David Meyer

Lawyers and web experts attack UK’s fast-tracking of surveillance legislation

The World Wide Web Foundation and the United Kingdom Law Society have both strongly criticized the British government for attempting to fast-track the new Data Retention and Investigation Powers (DRIP) Act, which is meant to keep existing surveillance powers going but which will actually expand them greatly.

According to the World Wide Web Foundation, which is headed up by web inventor Tim Berners-Lee, the British government’s assertion that the bill needs to be rushed through as emergency legislation “seems at best incompetent, and at worst manipulative,” as the law could easily have been debated over recent months. The Law Society, which represents British lawyers, warned that history shows emergency laws tend to be “used for purposes for which they were not intended.”

NSA targets Tor administrators and people searching for privacy tools, reports claim

An investigation by the German broadcasters ARD and WDR has apparently demonstrated the targeting by the National Security Agency of a German student called Sebastian Hahn, who runs a node on the anonymization network Tor. It has also shown that anyone searching for “privacy-enhancing software tools” online may be marked for surveillance.

Tor (“The Onion Router”) works by bouncing traffic off a series of servers so that it’s near-impossible to trace who’s browsing what. It’s partly funded by the US Department of State because it’s handy for dissidents in repressive regimes, but Edward Snowden’s leaks already showed in 2013 that the NSA has been targeting Tor because it believes terrorists also use it.

Meanwhile, according to an English-language ARD article -- partly written by members of the Tor project -- the NSA “tracks all connections to a server that hosts part of an anonymous email service at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in Cambridge, Massachusetts.”

What’s more, the broadcasters reported -- again based on the source code -- that the actual contents of emails sent over the Tor network are extracted for scrutiny, not just the emails’ metadata about senders, recipients and timing.

Russia may force web firms to store Russians’ personal data within its borders

The Russian parliament, the Duma, has passed a bill that would require web service providers to store Russians’ personal data within the country’s borders.

The bill was passed on its first reading.

This is a similar move to that proposed in other countries such as Brazil, following Edward Snowden’s US National Security Agency revelations. However, Brazil dropped its plans for mandating local data storage.

If approved by the Federation Council, the Russian requirement will go into effect in September 2016, meaning companies like Google and Twitter would need to establish data centers in Russia by then if they want to continue trading legally there.

What is more, those that don’t comply may find their services blocked on the order of telecommunications regulator Roskomnadzor, according to Lenta.ru. In other words, this may be a precursor to the shutting-off of major international web services in Russia at some point in the coming years.

Europe’s roaming data cuts are welcome, but not the end of the story

Europeans traveling around the union will pay a lot less for mobile data, voice and SMS. The most drastic cut will be for data, with the retail price cap dropping from 45 euro cents ($0.62) per megabyte to 20 cents ($0.27).

This represents the last stage in the grading-down of data roaming premiums within the European Union (there were no retail caps on roaming data before mid-2012, when a 70 cent cap was introduced). It’s far from being the end of the story, though -- a major package of telecommunications reform that’s almost been signed into law will do away with intra-EU roaming premiums altogether.

There’s a huge political driver behind all of this, in the creation of a true EU single market -- in practical terms, EU politicians are trying to erase the borders between member states, and that’s not possible when crossing a border results in massive bill shock. For European startups, this is essential, particularly if their apps and services are intended to be used on the move.

The complete elimination of roaming fees within the EU will take place at the end of 2015, if member states give final approval to measures already backed by the European Commission and the European Parliament.

Germany dumps Verizon for government work over NSA fears

The German government is ditching Verizon as its network infrastructure provider, and it’s citing Edward Snowden’s revelations about NSA surveillance as a reason.

The aftermath of the Snowden leaks has seen China institute heavy vetting of US equipment and Brazil cancel big orders of US military kit. However, despite the fact that the bugging of Chancellor Angela Merkel provided a major diplomatic upset, until now Germany’s response has been more bark than bite. No longer. The German ministry of the interior said it would let its existing contract with Verizon expire as it tries to provide “an infrastructure with an increased level of security.”

