Ryan Polk

Author Archives: Ryan Polk

EU Internet Society Chapters Call on European Commission to Follow the Path of Strong Encryption. Here’s Why You Should Too.

Internet Society Chapters in Europe are warning the European Commission that its recent plea for Member States to help find ways to access encrypted communications could make millions of citizens and countries more vulnerable to harm and terrorism online.

Representing digital security experts who share the Internet Society’s mission for a bigger and stronger Internet, several EU chapters issued statements expressing concern about the danger of the Commission’s request for backdoor access to encrypted communications in its Counter Terrorism Agenda. It was announced the same week the European Medicines Agency was victim to a major data breach when cyber attackers unlawfully accessed sensitive documents about COVID-19 vaccines.

End-to-end encryption is crucial to the security of European citizens, its economy, and the national security of its Member States. It is our strongest digital security tool online because it keeps data and communications private between the sender and receiver. Even the European Commission relies on Signal, an end-to-end encrypted messaging app, to secure its communications.

A recent report signed by over 50 leading cybersecurity experts shows how there is no way to give law enforcement access to end-to-end encrypted communications without putting all users at risk.

Encryption backdoors are dangerous because Continue reading

European Union, Use Facts to Make Cybersecurity Decisions – Not Myths

Nearly 450 million EU citizens are counting on the Council of the European Union to make decisions that protect their safety. The Council has a duty to make these decisions based on reliable information.

In the next week, the Council of the European Union is expected to consider a resolution that argues that law enforcement “must be able to access data in a lawful and targeted manner.” This resolution is the first step of a wider push by the European Union to demand law enforcement access to encrypted data.

But are they relying on accurate information to make their decisions?

A report leaked from the European Commission in September, Technical solutions to detect child sexual abuse in end-to-end encrypted communications, tries to analyze different ways to spot illegal content in private communications that use end-to-end encryption. This leaked report could influence their decision-making on encryption policy in the EU.

The EU Commission’s report alludes to the idea that some access methods may be less risky than others. However, the bottom line is that each method presents serious security and privacy risks for billions of users worldwide.

Don’t take just my word for it. According to the Internet Society and the Continue reading

Encryption Helps America Work Safely – And That Goes for Congress, Too

This opinion piece was originally published in The Hill.

Over the past month, Americans across the country have adapted to a new reality of life, which includes social distancing to curb the spread of COVID-19. For those fortunate enough to be able to do so, that means learning to work, attend educational classes and socialize from afar using the Internet. For a huge number of Americans, social distancing means little to no work – and even greater uncertainty. Businesses, schools and government entities everywhere are asking the same question, “can we perform our work online and, just as importantly, can it be done securely?” 

As Congress acts to respond to COVID-19, it faces a similar challenge. With some Congressional members and staff testing positive for COVID-19, and others choosing to self-isolate, lawmakers are exploring whether they can perform the most critical aspects of their office remotely – deliberation and voting. For Congress to be able to vote remotely on legislation, measures to ensure the integrity of these communications are critical. If even one vote is changed or blocked by a criminal or foreign adversary, the legitimacy of congressional decisions, and thus Congress as a whole, will be called into question. Any digital voting solution would need to rely on strong encryption to be secure.

Encryption is a critical tool to provide confidentiality and integrity to digital communications. Encryption enables much of the flexibility needed for staff to work from Continue reading

Strong Encryption Is Central to Good Security – India’s Proposed Intermediary Rules Puts It at Risk

Security and encryption experts from around the world are calling on the Indian Ministry of Electronics and Information Technology (MeiTy) to reconsider proposed amendments to intermediary liability rules that could weaken security and limit the use of strong encryption on the Internet. Coordinated by the Internet Society, nearly thirty computer security and cryptography experts from around the world signed “Open Letter: Concerns with Amendments to India’s Information Technology (Intermediaries Guidelines) Rules under the Information Technology Act.”

MeiTy is revising proposed amendments to the Information Technology (Intermediaries Guidelines) Rules. The proposed amendments would require intermediaries, like content platforms, Internet service providers, cybercafés, and others, to abide by strict, onerous requirements in order to not be held liable for the content sent or posted by their users. Freedom from intermediary liability is an important aspect of communications over the Internet. Without it, people cannot build and maintain platforms and services that have the ability to easily handle billions of people.

