More stories

  • Digital ID age verification trials for online alcohol purchases in Australia underway

    The Digital Transformation Agency (DTA) has been carrying out digital identity age verification trials for online alcohol purchases with selected providers in Australia since September, according to a Freedom of Information (FOI) request. FOI documents released by the Office of the eSafety Commissioner indicated there were also plans to carry out similar trials for online gambling, with each private beta test scheduled to operate for a three- to six-month period. Scope to expand the trial in 2022 has also been proposed to include additional users, other Australian-based online alcohol and online gambling service providers, R18+ online video games with “loot boxes”, and myGovID as an identity provider. The FOI request, filed by Greg Tannahill on September 29, sought to understand Mastercard’s proposed involvement in delivering or influencing the delivery of age verification services in Australia. It came off the back of Mastercard announcing, just two days before the request was filed, that it was working with the DTA to see how its digital identity service could enable Australians to digitally verify their age and identity. As part of the collaboration, Mastercard said it would work with the DTA to examine a series of private sector-led pilots and the impact its digital verification service could have on retailer and consumer experiences and expectations online. Mastercard announced the quiet expansion of the trial of its digital identification service following the successful completion of phase one with partners Deakin University and Australia Post last year.

    Based on discussion notes about the trials between the DTA and the eSafety Commissioner, the DTA noted it was focused on “establishing systems that enhance privacy, security and safety — including by being least invasive to the user (i.e. simply determining that someone is 18+)”. “We prefer systems that are not an unnecessary burden to those wishing to access services which they are entitled to use,” the notes said. The DTA also flagged that it was “interested in a market-based system that offers choice to consumers”. At the time of announcing its work with the DTA, Mastercard also said it had applied for accreditation under the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity in Australia. If granted, Mastercard said, accreditation would enable consumers to create a reusable digital identity using official identity documents such as passports and driving licences, and would protect digital identity data using encryption and facial biometrics. In October, the federal government released an exposure draft of legislation that seeks to expand the application of Australia’s federal digital identity system to state and territory governments and the private sector. Under the Bill, the federal government is seeking to formally enshrine two voluntary schemes for entities that want to provide or rely on digital identity services: a federal government-run digital identity system and a new accreditation scheme based on the existing TDIF. Additionally, the federal government, state and territory governments, Australian companies, and foreign companies registered with the Australian Securities and Investments Commission (ASIC) would be eligible to apply to join the two digital identity systems.

  • OAIC determines AFP interfered with privacy of Australians after using Clearview AI

    An investigation by the Office of the Australian Information Commissioner (OAIC) has found that the Australian Federal Police’s (AFP) use of the Clearview AI platform interfered with the privacy of Australian citizens. Clearview AI’s facial recognition tool is known for breaching privacy laws on numerous fronts by indiscriminately scraping biometric information from the web and collecting data on at least 3 billion people, many of them Australian. From November 2019 to January 2020, 10 members of the AFP’s Australian Centre to Counter Child Exploitation (ACCCE) used the Clearview AI platform to conduct searches of certain individuals residing in Australia. ACCCE members used the platform to search for scraped images of possible persons of interest, an alleged offender, victims, members of the public, and members of the AFP, the OAIC said. While the AFP only used the Clearview AI platform on a trial basis, Information and Privacy Commissioner Angelene Falk determined [PDF] that the federal police failed to undertake a privacy impact assessment of the Clearview AI platform, despite it being a high privacy risk project. By failing to do so, the OAIC said, the AFP breached the Australian Government Agencies Privacy Code. It added that the AFP also did not take reasonable steps to implement practices, procedures, and systems to ensure the Clearview AI platform complied with the Australian Privacy Principles.