Verizon currently manages Germany’s federal administrative infrastructure, through a contract that will run out in 2015. The statement cited the increasing prevalence of malware and other hacking threats, and it also explicitly called out the links -- exposed by “the NSA affair” -- between foreign intelligence agencies and private firms. It said it wanted one company to manage all its government networks.

US may extend some privacy rights to Europeans

The US Department of Justice has said it may extend certain privacy rights to European citizens to help them enjoy the same sort of data protections abroad as they do at home.

Attorney General Eric Holder said that the US intended to “take legislative action in order to provide for judicial redress for Europeans who do not live in the US,” according to a welcoming statement by EU justice chief Viviane Reding. As Reding said, this could remove a major stumbling block in data protection negotiations between the US and the European Union.

DARPA: Without better security, the Internet of things will be messy

The burgeoning Internet of Things is a great idea but it won’t really take off without some serious breakthroughs in security, said Dan Kaufman, director of the Information Innovation Office at the Defense Advanced Research Projects Agency (DARPA).

Kaufman pointed out that the PC industry was unusual in that customers pay thousands of dollars for products that are broken from the start -- you buy a new machine and the first thing you have to do is patch it -- and this model won’t fly when you’re dealing with smart homes and so on.

“If we don’t have a fundamentally new security model, then I don’t know how we’re going to enjoy the Internet of Things,” Kaufman said. “Patch Tuesday for your car or your insulin pump doesn’t make a whole lot of sense.”

That said, DARPA is working on it. Kaufman noted that the defense research agency is trying to build an unhackable operating system, and it’s starting with the real-time operating systems that power embedded systems, such as those that will underpin the Internet of Things.

Change your passwords, eBay urges customers as it reveals large-scale data breach

EBay users are being advised to change their passwords after hackers compromised some employees’ log-in credentials to break into the eBay corporate network.

The company said in a statement that the hackers broke into a database including “encrypted passwords and other non-financial data” and had not got their hands on any financial or credit card information, but best practice dictates users should change their passwords anyway.

The stolen information may include customer names, phone numbers, dates of birth, email addresses, physical addresses, and encrypted passwords. The breach took place between late February and early March but was not detected until recently. PayPal data is not affected, being stored in a different (and fully encrypted) system.

Reinventing the Internet: Here’s how to make online life more secure and trustworthy

[Commentary] Personal online security benefits everyone; well, almost everyone. Putting these measures in place wouldn’t be easy, and it would be unpopular in some quarters, but I think it would certainly be worth trying:

  • Responsible disclosure: A neutral body such as the International Telecommunication Union should administer the disclosure scheme, monitoring compliance around the initial quiet-tap-on-the-shoulder stage and ensuring the transparency of subsequent public disclosures.
  • Audit everything: This scheme should be funded by all countries and administered by the ITU or perhaps a standards-setting body like the IETF or the W3C. It should not be expensive, particularly when taking into consideration the public costs of dealing with attacks.
  • Encrypt everything: The W3C’s HTTP Working Group is already trying to ensure that open web use will become encrypted by default. The IETF and others are also now focused on improving the usability of online security and on encouraging standards-setters to think about security from the start.
  • Informed consent: The difference between opting in and out is vast. Shifting from an opt-out to an opt-in model would certainly add friction to sign-up and update processes, and it would require a standardized template that people broadly understand, but it’s the only honest way to process people’s data.
  • Privacy-friendly principles and evolutionary rules: The core principles should ideally be enshrined in a global Internet bill of rights, respected by countries and translated into national law as closely as possible. And here’s the overarching principle that should set the tone for the rest: the rights people enjoy offline should apply just as much online.

Here’s a great way to see how the UK’s airwaves are used

The UK telecommunications regulator Ofcom has just released an interactive “map” of the country’s radio spectrum, showing which frequencies are assigned to which use types -- all the way from the 8.3-11.3 kHz band (weather stations) to the 250-275 GHz band (radio astronomy).