Europe Keeps a Close Watch on Improper Remote Work Surveillance

Beware! You may be watched during office hours. As ‘stay at home’ became a general motto, the number of remote workers drastically increased. Yet, privacy and remote work don’t always seem to go hand in hand.

Before 2020, for many employers, work productivity meant as much time as possible spent behind a desk. But now, companies are introducing tracking and monitoring systems to get a clearer picture of the business day.

While employee monitoring is not a new concept, the pandemic turned it into widespread practice, even without people’s knowledge or approval.

So, it’s no wonder that some companies are under fire for violating the General Data Protection Regulation (GDPR) in Europe. The privacy law stipulates clear boundaries and justifiable reasons for any data collection practices. This includes video surveillance or any other tracking mechanism during working hours.

Let’s find out more about remote employee monitoring and the laws protecting privacy at work.

European authorities are investigating illegal employee monitoring

European data protection authorities have started to look closely at worker surveillance violations.

For example, the Danish privacy authority issued guidelines explaining how organizations should handle current and former workers’ data.

Recently, the French regulator emphasized an essential rule about the lawful management of privacy issues for remote employees. Workers can’t be under constant surveillance through video cameras or key logger technologies that capture everything they type.

Privacy doesn’t seem to be a given in offices, so European regulators have been quite busy lately. Here are just a few examples of GDPR fines and notices for unlawful employee tracking and monitoring:

      • A German electronics retailer was fined $12.6 million for using video surveillance cameras to monitor employees. The company violated the privacy law in the European Union’s 27 countries.
      • Another German regulator fined a famous fashion retailer $41 million for collecting personal data from employees, including details about their health and religion.
      • UK regulators are investigating a multinational bank after allegations that it used software to monitor individual workers without their knowledge. The UK union described this approach as “dystopian Big Brother tactics.” The company had previously been criticized for installing heat sensors to detect whether staff were at their desks.
      • The Norwegian Data Protection Authority has fined a local computer hardware company $24.000. A former employee disclosed that the company had activated automatic forwarding of their personal email address to its servers.

People don’t expect surveillance in the workplace, so companies using video surveillance must justify why this is necessary to avoid GDPR fines.

But these reasons can be tricky. For example, some companies have tried to argue that they use cameras to track how goods are stored and sold, or whether they are damaged or go missing, so that the video surveillance isn’t aimed at monitoring staff members.

However, according to the EU’s 2019 guidelines on the processing of personal data through video devices:

Video surveillance is not by default a necessity when there are other means to achieve the underlying purpose. Otherwise, we risk a change in cultural norms leading to the acceptance of lack of privacy as the general outset.

The tools used to track workers’ productivity

Way before the pandemic and before GDPR came into force, corporations were using some non-traditional monitoring techniques such as email monitoring and location tracking.

Learn more about how you can protect your privacy when working from home.

Here is what a 2007 survey by the American Management Association showed:

      • 66% of employers monitored internet connections;
      • 45% tracked keystrokes, content, and time spent at the computer;
      • 43% stored and reviewed computer files;
      • 10% monitored employee social media accounts.

A 2018 Gartner survey of over 200 companies revealed that more than 50% applied some form of employee tracking, a rise from 30% in 2015.

Initially, organizations with jobs that required physical work, such as in manufacturing and warehouses, were more often employing these invasive techniques. Later, white-collar jobs began to be monitored. But now, advanced software allows companies to assess the workforce faster and in detail.

Since the coronavirus pandemic, more companies have decided to introduce tools to monitor employees’ work.

Some of the most commonly used features are:

      • Monitoring of activity on websites and in applications;
      • Analytics dashboards showing where time has been spent and if it was productive;
      • Regular screenshots and continuous video recording;
      • Recording of audio from a device’s speaker and microphone;
      • Keystroke logging that records keystrokes across any software application;
      • Tools monitoring employees’ email and their activity on social media;
      • Systems monitoring online collaboration tools.
Check out the privacy risks of commonly-used work apps.

How do employees feel about having their employer keeping tabs on them?

Research done by YouGov in 2019 shows that two-thirds of employees are uncomfortable knowing their employer takes screenshots and records keystrokes while working from home.


Currently, the UK Information Commissioner’s Office (ICO) plans to clarify workers’ rights about employers collecting data on them while also making sure they can express their opinion about workplace technology.

Yet, with the proper approach, employee surveillance while upholding privacy is possible:

There are some common misconceptions around what employee surveillance and monitoring really mean for the average user. You often hear people say it feels “Big Brother-ish”. No one wants to feel stalked and watched. To address this fundamental gap, I like to lean more towards a culture of transparency, trust, and communication. Why is monitoring important? What good can it do for us all? Imagine decades ago, when physical surveillance cameras started being installed in buildings, elevators, etc. I’m sure it felt a bit uncomfortable at first. But today, we all understand that from robberies and assaults to various criminal activities people are less opposed to being on camera. I appreciate those cameras for my own safety when I am walking alone in a parking garage for example. I think a similar evolution in understanding has to happen with digital surveillance. There is digital criminal activity and these “virtual cameras” serve a purpose when used ethically. I can’t emphasize the importance of that ethical aspect. Ultimately, privacy is a fundamental right of all employees, and upholding that should be a priority for everyone. With careful care and attention, I believe that a healthy balance can be struck between monitoring and respecting privacy.
Dr. Christine Izuakor | CEO of Cyber Pop-up

Get to know Christine Izuakor here.

We need new approaches

Illegal surveillance has grown gradually alongside digital transformations. Remote work just shone a brighter light on the problem, with privacy invasion becoming even more sensitive as the line between work and personal life blurred.

Many managers are now re-thinking their productivity strategies, shifting from ‘I want to see what you are doing’ to ‘I want to see how you are working.’

This new reality of working from home might continue for some time. According to a 2019 report from Buffer, 99% of people would choose to work remotely, at least part-time, for the rest of their careers. This only portrays the future challenges of remote work and its privacy issues.

Here is a positive outlook from Fareedah Shaheed:

Since the pandemic, we’ve seen more companies take up surveillance which has of course sparked more debate on the impact this has on workers. I believe we will see more push for effective laws to protect workers from this type of surveillance. Companies are a reflection of their values, so I also believe we will see some companies start to trust their employees and come up with better ways to manage accountability especially in a remote work environment. However, bigger corporations may be slow to follow and the breakdown in trust and safety will be even more evident.
Fareedah Shaheed | Online Safety Educator, CEO and Founder of Sekuva

Get to know Fareedah Shaheed here.

Laws protecting employee privacy

In the UK and countries subject to Europe’s GDPR, employers must notify the “data subject” — in this case, the employee.

By comparison, there are few legal restrictions preventing surveillance in the US if employees are using a company device or working on a corporate network. The only exceptions are Connecticut and Delaware.

The primary US workplace privacy regulation for employees is the Electronic Communications Privacy Act of 1986 (ECPA). The ECPA allows business owners to monitor employees’ verbal and written communication if there is a legitimate business reason.

It also allows for extra monitoring if the employee gives consent. Yet, consent under the ECPA can be tricky, as it may permit monitoring of employees’ personal communications as well as business ones. Additionally, several federal court cases have ruled that employers are legally authorized to look through employees’ emails after they have been sent.

That’s because the ECPA defines “electronic communications” as any electronic messages currently in transmission. Upon sending, these transmissions become “electronic storage,” which courts have determined employers can monitor.

Still, it is a privacy regulation that dates back 35 years.

Mitigating trust and ethical boundaries

No one should expect to see employee monitoring vanish for good. But we need consistent and up-to-date privacy laws in that respect. Plus, employees should know and give their consent for such practices.

After all, this is the basic philosophy of a work contract: the employer trusts the employee to do their job, and the employee does it. And productivity can be effectively measured without monitoring tools.

If you want to increase your privacy, use a reliable VPN and protect your digital identity. Also, check out these useful tips on how to avoid being tracked on any device and consider a secure alternative to messaging apps.

 

Are you wary of corporate surveillance? Do you believe it’s possible for companies to monitor their workforce while respecting their privacy?

Let me know in the comments below.

   

All You Need to Know About GDPR

May 25th, 2018 marks the victory of data protection laws and consumer privacy. It’s the day Europe’s General Data Protection Regulation came into being.

You might know it as GDPR, and I’m here to tell you all about it.

GDPR – the basics

GDPR stands for General Data Protection Regulation, and it encompasses a long list of regulations for the handling of consumer data.

The GDPR was Europe’s attempt to unify data privacy laws across different countries, with the most significant changes behind the scenes.

You can check out the full GDPR text here.

Its goal is to help align existing data protection regulations while increasing individuals’ levels of protection. GDPR enforced stricter rules on data protection, and this translated into people having more control over their personal information and businesses benefiting from a level playing field.

This regulation has replaced previous data protection rules across Europe. Some of them were outdated, being first drafted in the 1990s before the world wide web offered many online services and options. A change was needed because, as people routinely shared their personal information online, local privacy regulations were relatively powerless in the grand scheme of things.

GDPR sets rules for how companies can use collected data, so many have had to rethink their approach to tech stacks, analytics, and, of course, advertising.

But how does this translate for your privacy?

As a user, you can thank GDPR for the notifications you get if your personally identifiable information (PII) has been revealed in a data breach.

Your PII includes:

      • Identity information such as name, address, and ID numbers
      • Web data such as location, IP address, cookie data
      • Health and genetic data
      • Biometric data
      • Racial or ethnic data
      • Political beliefs
      • Sexual orientation

Now, let’s take a closer look at your rights.

The right to be forgotten

This is the right individuals have to request that their personal information be deleted from the internet. You might also know it as the right to erasure.

In the EU, anyone can send an organization a request invoking the right to be forgotten; the recipient then has one month to respond. If the request is approved, results using the person’s name can no longer appear within the EU countries.

However, refusal is also possible on the grounds of legal necessity or public interest.

Behind the curtains, the right to be forgotten highlights the need for a traceable mechanism to ensure that deleted data is also removed from any backups.

The right to data portability

As its name suggests, you have the right to move your data from one company to another.

You can request a copy of your personal information and data from a company at any time. You can even ask them to send your data to another organization, even if it’s a competitor.

Also, companies need to convert this data into a machine-readable format to make portability smoother and faster.

The right to be informed

Data breaches are the worst, but you’re limited in what you can do to prevent them as a consumer.

However, thanks to GDPR, companies must notify you if your private information is ever breached or disclosed.

While this might be peanuts when your privacy has been invaded, at least it gives you the opportunity to increase your protection, change your passwords, and delete any of your obsolete accounts.

The right of access

The right of access allows you to know:

      • How the information you give to companies is processed and stored
      • Where, for what purpose, and for how long companies keep your information

As a result, companies must state how they handle your details. This might include purchase and order records, account details, and other bits needed to offer you their services. Organizations can also keep records for auditing purposes, as long as this is clearly documented.

All in all, the right of access forces companies to take extra care in handling your data and puts an end to using it without your consent, including selling it to advertising companies.

The right to rectification

You also have the right to ask a company or organization to rectify or delete your personal information. This includes instances where you change your name, gender, address, or payment details.

However, some things cannot be deleted. These include data needed:

      • To offer you the online services you signed up for,
      • For reasons of public interest,
      • For the exercise or defense of legal claims,
      • For archiving purposes, according to local regulations.

How to know if a company is GDPR compliant

The key here is transparency. Any GDPR-compliant company needs to make clear what data it collects from you and for what purpose, and, most importantly, you need to give explicit consent.

As a result, organizations need to focus on their website and their service.

On websites, it’s essential to read and understand the Privacy Policy. Based on GDPR recommendations, privacy policies need to avoid ambiguous language and be specific and accurate. Cookie policies can also help you know what happens with your privacy as a visitor.

What’s more, companies need to have straightforward contact procedures.

Moving on to the service, the terms of service need to be clear, as do the terms of consent. GDPR requires companies to design their systems with the proper security protocols in place, so now’s the perfect time to get familiar with the Privacy by Design principles.

Lastly, there’s the matter of how a company handles children’s data.

According to GDPR, users need to be at least 16 years old to have their data processed. However, individual member states can set their age limit to match local legislation.

Additionally, GDPR stipulates that children have to be at least 13 years old to have the right to sign up for digital services.

GDPR – a success story

So, how has GDPR changed data protection for European citizens?

Well, the European Commission doesn’t shy away from showcasing the benefits of GDPR. According to them:

      • 4.3 million citizens and businesses consulted the European Commission’s GDPR portal in the past two years.
      • 69% of the EU’s citizens over the age of 16 have heard about GDPR.
      • 71% of people in the EU have heard about their national data protection authority.
      • Individuals lodged 275,000 complaints about data protection breaches to national data protection authorities between May 2018 and November 2019.

Although GDPR is far from being perfect, its enforcement seems to be sending a strong message to companies across the globe.

One of the most critical elements of the GDPR has been regulators’ ability to hit non-compliant businesses with huge fines.

One of the most significant fines under GDPR to date has been against Google. The French data protection regulator, the National Data Protection Commission (CNIL), fined the company €50 million. CNIL said the fine was issued for two main reasons. First, Google did not provide enough information to users about how it uses the data that it got from 20 different services. Second, Google did not get proper consent for processing user data.

However, some people are not convinced that €50 million is enough to make a dent in Google’s finances.

Whether fines will be enough to make companies more responsible about data protection remains to be seen.

 

But how do you feel about GDPR? Do you trust companies more now that they’re forced to handle your information with care? Let me know in the comments below.

Until next time, stay safe and secure!

The Bad Side of Photos – Your Face May Be Used for Facial Recognition Training

Your identity is unique. But it doesn’t seem to be much of a secret, since your digital whereabouts can be easily tracked. And that includes photos you posted on online platforms.

But how would you feel knowing that those very same pictures may be part of research projects meant to build facial recognition technology? Because that’s a valid use case nowadays.

Let’s find out how you can uncover the secret life of your images as algorithm fodder.

How Exposing.ai works

Artist Adam Harvey and programmer Jules LaPlace founded the MegaPixels website in 2019. They aimed to reveal the journey of the photos people posted online and show that they are reused without people’s consent. The two used public Flickr images that were uploaded under copyright licenses that allow liberal reuse.

Flickr is an image and video hosting service.

Harvey and LaPlace initially designed a facial recognition tool to find people’s photos in datasets. But they soon discovered this didn’t work as planned, so they built a scalable search tool.

The duo renamed their project Exposing.ai. You can use it to match information from Flickr to image datasets. All you have to do is fill in a username, photo URL, or hashtag, and you’ll learn if your pictures are among those that developers used to train their facial recognition algorithms.

According to the tool’s developers, examining how yesterday’s photographs became today’s training data is one of their goals. They also hope to include other photo search options beyond Flickr in the future.

Harvey and LaPlace received support from the S.T.O.P. (Surveillance Technology Oversight Project) organization:

S.T.O.P. was proud to support Adam Harvey and Jules LaPlace in launching Exposing.AI because we believe that no one should have their face used for AI training without consent. It is wrong that our biometric information is powering the tools that fuel mass incarceration and undermine human rights around the world.
Albert Fox Cahn, Executive Director S.T.O.P.

Sadly, there isn’t much you can do once your photos have been scraped. You can’t remove your photos from image datasets that have already been distributed.

But you can prevent your photos from being displayed on Exposing.ai, as well as elsewhere online.

Just log into your Flickr account and edit your photos: change their status to private or hidden, or delete them. Plus, you always have the option of deleting your account. This way, your photos can no longer be loaded from Flickr.com.

Your photos fuel facial recognition tech

Flickr photos can be shared under a Creative Commons license.

Creative Commons is a public copyright license that allows content to be copied, distributed, edited, and built upon, all within copyright law boundaries.

CC licenses also allow materials to be used for educational purposes. So, teachers and students can freely copy, share, and sometimes modify a CC work without seeking the creator’s permission. Many universities used this loophole to experiment with publicly available photos and facial recognition technology.

Here are just a few examples:

      • Researchers at Stanford University collected and used 10,000 images. They later shared this database with China’s National University of Defense Technology and an artificial intelligence (AI) company that provided China with surveillance technology.
      • Duke University has also collected thousands of images used to train AI tech in the US, China, Japan, and the UK.
      • The University of Washington in Seattle posted a database called MegaFace with over 3 million photos from Flickr. While most images were included without explicitly given consent, the collection practices were legal at the time. The MegaFace library is now offline, but various organizations and businesses have used it.

But it’s not just Flickr. Social media platforms and other tech companies let developers scrape photos one way or another. The dating website OkCupid uses images posted on its site to develop machine learning for facial recognition.

And while IBM, Amazon, and Microsoft took a step back from facial recognition in 2020, the practice is still going strong. Companies like Amazon’s Ring want to go forward with it.

Facial recognition technology is also used as part of US Customs and Border Protection’s biometric tech to ID passengers. Travelers who board flights may encounter this type of technology at many airports.

We need more facial recognition regulations

Ethical concerns aside, using publicly available images for facial recognition is also a matter of copyright and fair use.

For example, within the European Union, the General Data Protection Regulation states that data processing, biometric info included, can only happen after users consent.

In the United States, things are a bit vague and not evenly aligned.

Illinois was the first state to pass a law (The Illinois Biometric Information Privacy Act – 2008) requiring companies to inform users when collecting certain biometric information, including details used in facial recognition technology.

Later, Texas and Washington followed suit, while California enacted a comprehensive privacy law in 2020. Some states provide legal coverage or protection for biometric information, including facial templates.

Ideally, laws worldwide would empower users to hold tech companies and governments accountable for facial recognition’s fair use. Regulations should also determine for how long a company can keep the biometric information.

Keep your digital footprint to a minimum

In 2020, the misuse and abuse of facial recognition technology was at the forefront of news coverage. There have been stories of governments, law enforcement agencies, and private companies using the tech to track people. As you can imagine, this happened without their knowledge or consent.

To stay private online, here are a few things you can do.

      • Limit your posts, don’t disclose personal info, and don’t upload photos of yourself. Whenever possible, make your profile private or delete social media accounts altogether.
      • If you’re on iOS, switch to Secret Photo Vault to keep your treasured memories to yourself.
      • Protect your digital identity with a reliable VPN. With your IP address hidden and your connection encrypted, you’ll be untraceable online.
 

What’s your opinion on reusing web images for machine learning research? Do you believe there should be a law that strictly forbids it?

Let me know in the comments section below.

 

7 Ways to Tell if Your Router Has Malware

Not many people know this, but malware isn’t limited to PCs and phones.

You can get malware on pretty much any gadget you own, including your router.

Here’s how to tell if yours has any issues.

Router malware: 7 tell-tale signs

Router malware isn’t spoken about as often as other types of malware.

But you should know that not all routers have robust security features, and some firmware is more prone to vulnerabilities.

So, you shouldn’t take your router security lightly.

But before we get into the nitty-gritty, here’s one thing you should know. Before diagnosing any router problem, check matters with your internet service provider (ISP) first. They should confirm there are no technical issues with your router or the coverage in your area before you troubleshoot further.

Now, with that out of the way, let’s see 7 ways you can tell if your router has malware.

1. Your internet is slower

Your internet speed can depend on various factors, from your ISP to your devices to your router.

But if all your devices take their sweet time to connect and browse online, it’s a clear sign something is wrong, especially if your connections are suddenly much slower without any apparent reason.

2. Your router is physically hot

Your devices can sometimes overheat, depending on your activity. Things like gaming on high specs, having a lot of apps open, or even video editing can slightly raise your device’s temperature.

But routers are a different story. Regardless of what you do online, your router’s temperature should remain relatively constant.

3. Your internet connection crashes randomly

Constant connection crashes are never a good sign. Significant fluctuations in speed can also be a cause for concern.

If you start experiencing online downtimes without any prior warning from your ISP, you might want to look into the issue.

4. Your DNS server address has changed

For the average internet user, DNS will never be an issue. Since it’s usually automatically configured by your ISP, it doesn’t require much input from you.

So, if you notice your DNS server address changes randomly, contact your ISP to investigate the situation further.

If you use a custom DNS, a VPN, or proxy service and you notice sudden changes, check with your provider.

5. You’re getting redirected to unusual or weird-looking HTTP sites

This is a common sign of DNS hijacking or DNS poisoning, a type of attack in which DNS queries are resolved incorrectly in order to redirect users to malicious sites.

DNS hijacking is usually used for:

      • Pharming: attackers typically display unwanted ads to generate revenue;
      • Phishing: attackers show fake versions of websites you might access to steal your data or credentials.
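Signs 4 and 5 can be checked without trusting the router: compare the resolvers your device was handed against the ones you expect, and compare the router’s DNS answers with those from an independent resolver. This is an added example, not part of the original article; the resolv.conf text, the expected resolvers and both sets of answers are constructed sample data (on a real machine you would read /etc/resolv.conf or the router’s DHCP page and query each resolver with a tool such as dig).

```python
"""Checks for warning signs 4 and 5 above on constructed sample data (added example)."""
import ipaddress

# Constructed /etc/resolv.conf, as a router hands it out via DHCP. The second
# nameserver is not one the owner ever configured.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

# Resolvers the owner expects to see: the router itself and the chosen upstream
# resolver (constructed values).
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

# Address ranges used on home networks (RFC 1918 plus link-local).
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed answers for the same names from the router's resolver and from an
# independent reference resolver queried directly (for example with dig @9.9.9.9).
ROUTER_ANSWERS = {
    "bank.example": ["203.0.113.9"],
    "shop.example": ["203.0.113.9"],
    "news.example": ["198.51.100.7"],
}
REFERENCE_ANSWERS = {
    "bank.example": ["198.51.100.5", "198.51.100.6"],
    "shop.example": ["198.51.100.40"],
    "news.example": ["198.51.100.7"],
}


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenise
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers, expected) -> dict:
    """Map each resolver that is not on the expected list to a short reason."""
    findings = {}
    for server in servers:
        if server in expected:
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings[server] = "not a valid IP address"
            continue
        on_lan = any(addr in net for net in LAN_RANGES)
        findings[server] = "unknown address on the LAN" if on_lan else "unknown address outside the LAN"
    return findings


def disagreeing_answers(router, reference) -> dict:
    """Names where the router's answer shares no address with the reference answer.

    CDNs legitimately hand out different addresses to different resolvers, so a
    partial overlap is not reported; only a completely disjoint answer is.
    """
    out = {}
    for name, ref in reference.items():
        got = router.get(name, [])
        if not set(got) & set(ref):
            out[name] = (sorted(got), sorted(ref))
    return out


def shared_sink_addresses(router) -> dict:
    """Addresses the router's resolver returns for more than one unrelated name.

    A hijacked resolver often sends many unrelated sites to one interception host.
    """
    seen = {}
    for name, addrs in router.items():
        for addr in addrs:
            seen.setdefault(addr, set()).add(name)
    return {addr: sorted(names) for addr, names in seen.items() if len(names) > 1}


def dns_report(resolv_conf, expected, router, reference) -> dict:
    """Combine the three checks into one report; empty values mean nothing suspicious."""
    return {
        "unexpected_resolvers": unexpected_resolvers(parse_nameservers(resolv_conf), expected),
        "disagreeing_answers": disagreeing_answers(router, reference),
        "shared_sink_addresses": shared_sink_addresses(router),
    }


if __name__ == "__main__":
    report = dns_report(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS, ROUTER_ANSWERS, REFERENCE_ANSWERS)
    for check, result in report.items():
        print(f"{check}: {result or 'nothing suspicious'}")
```

A single disagreeing answer is not proof on its own, since content delivery networks vary their answers by resolver; an unknown resolver combined with several unrelated names pointing at one address is the pattern worth reporting to your ISP.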

6. Your online searches get redirected

This is a tell-tale sign of rerouted traffic, and many types of malware operate by redirecting your traffic.

The reason for this? So hackers can install other types of malware, try to steal your private data, or get ad revenue.

7. Your devices are showing malware symptoms

This is usually because any malware can act as a gateway for other cyber threats. So, make sure you keep an eye out for other threats, like:

Protect yourself from router malware

Malware is never easy to deal with. And especially for casual internet users, having a network infection can be a scary experience.

But here are some things you can do, even if you don’t consider yourself tech-savvy.

Update your firmware

Updates generally come with security patches, which might be a good thing if you have any router problems.

While updates might not be a fix for your malware, they’re worth a shot.

You can check for updates on the manufacturer’s website.

Change your password

Check out our tips for creating strong passwords.

If you have reason to suspect your network is infected, change all your passwords immediately. Start with your admin credentials, then move on to your accounts.

Better safe than sorry.

Install a VPN

If you want to take your router security seriously, consider installing a VPN on your router. It’s the easiest way to hide your IP address and encrypt your internet traffic.

A performant VPN adds an extra layer of security to your connections. Plus, with a VPN on your router, your laptops, phones, tablets, Smart TVs, and all the other IoT devices from your home are shielded from attacks.

Your entire digital life stays safe and protected, and you’re kept anonymous online.

Reset your router to factory settings

If you’ve confirmed you are dealing with router malware and you’re at an impasse, there’s always the option of resetting your router to factory settings.

This can delete most malware.

 

How about you? Did you ever deal with malware on your router? Let me know in the comments below.

Until next time, stay safe and secure!

Why Unsubscribing from Spam Emails Is Not Your Safest Bet

My inbox is drowning in piles and piles of emails. It feels like being stuck in a maze. How do I get rid of all these? Unsubscribe me. Unsubscribe me, PLEASE!

Ever felt the agony of having a cluttered inbox? I bet you did, and you’re not the only one.

But here’s the thing: rushing to click the ‘Unsubscribe’ button is not the right way to make sure all those unwanted emails don’t come back ever again. As counterintuitive as it sounds, unsubscribing will make you receive even more spam in some situations.

So, sit tight, as I’ll explain to you why that happens and how you can protect yourself from spammers that get on your nerves.

Defining spam emails

First of all, let’s define spam emails.

Many believe email marketing messages are the same thing as spam, which is not the case. These senders have received your permission to be in your inbox. You either subscribed or accepted to receive newsletters or notifications.

Spam accounts for 14.5 billion messages globally per day. That makes up 45% of all emails.

And while remembering every service you subscribe to might be difficult, the best advice is to start keeping track of them. You could save a list of all your subscriptions or build it by searching your inbox for messages along the lines of “You have successfully subscribed to (…)”.

The rest is spam: emails sent to a large number of recipients who did not consent to be added to a database.

Through web scraping, spammers got your email address along with dozens of other ones. Once in a while, they just click a button and make sure all those addresses receive the same message.

Unsubscribing from spam has a boomerang effect

Most spammers have no idea if your email address is a valid one. They’re just sending emails and hoping someone will fall for them.

But when you hit that seemingly legit unsubscribe button, they get confirmation your email address is active. And they proceed to bombard it with even more messages every day.

A gloomier possibility is that the unsubscribe link itself is malicious. By clicking it, you may download malware, ransomware, or other viruses onto your device.

Some spammers create custom addresses or use well-known URLs with a typo in them to trick the recipient. Don’t click them. And, dare I say, resist any temptation to reply to spam emails to mock the sender or pick an argument.

Your safest bet is to delete the messages. Leave the rest to people like comedian James Veitch.

The best way to manage spam

If you want to unsubscribe from an email newsletter you’re sure you signed up for, it’s okay to click the unsubscribe link. Or reply to the most recent message and mention you don’t wish to receive them anymore.

For any spam email, mark it as ‘spam’ or ‘junk’ and delete it without opening it. In most cases, spammers can tell whether an email was opened, which leads to even more of them coming your way.

Plus, by moving emails to spam, you help your email provider identify them and better deal with them in the future.
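Here is how the “they can tell if you opened it” trick works in practice, and how a mail client or filter can sort a genuine subscription from bulk spam before you open anything. This is an added example written for this post, not code from the original article or from any mail provider. It assumes two constructed sample messages (the domains in them are invented placeholders): legitimate newsletters carry List-Unsubscribe/List-Id headers (RFC 2369), while harvested spam usually does not, and open tracking relies on a tiny remote image that your mail client fetches from the sender’s server when it renders the message.

```python
"""Triage an email without rendering it (added example, not from the post).

Two checks that can be run on the raw message text, so nothing is
fetched from the sender and no "open" is reported:
  1. Does the message carry List-Unsubscribe / List-Id headers, as real
     mailing lists do?  Bulk spam harvested from the web usually doesn't.
  2. Does the HTML body embed a remote 1x1 or hidden image (a tracking
     pixel)?  Loading it is what tells the sender the mail was opened.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

_STYLE_DIM = re.compile(r"(?:width|height)\s*:\s*(\d+)")


class _ImgCollector(HTMLParser):
    """Collect <img> tags with their attributes; never fetches anything."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '1', '1px' or '1.0' into an int; None if not numeric."""
    digits = "".join(ch for ch in value if ch.isdigit() or ch == ".")
    try:
        return int(float(digits)) if digits else None
    except ValueError:
        return None


def find_tracking_pixels(html):
    """Return the URLs of remote images that are tiny or hidden (tracking pixels)."""
    collector = _ImgCollector()
    collector.feed(html)
    pixels = []
    for img in collector.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline/data images cannot report an open
        style = img.get("style", "").lower()
        dims = [_dimension(img.get("width", "")), _dimension(img.get("height", ""))]
        dims += [int(v) for v in _STYLE_DIM.findall(style)]
        tiny = any(d is not None and d <= 1 for d in dims)
        compact = style.replace(" ", "")
        hidden = "display:none" in compact or "visibility:hidden" in compact
        if tiny or hidden:
            pixels.append(src)
    return pixels


def _html_body(msg):
    """Extract the text/html part of a (possibly multipart) message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw_message):
    """Classify a raw RFC 5322 message as 'subscription' or 'suspected-spam'."""
    msg = message_from_string(raw_message)
    has_list_headers = msg["List-Unsubscribe"] is not None or msg["List-Id"] is not None
    pixels = find_tracking_pixels(_html_body(msg))
    if has_list_headers:
        return {"verdict": "subscription", "tracking_pixels": pixels,
                "advice": "use the List-Unsubscribe link or the newsletter's own unsubscribe page"}
    return {"verdict": "suspected-spam", "tracking_pixels": pixels,
            "advice": "mark as spam without opening; do not click 'unsubscribe'"}


# Constructed sample messages (invented domains), not real mail.
NEWSLETTER = """\
From: news@newsletter.example
To: you@example.org
Subject: Weekly digest
List-Id: Weekly digest <digest.newsletter.example>
List-Unsubscribe: <https://newsletter.example/unsubscribe?u=123>
Content-Type: text/html; charset=utf-8

<html><body><p>This week's stories...</p></body></html>
"""

SPAM = """\
From: "Prize Dept" <win@prizes-totally-legit.example>
To: you@example.org
Subject: You have won!
Content-Type: text/html; charset=utf-8

<html><body><p>Click <a href="http://prizes-totally-legit.example/u?id=9f2">unsubscribe</a></p>
<img src="http://prizes-totally-legit.example/open.gif?id=9f2" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("newsletter", NEWSLETTER), ("spam", SPAM)):
        print(name, triage(raw))
```

Note that both the unsubscribe link and the tracking pixel in the spam sample carry the same `id` parameter: clicking either one confirms to the sender that a specific address is live, which is exactly why the advice above is to flag and delete rather than interact.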

Be on the lookout for spam and digital frauds

Spam is big business, but it’s also dangerous for your digital life. The same goes for other digital scams.

So, make sure you know how to identify and stay safe from threats like online dating scams, charity scams, and phishing emails. Plus, in order to protect yourself, make sure you go online protected by a trustworthy VPN.


What about you? How many spam emails do you get, and how do you usually deal with them?

Let me know in the comments below.


What Is HTTPS and Why You Should Care

While surfing online, you might have noticed a common theme among your URLs. They start with either HTTP or HTTPS.

But what is HTTP, and what is HTTPS? And which one is best for your online security? Worry not; you’re in the right place to learn all about them.

HTTPS: the 101 on secure connections

Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP.

Ok, that was quite a bit. Let’s backtrack.

Hypertext transfer protocol (HTTP) is the primary protocol used to send data between your web browser and a website. It’s the foundation of data communication on the world wide web as we know it.

The S in HTTPS indicates that your connection is encrypted, which protects the data while it is in transit.

If a website’s address doesn’t start with HTTPS, it’s a clear sign that your data can easily be intercepted and read. This is problematic when you log in to a bank account, payment provider, or email service, as it can easily compromise your accounts.

[Figure: how HTTPS works]

In the HTTP vs. HTTPS department, this is what we have:

HTTP                                               | HTTPS
---------------------------------------------------|---------------------------------------------------
It stands for ‘hypertext transfer protocol.’       | It stands for ‘hypertext transfer protocol secure.’
It’s not secure.                                   | It’s secure and reliable.
URLs begin with http://                            | URLs begin with https://
Can be easily subjected to eavesdropping attacks.  | It’s designed to withstand eavesdropping attacks and make it more difficult to read your data.

Modern web browsers mark websites that do not use HTTPS by displaying a “not secure” warning near the URL.

So, to protect your online data, you should avoid HTTP sites as much as you possibly can. And if a site does not have HTTPS, never enter your personal information.

HTTPS encryption: the details

HTTPS includes authentication via the SSL/TLS protocol.

SSL/TLS certificates are small data files that bind a website’s identity to a public key; the browser uses them during the SSL/TLS handshake to establish an encrypted link with the web server. This link ensures that all data passed between the web server and the browser remains private.

This is done by generating a pair of public and private keys.

In cryptography, this means that it’s possible to use the public key to encrypt a message that can only be decrypted with the private key.

When you visit an HTTPS website, you can be assured of the:

  1. Authenticity. The server presenting the certificate is in possession of the private key that matches the public key in the certificate.
  2. Integrity. The web pages have not been altered by a Man-in-the-Middle attack.
  3. Encryption. Communications between your browser and website are encrypted.
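The first of those three guarantees, authenticity, is only worth something if the certificate actually names the site you typed into the address bar; otherwise a valid certificate for some other domain would do. As an added example (my own code, not from the original post or any browser vendor), here is the identity check a browser performs on the certificate’s Subject Alternative Name list, alongside the scheme check behind the “not secure” warning. The hostnames and the SAN list are constructed sample values; the wildcard rules follow RFC 6125 (a wildcard must be the whole leftmost label and matches exactly one label).

```python
"""What a browser checks before trusting an HTTPS page (added example).

  * the scheme: plain http:// earns the "not secure" warning;
  * the identity: the hostname in the URL must be covered by one of the
    DNS names in the server certificate's Subject Alternative Name (SAN)
    field, applying RFC 6125 wildcard rules.
SAMPLE_SAN below is constructed sample data, not a real certificate.
"""
from urllib.parse import urlsplit


def connection_status(url):
    """Mirror the browser's address-bar verdict for a URL."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "secure"
    if scheme == "http":
        return "not secure"
    return "unknown scheme"


def dns_name_matches(pattern, hostname):
    """True if a certificate DNS name (possibly '*.example.com') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # exact, case-insensitive match
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, and there must be at
    # least two more labels so that e.g. '*.com' cannot cover every .com site.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard matches exactly one label: 'a.b.bank.example' is not covered
    # by '*.bank.example', and neither is the bare 'bank.example'.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(hostname, san_dns_names):
    """Authenticity check: does any SAN entry name this host?"""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def should_submit_credentials(url, san_dns_names):
    """Only send a login over https to a host the certificate actually names."""
    if connection_status(url) != "secure":
        return False
    host = urlsplit(url).hostname or ""
    return certificate_covers(host, san_dns_names)


# Constructed sample: the DNS names a bank's certificate might list.
SAMPLE_SAN = ["bank.example", "*.bank.example"]

if __name__ == "__main__":
    for url in ("http://www.bank.example/login",
                "https://www.bank.example/login",
                "https://bank.example.evil.example/login"):
        print(url, "->", should_submit_credentials(url, SAMPLE_SAN))
```

In Python’s own `ssl` module, `ssl.create_default_context()` enables this hostname check (`check_hostname=True`) together with chain verification (`verify_mode=CERT_REQUIRED`); disabling either of them is what turns a seemingly encrypted connection into one a Man-in-the-Middle can read. The last sample URL shows the lookalike-domain case: the name starts with `bank.example` but the certificate for `bank.example` does not cover it.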

Is HTTPS safe enough?

The short answer is no.

Sure, having that bit of encryption is better than having your connection in the open. But in this digital age, where online threats are complex and rely on a mix of social engineering, software vulnerabilities, and poor cybersecurity practices, HTTPS is not enough.

If you want to increase your online security, consider looking into a VPN.

Short for a virtual private network, a VPN is an easy and secure way of accessing the internet.

VPNs establish a virtual point-to-point connection between your device and the internet, sending your data through an encrypted tunnel.

As opposed to HTTPS, though, a VPN employs more robust encryption protocols. It also gives you extra benefits by hiding your IP address, unblocking websites and apps, and protecting your entire device, not just your browser.

And VPNs do a much better job at protecting your data than HTTPS. That’s because whenever you visit a website, you’re tracked through your IP address and through cookies. They leave crumbs behind and weave an accurate picture of your online activity from website to website.

Also, many online services you use, like social media, search engines, and even apps, are programmed to collect as much data as possible on you.

So, it’s essential to protect your whole online identity and secure all your gadgets, not just your browser. And using VPN software alongside HTTPS is the best combo to maintain your digital confidentiality.


Until next time, stay safe and secure!

Privacy by Design Principles: Why Data Protection Should Always Come First

We all care about our privacy and expect to have it respected. That sense of freedom and being safe from intruders matters now more than ever.

But our right to anonymity is violated almost every single day. From data breaches to companies that collect and sell personal information or systemic surveillance, the list of intrusions goes on and on.

However, the concept of privacy by design is sparking new conversations and gaining more traction.

If you want to know how companies should protect your privacy and handle your data, you need to get familiar with privacy by design principles.

Let me tell you all about them.

The seven principles of privacy by design

Officially introduced with the General Data Protection Regulation (GDPR), privacy by design is the generally desired approach when creating new technologies and systems.

It requires all businesses to implement non-invasive privacy features and functions from the very beginning. For example, this could translate into a company creating a smartphone that doesn’t use or allow tracking systems.

To better understand the concept, let’s dive into the seven principles.

1. Proactive not reactive; preventive, not remedial

The first principle states that any company should focus on being proactive, with privacy the foundation for product development, not just an afterthought.

By getting out of the reactive mindset, organizations can anticipate privacy-related threats and prepare for them. And while having a clear plan on how to respond to any security breach that affects people’s data is essential, development teams first need to bake in all the best techniques to avoid or minimize privacy risks.

Any system, process, or infrastructure that uses personal data should place privacy as a top priority from the beginning of the design process.

As a user, it’s hard, if not impossible, to know what goes on behind closed doors. But you can identify businesses with a privacy mindset. They’re often the ones obsessed with their customers, always collecting customer feedback and striving to meet their needs, including those related to privacy.

2. Privacy as the default

Regardless of the business they’re in, companies should automatically protect your data. This way, you never have to struggle to make sure they won’t expose your private information.

The ideal is for privacy features to be built into any system, tool, or device, guaranteeing your anonymity no matter what.

To see if a company cares about your privacy, check whether they restrict data sharing, minimize data usage, and give you the possibility to opt out of sharing sensitive information.

3. Privacy embedded into design

In order to protect you, teams shouldn’t add privacy features at the very end of a development cycle, or even worse, after a product has been launched.

Privacy by design is an integral part of both the system’s infrastructure and a core business practice. This should be the mindset every step of the way, from the ideation to completing a product or service.

At the end of the day, it doesn’t matter how useful or efficient a product is if it sports privacy design flaws and security vulnerabilities.

One way to see if a product you’re using abides by the privacy by design principles is to check whether all the puzzle pieces fit together.

Read carefully and notice if a company’s privacy policy aligns with the product features, services, values, and other company practices. That tells you if they’ve managed to infuse privacy by design principles into everything they do, from people to processes and technologies.

4. Full functionality – positive sum, not zero sum

Most ventures focus on product functionality and implementing the latest tech stacks. Privacy concerns are at the bottom of their checklist (if at all) when they start writing specs, moving fast and breaking things.

Yet, the privacy-embedded-into-design principle suggests functionality and privacy go hand in hand and are equal partners. Not offering a great user experience on privacy’s account is not an option.

If a proposed concept threatens users’ privacy in any way, developers should look for other solutions and alternatives. No privacy risk should be overlooked.

Next time you’re excited about an app or a platform, check and see how much you can control the data you feed them and to what extent the company has taken customer privacy into account.

5. End-to-end security – full lifecycle protection

Privacy and security always go together. Without robust security, there can be no privacy. But what does information security imply?

Information security involves confidentiality, integrity, availability, transparency, and resilience of the systems that store it. Additionally, users should have full control of their data processing and the possibility to opt-out at any moment. This doesn’t happen with connected cars, for instance.

Personal data needs to be secured and protected from the moment it enters the system. Then it can be encrypted, stored safely, and deleted at the end of its lifecycle.

Here are some of the information protection mechanisms organizations can implement:

      • Only collect data they need and have legal grounds to process.
      • Use GDPR-compliant deletion or destruction methods for end-to-end protection.
      • Integrate pseudonymization or anonymization techniques.
      • Classify data and processing operations based on access profiles.
      • Rely on encryption standards to minimize the risk of stolen data.

Whenever you want to know more about how your data is being used, stored, or deleted, you can request a service provider to give you this information. You’ll learn from their reply if they are serious about privacy and security.
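One of the mechanisms listed above, pseudonymization, is easy to get wrong: simply hashing an email address looks anonymous, but anyone holding a list of candidate addresses can hash them all and reverse the mapping. The added example below (my own code, not from the original post or from any specific product) shows that shortcut and the keyed alternative: an HMAC pseudonym computed with a secret key that is stored separately from the records. The key, the records, and the candidate list are all constructed sample data.

```python
"""Keyed pseudonymization of personal identifiers (added example).

An unkeyed hash of an email address is reversible by dictionary attack
because the input space is small.  Keying the hash (HMAC-SHA256) with a
secret that lives apart from the data set removes that shortcut: without
the key, the pseudonym cannot be linked back, even by someone with read
access to the pseudonymised records.  All values below are constructed.
"""
import hashlib
import hmac
import secrets


def _normalize(email):
    """Canonical form so 'Alice@Example.org ' and 'alice@example.org' agree."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email):
    """Unkeyed SHA-256: looks anonymous but is trivially reversible by dictionary."""
    return hashlib.sha256(_normalize(email)).hexdigest()


def keyed_pseudonym(email, key):
    """HMAC-SHA256 pseudonym: stable for a given key, unlinkable without it."""
    return hmac.new(key, _normalize(email), hashlib.sha256).hexdigest()


def reverse_by_dictionary(pseudonym, candidates, key=None):
    """What someone with a candidate list can do: try every candidate.

    With key=None the attacker assumes a plain hash; with the key they are
    the legitimate key holder (or someone who stole the key).
    """
    for email in candidates:
        guess = keyed_pseudonym(email, key) if key is not None else naive_pseudonym(email)
        if hmac.compare_digest(guess, pseudonym):
            return email
    return None


def pseudonymise_records(records, key, fields=("email",)):
    """Replace identifying fields in analytics records, leaving the rest intact."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = keyed_pseudonym(copy[field], key)
        out.append(copy)
    return out


def demo():
    """Run the comparison on constructed sample data; returns the three outcomes."""
    key = secrets.token_bytes(32)  # in practice: a secret store, never beside the data
    records = [{"email": "Alice@Example.org", "page": "/pricing"},
               {"email": "bob@example.org", "page": "/docs"}]
    pseudo = pseudonymise_records(records, key)
    candidates = ["alice@example.org", "bob@example.org", "carol@example.org"]
    naive_hit = reverse_by_dictionary(naive_pseudonym("alice@example.org"), candidates)
    keyed_miss = reverse_by_dictionary(pseudo[0]["email"], candidates)       # no key
    keyed_hit = reverse_by_dictionary(pseudo[0]["email"], candidates, key)   # key holder
    return naive_hit, keyed_miss, keyed_hit


if __name__ == "__main__":
    print(demo())  # ('alice@example.org', None, 'alice@example.org')
```

Two things the code makes visible. First, the key holder can still link pseudonyms back, so under the GDPR pseudonymised data is still personal data; it only becomes anonymous once the key is destroyed, which is why key deletion belongs in the end-of-lifecycle step mentioned above. Second, normalizing the address before hashing matters: without it, the same person would receive different pseudonyms depending on how their address was typed, and the records could not be joined.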

6. Visibility and transparency – keep it open

Many businesses are opaque about their design and development practices. They’d rather keep you in the dark and ask for forgiveness in the event of a data breach. While openness would gain them consumer confidence, it would also force them to stay accountable.

But people should know what happens to their data and how it is protected.

Visibility and transparency are all about showing the practical side of things. One of the keys to guaranteeing privacy is to be able to prove it. This way, users can verify that data processing aligns with the stated claims. Additionally, each company should allow people to send complaints, ask questions, or request changes.

Promoting transparency and visibility requires adopting measures such as:

      • Making Privacy and Data Protection Policies public.
      • Developing and publishing concise, clear, and comprehensible information clauses regarding data processing, the risks users may be exposed to, and how to exercise their rights on data protection.
      • Sharing the identity and contact details of the data controller.
      • Setting accessible, simple, and effective ways of communication, compensation, and complaints.

What we can see is that some brands have started to become more transparent about data collection.

And because we like to lead by example, here at CyberGhost, we’ve been publishing our Transparency Report ever since 2011.

7. Respect for user privacy – keep it user centric

The final principle emphasizes once more that user privacy needs to be the number one priority. After all, when you collect and store personal data, the risk of having it fall into the wrong hands becomes exceptionally high.

Even if companies collect data, that doesn’t mean they own it. Data belongs to the users who generated it, and they can grant or withdraw their consent at any time.

Out of respect for user privacy, data operators should offer measures such as:

      • Strong privacy defaults: Users are informed of the consequences for their privacy when they try to change default settings.
      • Appropriate notice: Specific consent is required for the collection, usage, or disclosure of personal information, and users may withdraw their consent at any time.
      • User-friendly options: Interfaces are to be human-centric, so that informed privacy decisions can be taken.

The principle involves designing user-centric processes, apps, products, and services, anticipating privacy needs.

At the same time, users need to play an active role in managing their data and controlling what corporations do with it. And companies can’t interpret a lack of pressure as a lack of interest in privacy on the customer’s side.

A promise to solve the digital world’s privacy problems

While significant steps have been taken to improve user privacy, we still have a long way to go before it becomes the norm. For now, privacy by design is a theoretical ideal, and it needs to be translated into widespread practice.

Until we get to live in a world where all companies enforce privacy by design principles, securing your digital privacy and anonymity is still up to you.

Luckily, you can rely on using a performant VPN, learning how to stay safe online, and making sure you set strong passwords for your accounts.


What’s your take on privacy by design principles? Do you think the companies making the digital products you use every day respect them?

Let me know in the comments section below.


Ding Dong! It’s the Police, Looking for Your Ring Footage.

Amazon’s Ring, the home security and smart home company, has been making the news in the past year for all the wrong privacy reasons.

While Amazon has taken a step back from providing facial recognition tech to the authorities, Ring is determined to work with them closer than ever.

In 2020, Ring attracted more departments than ever to their network. And if you own or ever walk in front of one of their installed products, this should worry you.

There are over 2,000 departments in Ring’s network

The Ring network lets law enforcement ask users for footage from their Ring security cameras to assist with investigations.

In America, almost every state has police or fire departments in Amazon’s Ring network. The only two exceptions are Montana and Wyoming.

Figures from Amazon show there are 2,014 departments in a network that has been growing rapidly over the years:

      • 2018: 40 departments joined
      • 2019: 703 departments joined
      • 2020: 1,189 departments joined

According to Ring, these departments requested videos for over 22,335 incidents in 2020 through subpoenas, search warrants, and court orders. But since we don’t have any data for 2019, it’s hard to make any comparisons.

Ring complied with 57% of these requests. That’s down from 68% in 2019.

However, privacy advocates are still concerned over how Ring data is used and made available to law enforcement agencies.

Ring isn’t that efficient for catching criminals

Ring promised to make neighborhoods safer by deterring wrongdoers and helping to solve crimes. So, it’s no surprise that law enforcement agencies have publicly supported the Ring network.

We have Ring cameras in our community (…) And we understand the value of those cameras in helping us solve crimes.

And yet, according to Lt. Edwin Santos, a department spokesman, the Winter Park Police Department hasn’t made a single arrest based on Ring footage ever since it partnered with the company in April 2018.

An NBC News Investigation that looked at 40 law enforcement agencies in eight states that have partnered with Ring for at least three months has similar key results.

Here’s what they found:

      • Thirteen of the 40 jurisdictions reached, including Winter Park, had made zero arrests due to Ring footage.
      • Another thirteen jurisdictions confirmed that arrests were made after reviewing Ring footage. However, only two offered estimates.
      • The remaining jurisdictions, including large cities like Phoenix, Miami, and Kansas City, didn’t know how many arrests had been made as a result of their relationship with Ring and therefore could not evaluate its effectiveness.

None of these departments collected data to measure the impact of their Ring partnership. And not one department kept consistent track of when Ring footage helped identify or arrest a suspect.

The company itself said it doesn’t know how effective the doorbells are in helping identify suspects. But this lack of evidence just adds to the privacy concerns that have plagued the company.

It’s time to activate your Ring end-to-end encryption

In the midst of all this, Ring has upgraded their security, introducing end-to-end encryption to their doorbells. That was after reports surfaced about Ring employees who were watching customers’ videos.

Now, the footage isn’t available to third parties, even if it’s stored in Amazon’s cloud.

However, this feature isn’t on by default. If you own a Ring, here’s how to turn on your end-to-end encryption:

  1. Open the Ring app.
  2. Go to ‘Control Center’ and select ‘Video Encryption.’
  3. Select ‘Advanced Settings’ and choose ‘Video End-to-End Encryption.’
  4. Tap the slider to toggle the feature on, then tap ‘Get Started.’
  5. Follow the in-app instructions to enroll your account, mobile devices, and Ring cameras in end-to-end encryption.

While this might make your footage unavailable to Ring employees and maybe hackers, it won’t keep law enforcement at bay. Even if you refuse to share it, the authorities can bring a warrant to Ring to get it.


But what do you think? Should law enforcement have free access to the Ring network? Is there a practical reason to? Let me know in the comments below.

Until next time, stay safe and secure!