Information Technology

A new independent body will oversee training and standards in the UK cybersecurity industry, bringing the sector in line with other professions including law, medicine and engineering.
The UK Cyber Security Council is designed to provide the industry with a single government voice and to help boost job prospects for information security professionals of all experience levels by working with training providers to accredit courses and qualifications, as well as providing employers with information required to recruit effectively to ensure their security capabilities.

More on privacy

It aims to boost job prospects around the country by giving budding and existing workers a clear roadmap for building a career in cybersecurity. The council will also focus on boosting the diversity of people pursuing careers in the industry.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  
Funded by the Department for Digital, Culture, Media & Sport (DCMS), the body will work closely with the National Cyber Security Centre (NCSC) and aims to be a ‘one-stop shop’ for people people looking to enter or further their careers in information security. 
“Cybersecurity is a growing industry in the UK and it’s vital for high standards of practice and technical expertise to be at the heart of the profession as it develops,” said Chris Ensor, the NCSC’s deputy director for cyber growth.
“We look forward to working with the Council to help ensure that future generations of cybersecurity professionals have the skills and support they need to thrive and make the UK the safest place to live and work online.”

The establishment of the UK Cyber Security Council comes following a consultation on developing the UK cybersecurity profession, which found there was support for establishing a new industry body. It will be chaired by Claudia Natanson, who has served as CSO at DWP and MD at BT Secure Business Service.
“Having spent many years in cybersecurity, I’m very aware of the excellent work done by many varied organisations – but I’m also conscious that the time for an umbrella organisation has come in order to drive the profession forward in a unified way,” said Natanson.
SEE: Cybersecurity: This ‘costly and destructive’ malware is the biggest threat to your network
“It’s a privilege and a challenge to be part of the leadership of the Council, knowing that the future security and prosperity of the UK depends in part on the Council succeeding in its mission to develop the profession,” she added.
The Council will formally launch on March 31 and has appointed an inaugural Board of Trustees to help guide the organisation over the coming years.
MORE ON CYBERSECURITY More

The portable, secure and rugged diskAshur M2 comes in capacities ranging from 120GB to 2TB.
Image: iStorage
Supplied in a sturdy carrying case, the diskAshur M2 from iStorage is thinner and sleeker than previous models and has its own sliding sleeve to protect the keypad from getting knocked while it’s in a bag or pocket, as well as to keep dust out of the USB 3.2 Micro-B SuperSpeed data and power port on one end. 
There’s even a rubber gasket that makes the whole thing waterproof when the sleeve is fitted (IP68, up to 30 minutes in 1.5m of water); iStorage also claims it’s shock and crushproof (up to 2.7 ton) and we saw no errors after dropping it off a few desks and tables in the office. 
Flash storage isn’t going to suffer the kind of head crashes a hard drive might, but more importantly you don’t want it to be easy to crack open if an attacker wants to try the kind of hardware assault that involves disassembling the device (although there are built-in protections against the usual physical and monitoring attacks, and the components are encased in resin). 

The diskAshur M2 is supplied with short USB-A and USB-C cables for device connection.
Image: iStorage
The size of a small bar of chocolate or a feature phone, the M2 feels heavy for its size but is nicely balanced; you can stand it on one end if it’s not plugged in. But the USB-A and USB-C cables supplied are rather short, so it’s probably going to end up flat on the table next to your device where you can type in the PIN when you need it. That device can be pretty much anything with a USB port, including Android, Chrome, thin clients and embedded systems, as well as Windows, macOS and Linux, because the hardware encryption means you don’t need to install any software. You can even use the M2 as a boot drive. 
Previous versions of the diskAshur had a built-in cable, and the datAshur USB stick needed an adapter for mobile or USB-C devices. Switching that for separate cables makes the M2 more flexible, but since USB Micro-B SuperSpeed connectors aren’t particularly common you’ll need to have the right cable with you — making the carrying case more of a necessity than a nicety. 
When it’s unplugged, all the data is automatically encrypted using AES-XTS 256-bit hardware encryption (make sure any data transfers are finished first). The user PIN to unlock the drive to use it like a normal SSD can be seven to 15 digits long; the system blocks simple repeats and sequential PINs and having letters on the number keypad means you can use a passphrase that’s easier to remember than a string of numbers (we’d suggest avoiding the easily guessed suggestions in the manual though). Even so, there’s a polymer coating so the keys don’t wear down and give attackers a hint. 
There’s a wide range of admin features, from enforcing the length of user PINs (and whether to require special characters that use the Shift key) to setting how long the drive stays unlocked when it’s not in active use (the default timeout is short enough to annoy most users). 

