ottawa, Canada, talking about our work on “Trust by Design” – the idea that privacy and security should be built into Internet-connected products, and not just an afterthought. We have been working with manufacturers to embrace the Online Trust Alliance’s IoT Trust Framework, which identifies the core requirements manufacturers, service providers, distributors/purchasers and policymakers need to understand, assess and embrace for effective IoT security and privacy. We also work to encourage consumers to demand security and privacy and to help policymakers create a policy environment that strengthens trust and enables innovation.

This week in Ottawa, we’ll have an Internet Society booth at the event both days, and on 9 May, Mark Buell, North American Bureau Director, will be part of an “IoT in Canada” panel that will “explore current IoT trends in Canada, identify the benefits of IoT for businesses and citizens and find out how Canada’s IoT ecosystem stacks up compared to the rest of the world.” Mark will speak about the Canadian Multistakeholder Process: Enhancing IoT Security, an Internet Society-led initiative to develop a broad-reaching policy to govern the security of the IoT for Canada. 

From its website, IoT613 “fosters a culture of knowledge, sharing, and growth within the local and global IoT community. Through our varied programs, we provide a platform for technology, business, and policy professionals to learn, connect, and interact for the advancement of technology and economic development in the National Capital Region.”

Join us in Ottawa, come chat with us about IoT, privacy, and security, and read more about our work on the Internet of Things.

The post Talking Internet of Things in Canada at IoT613 This Week appeared first on Internet Society.

The Week in Internet News: Unencrypted USB Drives Pose Security Risk

Internet Society - News Headlines - Mon, 06/05/2019 - 16:02

No encryption for U(SB): About 55 percent of U.K. businesses don’t encrypt information on USB drives, according to the result of a survey published at Information Age. Also, 62 percent of executives surveyed admit to seeing USB devices in unsecured locations such as desks, drawers, and exposed office spaces.

Out of touch: As healthcare providers explore ways to use Artificial Intelligence to treat patients, the human touch may end up a casualty, NPR says. AI could “create a gulf between health caregivers and people of more modest means,” with some people not getting the human interaction with healthcare professionals that they need, the story says.

Ship it with blockchain: FedEx CIO Rob Carter, speaking at a recent conference, called on the international shipping industry to mandate the use of blockchain to track shipments, Computerworld notes. The technology could help weed out counterfeit goods, backers say.

Intelligent standards: The U.S. White House has launched an effort to develop AI standards, and it’s asking for public input, NextGov writes. An executive order on AI directs the U.S. National Institute of Standards and Technology to issue a set of standards and tools that will guide the government in its adoption of the technology.

Shutting down violence: Social media shutdowns don’t achieve the common government goal of shutting down violence, suggests an opinion piece at In some cases, protestors have simply moved to other ways to communicate, and violence has continued, the piece suggests.

Blockchain or bike chain? IBM has identified a new use for blockchain: reducing bicycle thefts, Forbes says. Bike riders would register their proof of ownership on a blockchain to provide “irrefutable proof of ownership and an easy process to report and claim on the theft,” the story suggests. Perhaps chaining a bike to a fence would also work?

The trouble with fake news: Journalism organization the Poynter Institute published a list of “unreliable” news sites recently, but later pulled it after objections about some of the sites it included, the Hill says. Some conservative-leaning sites complained that they were included in the list, which told advertisers how to blacklist the sites, but that some liberal news sites were not included.

Encryption is under threat around the world. It’s up to each of us to take action.

The post The Week in Internet News: Unencrypted USB Drives Pose Security Risk appeared first on Internet Society.

Register for AfPIF 2019

Internet Society - News Headlines - Thu, 02/05/2019 - 16:13

Join us in Balaclava, Mauritius for the 10th Africa Peering and Interconnection Forum (AfPIF) from 20-22 August 2019.

AfPIF attracts ISPs, content providers, governments, and IXPs for three days of learning, sharing, and building business in Africa.

Why should you attend AfPIF-2019? Have a look through the AfPIF 2018 Summary Report, which contains briefs of presentations, emerging discussions, speakers, and sponsors.

Sponsorship opportunities are available to promote your business to these key audiences. Find out more about these opportunities here:

Register now to secure your place – and remember to check your visa requirements for travel to Mauritius.

Don’t miss Africa’s premier peering event – celebrating its 10-year anniversary this year!

The post Register for AfPIF 2019 appeared first on Internet Society.

