Facebook is at the heart of a storm after a whistleblower alleged that the data analytics firm that worked with Donald Trump’s election team and the winning Brexit campaign harvested 50 million Facebook profiles from a data breach.

Why?

London-based data analytics company, Cambridge Analytica, which was once headed by Trump’s key adviser Steve Bannon, has been accused of illegally harvesting 50 million Facebook profiles in early 2014 in order to build a software program that could predict and use personalised political adverts to influence choices at the ballot box in the last U.S. election.

Under Investigation

Cambridge Analytica is already the subject of two inquiries in the UK. The first is by the Electoral Commission which is looking into the company’s possible role in the EU referendum. The second is by the Information Commissioner’s Office which is looking into the company’s possible use of data analytics for political purposes.

Also, the company is the subject of an investigation in the US over possible Trump-Russia collusion.

It has been reported that Elizabeth Denham, the head of Britain’s Information Commission, is seeking a warrant to search the offices of consultancy Cambridge Analytica over the breach.

Facebook Under Scrutiny

Facebook has, of course, faced strong criticism over the breach, one tangible result of which has been nearly $40 billion off its market value as Facebook’s investors have become worried that damage to the reputation of the social media giant’s network will deter users and advertisers.

In a BBC radio report, the ICO’s chief Elizabeth Denhan said that the ICO is looking at whether or not Facebook secured and safeguarded personal information on its platform, and whether Facebook, when they found out about the loss of the data, acted robustly and whether or not people were informed.

Also, the head of Britain’s cross-party Media parliamentary committee is reported to have written to Facebook’s Mark Zuckerberg asking for more information by Monday 26 March, and in Dublin, Ireland’s privacy watchdog (the lead regulator for Facebook in the European Union) has said that it is following up with Facebook to clarify its oversight.

Harvested By Kogan’s App

It has been reported that the data was harvested from Facebook by an app on Facebook’s platform, created by British academic, Aleksandr Kogan, that was downloaded by 270,000 people, providing access to their own and their friends’ personal data too. It has been reported that Kogan says he changed the terms and conditions of his personality-test app on Facebook from academic to commercial part way through the project.

Facebook has said that Kogan violated its policies by passing the data to Cambridge Analytica, and Facebook was told that the data has since been destroyed, and has made its own efforts to obtain proof that it has been destroyed.

Mr Kogan has said on BBC radio that he was advised that the app was entirely legal, and that he thinks he’s being made a scapegoat for Facebook and Cambridge Analytica.

This latest incident sees Facebook back in hot water following on from reports of how its platform was used by outside interests for posts and adverts that were designed to influence the result of the US election. The share price has been impacted significantly this week.

What Does This Mean For Your Business?

There are so many worrying facets to this story, not least that personal data may not have been protected well enough to allow it to be harvested by an app on the platform, and then passed to a third-party that allegedly used it to create a tool to influence elections. Also, it has been several years since the breach happened, and news of the breach has only just been released. Some industry insiders have described the incident as ‘horrifying’, and many may rightfully believe that Facebook has a lot of questions to answer, as does Cambridge Analytica.

Facebook will be painfully aware that if the ICO’s investigations find Facebook to be at fault, the social media giant could be looking at a fine of up to 500,000 pounds ($700,000), and with the introduction of GDPR in May, it could be facing fines of up to 4% of its global turnover.

Also, Facebook is a major advertising platform for businesses, and some marketing commentators have pointed to the fact that scrutiny of Facebook over this latest issue could impact Facebook’s ability to gather and deploy data for ad targeting, which has been vital to ad efficacy and budget growth.

All the recent bad publicity about Facebook has seen the number of daily users in the United States and Canada fall for the first time in its history, dipping in the company’s home market by 700,000 from a quarter earlier to 184 million.

We haven’t heard the half of this story yet, and it remains to be seen what information will be released in the coming days and weeks and as the result of numerous investigations.

In a new trial involving a small number of users in the UK, Facebook has said that it will be testing the targeting of adverts based on users’ specific political and religious beliefs.

Why?

According to Facebook, the trial will help the social media platform to process and manage its customer data, so that it will be in a better position to ensure compliance with GDPR when it comes into force in May this year.

The severity of the fines associated with the enforcement of GDPR for large companies such as Facebook e.g. a fine for a breach of up to €20 million or 4% of their global annual turnover, whichever is greater, is likely to be a big motivator behind a trial that could improve how Facebook processes and stores data.

