Bitcoin Battered

Cryptocurrency Bitcoin’s value has now dropped to $6,000, a fall of $13,000 since November 2017.

What Is Bitcoin?

Bitcoin is a digital web-based currency that operates without the need for central banks and uses highly secure encryption to regulate the currency units and to verify transfers of funds. Bitcoin, which was first produced in 2009, uses the ‘Blockchain’, an open and programmable technology that can be used to record transactions for virtually anything of value that can be converted to code and is often referred to as a kind of ‘incorruptible ledger’.

In order to receive a Bitcoin, a user must have a Bitcoin address i.e. a ‘purse’ (of which there is no central register).

Bubble

Warnings of a Bitcoin ‘bubble’ were being delivered last year after its value rocketed from $1,000 to $19,000 in the space of less than a year.

Why The Fall In Value?

Several factors have led to the rapid fall in value since November last year. These include:

  • Tightening legislation and government opposition. Back in September, for example, China ordered exchanges to cease trading in the cryptocurrency as a way to gain control of the cryptocurrency through forced licensing. Also, China and South Korea have now banned initial coin offerings, Japan and Australia have taken steps to tighten Bitcoin regulations, and US restrictions look set to follow.
  • Negative predictions by currency experts. These include the news reports of the Bitcoin ‘bubble’, and financial regulators in the UK and France warning investors that they could lose their money if they buy digital currencies issued by companies, known as “initial coin offerings”.
  • Banks and Credit Card Companies banning cryptocurrency purchases using credit cards. With fewer people able to buy cryptocurrencies, this has had the most recent downward effect on the value of Bitcoin.
  • Cyber criminals cashing-in. Crime is toxic to reputations, and Bitcoin has been increasingly targeted by criminals. For example, Slovenian-based Bitcoin mining marketplace NiceHash reported the theft of Bitcoin to an estimated value of $80m back in December, and there has been an escalation of ‘crypto-jacking’. This is where people’s devices are taken over by criminals trying to mine crypto-currencies, for example via the Android phone-wrecking Trojan malware dubbed ‘Loapi’. Bitcoin has been widely publicised as having links with crime e.g. being used to evade traditional money laundering checks and other regulations. Bitcoin is often named as the currency that ransomware scammers request their victims to pay with because of the anonymity that it offers. Some currency commentators have even suggested that the recent surge in the value of Bitcoin towards the end of last year was partly caused by European banks buying Bitcoin to pay off ransomware as a short-term way to deal with cyber-security.
  • Investors purchasing alternatives. As investors look for alternatives to the volatile Bitcoin bubble, this has had a negative effect on the value of Bitcoin, and a brief positive effect on the value of other cryptocurrencies.

What Does This Mean For Your Business?

From an investment point of view, Bitcoin is clearly risky. There are other cryptocurrency alternatives e.g. Ripple, Ethereum, Litecoin, but they all appear to have been tarred with the same brush as Bitcoin, particularly with the announcement that credit cards can’t be used to buy them.

Many of the possible advantages of cryptocurrencies to businesses e.g. to use for fast global trading and investing outside of bank controls, delays and red tape, are currently being overshadowed by the actions of banks and governments.

Cryptocurrencies may be currently in a dip, but the importance of other new technologies to businesses such as AI and driverless vehicles is finally being reflected in the value of the shares of companies who are leading the charge in those technologies, which are likely to provide many global business opportunities going forward.

Virgin Credit Cards: No To Crypto

Shortly after Lloyds Bank announced that it would be banning customers from buying crypto-currencies such as Bitcoin using their credit cards, Virgin Money is now adopting the same policy.

Why?

The volatility of cryptocurrencies such as Bitcoin has led Lloyds, and now Virgin Money, to try to protect their customers from running up large debts following a sharp fall in the value of a digital currency they’ve bought. Several of the biggest issuers of credit cards in the US, including Bank of America, Citigroup, JP Morgan, Capital One and Discover, have also banned customers from using their cards to buy digital currency.