Both admins and users can flip the drive into read-only mode — and if that’s set by an admin, users can’t change it, so you can use this for distributing content without worrying that it will be accidentally deleted, infected by malware or otherwise tampered with. 
If the user PIN is typed in wrong ten times in a row, it’s automatically deleted, so you can set one-time user recovery PINs to let people regain access to their data. All the previous diskAshur features are still there, like the choice of a device reset or a self-destruct PIN that deletes the data, encryption key and PINs so you can re-issue a previously used drive to another employee and ensure data deletion. 
But configuring those, or even creating user PINs, still requires a fiddly sequence of pressing various combinations of shift and lock keys on the device with various digits and watching the three-colour LEDs blink or turn solid in patterns that few people are going to bother memorising. Even unlocking the drive as a user means pressing two keys, typing in the PIN, pressing another key and then watching the green and blue LEDs flash for a few seconds. 
Even with the limitations of a numeric keyboard, we continue to find this unnecessarily complex and it’s the most annoying aspect of iStorage’s otherwise useful products. 

Top: moderate performance when copying a 12GB selection of files. Above: better results when handling large sequential files.
Images: Mary Branscombe / ZDNet
With a USB 3.2 Gen 1 connection, the M2 can theoretically deliver 370MB/s read and write speeds, although the encryption can slow that down. Copying a 12GB selection of files showed rather variable performance that didn’t get close to the theoretical maximum, but delivered similar write speeds to a USB 3.0 flash drive (for comparison we used a Kingston DataTraveler Ultimate 3.0 Generation 2). CrystalDiskMark showed closer to the theoretical speed with large sequential files. 
But in use, disk performance isn’t going to slow you down — although the drive settings might. The short timeout limit meant that both the benchmarks and the large file copy initially failed and required a Windows drive repair, with the drive light activity staying on even after the drive had disappeared from Windows Explorer. We found our test unit would lock after a few minutes even after we extended the timeout to the maximum 99 minutes, which was equally annoying. 
You’re also paying for the security, with prices starting at £155 for the 120GB version; we looked at the £515 2TB model. 

Image: iStorage
The diskAshur M2 offers a welcome combination of features from iStorage’s previous SSD and USB stick models: the one-time PIN from earlier diskAshur models and the protective cover from dataAshur. It’s also smaller, neater and more rugged than earlier offerings. But the interface continues to be opaque and occasionally frustrating, so build in time for training and user support.
RECENT AND RELATED CONTENT
Encrypted USB flash drive you can unlock with your smartphone (or Apple Watch)
cloudAshur, hands on: Encrypt, share and manage your files locally and in the cloud
diskAshur2 and datAshur Pro, First Take: Secure but pricey mobile drives
Seagate IronWolf 510 SSD, hands on: An enterprise-class cache to speed up your NAS
OWC Envoy Pro FX external SSD
Read more reviews More

Image: CD Projekt Red
Polish game developer CD Projekt Red, the maker of triple-A games like Cyberpunk 2077 and The Witcher series, has disclosed today a ransomware attack.
In messages posted on its official social media channels, the gaming studio said the attack took place yesterday when a threat actor gained access to the company’s corporate network.
“Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data,” the company wrote on Facebook and Twitter.
The game maker also published a copy of the attacker’s ransom note, in which the hackers claimed they obtained copies of the source code for games like Cyberpunk 2077, Gwent, and The Witcher 3, along with an unreleased version of The Witcher 3 game.

Image: CD Projekt Red
But despite the threat of a sensitive leak, the game maker said it wouldn’t be paying any ransom demand.
“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data,” the company said.
“We are still investigating the incident, however at this time we can confirm that —to our best knowledge — the compromised systems did not contain any personal data of our players or users of our services.”

The game maker said it already notified local authorities.
CD Projekt Red now becomes the fourth major gaming studio to fall victim to a ransomware attack over the past 12 months after attacks on Ubisoft and Crytek by the Egregor gang, and the attack on Capcom by the Ragnar Locker gang.
The attacker behind the CD Projekt Red attack has not been yet identified. More

Image: Ukraine Ministry of Internal Affairs
Ukrainian police arrested a 39-year-old man last week on accusations of developing and advertising one of the most advanced and widely used phishing toolkits of the underground hacking scene.
The suspect, whose name was not released to the public, was arrested last week, on Thursday, February 4, in the Ternopil region of Ukraine, following an international investigation between law enforcement agencies in Australia, the US, and Ukraine.
Suspect identified as uPanel author
Sources familiar with the investigation told ZDNet the suspect was the author of a phishing tool named uPanel, sometimes also referred to as U-Admin.
Fred HK, an independent malware security researcher who studied the toolkit in a report last year, described uPanel as the following:
“U-Admin is a control panel for receiving logs from phishing kits, and controlling victim interaction. U-Admin is also used with injections, which are snippets of code that are injected into a victims’ browser, enabling the attacker to gather more information from their victims. […] U-Admin is not sold on its own, it is included when you purchase one of their phishing pages/injects.”