The letter highlights concerns with these new rules, specifically requirements that intermediaries monitor and filter their users’ content. As these security experts state, “by tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit Continue reading

Improving Internet Trust: Ironing out the Details

We all can make some pretty rash decisions under stress. I once burned a hole through my undershirt instead of ironing my button-down shirt because I was so nervous before a presentation.

The Internet has its challenges and sometimes can seem like a scary place. In the 2019 survey, the CIGI-Ipsos Global Survey on Internet Security and Trust, 62% of respondents who said they distrust the Internet cited a lack of Internet security as a reason why.

When it comes to facing challenges on the Internet, everyone, from average Internet users to government officials, tends to act the same way I do before presentations – frantically and with questionable results.

In pursuit of security, some governments are making decisions that could harm the Internet as we know it. They’ve taken actions that could weaken digital security, have the potential to fracture the Internet, and some have even shut the Internet down in their country. Like burning a hole through an undershirt and having to wear a wrinkled button-down shirt to a presentation, these actions do little, and make things worse.

The survey results highlighted in our report, “The State of User Privacy and Trust Online,” tell a Continue reading

The Internet Is Your Oyster: MANRS at International Telecoms Week

What do oysters, clams, and mussels have in common with network operators? Hint: it’s not just that they are both in Atlanta this week, either in exhibits in the Georgia Aquarium or for the 2019 International Telecoms Week.

It’s that both bivalves and network operators play an incredibly important role for their ecosystems: they filter the bad stuff out and leave things a lot cleaner.

As water quality is vital to life in the ocean, the global routing system is vital to the smooth functioning of the Internet. The routing system’s decentralized structure, made up of thousands of independent networks tied together through business decisions and trusted relationships, provides flexibility, scalability, and overall durability.

However, despite its strengths, thousands of routing incidents occur every year. Some of these can be pretty scary, with route hijacks sending government traffic through the networks of foreign adversaries; route leaks slowing parts of the global Internet to a crawl; or hackers using spoofed traffic to take down websites in distributed denial of service (DDoS) attacks.

Network operators can help mitigate these problems by using stronger filtering policies to block spoofed traffic coming from their networks (helping guard against DDoS attacks) and filter route announcements Continue reading

A New Survey Shows Few Actively Encrypting More Because of Internet Distrust

A new survey shows that only a handful of people who said they distrust the Internet are actively choosing encryption in response.

The survey, called the CIGI-Ipsos Global Survey on Internet Security and Trust, was conducted by Ipsos on behalf of the Canadian think tank the Centre for International Governance Innovation (CIGI). The Internet Society (ISOC) and the United Nations Conference on Trade and Development (UNCTAD) are partners in the survey, which is now in its fifth year.

The survey asked more than 25,000 individuals in 25 economies their opinion on Internet security, privacy, and trust.

Trust is very personal. The word “trust” may mean different things to different people. What we consider to be trust is constantly evolving and is shaped by many factors including our culture, our education, and our experience. 

The survey asked users how much they agree or disagree with the statement “Overall, I trust the Internet”. We did not ask users how much they trust the Internet to perform in specific ways or to provide a specific user experience. However, the question provides a rough indicator of positive or negative attitudes towards the Internet.

74% of respondents in 2019 agreed with the statement Continue reading

Fact or Fiction? With IoT It’s Not Always Clear

Recently, owners of expensive smart shoes found themselves at loose ends. Unable to pair the shoes to their smart phone app, they couldn’t tighten their self-lacing sneakers. It sounds like science fiction, but this really happened.

From dental sensors that can monitor what a person eats to kitty litters that can track a cat’s every movement, it can be difficult to sort fact from fiction when it comes to the Internet of Things (IoT). Can you tell which is real and which is not?

Fact or Fiction? The voice came from inside the Arizona man’s home – his home security camera to be exact. “You’ve never met me. I’m just a hacker.” Fortunately, it was a friendly hacker, alerting the household to a vulnerability in their home security system.