    The AFP submitted that it did not undertake a privacy impact assessment as its use of the Clearview AI platform was only a “limited trial”. When investigating this decision, however, the OAIC said the AFP failed to provide any evidence that a project manager or trial participant conducted a threshold assessment to determine whether a privacy impact assessment was required. A threshold assessment is a preliminary assessment used to determine a project’s potential privacy impacts and whether a privacy impact assessment should be undertaken. Worryingly, the OAIC’s investigation also found that the AFP has not shown any indication that it has taken, or would take, steps to prevent similar breaches from occurring again in the future. This is despite the AFP having already admitted in April last year that it trialled the Clearview AI platform without an appropriate legislative framework in place. “Without a more coordinated approach to identifying high privacy risk projects and improvements to staff privacy training, there is a risk of similar contraventions of the Privacy Act occurring in the future,” the OAIC wrote in its determination. “This is particularly the case given the increasing accessibility and capabilities of facial recognition service providers and other new and emerging high privacy impact technologies that could support investigations.” In light of these privacy breaches, the OAIC has ordered the AFP to engage an independent third-party assessor to review its practices, procedures, and systems and to write a report about any changes the AFP must make to ensure its compliance with the Australian Government Agencies Privacy Code. The report on the gaps in the AFP’s privacy infrastructure must be written within the next six months, and the AFP must also provide the OAIC with a timeline for implementing any actions set out in the report. The OAIC has also ordered that all AFP personnel who handle personal information complete an updated privacy training program within the next 12 months.

  • Home Affairs releases second Critical Infrastructure Bill with leftover obligations

    At the start of this month, Australia’s Security Legislation Amendment (Critical Infrastructure) Act 2021 became law, giving government “last resort” powers to direct an entity to gather information, undertake an action, or authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks. The laws also introduced a cyber-incident reporting regime for critical infrastructure assets. Those laws were originally drafted to be wider in scope, with Home Affairs proposing other obligations for organisations within critical infrastructure sectors. Provisions seeking to enshrine those obligations were eventually excluded from the Critical Infrastructure Bill, however, after the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended that these “less urgent” aspects be legislated in another Bill down the road. In those recommendations, the PJCIS said legislating those aspects later would give businesses and government additional time to co-design a regulatory framework that receives broader consensus among stakeholders. Home Affairs has now released an exposure draft [PDF] of a Bill focusing on those excluded aspects. In this second Bill, called the Security Legislation Amendment (Critical Infrastructure Protection) Bill (SLACI Bill), the federal government is seeking to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for those entities most important to the nation.

    The risk management program obligation, if it were to become law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in the first Bill. The enhanced cybersecurity obligations, meanwhile, would apply to a smaller subset of entities that hold assets classified as systems of national significance. According to the Bill’s exposure draft, the risk management program would have to identify hazards to critical infrastructure assets and the likelihood of them occurring. In addition, entities would be required to submit an annual report about the risk management program and whether any hazards had a significant impact on critical infrastructure assets. Looking at the proposed enhanced cybersecurity obligations in the Bill’s exposure draft, the government is seeking for entities that have systems of national significance to have an incident response plan for addressing cyber attacks. This incident response plan would have to be shared with the Home Affairs secretary. These entities would also be required to undertake cybersecurity exercises to build cyber preparedness, carry out vulnerability assessments to identify vulnerabilities for remediation, and provide system information to build Australia’s situational awareness. With regard to the proposed requirement to provide system information, the Bill is seeking to give Home Affairs the power to compel relevant entities to install system information software. The government has also used this second Bill to amend “key sector and asset definitions” to clarify which entities are deemed to hold critical infrastructure assets. Among the definitions that would be amended under the Bill is “critical domain name system”, which clarifies that an asset is critical if it administers an Australian Domain Name System. The exposure draft also seeks to amend the definition of “critical data storage or processing asset” to provide clarity to industry about the types of entities that will be captured as responsible entities for critical data storage or processing assets. Under the amended definition, entities are deemed to hold critical infrastructure if they provide any data storage or processing services to government. Data storage in this instance is defined as a service provided on a commercial basis that enables end-users to store or back up data, or a data processing service provided on a commercial basis that involves the use of one or more computers. Data processing, meanwhile, includes computerised data actions such as retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal. Home Affairs will be accepting feedback on this exposure draft until February 1.