Bitcoin is a perfect example of how volatile a digital currency can be. For example, at the start of 2017, one Bitcoin was worth $1,000, reached highs of around $19,000 at the end of last year, and has since plummeted to $8,291.87, its worst performance since April 2013.

The rapid rise in the value of Bitcoin last year was also accompanied by consumers being targeted by adverts and information which acted as a temptation and incentive to invest with the promise of big returns, with many investors being inexperienced in currency investments, and unaware of the potential risks. Facebook, for example, has recently announced that it will now block any advertising that promotes crypto-currency products and services.

Bank Could Lose

Some money commentators have made the point that although the move by Lloyds and now Virgin Money could offer some protection for customers, the banks are also helping themselves because if a person buys anything on credit, such as large amounts of cryptocurrencies, it’s the bank that stands to lose if the person can’t repay the debt.

Bitcoin, for example, also operates outside of the control of banks, which may be another reason why banks may not like it.

Used By Criminals?

The police and the UK government have also taken the opportunity presented by the announcements of Lloyds and Virgin Money to make the point that digital currencies are also popular among criminals because they can use them to evade traditional money laundering checks and other regulations.

Prime Minister Theresa May, for example, has stated that action against digital currencies may be needed because of their connection to criminal activity. At the risk of sounding cynical, some money commentators have pointed out that governments tend not to like some cryptocurrencies because they are beyond their control, and they can’t (yet) make revenue from them. For example, the Chinese government has long battled with the challenges posed by Bitcoin.

What Does This Mean For Your Business?

This move by two banks, with more likely to follow, sets a new precedent. Banks don’t like unsecured risks being taken with their money, and buying cryptocurrencies on credit appears to represent a far greater risk to them than traditional gambling which you can still use a credit card for (although it will be treated as a high interest cash loan).

It’s also worth remembering that banks and governments are likely to be less happy about things that they can’t control, regulate, and raise revenue from.

Even though criminals are known to use cryptocurrencies such as Bitcoin for just these reasons (and the anonymity), it is also worth pointing out that Bitcoin actually has many attractive advantages for businesses such as the speed and ease with which transactions can take place, which is actually due to the lack of central bank and traditional currency control. Using Bitcoin also means that cross-border and global trading is made much easier and faster.

Also, even though Bitcoin looks too volatile for many to invest in at the moment, the cryptocurrency has lasted through many ups and downs (hacks and government opposition), it is still popular, and its widening popularity and potential uses for its underlying technology ‘Blockchain’ mean that Bitcoin still has a future.

From a consumer / potential individual investor’s perspective, the move by Lloyds, Virgin, and the big US credit card companies does, however, look likely to provide some responsible and sensible protection for the time-being.

Facial Recognition Arrest Claims Via Twitter

South Wales Police have taken to social media to announce news of the latest arrests made using Automated Facial Recognition (AFR) technology.

First Used At Champions League Finals Week

The AFR system was first used by South Wales Police last June at the Champions League final at the Millennium Stadium in Cardiff. AFR incorporates facial recognition, uses slow time static face search, and links to specialist software that can compare a camera image of a face to 500,000 custody images from the Police Record Management system in order to find a match.

Ironically, the first arrest made in Cardiff at the time using AFR was actually a local man whose arrest was unconnected to the Champions League, and who was identified by a van-mounted camera days after the match.

Police Tweets

The latest announcements of AFR-related arrests have made the news because they relate to the use of AFR at the recent Six Nations rugby tournament, the announcements have been delivered via Twitter, and have been seen by some media commentators as being boastful in style.

For example, Project leader Scott Lloyd took to Twitter to publicise the first identification and arrest made “within an hour”, and the drugs arrest of another man on a warrant using AFR in Cardiff City Centre a short time later. Mr Lloyd also announced another “UK policing first” with the arrest of a third person, identified from night club CCTV a month earlier.