Fact: The hacker had a solution: turn on two-factor authentication. When using IoT devices, consumers can take this simple step, plus a few others, to help protect their privacy and security.

Fact or Fiction? A couple returned home to find that their carpet had been worn through by their overzealous Internet-connected vacuum cleaner. A hacker had programmed it to clean one square foot of their carpet for several Continue reading

In India, Days Left to Comment on Rules That Could Impact Your Privacy

The public has until 31 January to comment on a draft set of rules in India that could result in big changes to online security and privacy.

The Indian government published the draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018, also known as the “Intermediary Rules” for public comment.

When it comes to the Internet, intermediaries are companies that mediate online communication and enable various forms of online expression.

The draft Intermediary Rules would change parts of the Information Technology Act, 2000 (the “IT Act”), which sets out the requirements intermediaries must meet to be shielded from liability for the activities of their users. The draft rules would also expand the requirements for all intermediaries, which are defined by the Indian government and include Internet service providers, cybercafés, online companies, social media platforms, and others. For example, all intermediaries would have to regularly notify users on content they shouldn’t share; make unlawful content traceable; and deploy automated tools to identify and disable unlawful information or content, among other new requirements.

Here’s some more background:

  • News reports are citing a number of concerns about the draft rules. Ours centers on their potential impact on the use of encryption.
  • Encryption is the process Continue reading

Customer Data Isn’t Always an Asset: Lessons from the Marriott Data Breach

As data analytics have improved, the massive amounts of data that companies acquire from their customers have only gained in economic value. In the corporate world of today, this data can be a real asset for companies. However, as today’s news, that the records of over 500 million guests of Marriott International’s Starwood division hotels were involved in a data breach, makes clear, corporate thinking about the value of customer data needs to be reevaluated.

Especially when it comes to corporate acquisitions, companies need to start treating customer data as a potential liability, as well as an asset.

In September 2016, Marriott International acquired Starwood for $13.6 billion. When Marriott International sought to buy the Starwood hotel chain, Starwood’s customer data played a central role in their reasoning for the acquisition. Citing higher income and better brand loyalty among program members, Arne Sorenson, the Marriott CEO, specifically referred to Starwood’s loyalty program as a “central, strategic rationale for the transaction.” Loyalty programs, in addition to attracting repeat customers, also “provide hotels with a wealth of information on their guests” which hotels can use to “create laser focused marketing campaigns for various different kinds of guests.”

While Continue reading

IoT Tales of Horror (Inspired by Real-Life Events)

Happy Halloween! In some parts of the world, people are celebrating this holiday of horror by dressing up as monsters or other frights and watching scary movies. But sometimes these tales can be just a little boring. Pod people? Headless horsemen? Replicant children? Whatever.

I present the real horror stories of Halloween – and every other day of the year. These tales are inspired by real-life events and are guaranteed to give you a chill. (And not just because your smart thermostat is being controlled by a shapeshifting clown who lives in the sewer!)

I(o)T
In the fall of 2018, a group of kids work together to destroy an evil malware, which infects connected toys and preys on the children of their small town.

Inspired by the terrifying vulnerabilities found in everyday connected toys.

Night of the Living Devices
There’s panic across the Internet as connected devices suddenly begin attacking critical Internet infrastructure. The film follows a group of network operators as they frantically work to protect the Internet from these packet spewing, infected devices.

Inspired by the harrowing events of the 2016 Dyn attack.

Rosemary’s Baby Monitor
A young family moves into a house billed as the “smart Continue reading

Routing, and Water, Are All about Trust: Introducing “Routing Security for Policymakers”

Introducing the new Internet Society white paper, “Routing Security for Policymakers”

The global routing system is a lot like a water system in a city. It’s vitally important to the Internet and we tend to overlook it until something goes wrong.

Routing determines how packets (data sent over a network or networks) containing information, like email messages, website data, and voice-over-IP (VoIP) calls, move from one place to another on the Internet. However, despite its importance, many people only think about Internet routing when they hear about a major routing incident in the news or can’t reach their favorite websites.

Both the water system and the routing system are, at their core, built on trust. 