How Could Targeting Adverts This Way Be Of Help?

The trial appears to be using adverts for consenting participants to focus on testing and improving how the company handles the required greater consent from data subjects that GDPR will bring, and to ensure that sensitive data is better protected.

One other important result of the trial will be to enable the testing of facial recognition. Facebook is exploring how it can successfully give users an opt-in for facial recognition, which will form part of a measure to stop online impersonations by informing users whenever their faces have been used elsewhere on the site.

The Trial

It has been reported that the trial will work by first asking a number of UK users for permission to allow advertisers to target them on the basis of their political and religious beliefs, and their listed interests.

It is understood that Facebook will also ask users whether they are happy for their public information that identifies them (e.g. their faith and politics) to remain visible for everyone and, if permission is given, Facebook will provide an opt-in for allowing the information to be used to personalise content, and also act as one of the signals for relevant suggesting ads. This will include targeted advertising based upon things like politics, sexuality and faith.

Worries

Some people have expressed fear that opting-in to elements of the trial could enable extremists to use targeted advertising for recruitment propaganda. Facebook has denied this.

What Does This Mean For Your Business?

This story is more proof that the seriousness of the implications of GDPR is hitting home, particularly with those companies that stand to lose in a big way if they are found not to be compliant. Although the subject of targeted advertising is an emotive one that can make us feel a bit uneasy as Internet users in terms of privacy, it is at least good news that this Facebook trial could lead to better protection of our personal data by a platform that arguably knows more about us than most.

With X-day now past this story should be another reminder that its time for companies everywhere to think about double-checking that their own systems and procedures will be GDPR compliant.

New measures by the EU will mean that technology companies will have as little as just one hour to take down illegal and terror content, or face penalties under new legislation.

Why Only One Hour?

The new measure, which has reportedly been met with dismay by the big tech companies such as Google and Facebook (who will arguably be most seriously affected), is focused mainly on terror-related content. The logic is that because terrorist content is considered to be most harmful in the first hours of its appearance online, all companies will, therefore, be required to remove such content within only one hour from its referral, as a general rule.

Other illegal content that is being targeted by the new measures includes incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement content.

3 Months To Report Back

As well as the news that tech companies must remove the most serious content within one hour, the EC has also announced that any tech company that is responsible for people posting content online will have only three months from now to report back to the EU on what they were doing to meet the new targets it has set.

Operational Measures

The EC recommendations are that a set of operational measures will be used to ensure faster detection and removal of illegal content online, to reinforce the cooperation between companies, trusted flaggers and law enforcement authorities, and to increase transparency and safeguards for citizens. These operational measures will be:

• Clearer ‘notice and action’ procedures. Companies should set out easy and transparent rules for notifying illegal content. These should include fast-track procedures for ‘trusted flaggers’. Also, to avoid unintended removal of content which is not illegal, content providers should be informed about such decisions and have the opportunity to contest them.
• More efficient tools and proactive technologies. This means that companies should set out clear notification systems for users. These should include proactive tools to detect and remove illegal content, in particular for terrorism-related content and for content which does not need contextualisation to be deemed illegal, such as child sexual abuse material or counterfeited goods.
• Stronger safeguards to ensure rights. To ensure that decisions to remove content are accurate and well-founded, companies should put in place effective and appropriate safeguards. These should include human oversight and verification, in full respect of fundamental rights, freedom of expression and data protection rules.
• Special attention to small companies. The technology industry should, through voluntary arrangements, cooperate and share experiences, best practices and technological solutions, and this shared responsibility should particularly benefit smaller platforms with more limited resources and expertise.
• Closer cooperation with authorities. If there is evidence of a serious criminal offence or a suspicion that illegal content is posing a threat to life or safety, companies will be required to promptly inform law enforcement authorities, and EC Member States should establish the appropriate legal obligations.

The recommendations are in addition to on-going work with the technology industry through voluntary initiatives to ensure that the internet is free of illegal content, and are intended to reinforce actions taken under different initiatives.

Response From The Tech Industry

Although Facebook has said that it shares the European Commission’s goal, the industry association EDiMA, (which includes Facebook, Google, and Twitter) has stressed that the one-hour turn-around time could harm the effectiveness of service providers’ take-down systems rather than help.

What Does This Mean For Your Business?