Image of the uPanel store hosted on the dark web.
Image: Fred HK
According to information shared with ZDNet by threat intelligence firm Intel 471, uPanel was sold via a dedicated website hosted on the dark web and advertised on one a popular underground cybercrime forum, where the author went by the nickname of kaktys1010.
According to early versions of the author’s ads, the uPanel kit has been available for sale since 2015, with its price ranging from $80 to $800, depending on the features buyers wanted to have included in their panels.
uPanel had more than 200 customers

In a press release from the Ukrainian Ministry of Internal Affairs last week, officials said that uPanel had more than 200 active customers based on data they obtained after seizing computers, laptops, and smartphones from the suspect’s residence.
Officials believe the uPanel phishing toolkit was used in phishing operations that caused tens of millions of US dollars in losses to financial institutions in 11 countries, such as Australia, Spain, Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany, the US, and the UK.
Australian law enforcement said that more than 50% of all phishing attacks that targeted Australian users in 2019 were carried out using uPanel.
Investigators said the suspect didn’t just create the phishing kit and advertised but also spent a great deal of time and effort in providing tech support to its customers.
A video released by Ukrainian officials with footage from the suspect’s arrest is available below:
[embedded content] More

Image: ZDNet
Spammers have inundated the Python Package Index (PyPI) portal and the GitLab source code hosting website with garbage content, flooding both with ads for shady sites and services.
The attacks were unrelated to each other.
PyPI flooded with more than 10,000 listings
The biggest of the two attacks took place on PyPI, the official package repository for the Python programming language, and a website that hosts tens of thousands of Python libraries.
For the past month, spammers have been abusing the fact that anyone can create entries on the PyPI website to generate pages for non-existent Python libraries that basically served as giant SEO ads for various shady sites.
The pages usually contained a soup of search-engine-friendly keywords for various topics, ranging from gaming to porn and from movie streaming to giveaways, and a shortened link at the bottom, often leading to a site trying to obtain payment card data, according to ZDNet’s tests.

Reached out comment earlier today, the PyPI team said it was aware of the SEO spam flood.
“Our admins are working to address the spam,” Ewa Jodlowska, Executive Director of the Python Software Foundation, told ZDNet in an email on Monday.

“By the nature of pypi.org, anyone can publish to it so it is relatively common,” she added.
Shortly after the exec’s email, many of the spam listings created on the PyPI portal began to be removed, an operation that appears to be still underway.
GitLab project owners spammed via email
But while the spam attack on PyPI appears to have been going on for at least a month, a new one was detected at GitLab, a website that allows developers and companies to host and sync work on source code repositories.
An unknown threat actor appears to have spammed the Issues Tracker for thousands of GitLab projects with spam content on Sunday and Monday that, each, triggered an email to account holders. Just like the spam on PyPI, these comments also redirected users to shady sites.

Spamming source code repositories appears to be a new tactic for spam groups, which in previous years have usually focused on blogs, forums, and news portals, which have often seen their comment sections flooded with shady links.
GitLab was obviously not prepared for this kind of attack because its email system was overwhelmed and slowed down, with legitimate emails being delayed and queued, according to an incident status report the company published on Monday.

We confirmed that mail latency was caused by a user’s spam attack. Mitigation is in progress, as we drain the offending job processing queues. https://t.co/FRkUs3EQOU
— GitLab.com Status (@gitlabstatus) February 8, 2021

Things are back to normal now, but both incidents show the dangers of leaving systems open and unprotected on the internet.
While spam is not a sexy attack vector, many companies will often fail to secure servers, web apps, and subdomains and will often have these resources abused to either host or participate in spam attacks.
For example, Microsoft, one year later, still has a problem with spam groups hijacking subdomains on its official microsoft.com site to host shady content. More

