Privacy

France's data protection watchdog has slammed Microsoft Windows 10 for collecting excessive amounts of personal data and failing to use strong security controls. Under the country's data protection laws, Microsoft may now face up to $1.7 million in fines.

See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016

Microsoft has until Sept. 30 to respond to the notice from the chair of the National Data Protection Commission. Under French law, this independent authority, also known as CNIL, has the power to levy fines for violating France's data protection laws. And the agency has not hesitated to use that power before, for example against Google.

CNIL claims that Windows 10 has numerous problems relating to how it collects user data, implements specific security controls and handles cookies, which are often used for tracking users and serving related advertising.

The agency has also accused Microsoft of continuing to transmit data under the now defunct Safe Harbor provisions. The European Court of Justice last year ruled that the provisions were illegal, and they're now due to be replaced by a new agreement called Privacy Shield. But in the interim, any organizations that have continued to rely on Safe Harbor - without demonstrating compliance with EU data privacy laws using some other legal technique - have left themselves exposed to enforcement actions by European regulators.

Now, according to the formal notice served by CNIL, Microsoft could face up to 1.5 million euros ($1.65 million) in fines for two of its alleged data privacy law violations as well as 7,500 euros ($8,260) for a third.

Microsoft says in a statement that it has built strong privacy protections into Windows 10 and is continually working on improvements.

"We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable," according to a statement from David Heiner, Microsoft's vice president and general counsel.

Finding: Windows 10 Leaks Personal Data

The formal request from CNIL to Microsoft follows an examination that the agency conducted earlier this year of Windows 10, including watching its behavior when connected to the internet. CNIL has also queried Microsoft about its related privacy polices.

Regulators say they found that Windows 10, released in July 2015, collects a variety of diagnostic and usage data for apps downloaded by users, including the time spent using the apps (see Windows 10: Security, Privacy Questions).

"Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service," according to CNIL's notice to Microsoft.

CNIL also notes that while Windows 10 lets users pick a four-character PIN to access their Microsoft account and purchase apps, "the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential."

Furthermore, users are allowed to create a PIN of "0000," the agency says. "This weak password without a combined mechanism to limit the number of unsuccessful authentication attempts does not ensure the security or confidentiality of the data," CNIL says.

The operating system also installs advertising trackers known as cookies without properly informing users of this in advance "or enabling them to oppose this," CNIL alleges, which would violate EU law.

No Safe Harbor

The move by CNIL against Microsoft follows the European Court of Justice invalidating the 15-year-old Safe Harbor framework in October 2015, ruling that the United States failed to provide an adequate level of protection for EU citizens' data, as required under European law (see EU Court Invalidates U.S.-EU Data Sharing Agreement). The ruling was fueled, in part, by former National Security Agency contractor Edward Snowden's leak of secret intelligence documents in 2013 that showed how U.S. authorities were running a mass surveillance program that amassed European's personal data.

The court's decision set off a scramble to create a new framework under which technology companies could legally transfer personal data between the U.S. and European Union without having to demonstrate full compliance with all EU regulations. The sides reached an agreement in February, and a commercial pact - Privacy Shield - was passed on July 12. Companies can start self-certifying with Privacy Shield beginning on August 1 (see 'Privacy Shield' to Replace Safe Harbor).

Under the new agreement, the U.S. government agreed to limit its access to Europeans' data, commit to regular reviews of data handling practices and ensure compliance by companies through the U.S. Federal Trade Commission.

Microsoft's Heiner writes that the company intends to adopt Privacy Shield and will issue an updated privacy policy in August. Microsoft says it adhered to the Safe Harbor framework, as well as other legal measures, while negotiators worked toward a new data-sharing pact.

"As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States," Heiner writes.

Legal Uncertainty

But it's unclear if whatever arrangements Microsoft had in place will stand up to CNIL's scrutiny, which may leave the company vulnerable to fines. On June 6, for example, a German regulator fined three companies - software maker Adobe; fruit juice maker Punica, which is a subsidiary of PepsiCo; and Anglo-Dutch consumer goods group Unilever - for failing to establish "allowed alternative methods even six months after the cessation of the Safe Harbor Agreement," according to the Hamburg Commissioner for Data Protection and Freedom of Information. "The data transfer of these companies to the USA was thus without any legal basis and unlawful."

But the German regulator said that after it launched its related investigation, all three companies had "changed their data transfer legally to standard contractual clauses." As a result, it imposed fines that collectively totaled just 28,000 euros ($31,000) against the three companies.

Executive Editor Mathew J. Schwartz contributed to this story.