A water system relies on hundreds of workers, its water suppliers, local farmers and companies, and countless others to deliver its service. The system is based on chains of trust, with each person or entity relying on the other to act appropriately.

Similarly, the global routing system is a complex, decentralized system made up of tens of thousands of individual networks. Independent business decisions and trusted relationships between individual network operators that are implementing the Border Gateway Protocol (BGP) determine how Continue reading

If We Care About the Internet, We Have to Be Willing to Do Our Part

Whether it’s playing dungeons and dragons over voice chat with my college friends hundreds of miles away, reading the latest movie reviews for summer blockbusters I’ll watch once they come out on video, or simply paying electrical bills, the Internet has become an important part of my life.

Yet, while I have come to rely on the Internet, I don’t always do what is best for it.

I don’t always patch my connected devices or applications, leaving them vulnerable to compromise and use in a botnet. I don’t look for security when buying an app or a device, let alone look at the privacy policies.

While I know I am hurting the overall security of the Internet, I find myself thinking, “I’m just one person, how much damage could I do?”

Unfortunately, according to one recent survey, there are a lot of people who act just like me. 

The results from the 2018 CIGI-Ipsos Global Survey on Internet Security and Trust* suggest that many users fail to make security a priority as they shop for Internet of Things (IoT) devices. (IoT refers to “scenarios where network connectivity and computing capability extends to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human Continue reading

Deconstructing the Encryption Debate: The Internet Society-Chatham House Roundtable on Encryption and Lawful Access Report

Encryption is an important technical building block for Internet trust. It secures our infrastructure, enables e-commerce, ensures the confidentiality of our data and communications, and much more. Yet, because bad actors can also use encryption to hide their activities, it can present challenges for law enforcement.

How, or even if, law enforcement should gain access to encrypted content has remained a divisive issue for the last twenty years. Yet, even as encryption tools have grown in variety and use, the public debate has become over-simplified into a battle between those for and against encryption. That public debate often fails to address the nuances of the digital-communications and data-storage landscape, or how it has evolved. With both sides largely talking at each other, rather than listening to one another, there has been little headway towards a solution, or set of solutions, that is acceptable to all.

In October of 2017, the Internet Society and Chatham House convened an experts roundtable under the Chatham House Rule to deconstruct the encryption debate. They explored ways to bridge two important societal objectives: the security of infrastructure, devices, data, and communications; and the needs of law enforcement. The roundtable brought together a diverse set of Continue reading

From Chocolate to Fitness Trackers: Recognizing My Consumer Rights and Responsibilities

Two months ago, I read something that made me furious. A chocolate company had gradually reduced the size of my favorite chocolate bar by 30%. The greedy chocolate company – no, they were “Big Chocolate” now – were cutting corners in an attempt to trick everyday people like me. I vowed I would boycott them.

A week later I found myself in the checkout lane at the grocery store, eyeing my favorite chocolate bar. Five minutes later, I was eating it. I didn’t even have the decency to feel guilty.

I enjoy being justifiably outraged; I don’t enjoy taking the time to help fix the problem. Fixing things is a pain.

There’s no area I do this more with than cybersecurity and online privacy. I’m always infuriated by the latest data breach. I’m angry when a website forces me to download an app and make an account instead of allowing me to use my mobile browser.

Yet, I still download the app. In fact, I’ll continue to do business with a company after they’ve had a data breach, sold insecure Internet-connected devices, or even been caught spying on their customers through their TVs. And then I’m infuriated all over again six months later when the Continue reading

The Lazy Person’s Guide to Better Online Privacy

I consider myself a high-functioning lazy person. I do my laundry regularly, but leave clean clothes in a pile on the floor. I make it to work on time, but have to set my alarm for an hour earlier than I’d like because I hit the snooze button so many times. I will wear a blazer to my business casual office, but only to cover up my terribly wrinkled shirts… which I pick up off my bedroom floor each morning.

At the Internet Society, I work primarily on topics related to security and privacy. Through my work, I have the pleasure of learning about new vulnerabilities or computer viruses, how different apps and devices can or already are spying on me and selling my data, and all other manner of scary online threats. As you can imagine I’ve become increasingly paranoid about my online privacy.