As the Vice-President for the Digital Single Market Andrus Ansip has pointed out, online platforms have become many people’s main gateway to information. For this reason, and if we accept that what is illegal offline is also illegal online, many people feel that these widely used technology platfoms now have a responsibility to provide a secure environment for their users. Many businesses are advertisers on these platforms, and are likely to share a desire to rid them of illegal content.

While some popular tech platforms have continued to resist what some see as too much censorship, interference, or over-regulation, the frequency and severity of terrorist attacks in Europe and the role and influence of platforms in spreading information, true or false (e.g. the US election) has given governments the fuel, impetus, and feeling of justification to try and apply more force to tech companies. The EC’s view is that the spread of illegal content online undermines the trust of citizens in the Internet and poses security threats, and the new operational measures could, along with any self-regulation, speed up the process of clearing illegal content.

The scale and frequency of illegal content posting has posed serious cost and resources challenges to tech platforms in recent years.

Blockchain Used To Reduce Child Labour Blockchain, the same technology that powers the Bitcoin cryptocurrency, is being tested in a pilot project between car-maker BMW and start-up Circulor with a view to eliminating battery minerals produced using child labour.

What Is Blockchain?

Blockchain is an incorruptible peer-to-peer network (a kind of ledger) that allows multiple parties to transfer value in a secure and transparent way. Blockchain’s Co-Founder Nic Carey describes Blockchain as being like “a big spreadsheet in the cloud that anyone can use, but no one can erase or modify”.

Battery Mineral Problem

The pilot between BMW and Circulor is focusing on reducing child labour by finding a way to avoid using any cobalt that is mined in unregulated artisanal mines in Democratic Republic of Congo. At the moment one fifth of cobalt is mined in a way that often uses child labour.

How Can Blockchain Help?

The pilot project is using Blockchain to help provide a way to prove that artisanal miners are not using child labour in their cobalt mining activities.

Each bag of cobalt produced by an artisanal miner will be given a digital tag. This tag will be entered into Blockchain using a mobile phone. The details of the digital tag will then be entered by each link in the chain of buyers, thereby providing a clear, verifiable trail, all the way from miner to smelter. Since Blockchain is ‘incorruptible’, provided all organizations throughout the supply chain will be involved in the project, the Blockchain evidence should be accurate.

Challenges

Challenges to the system being tested in the pilot could include cobalt mined by a child could simply being mixed in with ‘clean’ cobalt prior to processing.

Used In Similar Industries

There is every reason to think that Blockchain could help with ethical cobalt mining and supply because it has been used in a similar way by the diamond industry to provide a forgery-proof record of a diamond’s lifecycle.

What Does This Mean For Your Business?

The Blockchain technology has always shown huge promise, beyond simply being used in digital currencies. One of its key strengths is that trust is embedded into the incorruptible system. This means that businesses can use it to categorically prove a certain source and route for e.g. delivery, raw materials or production. This could be particularly valuable to businesses where provenance of some kind is necessary to add to the monetary, ethical or other value of a product or service.

After first being used in the financial, legal and public sectors, Blockchain is now being used by businesses and organisations around the world in many other different ways such as:

• Using the data on a Blockchain ledger to record the temperature of sensitive medicines being transported from manufacturers to hospitals in hot climates. The ‘incorruptible’ aspect of the Blockchain data gives a clear record of care and responsibility along the whole supply chain.
• Using an IBM-based Blockchain ledger to record data about wine certification, ownership and storage history. This has helped to combat fraud in the industry and has provided provenance and re-assurance to buyers.
• Shipping Company Maersk using a Blockchain-based system for tracking consignments that addresses visibility and efficiency i.e. digitising a formerly paper-based process that involved multiple interactions.
• Start-up company ‘Electron’ building a Blockchain-based system for sharing information between those involved in supplying energy which could speed up and simplify the supplier switching process. It may also be used for smart grid processes, such as local load-balancing of supply and demand.
• Australian start-up Zimrii developing a Blockchain-based service that allows independent musicians to sell downloads to fans, distribute the proceeds between collaborators, and allow interaction with managers.

Blockchain still has huge untapped potential for all kinds of businesses and could represent a major opportunity to improve services, and effectively tackle visibility, transparency and efficiency issues.

The ‘Cyber Attacks In Local Authorities’ report from Big Brother Watch shows that local governments are subject to cyber attack attempts at the staggering rate of 37 per minute!

