
5 recent developments in online privacy & security

James Watkins - Law on the Web

19 April 2016 | Miscellaneous

The internet is still a relatively new frontier for the law, particularly as governments clash with privacy advocates over where the line between national security and rights to privacy should be drawn.

We also have the increasing sophistication of online crime to worry about.

To mark the launch of our Cybersecurity and Keeping Safe Online section, we take a look at a few of the more interesting recent developments in cybersecurity.

The FBI iPhone hacking saga

One of the bigger stories of the last couple of months was the battle between the FBI and Apple over whether an iPhone should be unlocked.

The iPhone in question belonged to Syed Farook, one of the shooters involved in the San Bernardino attack from 2015 in which 14 people were killed.

The FBI, wanting access to the phone in order to see if any intelligence to combat terrorism could be gleaned, demanded that Apple create software that would unlock the phone for them, applying for a court order to have them do so.

However, Apple refused, saying that unlocking the phone would require them to create a backdoor that could endanger other iPhones.

They also stated that an order forcing them to unlock an individual’s phone at the behest of the government would set a “very dangerous precedent”.

“The only way to guarantee that such a powerful tool isn’t abused and doesn’t fall into the wrong hands is to never create it,” Apple said in a letter on their site.

However, in the end, Apple’s objections were for naught – the FBI were eventually able to unlock the phone without the help of the fruit-inspired tech giant.

The phone was accessed via a previously unknown security bug, which would apparently work on all iPhone models up to and including the 5C.

The FBI reportedly paid Israeli mobile forensics firm Cellebrite for the hack – however, the Washington Post reported this week that the hack had actually been bought from professional “grey hat” hackers.

WhatsApp introduces end-to-end encryption

David Cameron might want to ban end-to-end encryption, but it doesn’t seem like messaging apps are quite ready to let it go.

In a blog post, WhatsApp founders Brian Acton and Jan Koum announced that the instant messaging app will now use full end-to-end encryption.

This means that, according to the founders, “when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us”.

The service is now using an encryption method called the Signal Protocol, a highly secure form of encryption which uses a 256-bit key. WhatsApp is not the only messaging app which uses this – Apple’s iMessage also does – but it is the most widely used.

Using this encryption won’t get WhatsApp in trouble with the law over here just yet – however, it may find itself banned in India soon, where encryption over 40-bit is illegal.

Met police chief questions refunds for victims of online fraud

Sir Bernard Hogan-Howe, police commissioner for the Metropolitan police, stirred up a hornets’ nest last month when he suggested that banks should not refund victims of online fraud who fail to protect themselves sufficiently.

The commissioner said that consumers needed to be incentivised to take measures to improve their internet security, such as improving their passwords and keeping anti-virus software up to date.

“If you are continually rewarded for bad behaviour you will probably continue to do it but if the obverse is true you might consider changing behaviour,” he said. “The system is not incentivising you to protect yourself. If someone said to you: ‘If you’ve not updated your software I will give you half back,’ you would do it.”

However, the commissioner was slammed for suggesting the idea.

“With online fraud increasing, this is an astonishingly misjudged proposal from the Met police commissioner,” said Richard Lloyd from Which?.

He added that recent research by his organisation had shown that customers were already finding it difficult to get their banks to refund them for fraudulent transactions.

“The priority should be for banks to better protect their customers, rather than trying to shift blame on to the victims of fraud,” he said.

NCA accused of trying to get alleged hacker’s password “by the back door”

The National Crime Agency (NCA) has applied for a court order which would force alleged hacker Lauri Love to disclose encryption keys to his own data.

Mr Love is accused of hacking into US Federal Reserve computers and stealing sensitive data, and is facing attempts to extradite him to the USA.

The NCA seized computers and hard drives from Mr Love’s home in 2013, and he is now suing them in an attempt to get the equipment back, under the Police Property Act.

However, if the NCA’s application is accepted, Mr Love will have to provide the NCA with his password so they can inspect the data within before they return the equipment.

The NCA and other enforcement agencies can force individuals to disclose encryption keys via court order under the Regulation of Investigatory Powers Act (RIPA). In fact, they had already issued such an order to Mr Love back in 2014, but the order expired without any further action.

However, this application to get the encryption keys is completely independent from RIPA. The development has been met with dismay by privacy advocates, who have accused the NCA of trying to circumvent RIPA.

Stephen Cragg QC, who is representing Mr Love, said: “There is a concern that the NCA is seeking in this application to access Mr Love's data by the back door rather than by the route sanctioned by parliament in RIPA.”

Scammers can exploit cookie notifications

The cookie law has been criticised ever since it came into effect – however, those criticisms were mostly limited to it being laughably ineffective and a pain for site owners.

However, it also seems to have indirectly provided criminals with an extra way to harvest the private data of unsuspecting internet users.

Most sites notify their users about the cookies they set by showing a banner at the top of the page, with a button to accept the cookies or simply dismiss the box.

According to this article at SC Magazine, scammers are using a technique known as clickjacking, wherein an invisible element containing a link is placed over something else you were trying to click.

When such a link is hidden over the ‘accept’ button on the cookie notification, the user clicks the hidden link instead, possibly downloading some form of horrid malware onto their computer.

Jérôme Segura, senior researcher for anti-malware application Malwarebytes, said: “As an end user you should be aware of what you click on. Take time to look at any warning messages before clicking through.”

David Emm, from internet security firm Kaspersky, recommended that internet users “be aware of what [they] click on”.
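Clickjacking of the kind described above depends on the attacker being able to layer content over the page the victim sees, most commonly by loading the target page inside a frame under their own overlay. The added example below is not part of the original article or of any product it mentions: it checks an HTTP response's headers for the standard anti-framing protections (Content-Security-Policy frame-ancestors and X-Frame-Options) and shows the kind of top-level-document guard a cookie-consent widget can apply before arming its accept button. The header sets and the `win` parameter are constructed for illustration.

```javascript
// Added example (not from the article): checks whether an HTTP response carries the
// headers that stop other sites framing the page, the standard server-side defence
// against clickjacking overlays, plus a client-side guard for a consent widget.

// Parse a Content-Security-Policy value into a map of directive name -> source tokens.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// `headers` maps lower-case header names to values. Returns whether cross-site
// framing is blocked and which header decided it.
function assessFramingProtection(headers) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseCsp(csp)['frame-ancestors'] : undefined;
  if (ancestors) {
    // frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
    const open = ancestors.some((t) => t === '*' || t === 'http:' || t === 'https:');
    return open
      ? { framingBlocked: false, reason: 'frame-ancestors allows any origin' }
      : { framingBlocked: true, reason: `frame-ancestors ${ancestors.join(' ')}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framingBlocked: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection.
    return { framingBlocked: false, reason: 'X-Frame-Options ALLOW-FROM is ignored' };
  }
  return { framingBlocked: false, reason: 'no framing restriction' };
}

// Client-side guard: a consent widget should only arm its accept button when the
// document is top-level. `win` is passed in (normally `window`) so it can be tested.
function consentButtonEnabled(win) {
  return win.self === win.top;
}

// Constructed sample responses: unprotected, X-Frame-Options, restrictive CSP, open CSP.
const SAMPLE_HEADERS = {
  weak: { 'content-type': 'text/html' },
  xfo: { 'x-frame-options': 'deny' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspOpen: { 'content-security-policy': 'frame-ancestors *' },
};
```

Run `assessFramingProtection` over the headers of your own site's pages that carry a consent banner; any result with `framingBlocked: false` means another site can frame that page and overlay its buttons.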
