Outsourcing key banking data and services to a small number of cloud service providers means that those providers have the power to dictate their own terms.  
Getty Images/iStockphoto
Banks’ growing reliance on cloud computing could pose a risk to financial stability and will require stricter oversight, according to top executives from the UK’s central bank. In a report focusing on financial stability in the UK over the past few months, the Bank of England drew attention to the increasing adoption of public cloud services, and voiced concerns about those services being provided by only a handful of huge companies that dominate the market. Outsourcing key banking data and services to a small number of cloud service providers (CSPs), said the Bank of England, means that those providers have the power to dictate their own terms, potentially to the expense of the stability of the financial system. 

For example, cloud providers might fail to open up the inner workings of their systems to third-party scrutiny, meaning that it is impossible for customers to know if they are ensuring the level of resilience that is necessary to carry out banking operations. “As regulators and people concerned with financial stability, as (CSPs) become more integral to the system, we have to get more assurance that they are meeting the level of resilience that we need,” Andrew Bailey, the Bank of England governor, told reporters in a press conference.  In the past years, financial institutions have accelerated their plans to scale up their reliance on CSPs. From file sharing and collaboration to fraud detection, through business management and communications: banks have used cloud outsourcing both to run software and access additional processing capacity, and to support IT infrastructure. Until recently, cloud services were used mostly to run applications at the periphery of banking operations, such as HR systems with no direct impact on financial services. According to the Bank of England, however, this is now changing, with CSPs being called in to process operations that are more integral to the core running of banks.  

“We’ve crossed a further threshold in terms of what sort of systems and what volumes of systems and data are being outsourced to the cloud,” said Sam Woods, the chief executive officer of the Prudential Regulation Authority (PRA). “As you’d expect, we track that quite closely.” Last year, the Bank of England opened bidding for a cloud build partner, with the goal of creating a fit-for-purpose cloud environment that could better support operations in a digital-first environment. At the time, the institution said that it had already been in talks with Microsoft’s Azure, Google Cloud and Amazon’s AWS, and that it would likely be targeting Azure in a first instance. The possibility of adopting a multi-cloud strategy was also raised. There are many benefits to moving financial services to the public cloud. For example, while using old-fashioned, on-premises data centers incurs extra expenses, a recent analysis by the Bank of England estimated that adopting the ready-made services offered by hyperscalers could reduce technology infrastructure costs by up to 50%. Another advantage of public cloud services is that they are more resilient. The sheer scale of CSPs enables them to implement infrastructure that integrates multiple levels of redundancy, and as such, is less vulnerable to failures.  Moving to the cloud, therefore, is not intrinsically detrimental to banking services – quite the contrary. But the main sticking point, according to the regulators, lies in the concentration of major players that dominate the cloud market. According to tech analysis firm Gartner’s latest numbers, the top five cloud providers currently account for 80% of the market, with Amazon holding a 41% share and Azure representing nearly 20% of the market. “As of course a market becomes more concentrated around one supplier or a small number of suppliers, those suppliers can exercise market power around of course the cost but also the terms,” said Bailey.  “That is where we do have a concern and do have to look carefully because that concentrated power on terms can manifest itself in the form of secrecy, opacity, not providing customers with the information they need in order to be able to monitor the risk in the service. And we have seen some of that going on.” As Bailey stressed, part of the reason for CSPs to remain secretive comes down to better protecting customers, by not opening up key information to potential hackers. But the regulator said that a careful balance has to be maintained on transparency, to enable an appropriate understanding of the risks and resilience of the system without compromising cybersecurity. Leighton James, the CTO of UKCloud, which provides multi-cloud solutions to public sector organizations across the country, explains that these issues are not unprecedented, and it is unsurprising to see them trickle down to the financial services. “We’re anxious about cloud providers becoming so big that the terms and conditions are pretty much ‘take it or leave it’. We’re definitely seen that happening already in the public sector, and we can definitely see it happening in the financial services sector if we are not careful,” James tells ZDNet. According to James, part of the risk stems from traditional banks attempting to compete against new disruptive players in the sector. Financial institutions are now rushing to overhaul their legacy infrastructure and catch up with the digital-native customer experiences that were born in the cloud and are now widely available thanks to fintech companies.  “It’s clearly imperative for the financial sector to modernize and adopt digital technologies,” says James. “The question becomes how best they can do that by balancing the risk of digital transformation.” And in this scenario, the risks of placing all of banks’ eggs in a handful of CSP’s baskets is too high, argues James.  The Bank of England has similarly urged financial institutions to exert caution when developing their digital transformation strategies, and is currently in talks with various regulators to discuss how to best tackle those risks. With cloud concerns widely shared by other nations, especially in the EU, those discussions are likely to become international, and the UK’s central bank predicts that global standards will be created to develop a consistent approach to the issue.  More

TikTok removed more than 104.54 million videos from its platform in the first half of this year for breaching its community guidelines or terms of service. The number accounts for less than 1% of all videos uploaded on the Chinese app maker’s platform, with the largest volumes removed from India and the US at 37.68 million and 9.82 million, respectively. 
Some 96.4% of the videos were identified and removed before users reported them, while 90.3% were removed before they clocked any views, according to TikTok’s latest transparency report released Tuesday. The majority, at 30.9% were removed for containing nudity and sexual activities, while 22.3% were taken out for violating minor safety and 19.6% were removed for containing illegal activities and regulated goods.  

