Apple iPhone 17 Pro Max <!–> ZDNET’s key takeaways The new flagship iPhone brings two big photography upgrades, in the zoom camera and the front-facing camera The new A19 Pro processor, the N1 chip, and the thermal upgrades combine to rev up performance For the author, this year’s upgrade choice boils down to overcoming a […] More

Can you tell a human from a bot when you are using instant messaging? Source: Information Technologies – zdnet.com More

Minut privacy-based smart home sensor in pictures Minut is a noise, temperature, and motion sensor that has been built for privacy that’s aimed primarily at the short-term rental market — think Airbnb, that sort of thing. … Source: Information Technologies – zdnet.com More

By stopping third parties from scrutinizing content, E2EE can effectively create a safe harbour for criminal activity.  
Image: Getty Images / iStockphoto
Despite recent controversies, end-to-end encryption should not be weakened, the UK’s data protection watchdog has concluded – while acknowledging that some additional measures are needed to mitigate the potential harms that can stem from the privacy-protecting technology. The Information Commissioner’s Office (ICO), an independent body that oversees information rights in the UK, has published the results of initial deliberations that were carried out on end-to-end encryption (E2EE), in light of a years-long debate that has divided governments, social media platforms and freedom-of-speech activist groups. 

E2EE has long been seen as a way to protect users’ online privacy, by encrypting content in communications channels so that only the sender or recipient can access the information. This prevents any third party from accessing the data, including the provider of the platform or law enforcement agencies. SEE: Even computer experts think ending human oversight of AI is a very bad ideaThe method is one of the most reliable approaches to data protection, and is increasingly seen as a golden standard for privacy. At the same time, users are growing more aware of the implications of exchanging data online: the ICO found in a survey, for example, that 77% of respondents see protecting their personal information as essential.  To gain the trust of the public, therefore, social media platforms are turning to E2EE. Facebook is testing the technology in Messenger’s Secret Conversations, while Zoom rolled out E2EE for all video meetings last year; and platforms like Signal, Telegram or Element are seeing fast increases in their user base as their promise of fully encrypted messaging gains popularity. The ICO has reiterated its long-standing view that E2EE should be widely deployed by online communication providers. “While we do not say that organisations must encrypt in all circumstances, there must be a strong justification for not doing so. This also applies to E2EE,” said the watchdog in the report. 