Breach Preparedness , Cybersecurity , Data Breach

Amit Yoran, president of RSA, the security division of EMC Corp., urges Asian organizations and governments to make a fundamental shift in their mindset and consider problems from a diverse point of view in responding to today's advanced threats.

See Also: Unite & Disrupt: Mitigate Attacks by Uniting Security Operations

"It's critical to challenge your perspectives and observe how advanced organizations start looking at the problem in all its accuracy," Yoran says.

He shared his insights as the keynote speaker at the launch of RSA Conference 2016 Asia Pacific & Japan in Singapore. The topic: how critical it is to start thinking out-of-the-box in understanding the nuances of breaches and threats and their impact on business (see coverage of Yoran's 2015 Keynote at RSA APJ: Asia Needs Resilient Cyber Defense).

"Stop relying solely on technologies in preventing attacks. It's time to create a cybersecurity program that links breaches and threats that impact business," he says.

Focus on Business Needs

Yoran set the stage for the conference, exhorting the industry that it's time for a strategy driven by business needs and not purely technological needs.

He expects practitioners to take proactive steps and quickly detect and investigate attacks. The reason: As per RSA's research, almost 90 percent of the organizations in APJ are not satisfied with attack detection and investigation methods.

What's irksome, he says, is that security professionals are suspicious of new technologies and unable to exploit the first-mover advantage.

"The industry's aware that technology serves as the single greatest leverage point, as it determines efficiency, competitiveness and can even transform markets and industries fundamentally," Yoran says. "Yet it's unable to exploit it to the fullest."

CISOs must realize they are dealing with focused adversaries with creativity, patience and persistence, who are unpredictable, with a wide range of tools at their disposal (see: Upgrading Security: Setting the Right Priorities).

"Attackers can orchestrate their attacks until they succeed. One should remember we are dealing with human ingenuity ... a powerful thing," he says.

He warns CISOs they will not magically find that next great firewall, sandbox or host armament that will keep adversaries out. Defense requires major overhauling - which is not happening.

Yoran suggests that may be because the choices are confusing, or doing something different might demand a new thought process. "But you can get good results by being bold and making changes to the existing processes," he stresses.

Adapt to Changes

While it's accepted that technology is foundational to defense, intelligence and civil services, it's also constantly evolving. CISOs must adapt to these changes fast, Yoran says. If not, they will lose out.

He maintains that executives and boards are asking more questions about cybersecurity than ever before. After all the money spent, they want to know the impact on business if there's a breach.

"CISOs must be prepared to address these questions," he says. "CISOs must understand to what degree security incidents impact business continuity, intellectual property and damage reputation."

Organizations should use analytics and detection methodologies and take advantage of improved visibility to help identify anomalies in the network, systems and user behaviour, he recommends.

"CEOs and boards don't care about whether the breach was caused by the Angler toolkit exploiting a vulnerability in Internet Explorer," he says. "What they do care about is overall impact to the business. We need to unite the details of security with the language of business."

Reactions from Security Leaders

Some security leaders and practitioners at the RSA Conference in Singapore say Yoran stated the obvious, while there are unique and daunting challenges specific to the region.

One security practitioner from the insurance sector, who asked not to be named, says an important question to answer is: "What are the actionable items recommended which directly impact the change or help make the change?"

Sydney-based Alex Holden, CISO of Holden Security Consulting, argues that Yoran's comments are not specific to the region and can resonate well with the western world. "The core issues on cybersecurity transcend geography," he says. "It was an inspiring talk, but the keynote should have been a more detailed call to action rather than general inspiration."

Bikash Barai, CEO and founder of Cigital India, says the keynote hit hard on core challenges affecting this region, resonating well with practitioners' concerns. However, it's hard to change culture - just building security awareness and urging a change in the mindset is not enough. "It's important to regulate the change and processes in a systematic manner," he says.

A philosophical approach will not have a major impact, Baraj says. Instead, a hard core strategy recommendation is what works.

Yoran says there are no ready answers. "But be curious and learn new nuances as you build your cybersecurity strategy," he says.

"Many struggle with red tape or leadership that doesn't yet understand or appreciate how your efforts differ from the regulatory compliance regimes," he adds. "Don't give up."

Cybersecurity , Privacy

As Japan preps for its official in-country launch of the augmented reality game Pokémon Go, the government's cybersecurity organization has issued a related, nine-point safety and privacy guide.

See Also: Detecting Insider Threats Through Machine Learning

The warnings come after reports that some users have faced robbers, been hit by cars and even been shot at by suspicious homeowners. Meanwhile, the U.K. Coast Guard has documented what appears to be the first case involving teenagers stealing a rowboat to chase a rare Pokémon across a lake.