Controversy

The increased use of AFR at events has, however, been criticised by groups such as Big Brother Watch for infringing people’s rights, having no clear basis for its use, and for edging the UK closer to a ‘surveillance state’.

There have also been reports of a possible 35 false matches and one wrongful arrest after the London Metropolitan Police used AFR at the last Notting Hill Carnival.

What Does This Mean For Your Business?

So far, AFR has proven to be a relatively expensive system for the number of arrests it has delivered (£177,000 for its use in Cardiff for 1 arrest), and it has generated a lot of negative publicity and suspicion. It is little wonder, therefore, that a police spokesperson has been only too happy to take to an immediate way (Twitter) of announcing every arrest as it happens in an attempt to boost public confidence in the system, and to demonstrate some value for money.

With the introduction of GDPR this year, however, questions will no doubt be asked about the security and privacy of the images captured by the AFR system, as personal images do fall under the category of personal data.

Despite the findings of a study from YouGov / GMX of August 2016 that showed that UK people still have a number of trust concerns about the use of biometrics for security, biometrics actually represents a good opportunity for businesses to stay one step ahead of cyber criminals. This is because biometric authentication / verification systems are thought to be far more secure than password-based systems, which is the reason why banks and credit companies have already started using them.

All this said, facial recognition systems are widely believed to have value-adding, real-life business applications. For example, last May, a ride-hailing service called Careem (similar to Uber but operating in more than fifty cities in the Middle East and North Africa) announced that it was adding facial recognition software to its driver app to help with customer safety.

Military Bases Exposed By Fitness App

A user activity ‘heat map’ published by fitness tracker Strava has unwittingly revealed the location and structure of military bases in other countries.

How?

The app, made by San Francisco-based Strava, uses a mobile phone’s GPS to track a subscriber’s exercise activity. Although the new version of the app, introduced in November last year, is reported to be built from a billion activities – three trillion points of data, covering 27 billion km (17bn miles) of distance run, jogged or swum, the data used to produce a ‘heatmap’ of user activity is not live data.

The latest heatmap published by the company, showing the paths its users log as they run or cycle, is intended to show the app’s popularity and is actually made from aggregated data from activities recorded between 2015 and September 2017.

Revealed

Unfortunately for Strava, since military personnel engage in regular exercise, and are generally limited to following the same exercise routes in or close to the base where they are stationed, Strava’s heatmap of user activity reveals the outline of military bases and the most popular routes taken by the soldiers there.

Danger

Even though the location and outline of many military bases are already known from satellite imagery, the heatmap from the app exposes the regular routes taken by soldiers when they are most likely not armed and at their most vulnerable. Also, the heatmap could expose the routes taken by other personnel such as aid workers and NGO staffers in more remote areas. All of this could mean that the app is exposing soldiers and other personnel to danger from attack or kidnap by state and non-state actors e.g. in countries such as Syria, Yemen, Niger, Afghanistan or Djibouti.

There is also a danger that hackers could access Strava’s database and find the details of individual users.

UK Personnel at Risk Too

Even though Strava is a US app, it has also been reported that user activity at the UK’s RAF base at Mount Pleasant in the Falkland Islands was also exposed by the app’s heatmap.

Privacy Settings

Privacy settings do exist on the app but the onus is on the user to explicitly opt out of data collection for the heatmap.

US Already Takes Measures To Protect

The US government already takes measures to guard against similar risks to those posed by the app heatmap. For example, it has already published a tract called Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD, and in 2016, banned Pokémon GO from government-issued mobile phones.

What Does This Mean For Your Business?

This is not the first time that the negative aspects of fitness-tracking device companies and their activities have been featured in the news i.e. that the devices are transmitters as well as recorders of data about us. Back in February 2016, a study by a Canadian research team revealed that popular types of fitness trackers actually transmit a signal via Bluetooth that could act as an ‘identifier’ signal that could be picked up by beacons that are now being used by retail stores and shopping centres to track, recognise and profile customers.

