NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA. NDSS is a premier academic research conference addressing a wide range of topics on network and system security. It’s an incubator for new, innovative ideas and research on the security and privacy of the Internet.

NDSS 2020 (23-26 February) will be one of the biggest NDSS symposia yet, featuring 88 peer-reviewed academic papers, 34 posters, 5 workshops, and 2 keynotes on vital and timely topics. Here are some of the highlights.

Workshops

This year’s program officially starts with five workshops on Sunday, 23 February. NDSS workshops are organized around a single topic and provide an opportunity for greater dialogue between researchers and practitioners in the area.

The QUIC Privacy and Security (QUIPS) Workshop focuses on QUIC security and privacy analysis efforts. The IETF QUIC protocol is a modern UDP-based, stream-multiplexing, encrypted transport protocol. Inspired by prior art, QUIC’s packet and header encryption removes cleartext information from the network while simultaneously mitigating ossification of version-specific protocol behavior. The goal of the QUIPS workshop is to bring formal analysis results to the IETF working group and developer communities in order to build confidence in and improve QUIC before its widespread deployment.

The Workshop on Measurements, Attacks and Defenses for the Web (MADWeb) returns this year after making its debut in 2019. The web connects billions of devices, running numerous types of clients, and serves billions of users every day. To cope with such widespread adoption, the web constantly changes; this is evident in some browsers having a release cycle of just six weeks. These rapid changes are not always studied from a security perspective, resulting in new attack vectors that were never observed before. MADWeb is looking to connect researchers working at the intersection of browser evolution and web security. The goal is to bring together a community to discuss the rapid changes to browsers from a security perspective, the security implications of current web technologies, and how we can make browsers in the future more secure without hindering the evolution of the web.

The Learning from Authoritative Security Experiment Results (LASER) Workshop focuses on learning from and improving cybersecurity experimental results. The workshop strives to provide a highly interactive, collegial environment for discussing and learning from experimental methodologies, execution, and results. Ultimately, the workshop seeks to foster a dramatic change in the experimental paradigm for cybersecurity research, improving the overall quality and reporting of practiced science. As such, it will be structured as a true “workshop” in the sense that it will focus on discussions and interactions around the topic of experimental methodologies, execution, and results with the goal of encouraging improvements in experimental science in cybersecurity research. Authors will lead the group in a discussion of the experimental aspects of their respective efforts.

The Binary Analysis Research (BAR) Workshop returns for its third year at NDSS. Binary analysis refers to the process where humans and automated systems examine underlying code in software to discover, exploit, and defend against vulnerabilities. With the enormous and ever-increasing amount of software in the world today, formalized and automated methods of analysis are vital to improving security. This workshop will emphasize the importance of releasing and sharing artifacts that can be used to reproduce results in papers and can be used as a basis for further research and development.

The Workshop on Decentralized IoT Systems and Security (DISS) is also in its third year. The seemingly endless potential of the Internet of Things (IoT) is somewhat tempered by the ongoing concern over the ever-increasing risk that these devices pose to the Internet. The ultimate success of IoT depends on solving the underlying security and privacy challenges. Following the spirit of NDSS, the goal of this workshop is to bring together researchers and practitioners to analyze and discuss decentralized security in the IoT.

Keynotes

There will be two keynotes this year: Paul Forney, Chief Security Architect at Schneider Electric, on Monday, and Dr. Sharon Goldberg, Associate Professor in the Computer Science Department at Boston University and CEO/Co-Founder of Arwen, on Tuesday.

Paul Forney will discuss “Overcoming the ‘Evil Twins’ Attack: Lessons Learned from the Industrial Battlefield.” He asks the important question: “What could happen during a simultaneous attack of the industrial safety controllers (SIS) and Industrial Control Systems (ICS) of a critical infrastructure system?” Paul will discuss the technical lessons that can be learned from this sort of attack and how to best architect, protect, and contextualize a better future.

Dr. Sharon Goldberg will present “A Few Adventures in Technology Transfer.” This talk will discuss her adventures in technology transfer and in particular address two key metrics – ease of integration and precise specification.

NDSS 2020 Papers

The star and indeed the core of NDSS 2020 is the final set of peer-reviewed academic papers to be presented and published. This year there are 88 peer-reviewed papers organized into 19 sessions, representing less than 20% of the original submissions: over 500 papers were submitted during both a summer and a fall submission period. A program committee of 97 experts assisted by 133 external reviewers worked to select and shepherd the accepted papers to this result. Topics cover a wide range including authentication, cryptography, censorship, network security, privacy, IoT, and mobile and web security. Papers, slides, and videos of all the talks will eventually be available on the NDSS 2020 programme page. The detailed agenda is already there!

Finally, NDSS 2020 also includes an energetic Poster Session and Reception featuring 34 posters of recently published or newly-emerging research. Attendees can vote for their favorites with special prizes being awarded in different categories.

All of this fabulous content takes a huge effort by a large group of people. Special note should be given to the Program Committee along with the Organizing Committee. This is teamwork and collaboration in action!

NDSS is where the next generation of security research starts, and for more than 20 years, the Internet Society has been a proud partner in hosting this event. Nearly 450 security experts will gather this coming week in San Diego to collaborate and engage in research discussion to help advance network and system security – all for the benefit of better security and a strong Internet.

Follow along via our social media channels – Twitter, Facebook, and LinkedIn, or search/post using #NDSS20.

See you in San Diego!


Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series of activities and events dedicated to working towards a more secure Internet. I’m really excited to take part in the activities organized by the Brazilian hub of Safer Internet Day, where the topic of encryption in the Latin American and Caribbean region is going to be discussed in one of the panels.

It’s great to have a day dedicated to building a more secure Internet for everyone; however, the reality for most people championing digital security is that every day is Safer Internet Day. This is certainly the case at the Internet Society. Our global community of staff, Chapters, members, partners, and supporters are deeply committed to an open, globally-connected, secure, and trustworthy Internet for all. That’s why we aligned our 2020 Action Plan to focus on building a bigger and stronger Internet for everyone.

Digital security is the foundation of our connected economies and societies – and encryption is the bedrock of digital security. It protects the integrity, confidentiality, and authenticity of data and communications. And as a colleague of mine always says, “when we fail to protect data, we fail to protect people.” Some might read that with an emphasis on “people.” Others with an emphasis on “data.” But to truly champion digital security it’s also important to read between the lines: we must protect the structural elements that form the Internet ecosystem. This means protecting every product, service, or application that directly or indirectly connects people to data and communication flows: the Web, social networks and messaging apps, online banks, digital government services, e-commerce marketplaces, corporate cloud systems and so on. It is undeniable that nearly everything that touches our daily lives depends on encryption technologies.

It’s clear that businesses and consumers care about the security of their data and private communications. Encryption protocols and services, especially end-to-end encryption, have become a growing trend in the last decade.[1] The last Online Trust Audit undertaken by the Online Trust Alliance (OTA) found that the percentage of the 1000 audited sites fully encrypting their web sessions grew from 52% to 93% from 2017 to 2018. Digital security is also increasingly related to consumer purchasing decisions. A recent survey led by public policy and business innovation website InnovationAus found 40% of firms that responded say they lost sales after Australia passed a law forcing companies to weaken security to help with surveillance.

It’s increasingly common to see encrypted communications blamed as an obstacle to law enforcement, public safety, and national security. But breaking or weakening encryption isn’t the solution. While these approaches might stem from a sense of urgency and good intentions, they threaten the security of the digital ecosystem as a whole. This is especially true with widely-used, general-purpose, and off-the-shelf applications. It’s important to recognize that despite good intentions, any proposed business, policy, or regulatory “solution” that involves weakening encryption will do more harm than good, putting users at a greater risk. Intentionally weakening security can also have negative economic and political consequences which are not always easy to understand and predict.

This Safer Internet Day, let us all show the world that strong encryption is a critical component to a safer and more secure Internet for everyone. If you’d like to participate in a Safer Internet Day event, you can find a local hub or join me in Brazil (streaming available!), where I’ll take part in an open multistakeholder dialogue with other experts discussing “Security, Privacy and Encryption.”

Learn more about encryption. Explore these resources:

Want to help make every day a Safer Internet Day? Join the global movement of people and organizations standing in support of strong encryption for everyone: become an Internet Society member today!


Footnote:
[1] https://www.cryptome.org/cpi-survey.htm; https://www.schneier.com/blog/archives/2016/02/worldwide_encry.html; https://www.scmp.com/lifestyle/article/1980679/growth-demand-encrypted-apps-no-cause-alarm-say-tech-experts; https://www.forbes.com/sites/forbestechcouncil/2019/04/19/15-tech-experts-predict-the-next-big-topics-in-encryption-and-cybersecurity/#4f433dd1134c


This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data, and enable trust.

Let’s face it, protecting your privacy can feel overwhelming. It can seem like we conduct our entire lives online and it’s hard not to notice headlines about our privacy being undermined, like law enforcement trying to gain access to encrypted data. But whether you know it or not, you’re making choices about what you share and how you share it each day. These seemingly-small actions can make a big impact.

You might already be doing some of these, but here are six actions you can take to protect your privacy:

  • Use end-to-end encrypted messaging apps. Switch to using messaging apps that offer end-to-end encryption, such as WhatsApp, Signal, Threema, and Telegram. Some are better than others, so make sure to read the reviews.
  • Turn on encryption on your devices or services. Some devices or services will offer encryption, but not set it as the default. Make sure to turn on encryption.
  • Use strong passwords. Do not just use a default password, a simple guessable password, or a password that uses personal information, such as your pet’s name. No matter how strongly your device or application is encrypted, if someone can figure out your password – they can access your data.
  • Keep up with updates. No system is perfectly secure. Security vulnerabilities are always being discovered and fixed with updates. That’s why it is so important to keep up with updates to your applications, devices and services. The update could be fixing a vulnerability and making you safer!
  • Turn on two-factor log-in (2FA). Two-factor log-in adds another factor (like a bank security fob) to your usual log-in process (e.g. a username and password). Adding another factor makes it even harder for criminals to access your data.
  • Turn on erase-data options. Some smartphones and services have an option that will erase your data after 3 or 10 failed attempts. Turn this on to protect yourself from thieves or if you lose your phone.

This Data Privacy Day, join the global community of people who are taking steps to secure our data. Your small actions can make a big difference!



Deep Dive: Scoring ISPs and Hosts on Privacy and Security

In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to governments. In this post we will take a deeper dive into the ISP/Hosts sector of the Audit. This sector is comprised of the top ISPs and other hosting organizations in the U.S. It includes everything from organizations that provide network access to organizations that host email services.

In the Audit, privacy statements are scored across 30 variables. ISP/Hosts were a decidedly mixed bag compared to other sectors, which tended to do either relatively well or poorly across the board in their statements. (Though to be clear, the vast majority of organizations in the Audit had poor privacy statements; this was the most common reason for failure across privacy and security scoring.)

ISP/Hosts fell somewhat short in the presentation of their statements. OTA advocates several best practices that deal with how the privacy statement is displayed to make it as easy as possible for users to understand.

The simplest practice OTA advocates is a link to the privacy statement on the homepage so users can easily find it. Here ISP/Hosts did not fare well, with just 75% having links on their homepage – the lowest of any sector – compared to 89% of sites overall.

Another simple practice is putting a date stamp at the top indicating when the privacy statement was last updated. Here 43% of ISP/Hosts had a date stamp at the top, compared to 47% overall. This number is deceiving, however. Because ISP/Hosts were the lowest of any sector, they brought down the overall average significantly.

Finally, OTA advocates for the use of “layered” statements. The bar for getting points for a “layered” statement is low. It can be met with anything from something as simple as a table of contents to something more complex like an interactive statement or a summary outlining the longer privacy statement.

Just 25% of ISP/Hosts had a layered privacy statement, the lowest of any sector, compared to almost half (47%) of organizations overall. ISP/Hosts may have lagged behind in how they display their privacy statements, but they did much better in the content of the statement.

Specifically ISP/Hosts stood out in data sharing and retention language. Fully 82% of ISP/Hosts had language explicitly saying they did not share user data (except to complete a service for a customer), compared to 67% overall. In addition, 5% had data retention language. This means they explicitly said how long user data is retained and for what purpose. While 5% may seem small, only 2% of organizations had this language at all. In addition, ISP/Hosts were the second highest sector just behind the top 100 Internet retailers at 6%.

ISP/Hosts were right in the middle on one data sharing variable, showing that there is room for improvement in this area. Roughly half of ISP/Hosts (55%) had language stating that they would hold their third-party vendors to the same standards they hold themselves, compared to 57% of organizations overall. OTA advocates this practice because any organization that uses vendors must hold those vendors accountable. If a vendor abuses user data, and has a written agreement with an organization, that organization could be held liable for the vendor’s behavior.

ISP/Hosts privacy statements show that OTA standards are generally easy to meet. Small changes in these statements can go a long way to helping users understand the information being conveyed. These changes will also become increasingly important to keep up with the rapidly changing landscape of privacy laws and regulations around the world.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!


Deep Dive: U.S. Federal Government’s Security and Privacy Practices

In April 2019, the Internet Society’s Online Trust Alliance released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to government sites. In this post we will take a deeper dive into the U.S. Federal Government sector of the Audit. The Government sector is defined as the top 100 sites in the U.S. Federal Government by traffic (based on Alexa ranking). Given the nature of the U.S. Government compared to companies, this sample has some unique properties, namely site security.

The most obvious place the government excels is in the area of encryption. This is largely due to a mandate from the Homeland Security Department that all U.S. Government sites be encrypted, but the standard should still be the same for any site. Put another way, the other sectors in the Audit do not have an excuse for lagging in security.

In site security the Government sector fared the best with 100% adoption of “Always-On Secure Socket Layer” (AOSSL) and/or “HTTP Strict Transport Security” (HSTS), compared to 91% of sites overall. The health sector fared the worst with 82% of sites using these technologies. Both technologies ensure that traffic on the website is encrypted.

Most sites in the Audit fared well in these areas, but the Government sector was the only one to achieve 100% adoption of these technologies. From OTA’s perspective all sites should be adopting these technologies, and while it is encouraging that the U.S. Federal Government (or at least its top 100 sites) has, it is discouraging that all of the other sectors are not reaching the 100% adoption rate.

In addition, the Government sector saw improvement over time. All sectors improved somewhat, but the Federal Government was the only one to cross the finish line. Here again it is important to note that the Federal Government is unique in some ways. Homeland Security can simply mandate encryption and it happens. Companies and other types of organizations may not be as straightforward, but that is not an excuse not to work towards full encryption.

In 2017, 91% of Federal Government sites were encrypted, up to 100% this year as noted above. Other sectors improved as well. ISP/Hosting sites went from 70% in 2017 to 91% in 2018. Banks, a sector where encrypting website traffic is particularly important given the types of data sent over those sites, also saw a marked improvement. In 2017 just 76% of banks encrypted their sites. In 2018 that number jumped to 91%.

Despite improvements across the board in site encryption, banks are a good example of where improvement is not enough. The Government sector sets the standard. The lesson for all organizations from the success of the U.S. Federal Government is simple. It’s possible to encrypt large numbers of sites quickly – and it’s in the interest of any organization to do so.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!


‘Major Initiatives in Cybersecurity’ Shows Everyone Can Contribute to Trust

How do we work toward a more secure Internet?

In the Cyber Security discussions that take place in the various policy fora around the world, there is often little appreciation that the security of the Internet is a distributed responsibility, where many stakeholders take action.

By design, the Internet is a distributed system with no central core or point of control. Instead, Internet security is achieved by collaboration where multiple companies, organizations, governments, and individuals take action to improve the security and trustworthiness of the Internet – so that it is open, secure, and available to all.

Today we’ve published Major Initiatives in Cybersecurity: Public & Private Contributions Towards Increasing Internet Security to illustrate, via a handful of examples regarding Internet infrastructure, that there are a great number of initiatives working, sometimes together and sometimes independently, to improve the Internet’s security. This is an approach we call collaborative security.

Major Initiatives in Cybersecurity describes Internet security as the part of cybersecurity that, broadly speaking, relates to the security of Internet infrastructure, the devices connected to it, and the technical building blocks from which applications and platforms are built.

We make no claim to completeness, but we do hope that the paper illustrates the complexity, breadth, and depth of the various initiatives out there. And, by extension, that there are no one-size-fits-all solutions. In the spirit of collaboration, we appreciate any feedback you might have for future versions of this document.

Read Major Initiatives in Cybersecurity: Public & Private Contributions Towards Increasing Internet Security


Deep Dive: How Does the Consumer Sector Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to government sites. In this post we will take a deeper dive into the Consumer section of the Audit. The Consumer section is a diverse set of sites including travel sites, hotels, and dating sites (see the methodology of the report for the full list).

In 2018 the Consumer section improved its standings with 85% making the honor roll, up from 76% in 2017. This was largely due to improvements in email security. Despite these gains in overall email security, TLS 1.3 adoption was actually down in 2018 (largely due to a change in the list of retail sites). Despite this, OTA advocates the adoption of TLS 1.3.

Where these sites did stand out, compared to other sectors, was in privacy scores. Overall, the Consumer sector scored 43 out of 55 on their privacy tracker score, among the highest of any sector, and 33 out of 55 on their privacy statement, also among the highest.

The Consumer section privacy statements were exemplary in a few ways. First, the Consumer section led in the use of archives for privacy statements: 12% of Consumer sites had archives, the highest of any sector in the Audit.

OTA advocates this practice so users can see what changes were made to the privacy statement over time, without having to compare past statements on their own. This is a transparency issue. Privacy statements change constantly and it helps the organization to give users an easy way to see those changes.

Second, the Consumer section also stood out in data sharing language. 68% of Consumer sites had language stating that they do not share data with third parties, among the highest of any sector. In addition, only 39% had language stating that they share data with “affiliates.”

“Affiliate” language is about sharing data within a corporate family, as opposed to with entirely separate third parties. While obviously common practice, OTA advocates that organizations be more open about their data sharing practices, even among the corporate family.

Finally, the Consumer section scored among the highest in language explicitly saying that they hold their vendors to the same standards as themselves. In short, this is about holding any vendor that might hold data to the same data privacy standards an organization would hold itself to.

Overall, 74% of Consumer sites had language indicating they held their vendors to their own standards. This compares to 50% overall, well above the average for the entire sample. OTA advocates language like this because often data breaches happen with third party vendors, as opposed to the main organization itself, and therefore it is important that any organization make it clear that they hold all of their partners to the same standards they hold themselves.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!


Deep Dive: How the News and Media Sector Scores on Security and Privacy

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites in various sectors. The news and media sector, comprised of the top 100 news and media sites according to US traffic to their websites, improved its privacy practices in 2018. Like most sites, however, there is still room for improvement in privacy statements.

In 2017 less than half (48%) of news and media sites made the Honor Roll. In 2018 that number went up significantly to 78%, largely due to improvements in privacy statements. Privacy is scored in two ways in the Audit: we look at trackers on each site and we score the privacy statements across over 30 criteria.

One area where news sites did not improve was in the use of trackers on their site. Out of all the sectors news and media scored the lowest in trackers with a score of 39 (out of 45). Part of the reason for this is the news and media sector relies on advertising revenue, which often requires the use of trackers to serve ads.

On the positive side, news and media fared well in the use of tag management systems and privacy solutions, with 69% of news and media sites using these technologies. Tag management systems and privacy solutions help manage third-party data collection and data sharing in real time.

On the bright side, however, news and media sites did improve their privacy statements. On statements, news and media scored near the top with a score of 32 out of 55, second only to the Consumer section.

First, news and media sites improved the readability of their statements, with 71% using layered notices, up from 42% in 2017. A layered notice can be anything from a simple table of contents to a summary version of the longer privacy policy. OTA advocates the use of layered statements to help users understand the privacy statements and find the information they are looking for more easily.

One area for improvement, however, is in the use of icons and multilingual policies. Just 1% of news and media sites used icons to indicate what information is being conveyed in a section of the privacy policy. OTA advocates the use of icons to help users of various reading comprehension levels understand the information in the statement. In addition, only 5% had privacy statements in multiple languages. To be fair this is not unique to news and media. Few sites in the Audit use either icons or have multilingual policies.

Second, news and media sites improved their sharing language. Overall, 60% of news and media sites had language that they do not share user data with third parties, up from 53% in 2017. In addition, most (85%) news and media sites indicated that they hold those they do share data with to the same standards they hold themselves.

Finally, this year’s Audit tracked some aspects of GDPR (which went into effect in spring 2018) in order to gauge adoption of certain GDPR principles. To be clear, at the time of this Audit’s data collection many of the sites were not required to follow GDPR as they are largely U.S.-based organizations.

Since this Audit’s data collection period, more regulations have been put in place around the world, such as the California Consumer Privacy Act (CCPA), that mirror many of the principles OTA measured. Here news and media did not fare as well. For example, one GDPR requirement is that privacy statements be easy for most consumers to read and understand. Here the news and media sector fared the worst with just 8% being easy to read. On the plus side 70% of news and media sites offered a direct contact for users to address their privacy concerns. (In GDPR parlance this is a Data Protection Officer, but in the U.S. one is not required at the moment.)

It is encouraging to see improvement in the news and media sector’s privacy statements. It is also true, however, that given the shifting privacy regulations around the world these improvements will need to continue if news and media sites want to stay ahead of regulatory changes.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!


Claudio Jeker Honored by Internet Security Research Group with Radiant Award

This week another Radiant Award has been awarded by the Internet Security Research Group, the folks behind Let’s Encrypt. The award puts the limelight on the heroes who make the Internet more secure and trustworthy each day.

The newest Radiant Award winner is Claudio Jeker, who receives the prize for his work on a BGP4 implementation for OpenBSD. This makes me horrendously enthusiastic. Why?

OpenBSD is an open-source operating system that is focused on being secure and feature complete. It comes with a set of tools that make it ideally suited to be deployed, for instance, as a secure route server in an Internet Exchange Point (IXP). A route server is a service that an IXP can host in order to make the participating network service providers’ lives a little easier. They do not have to get the routing information from each other, but can simply talk to this piece of centralized infrastructure. OpenBSD allows this type of infrastructure to be built from commodity components in a scalable and secure way.

With a route server in place, an IXP can take additional measures to secure the Internet, namely by taking the MANRS actions.

Ultimately, none of this would be possible if OpenBSD did not have a rock-solid implementation of the Internet routing protocol (BGP4), and that is exactly what Claudio developed. To put a cherry on top, his software fully supports validated filtering of routes using the Resource Public Key Infrastructure (RPKI), which lets an operator reject announcements whose origin AS is not authorized for the prefix. RPKI is yet another critical piece of infrastructure needed to secure the Internet routing system, and a way to implement one of the MANRS actions.
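As an added illustration, not code from this page or from the OpenBGPD project itself, here is a minimal bgpd.conf for an OpenBSD route server that performs RPKI origin validation: it includes the ROA data that rpki-client(8) writes, optionally learns ROAs live from a validator over RTR, relays member routes without inserting its own AS, and drops any route whose origin is RPKI-invalid before it reaches the other members. The AS numbers, addresses and peer names are placeholders, and the rtr block requires a recent OpenBGPD release.

```conf
# /etc/bgpd.conf for an IXP route server (all ASNs and addresses are placeholders)
AS 64500                      # the route server's own AS
router-id 192.0.2.1

# ROA payloads written by rpki-client(8) on its periodic run; the file consists
# of entries of the form shown in the comment below and is picked up on reload.
#   roa-set {
#       192.0.2.0/24 maxlen 24 source-as 64500
#   }
include "/var/db/rpki-client/openbgpd"

# Alternatively, or in addition, fetch validated ROAs live over RTR (RFC 8210)
rtr 192.0.2.2 {
	descr "rpki-rtr-validator"
	port 323
}

# Route-server behaviour: relay member routes without prepending our own AS
group "ixp-members" {
	transparent-as yes
	neighbor 203.0.113.10 {
		remote-as 64501
		descr "member-a"
		max-prefix 1000 restart 15
	}
	neighbor 203.0.113.20 {
		remote-as 64502
		descr "member-b"
		max-prefix 1000 restart 15
	}
}

# MANRS-style filtering: origin validation state (ovs) comes from the ROA data above.
# Invalid origins are dropped first; valid and not-found routes are accepted.
deny quick from ebgp ovs invalid
allow from ebgp ovs valid
allow from ebgp ovs not-found

# Do not relay private address space or overly specific prefixes either
deny quick from ebgp prefix 10.0.0.0/8 prefixlen >= 8
deny quick from ebgp inet prefixlen > 24
allow to ebgp
```

Check the file with `bgpd -n -f /etc/bgpd.conf` before reloading, and keep the rpki-client run and `bgpctl reload` on a schedule: ROAs expire, and a stale ROA set silently turns "invalid" routes into "not-found" ones that the filter above lets through.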

Claudio’s work will prove to be an important piece of a more secure Internet.

Want to know more about Let’s Encrypt? Read a comprehensive overview of the initiative – from inspiration to implementation, organization, and execution.


Rural Development Special Interest Group Organizes Internet Connectivity Tag 2019

In November, the Internet Society Rural Development Special Interest Group (RD SIG) organized an event called the Internet Connectivity Tag 2019 in Bangalore, India to deliberate on emerging technologies for the Internet of Things (IoT) and security, and what this means for rural development in India.

RD SIG invited a number of distinguished speakers to the event, many of whom are Chapter members. Adarsh B.U., for instance, is the president of RD SIG, a member of the Bangalore Chapter, and the program chair of the Hyderabad Chapter, which is currently being established. B.U. has been recognized as one of the top eight IoT thought leaders for his contribution towards the advancement of IoT in India. At the event, he organized an interactive, hands-on session with Contiki OS and Cooja Simulator.

Leading up to the event, RD SIG issued a call for fellowship applications from which over 300 expressions of interest were received. Out of the applicants, seven fellows from different parts of India were selected to participate in the event.

Highlights from the event included a presentation by Abhijan Bhattacharyya on IPv6 in the context of 5G for digital convergence. In his talk, he looked at the promise of 5G in fueling a convergence of applications and the essential role of IPv6 in supporting the core network for this convergence. Towards the latter part of the event, Bhattacharyya demonstrated the use of SimuLTE for 5G simulation.

Adding more depth to the conversation on 5G and IPv6 was Nicolas Fiumarelli, who presented remotely from Uruguay. He focused on current and future applications of the technologies and shared some of the activities undertaken by the Internet Governance Forum Youth Ambassadors in his country.

The other remote speaker was Mohit Sethi from Finland, who spoke on wireless LAN security. He examined two new features: Wi-Fi Enhanced Open, which adds encryption to open networks, and Simultaneous Authentication of Equals (SAE), which protects home networks against dictionary attacks. He explained the shortcomings and security vulnerabilities of WPA3, and offered some thoughts on security in enterprise wireless networks using IEEE 802.1X and the Extensible Authentication Protocol (EAP).

Sanjay Adiwal gave an informative talk on the Domain Name System and its security, while Prasant Misra delivered a fascinating presentation on the real-time analysis of traffic flow and how this has helped traffic authorities make better decisions and policies.

On behalf of RD SIG, we would like to take this opportunity to express our gratitude to all the participants, speakers, and sponsors for making this event a success and allowing us to reach out to multiple communities. The event was supported by the IEEE Ramaiah Student Branch, IEEE Bangalore Section, Ramaiah Institute of Technology, and Moradabad Institute of Technology.

If you’re interested in knowing more about the Rural Development Special Interest Group, drop us an email at info@ruralisocsig.org!


Online Trust Audit for 2020 Presidential Campaigns Update

On 7 October 2019, the Internet Society’s Online Trust Alliance (OTA) released the Online Trust Audit for 2020 U.S. Presidential Campaigns. Overall, 30% of the campaigns made the Honor Roll, and 70% had a failure, mainly related to scores for their privacy statements. As part of this process, OTA reached out to the campaigns, offering to explain their specific Audit scores and ways to improve them. The campaigns were also told that they would be rescored in mid-November and the updated results would be published in early December. As a result, several campaigns contacted us to understand the methodology and scoring, and several of them made improvements.

Rescoring of all elements of the Audit was completed on 25 November, and the table below shows the updated results since release of the original Audit. Several campaigns have been suspended since early October (Messam, O’Rourke, Ryan, and Sanford, as well as Bullock and Sestak in early December). Campaigns shown in bold in the Honor Roll column made enough improvements to earn passing scores for their privacy statements and thereby achieve Honor Roll status. Campaigns shown in italics at the bottom of the table are new entrants since the Audit was released. Based on this updated list of 20 campaigns, 10 made the Honor Roll while 10 had a failure in one or more areas, creating a 50/50 split.

Figure 1 – 2020 Presidential Campaign Audit Supplement Results

Privacy Practice Updates

Three campaigns updated their privacy statements, and all three made changes that caused them to pass in the privacy area (a score of 60 or more) and achieve Honor Roll status. However, these were minor changes (added a date stamp, addressed children’s use of the site, layered the statement to make it easier to navigate) – none addressed the core data sharing issues highlighted in the original Audit.

For the new entrants, one had no privacy statement (De La Fuente), one had a privacy statement with a score below 60 (Bloomberg), and one had a privacy statement with a passing score that directly addressed the data sharing issues (Patrick).

Site Security Updates

Minor changes were noted in the site security aspects of the Audit, and none were substantial enough to cause a change in Honor Roll status. Two campaigns now have outdated software (lowering their score), and one added support for TLS 1.3.

Site security scores for the new entrants were strong, which is in line with other campaigns, and all of them support “always on SSL” or fully encrypted web sessions.

Consumer Protection Updates

A few changes were noted in the existing campaigns – one added support for DNSSEC, and one added DMARC support with a reject policy (the recommended email security best practice). These improved the campaigns’ scores, but did not affect their Honor Roll status. The two campaigns that originally had failures due to email authentication have been suspended so are no longer on the list.

For the new entrants, one has insufficient email authentication (so fails in Consumer Protection as well as Privacy), and while the other two have strong SPF and DKIM protection, only one uses DMARC with a reject policy. One supports DNSSEC.
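As an added example, not part of the Audit or of OTA’s scoring tool, the following Python evaluates the email-authentication posture the Audit scores from a domain’s raw TXT records: whether SPF hard- or soft-fails senders it does not list, and whether DMARC is present and set to p=reject for all mail. The domains and records are constructed, and the three-tier rating is a simplified reading of the best practice described above, not OTA’s actual methodology.

```python
"""Classify SPF and DMARC TXT records against the email-authentication practice
the Audit measures. Uses constructed sample data; no DNS lookups are made."""
import re

# Constructed sample records for made-up domains (not real campaign sites).
SAMPLE_RECORDS = {
    "strong.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    },
    "monitor-only.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    },
    "partial-reject.example": {
        "spf": "v=spf1 ip4:198.51.100.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; pct=10",   # reject applied to only 10% of failures
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None if txt is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_policy(txt):
    """Return the requested policy: 'reject', 'quarantine', 'none', or 'missing'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    return policy if policy in ("reject", "quarantine", "none") else "none"


def dmarc_pct(txt):
    """Percentage of failing mail the policy is applied to (pct tag, default 100)."""
    tags = parse_dmarc(txt) or {}
    try:
        return max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        return 100


def spf_mode(txt):
    """Result SPF gives to senders not listed in the record, taken from its last
    'all' mechanism: 'hardfail' (-all), 'softfail' (~all), 'neutral' (?all),
    'pass' (+all or bare all), or 'missing' when there is no SPF record."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing"
    for term in reversed(txt.split()[1:]):
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return {"-": "hardfail", "~": "softfail", "?": "neutral",
                    "+": "pass", "": "pass"}[m.group(1)]
    # No 'all' mechanism (for example only a redirect=, which this check does not follow).
    return "neutral"


def assess(spf_txt, dmarc_txt):
    """Three-tier summary (an assumption of this example, not OTA's scoring):
    'strong'       - SPF hard/soft-fails unlisted senders and DMARC is p=reject at 100%
    'partial'      - both records exist but enforcement is weaker than that
    'insufficient' - SPF or DMARC is missing entirely"""
    spf = spf_mode(spf_txt)
    policy = dmarc_policy(dmarc_txt)
    if spf == "missing" or policy == "missing":
        return "insufficient"
    if spf in ("hardfail", "softfail") and policy == "reject" and dmarc_pct(dmarc_txt) == 100:
        return "strong"
    return "partial"


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:24} spf={spf_mode(rec['spf']):8} "
              f"dmarc={dmarc_policy(rec['dmarc'])}/{dmarc_pct(rec['dmarc'])}% "
              f"-> {assess(rec['spf'], rec['dmarc'])}")
```

To run it against a real domain, feed in the TXT records from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. The pct check matters in practice: a record that reads p=reject but carries pct=10 only rejects a tenth of failing mail, which is why the example treats it as partial rather than strong.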

Conclusion

The engagement with several of the campaigns was constructive and led to improvements that helped them earn Honor Roll status. We find that for most organizations the issue is more about awareness of best practices and their impact on overall trust than a refusal to follow those best practices. However, the data sharing language in all but one of the privacy statements is concerning. For example, most of the campaigns had language that would allow them to share data with “like-minded organizations.” Language along these lines gives the campaigns broad discretion to share user data. We encourage campaigns (and the political parties they work with) to consider improvements to their sharing language to increase transparency about how data is shared and to give users more control over their data.

Campaign Sites and Privacy Statements

You can find the list of the URLs for the rescored campaign sites and associated privacy statements in the Supplement to Online Trust Audit – 2020 Presidential Campaigns.

This supplement was finalized before Kamala Harris dropped out of the U.S. presidential race on 3 December 2019.