The Attorney-General’s Department is currently in the midst of reviewing the Australia Privacy Act 1988. Since October, it has been calling for all interested parties to provide their two cents.
A reoccurring theme from many of the submissions has been to align the Act with international laws, such as Europe’s General Data Protection Regulation (GDPR). Facebook, for example, has suggested making such a change would prevent the creation of a “splinternet”. 
Adopting many elements of the GDPR would also provide for a more up-to-date definition of “personal information”, according to many. The Cyber Security Cooperative Research Centre (CSCRC), which is based out of Edith Cowan University in Western Australia, in its submission, called for the definition of personal information to be amended to align with the GPDR. As did Facebook.
AusPayNet submitted [PDF] that the definition of what constitutes personal data as seen in other data protection regulation should be used to reduce uncertainty and ensure the rights and freedoms of Australians are protected.
It said using the term “related to” rather than “about” an identifiable individual would also help.
Microsoft similarly believes [PDF] personal information should be defined in the Privacy Act to include information that relates to an identified or identifiable individual; likewise, DiGi [PDF], the not-for-profit association representing the digital industry in Australia, believes the definition of personal information in the Act should be updated to clarify that it captures technical data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual.  
The Act currently limits the definition of “personal information” to that of an identified individual or an individual who is reasonably identifiable.

The GDPR defines personal data as: “Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental economic, cultural or social identity of that natural person”.
The Human Rights Watch, meanwhile, has encouraged the consideration of the rights guaranteed to individuals under the GDPR, saying in its submission [PDF] many of which should form a fundamental part of a truly modernised Privacy Act.
Recognising a copy and paste of the EU law would not be the ultimate solution, Human Rights Watch added that the GDPR’s “rights of the data subject” section ensures there are clear and actionable rights for individuals. It believes the review of the Privacy Act should seek to provide the same, or similar.
In contrast, the Australian Financial Markets Association (AFMA) said it does not see an overarching need to amend the definition of personal information to expressly include technical information.
“The current definition of personal information does not imply the potential for exclusion of technical information as constituting personal information. We note the current definition is broad in scope, sufficiently so to include technical information to the extent that the information reasonably identifies an individual when combined with other data fields,” the AFMA said in its submission [PDF].
“We submit that it would not be appropriate to extend the definition of personal information to include personal information of the deceased given the well-recognised legal principles already applied in the Privacy Act.”
Fintech Australia, the body representing Australia’s fintech industry, has the interests of its data-hungry members at the forefront, arguing in its submission [PDF] a need for separate frameworks for how data is handled.
It has suggested a “simple framework” that is built to align with the relevant industry, rather than a one size fits all approach that is currently adopted with the principles based privacy regime.
“The overarching goal of the framework system should be to enable the development of a vibrant and innovative data economy in a way that maximises the certainty, transparency, trust and security of individuals to whom the data relates,” it wrote.
With calls for another GDPR mechanism, the right to erasure, coming from many submitters, Fintech Australia said it disagrees with such a concept.
“It is difficult in a practical sense to delete information from all systems; erasing data is not permitted in a lot of cases (such as for anti-money laundering purposes, know your client, and other requirements at law) and so the request may be futile and potentially gives individuals a misleading sense about what they can do with their information,” it said.
“It destroys a valuable resource for our digital economy as it may compromise an aggregated data set used for statistical or analytical purposes.”
MORE FROM THE PRIVACY ACT REVIEW More

Late last week, the government tabled the Commonwealth Ombudsman’s report on agency access to stored communications and telecommunications data for the 2018-19 financial year, and while the Ombudsman was upbeat about most agencies getting better, all agencies fell foul of sticking to the letter of the law in some way.
The irony is that the agencies inspected form the law enforcement arm at federal and state levels. The agencies looked at were Australian Criminal Intelligence Commission, Australian Federal Police (AFP), Crime and Corruption Commission Queensland, Department of Home Affairs, Independent Commissioner Against Corruption for South Australia, New South Wales Police, Queensland Police, Tasmania Police, Victoria Police, and Western Australia Police.
“We identified instances at all inspections in 2018-19 where agencies had accessed telecommunications data without proper authority. As such, the disclosure of the data was unauthorised,” the report [PDF] said in the section dedicated to telco data inspections.
Problems with the authorisations ranged from “administrative error”, such as in incorrect number or time period on a notice, to authorisation being made by those without authority to do so, failing to send written notices as required by law, and relying on oral notices.
“At all agencies, we identified instances where carriers had provided data that was not authorised because it was outside the parameters of the authorisation. This included instances where the carrier provided data that exceeded the time period authorised, or provided a different type of data than was authorised,” the report said.
The Ombudsman said although “many agencies” could identify and quarantine unauthorised data, at around half of the agencies, the inspections found further instances of unauthorised data.
Called out for an elevated level of criticism was Tasmania Police, which the Ombudsman said did not have a “well-developed compliance culture”.