How the Internet Society’s Privacy Statement Stacks Up

Internet Society - News Headlines - Wed, 01/05/2019 - 18:04

For ten years, the Internet Society’s Online Trust Alliance (OTA) has published an annual comprehensive survey of 1,200 sites’ security and privacy practices. The 10th edition of this Audit has been released and can be found here. As part of the Audit, we score each site’s privacy statement against 29 criteria, ranging from whether it is linked to on the site’s homepage, to whether it states how the site handles children’s data.

For this blog post, we decided to use the Internet Society’s current privacy statement as an example, to illustrate the criteria used, and to show how a privacy statement fits into the bigger picture of an organization’s privacy practices. A privacy statement is only one piece of an organization’s overall privacy practices – although, as the public-facing piece, it is of course important. Other aspects (which are not included in the OTA survey) include:

  • expressing and committing to a set of overall privacy principles
  • having internal policies and practices that put the public-facing privacy statement into practice
  • internal and external enforcement of the commitments expressed in the privacy statement

There are myriad ways to structure a privacy statement and, to be frank, many privacy statements are written with different goals in mind. As a result, our survey sees a wide range of privacy statements, from single paragraphs to dozens of pages. Where a privacy statement is long, the Audit will score it more favorably if it uses a “layered” approach to improve readability – and this is the approach adopted by the Internet Society’s statement.

A privacy statement can be “layered” in a number of ways, but the usual approach is through something that looks like a table of contents: an introductory section of the statement summarizes its purpose and contents and lists the sections to come. This approach works even better if the list has internal hyperlinks to each corresponding section. In the sites studied, 47% layered their privacy policy in some way. The Internet Society’s statement is relatively unusual in opening with a set of over-arching principles that set out its commitment to respect the privacy of individuals whose personal data it collects.

Other formatting/presentation choices can also make a policy score higher in the survey: for instance, including the date the statement was last updated at the top or bottom of the page and linking clearly to the privacy statement from the organization’s home page. The Internet Society’s statement met both of these criteria (compared with 47% of sites with a date stamp on top and 24% having one at the bottom), and was comparatively rare in its inclusion of links to previous versions of the organization’s privacy statements.

Another presentation-related criterion the Audit checks is the use of icons to tell users about certain functions or kinds of data. For example, some sites use a megaphone icon to indicate that the section is about sharing user data, or a symbol of a fingerprint to represent biometric data. In general privacy advocates suggest using icons because it can improve clarity and helps with comprehension for users at different reading levels. It can also simplify the policy by making it more visually appealing, as opposed to just pages of text. The icon approach suffers from a lack of standard icons to represent specific functions or data types. The Internet Society’s privacy statement does not currently use icons, and could improve by doing so. Icons are comparatively rare among the sites studied, being used by only 2%.

Some presentation-related criteria in the Audit are more subjective. For example, the EU’s General Data Protection Regulation (GDPR) says that privacy policies should be easy for most users to read. Applying some online analysis tools to the Internet Society’s privacy statement suggests that it has a “fog index” of around 17 – in other words, it can be readily understood by someone educated up to that age. That is probably high for text that is aimed at a general public audience, and therefore an area where some improvement is possible.

We should note, though, that some laws require legal text to be present in the statement, and this can mean including language which is more formal and less easy to read. For example, two parts of the statement are legally required in the United States. The first states whether the site collects data on children under 13 (to comply with the Children’s Online Privacy Protection Act). The Internet Society does fulfill this, along with 67% of sites.

The second relates to Do Not Track. Under current California law the site must notify users of how it responds, technically, to a “Do Not Track” signal from a web browser – though the site is not legally required to honor such a signal (only to say how it responds). The Internet Society’s statement does reference Do Not Track, along with 40% of sites. It does not, however, honor Do Not Track requests. None of the sites in the Audit honor Do Not Track either. We will be publishing a number of blog posts over the coming weeks to explain the steps the Internet Society has taken to minimize the privacy impact of tracking technologies on its sites.

A crucial aspect of any privacy statement is what it says about data sharing, and several of the survey criteria address this concept. In this regard, we look at three main areas.

First, legal obligations to share data. We test against two criteria, here. Is the privacy statement clear about cases where the Internet Society may be legally obliged to disclose users’ data? Here, we check whether the statement says that data may be shared with legal authorities if requested. The Internet Society’s statement, along with 90% of sites, does satisfy this test.

The other check is whether the statement says that users will be notified in case of a law enforcement request for data. The Internet Society’s statement does not make this commitment, but that is not unusual. Virtually none of the sites surveyed make such a commitment, and in some jurisdictions there may be cases where the law prevents a data controller from notifying users if a law enforcement access request is made.