Thankfully, only a tiny fraction of the attacks launched are successful although this still represents a serious problem. For example, 114 councils experienced at least one incident between 2013 and 2017.

High Stakes

The nature of the work of UK Councils is such that they hold a large amount of up-to-date personal data for people in their areas, so one successful breach can have very serious consequences.

Not Disclosing Breaches

One particularly worrying aspect of council behaviour exposed by the report is that, from the data gathered, few seem to have reported losses and breaches of data, which is something that organisations will be required to do within 72 hours under GDPR when it comes into force in May.

Human Error – Training Needed

As in so many companies and organisations, human error is often a factor in breaches. In 2015, for example, Big Brother Watch has exposed how local authorities committed 4 data breaches a day, all thought to be predominantly caused by human error.

Big Brother Watch has also revealed that that, despite the number and seriousness of the breaches, little action has been taken by UK councils to increase staff awareness and education in matters of cyber security and data protection. For example, it has been disclosed that 75% of local authorities do not provide mandatory training in cyber security awareness for staff, and that16% do not provide any training at all!

What Does This Mean For Your Business?

Some commentators have been quick to point out that bearing in mind how much sensitive data councils hold about citizens, and the incredible amount of attempted cyber attacks against them, they could be making more of an effort and an investment to beef-up security.

Other commentators have noted that cuts to council budgets e.g. with austerity measures may have played their part in limiting cyber security effectiveness in UK councils.

After the shocking findings of the report, Big Brother Watch issued some recommendations to local authorities which could very well apply to other businesses and organisations. These are:

• Cyber security should be prioritised, and that rather than investing too much in surveillance technologies, more should be invested in cyber security strategies and in the training of staff.
• Cyber security incidents should be consistently reported, and that a protocol needs to be established so that incidents are reported quickly and to the right authorities e.g. the police, the ICO, and the National Cyber Security Centre.
• All staff should receive mandatory training in cyber security because Cyber attacks are not only designed to breach computer systems, but also to exploit humans who are often the weakest cyber security link.

A report by Security Company Trend Micro has predicted that, as cyber-criminals are now focusing more on maximising financial return, the introduction of GDPR this year could give them potentially lucrative extortion opportunities.

How?

The point that this report is making is that with the prospect of massive fines under GDPR e.g. fines up to €20 million, or 4% of their global turnover, criminals could extort large sums of money from companies with the threat of a cyber-attack that could lead to data security breach, which could, in turn, lead to a fine under GDPR. It has been suggested that criminals could first determine the penalty under GDPR that could result from an attack, and then demand a ransom of slightly less than that fine.

What’s Happening?

The recent trends in cyber-crime are what have led to this latest chilling prediction. For example, the fact that cyber-criminals appear to be abandoning exploit kits and indiscriminate attacks in favour of more strategic attacks with maximised financial gain is a trend that has become more apparent. This trend coupled with the fact that, although the number of reported breaches in 2017 was lower than in 2016, the amount of data compromised by cyber attacks increased, have led security commentators to believe that criminals will seek to exploit GDPR as a money-making weapon.

Predictions Started Last Year

Predictions that the threat of GDPR fines could be exploited by criminals first surfaced in the media last November when researcher Mikko Hypponen made the point that GDPR fine figures could give cyber-criminals who are using ransomware, or hackers stealing data, a price point to set the ransom at because now they know how much money they should be asking.

Hypponen argued that because the criminals know what data is worth / what covering-up a data breach may be worth to some companies (probably large, well-known ones), these companies may be actually willing to pay anything less than the full amount of the fine to avoid serious damage to their reputation, loss of customers and more.

According to Hypponen, ransoms could, therefore, be set at up to 2% or 3% of the targeted organisation’s global annual turnover. This could equate to millions of dollars in some cases.

Threat Of Reporting Too

As well as the threat of a ransom to avoid a direct, deliberate attack that would result in a fine, security commentators have also suggested that hackers / scammers could steal data with advanced ransomware and then blackmail the victims with the threat of reporting them to the data protection commissioner. This is because ransomware can affect the availability, access, and recovery of personal data.