In the case of Strava, although the company could be forgiven to an extent because of the relatively unforeseen risk that its activities may have caused, there is an argument that a better approach would be to make the device opt-out by default, and to give users the choice to opt-in should they wish to. It may also have been better to avoid publishing any heatmaps, and to simply publish some statistics instead.

In addition to the possible risk to the life of service personnel (and others) that the map has caused, it has also highlighted other important issues relating to fitness-tracking devices and consumer protection e.g. data protection and privacy implications, the risk of hacking the devices, and the need for greater transparency about what is stored and transmitted by the devices.

Companies producing devices that store and transmit personal data need to ensure that they comply with data protection laws, and that they are mindful of potential identifiers and other security risks.

UK’s Digital Snooping Powers Illegal

A legal challenge by Labour MP Tom Watson against the UK government’s own digital mass surveillance laws introduced in 2014 has led to a court deciding that the laws were illegal.

Legislation

The legislation that was successfully challenged in court was the Data Retention and Investigatory Powers Act (DRIPA), which was actually replaced at the end of 2016 by The Investigatory Powers Act, also known as the Snooper’s Charter.

What Was Wrong With DRIPA?

DRIPA required communications companies to store detailed personal information e.g. people’s mobile phone data, their emails, texts and internet communications.

Tom Watson has been reported as saying that, back in 2014, DRIPA was rushed through Parliament just before recess, and therefore lacked proper parliamentary scrutiny. This meant that one section was inconsistent with EU law. It was this section that UK judges agreed was illegal because it granted spy agencies and law enforcement access to UK citizens’ phone records and internet activity for reasons other than using the details to fight serious crime, all without seeking or getting approval from a court or independent authority.

What Difference Does This Make?

Even though DRIPA is defunct, many of those who objected to DRIPA have said that in the light of the court’s ruling, the current Investigatory Powers Act should be changed accordingly, and that a system of independent approval for access to communications data needs to be put in place.

Digital rights charity Liberty is reported as saying that the judgement tells ministers that they are breaching the public’s human rights, and that the latest incarnation of the Investigatory Powers Act must now be changed.

Already Heading That Way Says The Government

The Security minister Ben Wallace is reported as saying that the government had already announced that it would amend the Investigatory Powers Act to address the two areas in which the Court of Appeal found against the previous data retention regime.

Current Snooper’s Charter In Crowdfunded Challenge

The current Investigatory Powers Act is being challenged separately by the charity Liberty with the help of £50,000 crowdfunding. Liberty wants to challenge the Charter on the argument that surveillance of everybody in the UK may not be lawful or necessary, and that whistleblowers and experts have warned that the powers would actually make it more difficult for security services to do their jobs effectively.

There are also the arguments that the new law puts too much power in the state’s hands, could be an invasion of privacy, and that the government’s storing of large amounts of sensitive information about each of us could in itself be irresponsible and a security risk.

Some critics have also expressed suspicions about the motives of the UK government for introducing the law e.g. to censor and control rather than to protect.

What Does This Mean For Your Business?

The ruling by the European Court of Justice back in December 2016 that DRIPA was unlawful, coupled with this latest agreement by judges with Tom Watson’s challenge will strengthen the need for the UK government to act quickly to make changes to what has been controversial legislation.

Most people would probably agree that people in the UK need to be protected from terrorist attacks, and that children and young people need to be protected from predatory behaviour and the activities of paedophiles online. Although the Investigatory Powers Act may include measures that could help with that, many people and businesses (communications companies, social media companies, web companies etc) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state. The 200,000+ signatures on a petition calling for the repeal of the Investigatory Powers Act after it became law, and the £50,000 crowdfunding raised from the public in less than a week to fight the bill, both emphasise the fact that UK citizens value their privacy and take the issues of privacy and data security very seriously.

Licence Plate Recognition - 1 Million Mistakes a Day!

