The Evolving Threats – Why Internet Privacy Matters for Individuals and Business
Our reliance on technology is increasing by the day, on both personal and professional levels. It’s not an overstatement that our personal information is available on more than one website. Professionally, more businesses are incorporating digital mobility, thus exposing themselves to ever-increasing threats.
Cyber crime continues to escalate at a worrying rate, but it’s not just the malicious software and hackers that businesses need to worry about. We’re talking about mass surveillance by governments and security agencies. Now it is true that web monitoring does help detect threats, but it shouldn’t come at the cost of infringing privacy as well as the laws that protect privacy.
The mass surveillance network of governments raises many questions as to whether it is ethical to have access to such sensitive information. Let’s take a look at the evolution of cyber threats and mass surveillance to have a better understanding of where we stand today, and what we can do to better protect personal and confidential data.
Threats to Professionals and Companies
Given the level of personally identifiable information (PII) available online, regarding a person or a business, it only makes sense to fortify online security and take matters of privacy seriously. However, that is seldom the case, and the past decade, especially the last five years, proves that complacency remains at large in this regard.
Sony Entertainment, iCloud, Tesco Bank, Sony PlayStation Network, and Sage have all been victims of cyber breaches and hacks. Perhaps the most infamous example of such large-scale data breaches is Sony Corporation, which had attacks on two of its biggest divisions in just the past five years.
In 2011, personal information of 77 million PlayStation users was compromised and leaked online, making it one of the largest breaches in history. Sony Entertainment, on the other hand, had to deal with unprecedented leaks of emails and confidential data in 2014. Government organisations and diplomats are not safe either, and the Department of Justice (DOJ)’s website and Clinton’s email leaks provide strong evidence.
These are of course the high-profile examples of data and security breaches. Millions of companies are exposed to increasing cyber threats, which can be internal or external. Internal threats, otherwise known as inside attacks, are carried out when an employee or ex-employee of an organisation misuses their access privileges for various nefarious reasons. The five major examples of external threats include:
Advanced Persistent Threats – Also known as APTs, these long-term attacks are highly targeted, with the objective of penetrating a network without detection. There can be various motives to launch APTs.
Distributed Denial of Service (DDoS) – If you’ve seen Mr. Robot, then you might be familiar with DDoS attacks. These attacks are carried out by overloading a server with requests to eventually shut down the website and/or the network system.
Malware – There are many, many ways through which malicious software can be introduced to a computer in a network. The goal is to gain access or cause damage to confidential data. Over the past few years, malware has become increasingly sophisticated.
Password Attacks – These attacks can be carried out in a number of ways. A hacker may guess the password until gaining access, or use dictionary attacks where a program is used to try combinations. Keylogging is another form where the login IDs and passwords of users are tracked.
Phishing – Last but definitely the most common type of cyber attack is phishing. In simple words, phishing is gathering sensitive information such as login details and banking information (credit cards, online payment methods) through websites that look legitimate but are ultimately fraudulent. Phishing often lures individuals through email, and is the most common type of cyber attack on small and medium businesses according to Ponemon Institute!
As a business, now more than ever, you are at an increasing risk of getting networks compromised, and your database breached. You might think that email servers such as Outlook, Gmail, and Yahoo are safe for business communication, but think again.
Why Using Popular Email Servers Is Never A Good Idea
One of the biggest mistakes a business can make today is not choosing the email service provider wisely for business accounts and hosting plans. Conventional wisdom dictates that Outlook, Yahoo, and Gmail are the most popular services, and often viewed as the safest email servers out there, so there is no reason to not choose one of the three.
The reality, however, is very different, and the most popular email services of today are more susceptible to targeted attacks and phishing. For starters, Yahoo’s servers have proven to be prone to hacks, as the latest, and possibly the worst hack in the company’s history will tell you. Login credentials of over 500 million users were compromised earlier this year. If your business was or is using Yahoo, then you might have been told to update your password.
This is not the first time Yahoo and its users were at the centre of massive hacks. In fact, there have been many attacks on Yahoo’s servers in the past, none more so than the ones in 2012 and 2014. With regard to the latest attack, one former information security officer of Yahoo, Jeremiah Grossman, summed up the attack in less than 140 characters:
"It's unsurprising when breaches, even of this magnitude, take place. Yahoo certainly isn't the first. And they won't be the last."
Microsoft and Google email service users are not far away from danger either. To give you an overview, another major email hack transpired earlier this year. It led to a massive theft of tens of millions of accounts of Outlook, Yahoo and Gmail users. Good damage control on the part of the three internet giants meant that the news didn’t make the rounds as it should have. While Microsoft was prompt to issue a statement, admitting that such attacks are ‘an unfortunate reality’, Google and Yahoo did not comment.
Phishing remains a problem for all three major email service providers, and local internet service providers just don’t have the resources to keep up with the big guns. A good email service provider needs to ensure that it provides its customers (both individuals and businesses) with:
Robust Backup – To ensure that things go back to normal as quickly as possible to minimise the impact of downtime.