Singapore must look beyond online falsehood laws as elections loom
Country’s government is missing the point with its use of correction directives, when it should be looking more closely at how the legislation can be used to address bigger security threats as it prepares for its first elections since the emergence of technology, such as deepfake, and increased online interference.
Read More

Apart from India and the US, the highest numbers of videos also were removed from Pakistan, Brazil, and the UK at 6.45 million, 5.53 million, and 2.95 million, respectively. 
TikTok also complied with “valid” government and law enforcement requests across the globe for user information. Such requests would have to be submitted with the appropriate legal documents such as subpoena, court order, warrant, or emergency request. Amongst these, India submitted the most requests at 1,206, of which TikTok complied with 79%, followed by the US at 290, of which 85% were complied with. Israel made 41 requests, of which TikTok complied with 85%, while Germany submitted 37 requests, but just 16% were complied with.
In limited emergency situations, TikTok said it would disclose user information without legal process. This typically occurred when it had reason to believe the disclosure of information was required to prevent the imminent risk of death or serious physical injury to any person. 
China was notably missing from the list of government requests. 
In addition, TikTok said it also received legal requests from governments and law enforcement agencies as well as IP (intellectual property) rights holders to restrict or remove certain content. These, the company said, would be honoured if made through “proper channels” or required by law.
Amongst these, Russia submitted requests that identified the most number of accounts at 259, of which 29% were complied with. India submitted requests that specified 244 accounts, of which 22% were complied with.
Pointing to its efforts to “connect” its users, TikTok said it promoted content — amidst the global pandemic — thru in-app info pages and hosted hashtag challenges with partners such as World Health Organization, UNICEF India, and well-known individuals such as Bill Nye the Science Guy and Prince’s Trust. It also developed dedicated pages within its app that enabled users to learn more about Black history, in support of the Black community. 
Proposal for global group to safeguard against harmful content 
In a separate statement Tuesday, TikTok said its interim head Vanessa Pappas sent a letter to the heads of nine social and content platforms, proposing a Memorandum of Understanding aimed at encouraging companies to warn one another of violent, graphic content on their own platforms. 
“Social and content platforms are continually challenged by the posting and cross-posting of harmful content, and this affects all of us [including] our users, our teams, and the broader community,” the company said. “As content moves from one app to another, platforms are sometimes left with a whack-a-mole approach when unsafe content first comes to them. Technology can help auto-detect and limit much, but not all of that, and human moderators and collaborative teams are often on the frontlines of these issues.”
“Each individual effort by a platform to safeguard its users would be made more effective through a formal, collaborative approach to early identification and notification amongst companies,” TikTok said. “By working together and creating a hashbank for violent and graphic content, we could significantly reduce the chances of people encountering it and enduring the emotional harm that viewing such content can bring — no matter the app they use.”
TikTok said it previously launched a fact-checking program across eight markets to help verify misleading content, such as misinformation about COVID-19, elections, and climate change. It also introduced in-app educational public service announcements on hashtags related to important topics in the public discourse, such as the elections, Black Lives Matter, and harmful conspiracies, including QAnon.
RELATED COVERAGE More

Multiple members of Congress have come out against a plan from the Internal Revenue Service (IRS) to incorporate facial recognition provider ID.me into its processes this summer. The White House continues to ignore requests for comment, but Congressman Ted Lieu, Congresswoman Anna Eshoo, Congresswoman Pramila Jayapal, and Congresswoman Yvette Clarke sent a letter to IRS Commissioner Charles Rettig on Monday demanding the agency “halt its plan to employ facial recognition technology and consult with a wide variety of stakeholders before deciding on an alternative.” 

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

“Any government agency operating a face recognition technology system — or contracting with a third party — creates potential risks of privacy violations and abuse. We urge the IRS to halt this plan and consult with a wide variety of stakeholders before deciding on an alternative,” the Congress members wrote. Like the letter sent by numerous Senate Republicans last week, the House members question the new biometric requirements that will be necessary for accessing a wide array of vital tools the IRS provides. They note the cybersecurity ramifications of the IRS partnership with ID.me as well as the racial implications of using a flawed technology for IRS services. An ID.me spokesperson even told The Washington Post that there was “variation across demographic groups and skin color” with its facial recognition algorithm, additionally claiming that the variations are “incredibly small.”Questions were also raised by House members about the IRS process that led to ID.me being chosen as well as ID.me’s previous lies about its technology. “Furthermore, the IRS’s Privacy Impact Assessment neglects to mention ID.me is even using this technology on Americans. Given these issues, it is simply wrong to compel millions of Americans to place trust in this new protocol,” the letter said. 