Second, data sharing other than as required by law. The Internet Society’s statement does specify the instances where data might be shared with third parties, and it states what purposes such sharing is intended to achieve. Overall, the statement does reflect a clear set of principles and a policy of minimizing data sharing, confining it to stated practical purposes. However, different parts of the statement can be confusing in this area, and there is scope for improvement.

Third, data monetization. The Internet Society’s statement is clear in this regard, stating from the outset that “we will not sell or rent your personal data to others.”

A privacy statement is the main opportunity an organization has to tell all its users, visitors and stakeholders how their data is used, and how that use is governed by their rights. It is also an important part of ensuring that what the organization does with personal data is fair and legal. However, legal requirements and users’ expectations can all evolve over time, so privacy statements are dealing with a moving target and can always be improved. Privacy isn’t a state – it’s a process – and the same goes for privacy statements. They’re never done; they should always be subject to review, refinement, and improvement.

How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.

The post How the Internet Society’s Privacy Statement Stacks Up appeared first on Internet Society.

The Economics of Trust: Overcoming Obstacles to Better Consumer IoT Security

Internet Society - News Headlines - Mon, 29/04/2019 - 18:00

In 2018 the Internet Society launched the Trust by Design campaign, to make sure that security and privacy features are built into Internet of Things (IoT) products. We focused our activities on consumer IoT, a segment particularly vulnerable, despite having the biggest share in the IoT market. We believe trust should come as standard, and so we’ve been working with manufacturers and suppliers to make sure privacy and security are included in the initial design phase all the way through the product lifecycle, as outlined in the OTA IoT Trust Framework. Our work does not stop there, as this goal can only be achieved when consumers drive demand for security and privacy capabilities as a market differentiator and policymakers create a policy environment that strengthens trust and enables innovation.

Consumer IoT devices and services without adequate security pose a wide range of risks, from directly threatening the security, privacy, and safety of their owners to the devices themselves turning into botnets that can initiate DDoS attacks against the Internet. As more and more connected devices with weak security are rushed to the market due to competition and cost concerns, missing trust is deeply rooted in economics. To better understand the economic aspects of consumer IoT security, we commissioned an independent study conducted by Plum Consulting that we are pleased to share with you.

“The economics of the security of consumer-grade IoT products and services” looks at the consumer IoT market and the current state of security (or lack thereof) and points out the main economic obstacles to better security. Consumers often do not have enough information to identify products with weak security. This results in investment in security not being seen as a competitive differentiator for manufacturers. Additionally, since the costs of security breaches are borne by the device owner or third parties rather than the manufacturer, there is little incentive for manufacturers to invest in security. Finally, effective security by design requires specialized skills, can slow down the process, and can cost extra. Because of these factors, combined with cognitive biases of consumers, manufacturers tend to prioritize reducing cost and quickly sending IoT products to market.

But everyone, from consumers to policymakers, can take steps to incentivize manufacturers and shift demand in the market for strong IoT security. These vary by cost and difficulty and come with pros and cons of their own. The report provides a taxonomy and comes up with recommendations for the industry and policymakers to improve consumer IoT security, including prioritizing consumer guidance, leveraging public procurement procedures for products with strong security, encouraging responsible vulnerability disclosures, developing a trustmark for secure consumer IoT devices, prosecuting misleading claims on security, and prescribing a general set of security principles. Mandating security requirements through regulation is considered a last resort, and only if all other initiatives fail to improve security in the consumer IoT market.

Improving consumer IoT security calls for action from a diverse group of stakeholders and their actions complement each other. The complex IoT ecosystem is only as strong as its weakest link – and a collaborative approach to security is essential for success. It is only by working together that we can make a more secure consumer IoT. The economics say so, too.

The post The Economics of Trust: Overcoming Obstacles to Better Consumer IoT Security appeared first on Internet Society.

The Week in Internet News: Microsoft Reduces Password Count

Internet Society - News Headlines - Mon, 29/04/2019 - 16:18

What’s my password again? Microsoft has changed its baseline security configuration, which had suggested passwords be changed every 60 days, Ars Technica reports. Requiring users to change passwords so often can be counterproductive by encouraging them to pick easy-to-remember passwords, the article says.