Privacy Protection – To protect the personal and sensitive information of individuals, and businesses and their customers.
Disaster Recovery – To quickly identify and address the cause of server failure and start recovery efforts swiftly.
The gist of this is that popular email servers such as those of Microsoft, Yahoo, and Google are still susceptible to different types of cyber threats. But if the potential ramifications of a massive data breach were not enough, professionals and businesses today also need to keep a watchful eye on government mass surveillance.
Whistleblower Diaries: The NSA and GCHQ
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
When Glenn Greenwald published the first bombshell evidence of mass surveillance on American citizens by the National Security Agency (NSA) in The Guardian, fear and panic gripped the world. Just three days later, the source of the leaked documents stepped forward: Edward Snowden.
The second bombshell that came out within 24 hours after the first story was published highlighted the existence and role of PRISM and how it can, by law, ask companies to provide user data. Tech leaders in Silicon Valley have been vocal about increasing transparency when the government requests user data.
Perhaps the two most unprecedented revelations from the Snowden leaks were that the NSA spies on foreign governments, and that the UK has a mass surveillance program of its own. The Government Communications Headquarters (GCHQ) allegedly intercepts data by tapping the fibre optic cables from around the world.
In addition, the Snowden leaks also revealed that the GCHQ and NSA work closely on a program codenamed Tempora. This program allows them to share intelligence and sensitive data in bulk, including but not limited to individuals, consumers, businesses, diplomats, and government agencies. The GCHQ has also gained notoriety for monitoring phone calls, internet traffic, emails, browsing history, and even Facebook messages.
Privacy advocates like Edward Snowden have become more vocal than ever, and human rights organisations are calling for the US and UK governments to show accountability and implement more transparency. Though the conversation on privacy and mass surveillance is getting bigger, the legal side of things is anything but changing.
The Laws Are Changing
Yes, they are, but in favour of such mass surveillance programs in prominent countries. The 374-FZ and 375-FZ bills of the Yarovaya Law were passed earlier this year as counterterrorism measures. The amendments made to the law give telecommunications operators authority to record phone calls and messages of customers for up to six months. They also give the Federal Security Service (FSB) permission to receive decryption keys from messaging services like Telegram and Facebook. Although the implementation of the amendments will be extremely expensive, the Russian government is planning to see it through.
Another draconian law that was passed without so much as a whimper was the Investigatory Powers Bill (IPB), which was approved by the UK Parliament just last month. The IPB should raise many eyebrows, but the fact that it passed relatively unnoticed makes it all the more concerning.
Only a few lawmakers and reformers in the parliament were strongly against the bill. When the bill was passed, Edward Snowden took to Twitter to voice his opinion: “The UK has just legalised the most extreme surveillance in the history of western democracy. It goes further than many autocracies.”
The bill labelled as ‘the most extreme surveillance in the history’ will come into effect from 2017, and highlights of it include:
Retention and access to online browsing records for 12 months without warrant.
Collection of bulk communication data; foreign companies aren’t currently required to comply, but there are some exemptions.
Removing encryption wherever and whenever the intelligence agencies (GCHQ and MI5) and government feel it is necessary.
Enforcing communications providers and third parties to reveal data requests, under which whistleblowers will become criminals by revealing abuse of privacy.
The IPB gives the UK intelligence agencies unparalleled powers, currently unmatched by the US and the rest of Europe. It legalises a wide range of hacking and snooping measures under the battle cry of national security and counterterrorism. Though the bill currently applies only to UK companies, foreign companies may be required to comply.
Time to Take Privacy Seriously
On the back of ever-evolving cyber threats and continued mass surveillance from intelligence agencies, more and more people and businesses are taking privacy and data security more seriously. Since emails are a major target of cyber threats and surveillance, fortifying your business email accounts should be a top priority. Alternatives such as ProtonMail have proved to be the voice of digital advocacy in what many are calling the golden age of invasion of privacy.
As ProtonMail is a Swiss company, it is able to provide strong, end-to-end encryption, all the while legally avoiding mass surveillance bills and regulations imposed by other jurisdictions. Its email service is a massive upgrade over the not-so-safe, surveillance-prone email servers of Microsoft, Google, and Yahoo.
In addition, more people and companies need to start using encryption-based text messaging and web browsing applications and programs. Complacency in these matters could very well result in situations where our digital rights are abused, or in some cases, revoked.
No one is safe from cyber threats. Not the government, not a business, not your next-door neighbour, and definitely not your email server. On top of that, governments are imposing totalitarian regulations that undermine the very meaning of democracy. But there are still advocacy groups and tech companies that continue to fight for the digital rights of individuals and businesses. It’s a matter of choosing whether you want to get complacent in personal and professional life, or want to protect what’s rightfully yours – privacy!