Japan's National Center of Incident Readiness and Strategy for Cybersecurity, which reports to the Japanese government's cabinet, issued the safety guide via its website as well as Twitter. The organization says the guidance - covering everything from watching for trains and heatstroke to carrying backup power supplies and having a fallback communications strategy - applies to adult and child players alike.

"Please pass this on to people around you, especially to children, so everyone can enjoy the game, and play it safely," NISC tweeted on July 20.

Japan's NISC #cybersecurity agency issues 9-point safety guidance for Pokémon users https://t.co/bE3cK8RbXW pic.twitter.com/E2J8pVT5hT

The guidance comes as the popularity of Pokémon Go - a game in which players chase virtual creatures in real-world locations - continues to explode. The concept is based on the trading-card game Pokémon, short for pocket monsters, that was first released in Japan in 1996.

Twenty years later, software maker Niantic, backed by both Nintendo and Japanese consortium The Pokémon Company, has released an augmented reality version of the game, which so far has been rolled out in 35 countries, including Australia, Britain, Canada and the United States, which as of July 18 had 21 million active Pokémon Go users.

But Japan has been absent from the release list, although there are rumors that its localized version of Pokémon Go could be released as soon as Thursday. The rollout has been delayed because of Niantic prepping additional server capacity after details of McDonald's sponsorship of the game leaked. McDonald's will see 3,000 of its fast-food locations turned into virtual gyms where Pokémon players can do virtual battle to earn "PokéCoins" virtual game currency, the Guardian reports. But according to an alleged memo between the fast-food chain and the game makers, after the surge of interest following the leaked McDonald's sponsorship report, they worried that existing demand would exceed capacity.

Players Face Real-World Hazards

As Japan now ramps up for the local launch of Pokémon Go, officials are clearly cognizant of the risks of users staring at their smartphones while attempting to navigate a variety of privacy as well as outdoor hazards.

NISC's guidance urges users to employ "cool names that are different from real names" as well as to beware of fake versions of Pokémon Go designed to sneak malware onto their devices. Authorities also recommend all users carry backup power supplies and that children have a fallback communications plan in case their smartphone runs out of power. The guidance also recommends users pack plenty of water, watch for signs of heatstroke and avoid "dangerous zones" when chasing virtual creatures.

To date, Pokémon Go users in other countries have already faced a variety of real-world hazards. Some players have been shot at by a Floridian homeowner, fallen off a cliff or been hit by a car.

Meanwhile, the U.K. Coast Guard on July 19 reported that it had been dispatched "to investigate reports of a group of twenty youths taking a rowing boat without permission to chase a Pokémon across New Brighton marine lake." The coast guard reported that when it arrived, the teenagers had already left.

To date, thankfully, there have been no reports of Pokémon Go leading to fatalities.

Investors Chase Nintendo's Stock

No one knows if the Pokémon Go hype will hold, potentially heralding a new age of gaming in which children desert living rooms en masse to chase virtual creatures outdoors. By every measure, however, the game so far continues to be a smash success. That includes the value of Nintendo's stock price, which has gained $18 billion since Pokémon Go was first released on July 6. On Tuesday, $6.6 billion in shares were exchanged - worth more than the combined turnover seen that day on the stock exchanges of Australia, Germany, Hong Kong and Switzerland, Bloomberg reports.

Meanwhile, analysts estimate that Apple could earn $3 billion in revenue from Pokémon Go within the next two years, thanks to users purchasing PokéCoins via the app store, the Guardian reports.

"We believe Apple keeps 30 percent of Pokémon Go's revenue spent on iOS devices, suggesting upside to earnings," Needham & Company brokerage analyst Laura Martin wrote in a July 20 client note, Reuters reports. Apple's stock price, meanwhile, has increased by 5 percent in value since the release of the game.

"It's been nuts," Andrew Clarke, Hong Kong-based director of trading at Mirabaud Asia Ltd., tells Bloomberg. "The hype over the game is huge. There's been nothing like this since ... I can't remember really."

DDoS , Risk Management

Following the failed July 15 military coup in Turkey, the government has blocked access to the whistleblowing website WikiLeaks after it published nearly 300,000 internal Turkish government emails.

See Also: 2016 Enterprise Security Study - the Results

WikiLeaks says the published information is not related to the coup plotters. "The material was obtained a week before the attempted coup. However, WikiLeaks has moved forward its publication schedule in response to the government's post-coup purges," the organization says. "We have verified the material and the source, who is not connected, in any way, to the elements behind the attempted coup, or to a rival political party or state."