Yet, when it comes to online privacy, lazy and paranoid is a terrible combination.

I know what I should be doing to better protect my online privacy. I know I should update my devices regularly. I know I should be using two-factor authentication when it’s available. But, like the clothes I know I should be folding, I Continue reading

This Holiday Season, Make Sure Your Smart Toy Isn’t a Toy Soldier

In the classic holiday story The Nutcracker, toy soldiers under command of a nutcracker spring to life to fight an army of evil mice. With the growth of smart toys, armies made up of toy “soldiers” could soon become reality. Using the same features that make them “smart,” smart toys can be taken over by outside actors and forced to do their bidding.

But rather than being led by a nutcracker to fight off evil rodents, real armies of toys could be led by criminals to attack you or me.

“Smart toys” (Internet or Bluetooth-enabled toys) are some of the most popular toys this holiday season. Internet or Bluetooth functionality enables smart toys to have amazing features. There are:

  • stuffed animals that play back messages sent from loved ones’ smartphones
  • robots that teach children how to code
  • toys integrated with apps that teach reading and spelling skills while still providing physical exercise

Smart toys can do incredible things. Yet, if left unsecured, they not only present real privacy risks to the children and families who use them, but also security risks to everyone who relies on or uses the Internet.

Any Internet-connected device, be it a computer, connected thermostat, or smart toy, is at risk of being Continue reading

When It Comes to Smart Toys, It Pays to Shop Smart

When your in-laws give your child a loud toy for the holidays, you know you are going to have to hear it for the next few months. But when that toy connects to the Internet, how can you be sure that you’re the only ones listening?

This holiday season, “smart toys” (Internet or Bluetooth-enabled toys) are some of the most popular toys on the market. A lot of these toys look awesome, including:

  • remote control cars that connect with an app and allow you to race against AI-controlled cars;
  • stuffed animals that play back messages sent from loved ones’ smartphones; and
  • soccer balls that track your form when you kick them.

Smart toys come with fantastic features, but if left unsecured, smart toys can present a serious privacy risk to those who use them. For instance:

Unsecured smart toys present Continue reading

The Current Approach to Data Handling Isn’t Working – The Equifax Breach Illustrates Why

Are you from the United States or Canada? If so, there is a big chance you had sensitive personal information stolen in the biggest data breach of the summer. Equifax, a major consumer credit agency in North America, experienced a data breach resulting in the loss of the personal information of over 140 million individuals, which puts its victims at increased risk of identity theft and other forms of fraud. The Equifax breach is on a massive scale, but it is only the latest in a very long list of reported data breaches in recent years. According to Gemalto, over nine billion individual records have been lost or stolen in reported data breaches since 2013 – and the vast majority of breaches go unreported. Data handlers of all types continue to act irresponsibly, failing to protect the data of their users or to even attempt to apply basic data protection procedures.

How data handlers protect the privacy of user data isn’t working.

The dominant approach to data handling, based around the concepts of risk and compliance, is over 35 years old. With this approach, data handlers try to adhere to regulatory requirements and minimize the risk to themselves – not necessarily Continue reading

Small Actions, Big Impact: Making the Internet More Secure

October is Cybersecurity Awareness Month in the United States (or Cyber Security Month in Europe) and we’ve never been so aware of the need for cybersecurity. Since the start of last October, we’ve seen massive DDoS attacks, including one that took parts of the Internet offline by targeting Internet infrastructure; countless data breaches, with nearly 2 billion records lost or stolen in just the first half of 2017; and a virulent case of ransomware which crippled the systems of major companies, healthcare providers, and average users. The seriousness of the cyber threats facing us is clear, but what isn’t clear to most are the solutions.

We all play a role in making the Internet more secure. And each of us has to take action if we want to be safer, our privacy to be better protected, and the opportunities enabled by the Internet to grow. This month, take a few small steps to make the Internet more secure. Even small actions, if done by many, can have a big impact.

To start, take the time to update your devices and software. Running updates is one of the easiest actions you can take. Updates can patch vulnerabilities, making it Continue reading