Concerns over the possible misreading of hundreds of thousands of vehicle licence plates each day have led to calls for statutory regulation of the UK’s automatic number plate recognition (ANPR) system.

Over 1 Million Mistakes Per Day!

The ANPR system uses 9,000 ANPR cameras to record and store up to 30 million vehicle records each year. Unfortunately, it is also reported to be recording a staggering (up to) 1.2 million false readings of number plates every day! That’s equivalent to over 400 million incorrect readings each year!

The implication is that innocent motorists may be wrongly accused and punished for a variety of motoring offences, and that real offenders may be escaping punishment. This has led to calls for statutory regulation of the camera system.

Police In the Dark

Not only does The National ANPR Data Centre (NADC) accept data from all police ANPR systems, without carrying out any checks on the effectiveness of those systems, but it is also believed that Police currently have no meaningful data on the accuracy of ANPR, or on the contribution surveillance cameras make to tackling crime.

Also Cyber Attack Risk

Not only is it unclear what contribution the camera system could be making to cutting crime, but it has also been revealed that some systems could be at risk from cyber attack, thereby possibly allowing data to be changed, making it impossible to use as evidence anyway.

A recent example in the U.S. left over half of the surveillance cameras covering the city of Washington’s public spaces unable to record footage for three days, until experts were able to remove ransomware from the recording devices.

Facial Recognition Camera Concerns

There are growing concerns too, particularly where data protection and privacy are concerned, about the increased use of facial recognition cameras to identify suspects by matching camera images against 19 million custody images held by police. For example, Leicestershire Constabulary faced criticism after using automatic facial recognition at the Download concert in 2015, in Donington Park, and the Metropolitan Police used similar technology during last year’s Notting Hill Carnival to match images of people with photographs stored on its Electronic Wanted and Missing Systems (EWMS).

Surveillance Camera Commissioner Says…

The England and Wales Surveillance Camera Commissioner, Tony Porter, has said that he is yet to be convinced that an assertion that national ANPR meets performance standards holds water.

What Does This Mean For Your Business?

Although there may be valid concerns about inaccuracies in the ANPR system and the impact these could have on businesses and individuals, other surveillance cameras can play an important role for business security monitoring systems. Used responsibly and only for the intended purpose, they can add value, and provide a low cost, cost saving, and vital way to maintain security.

Camera surveillance generally is now an almost unnoticed part of daily life in what, according to Big Brother Watch, is now the most surveilled western democracy, where there are now an estimated 6 million+ surveillance cameras. The worry among some of those being watched is that privacy and security are at risk, the fact that we are being watched constantly by unknown parties (and our images potentially stored and shared) is sinister, mistakes can be made with the responsibility being placed on the victim to clear their name and prove inaccuracy, regulations are not adequate, and that many cameras are operated by businesses and quasi-government organisations.

For many people, an argument that ‘if you’re doing nothing wrong you’ve got nothing to worry about’ is not a valid argument because it simply gives a green light to the further erosion of rights without considering the consequences, and occasionally we all do something wrong (but perhaps not intentionally) which is more likely to be caught on camera than ever before, and the punishment may not feel as though it fits the crime with the inflexibility of some camera-based systems and their operators.

The introduction of GDPR will also have implications for what images from surveillance cameras are stored, where and how securely they are stored. For example, GDPR could apply to stored facial images of individuals.

Extremism Tax

UK Minister of State for Security, Ben Wallace, has said that Britain may impose new taxes on tech giants like Google and Facebook unless they do more to combat online extremism by taking down any material aimed at radicalizing people or helping them to prepare terror attacks.

Lack Of Co-operation

In an interview with the Sunday Times, Security Secretary Wallace is reported as saying that tech giants appear to have been “less than co-operative”, and are placing too much of the responsibility and cost for tackling extremist material and influence on the UK government (i.e. the taxpayer).

Mr Wallace is reported as saying that although the tech firms appear to be happy to sell people’s data, they seem less happy to give that data to the UK government, thereby forcing it to spend large amounts of money on de-radicalisation programs, surveillance and other counter-terrorism measures.

