Robin Wilton
Author Archives: Robin Wilton
- Home → Author's archive:
Robin Wilton
What Is a Man in the Middle (MITM) Attack?
Simply put, MITM is an attack in which a third party gains access to the communications between two other parties, without either of those parties realising it. The third party might read the contents of the communication, or in some cases also manipulate it. So, for example, if Gerald sends Leila a message, intending it to be private, and Max intercepts the message, reads it, and passes it on to Leila, that would be a MITM attack. If Gerald wants to transfer £100 to Leila’s bank account, and Max intercepts the transaction and replaces Leila’s account number with his own, that would also be a MITM attack (in this case, Max is putting himself ‘in the middle’ between Gerald and his bank).
Why should I care?
Partly because MITM attacks can undermine so much of our modern way of life. In a connected life, we depend on the reliability and security of every connection. It’s not just about your conversations, messages and emails, either. If you can’t trust the connections you make to websites and online services, you may be vulnerable to fraud or impersonation, and if your connected devices and objects can’t communicate securely and reliably, they may put Continue reading
IoT Privacy for Policymakers: Solutions Need Informed Discussion
The consumer Internet of Things market is growing exponentially – one prediction suggests that people will be using 25 billion connected devices by 2021. These new products promise innovation and convenience, but they can also erode privacy boundaries and expose consumers to risk without their knowledge or consent. Is that a good bargain?
The policy brief “IoT Privacy for Policymakers” explores this question and more.
Do consumers have enough information and choice to make meaningful decisions? Do vendors and service providers have the opportunity and incentive to bring privacy-enhancing innovations to the market? Can the downsides of IoT be mitigated through policy actions – and if so, how?
“IoT Privacy for Policymakers” explains the scope and nature of IoT privacy and the issues it raises. As ever, those issues are multi-party. They cross the boundaries of jurisdictions and sectoral regulations. There are no single-stakeholder solutions, so a multistakeholder approach is needed. Solutions need informed discussion that includes consumer rights, economic incentives, technical options, and regulatory measures. This paper is a positive step in that direction.
The policy brief also includes a “how to” on implementing Privacy by Design and four Guiding Principles and Recommendations:
- Enhance User Continue reading
Transparency, Fairness, and Respect: The Policy Brief on Responsible Data Handling
It’s been a little over a year since the European Union’s General Data Protection Regulation (GDPR) was implemented, but almost immediately, people noticed its impact. First, there was the flurry of emails seeking users’ consent to the collection and use of their data. Since then, there’s also been an increase in the number of sites that invite the user to consent to tracking by clicking “Yes to everything,” or to reject them by going through a laborious process of clicking “No” for each individual category. (Though some non-EU sites simply broadcast “if we think you’re visiting from the EU, we can’t let you access our content.”) There was also the headline-grabbing €50 million fine imposed on Google by the French supervisory authority.
In its summary of the year, the EU Data Protection Board (EDPB) reported an increase in the number of complaints received under GDPR, compared to the previous year, and a “perceived rise in awareness about data protection rights among individuals.” Users are more informed and want more control over the collection and use of their personal data.
They’re probably irritated by the current crop of consent panels, and either ignore, bypass, or click through them Continue reading
CEOs and Encryption: The Questions You Need to Ask Your Experts
Barely a week passes without something in the news that reminds us of the critical role encryption plays in securing our data. It is a technology that protects so much of what we rely on, as individuals protecting our privacy, as companies securing our business assets and transactions, and as governments responsible for critical national infrastructure.
As a CEO, I needed to know what questions I should be asking my technical experts about encryption and its use, so I asked my staff to produce this paper. I found it to be so useful that I thought we should share it with other executives as they try to understand and manage this complex but indispensable technology.
We believe, at the Internet Society, that encryption is a MUST for protecting what is one of the most valuable assets we manage—data. We hope this paper can be helpful to you.