The purges have focused on removing people from various positions of power or influence who are seen to be opposed to the ruling Justice and Development Party, or AKP, headed by Turkish President Recep Tayyip Erdoğan. WikiLeaks said that its recent promise to publish the 300,000 emails and 500,000 documents, all relating to the AKP, led to its site facing a 24-hour distributed denial-of-service attack.

But on July 19, WikiLeaks said that it had successfully blocked the attack and proceeded with the release of the information, as part of what it's dubbed "OpTurkey." The organization has promised to translate the emails and documents from Turkish to English "to provide a better understanding of the ongoing situation in Turkey."

RELEASE: 294,548 emails from Turkey's ruling political party, Erdoğan's AKP #AKPemails https://t.co/1Yof7YZpH7 pic.twitter.com/GGzGS8oUrY

Inside Turkey, however, the government's communications watchdog is reportedly blocking all access to WikiLeaks. Anyone attempting to access the site instead sees a message from the Information and Communication Technologies Authority - known as the BTK - saying that due to an "administration measure" access to the website is being blocked.

President Takes to Social Media

The failed coup in Turkey saw warplanes firing on government buildings - including the parliament in the capital of Ankara - as well as tanks taking to the streets in major cities. But the coup was foiled after Erdoğan, who was on vacation in the resort town of Marmaris at the time of the attacks - and who evaded commandos sent to capture him - contacted a Turkish television station using his iPhone and the FaceTime application.

Television cameras showed Erdoğan live as he held a video chat with the news anchor, calling on citizens to take to the streets and put down the coup. The president also repeated that message via Twitter.

As Zeynep Tufekci, an assistant professor at the University of North Carolina School of Information and Library Science, writes in The New York Times, that's an ironic turn of events for a prickly politician whose government regularly bans dissidents' accounts on social media and slows down access to Twitter and YouTube, among other sites.

Post-Coup Purge

The coup was ultimately put down by pro-Erdoğan military forces as well as civilians who took to the streets. The government says the coup led to the deaths of at least 294 people, while 1,400 were wounded. But those official figures appear to refer solely to civilians, rather than any of the alleged coup plotters or military forces who supported them.

In the aftermath of the coup, President Erdoğan has been purging those deemed to be disloyal to his government. Authorities quickly rounded up 3,000 suspected military plotters, ranging from general and admirals to foot soldiers, as well as an equal number of prosecutors and judges, Reuters reports. An estimated 50,000 civil servants have also been arrested, fired or asked to resign, according to state-run media, while 20 news outlets that have been critical of the government have been blocked, the Guardian reports.

History of Censorship

Despite the "Internet [saving] Turkey's Internet-hating president" - as Tufekci puts it - the nation is unlikely to usher in a new era of press freedoms.

"The failed coup is a gift for President Erdoğan, giving him all the justification he needs to implement further clamp down measures against any dissenters, in the process sinking Turkey deeper into authoritarianism," says Mostafa Minawi, an assistant professor of history at Cornell University. "The failed coup will make the narrowing range of acceptable political opposition in Turkey ... even narrower. Much as we are witnessing in other parts of the world, aggressive populist politics is on the rise in Turkey." (See Brexit: What's Next for Privacy, Policing, Surveillance?)

The Turkish government regularly blocks or slows access to social media, according to Turkey Blocks, an organization that tracks the government's censorship.

The government also regularly attempts to excise unfavorable content from social media channels. In 2015, for example, the majority of all government-level requests to Twitter "to remove or withhold content" came from the Turkish government, followed by Moscow, according to Twitter's transparency report.

During the six-month period from July 2015 to December 2015, Twitter received 450 court orders and 1,761 government-level removal requests from Turkey, compared with 6 court orders and 1,729 removal requests from the Russian government.

"This reporting period also overlapped with Turkey's follow-up elections in November of 2015," Twitter notes. "Between July and December of 2015, we filed legal objections with Turkish courts in response to 66 percent of the Turkish orders received, focusing many of our efforts on those demands seeking removal of content critical of public figures or allegations of corruption. Our objections prevailed 6 percent of the time."

Turkey Fined Twitter

In December, meanwhile, Turkey's BTK communications watchdog fined Twitter 150,000 lira - worth about $50,000 - for failing to block content that was "praising terrorism, targeting the security forces and inciting hatred and violence."

The BTK didn't identify the offending content, but the government has been battling the outlawed Kurdistan Workers' Party, or PKK, which has continued to launch attacks on Turkish security forces.

On July 20, Turkish state media reported that the government had resumed airstrikes against PKK forces in northern Iraq for the first time since the failed coup, according to wire service Agence France-Presse.