Tax Threat

Mr Wallace is reported as saying in his interview with the Sunday Times that the government was prepared to look at things like tax as a way of incentivising or compensating the tech giants for their “inaction”.

Vulnerable

Mr Wallace made the point that the UK is “more vulnerable than at any point in the last 100 years.” He highlighted how social media and encrypted messaging services like WhatsApp may be making things easier for attackers, and how taking down online extremist material more quickly than is currently happening could save the millions of pounds that are being spent on de-radicalising people (who have been radicalised) rather than preventing radicalisation in the first place.

Echoes of Amber Rudd

Mr Wallace’s reported comments appear to echo many of those of interior minister Amber Rudd, who, just weeks after the second bridge attack, headed a very public campaign to stop the complete end-to-end encryption model used by some social media platforms, and allow ‘back doors’ to be built-in to such systems to allow the government to access them in the name of intercepting communications by extremists / terrorists. Critics have pointed out that building in back doors would make the platforms vulnerable to hackers.

Stereotyping

Mr Wallace’s reported comments also included a description of tech company staff that appeared to stereotype them as people who “sit on beanbags in T-shirts”. He was quick to create a contrast between this more passive perceived public image, and his perceived reality that the tech giants are in fact “ruthless profiteers” who will “sell our details to loans and soft-porn companies”.

What Does This Mean For Your Business?

This appears to be another effort by the government to put pressure on the tech giants through negative publicity, and this time through threats of new taxation, to highlight what the government sees as their responsibility in playing a role in reducing the terror threat from extremists. Businesses and individuals are obviously likely to be unanimous in their wish for increased national security, the reduction of a terror threat, and in closing avenues which lead to radicalisation and recruitment for extremist / terror activities.

There are, however, other influences and points of view at play here, including the powerful commercial interests and profits of the ‘tech giants’, the need to be seen to resist any forms of censorship and outside interference, and the need to be seen to protect users’ privacy and trust, diplomatic and trade interests and relationships e.g. with the U.S where the tech giants are mainly based, personal data and security implications (with stopping end-to-end encryption), and the influence of freedom and rights campaigners.

The comments of Mr Wallace are likely to be followed by many more from the government in the near future as they attempt to exert some influence over many wealthy, overseas-based but very popular tech companies that play such an important part in the daily lives of many UK citizens.

Justice Too Slow With Data Requests Says ICO

The UK’s Secretary of State for Justice has been hit with an Enforcement notice by the Information Commissioner’s Office over backlogs and poor handling of requests for personal records made under data protection laws.

Subject Access Requests

In the UK, under the Data Protection Act 1998, anyone can make a request to any organisation (termed the ‘data controllers’) for copies of both paper and computer records and related information that the organisation is holding, using, or sharing about them. This is known as a ‘subject access request’ (SAR), and organisations usually charge a fee for providing the information e.g. up to £10 in normal circumstances. Under the DPA, organisations are required to answer data access requests within 40 days.

The Backlog

The issuing of the Enforcement Notice by the ICO to the UK Ministry of Justice (technically the ‘data controllers’ in this case) on 21st December 2017 relates to the fact that the ICO has received a large number of requests for assessment by people whose subject access requests had not been dealt with quickly enough by the Ministry of Justice.

The Enforcement Notice highlighted the fact that there is a backlog of 919 SARs from individuals, some of which dated back to 2012.

Two Main Problems Highlighted

The two main problems highlighted by the Notice are that the Justice Secretary (data controller) has contravened section 7 of the Data Protection Act for failing to act “without undue delay” and that the “data controller’s internal systems, procedures and policies for dealing with subject access requests made under the DPA were unlikely to achieve compliance with the provisions of the DPA”.

Plan To Clear Backlog

The ICO Enforcement Notice did, however, acknowledge that the Ministry of Justice has given the ICO a recovery plan which shows that it intends to clear the backlog by October 2018, and answer new requests without “undue delay” from January 2018.

