Blog

April 20, 2021

Is High-Speed Fiber Coming to a Farm Near You?

Promises of blazing-fast fiberoptic internet throughout the United States have a long and disappointing history of being broken. With President Joe Biden’s recent $1.9 trillion stimulus bill and the unveiling of a $3 trillion infrastructure plan, the topic is back in the public discourse. However, telecoms like AT&T are pushing back.

A brief history lesson

This isn’t the first time the telecoms and politicians discussed a widespread deployment of fiber internet. The first time it came up was back in the 1990s. One of the touted benefits of deregulating the telecommunications industry through the passage of the Telecommunications Act of 1996[1] was that companies agreed to lay fiber to supply millions of citizens with broadband internet. Unfortunately, it never materialized.

As of 2014, a researcher estimated that telecom corporations charged customers a collective $400 billion for the non-existent fiber network[2]. You can imagine how that number has ballooned in the eight years since.

To be fair, these sensationalized figures don’t tell the whole story. The massive increase in demand after the internet boom in the 90s and eliminating the profit cap meant that these businesses could and did charge more. This increased profits, which attracted significantly more outside capital investment than a profit-capped industry could expect.

While it didn’t result in the fiber networks promised, the telecoms did increase capital investments heavily over the past 25 years. It just went in different directions, such as mobile wireless technology and cable broadband.

The United States is competitive with the world in average broadband speeds, currently ranking 12th[3], behind only much smaller countries. In fact, the countries ahead of the US average 100K square miles, while the United States covers nearly 4 million square miles. So, contrary to popular belief, it hasn’t been a disaster. Still, the speeds offered never hit the projections, and there is a vast divide between urban and rural residents.

Green Acres isn’t the place to be for fast internet

The Federal Communications Commission (FCC) reports that, as of 2019, over 25% of people in rural areas don’t have access to broadband internet versus 1.7% of urban residents[4]. Since 2015, the FCC’s standard definition of broadband is 25Mbps download and 3Mbps upload speeds[5].

To put that into perspective, one feed of HD-quality Netflix video requires a 5Mbps download connection, and 4K Netflix video bumps the requirement up to 25Mbps. Furthermore, a Full-HD Zoom call requires a 3.8Mbps upload speed, meaning those only meeting the threshold of broadband couldn’t make a Zoom call at the highest quality. And over a quarter of the rural community doesn’t meet that threshold.

Government-backed solutions

To remedy this situation, United States President Joe Biden unveiled a large-scale $3 trillion infrastructure proposal in late March with money set aside for rural broadband expansion[6]. Details are scarce, but the main talking points of the plan are:

  • 100% broadband coverage throughout America
  • “Future-proof” infrastructure built in underserved areas such as rural and tribal lands (many take this to mean fiber, specifically)
  • Prioritization of funds toward networks owned by or affiliated with local governments
  • Telecoms must disclose prices for services transparently
  • Subsidies for low-income people

The infrastructure proposal isn’t the only recent development on this front. Democrats in Congress introduced a $94 billion bill called the ‘Accessible, Affordable Internet for All Act’ on March 10[7]. Its goal is to impact rural communities in a similar way to the electrification efforts of the 20th century by building or modernizing its broadband infrastructure. So, why the big push? What are the potential benefits?

Benefits of rural broadband access

More educational opportunities. The COVID pandemic created problems for rural communities. Students that don’t have access to high-speed internet couldn’t participate in distance learning and are at risk of falling behind. Providing adequate broadband solutions ensures this isn’t a problem in the future.

Job creation. With the proliferation of remote work, high-speed fiber allows those in the country to have the same job opportunities as those in urban areas. This could lead to significant economic expansion in regions that haven’t yet benefited from the shift to knowledge-based industry.

Higher real estate values. Access to broadband internet makes real estate more attractive to potential buyers. In fact, a 2016 study concluded that homes with fiber internet capability boost their value by over 3%[8].

More healthcare options. Telemedicine has become an important part of the healthcare industry that those without the internet can’t utilize. Fixing this reduces the burden on small local healthcare systems and provides more options to rural residents.

AT&T is not a fan

As you might expect, this focus on expanding broadband has corporate detractors. Telecom giant AT&T pushed back, releasing a critique of the plan in late March[9]. Here, the author argues that fiber isn’t necessary for the majority of use cases in rural America and that current subsidies couldn’t offset the price it would cost.

Another issue she raises is that many of the proposed solutions discussed above mandate “symmetrical” download and upload speeds. For instance, this means that if a home has a 100Mbps download speed, it would also need a 100Mbps upload speed. This would require fiber connections, as current cable and wireless technologies aren’t equipped to handle such large upload capacities. The author claims this is impractical and that most users wouldn’t need the additional upload speed.

AXEL’s take on the situation

Everyday users indeed download much more than they upload on average. However, more upload capacity could have beneficial results. Content creators, video streamers, and anyone uploading large documents regularly would see their capabilities increase significantly.

Small town lawyers, for example, could upload documents to clients and colleagues via secure file-transfer applications like AXEL Go faster. It would increase efficiency and work output to allow them to focus on more critical matters. It could allow for more robust services and provide a way to enhance digitization efforts. AXEL supports the ongoing push for rural access to fiber internet and hopes it continues to progress rapidly.

AXEL Go

Fiber internet connections combined with the high-performance, decentralized file-sharing network of AXEL Go would improve your productivity greatly. AXEL Go is backed by secure technology such as the InterPlanetary File System, blockchain, and military-grade encryption. Also, we never collect your personal data and sell it to shady third parties. Your data stays your private property at all times.

Sign up today and receive a free 14-day trial of our Premium service with all features unlocked. After the trial period, you can choose to continue with the Premium account for only $9.99/month or use our Basic service free of charge. Together, we can make the internet a better place for everyone.

[1] “Telecommunications Act of 1996”, FCC.gov, https://www.fcc.gov/general/telecommunications-act-1996#:~:text=The%20Telecommunications%20Act%20of%201996,any%20market%20against%20any%20other.

[2] Bruce Kushnick, “The Book Of Broken Promises: $400 Billion Broadband Scandal And Free The Net”, Huff Post, Sept. 9, 2014, https://www.huffpost.com/entry/the-book-of-broken-promis_b_5839394

[3] “Speedtest Global Index”, Speedtest.net, Feb. 2021, https://worldpopulationreview.com/country-rankings/internet-speeds-by-country

[4] FCC, “2019 Broadband Deployment Report”, FCC.gov, May 29, 2019, https://docs.fcc.gov/public/attachments/FCC-19-44A1.pdf

[5] Micah Singleton, “The FCC has changed the definition of broadband”, TheVerge.com, Jan. 29, 2015, https://www.theverge.com/2015/1/29/7932653/fcc-changed-definition-broadband-25mbps

[6] Jim Tankersley, “Biden Team Prepares $3 Trillion in New Spending for the Economy”, The New York Times, March 22, 2021, https://www.nytimes.com/2021/03/22/business/biden-infrastructure-spending.html

[7] Jon Brodkin, “Democratic-led Congress gets serious about universal broadband funding”, ArsTechnica.com, March 11, 2021, https://arstechnica.com/tech-policy/2021/03/democratic-led-congress-gets-serious-about-universal-broadband-funding/

[8] Ellen Satterwhite, “Study Shows Home Values Up 3.1% with Access to Fiber”, FiberBroadband.com, June 29, 2016, https://www.fiberbroadband.org/blog/study-shows-home-values-up-3.1-with-access-to-fiber

[9] Joan Marsh, “Defining Broadband For the 21st Century”, ATTpublicPolicy.com, March 26, 2021, https://www.attpublicpolicy.com/wireless/defining-broadband-for-the-21st-century/

Filed Under: Tech Tagged With: broadband, fiber, rural fiber

April 2, 2021

Privacy Labels Reveal Interesting Insights About Popular Cloud Drives

In late 2020, Apple launched its Privacy Label initiative[1]. Now, all apps sold through the App Store need to include a privacy label with future updates. These labels inform consumers about how the application collects and uses consumer data. Since millions of people use file-sharing and cloud storage platforms to transfer and store their personal content, we believed it’d be interesting to compare the privacy labels of the Big Tech offerings to AXEL Go.

A primer on terminology

Before getting into the comparison, it’s important to define the terms you’ll see often. Apple separated the data the apps collect into three different categories.

Data Used to Track You. This is the most troublesome category. It means that the app tracks personal information explicitly to form a coherent picture of your identity. This could stretch across your entire internet usage or even into your real-life shopping habits. It’s a tactic Facebook notoriously employs[2], and it’s by far the most invasive type of data collection.

Companies engaged in these activities link data generated from the app with information from third parties for targeted advertising or analytics. These organizations potentially even share their data sets (including your exact location) with shady data brokers. If possible, we recommend ditching apps that track you like this.

Data Linked to You. This includes much of the same types of data as the previous category, except it is not tracked across your full web experience. It’s still linked to your identity, however, and is still sold to third parties regularly. Avoid it when you can.

Data Not Linked to You. This is data that the company has explicitly anonymized. It could mean removing direct identifiers like user ID/Name/Device ID and data manipulation to prevent re-linkage or de-anonymization. To claim this, you must not ‘fingerprint’ or use other data sets to establish a potential identity.

Now, onto the comparison.

Dropbox


Source: https://apps.apple.com/us/app/dropbox-cloud-storage-backup/id327630330

Dropbox comes out the worst in this comparison. It’s the only one with entries in the ‘Data Used to Track You’ category, making it a significant threat to the privacy of over 600 million users worldwide. It also collects a vast amount of data, including:

  • Contact Info (Name, email address, phone number, physical address, etc.)
  • Identifiers (Screen name, handle, account ID, etc.)
  • Purchases (Purchase history)
  • Contacts (List of your phone’s contacts, address books, social graphs, etc.)
  • Search History (information regarding searches you made in-app)
  • Usage Data (App launch info, taps, scrolling data, clicks, views, biometric eye data, etc.)
  • User Content (in this case, content stored on Dropbox servers)
  • Diagnostics (crash logs, performance metrics, etc.)

Obviously, some of this data is more sensitive than other types. For instance, diagnostic information is potentially less harmful than giving up the contents of your cloud storage to what amounts to corporate surveillance. Regardless, it’s all info that they can link to you for identification purposes.

Google Drive

Source: https://apps.apple.com/us/app/google-drive/id507874739

Google isn’t known for its commitment to privacy. Although its cloud service, Google Drive, fares a bit better than Dropbox, there’s still not much to like. It collects the same types of data and adds “Location” into the mix. Why would a cloud storage application need to know your location? Unknown, but it likely isn’t a valid reason. It’s unspecified whether they monitor your ‘Precise Location’ or ‘Coarse Location,’ but Google doesn’t deserve the benefit of the doubt. Assume they know exactly where you are at all times when you’re using any of their services, including Drive. They also collect the nebulously-termed “Other” data, which Apple doesn’t define. If you’re one of the over one billion users[3] of Drive, consider alternatives.

Microsoft OneDrive


Source: https://apps.apple.com/us/app/microsoft-onedrive/id477537958

Of the Big Tech offerings, Microsoft’s OneDrive is the least offensive. It collects the least amount of data and doesn’t track you across websites. However, the personal information it does collect is still sensitive—especially Contact Info, Identifiers, and User Content. So, Microsoft not only collects your personally identifying information but, like its major competitors, it still mines user content. It’s an inexcusable invasion of privacy that anyone who cares about such matters can’t look past.

AXEL Go


Source: https://apps.apple.com/us/app/axel-go/id1462043114

The Silicon Valley mainstays don’t value your privacy. At the end of the day, they make a lot of money from your data alone. However, that doesn’t mean there aren’t any good options. Privacy-based alternatives like AXEL Go exist.

Our team designed the entire platform to promote privacy, security, and data custody. And that starts with the fact that AXEL doesn’t collect any data linked to its users. In fact, AXEL is the only competitor in this comparison that doesn’t link data to your identity. Most of the information we manage is diagnostic and usage data, which helps our developers see how you’re using the app to inform future improvements. Any contact info we store is sufficiently anonymized so that nobody can link it back to you. We respect everyone’s right to privacy.

Try AXEL Go

If you’re used to sharing and storing data online with platforms such as Google Drive or Dropbox, AXEL Go is a breath of fresh air. Our simple, intuitive user interface is a breeze to navigate while still offering industry-leading security and privacy features.

The platform is backed by secure technology like the InterPlanetary File System, blockchain, and military-grade encryption. Together with the fact that only AXEL emphasizes that users take control of their personal information, you’ve got an application that stands above the competition. Try it out today and see the AXEL difference. Basic accounts are free, and you can upgrade to a Premium account with all features for only $9.99/month. Help usher in a better internet. Join the AXEL Revolution.

[1] Nick Statt. “Apple launches new App Store privacy labels so you can see how iOS apps use your data”, The Verge, Dec. 14, 2020, https://www.theverge.com/2020/12/14/22174017/apple-app-store-new-privacy-labels-ios-apps-public

[2] Aaron Holmes, “Facebook knows what you’re doing on other sites and in real life. This tool lets you see what it knows about you.”, Business Insider, Mar. 17, 2020, https://www.businessinsider.com/facebook-clear-history-offline-activity-tracker-tool-how-to-use-2020-1

[3] Shoshana Wodinsky, “Google Drive is about to hit 1 billion users”, The Verge, Jul. 25, 2018, https://www.theverge.com/2018/7/25/17613442/google-drive-one-billion-users


Filed Under: Front Page Blogs, Tech Tagged With: cybersecurity, dropbox, google, google drive, microsoft, onedrive, Privacy

March 22, 2021

The Ethical Responsibility for Data Security in Finance, Law, and Healthcare

It’s difficult to argue that the vast majority of businesses today don’t have an ethical responsibility to adequately protect and secure their customers’ data. However, it’s an even more crucial aspect for organizations with known fiduciary duties to their clients or consumers, such as those in the Finance, Legal, Healthcare, and Insurance sectors. Let’s dig into each of these industries in the United States, look at their unique ethical demands regarding data security, and find some common solutions.

Finance

The financial industry includes banks, investment firms, real estate companies, and insurance organizations. According to the International Monetary Fund, it is the sector targeted most by hackers[1]. It makes sense. In a 2020 survey by Verizon Communications, researchers found that 86% of data breaches are primarily for money[2]. Who has more money than the financial industry?

Hackers target these institutions in a variety of ways. One of their most common tactics is attempting to gain access to customer login info. Direct attacks against an organization’s reserves gain immediate attention and mitigation, but hackers can take over a user account and move around smaller sums for much longer periods.

Another method they use is stealing sensitive financial documents. It provides the malicious agents with a treasure trove of confidential data to use for identity theft.

So, what ethical obligation do they have to their clients for securing this data? Since they’re such huge targets, financial institutions tend to employ data protection strategies that are more sophisticated than average. In 2020, the Federal Trade Commission proposed amendments to the Safeguards Rule and the Privacy Rule in the Gramm-Leach-Bliley Act. Under these proposals:

  • Financial institutions would need to safeguard customer data more robustly, such as utilizing encryption for all information.
  • Customers could opt out of data sharing policies between banks and third parties.
  • Banks would require employees to pass multi-factor authentication (MFA) to access client data.

The FTC has not ratified these amendments yet, but they would serve as a much-needed update to the current regulatory framework.

Law

Legal professionals now face an even greater risk to their clients’ personal information. Being the processors of strictly confidential information has always put large targets on them. But the COVID-19 pandemic forced many lawyers out of the office and courtroom and into their dens. Working from home is the new normal for legal pros, and that means more cybersecurity risks. Whereas they probably worked in a closed system at the office that IT experts monitored daily, it’s much more challenging to evaluate weaknesses in everyone’s home networks. Couple that with the fact that lawyers, on the whole, aren’t the most technically literate people in the world, and you’ve got a recipe for data breaches.

The American Bar Association gives broad ethical expectations for data security throughout its Model Rules of Professional Conduct[3]. A recent formal opinion published by the organization outlines them in greater detail[4], specifically for those engaged in a virtual practice. This opinion has the following provisions:

  • Lawyers must make “reasonable efforts to prevent inadvertent or unauthorized access [to client data].” Today, a reasonable attempt goes well beyond attaching a confidential document to an email and sending it off with nothing but the hope that it doesn’t fall into the wrong hands.
  • Virtual practitioners should look into setting up Virtual Private Networks (VPNs), keeping the computer’s operating systems updated so that security patches stay current, utilizing file encryption, using MFA, setting strong passwords, and changing them regularly.
  • Legal professionals must vet software and hardware providers to ensure proper security.
  • Lawyers should never use smart speakers (Alexa, Google Home, etc.) or virtual assistants (Siri) when conducting confidential business. These “helpers” listen to every word that is said and can be hacked easily by malicious agents.

Hopefully, the ABA codifies the recommendations given in this opinion into its formal standards.

Healthcare

The medical industry also deals with extremely private, confidential information and is susceptible to drawing attention from hackers. 2020 was an especially bad year for this, as the rise of COVID-19 caused a 55% spike in data breaches compared to 2019[5]. It’s a chilling reminder of how opportunistic threat actors can be. Sensing healthcare providers were stretched to the max and short on resources, they attacked.

Common reasons to target the healthcare industry include stealing patient medical records for resale on the Dark Web, identity theft purposes, or extortion schemes, and ransomware attacks to cripple critical systems until the organizations pay a hefty fee.

The United States Department of Health and Human Services set national regulations about healthcare data security through the HIPAA Security Rule. Here are some of the guidelines:

  • Organizations must have physical and technical security measures enacted for hosting sensitive health data. Examples include facility access limits, computer access controls, and strict limitations on attempts to transfer, remove, or delete patient records.
  • Technical systems must have automatic log-off settings, file encryption capabilities, regular audit reporting, and detailed tracking logs of user activity.

With COVID cases declining and vaccinations increasing, the healthcare sector could soon return to normal and start allocating more cybersecurity resources. At least for the first time in over a year, there’s cause for optimism.

Conclusion

With cyberattacks on the rise, there’s still much room for improvement in these industries. Organizations should go above and beyond legal requirements if adequate cybersecurity is a priority. Combining the right technical solutions with a plan of ongoing education is crucial. Usually, the weakest links in a network are the employees themselves. Train them regularly on the basics of phishing techniques and how to spot them. You’ll have a more resilient workforce who won’t fall for common scams that can put your organization at serious risk.

AXEL Go

Part of the equation is still using suitable technical systems. If your company transfers or stores confidential data, you need to ensure it’s locked down. AXEL Go is a decentralized, private and secure file-sharing and storage platform. It offers industry-leading security features that set it apart from the typical Big Tech applications. It uses blockchain technology, advanced file sharding, the InterPlanetary File System, and military-grade encryption to keep important documents away from hackers. Try AXEL Go and gain access to all of its premium features for only $9.99/mo. It’s the safest way to share and store online.

 

[1] Jennifer Elliott and Nigel Jenkinson, “Cyber Risk is the New Threat to Financial Stability”, IMF.org, Dec. 7, 2020, https://blogs.imf.org/2020/12/07/cyber-risk-is-the-new-threat-to-financial-stability/

[2] “2020 Data Breach Investigations Report”, Verizon, May 19, 2020, https://enterprise.verizon.com/resources/reports/dbir/?CMP=OOH_SMB_OTH_22222_MC_20200501_NA_NM20200079_00001

[3] American Bar Association, “Model Rules of Professional Conduct”, Americanbar.org, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents/

[4] American Bar Association Standing Committee On Ethics And Professional Conduct, Formal Opinion 498, Americanbar.org, March 10, 2021, https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba-formal-opinion-498.pdf

[5] “Healthcare Breach Report 2021: Hacking and IT Incidents on the Rise”, Bitglass, Feb. 17, 2021, https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q1HealthcareBreachReport2021.pdf?aliId=eyJpIjoiOE54NGRRTkhCZDY3aUxGMiIsInQiOiJ0RTZ1QVZXbnFPUGRhZXhVbmhyMmVnPT0ifQ%253D%253D


Filed Under: Cybersecurity Tagged With: cybersecurity, data protection, data security, finance, healthcare, law

March 17, 2021

A Breakdown of Google’s Alternative to the Third-Party Cookie

In an effort to distance itself from its less-than-stellar reputation on privacy, Google is developing and testing an alternative to third-party tracking cookies. It’s called the Federated Learning of Cohorts (FLoC), and the company claims it solves commonly-cited privacy issues with personalized advertising. Skeptical?

What is a cookie?

While most people know the term “cookie,” they might not understand precisely what cookies do. Before getting into Google’s replacement, here’s a brief synopsis:

A cookie is a small file that stores pieces of user data to improve their web browsing experience. Each web server collects visitors’ browsing history, settings, or preferences and saves the data in a file. The next time the user visits that site, the server pulls the cookie’s information and provides a customized experience. This can manifest in several ways, such as saving:

  • Display language preferences.
  • Shopping carts between sessions.
  • Login information.
  • Authentication data so that users don’t have to enter a CAPTCHA.

These are examples of first-party cookies. The website you visit actually collects the data. It is difficult to imagine an internet without first-party cookies. Nobody wants to input all of their information every time they view a site. However, there is another type called third-party cookies.

Third-party cookies

Unaffiliated domains create third-party cookies, which track users across multiple sites. They use this data for retargeting campaigns and personalized advertising. Third-party cookies are receiving backlash from consumers and privacy advocates alike.

These are unlikely to be anonymized in any meaningful way, which leads to persistent tracking. So, unknown to the end-user, advertisers can craft detailed profiles on individuals and market directly to them across the entire internet. Not only is this a blatant invasion of privacy, but it is also susceptible to abuse from predatory companies.

Google’s response to the cookie crumbling

Google recently decided to ban third-party cookies across its ad platform and block them by default on its popular Chrome browser[1]. So, has the search giant finally seen the light and found a newfound commitment to privacy? One peek at their advertising revenues should tell you all you need to know (over $37 billion in Q3 2020[2] alone). Google will not stop tracking people through mobile devices and will still target individuals with ads based on user behavior on their first-party application. Google is large and diverse enough that even first-party cookies pose a problem.

But at least they won’t be sharing individuals’ data with third-party advertising companies anymore, right? The technical answer is “right,” but it’s a bit more complicated. What they’ve really done is create a different way to track people for personalized ads. They have many projects aiming to replace the functionality of third-party cookies under a less toxic name. The proposals seem to follow an avian theme for some reason, such as PIGIN, TURTLEDOVE, SPARROW, SWAN, SPURFOWL, PELICAN, PARROT, PARAKEET, and so on. But one idea has really taken flight…

Enter the FLoC

The FLoC project is deep into its testing phase and has already delivered tangible results to advertisers (approximately 95% return on ad spend compared to third-party cookies[3]). FLoC stands for Federated Learning of Cohorts. A name that not only rolls right off the tongue but is also definitely not confusing and immediately makes its meaning known.

Snark aside, a FLoC clusters larger groups of people with similar interests together under a shared ID number (their “cohort”) and serves those within the group personalized ads. It uses sophisticated Machine Learning algorithms to analyze variables like the URLs visited, website content, and the typically nebulous “other factors.” So, Google still pulls this data from browsing history, but the information gets calculated on the user’s device rather than sent back to a Google server. This local data gets compiled with thousands of other users to remain private.

Privacy advocates, however, don’t see this as a suitable solution.

Issues with FLoC

Even looking past Google’s dubious past (and present) regarding privacy, the FLoC project raises concerns.

  • Fingerprinting. Millions of websites use hidden code to pull details about their visitors’ computers, and therefore, identities. With FLoC, instead of distinguishing an individual’s browser from hundreds of millions of others, advertisers only have to worry about how many reside in a particular cohort (thousands?). Google is trying to mitigate this, but there’s no solution coming soon, and the project is already rolling out. Evidently, it’s not a top priority.
  • Contextual identification. Companies could combine a cohort ID with other information, such as data obtained from having a ‘Login with your Google account’ option to identify people. Furthermore, advertisers can infer demographics from a particular cohort since people with similar browsing interests can likely be siloed into fairly accurate groups. Google claims it will protect ‘sensitive info’ like race and sexual preference, but its effectiveness is unknown. There’s less recourse for this when it does happen, too, because they’ll have plausible deniability about targeting these ‘protected’ entities.
  • Exploitation. FLoCs could result in the proliferation of exploitative practices. For instance, a cohort of people visiting sites about credit repair could receive ads for payday loans or other manipulative products and services.
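
The fingerprinting concern in the list above can be measured as a shrinking anonymity set. The following is an added example, not code from the original post or from Google: it runs on a constructed population, and the attribute names (`timezone`, `language`, `screen`, `cohort`), the cohort count, and the independent random assignment of cohorts are all assumptions made for illustration.

```javascript
// Constructed data only: attribute values, cohort IDs and their random,
// independent assignment are assumptions made for this illustration.
function buildPopulation(n, cohortCount, seed = 1) {
  let state = seed >>> 0;
  // Small linear congruential generator so the sample is reproducible.
  const pick = (k) => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return Math.floor((state / 4294967296) * k);
  };
  const timezones = ["UTC-8", "UTC-7", "UTC-6", "UTC-5", "UTC+0", "UTC+1"];
  const languages = ["en-US", "en-GB", "es-US", "fr-FR", "de-DE"];
  const screens = ["1366x768", "1920x1080", "2560x1440", "3840x2160"];
  const population = [];
  for (let i = 0; i < n; i++) {
    population.push({
      timezone: timezones[pick(timezones.length)],
      language: languages[pick(languages.length)],
      screen: screens[pick(screens.length)],
      cohort: pick(cohortCount),
    });
  }
  return population;
}

// One string per combination of observed attribute values.
const keyOf = (browser, attrs) => attrs.map((a) => String(browser[a])).join("|");

// Group browsers that look identical on the chosen attributes.
// Each group is an anonymity set; the map holds its size.
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const browser of population) {
    const key = keyOf(browser, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// For one browser: how many others look the same, and how many bits of
// identifying information the attributes reveal, log2(N / setSize).
function exposure(browser, population, attrs) {
  const setSize = anonymitySets(population, attrs).get(keyOf(browser, attrs)) || 0;
  const bits = setSize > 0 ? Math.log2(population.length / setSize) : Infinity;
  return { setSize, bits };
}

// Population-wide view: number of distinguishable groups, how many browsers
// are alone in their group, and the set size the median browser sits in.
function summarize(population, attrs) {
  const sizes = [...anonymitySets(population, attrs).values()];
  const perBrowser = sizes.flatMap((n) => Array(n).fill(n)).sort((a, b) => a - b);
  return {
    groups: sizes.length,
    unique: sizes.filter((n) => n === 1).length,
    medianSetSize: perBrowser.length ? perBrowser[Math.floor(perBrowser.length / 2)] : 0,
  };
}

const COARSE = ["timezone", "language", "screen"];
const WITH_COHORT = [...COARSE, "cohort"];
const sample = buildPopulation(20000, 50);

console.log("coarse attributes only:", summarize(sample, COARSE));
console.log("plus cohort ID:", summarize(sample, WITH_COHORT));
console.log("first browser, coarse:", exposure(sample[0], sample, COARSE));
console.log("first browser, with cohort:", exposure(sample[0], sample, WITH_COHORT));
```

Because adding an attribute can only split existing groups, a cohort ID never enlarges a browser's anonymity set; the useful measurement for a privacy review is how far it shrinks it.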

Conclusion

This project is already well underway. The days of personalized advertising are here to stay. There’s simply too much money at stake for it to go away without explicit regulation. FLoC only applies to the Chrome browser, which happens to be by far the most popular web browser. If you don’t want to participate in these shenanigans, you’ll have to use a privacy-focused browser. FLoC seems like a step in the right direction over third-party cookies, but it’d be hard to be worse than them. Valid concerns still exist, and privacy-oriented people likely won’t celebrate this stopgap.

Stay private

AXEL promotes the concept of data custody and prioritizes keeping user data secure and private. If you don’t want Big Tech companies like Google mining your information and tracking you incessantly, break free from their hegemony. Share and store files online without anxiety. AXEL Go is a safe, privacy-focused platform that utilizes blockchain technology, the InterPlanetary File System, and AES 256-Bit encryption. Take back control of your digital privacy. Try AXEL Go today. For $9.99, you can upgrade to a premium account and unlock all of its unique features.

[1] David Temkin, “Charting a course towards a more privacy-first web”, Blog.google, March 3, 2021, https://blog.google/products/ads-commerce/a-more-privacy-first-web/

[2] Kim Lyons, “YouTube brings in $5 billion in ad revenue as Alphabet and Google bounce back”, TheVerge.com, Oct. 29, 2020, https://www.theverge.com/2020/10/29/21531711/google-alphabet-ad-revenue-youtube-waymo-cloud-search

[3] Chetna Bindra, “Building a privacy-first future for web advertising”, Blog.google, Jan. 25, 2021, https://blog.google/products/ads-commerce/2021-01-privacy-sandbox/

Filed Under: Privacy Tagged With: big tech, cookie, floc, google, Privacy

March 12, 2021

The Microsoft Exchange Hack is Unparalleled

Barely two months after the massive SolarWinds attack (that experts are still attempting to unravel) comes news of perhaps an even larger successful attack. In a patch release on March 2nd, Microsoft announced they fixed four critical vulnerabilities in their Exchange Server email system. No big deal, right? Well, buckle up.

The scope

As it turns out, hackers exploited these zero-day (previously unknown) vulnerabilities for at least two months before Microsoft released the security patch. The security holes themselves were present for over ten years, so it may be an even more widespread issue. During the last two months, however, it seems as if over 30,000 organizations running Exchange Server were compromised in the United States alone[1]. Worldwide, the number grows to hundreds of thousands of likely victims. And that could be a lowball estimate! According to former CISA Director Chris Krebs, “The numbers I’ve heard dwarf what’s reported here,” referring to a report indicating the 30K number. That’s staggering!

The situation

In early January, the red team ethical hacking group DEVCORE, led by Orange Tsai, first reported two of the four zero-day vulnerabilities to Microsoft[2]. Soon after, the cybersecurity firm Volexity detected actual attacks from then-unknown entities using the exploits[3]. By late January, analysts mapped out the breaches and deciphered some details.

The threat actors were installing backend “web shells” on the Exchange servers. Web shells are malicious code injected into web applications that can give hackers administrator access to the infected servers. Then, the cybercriminals can run commands at will. In this case, it appears that the hackers stole private emails and primed the networks for other malicious activity. Some analysts worry that the affected systems may be vulnerable to future ransomware attacks[4].

The victims

The unfortunate truth is that nearly any organization running non-cloud-based Microsoft Exchange email servers could be a victim. As awareness of the hack spreads, the tally of compromised organizations grows. The scope of the attack is unprecedented. In an official statement, Microsoft claimed that the group responsible for the attack typically targets “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,[5]” but this attack appears much less selective.

According to the cybersecurity firm Huntress, many of the clients they confirmed as having the web shell installed do not fit into these categories[6]. As the Senior Security Researcher of the company says, “These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice cream company, a kitchen appliance manufacture, multiple senior citizen communities and other ‘less than sexy’ mid-market businesses.”

There have been some high-profile organizations already disclosing breaches, though:

  • European Banking Authority. On March 7th, the EBA, which has a supervisory role in the European Union’s banking industry, admitted hackers compromised their Exchange email servers[7]. Luckily, a security analysis turned up no evidence that the cybercriminals stole any data.
  • Norway’s parliament. The Norwegian parliament, the Storting, did not get off so easy. With the digital forensic investigation still underway, the governmental body admitted, “We know that data has been extracted, but we do not yet have a full overview of the situation.[8]” This is the second major breach the Storting experienced over the past three months.

Undoubtedly, the list of known organizations affected by the situation will increase significantly in the upcoming days.

The perpetrators

Microsoft has consistently assigned blame to a Chinese state-sponsored hacking group dubbed ‘HAFNIUM.[9]’ Details for this assessment are scarce. Evidently, the behavior and tactics are similar to known Advanced Persistent Threats (APTs) from China. The group also worked through leased VPN servers located in the United States, which may point toward a Chinese origin.

However, after the initial disclosure, cybersecurity firms reported that other APTs have joined in on the illicit fun. According to a report by the cybersecurity company ESET, at least ten other APTs are exploiting the Exchange flaws[10]. This includes Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, Cobalt Group, Mikroceen, and three unknown groups. It’s unclear if there is any proper coordination between these factions. The majority, but not all, of them share connections to China, but the fact that multiple web shells were present on some of the affected servers indicates a lack of collaboration.

As was mentioned in our previous SolarWinds article, attribution of an attack is quite tricky. There are instances of APTs disguising their activity and successfully pinning it on a different country. And, as the Vault 7 Wikileaks dump proved, nations have sophisticated tools that obfuscate the attackers’ true origins[11]. However, with so many Chinese APTs linked to the situation, it becomes more challenging to deny involvement. (Unsurprisingly, the Chinese Communist Party has denied the allegations.)

Uncertainty

So, where do we go from here? As mentioned, Microsoft released a patch that fixed the vulnerabilities. If your organization runs an Exchange email server, install the patches immediately. Microsoft says that these fixes will not help systems already infiltrated with web shells. If you suspect an infection, have cybersecurity professionals analyze the network.

Other than that, there isn’t too much you can do. Experts are still evaluating the full extent of the attack, and nobody knows if or when further damage, such as ransomware, will occur. The situation’s historic magnitude makes it especially scary because it goes against the traditionally cautious cyber strategy of China’s APTs. It’s brazen and impossible to ignore. What will the fallout be? Only time will tell.

Data security for all

Are you doing enough to protect your files from hackers and intruders? If you’re using a Big Tech solution for file-sharing and online storage, the answer is ‘no.’ Get serious about data security and use the private, safe file-sharing and storage platform AXEL Go. It utilizes blockchain technology, the InterPlanetary File System (IPFS), and robust password encryption to keep your documents out of reach from data mining corporations and hackers. Download it today for Windows, OSX, Android, or iOS and experience a better way to share.

 

[1] Brian Krebs, “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software”, Krebsonsecurity.com, March 5, 2021, https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

[2] “What is ProxyLogon”, Proxylogon.com, March 2021, https://proxylogon.com/#timeline

[3] Josh Grunzweig, Mathew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, “Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange vulnerabilities”.

[4] Brian Krebs, “Warning the World of a Ticking Time Bomb”, Krebsonsecurity.com, March 9, 2021, https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/

[5] “HAFNIUM targeting Exchange Servers with 0-day exploits”, Microsoft.com, March 2, 2021, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[6] John Hammond, “Rapid Response: Mass Exploitation of On-Prem Exchange Servers”, March 3, 2021, https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers

[7] Davey Winder, “EU Banking Authority Hacked As Microsoft Exchange Attacks Continue”, March 9, 2021, https://www.forbes.com/sites/daveywinder/2021/03/09/eu-banking-authority-hacked-as-microsoft-exchange-attacks-continue/?sh=29f2026d2fe0

[8] Richard Speed, “A nei! Norway’s Stortinget struck by Microsoft Exchange malware”, The Register, March 11, 2021, https://www.theregister.com/2021/03/11/stortinget_attack/

[9] “HAFNIUM targeting Exchange Servers with 0-day exploits”, Microsoft.com, March 2, 2021, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[10] Matthieu Faou, Mathieu Tartare, Thomas Dupuy, “Exchange servers under siege from at least 10 APT groups”, March 10, 2021, https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

[11] “Vault 7: CIA Hacking Tools Revealed”, Wikileaks.org, March 7, 2017, https://wikileaks.org/ciav7p1/index.html

Filed Under: Cybersecurity Tagged With: exchange email, exchange hack, hack, microsoft hack

March 6, 2021

A Breakdown of Virginia’s New Privacy Law

On March 2nd, Virginia Governor Ralph Northam signed a comprehensive data privacy bill into law, making it the second state behind California to enact formal privacy regulations[1]. While it’s difficult to argue this development is a bad thing, the fact that it had widespread approval from Big Tech opens it to scrutiny. Here, we look at the law’s provisions, compare it with California’s measures, and assess the areas where it’s lacking.

Who does this affect?

The Virginia Consumer Data Protection Act (VCDPA) will significantly affect entities known as ‘data brokers.’ A data broker can be one of the high-profile corporations from Big Tech (e.g., Google, Amazon, etc.) or the lesser-known companies operating in the shadows that gather, analyze, package, and sell consumers’ personal information. According to the VCDPA, data brokers must hit specific thresholds for the law to apply to them. These stipulations include:

  • “Persons” (remember folks, corporations are people too) must do business in Virginia or sell products and services that target Virginia residents.
  • The organizations have to control the data of at least 100,000 Virginia residents. (This number is decreased to 25,000 residents if the company receives half or more of its revenue from selling personal information.)

There are several exemptions, however. For example, organizations do not have to abide by these regulations if:

  • The data they collect from individuals pertains to employment or other commercial information. This means employees aren’t protected from their company’s data collection, and business-to-business data is still a free-for-all.
  • They are in the financial services, research, credit reporting, healthcare, or educational industries.
  • They are a designated non-profit.

So, already there appear to be some loopholes.

What are the new privacy provisions?

The VCDPA outlines new expectations that applicable data brokers must follow.

  • Data brokers must gain explicit consent before processing “sensitive data.” This would include racial makeup, religious beliefs, health records, sexual orientation, genetic data, or a person’s precise geolocation.

It also grants consumers a variety of new data rights.

  • The right of access. Now, Virginians can request to know all the information a company collects on them.
  • The right of correction. Consumers can request a company correct wrong information, and they have to comply.
  • The right of deletion. Individuals can request the deletion of their data.
  • The right to opt-out of targeted advertising, data selling, and profiling.

Unfortunately, there are more exemptions for these too. Organizations can get out of many of these information requests if they feel it would cause an “unreasonable burden.” They also do not need to comply if the data collected is pseudonymized (meaning they replaced identifying info with pseudonyms).

Starting in 2023, any company found in non-compliance with the terms of the VCDPA will have 30 days to correct their course or be subject to a $7,500 fine for each violation.

Compared to the CPRA

California is the other state with data privacy laws on the books. The recently passed California Privacy Rights Act (CPRA) set the national standard. How does the VCDPA stack up? Overall, they’re very similar. There are a few key differences, though:

VCDPA is more limited in scope. It’s a bit semantic, but where the CPRA exempts specific personal data types, the VCDPA exempts entire industries like healthcare and education. This slightly shrinks the net of data protections.

VCDPA doesn’t apply to employees or commercial data. Under the CPRA, employees have the same protection as consumers. Unfortunately for Virginians, the VCDPA explicitly excludes employee or business-to-business data.

VCDPA has no private right of action. This means that residents aren’t allowed to sue offending companies for damages. California’s privacy law gives individuals the right to sue for up to $750 for violations.

Criticism

Privacy groups like the Electronic Frontier Foundation (EFF) levied scathing critiques of the bill[2]. Other than the lack of a private right of action, as mentioned above, it was also slammed for facilitating ‘pay-for-privacy’ programs, where businesses could charge consumers not to collect and sell their information.

Another complaint is that the law would force consumers to opt-out of collection rather than opt-in. Obviously, this creates an unnecessary barrier to privacy and makes the default invasive. Most people are too busy to go searching for opt-out links. It’s why some privacy advocates believe it protects the interests of companies more than consumers. The fact that Big Tech behemoths Amazon and Microsoft both offered support for the bill[3] backs up this assertion.

Regardless, it’s better than nothing. And, like the CPRA following up the CCPA after only a few years, it is possible to improve on privacy regulations in the future. Nothing is perfect, and in squabbling over the details, sometimes advocacy groups lose sight of the forest for the trees.

Any regulatory improvement is good, and the process is likely to be iterative over time. The VCDPA may not be a giant leap toward the end goal of robust data privacy laws, but it’s a healthy first step, one that lawmakers can build upon and that can provide an example to the rest of the country. At some point, federal data privacy laws will be on the table, and having test programs like this will inform lawmakers about what works and what doesn’t.

Building solutions and bringing awareness to data custody

AXEL is committed to providing data custody to its users. We never sell your information to third parties or mine your account for data. Our developers design privacy-based software solutions that keep your content away from the greedy hands of data brokers and Big Tech. AXEL Go is a blockchain-backed file-sharing and storage platform with optional encryption features. You can share and store files online without the worry of who else can see them. Take data privacy into your own hands. Ditch Big Tech and try AXEL Go today.

 

[1] Cat Zakrzewski, “Virginia governor signs nation’s second state consumer privacy bill”, The Washington Post, March 2, 2021, https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/

[2] Hayley Tsukayama, “Virginians Deserve Better Than This Empty Privacy Law”, EFF.org, Feb. 12, 2021, https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

[3] Cat Zakrzewski, “The Technology 202: Virginia is poised to pass a state privacy law”, The Washington Post, Feb. 11, 2021, https://www.washingtonpost.com/politics/2021/02/11/technology-202-virginia-is-poised-pass-state-privacy-law/

Filed Under: Privacy, Uncategorized Tagged With: ccpa, cdpa, cpra, data privacy, GDPR, privacy law, VCPDA, virginia privacy