  • US Senate passes $768 billion defense bill without cyber incident reporting provisions

    The US Senate passed the National Defense Authorization Act (NDAA) on Wednesday, approving the $768 billion annual defense spending bill that was packed with cybersecurity provisions. The bill now heads to the desk of President Joe Biden. In an explainer document released alongside the text of the bill, the US House of Representatives Armed Services Committee said the cyber provisions in the bill would initiate “the widest empowerment and expansion of CISA through legislation since the SolarWinds incident.” In addition to significantly more cybersecurity investment, the bill gives greater budget authority to the Commander of US Cyber Command, “modernizes” the relationship between the Department of Defense Chief Information Officer and the National Security Agency’s components responsible for cybersecurity, and establishes a program office within Joint Forces Headquarters-DODIN to centralize the management of cyber threat information products across the Defense Department. The bill also mandates the first taxonomy of cyber weapons and cyber capabilities, and requires the Defense Secretary to create a software development and acquisition cadre to assist with developing and acquiring software by providing expert advice, assistance, and resources. A grant program created by Congress will fund cybersecurity research in coordination with Israel. A National Cyber Exercise program is also outlined in the bill. It will require CISA and other government bodies to test the National Cyber Incident Response Plan and, “to the extent practicable, simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident.” An amendment also requires CISA to update its incident response plan at least every two years. Under the bill, the DOD is now required to submit a report on how its Cybersecurity Maturity Model Certification program affects small businesses. Experts also touted the addition of the apprentice program to expand the available cyber talent, as well as the veteran training program. CISA is given more funding for a program called “CyberSentry” that provides “continuous monitoring of cybersecurity risks to critical infrastructure that own or operate industrial control systems that support national critical functions.”

    Bill Lawrence, CISO at SecurityGate, said CyberSentry was a somewhat controversial provision because it says CISA “may access all network traffic, including the content of communications, as stored within the CyberSentry stack to further analyze the origins of an alert and/or evaluate the state of the network.” “There are valid reasons for CISA to help protect US critical infrastructure just as there are valid reasons for CI owners and operators to not want government sensors on their networks, as well as valid arguments from security providers that the government is giving cyber services away for free (using taxpayer money, of course),” Lawrence said. “DHS does include a great deal of privacy considerations in the CyberSentry write-up. It would be helpful to also read about the tactical and strategic objectives of this program and see if rapid information sharing with all CI asset owners and operators is included, and help determine if this juice is worth the squeeze on the commercial providers. I have my apprehensions.” But what garnered the most interest was what the bill was lacking, namely a cyber incident reporting provision that was hotly debated and ultimately scuttled at the last minute. For months, Democratic and Republican Senators jockeyed over the language of a cyber incident reporting provision in the NDAA. In November, two Democrats — Gary Peters and Mark Warner — worked alongside two Republicans — Rob Portman and Susan Collins — to introduce a new amendment to the NDAA that would have forced critical infrastructure owners and operators, as well as civilian federal agencies, to report all cyberattacks and ransomware payments to CISA. But by December, The Washington Post reported that Florida Senator Rick Scott took issue with the ransomware reporting provision and called it too broad, asking senators to limit the language to enterprises in the 16 critical industries. Sources told CyberScoop’s Tim Starks that debate over the ransomware language ran too long and negotiators in the House and Senate ended up leaving the entire provision out. Lawrence noted that some companies had issues with reporting breaches or ransomware attacks within 72 hours of discovery and ransom payments within 24 hours of payout. He explained that smaller organizations do not have a 24/7 security operations center available to them, which limits their ability to respond to such incidents, much less tell the US government what is happening during incident response. Rep. Bennie Thompson and Rep. Yvette Clarke noted that cybersecurity incident response legislation was included in the House NDAA, which passed in September. The two — who respectively serve as Chairman of the Committee on Homeland Security and Chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation — explained in a statement that there were intensive efforts to get cyber incident reporting in the bill but “ultimately the clock ran out on getting it in the NDAA.” “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline. This result is beyond disappointing and undermines national security,” Thompson and Clarke said. “We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA. We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward.”