According to the update and plan published in the Enforcement Notice, the Ministry of Justice believes that it has 793 requests that are over 40 days old, and that it planned to deal with 14 cases from 2014 by 31 December 2017, 161 cases received from 2015 by 30 April 2018, 357 cases from 2016 by 31 August 2018, and 261 cases from 2017 by 31 October 2018.

What Does This Mean For Your Business?

This is an embarrassment for the Ministry of Justice, and may be an indication of a wider problem faced by many businesses and organisations in the UK that are still not getting to grips with their responsibilities under the current Data Protection Act, let alone getting prepared for the introduction of the UK’s Data Protection Bill, and the EU’s GDPR, which will come into force on 25th May 2018.

Under GDPR for example, businesses and organisations will have to deal with requests even more quickly, may have to provide additional information, and won’t be able to charge a fee for complying with requests. There will also be the challenges of responding to an individual’s ‘right to be forgotten’, and the prospect of much greater penalties for non-compliance than under the current Data Protection Act.

This story is a reminder that all businesses and organisations should take the opportunity now to ensure that their data practices are in order and likely to be compliant with GDPR, and also to consider that being GDPR compliant could actually provide commercial advantages as this will become a serious factor for consideration in trading relationships and alliances.

Kaspersky Tries To Overturn U.S. Directive

Embattled Moscow-based cyber security firm, Kaspersky Lab, is appealing against the U.S. Government’s ban on its software on the grounds that it is unconstitutional, and that there is no technical evidence.

What Directive?

Back in September, the U.S. Department of Homeland Security (DHS) issued a Directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days. Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions (anti-virus software).

Concerns Over Many Years

The U.S. Directive (ban) came after concerns about possible Russian state interference in the U.S. elections, but Kaspersky have long been the subject of suspicion and concerns by western governments.

In July this year, for example, security researchers claimed to have found a way to force the anti-virus product to assist snoops in stealing data from segmented networks (not connected to the wider internet).

Back in 2015, it was also reported that the US National Security Agency and GCHQ had sought to carry out reverse engineering of Kaspersky anti-virus as far back as 2008 to discover any vulnerabilities.

Long-running fears about Kaspersky have also been fuelled by leaks from the NSA through Edward Snowden (2013), Hal Martin (2016), and by allegations (printed in the Wall Street Journal) that a Vietnamese NSA contractor was hacked on his home computer by Russian spies via Kaspersky.

Earlier this month Barclays bank in the UK emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

The Appeal

A federal appeal has now been filed by Kaspersky Lab under the Administrative Procedure Act against the U.S. Directive to remove Kaspersky software from civilian government agency networks. According to Kaspersky, the DHS has acted unconstitutionally and has violated Kaspersky Lab’s right to due process by issuing Binding Operational Directive 17-01.

Kaspersky Lab argues that the issuing of the Directive was based on no technical evidence, and the company has repeatedly denied any ties to any government and has said that it would not help a government with cyber espionage.

Damage

Kaspersky Lab has publicly stated that the Directive and the wide-scale media coverage and public / business reaction to it have damaged the company’s position in the market. Sales are reported to be down, Kaspersky has announced the closing of its D.C. headquarters as a direct result of the U.S. government’s public suspicion toward its business, and the company’s founder, Eugene Kaspersky, has said that the company has also suffered damage to its reputation.

Submitting Code

As well as strenuously denying the allegations and launching an appeal, Kaspersky Lab said in October that it would submit the source code of its software and future updates for inspection by independent parties. U.S. officials.

What Does This Mean For Your Business?

For businesses using Kaspersky in the UK, it is worth remembering that although Barclays Bank have stopped using the software, and a U.S. Directive remains in place, no actual evidence of wrongdoing related to espionage / spying, or of the company colluding with the Russian state has been publicly provided.