Big money: Facebook has set aside $3 billion to pay a potential fine to the U.S. Federal Trade Commission over its handling of users’ personal data and various data breaches, CNet reports. Some critics say the expected fine, which could reach $5 billion, is a slap on the wrist for a company that clears tens of billions a year in profits, Recode suggests.

Blocking speech: Terrorist attacks in Sri Lanka that killed more than 350 people on April 21 have prompted the government there to block social media in an effort to prevent the spread of fake news, CNN reports. While some groups praised the decision others said that restricting free speech isn’t productive, says.

Censorship on the rise: Meanwhile, it’s becoming increasingly common for governments to block Facebook and other social media for a variety of reasons. This social media blocking could lead to wider censorship efforts, The Verge suggests.

Please regulate us: The technology industry needs to be regulated because there are some “serious issues” facing companies, Apple CEO Tim Cook said. “We all have to be intellectually honest and admit that what we’re doing isn’t working,” Cook said in an article from The Street. “There are now too many examples where [having] ‘no rails’ has resulted in great damage to society.”

Isn’t it ironic? Twitter has declined to run tweets for a French government get-out-to-vote campaign, citing concerns that it would run afoul of the country’s fake news law, The Independent reports. Twitter has decided to block all political advertising campaigns, although the French Government Information Service calls the effort public information, not political content.

Read “The Lazy Person’s Guide to Better Online Privacy”

The post The Week in Internet News: Microsoft Reduces Password Count appeared first on Internet Society.

Young People: Building an Internet for Everyone

Internet Society - News Headlines - Fri, 26/04/2019 - 18:00

Young people everywhere are building technology, mobilizing communities, and raising their voices to shape policies that create an Internet that’s truly for everyone.

That’s why we’re partnering with the not-for-profit and non-governmental organization AIESEC on a pilot project to train 500 young people on Internet-related skills in Bolivia, Nepal, Namibia, and Kenya.

It’s our hope that this project will be the start of a journey that will result in even more young voices joining a community of thousands of people around the world who believe in the open Internet.

Young people like Pamela Gonzales.

At only 24 years old, Gonzales is the co-founder of Bolivia Tech Hub, an early stage incubator that serves as one of La Paz’s only support systems for the city’s tech community, helping entrepreneurs to learn, develop, and collaborate on new projects.

She’s impacting hundreds of lives, but she says it didn’t come easily.

In her first year of university, she partnered with a friend of hers, a local web developer, and together they secured funding and built something new.

“My mission was to find a place to learn the things I couldn’t learn in the university,” Gonzales said. “I found there were a lot of students who couldn’t learn a lot of tech things because we didn’t have computers with Internet.”

Today, the Hub is completely funded through sponsors. Gonzales spends a lot of time securing funding, but to get it off the ground, she says she and her co-founder had to start from scratch.

“We started doing a lot of contests and challenges, and that created a small tech group which was very creative and full of new people,” Gonzales said. Many of the participants eventually started companies and the ones not going into entrepreneurship secured jobs as developers. As time went on, Gonzales turned her attention to the country’s vast underserved communities. Bolivia Tech Hub runs Technovation for women and girls, and the Curiosity Machine Program, for families.

Community building is at the heart of Gonzales’ work.

She is also a member of the Internet Society Youth Special Interest Group (SIG Youth), a community of young people dedicated to ensuring the voices of young people are heard when it comes to decisions that impact the Internet.

These young people represent the future of the Internet and the world. They are building their dream Internet and they will help inform the policies that govern it. You could be one of them.

Help build an Internet that’s for everyone. Join SIG Youth!

The post Young People: Building an Internet for Everyone appeared first on Internet Society.

Consumers International Summit: Making IoT Privacy and Security a Priority

Internet Society - News Headlines - Fri, 26/04/2019 - 14:30

Each day, more and more of us buy products that connect to the Internet, such as personal assistants, fitness monitors, appliances, and home security systems. Odds are you have one, two, or even more. There are more than 23 billion of these Internet of Things (IoT) products installed around the globe – roughly triple the world’s population – and that number is growing.

The Internet of Things offers the promise of convenience, efficiency, and more personalized services. However, many of these products are designed with little consideration for basic security and privacy protections.

The Internet Society and Consumers International formed a working partnership last year to address these challenges and to make sure consumers have access to trusted Internet-connected devices. We are proud to be lead partner at the Consumers International Summit, 30 April – 1 May, focused on putting consumers at the heart of digital innovation.