  • US and Australia enter CLOUD Act agreement for cross-border access to electronic evidence

    Australia and the United States have entered into a landmark CLOUD Act agreement to bolster efforts in preventing serious organised crime, terrorism, ransomware attacks, critical infrastructure sabotage, and child sexual abuse. The Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, is a US legal instrument that allows law enforcement to access data across borders. “Signing the CLOUD Act Agreement will enable our two nations’ law enforcement agencies to share important digital information and data with each other, under carefully defined legal authorities and safeguards,” said Karen Andrews, Australia’s Minister of Home Affairs. Through the bilateral agreement, Australia’s law enforcement agencies gain the ability to issue orders directly to US-based service providers compelling them to provide communications data for the purposes of combatting serious crime, and vice versa. Previously, Australian law enforcement agencies could only rely on mechanisms such as mutual legal assistance agreements to access crucial evidence from other countries, which Home Affairs has flagged as complex and time-consuming. It is the second CLOUD Act agreement to come into force, after a similar one was finalised between the UK and US in 2019. “This agreement paves the way for more efficient cross-border transfers of data between the United States and Australia so that our governments can more effectively counter serious crime, including terrorism, while adhering to the privacy and civil liberties values that we both share,” said US Attorney-General Merrick Garland.

    Australia and the US have been working on an agreement since 2019, but Australia needed to implement other legislation over the past two years in order to establish the framework required for a CLOUD Act agreement to exist. Over that span, the Australian government has faced scrutiny over its push for a CLOUD Act agreement, with privacy advocates like the Australian Privacy Foundation saying such an agreement “conflated bureaucratic convenience with what is imperative”. The CLOUD Act agreement comes on the heels of Australia announcing various initiatives in recent months to prevent crime. In December alone, Australia has announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and Critical Infrastructure cyber attack laws, commenced work on electronic surveillance law reforms, and proposed anti-trolling laws. The Australian government also started work on a new ransomware plan back in October. While some of those initiatives have drawn praise, others have drawn criticism for being rush jobs and lacking nuance. The bilateral agreement will now undergo parliamentary and congressional review processes in both countries before it is finalised.

  • Cybersecurity experts debate concern over potential Log4j worm

    As the fallout from the Log4j vulnerability continues, cybersecurity experts are debating what the future might hold. Tom Kellermann, VMware’s head of cybersecurity strategy, said the Log4j vulnerability is one of the worst vulnerabilities he has seen in his career — and one of the most significant vulnerabilities ever to be exposed. Log4j, a Java library for logging error messages in applications, was developed by the Apache Software Foundation. Kellermann called Apache “one of the giant supports of the bridge between the world’s applications and compute environments,” adding that the exploitation of Log4j will “destabilize that support and… destabilize the digital infrastructure that’s been built on top of it.”

    But his greatest concern is that someone further weaponizes the vulnerability by creating a worm, which Kellermann described as a polymorphic type of malware that can essentially spread on its own. “One of the most significant [worms] from back in the early 2000s was Code Red,” Kellermann told ZDNet. “We haven’t seen a widespread global impact like that since then. If this vulnerability were to be weaponized by one of the cyber communities — whether it be intelligence services, one of the four major rogue powers in cyber, or one of the major cybercrime cartels — that’s when things will get more interesting.” The possibility of a worm has generated significant conversation in the cybersecurity community. Cybersecurity expert Marcus Hutchins called fears of a worm “overblown” in multiple Twitter threads. “Firstly, there’s already mass exploitation (you can spray the entire internet from one server). Secondly, worms take time and skill to develop, but most attackers are racing against the clock (patching and other attackers),” Hutchins wrote on Twitter.