“This was indicated by a large number of issues across several of its processes, including limited progress in addressing our previous inspection findings and significant variances in the level of awareness of requirements under the Act,” the report said.
“We considered that the required improvements could not be implemented without fundamental changes to the way Tasmania Police approaches compliance.”
In the telco data section, Tasmania Police received two recommendation and 10 suggestions, with failures in gaining consent to access data, a lack of record keeping on when communications data is destroyed, failing to destroy data when required, and data being destroyed without proper approval.
“At both the 2017-18 and 2018-19 inspections, we identified that all stored communications a particular carrier provided to Tasmania Police were received by a staff member who was not authorised to receive them,” the report stated.
The inspections also found Tasmania Police had an “ineligible issuing authority” around stored communication warrants.
“We were not satisfied that Tasmania Police had taken appropriate remedial action to manage the unlawfully accessed stored communications or that there was sufficient awareness within Tasmania Police of the existence of these invalid warrants,” the Ombudsman said.
Further, the inspections showed Tasmania Police failed to provide its annual report for 2017-18 to the Minister for Home Affairs, as required.
Previous instances of the report have seen the Department of Home Affairs dressed down for failing to handle stored communications data properly. In this instance, Home Affairs walked away with 11 suggestions in total.
“Over previous inspection periods we identified, and the department has disclosed, serious compliance issues relating to its use of stored communications powers. However, the scale and seriousness of these issues decreased as the department developed and implemented measures to improve its compliance,” the report said.
The department disclosed 74 instances of an unauthorised officer making authorisations for data, and 54 instances where received data was outside the period of the authorisations.
“In each instance, the department’s telecommunications data request system inputted the end time for authorisations as 00:00, rather than 23:59, which meant the period of the authorisation ended at the beginning of the day rather than the end,” the report said.
“While the department sought to address this through manual annotations on the authorisations, in some instances telecommunications data disclosed was dated after the end time of the authorisation and therefore outside of what was authorised,” the report said.
The AFP were handed three recommendations and 33 suggestions as the agency continued to issue successive foreign preservation notices, failed to gain consent of victims in one instance, failed to destroy data, and directed telcos to perform actions that were not required or did not have legal authority to perform.
The report said there were several instances where it could not be confirmed whether authorised officers had made “required considerations” prior to authorisation due to a lack of documentation. It also passed on multiple requests from foreign law enforcement without checking whether the request was permitted in Australia.
“We also identified that the AFP had made two foreign prospective authorisations (one of which had been extended) in the absence of the Attorney-General having made an authorisation … despite this being required before a foreign prospective authorisation can be made,” the report said.
“In our 2019-20 inspection, we found that the AFP was not able to account for the use and disclosure of the information it obtained under one of these authorisations and suggested that it do so.”
The AFP also received a number of stored communications warrants from a member of the Administrative Appeals Tribunal (AAT) that was not authorised to do so. This was a common issue amongst the agencies inspected, as were the issues of warrant templates not being in a prescribed form, and having incorrect wording in affidavits.
Victoria Police was also found to have authorised officers making requests without proper consideration, nor proper training or reference materials. The police force also does not have a system capable of quarantining unauthorised data. Consequently, Victoria Police received four recommendations and nine suggestions.
During the period covered by the report, NSW Police led the way with over 98,000 uses of its powers for historic records, followed by Victoria Police with 82,700, Queensland Police used the powers almost 25,300 times, the AFP used its powers for historic records 19,550 times.
For prospective records, Victoria Police used its powers almost 9,700 times, the AFP was next with 3,700 uses, followed by Queensland Police on 3,430.
Of those records, the Commonwealth Ombudsman only needed to look at 155 records from the AFP, 125 from Victoria Police, and 92 from Tasmania Police to find issues on which to base its report.
Updated at 12:14pm AEDT, 9 February 2021: Clarified number of agencies inspected was ten. Twenty agencies in total have access to stored communications and telecommunications in Australia.
Related Coverage More