Consumers care deeply about their privacy, security, and how their personal information is collected and handled. On May 1 at the Summit, our President and CEO Andrew Sullivan will unveil new research from Consumers International and the Internet Society exploring what matters most to consumers when buying connected devices. He will also share details on who consumers expect to be responsible for better privacy and security.

During the Summit we will meet with consumer organizations from around the globe, as well as representatives from business, civil society, and governments, to exchange ideas on how we can work together to increase consumer trust online. Several Internet Society Chapter leaders will attend to meet Consumers International members from the same country to open a dialogue for future collaboration on the issue of IoT privacy and security.

Another highlight at the Summit will be convening a high-level group of representatives from governments and organizations to discuss their initiatives on IoT privacy and security guidelines. The IoT Security Policy Platform members will identify common areas of overlap and explore best practices as an opportunity for global coordination to enhance IoT security and protect both people and innovation online.

The Internet Society values our partnership with Consumers International, and our shared focus on a trusted Internet for everyone. Watch for more details when we announce the IoT research findings on 1 May and how our collaborative work is leading us toward Trust by Design.

Privacy and security should be more than an afterthought. Learn more about Trust by Design and why it matters.

The post Consumers International Summit: Making IoT Privacy and Security a Priority appeared first on Internet Society.

EQUALS in Tech Awards: Nominations Now Open

Internet Society - News Headlines - Thu, 25/04/2019 - 16:18

Are you working to build a better Internet for women? Do you know initiatives that are promoting the development of digital skills for girls? Is your organization contributing to defending the Internet by helping women get equal access to leadership opportunities?

If the answers are yes, we have something for you.

The EQUALS Global Partnership has announced that the nominations for the 2019 EQUALS in Tech Awards are now open.

The Awards recognize groundbreaking initiatives from around the world aimed at bridging the gender digital divide.

The nomination period will run until June 11, 2019. You can nominate your own initiatives or those of others for an award in one of the following categories:

  • Access: Initiatives related to improving women’s and girls’ digital technology access, connectivity, and security
  • Skills: Initiatives that support development of science, technology, engineering, and math (STEM) skills of women and girls
  • Leadership (two subcategories):
    • Initiatives focused on promoting women in decision-making roles within the ICT field
    • Initiatives promoted by tech sector companies to bridge the digital gender divide
  • Research: Initiatives prioritizing research on gender digital divides and producing reliable evidence to tackle diversity issues within STEM and computing fields

The annual EQUALS in Tech Awards are organized and presented by the EQUALS Global Partnership – a network of 90+ organizations, companies, UN agencies, and research institutions. The Internet Society is proud to be the Chair of the Steering Committee and a member of the Coalitions.

The winners will be announced during the awards ceremony that will take place in November in Berlin as a side event at the Internet Governance Forum. Winners will be invited to attend and share their inspiring stories.

We know that our community of Chapters, Special Interest Groups, Organization Members, and Partners are doing a lot to improve women’s digital inclusion in many corners of the world. We want to encourage everyone to nominate their initiatives or help us to identify those who are working to build, promote, and defend the Internet for women and girls.

For information about how to submit a nomination, please visit:

Interested in helping to tackle the digital gender divide, but don’t know where to start?

  • Join SIG Women, which aims to “promote a global neutral space that works towards the involvement of women in technology and contributes to reducing the gender gap in the field.” Currently, there are many initiatives in different regions throughout the world.

The post EQUALS in Tech Awards: Nominations Now Open appeared first on Internet Society.

The Internet of Things: Why ‘Trust By Design’ Matters

Internet Society - News Headlines - Wed, 24/04/2019 - 16:08

As we have seen vividly in recent years, inadequate security and privacy protections in the Internet of Things (IoT) can have devastating impacts – on Internet users and core infrastructure. The high-profile Mirai botnet distributed denial of service (DDoS) attack in 2016 was a dramatic example of the effects of poor security in IoT devices, and CloudPets connected teddy bears were withdrawn from sale by most retailers after it was revealed that millions of voice recordings between parents and their children were exposed. But the threats from these insecure devices don’t vanish when they are updated or recalled, since there is often a large number of them still in service, and still vulnerable.

Because of this, the Internet Society is particularly focused on improving the security and privacy of consumer IoT. As a rapidly growing area, it is especially vulnerable and has been exploited by malicious actors.

That’s why we’re encouraging manufacturers to adopt Trust by Design.

“Trust by Design” – an umbrella term that includes Privacy by Design and Security by Design – is an essential component of a healthy IoT ecosystem. It has significant implications beyond IoT for the health of the Internet as a whole, and all of its users.