    He added that “a worm would need a novel exploitation technique to gain any real value over scanning.” In another thread, Hutchins wrote that 2017’s WannaCry ransomware attack “gave people a way overinflated sense of the threat posed by worms,” adding that worms “aren’t a worst case scenario (or even a worse case scenario) for most exploits.” “It’s not a case of there’s an exploit so there will be a worm (we never saw worms for any of the recent wormable RCEs and even if we had it’d be no worse than regular exploitation). WannaCry was written by North Korea, using an NSA exploit, stolen by Russia. Not the norm,” Hutchins explained. Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, told ZDNet that his biggest concern is around “wormability,” adding that he couldn’t “think of a worse scenario for Log4j exploits than malicious code that can replicate and spread itself with incredible speed, delivering ransomware payloads.” Povolny said worms like WannaCry demonstrated the type of impact that cybersecurity experts could expect, noting that even the WannaCry example was cut short of its true potential for spread and disruption due to a “kill switch.” “We can’t hope to get as lucky this time — it’s not a matter of if, it’s a matter of when this will happen. Organizations of all sizes must be undergoing an aggressive reconnaissance and patching strategy while there is still time,” Povolny said. “If you ever watched the TV show ‘The Amazing Race’, it now seems to pale in comparison to the global race taking place as a result of Log4Shell [the vulnerability’s nickname]. Even as thousands of organizations worldwide continue to search for and patch this exceptional vulnerability, threat actors are working at a furious pace to weaponize and further refine exploits for the flaw.” Others, like BreachQuest CTO Jake Williams, said that while it is a certainty someone will create a worm that abuses Log4Shell, it is unlikely to be like WannaCry, NotPetya, or previous worms that abuse system-level processes.

    The vast majority of servers vulnerable to Log4Shell will be running the vulnerable process with very limited permissions, Williams explained, adding that in most cases a worm exploiting Log4Shell would probably not be able to achieve persistence across process restarts. Because the process probably doesn’t have filesystem permissions, Williams said people should be less worried about ransomware payloads. “A malicious process can’t encrypt what it can’t write in the first place. While we should absolutely expect a Log4Shell worm to be created, we shouldn’t conflate the expected damage of a worm with what has been seen in previous high profile worms,” Williams said. Salt Security vice president Yaniv Balmas said his team is already seeing cases where the Log4Shell vulnerability is used by “common” cybercrime-related operations in order to spread ransomware, calling a wormable exploit a “valid scenario.” Balmas noted that even today, the world is still seeing artifacts from similar worms that were launched years ago. If someone decides to embed this vulnerability into a worm, Balmas said it would be “almost impossible to stop once it reaches a critical mass.” “However, while not neglecting the impact of such a worm, that might not be the worst scenario because of the unbelievable easiness that this attack can be applied. Everyone with a basic computer and internet access could launch an attack against millions of online services within minutes,” Balmas said. Thankfully, some cybersecurity experts said the head start in dealing with detection, mitigation, and patching will help as they prepare for the worst. John Bambenek, principal threat hunter at Netenrich, said a worm would have been far worse last week, but the industry-wide work being done has made sure many of the most vulnerable machines are in a better place. Others said that while the vulnerability is wormable, there has been no evidence to suggest this is a priority for threat actors at this time. Worms also require a significant amount of time and effort to develop, according to Digital Shadows senior analyst Chris Morgan. “This activity differs from the WannaCry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue. It’s still very much early days with regards to Log4j,” Morgan said. “While many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm.” Vectra CTO Tim Wade echoed that sentiment, noting that the Log4j vulnerability is still mostly at risk from attack by creative and adaptive human adversaries that may leave fewer fingerprints behind them as they undertake less overt attacks — such as extracting cryptographic secrets or API keys for present or future campaigns. While a worm enabling further mass exploitation is problematic, Wade said less direct attacks “may introduce more lasting damage when they go undetected for great lengths of time.”

  • After theft of $77.7 million, victim AscendEX to reimburse customers

    Crypto platform AscendEX has pledged to reimburse its customers, who lost a total of $77.7 million in a hack on December 11. In a series of tweets, the company said it is in the process of “standing up a new hot wallet infrastructure” and estimated that deposits and withdrawals would resume over the next two days.