Other Trends

Other Trends uncovered in the recent Trend Micro Report include:

• A 32% increase in new ransomware families from 2016 to 2017.
• A doubling of business email compromise (BEC) attempts between the first and second half of 2017.
  Rapidly rising rates of cryptocurrency mining malware (100,000 detections in October).
• A 22% increase from 2016 in BEC attempts to trick company employees into approving money transfers to criminal accounts, mostly targeting the chief financial officer (CFO).
• More attacks on vulnerable internet of things (IoT) devices, with software vulnerabilities also continued to be targeted (1,009 new flaws discovered and disclosed in 2017).

What Does This Mean For Your Business?

As well as being an opportunity to get the (data) house in order and to enhance competitiveness (GDPR compliant companies are more likely to want to deal with other compliant companies), the size of the fines and now the potential activities of extortionists are risks for the coming years for UK businesses. Even though these predictions relate to more daring and sophisticated crimes, companies should still make sure that they are at least covered against more basic attempts e.g. by keeping up to date with software patching, and covering all known vulnerabilities.

Ways that companies could protect themselves against hacking / ransomware threats include only giving users access to what they need and taking away admin privileges, backing up all critical files effectively and securely, and testing those backups to make sure that information can be restored in a usable form. Training of staff e.g. chief financial officers (CFOs) or anyone involved in payment, and establishing a clear process for checking and chain of command could reduce the risk of BEC attempts and socially engineered attacks. Businesses would also be wise to make sure that their Business Continuity and Disaster Recovery Plans are kept up to date in the light of emerging threats.

Network services provider EfficientIP has warned businesses that, in reality, February 15th is the last day that organisations can ensure their real-world compliance with GDPR.

I Thought May 25th Was The Deadline?

May 25th is the actual date that companies and organisations need to ensure that they are compliant with GDPR. However, the point that EfficientIP made in an announcement last week is that, realistically, it actually takes 99 days to detect a data breach. This gives hackers time to ‘exfiltrate’ data, or remove it without detection. Taking this into account, February 15th is exactly 100 days before May 25th 2018, and could, therefore, be regarded as the last day organisations can ensure real-world compliance with GDPR.

Dubbed ‘X-Day’

With this point in mind, some Cyber Security experts have started referring to February 15th as “X-Day” because it is the last day companies can prevent data exfiltration attacks without potential prosecution by regulators.

What Is Data Exfiltration?

Data exfiltration is the unauthorized copying, transfer or retrieval of data from a computer or server. In other words, hackers can use the DNS protocol to very quickly transfer large amounts of personal and sensitive data from your company systems e.g. customer data such as credit card numbers, or company information such as financial records.

EfficientIP have pointed out that most of the companies breached after February 15th 2018 will only discover the attack after GDPR is in force, and will, therefore, (legally) only have 72 hours to publicly disclose the breach.

How Common is Exfiltration?

EfficientIP’s own research shows that as much as 24% of companies have suffered data exfiltration in the past year.

Positive View

Although the EfficientIP is a warning, and companies already know that failing to comply with GDPR will bring large fines, and data breaches can cause irreparable damage to a company and its reputation, there are some very positive reasons for preparing now for GDPR. For example, a recent Veritas survey showed 95% of decision-makers expect a positive outcome from GDPR compliance, and 92% think they would benefit from having better data hygiene.

68% of respondents in the Veritas survey also said that getting GDPR compliant would give them a better insight into their business, which could help to improve the customer experience, and that compliance could actually save the company money.

Getting Motivated

It’s all very well issuing worrying warnings, but companies not yet compliant need to find effective ways to drive the cultural and organisational changes needed to get to grips with GDPR going forward. These motivators, also highlighted in a recent Veritas survey, could include adding compliance to employee contracts (47%), implementing disciplinary action if the regulation is disobeyed (41%), and educating employees about the benefits of GDPR (40%).

What Does This Mean For Your Business?

GDPR is just around the corner and this ‘X-Day’ warning is an indicator that realistically, GDPR compliance shouldn’t be put off any longer.

Data management commentators suggest that companies should adopt an automated, classification-based, policy-driven approach to GDPR so that they can meet the regulatory demands within the short time frame available.

Businesses have now heard all the warnings, and many companies and organisations are now starting come around to the idea of focusing on the positive outcomes and benefits that GDPR compliance will bring such as increased revenues, resulting from improved customer loyalty, heightened brand reputation, and competitive differentiation in the market.

There is also now growing realisation that companies will prefer to have business relationships with GDPR compliant companies to help ensure their own compliance. This means that GDPR compliance will be become a basic necessity to enable companies to compete in a normal way in today’s business environment.