The Privacy by Design concept was developed by Dr. Ann Cavoukian in the 90s in response to the growing and systemic effects of information technologies and large scale data systems. It has since become a foundational concept, underlying much of the work on privacy protection that has followed. There are 7 key principles:

  1. Proactive not reactive: preventative not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality: positive-sum, not zero-sum
  5. End-to-end security: full lifecycle protection
  6. Visibility and transparency: keep it open
  7. Respect for user privacy: keep it user-centric

While all 7 principles are essential, there is one we place particular emphasis on (especially with manufacturers): privacy embedded into design.

“Privacy measures are embedded into the design and architecture of IT systems and business practices. These are not bolted on as add-ons, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is thus integral to the system, without diminishing functionality.”

There are several interpretations of Security by Design. The Open Web Application Security Project (OWASP) Foundation does a good job of explaining the fundamental principles:

  1. Minimize attack surface area
  2. Establish secure defaults
  3. Principle of least privilege
  4. Principle of defense in depth
  5. Fail securely
  6. Don’t trust services
  7. Separation of duties
  8. Avoid security by obscurity
  9. Keep security simple
  10. Fix security issues correctly

We believe proper security should be included at all steps of the design and architecture of IoT systems, not as an afterthought.

The Online Trust Alliance (OTA, an Internet Society initiative) IoT Trust Framework has 40 key principles that provide a set of guidelines for manufacturers as they design and develop products and services – with privacy and security as a top priority. Developed through a consensus-driven, multistakeholder process, this IoT Trust Framework is unique in two significant ways:

  • It takes into account the lifecycle issues associated with IoT products and services.
  • It addresses the entire ecosystem, holistically, including devices/sensors, mobile apps, and backend services. Most frameworks focus on just the devices, but a system is only as strong as its weakest link.

There is a great deal that we can all do. In particular, it’s important that:

  • Manufacturers take affirmative steps to improve the security and privacy of the devices they produce
  • Retailers understand the role they play and the impact they can have when they take these factors into account when deciding upon which products to sell
  • Consumers inform themselves, using credible sources, to understand the security and privacy aspects of IoT devices they are considering or already using
  • Policymakers and regulators look at the roles they can play and work together with other key stakeholders toward better outcomes

Learn more about Trust by Design and what manufacturers, retailers, consumers, and policymakers can do:

The post The Internet of Things: Why ‘Trust By Design’ Matters appeared first on Internet Society.

The Internet Society’s African Chapters Join the African Union and Other Partners to Discuss IoT Security, Privacy, and Digital ID in Africa

Internet Society - News Headlines - Tue, 23/04/2019 - 19:37

In collaboration with the Africa Union Commission (AUC), the Africa Telecommunication Union (ATU), and Omidyar Network, the Africa Regional Bureau successfully gathered 103 participants in Addis Ababa, Ethiopia, from 8-11 April 2019. The participants, comprising Internet Society Chapter leaders, African regional economic bodies, privacy experts, regulators, and data protection agencies, attended a two-day workshop on IoT Security, Privacy, and Digital ID, followed by the 2019 African Chapters Advocacy Meeting.

The first day of the workshop focused on IoT opportunities and security considerations. It explored the IoT landscape in Africa and shared active deployments and chapter-led projects. The day also discussed IoT security and privacy considerations with emphasis on frameworks that could be implemented to ensure the security and safety of IoT devices. A dedicated session on aligning policy and IoT security needs shared the experience of the Senegal multistakeholder IoT security process and motivated member states to initiate a similar process in their countries.

The second day focused on localizing the AUC and Internet Society Personal Data Protection Guidelines. Our partners AUC, Omidyar Network, Mozilla Foundation, and UNECA unpacked issues related to digital identity, personal data protection and privacy in the region. The meeting explored the nature of policies in place to ensure Internet users in Africa are secure and discussed legal and institutional frameworks to promote online privacy of people in African countries, including data hosted in other jurisdictions. Among the outcomes of the workshop was a resolution to conduct a regional IoT situational analysis to help policymakers understand the state of IoT in the region. With regard to privacy, AUC will continue to work with partners to motivate member states to sign the Malabo Convention. The Personal Data Protection Guidelines will be used as the basis for privacy policymaking within countries. Our Internet Society Chapters will also rally and act as advocates to their countries to prioritize privacy and personal data protection issues.

