data privacy

March 6, 2021

A Breakdown of Virginia’s New Privacy Law

On March 2nd, Virginia Governor Ralph Northam signed a comprehensive data privacy bill into law, making it the second state behind California to enact formal privacy regulations[1]. While it’s difficult to argue this development is a bad thing, the fact that it had widespread approval from Big Tech opens it to scrutiny. Here, we look at the law’s provisions, compare it with California’s measures, and assess the areas where it’s lacking.

Who does this affect?

The Virginia Consumer Data Protection Act (VCDPA) will significantly affect entities known as ‘data brokers.’ A data broker can be one of the high-profile corporations from Big Tech (e.g., Google, Amazon) or one of the lesser-known companies operating in the shadows that gather, analyze, package, and sell consumers’ personal information. According to the VCDPA, data brokers must hit specific thresholds for the law to apply to them. These stipulations include:

  • “Persons” (remember folks, corporations are people too) must do business in Virginia or sell products and services that target Virginia residents.
  • The organizations have to control the data of at least 100,000 Virginia residents. (This number is decreased to 25,000 residents if the company receives half or more of its revenue from selling personal information.)

There are several exemptions, however. For example, organizations do not have to abide by these regulations if:

  • The data they collect from individuals pertains to employment or other commercial information. This means employees aren’t protected from their company’s data collection, and business-to-business data is still a free-for-all.
  • They are in the financial services, research, credit reporting, healthcare, or educational industries.
  • They are a designated non-profit.

So, already there appear to be some loopholes.

What are the new privacy provisions?

The VCDPA outlines new expectations that applicable data brokers must follow.

  • Data brokers must gain explicit consent before processing “sensitive data.” This would include racial makeup, religious beliefs, health records, sexual orientation, genetic data, or a person’s precise geolocation.

It also grants consumers a variety of new data rights.

  • The right of access. Now, Virginians can request to know all the information a company collects on them.
  • The right of correction. Consumers can request a company correct wrong information, and they have to comply.
  • The right of deletion. Individuals can request the deletion of their data.
  • The right to opt-out of targeted advertising, data selling, and profiling.

Unfortunately, there are more exemptions for these too. Organizations can get out of many of these information requests if they feel a request would cause an “unreasonable burden.” They also do not need to comply if the data collected is pseudonymized (meaning they replaced identifying info with pseudonyms).

Starting in 2023, any company found in non-compliance with the terms of the VCDPA will have 30 days to correct their course or be subject to a $7,500 fine for each violation.

Compared to the CPRA

California is the other state with data privacy laws on the books. The recently passed California Privacy Rights Act (CPRA) set the national standard. How does the VCDPA stack up? Overall, they’re very similar. There are a few key differences, though:

VCDPA is more limited in scope. It’s a bit semantic, but where the CPRA exempts specific personal data types, the VCDPA exempts entire industries like healthcare and education. This slightly shrinks the net of data protections.

VCDPA doesn’t apply to employees or commercial data. Under the CPRA, employees have the same protection as consumers. Unfortunately for Virginians, the VCDPA explicitly excludes employee or business-to-business data.

VCDPA has no private right of action. This means that residents aren’t allowed to sue offending companies for damages. California’s privacy law gives individuals the right to sue for up to $750 per violation.

Criticism

Privacy groups like the Electronic Frontier Foundation (EFF) levied scathing critiques of the bill[2]. Other than the lack of a private right of action, as mentioned above, it was also slammed for facilitating ‘pay-for-privacy’ programs, where businesses could charge consumers not to collect and sell their information.

Another complaint is that the law would force consumers to opt-out of collection rather than opt-in. Obviously, this creates an unnecessary barrier to privacy and makes the default invasive. Most people are too busy to go searching for opt-out links. It’s why some privacy advocates believe it protects the interests of companies more than consumers. The fact that Big Tech behemoths Amazon and Microsoft both offered support for the bill[3] backs up this assertion.

Regardless, it’s better than nothing. And, like the CPRA following up the CCPA after only a few years, it is possible to improve on privacy regulations in the future. Nothing is perfect, and in squabbling over the details, sometimes advocacy groups lose sight of the forest for the trees.

Any regulatory improvement is good, and the process is likely to be iterative over time. The VCDPA may not be a giant leap toward the end goal of robust data privacy laws, but it’s a healthy first step, one that lawmakers can build upon and that provides an example to the rest of the country. At some point, federal data privacy laws will be on the table, and having test programs like this will inform lawmakers about what works and what doesn’t.

Building solutions and bringing awareness to data custody

AXEL is committed to providing data custody to its users. We never sell your information to third parties or mine your account for data. Our developers design privacy-based software solutions that keep your content away from the greedy hands of data brokers and Big Tech. AXEL Go is a blockchain-backed file-sharing and storage platform with optional encryption features. You can share and store files online without the worry of who else can see them. Take data privacy into your own hands. Ditch Big Tech and try AXEL Go today.

[1] Cat Zakrzewski, “Virginia governor signs nation’s second state consumer privacy bill”, The Washington Post, March 2, 2021, https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/

[2] Hayley Tsukayama, “Virginians Deserve Better Than This Empty Privacy Law”, EFF.org, Feb. 12, 2021, https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

[3] Cat Zakrzewski, “The Technology 202: Virginia is poised to pass a state privacy law”, The Washington Post, Feb. 11, 2021, https://www.washingtonpost.com/politics/2021/02/11/technology-202-virginia-is-poised-pass-state-privacy-law/


Filed Under: Privacy, Uncategorized Tagged With: ccpa, cdpa, cpra, data privacy, GDPR, privacy law, VCPDA, virginia privacy

February 26, 2021

Should Privacy be a Human Right?

With the advancements in the mass surveillance technology used by governments and corporations, maintaining individual privacy has never been more important. AXEL believes privacy is a fundamental human right that these powerful institutions need to acknowledge. Without a vigorous defense of this position, influential organizations will inevitably erode privacy protections and lead society down a dark, Orwellian path.

Privacy law – not a new thing

Citizens demanding basic privacy is not a new phenomenon. Formal privacy law goes all the way back to 1361 AD in England[1]. Never mind modern accoutrements like cellphones; back then, niceties such as plumbing and an easily traversable road system weren’t fathomable. It was the time of King Edward III, with England and France engaged in what was to be known as ‘The 100 Years War.’ In other words, a LONG time ago.

The Justices of the Peace Act outlawed peeping toms and eavesdroppers under the penalty of imprisonment. It was a way to stop the town weirdo from spying on neighbors from behind a cow or haycart.

Today these concerns seem quaint, as every computer, cellphone, smartwatch, digital assistant, or any other piece of internet-connected technology is the equivalent of an eavesdropping creep. On the plus side, medicine advanced past the practice of bloodletting as a cure-all. So, we’ve got that going for us.

A decree from the United Nations

Fast-forward over half a millennium to 1948. The newly formed international coalition, the United Nations, released the United Nations Declaration of Human Rights[2]. This short document outlined various human rights for all people. Article 12 states, “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attack upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attack.”

While these UN guidelines are clear and concise, they lacked any true enforcement capabilities. Fantastic ideals in theory; often ignored in practice.

United States privacy law history

Unfortunately, the United States Constitution doesn’t explicitly guarantee privacy as a right. However, not all is lost. Throughout the years, there have been legal arguments that other liberties imply privacy rights. Examples include:

  • Stanford Law Review April 2010. A piece in the prestigious legal journal by Orin Kerr outlined an argument that sought to apply the Fourth Amendment to internet privacy[3]. The focus is on police-related intrusions, specifically dealing with warrant requirements for digital surveillance.
  • Griswold v. Connecticut. This 1965 case set the precedent that the Constitution grants privacy rights against government intrusion implicitly from other liberties established in the Bill of Rights[4]. While the case pertained to marital relations, the ruling set a precedent for the more general concept of implicit rights.

The current state of privacy

Two-thirds of countries have privacy regulations on the books[5]. So, everything’s all good, right? Time for privacy advocates to pack it up and celebrate their victory! No, things are not all rainbows and sunshine in this space. In fact, the situation is pretty bad.

Government privacy intrusions

The U.S. government spying on its citizens is nothing new. The practice dates back at least 70 years. Over this time, many groups (political activists, civil rights leaders, union participants, the far-Left, the far-Right, you name it) became surveillance targets of federal agencies like the FBI, CIA, and NSA. However, the devastating 9/11 attacks combined with advancing digital technology created a perfect storm for privacy intrusion at a scale never before seen.

Whistleblower Edward Snowden outlined the details in 2013[6]. Here are a few significant revelations from the leaks:

  • The NSA collected millions of people’s cellphone metadata (i.e., when calls are made and to whom) and location information[7]. A federal appeals court finally ruled this tactic illegal in 2020[8].
  • The NSA can easily break internet standard encryption methods to view private emails, financial transactions, and other personal data[9].
  • The NSA implemented a program code-named PRISM where the Big Tech companies would mine user data and turn it over to the agency upon request[10].

These only scratch the surface of the Snowden leaks. The story received enormous press coverage over the years, putting pressure on the federal agencies for more transparency. It is naive to think organizations like the NSA stopped using these tactics, though. After all, the courts didn’t ban illegal phone metadata collection until seven years after initial disclosure, after multiple other scandals[11].

Corporate intrusions

Of course, the government doesn’t have a monopoly on invading people’s privacy. Corporations are big players in the game, too (although, as seen in the PRISM program, the two can work together).

Big Tech has a notorious reputation in this regard. Companies such as Facebook, Google, and Amazon collect so much personal data that their algorithms probably know people better than they know themselves.

The best-known scandal involved Cambridge Analytica, a Big Data firm that bought user data from Facebook and used it to serve targeted political ads, allegedly resulting in a shift toward Donald Trump’s election[12].

Regardless of that hypothesis’s validity, data mining and selling are an everyday occurrence in Big Tech’s world. All one has to do is read the privacy policies or terms of service agreements the companies provide to get a glimpse at the breadth of knowledge they have about individuals. Easier said than done since those policies are thousands of words of legalese, but decipher them, and it becomes quite creepy.

Tougher legislation

Data privacy and protection are now mainstream topics. As such, some governments are enacting stronger legislation. The Gold Standard of these laws is the General Data Protection Regulation (GDPR) in the European Union. It is the most comprehensive data privacy law to date.

California took the main framework of the GDPR and passed a similar law called the California Privacy Rights Act (CPRA), which will take a few years to implement fully. While these are the best laws currently in effect, they still have loopholes that will undoubtedly lead to exploitation. Do they go far enough to protect everyone’s personal information? Only time will tell.

Be proactive

The GDPR and CPRA are much needed, but people should take matters into their own hands as well. Stop relying on “free” software from the megacorporations and search for privacy-based alternatives.

AXEL Go is the perfect solution for anyone looking for a private, secure file-sharing and storage platform. It has blockchain implementation, runs on the un-censorable InterPlanetary File System, and utilizes military-spec AES 256-bit encryption to ensure your files aren’t compromised. Sign up for a free Basic account and receive 2GB of online storage and enough network fuel for hundreds of typical shares. AXEL truly believes privacy is an inalienable human right. That’s why AXEL Go has industry-leading privacy features that will only get better. Download it today.

[1] English Parliament, “Justices of the Peace Act 1361”, legislation.gov.uk, https://www.legislation.gov.uk/aep/Edw3/34/1

[2] The United Nations, “The Universal Declaration of Human Rights”, un.org, 1948, https://www.un.org/en/universal-declaration-human-rights/#:~:text=Article%2012.,against%20such%20interference%20or%20attacks

[3] Kerr, Orin S. “Applying the Fourth Amendment to the Internet: A General Approach.” Stanford Law Review 62, no. 4 (2010): 1005-049. Accessed February 24, 2021. http://www.jstor.org/stable/40649623

[4] “Griswold v. Connecticut.” Oyez. Accessed February 24, 2021. https://www.oyez.org/cases/1964/496

[5] “Data Protection and Privacy Legislation Worldwide”, UNCTAD, Feb. 4, 2020, https://unctad.org/page/data-protection-and-privacy-legislation-worldwide

[6] Glenn Greenwald, “Edward Snowden: the whistleblower behind the NSA surveillance revelations”, The Guardian, June 9, 2013, https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance

[7] Barton Gellman, Ashkan Soltani, “NSA tracking cellphone locations worldwide, Snowden documents show”, The Washington Post, Dec. 4, 2013, https://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html

[8] Josh Gerstein, “Court rules NSA phone snooping illegal, after 7-year delay”, Politico, Sept. 2, 2020, https://www.politico.com/news/2020/09/02/court-rules-nsa-phone-snooping-illegal-407727

[9] Joseph Menn, “New Snowden documents say NSA can break common Internet encryption”, Reuters, Sept. 5, 2016, https://www.reuters.com/article/net-us-usa-security-snowden-encryption/new-snowden-documents-say-nsa-can-break-common-internet-encryption-idUSBRE98413720130905

[10] Barton Gellman, Laura Poitras, “U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program”, The Washington Post, June 7, 2013, https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html

[11] Zack Whittaker, “NSA improperly collected Americans’ phone records for a second time, documents reveal”, TechCrunch, June 26, 2019, https://techcrunch.com/2019/06/26/nsa-improper-phone-records-collection/

[12] Dan Patterson, “Facebook data privacy scandal: A cheat sheet”, TechRepublic, July 30, 2020, https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/


Filed Under: Front Page Blogs, Privacy Tagged With: big tech, data mining, data privacy, human rights, Privacy

February 18, 2021

Here’s Why Free Software Can Be a Poison Pill

There was a time when consumer expectations did not demand software be free. Sure, there has always been freeware, but it wasn’t the norm. If someone in the 1980s wanted a word processor, they expected to pay for it!

Today, these expectations have flipped. Why would someone pay for software or web services? Social media platforms are free. Big Tech companies like Google offer free alternatives to traditionally-paid programs such as word processors, spreadsheets, and visual presentation software. What’s the harm? The services are high-quality and users aren’t out a dime. It’s a win-win, right? Well, much like your relationship status during college, it’s complicated.

A costly endeavor

The truth is, software development is expensive. It’s always been expensive. And, even with the proliferation of outsourcing, it remains so today. It is a highly specialized skill requiring considerable knowledge and continued education. The median pay for a developer in the United States was over $107,000 in 2019[1]. Prices for outsourced developers vary by country but expect to pay around $30,000 a year for quality work[2]. Many development teams employ a mixture of domestic and foreign help.

Unlike the 80s, when a small team could complete programs in a basement, larger units are now necessary to deal with the complexities of modern computing. Big Tech’s full-featured products certainly require these sizeable teams of high-cost developers. Their offerings also typically need massive investments in physical infrastructure to keep the services running for millions of potential users. Knowing all this, how do they provide the end products for free? Out of the goodness of the shareholders’ hearts?

The tradeoff

Unsurprisingly, no. Big Tech companies are some of the largest businesses in the world, with billions in yearly revenue. The “free” apps and services they provide do require a form of payment: your personal data. As the saying goes, “If you aren’t paying for the product, you are the product.”

Today, tech megacorporations collect an absurd amount of data on their users (and in Facebook’s case, even non-users[3]). The data they find most useful usually falls into the following categories:

  • Email receipts. Who people email consistently can be a wealth of information for data miners.
  • Web activity. Big Tech wants to know which sites everyone visits, how long they stay there, and a host of other browsing metrics. They track across websites, analyze likes and dislikes, and even assess mouse cursor movement.
  • Geolocation. When tracking internet activity isn’t invasive enough, many companies evaluate where people go in the real world. Most don’t understand that their phones’ GPS sensors aren’t strictly used for directions to their aunt’s new house.
  • Credit card transactions. Purchase records outline a person’s spending habits. Since the entire point of collecting all of this data is to squeeze money out of the user in other ways, this info is extremely valuable.

Imagine the models companies can create of their users, given all of that information. They use these models to personalize advertisements across their platforms. Advertisements more likely to result in sales mean more revenue, so they have an incentive to collect as much data as possible. But that’s not the only way they monetize personal information. Many sell it to third-parties too. Are you creeped out yet?

Alternative data providers

Organizations called ‘alternative data providers’ buy up all of this information, repackage it, and sell it off to whoever wants it (usually financial institutions looking to gain broad insights about the direction of a given market).

As of 2020, there are over 450 alternative data providers[4], and what happens to your information after they get their hands on it is about as opaque as it gets. This is especially the case in the United States, as there are no federal privacy laws that set clear expectations regarding personal data sales and stewardship. However, there is hope with the passing of California’s new privacy law that Congress will finally tackle the subject.

Privacy policies

One way consumers can stay informed about an organization’s data collection guidelines is to read through its privacy policy and terms of service agreement. There, they can find general information about its practices. Unfortunately, organizations seldom list the specifics (e.g., which companies they share the data with or sell it to). These documents also tend to be excessively long and filled with confusing legalese. This makes it difficult to extract even basic information and leads to a frustrating user experience.

It’s no wonder that, according to a Pew Research survey, only 22% of Americans read privacy policies “always” or “often” before agreeing to them[5]. Most just hit accept without a second thought. We recommend always looking into a company’s privacy policy and terms of service before using its products. If you don’t want to slog through the jargon, try out ToS;DR, a website that breaks down these documents into readable summaries. It also gives Big Tech companies “privacy grades” based on what it finds. A few examples (note: “E” is the lowest grade):

  • Facebook – E. Big surprise here. The company that stores data, whether the person has an account or not, did not score well.
  • Amazon – E. Although online retail is their bread and butter, Amazon also dabbles in providing free apps and services such as the Kindle App. They track people across websites and sell consumer data to third parties, among other egregious tactics.
  • Google – E. Google collects biometric data, shares info with third parties, retains data after erasure requests, and much more.

Search for your favorite social media platform or Big Tech service and see how it stacks up. Spoiler alert: probably not very well.

Another consideration

Open source projects have a poor reputation for cybersecurity since the developers are unpaid and less motivated to provide reliable support. Conversely, free Big Tech products typically get a pass on those risks. After all, their software is well-funded and receives developer support throughout its entire lifespan. This minimizes a few crucial points, though.

First, large tech corporations benefit immensely from a built-in following and the integrated marketing apparatuses at their disposal. This attracts a significantly higher baseline of users for any given service than a startup’s equivalent solution. These massive user bases attract cybercriminals.

This leads to the second point: while these companies support their products and offer security patches regularly, there will always be vulnerabilities. The services almost always run on centralized server farms, making for an enormous attack surface. And the products with the most users will always be the primary targets for phishing scams. So, it’s kind of a paradox. More marketing, support, and users lead to more attacks.

File sharing app examples

There are countless examples of vulnerabilities found in Big Tech apps and services, but here are a few examples in the file-sharing sector:

Google Drive: In the fall of 2020, threat actors exploited a flaw in Google Drive to send push notifications and emails to users[6]. The messages contained malicious links that led to malware. The situation affected hundreds of thousands of users.

Microsoft OneDrive: Although not officially breached, in April 2020, Microsoft announced a critical vulnerability in its OneDrive cloud app[7]. It quickly released a security fix, but it is unknown whether hackers knew about the vulnerability beforehand or whether they breached unpatched systems after Microsoft disclosed it.

Dropbox: In 2012, a hacker stole the login credentials of over 68 million Dropbox users and sold them on the Dark Web. As if this weren’t bad enough, it took Dropbox three years to disclose the breach! So, during that time, nearly 70 million users were in danger.

ShareIt: This platform may be lesser-known in the United States, but it has 1.8 billion users worldwide and is very popular throughout Asia and Russia. A recent security audit found critical vulnerabilities that could result in hackers stealing sensitive data[8]. Its website doesn’t even default to HTTPS, meaning security doesn’t seem to be a priority for the development team.

In conclusion, free platforms from multibillion-dollar corporations can be dangerous from both data collection and cybersecurity standpoints. Consumers should do their research and consider paying a small fee for privacy and security-focused competitors.

AXEL Go

AXEL is dedicated to giving data custody back to the user. We never sell personal information to third parties or mine accounts. Our file-sharing application, AXEL Go, utilizes blockchain technology, the InterPlanetary File System, and AES 256-bit encryption to provide the most secure cloud-sharing experience in the industry.

Sign up for AXEL Go and receive a free 14-day trial of our Premium service. Premium accounts receive five times more online storage than the Basic account, along with more security options and no restrictions on file sizes. After the trial, users pay $9.99/month to continue the Premium service or downgrade to the Basic account. So, stop worrying and share your documents securely with AXEL Go.

[1] “Occupational Outlook Handbook: Software Developers”, U.S. Bureau of Labor Statistics, 2019, https://www.bls.gov/ooh/computer-and-information-technology/software-developers.htm

[2] Julia Kravchenko, “How Much Does It Cost to Hire Developers: Software Developer Salary Guide 2018”, Hackernoon.com, March 12, 2018, https://hackernoon.com/how-much-does-it-cost-to-hire-developer-software-developer-salary-guide-2018-590fb9e1af2d

[3] Kurt Wagner, “This is how Facebook collects data on you even if you don’t have an account”, Vox, April 20, 2018, https://www.vox.com/2018/4/20/17254312/facebook-shadow-profiles-data-collection-non-users-mark-zuckerberg

[4] Rani Molla, “Why your free software is never free”, Vox, Jan. 29, 2020, https://www.vox.com/recode/2020/1/29/21111848/free-software-privacy-alternative-data

[5] Brooke Auxier, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar, Erica Turner, “Americans and Privacy: Concerned, Confused And Feeling Lack Of Control Over Their Personal Information”, Pew Research Center, Nov. 15, 2019, https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/

[6] Lindsey O’Donnell, “Scammers Abuse Google Drive to Send Malicious Links”, threatpost, Nov. 2, 2020, https://threatpost.com/scammers-google-drive-malicious-links/160832/

[7] Davey Winder, “Windows OneDrive Security Vulnerability Confirmed: All You Need To Know”, Forbes, Apr. 15, 2020, https://www.forbes.com/sites/daveywinder/2020/04/15/windows-onedrive-security-vulnerability-confirmed-all-you-need-to-know/?sh=517e144b6fa3

[8] Ron Amadeo, “‘ShareIt’ Android app with over a billion downloads is a security nightmare”, Ars Technica, Feb. 16, 2021, https://arstechnica.com/gadgets/2021/02/shareit-android-app-with-over-a-billion-downloads-is-a-security-nightmare/


Filed Under: Business, Cybersecurity, Tech Tagged With: big data, big tech, data collection, data privacy, free software, freeware, Privacy

November 20, 2020

What’s Inside California’s New Privacy Regulations

On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA or Prop 24), a ballot initiative expanding consumer privacy protections. It easily passed, securing over 56% “Yes” votes. We look into some of its major provisions and examine how it differs from a previous California privacy law.

An amendment to current regulations

In 2018, the California Consumer Privacy Act (CCPA) passed and became law. While it outlined a framework for many consumer privacy protections, many felt it was inadequate given the current state of corporate data collection. So, a mere two years later (and less than one year after the CCPA officially went into effect), the CPRA has made significant changes to these stipulations.

An overview of the changes

Here is a brief summary of the significant changes. You can view the full bill here if you enjoy reading 50 pages of legalese (hey, everyone has their preferences).

A higher threshold for mandated compliance

The CCPA required businesses that used 50,000 consumers’ or households’ personal information to comply with the bill’s privacy standards. The CPRA actually increases this number to 100,000 consumers or households. So, it lessens the regulatory burden on small to medium-sized businesses that traffic in personal information.

Is this a win for privacy advocates? It’s unclear. Nobody wants to shutter small businesses due to onerous regulation, but could these exemptions lead to exploitation? While the biggest privacy offenders, such as Facebook and Google, will fall under the regulatory umbrella, smaller companies get a free pass. Could this create a loophole where corporations spin their data collection arms off into smaller shell companies to avoid compliance? Until governments and organizations address these possibilities, it remains a concern.

A wider net

CCPA restrictions applied to companies receiving 50% or more of their revenue from selling personal data. This seemingly straightforward wording created a giant loophole for the serial data offenders. In many cases, corporations argued they didn’t actually “sell” personal information. They simply gave it away to increase advertising revenue.

The CPRA closes this loophole by injecting the term “sharing” into the clause. As defined by the bill: “sharing, renting, releasing, disclosing, disseminating, making available, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary, or other valuable consideration…” results in mandatory compliance (assuming the other qualifiers are also met). This is a much more encompassing definition and an overall win for privacy advocates.

New data categories

Whereas the CCPA treated most personal information generally, the CPRA creates more granular data categories with distinct regulatory differences. Specifically, the CPRA defines certain types of data as being “Sensitive Personal Information.” This includes:

  • Government identifiers such as social security numbers or driver’s licenses
  • Financial accounts and login information
  • Detailed geolocation data
  • Info regarding race, religion, philosophical beliefs, or sexual preference
  • Union membership status
  • The content of private mail, email, and text messages
  • Genetic information
  • Biometric data
  • Health records

Consumers can now request that businesses limit the use of their Sensitive Personal Information to only what is necessary to provide the desired services. Companies would then no longer be able to sell or share sensitive information without prior consent and authorization.

It also sets up disclosure and opt-out standards for the use of Sensitive Personal Information that organizations must follow. This includes providing opt-out links on their businesses’ homepage and respecting opt-out signals sent by the consumers when they visit their site.

Expanded consumer rights

The CPRA outlines new privacy rights and modifies others already defined in the CCPA. Examples include:

The right to correction. Consumers can now demand businesses update their personal information if it’s inaccurate.

The right to opt-out of profiling. Data collectors use your personal information to construct a “profile” of you, then utilize automated decision-making technology to serve advertisements based on the profile. The CPRA allows consumers to opt-out of this practice.

An expanded right-to-know. Previously, the CCPA entitled consumers to information collected on them for the past 12 months. The CPRA entitles residents to all data collected.

Greater protection for minors. Businesses that collect and sell the personal information of minors under the age of 16 are subject to triple fines per incident, or $7500.

A more robust right to delete. The CPRA strengthens Californians’ right to delete their personal information. Companies now not only must delete the data but inform third parties they’ve shared or sold the data to of the deletion request as well. Note, the right to delete is subject to certain conditions and exemptions.

A new government agency

Under the CCPA, enforcement falls under the California Attorney General’s responsibilities. This bill creates a dedicated government agency that will handle enforcement and penalties. California sure does love their government agencies! It’s called the California Privacy Protection Agency (CPPA); don’t worry if you can’t keep all the acronyms straight. The CPPA will have a $5 million budget in 2021, which will increase to $10 million from 2022 on. Its creation will theoretically lessen the burden on the Attorney General’s office and make enforcement more feasible.

Regular audits

Another important provision of the bill is the requirement for companies to audit their cybersecurity practices. As the constant hacks over the past few years have shown, problems lie not only in data collection but also in data protection. Sensitive information needs to be secured with baseline standards to prevent future phishing attacks, cyber theft, and identity fraud.

Organizations must present the findings from these audits to the newly-formed CPPA on a “regular basis.” Hopefully, this incentivizes companies working with private data to invest more in their cybersecurity solutions and reduce data breaches.

Opposition

The CPRA is a controversial bill, with a diverse set of proponents and opponents. However, the opponents may not be who you’d imagine. While one might assume that the big technology corporations in Silicon Valley aren’t too happy with the bill, none came out in outright opposition. There are two common explanations for this:

  • Nobody in Big Tech wants to come out against consumer privacy explicitly. Facebook, Google, and the other tech players have all had their share of bad publicity regarding privacy concerns over the past few years. Saying, “Oh yeah, we want all of your data and don’t want you to have any recourse against it,” likely wouldn’t play well to the general user.
  • Big Tech has sunk its digital claws into the legislation and weakened it considerably. This is actually the standard line for many of those who have come out against it.

Surprising opponents include the California American Civil Liberties Union[1], Consumer Action[2], and the California League of Women Voters[3].

A frequently cited concern

Those opposing the bill have similar problems with it. They conclude it’s a “pay-for-privacy” scheme that unfairly affects people without the financial means to pay. This is because a clause in the legislation says that a company can charge a consumer requesting privacy the amount of the collected data’s value. It helps tech organizations offset the advertising revenue lost and is a clear motivation for consumers to opt-in to data collection.

An unclear future

Though not everyone agrees that the CPRA is the best possible solution, it’s difficult to argue it isn’t more substantial than the CCPA. It will be fascinating to see the legislation’s future effects on the tech business and consumer privacy. If successful, it could set in motion a slew of similar bills in other states. If it becomes a bureaucratic quagmire, it might stall regulation throughout the country.

One quirk of the CPRA is that lawmakers can no longer amend it unless the amendment is to “further privacy rights.” That may sound good, but its nebulous wording could open up legal challenges down the road if aspects of it need adjustment.

AXEL’s commitment

At AXEL, we believe in everyone’s right to privacy. That’s why we develop file-sharing and cloud storage solutions that prioritize privacy and security. No government-enforced edicts are necessary for us to respect your personal information. It’s an integral component of our corporate philosophy. If you need to share or store files in a safe, private way, download AXEL Go for Windows, Mac, Android, or iOS. Get out from under the watchful eye of Big Tech and experience a better way to use the internet.


[1] Andrea Vittorio, “ACLU Among Activists Opposing Update to California Privacy Rules”, Bloomberg Law, July 22, 2020, https://news.bloomberglaw.com/privacy-and-data-security/aclu-among-activists-opposing-update-to-california-privacy-rules

[2] Alegra Howard, Linda Sherry, “Consumer Action opposes California Proposition 24”, consumer-action.org, Aug. 19, 2020, https://www.consumer-action.org/press/articles/consumer-action-opposes-california-proposition-24

[3] “League of Women Voters Opposes Prop 24”, prnewswire, Oct. 28, 2020, https://www.prnewswire.com/news-releases/league-of-women-voters-opposes-prop-24-301162344.html


October 7, 2020

Phishing: Not as Relaxing as it Sounds

Phishing is a common form of cybercrime that has been around for decades. While there have been many permutations throughout the years (nobody wants your AOL passwords anymore), the basic concept remains the same.

For such a prominent tactic, it still works well enough for criminals to send off three billion phishing emails every day in hopes of catching the big one[1]! So, dust off the oars and make sure the rowboat isn’t leaking because it’s time to visit the phishing hole.

The basics of phishing

The term “phishing” refers to when cybercriminals deceive unsuspecting people to extract sensitive personal information or deploy malicious software payloads. It relates to traditional fishing in that a fisherman tricks the fish into thinking they will get a delicious meal, when in fact, they are the meal!

There are two main end goals for phishing attacks. These are:

Identity theft. In 2019, over 5% of consumers experienced some form of identity theft and suffered nearly $17 billion in losses due to it[2]. That’s more than the total GDP of Jamaica! Phishing attacks can procure the necessary information (names, addresses, social security numbers, etc.) for thieves to open fraudulent credit cards or apply for loans under their victims’ names.

Malware infection. Many phishing attempts lure unsuspecting victims into clicking a malicious link containing a virus or ransomware. Your computer could even be taken over entirely and added to a botnet to carry out DDoS attacks.

Different types of phishing

Spear phishing. These are more advanced, targeted phishing attacks. Whereas a typical phishing attempt may be mass-emailed out to millions of people hoping to snag a few victims, spear phishers strike specific companies, departments, or individuals. They send tailored messages designed to appear authoritative and legitimate. It has a much higher chance of success but takes more research to develop.

Vishing. Also known as Voice Phishing, here, the scammer calls the intended individual and poses as an authority figure. A common example is a visher calling an employee of a company as someone from IT. They try to get the employee to install “security updates,” which actually end up being malware.

It doesn’t have to be related to business, however. Another popular scenario is contacting older people as law enforcement to gain personal information for identity theft or extort payments for fake fines. Sadly, criminals go to great lengths to achieve their fraudulent intentions.

Smishing. Since spam emails are frequent and well-documented, many people have caught on to blatant email phishing attempts. That must mean the swindlers have accepted defeat, right? No way. They are always coming up with different ways to deceive. That includes smishing, where phishers utilize SMS text messaging to carry out their schemes. People think text messages are more trustworthy than emails and are therefore more likely to click a bad link.

Whaling. Whaling is a subcategory of spear phishing where the mark is a high-level executive at a company. They have access to the most confidential data, and therefore, make for attractive targets.

Clone phishing. If a hacker accesses one person’s email, they can see who they’ve emailed. Clone phishing is where the bad actor sends an email to someone that’s identical to one they’ve already received. Except, the cloned email contains a malicious link or attachment.

Signs of phishing

Strange URLs from trusted brands. Phishers disguise themselves as trusted brands. Always check to make sure the links you’re following from brand emails are legitimate. We recommend copying and pasting links into your web browser’s address bar instead of clicking them directly. This way, you have a better idea about whether or not the link looks suspicious.
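What “looks suspicious” actually means can be written down. The checker below is an added example (not code from AXEL or AXEL Go) that applies the usual link red flags to the hrefs in an email body: a non-HTTPS scheme, a raw IP address instead of a name, punycode labels, a user-info section before “@” (browsers go to the host after it), a brand name sitting on a subdomain of an unrelated domain, and link text that shows one host while the href points at another. `TRUSTED_BRANDS` is an assumed allow-list and `SAMPLE_HTML` is a constructed message body; the registrable-domain logic is a deliberate approximation, as the comment notes.

```python
"""Defender-side link checker for the "strange URLs" sign of phishing.

Added example, not code from AXEL or AXEL Go. TRUSTED_BRANDS is an assumed
allow-list and SAMPLE_HTML is a constructed e-mail body.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumed allow-list: brand keyword -> registrable domains that brand really uses.
TRUSTED_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for .com-style hosts; a real tool would consult the public
    suffix list so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str) -> List[str]:
    """Return human-readable warnings for one URL; an empty list means nothing odd."""
    warnings: List[str] = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if not host:
        warnings.append("no hostname")
        return warnings
    if IPV4_RE.fullmatch(host):
        warnings.append("raw IP address instead of a domain name")
    if "xn--" in host:
        warnings.append("punycode (internationalised) label; may be a look-alike domain")
    if parsed.username is not None:
        # Browsers treat everything before '@' as a user name and go to the host after it.
        warnings.append(f"text before '@' is ignored; the real host is {host}")
    reg = registrable_domain(host)
    # A brand name used as a subdomain of an unrelated domain is a classic disguise.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in parsed.netloc.lower() and reg not in domains:
            warnings.append(f"mentions '{brand}' but registrable domain is {reg}")
    return warnings


def check_link(display_text: str, href: str) -> List[str]:
    """Check an HTML link: the href itself, plus whether the visible text shows a different host."""
    warnings = check_url(href)
    shown = URL_RE.search(display_text)
    if shown:
        shown_host = (urlparse(shown.group(0)).hostname or "").lower()
        real_host = (urlparse(href).hostname or "").lower()
        if shown_host and shown_host != real_host:
            warnings.append(f"link text shows {shown_host} but points at {real_host}")
    return warnings


def scan_html(html: str) -> Dict[str, List[str]]:
    """Map every href in an HTML body to its warnings."""
    findings: Dict[str, List[str]] = {}
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        findings[href] = check_link(text, href)
    return findings


# Constructed sample body: one legitimate link and three disguised ones.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://www.paypal.com/signin">Sign in to PayPal</a>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/verify</a>
<a href="https://www.microsoft.com@evil.example/">Microsoft account</a>
<a href="https://198.51.100.7/login">Update now</a>
"""

if __name__ == "__main__":
    for href, warns in scan_html(SAMPLE_HTML).items():
        print(href, "->", warns or "looks consistent")
```

The brand check deliberately looks at the whole authority section rather than just the hostname, so `www.microsoft.com@evil.example` is caught both for its “@” trick and for borrowing the brand name.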

Personal information requests. Companies and government agencies usually won’t require anyone to provide personal information via email or text. Err on the side of caution and refuse any such requests. If necessary, find the organization’s legitimate contact information from their verified website and call a representative.

Urgent, time-sensitive language. Phishers sometimes utilize scare tactics to make their targets feel like they need to act or risk enormous consequences. This is especially common when the phishers pose as law enforcement or legal professionals. Never pay for “fines” or “settlements” you had no idea about previously.

Too good to be true claims. Another classic phishing strategy! We’ve all likely received an email claiming we’ve won a lottery we never participated in, or been contacted by a “Nigerian Prince” who wants to reward us with untold riches. The old adage “If it sounds too good to be true, it probably is,” applies here.

Poor grammar or spelling. Many phishing attacks originate from outside the Western world. If the recent email from your boss is riddled with spelling or grammatical errors, you need to verify it came from a legitimate sender before you reply.

High-profile phishing incidents

Phishing has higher stakes than your Grandmother paying a fake parking ticket over the phone (as unfortunate as that is). Here are a few high-profile incidents that made national news throughout the years.

Ukrainian Power Grid Attack. In December 2015, a spear phisher gained control of a portion of Ukraine’s power grid and caused an outage for over 225,000 people. Russian hackers were suspected to be the culprits[3].

Mia Ash. Throughout 2016-2017, a state-sponsored hacker group in Iran used the fake LinkedIn and Facebook profiles of Mia Ash to spear phish high-priority targets. Posing as a British photographer, the group friended senior employees in the region’s energy, tech, and telecommunications sectors. After lengthy conversations, “Mia” would send Excel documents disguised as surveys that secretly contained malware[4].

The Walter Stephan Incident. In 2016, a major aerospace parts manufacturer, FACC, lost $47 million due to phishing. The malicious agent posed as FACC CEO, Walter Stephan, and demanded an employee transfer the enormous sum to a new account for an “acquisition project.” The project was fake, and the phisher made off with the largest known payout ever. Unsurprisingly, FACC later fired the CEO and CFO for the mishap[5].

How to prevent phishing

Never click strange links. If there’s even a passing thought of “Hmm, I wonder if I should click this,” don’t! Hackers can compromise trusted friends and colleagues. Call and talk in person for verification if there’s a hint of fraud.

Ensure the URL is HTTPS with a lock beside it. When browsing the internet, ensure the sites you visit are HTTPS (the “S” stands for “Secure”) and that there is a lock icon to the left of the web address. This means the site is safe. Stay away from websites still using the outdated HTTP protocol.

Use firewalls and antivirus software. Modern operating systems come standard with antivirus and firewall software. Use them and keep them updated to the most current versions. Hackers can breach older versions with known vulnerabilities, so it’s a good idea to activate their “auto-update” options.

Don’t put personal info online publicly. Spear phishers and whalers use readily available information found online to plan their attacks. This is why it’s important to consider everything you’re putting out to the world. Social media is a part of our lives, but being too transparent is dangerous. Find the right balance.

Block popups. Popups can be more than minor annoyances. Sometimes, ads with malware or cryptocurrency miners can sneak through and infect the devices of people who click them. Luckily, popular browsers have extensions that block all popups. Less annoyance. Less chance of a malware infection.

Secure your data

Phishing attacks won’t stop until they become ineffective. Hopefully, through education on the tactics phishers use, more people can protect themselves from identity theft and malware. Mistakes happen, however, and it’s challenging to account for all potential methods of attack. That’s why it’s vital to safeguard your data in other ways as well.

AXEL specializes in securing data at rest and in motion. Our file storage and sharing platform, AXEL Go, utilizes a system of decentralized servers to transfer your documents. This means there is no single point of failure like there is in a traditional server farm. It’s harder to pinpoint areas to attack in a decentralized system, and even if a particular node is compromised, we remove it from the system without affecting your files. Content can also be password protected using AES 256-bit encryption to provide an additional layer of security. Hackers can’t crack the encryption and thus aren’t able to access useful data. It’s the safest way to store and share your files. Visit axelgo.app today to learn more and sign up for a free, full-featured account with 2GB of storage.

[1] “More Than Three Billion Fake Emails are Sent Worldwide Every Day”, Security Magazine, June 11, 2019, https://www.securitymagazine.com/articles/90345-more-than-three-billion-fake-emails-are-sent-worldwide-every-day

[2] Krista Tedder, John Buzzard, “2020 Identity Fraud Study: Genesis of the Identity Fraud Crisis”, Javelin Strategy, April 7, 2020, https://www.javelinstrategy.com/coverage-area/2020-identity-fraud-study-genesis-identity-fraud-crisis

[3] Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, March 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

[4] Danny Palmer, “How these fake Facebook and LinkedIn profiles tricked people into friending state-backed hackers”, ZDNet, July 27, 2017, https://www.zdnet.com/article/how-these-fake-facebook-and-linkedin-profiles-tricked-people-into-friending-state-backed-hackers/

[5] Reuters Staff, “Austria’s FACC, hit by cyber fraud, fires CEO”, Reuters, May 25, 2016, https://www.reuters.com/article/us-facc-ceo-idUSKCN0YG0ZF


October 7, 2020

Think Twice Before Using Email Attachments

Even with the increase in digital communication options nowadays, email continues to be very popular. It may not be the flashiest way to reach out, but over four billion people[1] know it gets the job done.

Unfortunately, however, there is a dark side to this ubiquitous messaging system. And no, it isn’t your mother’s chain letters about the horrible things that will happen to you if you don’t forward them to 10 friends. Somehow, it’s even worse. That is not to say you should stop using email; you just need to use it more intelligently. And that means stop using attachments!

Best reasons to stop sending attachments

Email attachments are dangerous for many reasons, especially if you send or receive sensitive documents.

Significant security risks. 90% of successful cybersecurity incidents take place through email[2]. The vast majority of these get delivered via attachments. In many cases, hackers employ phishing techniques to gain access to susceptible systems.

“Phishing” is when a malicious email looks legitimate. Bad actors research your company or acquaintances and send a phony email disguised as being from someone you trust. Usually, this will include an infected payload as an attachment that they ask you to open. Those not careful or inherently suspicious click it and potentially compromise the entire network. Hackers use phishing in combination with the following forms of malware to achieve their malevolent purposes:

  • Ransomware. Open the wrong attachment, and you could cost your company some serious money. Ransomware is a type of computer virus that maps attached storage drives and encrypts their data. The drives can’t be unencrypted unless the business pays a hefty ransom to the attackers. The estimated average payout for a successful ransomware attack is over $110K in 2020[3], with high-profile incidents fetching multimillion-dollar sums.
  • Zero-day exploits. Zero-day vulnerabilities are the security holes in software that even the developers are unaware exist. Hackers are crafty and find bugs to exploit that nobody else has considered. Obviously, they aren’t going to run and tell the developer about these flaws, so they only become known after an attack. If you run a zero-day exploit from an attachment, you could give up complete control of your computer.
  • Keyloggers. When criminals want to steal employee credentials, they turn to keyloggers. Keyloggers are computer programs that track user keystrokes. Every time the victim types, it is recorded in a separate file and transmitted back to the hacker. If you log in to any of your accounts during this time, the bad actor now has the same information. This can be extremely damaging if the malicious agent targets a high-level executive for keylogging. However, even if the victim is a low-level employee, the information gained from their account is useful for future phishing attacks.

Loss of confidentiality. Never use an attachment to transfer confidential material. While most people think of data breaches as being hacks, it’s a more encompassing term. Let’s say you send an email to a colleague containing privileged company financial information. That document is now out of your control.

The employee’s computer could become compromised, or the employee may be disgruntled and distribute it elsewhere. The point is, you cannot track the attachment after you send the email. This means you can never be sure anything sent in an attachment is secure.

Lack of flexibility. Sometimes, the file you want to send is too large to attach. Many email clients have strict maximum attachment sizes. Why deal with this hassle in the first place? Even if you can send large attachments, it’s a good possibility they won’t go through. Many spam filters or malware detectors flag bigger documents. There’s also a chance their email provider blacklists you and prevents future emails! Save yourself the headaches.

Sender’s remorse. You send off important documentation in an attachment only to realize later that you accidentally CC’ed Brian Stahl (a personal contact) rather than Brian Stalder (your CFO). We’ve all been there. Unfortunately, since you used email, you’re out of luck. Better hope Mr. Stahl is a standup guy!

Then, there’s the case of attaching the wrong file. MayEarningsStatement.xls looks so similar to MaysBirthdaySurprise.pdf. You’re busy, and sometimes busy people make mistakes. It shouldn’t be a big deal, but the irrevocability of attachments makes it a big deal.

Steps to improve security

We don’t recommend ever sending attachments, honestly. If you must, however, there are some steps you can take to make it a bit safer.

Authenticate the sender or recipient. Many phishing attempts come from emails that look similar to trusted ones but are slightly different. Before opening any attachment (or sending one), triple-check to ensure the address is valid.
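“Triple-check the address” is easier with help. Below is an added example (not code from AXEL or AXEL Go) of the checks a mail filter or a careful reader can run on a From: header: whether the sending domain is a confusable spelling (rn for m, 0 for o) or a one- or two-character typosquat of a domain you trust, whether the display name carries a different address than the real one, and whether Reply-To silently redirects answers elsewhere. `TRUSTED_DOMAINS` is an assumed allow-list of your own and your partners’ domains; every header value in the examples and tests is constructed.

```python
"""Sender-address sanity check for the "authenticate the sender" step.

Added example, not code from AXEL or AXEL Go. TRUSTED_DOMAINS is an assumed
allow-list; all header values are constructed.
"""
import re
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAINS = {"example.com", "partner.example"}  # assumed allow-list

# Single characters commonly swapped to build look-alike domains.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def normalize(domain: str) -> str:
    """Fold look-alike spellings onto one canonical form (rn -> m, vv -> w, 0 -> o, ...)."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a cheap way to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to_header: str = "") -> List[str]:
    """Warnings about a From: value (and an optional Reply-To: value); empty means nothing odd."""
    warnings: List[str] = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(domain) == normalize(trusted):
                warnings.append(f"{domain} is a confusable spelling of {trusted}")
            elif edit_distance(domain, trusted) <= 2:
                warnings.append(f"{domain} is within two edits of {trusted}")
    # Display names can carry a fake address that some mail clients show instead of the real one.
    shown = ADDR_RE.search(name)
    if shown and shown.group(0).lower() != addr.lower():
        warnings.append(f"display name shows {shown.group(0)} but the real address is {addr}")
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain and reply_domain != domain:
            warnings.append(f"replies go to {reply_domain}, not to {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed headers: one genuine, then a confusable, a typosquat and a disguised display name.
    for header in (
        '"Brian Stalder" <brian@example.com>',
        '"Brian Stalder" <brian@exarnple.com>',
        '"Brian" <brian@exampel.com>',
        '"brian@example.com" <brian@mailer-free.example>',
    ):
        print(header, "->", check_sender(header) or "looks consistent")
```

None of these checks prove who sent a message; that is what SPF, DKIM and DMARC results in the received headers are for. They do, however, surface the specific look-alike tricks this step warns about before you pick up the phone to confirm.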

Never open unsolicited email attachments. If you receive an email attachment out of the blue, even from a valid email address, call the person to confirm it’s legitimate. You never know if a cyber attack compromised their account.

Save and scan. Do not open email attachments directly from your inbox. Save them to your drive and scan them with antivirus software beforehand. It isn’t foolproof, but modern antivirus programs will catch the majority of malware.
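Saving first also lets you look at what you are about to scan. The script below is an added example (not code from AXEL or AXEL Go) that parses a raw message with Python’s standard `email` library and, without opening anything, flags the attachment tricks this post describes: executable or script extensions, double extensions such as `Invoice.pdf.exe` that rely on clients hiding the last one, and files whose leading bytes (the “magic number”) don’t match the format their name claims. The signature table, the extension lists and the sample message are constructed for illustration; the antivirus scan remains the authoritative check.

```python
"""Attachment triage for the "save and scan" step.

Added example, not code from AXEL or AXEL Go. The signature table, the
extension lists and the sample message are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Leading bytes ("magic numbers") of a few common formats.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",                # Windows executables (.exe, .dll, .scr)
    b"PK\x03\x04": "zip",        # .zip, and also .docx/.xlsx, which are zip containers
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls, which can carry macros
}
# Extensions that run code when opened; these should never arrive unannounced.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk", "jar", "docm", "xlsm"}
# What the magic bytes should say for a given claimed extension.
EXPECTED_KIND = {"pdf": "pdf", "exe": "exe", "dll": "exe", "zip": "zip",
                 "docx": "zip", "xlsx": "zip", "doc": "ole", "xls": "ole"}
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def sniff(data: bytes) -> str:
    """Identify a file by its first bytes rather than by its name."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Warnings for one attachment; an empty list means name and content agree."""
    warnings: List[str] = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        warnings.append(f".{ext} is an executable or script type")
    # "Invoice.pdf.exe" relies on mail clients and file managers hiding the final extension.
    if len(parts) > 2 and parts[-2] in DOCUMENT_LIKE:
        warnings.append(f"double extension .{parts[-2]}.{ext}")
    kind = sniff(data)
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        warnings.append(f"content sniffs as {kind} but the name claims .{ext}")
    return warnings


def triage_message(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw RFC 822 message and check every attachment without opening any of them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: Dict[str, List[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = check_attachment(name, part.get_payload(decode=True) or b"")
    return findings


def build_sample() -> bytes:
    """Constructed message: one honest PDF, one double-extension executable, one mislabelled .xls."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "May earnings statement"
    msg.set_content("Please review the attached statement.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # just the PE header marker, not a real program
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n", maintype="application",
                       subtype="pdf", filename="MayEarningsStatement.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="Invoice.pdf.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="statement.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, warns in triage_message(build_sample()).items():
        print(name, "->", warns or "name and content agree")
```

Note that the declared MIME type is ignored on purpose: it is set by the sender and is as trustworthy as the filename, which is why the check reads the bytes instead.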

Turn off automatic downloads. Many popular email clients do not offer automatic attachment downloads these days, but if you run custom or older clients, it’s something to consider. Check your settings to make sure you do not automatically download attachments.

A better way

Hopefully, you understand why you should be wary of email attachments. There are very few benefits and severe risks in ignoring this advice. So, how should you be sending and receiving confidential files? We recommend AXEL Go.

AXEL Go is a secure way to share and store information online. There are no file size limits, so you can send anything you want. More importantly, it provides industry-leading security options to safeguard you against data breaches and cyber-attacks.

With AXEL Go, you’re always in control. You set the expiration dates of your shared files and can prevent recipients from downloading them. This means if you don’t want sensitive documents sitting around on other peoples’ computers, it’s not a problem! Combined with optional AES 256-bit password encryption, you can trust that important content stays confidential.

To make things even more secure, AXEL Go operates on the InterPlanetary File System (IPFS). It is a decentralized network with servers called nodes that function throughout the world. Files shared on this network are divided into small chunks and distributed to these nodes. It results in a system without a single point of failure. Traditionally, if the server farm holding your documents was under attack, your files were at risk. With IPFS, this isn’t the case. It’s the future of the internet, and AXEL Go runs on one of the largest IPFS networks in the world.

And finally, AXEL Go has full blockchain integration. Blockchain technology is a distributed ledger system where information is unchangeable once written to a block. While our blockchain doesn’t store your files, it does hold transactional details. So every time you share something, that data is timestamped to a block. This is an excellent feature for professionals, as they can transfer time-sensitive content with absolute proof of delivery.

Download today

These capabilities highlight why AXEL Go is the safer, objectively better alternative to email attachments. You can sign up for a free, full-featured Basic account and receive 2GB of storage to try it out for yourself. Download AXEL Go today for desktops or mobile devices and see why email attachments are a thing of the past.

[1] J. Clement, “Number of e-mail users worldwide from 2017 to 2024”, statista.com, Mar. 25, 2020, https://www.statista.com/statistics/255080/number-of-e-mail-users-worldwide/

[2] “Report unveils most vulnerable sectors to phishing attacks”, Security Magazine, Sept. 14, 2020, https://www.securitymagazine.com/articles/93347-report-unveils-most-vulnerable-sectors-to-phishing-attacks

[3] Mathew J. Schwartz, “Ransomware: Average Business Payout Surges to $111,605”, bankinfosecurity.com, April 30, 2020, https://www.bankinfosecurity.com/ransomware-average-business-payout-surges-to-111605-a-14205
