Joseph Menn

Facebook CEO says not planning to extend European privacy protections globally

Facebook CEO Mark Zuckerberg said the social network had no immediate plans to apply a strict new European Union law on data privacy in its entirety to the rest of the world, as the company reels from a scandal over its handling of personal information of millions of its users. Zuckerberg said that Facebook already complies with many parts of the law ahead of its implementation in May. He said the company wanted to extend privacy guarantees worldwide in spirit, but would make exceptions, which he declined to describe.

Facebook says it will act against 'information operations' using false accounts

Facebook acknowledged that it has become a battleground for governments seeking to manipulate public opinion in other countries and outlined new measures it is taking to combat what it calls “information operations” that go well beyond the phenomenon known as fake news.

In a report and summary of response plans on its website, Facebook describes well-funded and subtle efforts by nations and other organizations to spread misleading information and falsehoods for geopolitical goals. These initiatives go much further than posting fake news stories to include amplification - essentially widening the circulation of posts through a variety of means - carried out by government employees or paid professionals, often using fake accounts.

Yahoo secretly scanned customer emails for US intelligence

Apparently, in 2015, Yahoo Inc secretly built a custom software program to search all of its customers' incoming e-mails for specific information provided by US intelligence officials. The company complied with a classified US government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a US Internet company agreeing to a spy agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time. It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That apparently could mean a phrase in an e-mail or an attachment. Yahoo Chief Executive Marissa Mayer's decision to obey the directive apparently roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

Security experts call for government action against cyber threats

Alarmed by mounting cyber threats around the world and across industries, a growing number of security experts see aggressive government action as the best hope for averting disaster.

Such fears and proposals on new laws and executive action to counter these threats were core topics in Las Vegas at Black Hat and Def Con, two of the world's largest gatherings for security professionals and hackers.

Longtime tech industry researcher Dan Geer said the US government should require detailed reporting on major cyber breaches, in the same way that deadly diseases must be reported to the Centers for Disease Control and Prevention. Critical industries should be subjected to "stress tests" like the banks, Geer said, so regulators can see if they can survive without the Internet or with compromised equipment.

Geer also called for exposing software vendors to product liability suits if they do not share their source code with customers and bugs in their programs lead to significant losses from intrusion or sabotage.

US technology companies beef up security to thwart mass spying

A year after Edward Snowden exposed the National Security Agency's mass surveillance programs, the major US technology companies suffering from the fallout are uniting to shore up their defenses against government intrusion. Instead of aggressively lobbying Washington for reform, Google, Microsoft Corp and other tech companies have made security advancements their top priority, adopting tools that make blanket interception of Internet activity more difficult.

"It's of course important for companies to do the things under our own control, and what we have under our own control is our own technology practices," Microsoft General Counsel Brad Smith told Reuters. "I don't know that anyone believes that will be sufficient to allay everyone's concerns. There is a need for reform of government practices, but those will take longer."

As part of a "Reset the Net" campaign now reaching a mainstream audience, Google said it was releasing a test version of a program allowing Gmail users to keep email encrypted until it reaches other Gmail users, without the company decrypting it in transit to display advertising.

Google, Microsoft and Facebook moved to encrypt internal traffic after revelations by Snowden, a former NSA contractor, that the spy agency hacked into their connections overseas. The companies have also made smaller adjustments that together make sweeping collection more difficult.

"Anyone trying to perform mass surveillance is going to have a much harder job today than they would have even six months ago," said Nate Cardozo, a staff attorney with the civil liberties group Electronic Frontier Foundation.

NSA infiltrated RSA security more deeply than thought -- study

Security industry pioneer RSA adopted not just one but two encryption tools developed by the US National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.

Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw -- or "back door" -- that allowed the NSA to crack the encryption.

A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability. The professors found that the tool, known as the "Extended Random" extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters. While Extended Random was not widely adopted, the new research sheds light on how the NSA extended the reach of its surveillance under cover of advising companies on protection.