The third and fourth days were dedicated to the 2019 African Chapters advocacy meeting, which brought together 30 fellows from 26 African Chapters and one global SIG. During the two days the Chapters’ representatives discussed the Internet Society’s 2019 initiatives, campaigns and projects (with dedicated sessions on Internet shutdowns, consolidation, and encryption), the 2025 strategy, 2020 action plan development, and how they can get involved and implement concrete, relevant activities at the local level. The meeting was also a great opportunity for capacity building, advocacy, and mobilization of Chapters in building and promoting trust in the Internet in Africa with a special focus on IoT security, privacy, and personal data protection.

Read more about the 2019 African Chapters Advocacy Meeting.

The post The Internet Society’s African Chapters Join the African Union and Other Partners to Discuss IoT Security, Privacy, and Digital ID in Africa appeared first on Internet Society.

Girls in ICT Day: Attend the Global Marathon in Digital Skills Development

Internet Society - News Headlines - Tue, 23/04/2019 - 16:35

There’s a lack of gender diversity at all levels in the technology sector. This is partly because the number of female students in mathematics, engineering, computer science, and science is disproportionately low around the world. So how do we close this gap?

Support for the education of women and girls in the ICT sector is consistent with the Sustainable Development Goals (SDGs) – in particular SDG 5, aimed at achieving gender equality and empowering all women and girls through, among other things, information and communication technologies.

The Women’s Special Interest Group (Women SIG) of the Internet Society is committed to promoting the participation of women in the Internet ecosystem, especially given the importance of increasing the participation of girls and adolescents in Information Technology and Communication.

This April 25, International Day of Girls in ICT, promoted by the International Telecommunication Union (ITU), aims to reduce the digital gender gap and to encourage and motivate girls to participate in technology careers. With the support of the Internet Society Chapters and local civil society organizations, we’re planning to celebrate the day with a global marathon of training in digital skills development. We want to motivate girls and teenagers to study and participate in ICTs and we want them to see the women who work in these areas as role models and inspiration.

Join one of the face-to-face or online events!

25 April 2019, 19:00 (Brasília time)
online via Zoom

Burkina Faso
25 April 2019, 8:30-12:30
ISOC-Burkina Faso headquarters
Team: Micheline KABORE (Vice-President, ISOC-Burkina), DA Régina (moderator), Linda TRAORE (program manager at IPBF)

El Salvador
23 April 2019, 14:00-17:00 (El Salvador time)
La Casa de Internet de El Salvador, Calle La Reforma No. 249, Colonia San Benito, San Salvador

25 April 2019, 18:00-20:00 GMT
AITI-KACE Accra, Ghana
Digital Address: GA-079-3146
Facilitators (Panel discussion):
Mrs. Awo Aidam-Amenyah of J-Initiative, advocacy cybersecurity for children and women in Ghana
Madam Nancy Dotse high-level technical training for women in Africa
Madam Vivian from the Cybercrime unit of the CID division of Police
Presentation on Social Engineering: Botsyoe Edinam Lily

24 April 2019, 9:00-12:30
Centro Cultural de España en Guatemala (CCEG), 6a avenida 11-02 zona 1, Centro Histórico, Edificio Lux, segundo nivel, Ciudad de Guatemala

24 April 2019, 10 UT
High school girls Conakry common Ratoma

24 April 2019, 8:30-12:30
Cámara de Comercio e Industria de Tegucigalpa (CCIT)
Team: Elena Aguilera (founder of Guala Honduras), Sandy Palma, Aleli Castro, Dania Valle (founder of Reciclatecc)

Hong Kong
30 April 2019, 19:30-21:00
Zerozone, 9/F, Tungtex Building, 203 Wai Yip Street, Kwun Tong, Kowloon
Language: Cantonese
Registration: Prior registration
Fee: Free

25 April 2019, 09:00-15:00
Windhoek Technical High School

25 April 2019, 10:00 a.m.
St. Louis College, Jos

23 April 2019, 14:00-16:00
Edificio #3, piso #3, Facultad de Ingeniería en Sistemas,  Salón de Laboratorio # 3-401 en la UTP

26 April 2019, 8:30-17:30
Radisson Decapolis Hotel, Multicentro, Ave. Balboa, Ciudad de Panamá.
More information: OEA CyberWomen Challenge

27 April 2019
CREATIVENEERS, Avenida Condado del Rey, Mi Condado Plaza, Piso 1, Panamá

25 April 2019, 09:00-16:00
Solusi University Computer Center

Help close the digital gender divide! Join SIG Women, which is open to everyone.