The report comes off the back of recent debates surrounding E2EE, in which some governments – including the UK – have argued that although it is key to protecting user privacy, the technology also opens the door to carrying out harmful activities online without the risk of getting caught. By stopping third parties from scrutinizing content, E2EE can effectively create a safe harbour for criminal activity, since even  providers are unable to scan data to identify and respond to violations to their terms of services. This can include terrorist propaganda, violent crime, and child sexual exploitation and abuse.  Calls from governments to stop this from happening have multiplied in the past few years. Last year, for instance, the UK government published a statement calling for technology companies to implement encryption in a way that enables companies to act against illegal content, but also to allow law enforcement agencies to access content in a readable format when granted the appropriate authorization. Protecting users from harm is also at the heart of the draft Online Safety Bill published by the UK government earlier this year, which proposes to push a duty of care on social media platforms that would force technology companies to protect their users from dangerous content such as disinformation or hate speech. Although the bill makes no mention of E2EE in particular, experts say that this will effectively force platform providers to scan through private messages in search of harmful content, to ensure that they comply with the law. According to the ICO, the UK government’s position is slightly more nuanced. In a statement to the watchdog, the government said that rather than introducing backdoors to E2EE, the focus is on introducing “specific additional functionality” to companies’ services, which would enable access to messaging content by law enforcement or the platform service provider under tightly controlled circumstances.A spokesperson for the Department of Digital, Culture, Media and Sport told ZDNet: “Children will be at the heart of our new online safety laws, with tough sanctions on social media platforms that fail to protect young people from harm. We believe it is possible to implement end-to-end encryption in a way which is consistent with public safety and which does not prevent action being taken against child abuse.”The ICO seems to align with this view. The watchdog’s report states that, while the use of backdoors to encrypted channels would “unacceptably” undermine users’ rights, there is value in accelerating innovations that allow the detection of harmful content without compromising privacy. In other words, the organisation argues that safety and privacy don’t have to be in tension. With the right technologies, argues the ICO, it is possible to have both a safe online space, as well as a high-level of protection of personal data. “There should be no trade-offs,” Stephen Bonner, ICO’s executive director of regulatory futures and innovation, tells ZDNet. “We believe that privacy with E2EE is essential for online safety and can work alongside the ability to moderate online harms, plus enable law enforcement to deal with the worst offenders.” One technology that seems to balance both sides of the E2EE argument is homomorphic encryption, which enables calculations to be carried out on encrypted data without decrypting it first – although a lot more research and development will be necessary before the approach is considered a viable solution. Other tools could be deployed to control harmful communications without actually reading them, in a similar fashion to spam detectors that can recognize that an account is sending many emails at once, without having to look at the content of the messages.  “Organisations are assessing how accounts behave to detect and remove spammers, without monitoring what’s contained inside,” says Bonner. “The innovations that don’t require access to content already exist and are deployed on many E2EE platforms.” SEE: Ransomware: It’s a ‘golden era’ for cyber criminals – and it could get worse before it gets betterIt remains that many of these tools are only emerging. Although the ICO is confident that the technologies will evolve, the organisation nevertheless recommended that more attention be paid to the effectiveness of existing tools that may enable access to private content without breaking encryption standards.  Jim Killock, the executive director of Open Right Group, which is campaigning against the removal of E2EE, argues for the need to do more to prevent the governments from restricting E2EE. “The ICO’s broad approach is correct, but let’s be clear,” Killock tells ZDNet. “E2EE saves people from scams and criminality. Removing it and collecting huge amounts of material would place millions of people at deep risk of blackmail and fraud. “The government should not be arguing to make everyone unsafe, to deal with specific, limited, but horrendous problems.”The ICO has specified that the latest report is not the organisation’s final policy position on E2EE. The watchdog will now be seeking the views of multiple stakeholders, and will publish the outcomes of those discussions early next year.  More

The state-sponsored hackers who breached US software provider SolarWinds earlier this year pivoted to Microsoft’s internal network, and then used Microsoft’s own products to further the attacks against other companies, Reuters reported today citing sources familiar with the investigation.

SolarWinds Coverage

The news comes after the US Cybersecurity and Infrastructure Agency (CISA) published an alert earlier today about the SolarWinds supply chain attack and its impact on government agencies, critical infrastructure entities, and private sector organizations.
CISA said they had “evidence of additional initial access vectors, other than the SolarWinds Orion platform.”
Two Reuters reports on the alleged Microsoft hack did not say what Microsoft products the hackers abused after breaching Microsoft.
In a statement, Microsoft admitted to finding trojanized SolarWinds Orion apps in its environment, but not to hackers pivoting to production systems and then using those systems against its customers. The full, unedited statement is available below:

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

Five new SolarWinds hack victims came to light today
Microsoft now joins a list of high-profile entities that have been hacked via a backdoored update for the SolarWinds Orion network monitoring application.
The vast majority of these victims are US government agencies, such as:
The US Treasury Department
The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
The Department of Health’s National Institutes of Health (NIH)
The Cybersecurity and Infrastructure Agency (CISA)
The Department of Homeland Security (DHS)
The US Department of State
The National Nuclear Security Administration (NNSA) (also disclosed today)
The US Department of Energy (DOE) (also disclosed today)
Three US states (also disclosed today)
City of Austin (also disclosed today)

The only private company which acknowledged getting hacked via the malware-laced SolarWinds platform is cybersecurity firm FireEye.
Both FireEye and Microsoft were the first security firms to confirm the SolarWinds hack on Sunday, both providing extensive reports of how the breach happened.
Both companies were also involved in an effort to sinkhole the domain used to command and control the malware used in the SolarWinds hack.
Article updated one hour after publication with Microsoft’s statement. More