More stories

  • ComCom sets initial valuation of Chorus fibre network at NZ$5.4 billion

    The New Zealand Commerce Commission (ComCom) has released a draft decision [PDF] on the value of Chorus’ fibre network for regulatory purposes, pricing the network at NZ$5.4 billion. Under the Telecommunications Act, ComCom is required to establish the value of Chorus’ fibre network, which includes the assets Chorus uses to provide fibre broadband services, as well as a financial loss asset (FLA) to compensate Chorus for losses it incurred when rolling out the network ahead of demand. The official valuation, which must be set by the start of 2022, determines the maximum revenue a regulated provider like Chorus can earn from its fibre network. Because of this, the valuation of the network is a “key building block” for determining how much revenue Chorus will be able to earn until 2025, ComCom said.

    The fibre network was built by Chorus in partnership with government-owned Crown Infrastructure Partners under the Ultra-Fast Broadband program. The NZ$5.4 billion figure, which values Chorus’ core fibre assets at NZ$3.98 billion and its FLA at NZ$1.5 billion, is around NZ$160 million lower than the regulatory asset base (RAB) valuation submitted by Chorus in March. The draft decision took into consideration consultation from external experts and other stakeholders regarding the initial valuation made by Chorus, ComCom said. The dip in valuation was largely due to ComCom not sharing Chorus’ view on certain cost allocations, with the regulator saying non-fixed fibre lines access services should be allocated to the telco’s copper network instead.

    “While we mostly agreed with Chorus’ proposed asset valuations, we considered that some infrastructure and overhead costs that have been allocated to its fibre network should more appropriately be allocated to its copper network and other parts of its business,” Telecommunications Commissioner Tristan Gilbertson said. “These types of costs should not be passed on to fibre consumers.” This reduction was partially offset by changes made to improve the approach to calculating Chorus’ FLA, however, which adds back around NZ$80 million in value, ComCom explained.

    Following the draft decision’s release, ComCom is now seeking feedback from Chorus and other stakeholders. Chorus CEO JB Rousselot said Chorus would analyse the draft decision and make submissions based on extensive modelling work. “We welcome this step towards greater certainty for Chorus and our investors. Our aim is to ensure the final RAB reflects the full costs of structural separation required by the public-private partnership with the Government. We’ve used a lot of our existing infrastructure and spent billions more to roll out the fibre network over the last decade,” Rousselot said. “It’s critical that the true value of our participation in this partnership is recognised so we can keep investing in developing the capability and reliability of fibre broadband for New Zealand.”

    ComCom is expected to give another network valuation in December, with the regulator set to give the final valuation for Chorus’ fibre network next year, “when all necessary information is available.” As of April, Chorus has 143,000 users on 1Gbps connections, after uptake grew by 7,000 connections during the three months to the end of March. The broadband wholesaler also said that the quarter saw it add another 29,000 customers to its fibre network, with average monthly data use on fibre rising from 460GB to 491GB.

  • Citizen Lab finds Apple's China censorship process bleeds into Hong Kong and Taiwan

    Apple’s application of filters for blocking content in China has seeped into how it operates in Hong Kong and Taiwan, according to Citizen Lab researchers. According to Citizen Lab’s research, Apple’s filters, which pertain to derogatory, racist, sexual, and sometimes political content, censor more than what is required by a given region’s moderation regulations. The research looked at keyword filtering rules used by Apple to moderate content across China, Hong Kong, Taiwan, Japan, Canada, and the United States. While the six jurisdictions each have different regulatory and political environments that may affect Apple’s filtering decisions and content moderation policies, Citizen Lab found the censorship applied within China also bled into both Hong Kong and Taiwan, with much of this censorship exceeding Apple’s legal obligations.

    In Taiwan, Apple does not have any legal obligation to perform political censorship, but it still blocks engravings related to the Chinese Communist Party, China’s state organs, and political-religious groups like Falun Gong. Meanwhile, in Hong Kong, Apple broadly censors references to collective action, such as the Umbrella Revolution, the Hong Kong Democratic Movement, double universal suffrage, and freedom of the press. Although the National Security Law, which took effect in Hong Kong last year, can potentially be used to mandate that entities and individuals remove political content, freedom of expression is legally protected in the region under the city’s Basic Law and the Bill of Rights.

    Beyond Apple double-dipping China’s filtering practices in Hong Kong and Taiwan, the iPhone maker at times also made arbitrary blocks. In one case, Citizen Lab said Apple censored ten Chinese names surnamed Zhang with generally unclear significance, although it said the names were also on a list used to censor products from a Chinese company. “Apple does not fully understand what content they censor and that, rather than each censored keyword being born of careful consideration, many seem to have been thoughtlessly reappropriated from other sources,” Citizen Lab claimed. “Apple’s seemingly thoughtlessly and inconsistently curated keyword lists highlight the ongoing debates of companies’ content regulation models. Companies, especially those operating globally, have great impacts on both users of their products and non-users who may be indirectly affected by their products.”

    In the research, Citizen Lab analysed how Apple engravings are filtered for keywords across the six regions. For each region, Apple verifies engravings using a different API endpoint, which facilitates different filtering rules for each region. By testing how these API endpoints responded to engravings of over 505,000 previously discovered keywords that are censored in various Chinese applications, including WeChat, Citizen Lab found the largest number of blocks applied to mainland China, where 1,045 keywords filtered product engravings, followed by Hong Kong with 542, and then Taiwan with 397. By reviewing the filtered engravings, Citizen Lab found the Taiwan filtering rules are a strict subset of the Hong Kong filtering rules, which are in turn a strict subset of the mainland China filtering rules. The researchers also said Apple does not have any public-facing policy documents that explain or regulate what users can or cannot engrave on Apple products across each of the six jurisdictions.

    In light of the lack of transparency regarding how Apple moderates its content, Citizen Lab has called for the company to release a set of guidelines explaining why and how it moderates content. “The need for Apple to provide transparency in how it decides what content is filtered is especially important as we discovered evidence that Apple derived their Chinese language keyword filtering lists from outside sources, whether copying from others’ lists or receiving them as part of a directive,” the Canadian research group said. Citizen Lab previously revealed that WeChat, the popular messaging app operated by Tencent, subjected accounts beyond China to China’s pervasive content surveillance, which was previously thought to be reserved exclusively for China-registered accounts. “WeChat implements censorship for users with accounts registered to mainland China phone numbers. This censorship is done without notification to users and is dynamically updated, often in response to current events,” Citizen Lab wrote in that piece of research.

  • US Census Bureau stopped 2020 cyberattack but faces criticism for security lapses

    The Office of Inspector General (OIG) released a report this week saying the US Census Bureau dealt with a cyberattack on January 11, 2020. OIG investigators reviewed the incident between November 2020 and March 2021, finding that while the Census Bureau was successful in stopping the attackers from gaining access to sensitive data, it left open a slate of vulnerabilities that hackers could have exploited.

    The investigators found that servers operated by the Census Bureau — which were in place to allow employees to access production, development, and lab networks remotely — were attacked using a publicly available exploit. “According to system personnel, these servers did not provide access to 2020 decennial census networks. The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,” the report found. “However, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.”

    The attack was initially handled by the Department of Commerce’s Enterprise Security Operations Center (ESOC), which manages security incidents and facilitates information sharing between the department, the Census Bureau and CISA. While commending the Bureau for stopping the attack, the OIG investigators found many other problems with how the incident was responded to and the way the Bureau used the servers.

    The report said the Bureau “missed opportunities to mitigate a critical vulnerability which resulted in the exploitation of vital servers.” Even after the servers had been exploited, the Bureau did not discover and report the incident “in a timely manner.” “Additionally, the Bureau did not maintain sufficient system logs, which hindered the incident investigation. Following the incident, the Bureau did not conduct a lessons-learned session to identify improvement opportunities,” the OIG report said. “We also found that the Bureau was operating servers that were no longer supported by the vendor. Since the January 2020 incident, the Bureau has made changes to its incident response program. By addressing the findings and recommendations in this report, the Bureau can continue to improve and have a more effective response to future cybersecurity incidents.”

    The Bureau had multiple opportunities to mitigate the vulnerability in its remote-access servers — in December 2019 and January 2020. Investigators found that on December 17, 2019, Citrix, the vendor the Bureau worked with on the servers, released information about the vulnerability along with steps to mitigate it. NIST gave the vulnerability a severity rating of “critical”, and a member of the Bureau’s CIRT team attended security meetings with CISA where it was discussed. CISA even sent out a link to ways of mitigating the vulnerability. The changes were not made until after the attack had started. The attack would have failed if the Bureau had simply made the necessary changes, the OIG said. The investigators noted that the Bureau was also not conducting vulnerability scanning of the remote-access servers, and the servers were not even included in the list of devices to be scanned. “This occurred because the system and vulnerability scanning teams had not coordinated the transfer of system credentials required for credentialed scanning,” the report said, noting that while the attackers failed to gain access to systems, they were still able to create new user accounts.

    “The Bureau was not aware that the servers had been compromised until January 28, 2020, more than two weeks later. We found that this delay occurred because, at the time of the incident, the Bureau was not using a security information and event management tool (SIEM) to proactively alert incident responders of suspicious network traffic. Instead, the Bureau’s SIEM was only being used for reactive, investigative actions.” The report said that by not using a SIEM to generate automated security alerts, it took the Bureau longer to confirm that the servers had been attacked. Its systems also failed to catch much of the attack at first. The investigators found that one of the remote-access servers was trying to communicate with a malicious IP address outside the Bureau’s network, and the Bureau’s SOC misidentified the direction of the malicious network traffic, concluding it had been blocked. The OIG said this was a missed opportunity that was compounded by the failure of the ESOC to immediately share critical information about the exploited servers. ESOC was allegedly contacted by CISA about the attack on January 16, 2020 but did not respond. CISA sent another notice on January 30 to investigate the issue, which was then forwarded by ESOC to other Bureau leaders.

    There were a number of other delays that the investigators said “wasted time during the critical period following the attack.” They urged the director of the US Census Bureau to ensure the CIO reviews automated alert capabilities on the Bureau’s SIEM and develops procedures to handle alerts from outside entities like CISA. The Bureau also did not maintain sufficient system logs, hindering the investigation: a number of servers were configured to send system logs to a SIEM that had been decommissioned since July 2018. Even after migrating the capabilities of a number of remote-access servers to new server hardware in September and December 2020, the report said investigators found in February 2021 that the Bureau was still running all of the original servers involved in the incident. All of the servers were operating past their end-of-life date of January 1, 2021. Despite the mistakes made, the Bureau’s firewalls blocked the attacker’s attempts to establish a backdoor to communicate with the attacker’s external command and control infrastructure.

    In a letter attached to the report, Acting Director of the US Census Bureau Ron Jarmin reiterated that there are “no indications of compromise on any 2020 Decennial Census systems nor any evidence of malicious behavior impacting the 2020 Decennial counts.” “Furthermore, no system or data maintained and managed by the census bureau on behalf of the public were compromised, manipulated, or lost because of the incident highlighted in the OIG report,” Jarmin said. His office noted that this was a “federal-wide incident that impacted numerous departments and agencies.” “The Census Bureau’s response to this incident was in line with federal direction and response activities,” Jarmin added. While the Bureau admitted to waiting too long to report the exploitation of the servers, it said it had been waiting for further direction from CISA.

    In response to the criticism about using legacy systems that needed to be decommissioned, the Census Bureau said that in late 2020 it was working with Citrix engineers to migrate capabilities to new devices. “Due to circumstances outside the bureau’s control — including a dependency on Citrix engineers who were already at capacity supporting customers across the federal government who had realized greater impacts from the January 2020 attack, to complete the migration, and the COVID-19 pandemic — the migration was delayed,” Jarmin’s office explained. Jarmin pledged to take end-of-life concerns more seriously and said the Bureau has already made changes to how it responds to critical vulnerabilities and shares information with other departments. It has also developed automated alerting capabilities and established information sharing procedures, Jarmin said.

    The OIG report suggested the Census Bureau introduce a slate of further changes to how vulnerability notifications are handled and how assets are scanned for vulnerabilities. It also said Bureau incident responders need to ensure that they comply with Departmental and Bureau requirements to report confirmed computer security incidents to ESOC within 1 hour. The report also criticized the Bureau for not holding any kind of formal lessons-learned meeting, roundtable or talk after the attack at any level of the organization. “One incident responder stated that the team was consumed with responding to data requests from outside entities, which interfered with holding a lessons-learned session,” the investigators said. “Furthermore, after reviewing Bureau incident response policies and procedures, we were unable to locate any requirement or guideline prescribing the timeframe in which to hold a lessons-learned session.” The Bureau said in a letter on July 19 that it concurred with all nine of OIG’s recommendations and sent in plans to achieve all of them.
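    Two of the detection gaps in the OIG findings above, the SOC reading the direction of the malicious traffic backwards and the absence of automated SIEM alerting, can be illustrated with a minimal alerting routine. This is an added example, not code from the OIG report, the Census Bureau or any SIEM vendor; the log format, the internal address ranges, the gateway hosts and the blocklisted external address are all constructed for the example.

```python
import ipaddress

# Everything below is constructed for the example: the internal ranges, the
# remote-access gateway hosts, the blocklisted peer (an RFC 5737 documentation
# address) and the log lines. None of it comes from the OIG report.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
GATEWAYS = {"10.20.5.11", "10.20.5.12"}   # remote-access gateways (constructed)
BLOCKLIST = {"203.0.113.77"}               # known-bad external address (constructed)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow_direction(src: str, dst: str) -> str:
    """Classify a flow by which side initiated it, using only the source address.
    An internal source reaching for an external destination is 'outbound' even if
    the firewall denied it; the verdict says nothing about who started the flow."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"


def parse_event(line: str) -> dict:
    """Parse the constructed 'TIMESTAMP KIND key=value ...' log format."""
    ts, kind, *pairs = line.split()
    event = {"ts": ts, "kind": kind}
    event.update(kv.split("=", 1) for kv in pairs)
    return event


def evaluate(lines) -> list:
    """Run three proactive rules over log lines and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "FLOW":
            direction = flow_direction(ev["src"], ev["dst"])
            if direction == "outbound" and ev["src"] in GATEWAYS and ev["dst"] in BLOCKLIST:
                # A denied outbound connection still proves the gateway tried to
                # reach the bad address, so the rule fires regardless of the verdict.
                alerts.append({"rule": "OUTBOUND_TO_BLOCKLIST", "ts": ev["ts"],
                               "host": ev["src"], "peer": ev["dst"], "action": ev["action"]})
            elif direction == "inbound" and ev["src"] in BLOCKLIST and ev["dst"] in GATEWAYS:
                alerts.append({"rule": "BLOCKLISTED_INBOUND", "ts": ev["ts"],
                               "host": ev["dst"], "peer": ev["src"], "action": ev["action"]})
        elif ev["kind"] == "AUDIT" and ev.get("event") == "user_add" and ev["host"] in GATEWAYS:
            # New local accounts on an internet-facing gateway are rare enough to page on.
            alerts.append({"rule": "GATEWAY_ACCOUNT_CREATED", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"], "action": "n/a"})
    return alerts


# Constructed sample: an inbound hit from the bad address, a denied outbound
# beacon from the same gateway, a benign outbound flow, an account created on
# the gateway, and an account created on an unrelated host.
SAMPLE_LOGS = [
    "2020-01-11T03:14:22Z FLOW src=203.0.113.77 dst=10.20.5.11 dport=443 action=allow",
    "2020-01-11T03:14:25Z FLOW src=10.20.5.11 dst=203.0.113.77 dport=8443 action=deny",
    "2020-01-11T03:15:40Z FLOW src=10.20.5.11 dst=198.51.100.9 dport=443 action=allow",
    "2020-01-11T03:20:01Z AUDIT host=10.20.5.11 event=user_add user=svc_rmt",
    "2020-01-11T09:00:00Z AUDIT host=10.20.7.3 event=user_add user=jdoe",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS):
        print(alert)
```

    The design point is that direction is derived from the source address against the internal ranges, never from whether the firewall allowed or denied the packet, and that a denied outbound connection to a blocklisted peer is treated as a compromise indicator rather than a non-event. In a production SIEM these would be correlation rules fed by live firewall and host audit logs; the routine here only shows the logic.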

  • Cisco's Q4 slightly ahead of estimates on strong product order growth

    Cisco on Wednesday reported fourth quarter financial results slightly ahead of expectations. The networking giant reported double-digit order growth across all customer markets and geographies, including product order growth of 31 percent — its strongest year-over-year growth in over a decade. Cisco’s Q4 non-GAAP earnings per share came to 84 cents on revenue of $13.1 billion, up 8% year-over-year. For the full fiscal year, Cisco’s non-GAAP EPS was flat year-over-year. Revenue was $49.8 billion, up 1% year-over-year. Wall Street was expecting fourth quarter earnings of 82 cents per share on revenue of $13.03 billion.

    “We continue to see great momentum in our business as customers are looking to modernize their organizations for agility and resiliency,” CEO Chuck Robbins said in a statement. “The demand for Cisco technology is strong with our Q4 performance marking the highest product order growth in over a decade. With the power of our portfolio, we are well positioned to help our customers accelerate their digital transformation and thrive in a hybrid world.”

    The product order growth also coincides with supply chain challenges hitting Cisco and other IT companies, which has prompted Cisco to respond with “strategic price increases.” “Looking ahead, we expect the supply challenges and cost impacts to continue through at least the first half of our fiscal year and potentially into the second half,” Robbins said on a conference call Wednesday.

    That said, the CEO added that there’s no evidence that this is causing customers to order ahead of their needs. “We certainly think customers are placing orders further in advance because of lead times, which is just logical,” Robbins said. “When you see the order growth in Q4 and then you see the forecast pipeline that we see going forward, it would suggest there’s a fair amount of demand out there.”

    Cisco reported continued momentum in transforming the business toward delivering more software and subscriptions. It achieved $4 billion in software revenue in Q4 (an increase of 6%, with subscription revenue up 9% year-over-year) and $15 billion for the year (an increase of 7%, with subscription revenue up 15% year-over-year). Overall, product revenue in the fourth quarter was up 10% year-over-year, totaling $9.72 billion. Within that category, security revenue was up 1% to $823 million. Revenue from infrastructure platforms was up 13% to $7.55 billion, while applications revenue was down 1% to $1.34 billion. Revenue from “other products” declined 42% to $4 million. Service revenue in Q4 was up 3% year-over-year, reaching $3.41 billion. Deferred revenue in Q4 was $22.2 billion, up 8% in total, with deferred product revenue up 19%. Deferred service revenue was up 2%. Remaining performance obligations came to $30 billion at the end of Q4, up 9%. For the first quarter, Cisco expects revenue growth of 7.5% to 9.5% year-over-year. For full fiscal 2022, it expects revenue growth of 5% to 7% year-over-year.


  • Microsoft takes a stake in Rubrik to combat ransomware

    Microsoft has invested an undisclosed amount in cloud data management firm Rubrik as part of a plan to jointly develop Zero Trust products built on the Azure cloud. Rubrik and Microsoft plan to provide Microsoft 365, data protection and cloud services on Azure, according to Rubrik. According to a Bloomberg source, Microsoft’s investment was in the “low tens of millions” and valued Rubrik at about $4 billion. The company, which competes with Dell EMC, Commvault and other storage and backup companies, was valued at $3.3 billion in 2019. Rubrik provides cloud backup and recovery services on Azure, AWS, Google Cloud and Microsoft 365, as well as ransomware recovery services.

    Microsoft made the investment as it continues its push for organisations to adopt a Zero Trust architecture, which focuses less on hardening the network perimeter and aims to protect BYOD devices and applications that are used at work and home. The partnership will also help customers continue digital transformation projects and push more data to the cloud. Rubrik says its combination with Microsoft’s cloud will allow customers to protect critical applications such as SAP, SQL, Oracle, and VMware, as well as network attached storage (NAS) devices, with Azure.

    The two companies support more than 2,000 mutual customers globally, according to Rubrik. Rubrik, which launched in 2014, is a cloud-native enterprise backup and recovery service targeting customers running storage with legacy software. Microsoft sees an opportunity to make the cloud a key defence against the rise in ransomware attacks, which often happen as a result of attackers scanning for and finding RDP and VPN services exposed on the internet. This year has seen an uptick in multi-million-dollar ransomware demands that victims, such as Colonial Pipeline, have paid. “When an attacker tells you they have control to the keys to your data and you can’t get it back without paying a ransom, this allows us to have an alternative source for that data in real time to be able to bring that company back to operational control,” Tyler Bryson, a Microsoft vice president, told Bloomberg. “There’s a lot of backup solutions out there, but even those are vulnerable to having been compromised. If you didn’t design with the modern cloud architecture in mind, you may find you’ve just recovered to something already compromised.”

  • Mozilla, MacArthur and Ford foundations unite to oppose Facebook ban on NYU disinformation research

    Multiple high-profile foundations and philanthropic organizations came together to criticize Facebook for shutting down the accounts of New York University (NYU) researchers investigating advertising disinformation on the platform. The open letter was from the NetGain Partnership, which includes the Mozilla Foundation, Ford Foundation, John D. and Catherine T. MacArthur Foundation, the Omidyar Network and more. The group of foundations focuses its work on fostering research into emerging technology.

    The letter, signed by the CEOs and presidents of each organization, lambasts Facebook for its decision to close the accounts of NYU researchers Laura Edelson and Damon McCoy. The two led a team of researchers that ran the Ad Observer browser extension, which allowed Facebook users to let the researchers see what ads appear when they visit the social media platform. Facebook said in a statement on August 3 that the browser extension violated privacy regulations within Facebook and initially lied about being forced to shut down the project because of a deal with the FTC. The FTC later released its own letter slamming Facebook for lying about this and reiterating that its order had no relation to the work of Edelson and McCoy. “The consent decree does not bar Facebook from creating exceptions for good-faith research in the public interest,” said Samuel Levine, acting director of the FTC’s consumer protection bureau. “Indeed, the FTC supports efforts to shed light on opaque business practices, especially around surveillance-based advertising.” The two researchers spent months going back and forth with Facebook, but their accounts were shut down as soon as they announced a potential examination of Facebook disinformation about the January 6 attack on Congress. The foundations called Edelson and McCoy’s work “pathbreaking” and said it “brought to light systemic gaps in the Facebook Ad Library, identified misinformation in political ads, and studied Facebook’s amplification of divisive partisan campaigns.”

    “This action by Facebook also cut off access to more than two dozen other researchers and journalists, who relied on Ad Observer data for their research and reporting, including timely work on COVID-19 and vaccine misinformation,” the open letter explained. “This is only the latest example of Facebook’s attempts to curtail journalism and independent, academic research into their business and advertising practices. In the absence of more fulsome disclosure and transparency from the social media industry, independent research efforts have been essential to understanding how disinformation spreads on digital platforms. This research also uncovered how advertisers exploit the industry’s ability to micro-target advertisements, the extent to which bad actors use these platforms to exacerbate societal rifts and inequities, and the costs to civil society.”

    The influential members of the NetGain Partnership said they stood behind NYU’s Cybersecurity for Democracy project and the larger community of researchers who work on disinformation in social media. The group’s work proved its worth by what it uncovered about Facebook’s platform, the open letter said, noting that Ad Observer discovered “highly partisan, misleading news sources receive more engagement on Facebook than more reliable news sources.” Facebook, they said, continues to take in advertisements from extremist groups and militias while still publishing discriminatory ads. The social media giant also fails to catch political ads that potentially violate its own rules. As NYU, Edelson and McCoy explained when the shutdown was announced, the open letter reiterates that Ad Observer only collected limited and anonymized information about the users who shared their ads. “When Facebook claims that the tool nonetheless violates the privacy of its ‘users,’ the ‘users’ it is referring to are the paying advertisers, who have already consented to making their ads public,” the open letter said.

    “Facebook’s latest actions undermine the independent, public-interest research and journalism that many of our foundations support. We believe research on platform and algorithmic transparency, like the work led by Cybersecurity for Democracy, is necessary to make evidence-based policy that is vital to a healthy democracy.” The group demanded Facebook urgently reinstate the accounts attached to the project and change its Terms of Service within the next three months to allow safe harbor for research that is “ethical, protects privacy and is in the public interest.” “Our foundations share a vision for an open, secure, and equitable internet space where free expression, economic opportunity, knowledge exchange, and civic engagement can thrive,” the open letter said. “This attempt to impede the efforts of independent researchers is a call for us all to protect that vision, for the good of our communities, and the good of our democracy.”

  • Do you trust Apple?

    Apple is a business. This is the first thing you should know about it. It’s a company that exists to make money. It’s not your friend. It’s not a superhero. It’s not a religion.

    As a company, it invites you to buy its products and services. If you don’t like what it has to offer, you’re free to move on. And I think that this confusion is at the heart of a lot of the criticism that Apple has received over the new child safety features that it is introducing. It’s quite a complicated and charged subject, and both Apple’s messaging, along with how the media have reported those messages, have created more confusion. Add to that the fact that some people get very upset when Apple does something that doesn’t fit in with how they see the company, and it’s a recipe for disaster. However, the other day Apple released a document that went into great detail as to how the system will work, the steps that exist to keep false positives to a minimum, the mechanisms in place to prevent governments, law enforcement, and even malicious or coerced reviewers from abusing the system, and how Apple maintains the end user’s privacy throughout.

    According to Apple, “the system is designed so that a user need not trust Apple, any other single entity, or even any set of possibly-colluding entities from the same sovereign jurisdiction (that is, under the control of the same government) to be confident that the system is functioning as advertised.” It’s a deep document, but it’s well worth a read. But these are just words on a page. It ultimately comes down to one thing. Do you trust Apple?

    Well, do you? I think that this is a deep question, and one that goes further than scanning for images of child abuse (something that most people will think is a good thing for Apple to be doing). The trust issue here goes deeper. First, Apple has developed an on-device scanning system that can detect — with great accuracy — specific information. Right now, Apple is using this to filter out CSAM (child sexual abuse material) and to detect sexually explicit images sent or received by children via iMessage, but there’s nothing that prevents that mechanism being used to detect anything, whether it be religious, political, terrorist-related, pro/anti leanings on vaccines, cat photos, or anything else. And that scanning mechanism is baked into its devices. The Apple of the here and now might hand-on-heart swear that this system will only be used for good and that it won’t abuse it, but this is only reassuring to a point.

    Let’s take some simple but contemporary examples such as COVID-19 anti-vax misinformation, or climate-change denialism. What if Apple decided that it was in the interests of the greater good to identify this material and step in to prevent its dissemination? Might not be a bad thing. Might be a thing that enough people could get behind. And the CSAM mechanism would technically make this possible. Would it be right? One could argue that CSAM is illegal while anti-vax or climate-change misinformation is not. OK, but laws vary from country to country. What if a country asked Apple to step in to identify and report other material that is illegal in that country? Does it become a game of cherry-picking what material to detect and what not to detect based on the PR fallout? What if Apple decided to scan for any and all illegal material? The mechanism to do this is in place.

    Also, this is not only a question of space, but of time. The people at the helm of Apple today will not be the people at its helm in the future. Will they be so motivated to protect user privacy? Could they become complicit with abusing the system because of governmental pressures? These are all slippery-slope arguments, but that doesn’t eliminate the fact that slippery slopes do indeed exist and that vigilance itself is not a bad thing. Do you trust Apple?

  • Microsoft touts role in meeting Biden's order to fend off major hacks on the US

    After another year of ransomware and supply chain attacks, Microsoft is talking up its role in helping to put US President Joe Biden’s May Executive Order on cybersecurity into practice. Microsoft is one of 18 cybersecurity companies that were selected to work with the National Institute of Standards and Technology (NIST) to develop Zero Trust designs that federal agencies can implement under Executive Order 14028. Instead of focusing on hardening the network perimeter, Zero Trust assumes that an organisation has already been breached and includes a design that acknowledges data needs to be protected both within and outside the network, across managed and unmanaged devices. Other vendors in the Zero Trust consortium include Amazon Web Services, Appgate, Cisco, F5, FireEye, IBM, McAfee, MobileIron, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec, Tenable, and Zscaler. Google and its BeyondCorp zero trust initiative are notably absent.

    Biden’s order required CISA and NIST to create benchmarks for organisations managing critical infrastructure. It followed the SolarWinds hack targeting primarily federal agencies and US tech companies, the Exchange email server attacks, and the Colonial Pipeline ransomware attack. The SolarWinds attack, in particular, highlighted the need for zero trust, with the attacks occurring amid the mass shift towards remote work during the pandemic. The vendors in the project will be working with NIST’s National Cybersecurity Center of Excellence (NCCoE) to “develop practical, interoperable approaches to designing and building Zero Trust architectures” that are commercially available from US cybersecurity firms. Microsoft has previously identified five scenarios where zero trust can help agencies meet Biden’s order, including endpoint detection and response, multi-factor authentication, and continuous monitoring.

    Azure Active Directory is central to Microsoft’s plans for most of the five scenarios, which include SaaS applications, legacy applications, protecting remote server administration tools, and cloud segmentation. Azure also plays a key role in ‘micro-segmentation’ of the network. While Biden’s order only applies to federal agencies, the White House did encourage the private sector to take “ambitious measures” in the same direction. Microsoft notes its proposed example solutions will include commercial and open-source products. Separately, the Linux Foundation has thrown its support behind Biden’s order to develop a Software Bill of Materials (SBOM), or a “formal record containing the details and supply chain relationships of various components used in building software.” The Zero Trust proposals from vendors are meant to align with NIST SP 800-207, Zero Trust Architecture, which was developed through meetings with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry.