Internet Society - News Headlines

DNS Privacy & IPv6 Security @ APTLD 75

Internet Society - News Headlines - Tue, 19/02/2019 - 08:36

The Internet Society will be actively contributing to the APTLD 75 meeting on 20-21 February 2019 in Dubai, United Arab Emirates.

Our colleague Jan Žorž will not only be presenting on DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) during the DNS Operations, Security, and Privacy session (20 February, 11.30-12.30 UTC+4), but will then be presenting on IPv6 connectivity issues during the Security in IPv6-enabled TLDs session (20 February, 14.30-15.30 UTC+4).

He’ll be in good company in what’s shaping up to be a great programme featuring a number of DNS luminaries covering technical, policy, internationalisation and data protection issues, as well as abuse handling and registry and registrar training. Other sessions of particular interest include 5G mobile networks, the implications of Alternative DNS Root Servers, and emerging trends in the DNS.

The Asia-Pacific Top-Level Domain (APTLD) Association is a non-profit organisation of ccTLD (Country Code Top-Level Domains) registries in the Asia-Pacific region that was founded in 1998. It organises two meetings each year for its members, with APTLD 75 being held in conjunction with the 6th Middle East DNS Forum.

If you’re interested in attending then you can register at http://www.aptld75.ae/reg/end.php

The post DNS Privacy & IPv6 Security @ APTLD 75 appeared first on Internet Society.

The Week in Internet News: Researchers Develop AI Writing App but Worry about Fake News

Internet Society - News Headlines - Fri, 15/02/2019 - 22:39

Too easy to fake: OpenAI, a research institute in San Francisco, has developed an Artificial Intelligence program to write news articles, but has declined to release a full-featured version of it because of fears that the AI could easily produce fake news, the MIT Technology Review says. OpenAI, associated with AI skeptic Elon Musk, will make only a simplified version publicly available. The institute will publish a research paper outlining its work.

Secure your IoT: Eleven organizations, including the Internet Society and Mozilla, have asked retailers to stop selling Internet-connected devices that don’t meet minimum security and privacy requirements, Techbizweb reports. A letter from the organizations, sent to Target, Walmart, Best Buy, and Amazon, asks them to publicly endorse minimum security and privacy guidelines for Internet of Things devices.

Competing in AI: U.S. President Donald Trump has signed an executive order meant to boost AI development in the country, The Hill reports. The order comes as some AI experts fear the U.S. is losing ground to China. Trump’s order directs federal agencies to prioritize and set aside funding for AI programs.

Broadband for all: Botetourt County in Virginia, where only about 70 percent of residents have access to Internet service, is moving forward on a community broadband network, Roanoke.com says. The county is partnering with electric cooperatives and other companies to expand broadband service.

Do you know the risks of what you’re buying? Get IoT smart!

Learn More about IXPs at the Middle East Network Operators Group

Internet Society - News Headlines - Fri, 15/02/2019 - 21:14

Internet Exchange Points are now considered to be an integral part of the Internet infrastructure worldwide. In very simple terms they are layer 2 switches that are used to route traffic that can be kept local instead of sending that traffic to the nearest major Internet node (usually located in Europe) and back. None of the countries of the Middle East contain enough globally-connected major Internet infrastructure so basically, all Internet traffic generated and terminated in the same country has to be routed through Europe. With well-implemented Internet Exchange Points, local Internet traffic stays local. Examples of local Internet traffic are financial transactions with your bank through online banking, requesting copies of your birth record from an e-government service, or any interaction with locally-hosted content.

Internet Exchange Points have three main benefits: lower latency, better cost efficiency, and control-of-traffic-sovereignty.

In the day and age of instant gratification and communications through social media and videos, latency, or the time it takes to fetch a web page, needs to be minimal and under 10ms as per industry standard (every 100km causes 1ms delay). In order to optimize the user experience, content providers have built their own global networks and spread their servers across the planet in an attempt to be as close as possible to the final users. Anyone and everyone who wants to provide content on the Internet today either has its own global network (Google, Apple, Facebook, Amazon, Microsoft, etc.) or gets that service from Content Delivery Networks (CDNs) such as Akamai, Cloudflare, etc. By placing the content near the Internet Exchange Point and routing it through the IXP facility, IXPs are major contributors to reducing latency.

With the advent of 5G and the Internet of Things (IoT), having IXPs contribute to reducing latency is even more crucial. You need your cloud-computing services to be as close to your self-driving vehicle as possible. The more responsive your car is, the safer it will be.

Cost efficiency is a direct benefit of using an IXP. For example, it uses less international bandwidth, which is still very expensive in Arab countries. The average cost of international bandwidth in North America and Europe is less than 1 USD per Mbps. In the Arab world, it starts at 10 USD per Mbps. Often in our countries, the price of international bandwidth and/or fiber local loop is simply incapable of keeping up with user demand.

Now about sovereignty. At a basic level, sovereignty is redundancy. Sovereignty means being self-sufficient as much as possible. A good example is the earthquake that hit Haiti a few years ago. The undersea cable connecting Haiti to the Internet was broken and Haiti became disconnected from the world. Luckily, Haiti had an Internet Exchange Point and the island was able to operate much needed local services, such as government-operated emergency response, radio link, etc. Additionally, if major international content providers were available at the IXP, Haiti could still have access to outdated but somehow relevant data.

Many Arab governments require their data to remain within their national geographical borders. In practice, this data routes itself routinely out of the region and back due to a lack of viable IXPs in the region. All would benefit from enacting their sovereignty by developing sustainable IXPs in their countries. Let’s apply sovereignty instead of talking about it.

One main misconception about IXPs is that they are a point of congregation for telecom operators only. In fact, successful IXPs are the ones that allow content providers and telecom operators to come together. Any network that has many users (such as universities, large banks, municipalities, e-government services, etc.) or that has content (newspapers, television stations, etc.) should peer at the IXP.

Another misconception is that local content is not available. It is true that the region consumes mainly international content, but building IXPs and enabling the appropriate environment to let them thrive contributes in its turn to the development and usage of local content.

The Internet Society has been helping to build IXPs across the world in Asia, Latin America, Africa, and the Middle East. We bring best practices and lessons learned from around the world and customize the learnings to the case at hand in each country. Every country is different and the main stakeholders are different. We bring international experts who have built IXPs around the world to transfer their knowledge in technology, community building, and IXP governance.

So where can one learn more about IXPs? By attending the Middle East Network Operators Group (MENOG), IXP stakeholders can share their experience and learn from each other. Like the Internet, IXPs also are evolving – and there is no substitute for meeting other network operators and staying up to date on the latest developments. MENOG 19 will take place in Beirut this year, from 31 March – 4 April, and all are welcome to participate by registering here: https://www.menog.org/meetings/menog-19/

We Are on This Road Together

Internet Society - News Headlines - Thu, 14/02/2019 - 17:10

Twenty-six-year-old software engineer Akah Harvey N L has fun building things and sharing his knowledge with local communities in Cameroon. While an undergraduate, Akah took part in the Google Summer of Code, giving him the opportunity to develop an application for one of the largest software organizations in the world. He is now a code reviewer for the online learning platform, Udacity, and leads software development training at Seven Academy in Cameroon. Akah is a 25 under 25 awardee and a cofounder of Traveler, a road safety and emergency app.

I am a software engineer and it’s hard to talk about anything I do without talking about the Internet. Beyond using the Internet for communication – reducing the distance between people with a speed that’s yet unrivaled – lies the gamut of useful services that help me accomplish my day-to-day tasks, like running client-server applications, downloading tools for my work, synchronizing software projects, collaborating on global impactful software projects with people I have never met, mentoring people online who are learning how to code on MOOC platforms, and even traveling the world. The ways in which the Internet simplifies people’s lives are difficult to accurately quantify. From social media to education, science, and research, the Internet is now considered one of the most significant inventions of humanity after fire and the electric lamp.

The Internet establishes a level platform for everyone, irrespective of race, gender, or age to express their creativity in ways that were, not so long ago, difficult to imagine. It offers limitless opportunities. But it’s important going forward that we educate people, as skills become more technical and the future of work changes. I have had the privilege of working with people from the largest software foundations in the world and their wisdom and guidance were invaluable in shaping the way I approached learning technology. It made it so much easier for me to understand the world I live in and to be able to enjoy sharing that knowledge with literally anyone willing to learn.

Everyone should learn about technology. It opens one’s mind to a whole new set of possibilities and can unlock hidden potential beyond our wildest imaginations.

The first step is for people to gain consciousness of their environment. Engineers, manufacturers, and developers need to be conscious that they have a moral obligation to build tools that save, not hurt. The very foundation of the Internet is violated when we fail to implement basic user privacy rights. Privacy and security should be built in by default. And users need to be aware of the long-term effects of upcoming technologies and how they are expected to be prepared. Read the Terms & Conditions. Read the updated privacy policy messages they see at the bottom of their screen. Both parties have a role to play in achieving a better society online.

It all starts, however, with keeping the Internet free and as open as possible for the less privileged to afford. Cost and distribution of bandwidth in Africa are still the most limiting factors for Internet access.

When the Internet was shut down in the country, we were developing the roadside safety app, Traveler. It made us realize how badly we needed to include a failsafe in our system to ensure we were not crippled during such events. And it presented some real challenges; finding out what could be achieved using different types of connections, and the amount of information being processed in real time. It’s hard to conceive that the absence of basic Internet connectivity could still be an issue in the 21st century. But that is how it is in Africa. Hopefully we will see improvements, major stakeholders who are interested in the development of our continent.

We are all on this road together. Stop and ask for help on your journey. Learn as you go so that you can empower those coming after you.

Visit #CountMyVoice and help build an Internet that’s for everyone!

Do You Want Privacy With That?

Internet Society - News Headlines - Tue, 12/02/2019 - 17:30

You may have heard about CloudPets being pulled off shelves for recording kids’ voices and that data being leaked, or the EU recalling kids’ smart watches for giving away children’s location in real time. If you’re shopping for any sort of Internet-connected device, you should be worried about your privacy and investigating how much data your new gadget is collecting. That’s why we’ve joined Mozilla in calling on big retailers in the US like Target, Walmart, Best Buy, and Amazon to publicly endorse and apply our minimum security and privacy guidelines and stop selling insecure connected devices.

From the letter: “Given the value and trust that consumers place in your company, you have a uniquely important role in addressing this problem and helping to build a more secure, connected future. Consumers can and should be confident that, when they buy a device from you, that device will not compromise their privacy and security. Signing on to these minimum guidelines is the first step to turn the tide, and build trust in this space.”

In total, the letter is co-signed by 11 organizations: Mozilla, Internet Society, Consumers International, ColorOfChange, Open Media & Information Companies Initiative, Common Sense Media, Story of Stuff, Center for Democracy and Technology, Consumer Federation of America, 18 Million Rising, Hollaback

5 Minimum Security Standards for IoT Devices

Encrypted communications
The product must use encryption for all of its network communications functions and capabilities. This ensures that all communications are not eavesdropped or modified in transit.

Security updates
The product must support automatic updates for a reasonable period after sale, and be enabled by default. This ensures that when a vulnerability is known, the vendor can make security updates available for consumers, which are verified (using some form of cryptography) and then installed seamlessly. Updates must not make the product unavailable for an extended period.

Strong passwords
If the product uses passwords for remote authentication, it must require that strong passwords are used, including having password strength requirements. Any non-unique default passwords must also be reset as part of the device’s initial setup. This helps protect the device from vulnerability to guessable password attacks, which could result in device compromise.

Vulnerability management
The vendor must have a system in place to manage vulnerabilities in the product. This must also include a point of contact for reporting vulnerabilities or an equivalent bug bounty program. This ensures that vendors are actively managing vulnerabilities throughout the product’s lifecycle.

Privacy Practices
The product must have a privacy policy that is easily accessible, written in language that is easily understood and appropriate for the person using the device or service. Users should at minimum be notified about substantive changes to the policy. If data is being collected, transmitted or shared for marketing purposes, that should be clear to users and, as in line with the EU’s General Data Protection Regulation (GDPR), there should be a way to opt-out of such practices. Users should also have a way to delete their data and account. Also in line with GDPR, this should include a policy setting standard retention periods wherever possible.

These five are a subset of our IoT Trust Framework, a more comprehensive set of principles manufacturers, resellers, and policymakers can use to help secure IoT devices and their data.

We hope that this letter opens the discussion with large retailers so that we can work together to increase consumer confidence that the devices they bring into their lives will not do them harm. We’re committed to helping improve the safety and trustworthiness of all types of IoT products.

Here’s What You Can Do Today
  • Check out our #GetIoTSmart page for consumer and enterprise IoT safety checklists and to keep up to date on our latest IoT activity for news and tips
  • Reach out to your favorite retailer to (1) share our tips and advice, (2) express your thoughts on privacy and security, and (3) ask them to commit to endorsing minimum security standards in the products they sell. — Tell them to #GetIoTSmart!

Future Thinking: Alissa Cooper on the Technical Impact of Internet Consolidation

Internet Society - News Headlines - Tue, 12/02/2019 - 15:24

In 2017, the Internet Society unveiled the 2017 Global Internet Report: Paths to Our Digital Future. The interactive report identifies the drivers affecting tomorrow’s Internet and their impact on Media & Society, Digital Divides, and Personal Rights & Freedoms. While preparing to launch the 2019 Global Internet Report, we interviewed Alissa Cooper to hear her perspective on the forces shaping the Internet’s future.

Alissa Cooper is a Fellow at Cisco Systems. She has been serving as the Chair of the Internet Engineering Task Force (IETF) since 2017. Previously, she served three years as an IETF Applications and Real-Time (ART) area director and three years on the Internet Architecture Board (IAB). She also served as the chair of the IANA Stewardship Coordination Group (ICG). At Cisco, Cooper was responsible for driving privacy and policy strategy within the company’s portfolio of real-time collaboration products before being appointed as IETF Chair. Prior to joining Cisco, Cooper served as the Chief Computer Scientist at the Center for Democracy and Technology, where she was a leading public interest advocate and technologist on issues related to privacy, net neutrality, and technical standards. Cooper holds a PhD from the Oxford Internet Institute and MS and BS degrees in computer science from Stanford University.

The responses below are Cooper’s personal views and do not represent the views of the IETF.

The Internet Society: This year we’re focusing our Global Internet Report on consolidation in the Internet economy. We’re specifically investigating consolidation trends in the access, services, and application layers of the Internet respectively, as well as consolidation trends acting vertically across layers (e.g., companies gaining dominance in more than one of the Internet’s layers). Have you noticed a trend in this regard?

Alissa Cooper: Yes, although I think it would be useful to develop more quantitative measures to demonstrate the trend over time.

If yes, how does this trend impact the IETF?

Standards development always has a strong and multifaceted relationship to market dynamics. From a technical perspective, trends toward consolidation have caused engineers in the IETF to consider the implications of their technical designs. If we design standardized communication protocols in certain ways, such protocols may be more likely to support distributed or decentralized infrastructure or services. Conversely, there are design choices we can make that could reinforce consolidation or the offering of certain services from a smaller and smaller number of large companies. This question about whether the building blocks that we design in the IETF are reinforcing the consolidation trend has come into sharper focus in recent times.

The consolidation trend also has the potential to affect who participates in the IETF and how those in the industry view the value of standardization. Larger, more prosperous companies tend to have a greater ability to support standardization work, which is often paid for out of R&D or innovation budgets. As the mix of companies that provide Internet infrastructure and services changes, the composition of IETF participants tends to change as well. That mix can also affect corporate standardization strategy. More dominant players might standardize if they perceive that it reinforces their own technology – or they might choose not to, if they perceive that it is unnecessary given their dominant position.

Could you tell us more about Hypertext Transfer Protocol Version 3 (HTTP/3) as an example of how digital dominance, or scale, can drive standard development?

HTTP/3 is a work-in-progress aiming to define how HTTP traffic will be carried over a new transport protocol, QUIC, which is also in development. Historically, there have been two main transport protocols that have seen wide deployment on the open Internet: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). Many other transport protocols have been designed and standardized over the decades, but few have seen wide deployment. Some of the reasons for this include the existence of equipment in the middle of the network that filters transport protocols it does not recognize, and the difficulty of getting support for new transport protocols into the many different operating systems running on Internet-connected devices today.

QUIC is designed specifically to overcome these barriers. QUIC traffic, including the metadata that identifies the protocol, is always encrypted, so networking equipment cannot filter it based on the metadata or the traffic content. And QUIC is built on top of UDP, so it does not require operating system modifications in order to be deployed. Thus QUIC and HTTP/3 are instructive if we look at what it takes to get a protocol deployed at scale on today’s Internet, which is truly a heterogenous network of networks.

QUIC began as an experiment at Google before it was brought to the IETF for standardization, and Google has a large deployment of its own, pre-IETF version of QUIC. I think the fact that a company with such a large footprint on the web – both from the browser/mobile device side and the server side – was interested in standardizing this definitely caused others to become more interested in participating in the effort. But this is certainly not a case where a single large company has dominated the standards process; in fact we have seen quite the opposite, with participation from dozens of organizations and individuals as well as major improvements to the IETF version of the protocol that are incompatible with Google’s existing deployed version.

Do you consider this a positive or negative example of digital dominance? If successful, could it allow a dominant browser provider to gain significant market power (as argued here)?

If QUIC and HTTP/3 deliver on their design goals – improving performance and security – then my expectation would be that all browsers and web servers that choose to implement them will reap those benefits. I think in general wider use of encryption at the transport and application layers is a positive development because it helps to protect end users’ data in transit to the sites and services to which that data was destined anyway. It creates an impetus to re-think how certain network management and measurement functions that previously required access to unencrypted data can work. This may require some re-engineering, but my hope is that it will not detract from the overall positive impacts of transport protocol evolution.

An IETF working document (or Internet Draft), Considerations on Internet Consolidation and the Internet Architecture, was recently published. Can you tell us more of what’s being investigated and proposed?

The Internet Architecture Board (IAB) provides long-range technical direction for the Internet’s development. This draft document arose out of conversations that the IAB has had concerning consolidation on the Internet. We have tried to tease out the technical and economic factors that may be contributing to consolidation. This includes looking at the underlying security and privacy properties of networks and services and the evolution of content delivery. The draft currently poses questions and does not provide many answers. The IAB is continuing to discuss how we can learn more about why expectations for decentralized protocol deployment are or are not coming to fruition in practice.

Much of the public debate seems to focus on consolidation from predominantly a perspective of negative implications. Can you think of any positive aspects of consolidation?

Sure. In some cases larger entities can have faster, broader, positive impacts on end users. Today, if one or a small handful of the largest web properties, content delivery networks, or email service providers chooses to deploy a new security technology or implement a performance-enhancing feature, those improvements can benefit millions or billions of users on short order. Furthermore, the ability of larger entities to collect more data about what is happening on the network can help improve the quality of the services they provide, for example by enhancing their ability to identify denial-of-service attacks or spam.

Is competition law the only solution to consolidation problems? If “code is law,” how can the technical community help prevent the potentially negative consequences of consolidation trends?

There are people in the technical community who are trying to identify the relationships between technical design choices and consolidation, but many of the drivers for the consolidation we are witnessing are based in business and economics, not purely in technology. I always found Lessig’s articulation of how technical, economic, social, and legal influences reinforce one another to be a more compelling framework for understanding the shape of the environment in which technology exists than the more simplistic “code is law” tag line. Specifically when it comes to dominance and market power, competition law is likely the most powerful tool available, and one whose application could yield both immediate and longer term effects unlike any that may be achievable merely by shifting the design of the sorts of technical building blocks that we specify in the IETF.

Is there hope, from a technical perspective, in data portability as a way of addressing consolidation concerns?

The main barriers to data portability are not technical ones. We have a multiplicity of ways to port data of all kinds between services in a standardized fashion, if the incentive or regulatory requirements to do so were in place.

What are your fears for the future of the Internet?

My biggest fear is that as the Internet gets more deeply ingrained into society, that it will be increasingly blamed for society’s ills. I believe in tackling problems at their source. At times that means deploying a technological solution or regulating how technology is used, but at other times it means regulating behavior or inspiring behavioral change.

What are your hopes for the future of the Internet?

The Internet has a long history of serving as an open, global platform for communication and human connection. My hope is that even as market dynamics shift, technology evolves, and geopolitics change, the fundamental properties that have made the Internet the most successful communications medium in human history will remain solid and flourish.

We’re getting ready to launch the 2019 Global Internet Report. Read the concept note.

The Week in Internet News: Google Moves to Make it Easier to Encrypt Cheap Android Devices

Internet Society - News Headlines - Mon, 11/02/2019 - 14:49

Easier encryption? Google engineers have created a new encryption regime that can run on cheap and underpowered smartphones, Wired.com reports. The Google effort takes established cryptographic tools and implements them in a more efficient way.

Email encryption required: The EU’s GDPR privacy regulation requires encryption at least at the transport layer for email, according to a recent ruling by Germany’s data protection authority. The ruling also suggests that transport layer encryption may not be enough for sensitive personal information, TechDirt says.

Encryption proposal questioned: India’s proposal to require tech companies to hand over encrypted communications is “not possible,” WhatsApp has said. The proposed rules are “not possible today given the end-to-end encryption that we provide and it would require us to re-architect WhatsApp, leading to a different product, one that would not be fundamentally private,” WhatsApp said in a Financial Times story.

Federal action: The U.S. White House is planning to take executive action to promote research and development related to Artificial Intelligence, advanced manufacturing, quantum computing, and 5G wireless technology, Reuters reports. There’s some concern that the U.S. is losing ground to countries like China.

AI could go awry: Microsoft has warned investors that its AI efforts could go in a different direction than the company wants and could hurt its reputation, Business Insider reports. “AI algorithms may be flawed,” Microsoft wrote in a quarterly report. “Datasets may be insufficient or contain biased information. Inappropriate or controversial data practices by Microsoft or others could impair the acceptance of AI solutions. … Some AI scenarios present ethical issues.”

No. 1 in fake news: India has the most fake news and Internet hoaxes in the world, according to a survey by Microsoft, detailed in the Evening Standard. Sixty-four percent of Indians have encountered fake news, compared to 57 percent of world residents. In some cases, fake news in India has turned deadly, with more than 40 people killed in the country last year during what the paper called a “plague of smartphone-fueled mob murders.”

Encryption is under threat around the world. It’s up to all of us to take action to protect encryption, protect our data, and protect one another.

DNS Flag Day

Internet Society - News Headlines - Fri, 08/02/2019 - 15:00

The 1st of February was DNS Flag Day, which is an initiative of several DNS vendors and operators to address the problems of DNS name server implementations that are not in compliance with long-established DNS standards. This non-compliance not only makes the DNS unnecessarily slow and inefficient, but also prevents operators from deploying new functionality, including mechanisms to protect against DDoS attacks.

DNSSEC and other extended features of the DNS require EDNS0 (Extension Mechanisms for DNS – RFC 6891), and properly implemented name servers should either reply with an EDNS0 compliant response, or provide a regular DNS response if they don’t understand.

However, a lot of name server software is not implemented properly, which has meant resolvers have had to incorporate workarounds when name servers don’t respond correctly. These workarounds cause unnecessary retries and delays, and prevent the newer features of the DNS from being used.

As a result, the vendors of the most commonly used DNS software (BIND, Unbound, PowerDNS and Knot) will no longer be supporting these workarounds in new versions of their software, whilst a number of public DNS resolver operators (CleanBrowsing, Cloudflare, Google and Quad9) will no longer resolve hostnames served by broken name server implementations.

This may mean sites become unreachable, which makes it imperative that DNS administrators and domain name holders check whether their authoritative name servers are compliant with the DNS standard from 1987 (RFC1035) or the newer EDNS standard from 1999 (RFC2671 and RFC6891).

The DNS Flag Day website has some helpful information on what DNS administrators and domain name holders need to do, and there’s also a tool to check whether your domain is affected. So if you haven’t already done so, please check your domain for compliance as soon as possible!
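The two acceptable behaviours described above (an EDNS0 reply, or a regular DNS reply from a server that does not understand EDNS0) can be told apart from the broken case on the wire. The following is an added example, not the DNS Flag Day tool's code: the verdict names, the `make_reply` helper and the sample replies are constructed for illustration, and sending the query to a real name server over UDP is left out so that it runs offline.

```python
"""Classify how an authoritative server handled an EDNS0 query (RFC 6891)."""
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-record
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a host name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=6, txid=0x1234, udp_size=1232, do_bit=True):
    """Build a non-recursive query (default SOA) carrying an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = 0x8000 if do_bit else 0  # ext-rcode 0, version 0, DO flag
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_message(msg):
    """Extract the header fields and the OPT record, if any, from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("truncated record")
        if rtype == OPT:  # CLASS holds the UDP size, TTL holds the flags
            opt = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                   "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    rcode = (flags & 0xF) | ((opt["ext_rcode"] << 4) if opt else 0)
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": rcode, "opt": opt}


def classify(query, reply):
    """Return (verdict, detail); reply is None when the server never answered."""
    if reply is None:
        return "broken", "no reply to an EDNS0 query (timeout)"
    try:
        r = parse_message(reply)
    except (IndexError, struct.error, ValueError):
        return "broken", "malformed reply"
    if not r["qr"] or r["txid"] != struct.unpack_from("!H", query)[0]:
        return "broken", "reply does not match the query"
    name = RCODE_NAMES.get(r["rcode"], str(r["rcode"]))
    if r["opt"] is None:
        return "plain-dns", "regular DNS reply without OPT, rcode " + name
    if r["opt"]["version"] != 0:
        return "broken", "unexpected EDNS version %d" % r["opt"]["version"]
    return "edns-ok", "EDNS0 reply, rcode " + name


def make_reply(query, rcode=0, with_opt=True, version=0):
    """Constructed sample reply to `query` (stands in for a captured packet)."""
    question = query[12:-11]  # strip the header and the 11-byte OPT record
    header = query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1, 0, 0,
                                     1 if with_opt else 0)
    opt = (b"\x00" + struct.pack("!HHIH", OPT, 1232, version << 16, 0)) if with_opt else b""
    return header + question + opt


if __name__ == "__main__":
    q = build_query("example.com")
    samples = {
        "EDNS-aware server": make_reply(q),
        "pre-EDNS server": make_reply(q, rcode=1, with_opt=False),
        "server that drops EDNS queries": None,
        "truncated garbage": make_reply(q)[:20],
    }
    for label, reply in samples.items():
        print(label, "->", classify(q, reply))
```

Only the `broken` verdicts correspond to the behaviour that resolvers will stop working around; a `plain-dns` reply is still standards-compliant.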

The post DNS Flag Day appeared first on Internet Society.

A Free and Open Course on Data Protection in the Post-GDPR World

Internet Society - News Headlines - Thu, 07/02/2019 - 17:30

Last year, we published “The Dawn of New Digital Rights for Finnish Citizens,” about the launch of the New Digital Rights MOOC, a collaboration between Open Knowledge Finland and the Internet Society’s Finland Chapter. Raoul Plommer wrote, “The aim of the project is to make citizens more aware of their digital rights, initially focusing on explaining GDPR (General Data Protection Regulation) and MyData…through a MOOC platform and series of workshops that create content and train people and organizations to use it.” Plommer has written an update on the project:

We have come a long way from the beginning of last year, when we were given funding for the project from Internet Society’s Beyond the Net Funding Programme, and Eurooppatiedotus, which is a sub-organization of the Finnish Foreign Ministry.

It took us several months to agree on what is essential to know about the General Data Protection Regulation (GDPR) and how we would present it to the general public. It was also challenging to get all the content done without actually paying everyone for all their hard work. Both of our funders had a strict limit on how much money could be spent on salaries (15% and 30%). On the other hand, they both allowed paying companies and outsourcing work to people outside the organization, which made the progress unnecessarily tricky, but at least possible.

Here’s what we’ve done:

  1. Seven workshops on creating content, including a larger workshop day after the GDPR day on the 25th of May, with 23 people making data requests to different organizations.
  2. So far, two training workshops, of which one was for students in Tampere, and another for pensioners’ IT-trainers in Helsinki. In the latter, they even wrote a blog about the session.
    We’re still trying to confirm the date for a third training session for Boy Scouts in February, and hopefully will be able to set the date for it next week.
  3. We’ve received a decent amount of coverage in the media:
    Helsingin Sanomat (the biggest newspaper in Finland)
    MTV Uutiset
    GDPR Today
    We’re also waiting on another Finnish reporter to go through our course material and write a story about his experience – hopefully it’ll happen soon!
  4. Had the launch event on the 15th of January in Eurooppasali.
  5. We’ve had 2/4 of the introductory/feedback webinars, which take place on Tuesdays, at 16 UTC.
  6. I applied for a session to present our project at RightsCon 2019 and hopefully we’ll get accepted!

I also want people to be aware that the license for the whole project is Creative Commons 4.0, which essentially means that we want people to do anything they want with the material, without asking for a separate permission to do so, even for commercial purposes.

Most of all, we want as many people as possible to know their rights and how to exercise them. This is really for all of our benefit.

Do you have a great idea to make your community better via the Internet? Apply for a Beyond the Net grant, which funds projects up to $30,000 USD, and follow Beyond the Net on Twitter!

This post was first published at digirights.info, where you can find more photos from the project.

The post A Free and Open Course on Data Protection in the Post-GDPR World appeared first on Internet Society.

In Southeast Asia, Improving Livelihoods Through Crowdsourcing

Internet Society - News Headlines - Wed, 06/02/2019 - 15:45

The Southeast Asia region is one of the fastest growing regions in the world today. With rich natural resources, it has evolved into a highly industrialized region, inviting investors from all over the world. The riches, however, are not enjoyed by all. According to one ASEAN report, close to 36 million of its population are still living below the international poverty line, with 90% of these people in Indonesia or the Philippines.

Realizing that ASEAN’s greatest asset is its people, various initiatives have been carried out to promote community-driven activities and people-to-people interactions aimed at narrowing the income gap in the region. Today, it still remains relevant for ASEAN member states to partner with private organizations to identify and finance poverty eradication programs in order to realize the Sustainable Development Goals and ASEAN Vision 2025.

The Internet Society Malaysia Chapter, through the Beyond the Net Medium & Large Grant programme, and in collaboration with Malaysia’s Ministry of Women, Family and Community Development, the University Utara Malaysia, and the Council of Deans for ICT Education (Region IX) Philippines, aims to train 400 women in Malaysia and the Philippines to use the MyHelper crowdsourcing application so that they can earn extra income by performing non-digital tasks. This three-pronged project provides opportunities for women to develop essential entrepreneurial skills through ICT, empowers women to start their own businesses, and helps them use the Internet to improve their livelihoods.

MyHelper Mobile Apps
MyHelper is a mobile-based crowdsourcing application which allows people to seek and perform non-digital tasks in order to supplement their income. Built on the Android platform, the application is free and easy to use. The application also is easily customizable so that it can be used in other countries where English is not the primary language.

Under this program, volunteers are engaged to train and support women in their development efforts. The Internet Society Malaysia Chapter believes that poverty eradication requires a multidimensional approach which encompasses education, health, and standard of living, and can only be achieved via sustainable, holistic, and inclusive strategies that include the development of human capital.

This article was originally published on https://intercrowd.blogspot.com/.

We’re looking for ideas from people all over the world on how to make their community better using the Internet. The Internet Society Beyond the Net Funding Programme funds projects up to $30,000.00 USD. 

The post In Southeast Asia, Improving Livelihoods Through Crowdsourcing appeared first on Internet Society.

Routing Security – Getting Better, But No Reason to Rest!

Internet Society - News Headlines - Tue, 05/02/2019 - 15:00

Editor’s note: This is an abridged version of a post that was first published on MANRS.org. Read the full version.

In January last year I looked back at 2017, trying to figure out what routing security looked like globally and on a country level. I used BGPStream.com – a great public service providing information about suspicious events in the routing system.

The metrics I used for this analysis were the number of incidents and the number of networks involved, either by causing such incidents or by being affected by them.

An ‘incident’ is a suspicious change in the state of the routing system that can be attributed to an outage or a routing attack, like a route leak or hijack (either intentional or due to a configuration mistake). BGPStream is an operational tool that tries to minimize false positives, so the number of incidents may be on the low side.

Of course, there are a few caveats with this analysis – since any route view is incomplete and the intents of the changes are unknown, there are false positives. Some of the incidents went under the radar. Finally, the country attribution is based on geo-mapping and sometimes gets it wrong.

However, even if there are inaccuracies in details, applying the same methodology for a new dataset – 2018 – gives us a pretty accurate picture of the evolution.

Here are the highlights of some changes in routing security in 2018, compared to 2017.

  • 12,600 (a 9.6% decrease) total incidents (either outages or attacks, like route leaks and hijacks).
  • Although the overall number of incidents was reduced, the ratio of outages vs routing security incidents remained unchanged – 62/38.
  • About 4.4% (a decrease of 1%) of all Autonomous Systems on the Internet were affected.
  • 2,737 (a decrease of 12%) Autonomous Systems were a victim of at least one routing incident.
  • 1,294 (a 17% decrease!) networks were responsible for 4,739 routing incidents (a 10.6% decrease).

The bottom line – we did much better last year than the year before. Is it accidental, or part of a positive trend? This is hard to say yet, although in my experience there is much more awareness, attention, and discussions of the challenges of routing security and helpful solutions recently.

Let us look in more detail at what was happening in the global routing system in 2018.

Although comparing just two years cannot say a lot about a long-term trend, overall, I feel we are moving in the right direction. More awareness and attention to the issues of routing security in the network operator community, rejuvenated interest in RPKI, and some of the positive trends I described here support this.

I’d like to believe that efforts like MANRS also contributed to this positive trend. MANRS, an industry-driven initiative supported by the Internet Society, provides an opportunity to strengthen the community of security-minded operators and instigate a cultural change. MANRS defines a minimum routing security baseline that networks are required to implement to join. The more service providers join MANRS, the more gravity the security baseline gets, the more unacceptable the lack of these controls will be, the fewer incidents there will be, and the less damage they can do.

This baseline is defined through four MANRS Actions:

  • Filtering – Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks with prefix and AS-path granularity
  • Anti-spoofing – Enable source address validation for at least single-homed stub customer networks, your own end-users, and infrastructure
  • Coordination – Maintain globally accessible up-to-date contact information
  • Global Validation – Publish your data, so others can validate routing information on a global scale.

Maintaining up-to-date filters for customer announcements could mitigate many route leaks. Preventing address squatting could help ward off things like spam and malware. Keeping complete and accurate routing policy data in Internet Routing Registry (IRR) or Resource Public Key Infrastructure (RPKI) repositories is essential for global validation that helps prevent BGP prefix hijacking. Having updated contact information is vital to solving network emergencies quickly.

Last year the community also developed MANRS for IXPs, another baseline that allows an IXP to build a “safe neighborhood” with the participating networks. The most important Actions, which are therefore mandatory for joining, are:

  • Prevent propagation of incorrect routing information. Requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI).
  • Promote MANRS to the IXP membership. IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions.
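Filtering announcements against RPKI data, as the Global Validation action enables and as the first MANRS for IXPs action requires at the Route Server, comes down to route origin validation (RFC 6811). The sketch below is an added example, not MANRS or route-server code: the validated ROA payloads and the announcements are constructed from documentation prefixes and AS numbers, and `filter_announcements` is a hypothetical helper name.

```python
"""RPKI route origin validation (RFC 6811) over constructed sample data."""
import ipaddress
from collections import namedtuple

# A validated ROA payload: the prefix, the longest length allowed, the origin AS.
VRP = namedtuple("VRP", "prefix max_length asn")


def make_vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def validate_origin(prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"  # no ROA covers this prefix, so nothing can be said
    for v in covering:
        # AS0 in a ROA means "must not be originated", so it never matches.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin or more specific than allowed


def filter_announcements(announcements, vrps):
    """Split announcements into (accepted, rejected), dropping RPKI-invalid ones."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, vrps)
        (rejected if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


# Constructed sample data (documentation prefixes and AS numbers only).
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),
    make_vrp("2001:db8::/32", 48, 64498),
    make_vrp("203.0.113.0/24", 24, 0),
]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # matches the ROA
    ("192.0.2.0/24", 64511),       # covered prefix, different origin AS
    ("192.0.2.128/25", 64496),     # right origin, longer than max_length
    ("198.51.100.0/24", 64500),    # no covering ROA
    ("2001:db8:1::/48", 64498),    # within max_length
    ("2001:db8:1:1::/64", 64498),  # longer than max_length
    ("203.0.113.0/24", 64499),     # covered only by an AS0 ROA
]

if __name__ == "__main__":
    ok, dropped = filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_VRPS)
    for entry in ok:
        print("accept", entry)
    for entry in dropped:
        print("reject", entry)
```

Routes in the `not-found` state are accepted here because they have no ROA to contradict them; whether to accept them is a local policy choice.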

In 2018 we saw a significant uptake in MANRS, too. In one year the number of participants more than doubled, reaching 120, and the MANRS IXP Programme grew to 28 IXPs.

Let us hope all the positive trends continue in 2019. And it is not hope alone – every network can influence this future. Because once connected to the Internet – we are part of the Internet.

The post Routing Security – Getting Better, But No Reason to Rest! appeared first on Internet Society.

The Week in Internet News: Japan to Probe Residents’ IoT Devices

Internet Society - News Headlines - Mon, 04/02/2019 - 15:03

Government hacking: Japanese government workers will be able to hack into residents’ Internet of Things devices in an attempted survey of IoT insecurity, ZDNet reports. The Japanese government recently approved an amendment that allows the survey by employees of the National Institute of Information and Communications Technology. The government hacking effort is part of Japan’s preparation for the Tokyo 2020 Summer Olympics. Government officials are worried that other hackers might use compromised IoT devices to launch attacks against the games.

Evolving encryption: A story at TechTarget looks at the evolution of the Let’s Encrypt certificate authority, established in 2016. The free and automated certificate authority is “changing the industry in interesting ways” by making the certificate process less cumbersome, the story says. Meanwhile, a story at CSO Online looks at the Electronic Frontier Foundation’s efforts to encrypt the entire Internet and says that Let’s Encrypt is an important piece of that campaign.

Lagging encryption: Less than 30 percent of enterprise businesses encrypt their data across their on-premises environments, within their cloud services or on their mobile devices, according to a survey from French aerospace and security vendor Thales Group. A Computer Business Review story notes that encryption still isn’t widespread, even though 60 percent of organizations acknowledge they’ve been breached.

No deal: A judge has rejected a proposed settlement for massive data breaches disclosed by Yahoo in 2016, Ars Technica says. The proposed settlement would have paid out $50 million to affected users, but U.S. District Judge Lucy Koh was unimpressed. Yahoo has not committed to any budget increases for data security and has made “only vague commitments as to specific business practices to improve data security,” she wrote.

Jail for fake news: A Thai man has been arrested and faces up to five years in jail for posting inaccurate information on his website, The Australian reports. The man had posted a story saying toxic smog in the Thai capital had killed a woman, but authorities said the story wasn’t true.

Patenting intelligence: The U.S. and China are gobbling up Artificial Intelligence patents faster than other countries, Al Jazeera reports, citing a U.N. study. Among companies, IBM had the largest AI patent portfolio with 8,920 patents, followed by Microsoft with 5,930, and a group of mainly Japanese tech conglomerates.

Do you know the risks of what you’re buying? Get IoT smart!

The post The Week in Internet News: Japan to Probe Residents’ IoT Devices appeared first on Internet Society.

Community Network Champions Take a Rural Dip in India

Internet Society - News Headlines - Fri, 01/02/2019 - 15:57

By Digital Empowerment Foundation

In the last 25 years, half the world has been connected to the Internet and the almost infinite opportunities it has to offer. Most of these, among the 3.5 billion connected individuals of the world, are people who are largely economically empowered, literate, and reside in urban or accessible areas. However, there is also half the world that is yet to get online and access what the Internet has to offer them.

The biggest barrier to widespread connectivity is the high cost of infrastructure. With many telecom companies unwilling or unable to build infrastructure in far flung and rural areas, large swathes of the world have remained in media darkness. Evidently, most of those who are excluded from digital ecosystems are people who are largely at the bottom of the pyramid and reside in rural or inaccessible areas. They are people who have not been connected by the mainstream Internet Service Providers (ISP) – and who may have to wait a long time to be connected.

So who will take the responsibility of connecting them?

It has to be the community themselves.

Over the years, community network providers have proved to be great enablers for bridging the digital divide. Some of these networks are located in Latin America, Africa, Asia Pacific, Europe, and even the U.S. Passionate and innovative community members have been able to leverage varying technology, tools, regulations, and socioeconomic and cultural conditions to bring Internet connectivity to their people. However, these efforts are scattered around the globe, and mostly implemented in silos.

In an effort to amplify such efforts across the Asia Pacific and learn from each other, the Internet Society and Digital Empowerment Foundation organized a 10-day experiential learning program for Community Network Champions from the region, as a follow-up to its second annual Community Network Exchange. As part of this program, eight participants from Haiti, Bahrain, Nigeria, Kyrgyzstan, Philippines, Kenya, and Indonesia traveled to New Delhi and Guna to immerse themselves in intensive training on deployment of wireless networks, its operations, and management.

In these 10 days, Roel Vincent Vistal, Dhinesh Pandian, Ahmed Abdulali Abdulaziz Husain Alaali, Asanbaev Isabek, Reynold Guerrier, Erzhigit Imamov, Irine Chepngetich Misoi, and Paul Henry Yauko not only learned how Digital Empowerment Foundation is using unlicensed spectrum and frugal technology to connect the unconnected (most recently through its DIY Internet in a Box solution), but also brainstormed on new ideas for connectivity, challenges of community networks and policy recommendations for connecting the rest (while navigating multiple hospitality and logistical challenges of staying in rural India).

Reynold was particularly impressed by the commitment of the wireless engineers in Guna to change the destiny of their community through a bottom-up approach rather than wait for a top-down movement. Ronel could see how availability of communication services is essential to delivery of basic services, educational materials, disaster preparedness, governance, pump priming of local economy, and training local human resources, among many others. And Isabel particularly saw potential of MeraApp, an Android-based mobile application developed by Digital Empowerment Foundation to make entitlements accessible and available to the citizens, for people in Kyrgyzstan.

The Community Network Champions are now back in their home countries with revived energy and commitment to establish, scale up and strengthen community networks in their regions and bridge the digital divide.

Community networks work! Join the movement to help close the digital divide. #SwitchItOn

The post Community Network Champions Take a Rural Dip in India appeared first on Internet Society.

Internet Society Botswana Chapter Hosts Webinar on the Internet of Things

Internet Society - News Headlines - Thu, 31/01/2019 - 14:57

The Internet of Things (IoT) is upon us. The exponential advancements are fast becoming a reality and Africa is a part of the current wave. On 13 December 2018, the Internet Society Botswana Chapter held an Internet of Things webinar at the University of Botswana Library to discuss local IoT-related implications. In attendance were approximately seventy-five individuals, including members of the public, academia, the developer community, and students.

A quick Internet search reveals that IoT can be synonymous with tracking and monitoring systems, wearables, and smart homes. These may not be relatable in the African context, but IoT prospective usage in farming, irrigation, and utilities management brings it home and introduces the possibilities of IoT being used to provide solutions that fit Africa’s needs. It therefore becomes important to implement a multistakeholder approach where governments and regulators provide high speed connectivity, infrastructure, and the right policies to foster local innovation.

The interactive session offered the participants an appreciation of the current IoT situation in Botswana. A remote presentation by Steve Olshansky, Internet technology program manager at the Internet Society, explained the Internet Society’s view of IoT, the OTA IoT Trust by Design Framework, and why we should ensure security and privacy are engrained in IoT’s development and use. The OTA Framework document notes that all stakeholders have a role to play in securing IoT, including manufacturers, suppliers, consumers, and regulators/policymakers. Describing “data as a double-edged sword,” Steve noted that accountability by all stakeholders becomes crucial, especially given privacy concerns.

Solomon Kembo, president of the Internet Society Zimbabwe Chapter, gave a presentation on the local Chapter efforts with regards to IoT. Highlighting the progress made thus far in implementation of IoT concepts, Solomon also described technical IoT framework perspectives. The Botswana Chapter’s collaboration with the Zimbabwe Chapter on IoT shows how Chapters can work together to achieve common objectives.

The Q&A session was a key indicator that the local Chapter needs to invest in future public awareness training exercises on IoT and engage with policymakers. In summary the concerns noted were:

  • Are stakeholders in Botswana ready to embrace IoT and related trends?
  • How can local entrepreneurs leverage current digital trends?
  • How can regulators and policymakers address cybersecurity concerns?
  • What learnings can we adopt from regions that have embraced IoT technologies?

This conversation is key in unlocking the digital possibilities for communities in Botswana and beyond. The call to attendees was to embrace trending technologies with caution and to implement relevant context-based solutions.

We’re looking for new ideas from people all over the world on how to make their community better using the Internet. The Internet Society Beyond the Net Funding Programme funds projects up to $30,000.00 USD.

The post Internet Society Botswana Chapter Hosts Webinar on the Internet of Things appeared first on Internet Society.

International Approach to Internet Policy Declining, Some Experts Say

Internet Society - News Headlines - Wed, 30/01/2019 - 15:23

A long-time multistakeholder and international approach toward creating Internet policy is breaking down, with individual nations and some large companies increasingly deciding to go their own way and create their own rules, some Internet governance experts say.

The multistakeholder decision-making model that created the Internet’s policy standards over the last two decades has largely fallen apart, with countries pushing their own agendas related to privacy, censorship, encryption, Internet shutdowns and other issues, some of the experts said Tuesday at the State of the Net tech policy conference in Washington, D.C.

Recent efforts to keep the Internet safe for free expression and free enterprise are “mission impossible,” said Steve DelBianco, president and CEO of Internet-focused trade group NetChoice.

Back in the early 2000s, the Internet was enabling the disruption of governments and powerful businesses by providing users ways to work around those organizations, DelBianco added. “Fifteen years later, I’d have to say that governments and big businesses have regained their footing and are reasserting control,” he said.

Many nations are looking for new ways to control Internet content and users, added Laura DeNardis, a communications professor at American University and a scholar focused on Internet architecture and governance.

For many years, there have been “two clashing world views” about the Internet, but a heavy-handed government control model pushed by China and Russia seems to be gaining traction, she said. Many other countries still believe in a “free flow of information,” she said, and the clash of the two models will have wide-ranging effects on foreign policy, free expression, the digital economy, and the Internet itself.

Some countries pushing for a more sovereign control of the Internet have advanced data localization laws, and some have created local redirects in the Domain Name System as a way to drive users to government-approved sites, she noted.

These government efforts to control the Internet are a “sea change” from the previous multistakeholder, international model, DeNardis added.

The concerns from Tuesday’s panelists came about three months after Freedom House warned of a trend toward “digital authoritarianism” in a report on Internet freedom.

Countries that believe in free expression shouldn’t give up, however, said Drew Mitnick, policy counsel at digital rights group Access Now. International pressure can make countries rethink Internet shutdowns and overly aggressive cybersecurity laws, he said.

Last November, more than 60 countries, 100 companies, and 100 other organizations signed the France-sponsored Paris Call for Trust and Security in Cyberspace, showing some international agreement on Internet issues, Mitnick noted. However, the U.S. did not sign on to the agreement, and French President Emmanuel Macron followed the document with a speech calling for increased censorship and for a defense against the excesses of the Internet, DelBianco noted.

Traditional allies the U.S. and European Union seem to have a diverging view of how to regulate the Internet, he added. Between Macron’s concerns about “dangerous ideas” on the Internet and the EU’s strong stance on individual privacy, Europe seems to be headed in a different direction than the U.S., he said.

The EU’s right to be forgotten, for example, gives residents the ability to have websites remove old information or links to information about them. But that right conflicts with the freedom of expression and the press valued in the U.S., with important news information sometimes removed from the public’s view in the EU, DelBianco said.

One audience member asked what Internet governance model will emerge if the international approach is dying. Some panelists urged supporters of an international, multistakeholder approach to keep fighting, while DelBianco suggested that bilateral agreements between countries may be the wave of the future.

“We can’t have this escalating battle where we block their content, and they block ours,” he said. “That doesn’t serve anyone’s best interest.”

Read “We Won’t Save the Internet by Breaking It.”

The post International Approach to Internet Policy Declining, Some Experts Say appeared first on Internet Society.

Call for Participation – ICANN DNSSEC Workshop at ICANN64 in Kobe, Japan

Internet Society - News Headlines - Tue, 29/01/2019 - 22:20

Will you be at the ICANN 64 meeting in March 2019 in Kobe, Japan? If so (or if you can get to Kobe), would you be interested in speaking about any work you have done (or are doing) with DNSSEC, DANE or other DNS security and privacy technologies? If you are interested, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-kobe@isoc.org before 07 February 2019.

Call for Participation

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN64 meeting held from 09-14 March 2019 in Kobe, Japan. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.

For reference, the most recent session was held at the ICANN Annual General Meeting in Barcelona, Spain, on 24 October 2018. The presentations and transcripts are available at: https://63.schedule.icann.org/meetings/901549, https://63.schedule.icann.org/meetings/901554, and https://63.schedule.icann.org/meetings/901555.

At ICANN64 we are particularly interested in live demonstrations of uses of DNSSEC, DS automation or DANE. Examples might include:

  • DNSSEC automation and deployment using CDS, CDNSKEY, and CSYNC
  • DNSSEC/DANE validation in browsers and in applications
  • Secure email / email encryption using DNSSEC, OPENPGPKEY, or S/MIME
  • DNSSEC signing solutions and innovation (monitoring, managing, validation)
  • Tools for automating the generation of DNSSEC/DANE records
  • Extending DNSSEC/DANE with authentication, SSH, XMPP, SMTP, S/MIME or PGP/GPG and other protocols

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.
We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE. Examples of the types of topics we are seeking include:

1. DNSSEC Panel (Regional and Global)

For this panel, we are seeking participation from those who have been involved in DNSSEC deployment in the region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. DS Automation

We are looking at innovative ways to automate the parent child synchronization CDS / CDNSKEY and methods to bootstrap new or existing domains. We are also interested in development or plans related to CSYNC, which are aimed at keeping the glue up to date.
We would like to hear from DNS Operators what their current thoughts on CDS/CDNSKEY automation are.

3. DNSSEC/DANE Support in the browsers

We would be interested in hearing from browser developers what their plans are in terms of supporting DNSSEC/DANE validation.

4. DANE Automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?
  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-kobe@isoc.org before 07 February 2019.

We hope that you can join us.
Thank you,
Kathy Schnitt

On behalf of the DNSSEC Workshop Program Committee:
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Russ Mundy, Parsons
Ondřej Filip, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society
Mark Elkins, DNS/ZACR

The post Call for Participation – ICANN DNSSEC Workshop at ICANN64 in Kobe, Japan appeared first on Internet Society.

New UN Tool Maps Asia-Pacific Cybersecurity Landscape

Internet Society - News Headlines - Mar, 29/01/2019 - 14:59

News of cyber attacks and personal data breaches frequently makes headlines nowadays, particularly in Asia Pacific*, and every time a new incident happens, it deals a blow to the trust of some users. Since cyber threats are grave and growing, society must understand how policymakers are addressing cybersecurity concerns, and what can be done to strengthen trust.

A United Nations agency recently launched a tool to do exactly that. Against the backdrop of increasingly complex cybersecurity policies around the world, the portal aims to “enhance informed participation in key policy processes by all relevant stakeholders”, thus facilitating information sharing, capacity building, and trust and cooperation in cyberspace. We spent some time with it to evaluate the state of cybersecurity in Asia Pacific and to highlight the importance of the issue.

The Cyber Policy Portal, released this month by the United Nations Institute for Disarmament Research (UNIDIR), maps the global cybersecurity capability landscape, covering all 193 of the UN Member States, 13 intergovernmental organizations, including the Association of Southeast Asian Nations (ASEAN), and a number of multilateral frameworks.

The interactive map draws from public information and, where applicable, carries links to original documents. Systematically, it answers some of the salient questions about a country’s cybersecurity capabilities: What policies are in place? Are they supported by any strategy documents or implementation frameworks? What is the agency responsible for cybersecurity? Is there a national Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT)? What laws are there? And, finally, is it part of any international cooperation?

It is encouraging to notice from the portal that most countries in Asia Pacific have adopted national cybersecurity strategies. Some countries, notably Australia, Indonesia, Japan, Malaysia, the Philippines, Singapore, Sri Lanka, and Thailand have detailed and up-to-date cybersecurity strategies in place, often backed up by legal and operational frameworks and dedicated agencies that address critical infrastructure protection requirements and emergency response. Others, including Laos, Myanmar, and Pakistan, have general information and communication technology (ICT) master plans that cover aspects of cybersecurity.

The exceptions include Bhutan, Timor-Leste, Tuvalu, and Vietnam, which have not developed a national cybersecurity strategy. Since cybersecurity is a threat that cuts across many domains, there is a clear need for a strategy that sets out a country’s vision, goals and priorities in ensuring that public and private entities and individuals are equipped to respond to the cybersecurity challenges of an ever more connected world. Such a strategy also raises awareness and facilitates partnerships for a resilient and trusted Internet.

Another positive finding is that almost all APAC countries – with the exceptions of island countries including Fiji, Solomon Islands, and Tuvalu – have in place national CERTs or CSIRTs, which play a crucial role in incident reporting and response, thus improving cyber resilience. Like a fire department, these bodies are set up to manage critical events that threaten the availability and integrity of key information networks and systems.

The APAC region’s strength and consistency in the establishment of CERTs and CSIRTs reflect its relatively high level of cybersecurity awareness. It is no coincidence that cybersecurity has been the top concern for Internet users in Asia Pacific in the past two years, according to the Internet Society Survey on Policy Issues, done yearly by the Internet Society’s APAC Bureau. The region’s other pressing concerns include access, data protection, privacy, and Internet of Things (IoT). The Online Trust Alliance (OTA), an Internet Society initiative, has released the IoT Trust Framework, a strategic set of 30 foundational principles providing guidance for developers, device manufacturers, and service providers to help enhance the privacy, security, and life-cycle of their products.

But the UN portal sheds light on only part of what is necessary in the management of cyber risks. In fact, no single policy, strategy, or legislation can secure cyberspace by itself: the collaborative approach that helped to drive the growth of the Internet and allows it to thrive is essential for effective cybersecurity. This means participation not only by policymakers and a few big companies, but also security practitioners and developers, protocol developers, network operators, civil society groups, and researchers.

Moreover, it should be noted that when policies are indeed deemed necessary, it is important that they are flexible enough to evolve over time. It is clear the technology is going to change, and so the solutions should be responsive to new challenges.

Beyond the multilateral frameworks the portal covers, there is also an essential need to foster international collaboration, such as the Paris Call for Trust and Security in Cyberspace, one of many cross-border efforts.

In addition, amid an ever-shifting threat landscape, education and awareness programs are also vital to ensure governments and organizations of all sizes, as well as consumers, take the right steps to secure their own systems. Many APAC countries, including Singapore and Australia, have dedicated considerable resources to cybersecurity education, including innovative awareness campaigns aimed at the general public, but this is far from the norm.

*The Asia Pacific region accounted for 35.9 percent of the global number of cybersecurity events in the first half of 2018, the highest in the world, according to the findings by digital security company Gemalto, as reported by CIO Asia. Gemalto said the region was subject to 27.2 percent of compromised records worldwide in the period. However, the actual figures could be much higher since most countries in Southeast Asia did not require a compulsory report of data breaches.

Read Why the Multistakeholder Approach Works.

Image: the Cyber Policy Portal’s interactive map, which covers all 193 member states of the UN.

The post New UN Tool Maps Asia-Pacific Cybersecurity Landscape appeared first on Internet Society.

The Week in Internet News: Placing Money on AI

Internet Society - News Headlines - Lun, 28/01/2019 - 15:00

AI manages your money: Artificial Intelligence may eventually replace your financial advisor, Forbes suggests. AI can already spot financial trends really fast, but it may eventually compete with the personal touch of a human advisor, the story says. “Because artificial intelligence learns so much faster than humans, it is simply a matter of time before artificial intelligence can read human nuances and have an emotional intelligence quotient that exceeds those of most humans. When that happens, in the next few years, financial advisers will have a hard time competing based on personal relationships.”

Banning news: Russia has moved to ban what the government defines as fake news, joining several other countries headed in the same direction, the Boston Globe reports. A second law bans the publication of information showing disrespect to government bodies and officials. The fake news law allows fines of up to US$15,000.

Less fake, more news: Despite headlines about the spread of fake news during the 2016 U.S. elections, a majority of U.S. residents didn’t see fake news on social media, two recent studies suggest. On Twitter, fake news appeared on the feeds of just 1.1 percent of users, according to one study detailed in Science.

Another approach: Staying on the topic of fake news, the Microsoft Edge browser is taking a different approach than policymakers trying to outlaw it, TechCrunch reports. Microsoft’s mobile Edge browser now installs with a built-in fake news detector called NewsGuard.

Constant monitoring: Internet of Things devices should be constantly evaluated and scored for security, a Computer Weekly story suggests. IoT users have a right to know about vulnerabilities in devices they use, Barracuda Networks told the publication.

Blockchain loves AI: The two technologies are a match made in heaven, Forbes says. While blockchain and AI have both been victims of massive hype, blockchain can help secure the data that AI runs on, the story says.

Read the Internet Society’s Artificial Intelligence and Machine Learning policy paper and explore how it might impact the Internet’s future.

The post The Week in Internet News: Placing Money on AI appeared first on Internet Society.

This Data Privacy Day Take Steps to Protect Your Data

Internet Society - News Headlines - Dom, 27/01/2019 - 19:30

As champions of an open, globally-secure, and trusted Internet, we consider International Data Privacy Day a big deal around these parts.

But making sure you’re able to share what you want, when you want, should be something the world stands for more than once a year. Every day should be Data Privacy Day.

These days, it feels all too common to hear stories about policy or law enforcement officials trying to create backdoors into technologies like encryption. These backdoors could put our online security at risk.

Just a little over one month ago, Business Insider reported that smart home devices dominated Christmas 2018 sales on Amazon, while the Alexa app, which enables people to control those smart devices, was the most downloaded on Google Play and the Apple App store on Christmas Day.

As the Internet becomes more and more a part of our everyday lives, each of us can take actions to ensure that privacy and security are a top priority.

Let’s come together on Data Privacy Day to celebrate the possibilities an open, globally connected, trusted, and secure Internet brings. Here are ways you can help make it happen where you live:

(And don’t forget to make a cake!)

North America
My Privacy Online: Championing Trust in the Era of IoT

Asia
In India, Days Left to Comment on Rules That Could Impact Your Privacy

Europe
In addition to the Connect Smart tips from the Internet Society and Consumers International, the Internet Society France has started a working group dedicated to raising awareness of the security risks when using IoT devices. The IoT Working Group is part of a broader effort by the Internet Society to raise awareness of the security risks inherent in the use of IoT-connected devices. While the IoT Working Group is focused on France, the hope is the best practices it uncovers will feed into the work the rest of Europe is doing.

The post This Data Privacy Day Take Steps to Protect Your Data appeared first on Internet Society.

In India, Days Left to Comment on Rules That Could Impact Your Privacy

Internet Society - News Headlines - Dom, 27/01/2019 - 19:30

The public has until 31 January to comment on a draft set of rules in India that could result in big changes to online security and privacy.

The Indian government published the draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018, also known as the “Intermediary Rules”, for public comment.

When it comes to the Internet, intermediaries are companies that mediate online communication and enable various forms of online expression.

The draft Intermediary Rules would change parts of the Information Technology Act, 2000 (the “IT Act”), which sets out the requirements intermediaries must meet to be shielded from liability for the activities of their users. The draft rules would also expand the requirements for all intermediaries, which are defined by the Indian government and include Internet service providers, cybercafés, online companies, social media platforms, and others. For example, all intermediaries would have to regularly notify users on content they shouldn’t share; make unlawful content traceable; and deploy automated tools to identify and disable unlawful information or content, among other new requirements.

Here’s some more background:

  • News reports are citing a number of concerns about the draft rules. Ours centers on their potential impact on the use of encryption.
  • Encryption is the process of scrambling or enciphering data so it can be read only by someone with the means to return it to its original state. End-to-end encryption is the most secure form of encryption available, in which only the sender and intended recipient can read the message.
  • Although you might not realize it, you rely on encryption every day. It protects you while you browse the web, shop online, use mobile banking, or use secure messaging apps.
  • By requiring the deployment of automated tools to identify and disable unlawful information or content on their platforms, the proposals in the draft Intermediary Rules could require intermediaries to break their end-to-end encryption or otherwise risk becoming liable for the activities of their users.
  • This weakens the technology meant to keep our private information private. That means it’s easier for anyone, anywhere, to access our stuff. And, with all intermediaries impacted by this decision, it’s not just end-to-end encrypted messaging applications like WhatsApp or Signal that are affected, but also secure Voice over IP (VoIP) services, some cloud storage services, and much more.
  • We believe strong encryption is critical to the Internet and should simply be how things are done. We’re working to ensure encryption is available for everyone and it becomes the default.

If you want to make your voice heard on these draft rules, now is the time. The deadline to submit comments to India’s Ministry of Electronics and Information Technology (MeitY) is 31 January. Comments can be sent to:

  • gccyberlaw[at]meity[dot]gov[dot]in
  • pkumar[at]meity[dot]gov[dot]in
  • dhawal[at]gov[dot]in

The post In India, Days Left to Comment on Rules That Could Impact Your Privacy appeared first on Internet Society.