The post Girls in ICT Day: Attend the Global Marathon in Digital Skills Development appeared first on Internet Society.

10 Years of Auditing Online Trust – What’s Changed?

Internet Society - News Headlines - Mon, 22/04/2019 - 18:36

Last week we released the 10th Online Trust Audit & Honor Roll, which is a comprehensive evaluation of an organization’s consumer protection, data security, and privacy practices. If you want to learn more about this year’s results, please join us for our webinar on Wednesday, 24 April, at 1PM EDT / 5PM UTC. Today, though, we thought it would be interesting to see how the Audit and results have evolved over time. Here are some quick highlights over the years:

  • 2005 – The Online Trust Alliance issued “scorecards” tracking adoption of email authentication (SPF) in Fortune 500 companies.
  • 2008 – Added DKIM tracking to the scorecards, and extended the sectors to include the US federal government, banks, and Internet retailers.
  • 2009 – Shifted from scorecard to “Audit” because criteria were expanded to include Extended Validation (EV) certificates and elements of site security (e.g., website malware).
  • 2010 – Introduced the Honor Roll concept, highlighting organizations following best practices. Only 8% made the Honor Roll.
  • 2012 – Expanded criteria to include DMARC, Qualys SSL Labs website assessment, and scoring of privacy statements and trackers. Shifted overall sector focus to consumer-facing organizations, so dropped the Fortune 500 and added a “Social” sector (now called Consumer). 30% overall made the Honor Roll. Now a comprehensive audit, 2012 has served as the baseline year for Honor Roll achievement – there are 28 organizations that have earned Honor Roll status all seven years.
  • 2014 – Added News/Media sector and included US federal government as part of the Honor Roll (vs. just as an overall sector). 30% overall made the Honor Roll.
  • 2017 – Added ISPs, hosters, and email services sector. 52% overall made the Honor Roll.
  • 2018 – Added healthcare sector. 70% overall made the Honor Roll.

Since 2012 the overall assessment categories have not changed, but the breadth and depth of criteria have been expanded to give a more holistic view of organizations’ adherence to best practices. Criteria and their weighting are re-evaluated each year to make sure they reflect the latest best practices and protection against common threats.

Even though the bar is raised each year, Honor Roll achievement has grown steadily, from 30% in 2012 to 70% in the most recent Audit. While this is solid progress, we can’t forget that these organizations are the top in their sector (by assets, revenue, users or traffic), and therefore don’t necessarily reflect the status of the entire sector.

Our Audit criteria are meant to be practical and implementable by organizations of all sizes, so we encourage all organizations to examine the best practices summarized in Appendix E of the Audit and assess themselves. We look forward to another decade of progress in ensuring a more trustworthy and secure Internet.

Join the webinar on this year’s Audit!

The post 10 Years of Auditing Online Trust – What’s Changed? appeared first on Internet Society.

The Week in Internet News: Arkansas Reverses Ban on Municipal Broadband

Internet Society - News Headlines - Mon, 22/04/2019 - 15:42

Change in direction: A story at examines why the state of Arkansas has moved to rescind a 2011 ban on community-financed broadband networks. The state is the least connected in the U.S., according to one group, and residents have complained about “lousy” broadband options.

White and male: The Artificial Intelligence field is too white and too male, according to research from the AI Now Institute at New York University. About 80 percent of AI professors are men, and just 15 percent of the AI research staff at Facebook and 10 percent at Google are women, notes a story on the research at The Verge. Racial minorities also make up a small percentage of AI staff at large tech vendors.

Comey vs. encryption: Former U.S. FBI Director James Comey, who pushed for ways for law enforcement agencies to break into encrypted devices while he was in government, now says he would have taken a different approach to the encryption debate, the Washington Post reports. Comey says it was “dumb” to launch the encryption debate by criticizing U.S. tech companies. However, he still believes law enforcement agencies need access to encrypted communications.

Censorship vs. disinformation: The Ukraine government is battling disinformation coming from Russia by cracking down on Internet speech, reports. Ukraine in essence is becoming more like Russia to battle Russia, the story suggests.

Fake news as malware: Organizations battling fake news should treat it more like computer malware, suggests a story at The Parallax. Social media sites and other organizations should take on a more “adversarial style of thinking,” said Sara-Jayne Terp, founder of cybersecurity consulting company Bodacea Light Industries.

Encryption is under threat around the world. It’s up to each of us to take action.

The post The Week in Internet News: Arkansas Reverses Ban on Municipal Broadband appeared first on Internet Society.