— Kathy Brown, CEO, Internet Society
The request Kathy mentions came after the San Bernardino shootings in California (which reinvigorated the debate about third party access to encrypted information), and after a former Director of the UK’s Government Communications Headquarters (GCHQ) had set out his view in these terms:
“Encryption is overwhelmingly Continue reading
Limited Time Only: Read our Springer/Nature Paper on Healthcare, Security, and Privacy
Last year, I was invited to contribute a paper to a special edition of the Health and Technology Journal published by Springer/Nature. The special issue addressed privacy and security, with a particular focus on healthcare and medical data. I’m happy to announce that now, for four weeks only, the publishers have made the whole issue available free.
From our accompanying blog post last July:
“The paper, “Trust and ethical data handling in the healthcare context” examines the issues associated with healthcare data in terms of ethics, privacy, and trust, and makes recommendations about what we, as individuals, should ask for and expect from the organisations we entrust with our most sensitive personal data.”
Although we can find several comprehensive and mature data protection frameworks around the world, current legal safeguards to not seem to prevent data controllers from indulging in:
- over collection
- insufficient care of personal data
- unexpected or unwelcome use
- excessive sharing
In my paper, I argue that a narrow focus on regulatory compliance can lead to a “checklist” mentality, obscure the real reasons why organisations should treat data with care and respect, and lead to poor outcomes for both the organisation and the individual. I Continue reading
Letter from Ethiopia: Can We Use Technology to Help Privacy Evolve?
I’m writing from Addis Ababa, where the African Union’s Specialist Technical Committee on ICT is having its biannual conference. I won’t report on that, as it’s still happening, but I can report that some of the hallway conversations have been both interesting and reassuring.
The topic of privacy came up over coffee, of course – and I was glad to hear that it is not only seen as a key issue for technology and governance, but it’s also seen as being closely interconnected with issues of cybersecurity. As readers of the Internet Society’s blogs will know, we think so too. You can’t have good privacy if you don’t have good security tools, and you can’t have good security in the absence of privacy.
As you would expect in a continent with all of Africa’s rich diversity, the cultural and social approaches to privacy can also vary widely, and people face exactly the same challenges as elsewhere, about how to translate them into workable technical and governance solutions. Today I will have a few minutes to set out some thoughts on that, in one of the afternoon sessions. I plan to suggest that we keep asking the “why?” question. Why Continue reading
ROCA: Encryption vulnerability and what to do about it
Researchers recently discovered a dangerous vulnerability – called ROCA – in cryptographic smartcards, security tokens, and other secure hardware chips manufactured by Infineon Technologies. These articles on Ars Technica and The Register give a good background.
Is this a serious problem?
Yes. It’s serious in practice and in principle. Infineon used a flawed key generation routine, which means those keys are easier to crack, and the routine is used in chips embedded in a wide variety of devices. It’s reckoned that the flawed routine has been in use since 2012 and has probably been used to generate tens of millions of keys. Naturally, many of those keys will have been generated precisely because someone had data or resources that they particularly wanted to secure.
It’s serious because a flawed implementation managed to get through all the development and standardisation processes without being spotted, and has been widely deployed on mass-market devices.
What’s the flaw, and why does it cause a problem?
The flaw affects keys generated for the RSA and OpenPGP algorithms, both of which are public key crypto systems. Public key cryptography is based on pairs of keys, one of which is made public and the other kept private:
New Paper on Online Privacy in the Wake of Pervasive Surveillance Revelations
In 2015, I was lucky enough to give an invited keynote at the 20th anniversary of the Ethicomp conference. I found that many of the issues up for discussion were ones in which the Internet Society also has a keen interest: for example — responsible innovation, the ethics of autonomous systems, and what do in the wake of Edward Snowden’s revelations about pervasive state monitoring of the Internet. The conference has now produced a special edition of the Journal of Information, Communication and Ethics in Society (JICES), specifically to report on a global set of surveys on the responses to Snowden. I was invited to write a paper for this special edition, to accompany the more traditional academic analyses of the surveys. My full article, “After Snowden – the evolving landscape of privacy and technology” is now available.
Writing the paper gave me a chance to step back and look at how the privacy advocacy community’s work has changed since Snowden – one of those rare moments in which the frog gets to hop out of the rapidly warming water and contemplate the saucepan. Here are a few of the trends I noted.
First, there has been Continue reading