Businesses will need to take an individual view of any possible risks, taking into account the context of a certain amount of paranoia and the recent focus in the media about Russia following allegations of interference in the US elections.

On a technical and security note, it may not be a good idea anyway to remove Kaspersky anti-virus from a computer without immediately putting a suitable alternative in place. Anti-virus forms an important part of a company / organisation’s basic cyber defences, and this and other software should be kept up to date with patches and updates to enable evolving threats to be combated as part of a wider strategy.

US Laptop Bans Lifted on Kuwait Airways and Royal Jordanian

After security inspections of Kuwait Airways by US officials and the implementation of new security measures for US-bound flights by Royal Jordanian, the two carriers were allowed to lift the ban on laptops.

What Ban?

Back in March, the UK and US governments introduced a ban on taking laptops and tablets on planes as cabin baggage on flights from selected Middle East and North African Countries. The stated aim was to reduce the risk of concealed bombs being taken on board passenger aircraft.

For the UK, the ban was set to cover all flights from 6 countries: Egypt, Turkey, Jordan, Saudi Arabia, Tunisia and Lebanon. This means that 14 airlines, including British Airways and Easyjet, have been affected by the ban.

For the US, the ban has covered all flights from 8 countries: Turkey, Morocco, Jordan, Egypt, the United Arab Emirates, Qatar, Saudi Arabia and Kuwait, and the ban (up until now) has affected 9 airlines.

Kuwait Airways & Royal Jordanian

The ban has been lifted for Kuwait Airways and Royal Jordanian after both carriers reportedly worked with US officials in tightening their security measures for flights from Kuwait and Jordan. Kuwait Airways flies from Kuwait to New York via Ireland, while Royal Jordanian flies to three US cities from Amman, Jordan.

More Airlines Last Week

Last week, Etihad, Turkish Airlines, Emirates, and Qatar Airways became exempt from the ban. Meanwhile, airlines in Morocco, Egypt, and Saudi Arabia have not yet announced the lifting of the ban.

Saudia

Saudia, the flagship carrier of Saudi Arabia, has announced that, as from 9th July, passengers will be able to take personal electronic devices on flights bound for the US.

Royal Air Maroc, the flagship carrier of Morocco, is reported to be confident that they too will be able to have the ban lifted on their flights out of Casablanca by the same date.

Tighter Security Announced Last Month

Last month it was reported that the US Department of Homeland Security had announced plans for stricter passenger screening and other tougher security measures for all commercial flights entering the United States. The new rules look likely to affect around 2,000 flights a day from 280 airports in 105 countries. The rules have, however, fallen short of banning laptop computers and e-readers in carry-on luggage for all.

It is believed that as well as screening laptops and other personal electronic devices, the new measures may include more vetting of travellers, more explosive-sniffing dogs, greater exchanging of terrorist watch lists, and putting more systems in place to prevent insider attacks (by airline employees).

What Does This Mean For Your Business?

Although some airlines have enjoyed a relaxing of the rules, many are still being affected by the ban. For airline businesses, the continuation of the ban and the tightening of rules for the majority could hit profits by affecting passenger numbers, could increase baggage scanning and security costs (particularly at smaller airports), and could negatively affect customer satisfaction levels.

For business travellers, the ban can mean lost time where work could be done e.g. on the laptop during flights. The ban can also mean the hassle of having to find other means of entertainment on long flights, and perhaps having to suffer more distractions from other passengers who cannot use their electronic devices e.g. children.

For many travellers, the ban can mean greater disruption as a result of increased waiting times at security, and some commentators have also pointed out that there is the potential for electronic devices stored in the baggage hold to be damaged or lost, and this could have insurance implications. Other critics have also pointed out that forcing people to put laptops in cargo holds could pose other dangers because the lithium batteries could start fires.

The recent general tightening of the rules for flights entering the US (at a particularly busy time of year) has been criticised too for not having a great enough degree of collaboration and coordination to avoid the operational disruptions and frustrating consequences that could result from them.