Two of the largest social media platforms have asked that the Australian government consider implementing many of the elements present in Europe’s General Data Protection Regulation (GDPR) when refreshing the country’s 33-year old Privacy Act.
In a submission [PDF] to the Attorney-General’s review of the Privacy Act 1988, Facebook called for “effective privacy and data protection” as part of a “globally harmonised framework”. It believes failing to do runs the risk of creating a “splinternet”, where some countries or regions of the world adopt approaches to privacy and data protection that are mutually exclusive to other regimes.  
From 2017: How Europe’s GDPR will affect Australian organisations
To avoid this risk, Facebook has recommended that Australian privacy laws be reformed to make them more aligned with the “best practice privacy frameworks of Australia’s main trading partners and leading digital economies in the world”.
“Ensuring alignment with global norms enhances Australia’s global competitiveness and this type of regulatory harmonisation reduces unnecessary compliance costs and leads to increases in productivity,” it wrote.
Some alignments include changing “personal information” within the Act to “personal data” as defined in the GDPR; adopting “multiple flexible legal bases for using or disclosing data”, similar to the EU process; and implementing the right to erasure.
Facebook also claimed it is in “strong support” of a notification process that gives individuals a clear understanding of how their data is collected and how it will be used.

Let’s not forget: How Cambridge Analytica used your Facebook data to help elect Trump
Snap Inc agrees with Facebook’s argument to align the Privacy Act with the GDPR, recommending the Attorney-General’s Department “review endeavours to pursue a principles-based and proportionate approach in its revisions to the Act, drawing on the strengths of, and the lessons learned from, the [GDPR] in Europe”.
Of concern to Snap is that the Privacy Act does not currently contain a controller/processor distinction. Under the EU’s rules, controllers are responsible for determining the means and purposes of data processing, and processors act on behalf of the instructions of controllers.
“This distinction between controllers and processors increases accountability between parties,” Snap says in its submission [PDF].
“To increase the flexibility, and thus efficiency, of Australia’s privacy legislation we recommend aligning with the definitions of controllers and processors as defined in the EU [GDPR].”
Controller/processor notions are present in privacy laws outside of Europe, such as India, Japan, and Brazil.
Snap said, from the outset, its privacy principles have aligned with those of the GDPR. It has asked the Australian government to follow the GDPR closely, in particular, its principles-based approach.
“The GDPR already covers a number of the areas that this consultation seeks to address, including transparency and proportionality,” Snap wrote.
“Consequently, we would urge the Attorney-General’s Department to, as far as possible, mirror the principles-based approach of the GDPR which provides sufficient flexibility for businesses to decide how they will comply with the standards set by the Regulation as well as sufficient flexibility for data protection authorities to apply the rules in a smart, contextual way.
“We would also urge against any undermining of the delicate balance of interests carefully struck during the GDPR negotiations.”
On consent, Snap said consent alone is not an effective way to manage personal information as it places a lot of responsibility on users, which can result in consent fatigue.
“The legislator should consider legitimate interest as a basis for processing, combined with the requirement for controllers to conduct legitimate interest assessments. Legitimate interests place the burden on controllers, and require them to think critically about the data they process. This creates an accountability framework, and also offers users a more seamless user experience, without jeopardising their privacy,” it wrote.
This makes consent more meaningful, Snap believes.
Facebook, however, said the current definition of consent in the Act is sufficient and provides sufficient flexibility for consumers and businesses.
Agreeing with Google, Snap also believes 13 should be the age at which parental consent is no longer required. While Facebook did not provide comment on the age of consent, in its submission, it pointed to “Messenger Kids”, which is a video and chat app specifically for those under the age of 13, as being an environment where children can “develop digital literacy and safe online behaviours” and be “empowered”.
Facebook has previously warned the looming changes to phone giant Apple’s operating system could negatively impact its advertising revenue, with Mark Zuckerberg arguing that Apple’s changes are aimed at benefiting iMessage and harm small businesses. It will also harm one of Facebook’s recipe to success — tracking-based ad targeting.
Snap also took concern with the iOS 14 changes, saying they present a risk of interruption to demand after they’re implemented, but the company said it’s prepared for the changes.
During the company’s Q4 earnings call, CEO Evan Spiegel said the policy changes Apple is making will impact Snap’s ability to “effectively measure and optimise advertising outside of Snapchat”.
“The reality is we admire Apple, and we believe that they are trying to do the right thing for their customers,” CNBC quotes Snap chief business officer Jeremi Gorman as saying. “Their focus on protecting privacy is aligned with our values and the way we’ve built our business from the very beginning. Overall, we feel really well prepared for these changes, but changes to this ecosystem are usually disruptive and the outcome is uncertain.”
MORE FROM THE PRIVACY ACT REVIEW More