    “Doing right by our customers is our obligation. Any impacted customers will be 100% reimbursed for their losses. Especially in the cryptocurrency industry, where community is the driving force of innovation, it is important for AscendEX to always remain true to our users,” the company said. “We plan to resume withdrawals gradually, beginning with Ethereum. Any user that wishes to withdraw their assets will be permitted to do so in an uninterrupted capacity once withdrawals reopen for the particular coin or token.” Blockchain security company PeckShield estimated that $77.7 million in total was taken across three chains: $60 million from Ethereum, $9.2 million from Binance Smart Chain, and $8.5 million from Polygon. The hack began on Saturday at 5pm EST when the company saw a number of unauthorized transfers from one of its hot wallets. The cold wallets were unaffected, and the company transferred all other assets there as it investigated the attack. Blockchain analytics firms were hired to help with the response, and law enforcement was notified. AscendEX contacted other crypto exchanges so that wallets involved in the theft could be blacklisted. It pledged to release a security post-mortem report in the coming days.

    AscendEX is based in Singapore and closed a $50 million Series B funding round in November, with investments from Polychain Capital, Jump Capital, Alameda Research, and others. The company was founded in 2018 under the name “Bitmax” before switching to AscendEX. CoinDesk reported that the company claims to have more than one million retail and institutional clients. It has reportedly reached an average daily trading volume of more than $200 million. The AscendEX losses became the latest in a series of headline-grabbing attacks with eye-popping numbers. On Sunday, blockchain gaming company Vulcan Forged said around $140 million had been stolen from its users. It, too, was forced to reimburse victims. Last week, crypto trading platform BitMart released an update on the devastating security breach that caused about $200 million in losses, writing that the breach was “mainly caused by a stolen private key that had two of our hot wallets compromised.” Hackers have repeatedly attacked cryptocurrency and DeFi platforms over the last year. Just last month, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform. The Record and Comparitech keep running tallies of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, EasyFi, bZx, and many other platforms.

  • Meta targets user information, database scraping in bug bounty expansion

    Meta has announced an expansion to its bug bounty platform to include vulnerabilities that can be abused for data scraping. 

    On Wednesday, the company – recently rebranded from Facebook – said that the two new areas of research revolve around scraping bugs and scraped databases containing user information. Dan Gurfinkel, Security Engineering Manager, said that the inclusion of valid scraping bugs and exposed data sets in a bug bounty program is, to the firm’s knowledge, an “industry first.” Meta/Facebook has been involved in numerous incidents around user data scraping. The most well-known is the Cambridge Analytica scandal, in which the data of up to 87 million users was scraped and shared without their consent. More recently, information belonging to approximately 553 million Facebook users was dumped online. Meta said the mass data collection took place in 2019. “We know that automated activity designed to scrape people’s public and private data targets every website or service,” Gurfinkel said. “We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites or scripts — constantly adapt their tactics to evade detection in response to the defenses we build and improve.” To help the company fix data-scraping issues across its apps and services rapidly, Meta is looking for reports on vulnerabilities that allow scraping limit mechanisms to be bypassed and those that permit scraping “at a greater scale than the product intended.” In particular, Meta is urging researchers to look for logic bypass issues, although rate limiting errors are in scope, too.

    Scraped database reports will cover unprotected, publicly accessible databases discovered online that contain at least 100,000 records of unique users, as well as sensitive information such as email addresses and phone numbers. Financial rewards starting at $500 are on offer for scraping bugs, and scraped database reports will be matched with charity donations. Feedback will be sought from the firm’s “top” bug bounty hunters before the expansion. Gurfinkel also outlined the company’s progress with bug bounties. Since the program’s launch in 2011, over 150,000 bug reports have been received and over 7,800 have been awarded a bounty payment. In total, Meta has now paid out over $14 million. Over the course of 2021, Meta has awarded $2.3 million to researchers for 800 vulnerability reports out of approximately 25,000. Earlier this month, Meta increased the scope of Facebook Protect, a service designed to enhance the security of user accounts considered to be at higher risk of compromise by threat actors. By the end of this year, Facebook Protect should be rolled out to over 50 countries. In the same way as Google and Microsoft, Meta offers this service to individuals including lawyers, journalists, civil rights organization members, and political figures.