On Monday morning, Senator Ron Wyden released his own letter calling for an end to the IRS plan. Wyden acknowledged the IRS goal of stopping fraud through the facial recognition effort but said it is “simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online.” 

“It is also alarming that the IRS and so many other government agencies have outsourced their core technology infrastructure to the private sector. Quite simply, the infrastructure that powers digital identify, particularly when used to access government websites, should be run by the government,” Wyden said. The senator went on to question why the IRS and other agencies were not using Login.gov instead of ID.me, adding that the federal government needs to expand the effort internally to create a product that could match faces to photos held by the Department of Motor Vehicles and the Social Security Administration. “The IRS should redouble its efforts to remind taxpayers that facial recognition scanning is not now and has never been necessary to file taxes or receive a refund, as well as educate taxpayers on ways to access other IRS services without the use of facial recognition technology,” Wyden said. “Second, as a stopgap measure, the IRS should promptly revert its decision to require use of ID.me to transact online through the IRS’ website, delay the phase out of IRS.gov accounts created prior to the implementation of ID.me and restore the ability of taxpayers to create new IRS.gov accounts, which foes not use facial recognition. And finally, in the longer term, the IRS should migrate away from third-party identity verification services and utilize GSA’s government-wide login-gov service.”Senators Roy Blunt and Jeff Merkley sent their own letter last week making many of the same requests of the IRS. In November, the the IRS announced that by the summer of this year, taxpayers will need to have an ID.me account in order to access certain IRS online resources. 

In order to check on the status of a return, view balances and payments received, obtain a transcript, and enter into an online payment agreement, people will need to create an ID.me account and give the private company either a government ID, passport, birth certificate, W-2 form, social security card, a bill of some kind, or a “selfie,” among a host of other private documents they may ask for. The IRS signed an $86 million contract with ID.me, according to the Washington Post. More than 70 million Americans who filed for unemployment insurance, pandemic assistance grants, child tax credit payments, or other services have already had their faces scanned.Since the IRS announced the effort in November, there has been widespread backlash within Congress and among privacy advocates who continue to raise several issues with the effort. The Washington Post reported on Monday that IRS officials met with members of Congress on Friday and said they were looking into alternatives to ID.me that would not use facial recognition. ID.me is already used by 27 states for their unemployment benefits systems, according to CyberScoop, while 30 states and 10 federal agencies also use the system for other government services. Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website last week — called Dump ID.me — allowing people to sign a petition against the IRS plan. According to Fox Business, Rep. Bill Huizenga introduced a bill on Friday that bans the IRS from using any facial recognition in its processes. Caitlin Seeley George, campaign director at Fight for the Future, said the legislative response has shown that this is a bipartisan issue. “Facial recognition technology and the collection of peoples’ biometric data puts everyone in danger. I also think that in addition to the IRS (and other government agencies) canceling its contract with ID.me, there are a number of questions that legislators have sent to the IRS about how it landed on this tool,” Seeley George said. “It’s critical that we get answers to these questions, and hopefully use them to drive forward legislation to rein in the use of facial recognition and other biometric tools moving forward.”

Government More

DuckDuckGo DuckDuckGo, the internet browser that specializes in online privacy, is launching several new tools aimed at making sure online data brokers can’t get access to your personal information. Also: The best secure browsers to protect your privacy online The new set of tools, called Privacy Pro, combines three things: an anonymous VPN that secures […] More

A hacker has leaked this month the data of more than 4.2 million users registered on Peatix, an event organizing platform, currently ranked among the Alexa Top 3,500 most popular sites on the internet.

The site’s user data was made available through ads posted via Instagram stories, on Telegram channels, and on several different hacking forums.
According to samples of the Peatix data seen by ZDNet, the leaked information included full names, usernames, emails, and salted and hashed passwords.
Most of the leaked user data belonged to persons with Asian names, which is consistent with the evolution of the Peatix startup, which first launched in Japan in 2011 and later expanded to Singapore in 2013, before opening to the US and other parts of the world.
ZDNet notified Peatix of a possible breach earlier this month, but we never heard back from the company. Nonetheless, Peatix went public and admitted its breach this week through a message posted on its website [PDF, archived].
The company said it has investigated the reports, identified the point of entry, and blocked the intruders from re-accessing its systems.
Peatix reassured users that no financial data was involved as all payments were handled through third-party platforms, and nothing was stored inside its database.

“In addition, based on our investigation to date, we have no reason to believe that any historical data of events in which users participated, any data obtained through our questionnaire function or users’ addresses or phone numbers were accessed,” the company said.
ZDNet also reached out to the hacker who shared Peatix’s data online, on one of the multiple hacking forums. This individual told us that they are not the persons who breached the company but that they were only leaking the data to sabotage a rival data breach broker.

Image: ZDNet
Peatix is currently notifying all impacted users via email and requesting that they change account passwords. More