AI Tool Seeks To Help Users Understand Complex Privacy Policies

By Marilia Wyatt, CyberPrivacy

Carnegie Mellon University’s tool aims to help users understand vague and complicated privacy policies on the internet to inform their decisions about their data.

The ‘Usable Privacy Policy Project’ extracts annotations from privacy policies by combining crowdsourcing, machine learning, and natural language processing techniques. It also uses artificial intelligence algorithms to crawl websites’ privacy policies and identify those that contain language about data collection and use, data retention and security, users’ choice to remove or edit their data, and third-party sharing, among other topics. The AI capability also rates each privacy policy for readability.

“Through our work we hope to overcome the limitations of current natural language privacy policies without imposing new requirements on service providers,” said Norman Sadeh, Lead Principal Investigator and Professor at Carnegie Mellon University. “We found that the text of the policies is often vague and ambiguous, and people tend to struggle to interpret and determine what personal information is collected, how it’s used, and what other entities it’s shared with,” Sadeh said. “From a legal standpoint, this is problematic.”

The Project also seeks to help organizations improve their privacy policies, assist regulators to assess policies, and inform ongoing public policy debates.

The Project is funded by the National Science Foundation under its Secure and Trustworthy Computing (SaTC) program and includes several affiliate universities. Learn about it here.

Further Reading:

Project Newsletter June 2016

(Video) Carnegie Mellon’s new AI reads privacy policies for you

(Video) Usable Privacy Policy Project: An Overview (December 2017)

Daniel J. Solove, UNDERSTANDING PRIVACY, Harvard University Press, May 2008

Alan Westin’s Legacy of Privacy and Freedom


Thousands of Android Apps for Kids Violate Privacy Law, Insecurely Transmit Data

By Marilia Wyatt, CyberPrivacy

More than half of Android apps targeted explicitly at kids under 13 may be violating U.S. privacy law: the Children’s Online Privacy Protection Act (COPPA), according to mobile app security researchers.

The March 2018 study, led by researchers at the International Computer Science Institute at the University of California, Berkeley, found that 40% of the 5,855 apps analyzed (2,344) do not use TLS (the standard method for securely transmitting data) in at least one transmission containing identifiers or other sensitive information. This suggests that almost half of the examined apps may not be taking ‘reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children,’ the researchers wrote.

Apps with poor or missing TLS configurations increase the risk of man-in-the-middle attacks, remote code execution, and unauthorized information disclosure.
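The study’s core metric is whether an app sends an identifier in at least one transmission that is not protected by TLS. The following is an added illustration written for this post, not the Berkeley researchers’ tooling: it runs that check over a few constructed network records. The record format, the list of identifier-bearing parameter names and the sample apps and hosts are all assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as identifiers or other sensitive data.
# Constructed for this example; the real study recognised device
# identifiers through instrumentation rather than a fixed key list.
IDENTIFIER_KEYS = {"android_id", "imei", "mac", "advertising_id", "email", "lat", "lon"}


@dataclass(frozen=True)
class Transmission:
    app: str   # package name of the sending app (constructed)
    url: str   # destination URL, including scheme and query string
    body: str  # form-encoded request body, or empty


def extract_keys(tx: Transmission) -> set:
    """Parameter names seen in the query string and in a form-encoded body."""
    keys = set(parse_qs(urlsplit(tx.url).query, keep_blank_values=True))
    keys |= set(parse_qs(tx.body, keep_blank_values=True))
    return {k.lower() for k in keys}


def carries_identifier(tx: Transmission) -> bool:
    """True when the transmission names at least one identifier parameter."""
    return bool(extract_keys(tx) & IDENTIFIER_KEYS)


def uses_tls(tx: Transmission) -> bool:
    """Only the scheme is inspected here; a full check would also validate the certificate."""
    return urlsplit(tx.url).scheme.lower() == "https"


def find_insecure(txs):
    """Transmissions that send an identifier over plaintext HTTP."""
    return [tx for tx in txs if carries_identifier(tx) and not uses_tls(tx)]


def apps_without_tls(txs):
    """Apps with at least one identifier-bearing plaintext transmission (the study's metric)."""
    return {tx.app for tx in find_insecure(txs)}


# Constructed sample capture: five transmissions from three hypothetical apps.
SAMPLE = [
    Transmission("com.example.kidsgame", "http://ads.example.net/track?android_id=abc123&event=open", ""),
    Transmission("com.example.kidsgame", "https://api.example.net/score", "level=3&score=120"),
    Transmission("com.example.colorbook", "https://sdk.example.org/init", "advertising_id=9f2a-constructed"),
    Transmission("com.example.puzzle", "http://cdn.example.com/assets/level1.png", ""),
    Transmission("com.example.puzzle", "http://stats.example.com/ping", "imei=356600000000000&model=x"),
]

if __name__ == "__main__":
    for tx in find_insecure(SAMPLE):
        print(f"{tx.app}: identifier sent without TLS to {urlsplit(tx.url).netloc}")
    total_apps = {tx.app for tx in SAMPLE}
    flagged = apps_without_tls(SAMPLE)
    print(f"{len(flagged)} of {len(total_apps)} apps flagged")
```

The static asset fetch over plain HTTP is deliberately not flagged: the study’s finding concerns identifiers and sensitive data, not every cleartext request, so the check requires both conditions.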

The report adds that the apps potentially improperly collecting and insecurely transmitting children’s data are all included in Google’s Designed for Families (DFF) program. Inclusion in the DFF program means that developers have (1) certified to Google that the intended audience includes children under 13; (2) received guidance from Google on COPPA compliance; and (3) affirmed their compliance with the law.

As more data is collected about kids on the devices they use, the types of data their apps access create significant privacy and security risks. It is important for parents to clearly understand why apps ask for particular permissions and how securely the data is transmitted and stored, and for the developer community to integrate privacy and security considerations early and in all phases of the app development life cycle.

To help parents understand their children’s app privacy implications, researchers published their results on AppCensus, a database that aims to provide app users “better transparency into how their mobile apps use and misuse their personally identifying information.”

Research highlights about violations and trends:

  • 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps
  • 73% of the tested applications transmitted sensitive data over the internet. While accessing a sensitive resource or sharing it over the internet does not necessarily mean that an app is in violation of COPPA, none of these apps attained verifiable parental consent
  • Efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID
  • 40% of the apps studied shared children’s personal info insecurely
  • 39% violated Google’s terms regarding persistent identifiers
  • 19% shared private info with third-party services that aren’t supposed to be used in children’s apps
  • 5% collected children’s physical locations or contact data without obtaining parental consent
  • 28% of the apps accessed sensitive data protected by Android permissions

See PDF.

Further Reading:

Thousands of Android Apps Potentially Violate Child Protection Law

Report Finds More Than Half of Android Apps for Children Are in Violation of COPPA


4 Ways Businesses Can Up Their Game Against Insider Threats

By Marilia Wyatt

  • Enhance business cybersecurity against insider threats by keeping rules for employees simple and easy to understand.
  • Customize effective security training and guidance for employees by following the same playbook that attackers use.
  • Foster an open environment for information sharing among IT and security teams and employees to enhance security.
  • Eliminate rules that complicate password practices for employees.

“One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose,” says Maarten Van Horenbeeck, VP of Security Engineering at Fastly, in the Harvard Business Review. 

According to Van Horenbeeck, who served on Amazon’s Threat Intelligence Team and held security roles at Google and Microsoft, businesses can better equip employees against targeted attacks by taking the following steps:

Use attackers’ playbook: improve security training to focus on attackers’ tactics 

IT personnel or those in charge of providing employee security training can customize sessions to teach employees what an attacker would actually do in a targeted campaign. Van Horenbeeck calls this method “teachable moments” because it provides focused information to specific individuals in a way that is applicable to them.

He adds that current training techniques tend to overwhelm employees with general guidance and comprehensive information during mandatory half-day security training sessions. Long, mandatory training sessions are typically ineffective because many people tune out due to information overload.

“…The most dangerous phishing emails — spear phishing attacks that are targeted at high-value employees — work because they are customized to fool exactly the person they are sent to. Requests for tax information and fake wire transfer requests look like they are sent from the CEO or CFO to someone in the finance department using the appropriate language,” Horenbeeck explains.

Eliminate rules that complicate password practices for employees

New guidelines by the National Institute of Standards and Technology (NIST) advise businesses to allow the use of password managers so that employees are able to paste passwords into fields.

The guidelines also recommend using multi-factor authentication and key fobs.

Foster open culture among employees, the IT department, and security team to enhance information sharing for improving cybersecurity

Van Horenbeeck explains, “The security and IT teams need to be seen as trusted and helpful advisors to employees, instead of as regulators.” To improve this dynamic, he recommends that businesses increase opportunities for interaction between employees and IT.

This relationship-cultivation can be achieved during office hours to reduce the potential negative cultural and security effects that could come from animosity between IT staff and general employees.

IT staff should not treat employee questions and help requests as “annoyances” and employees should not treat IT and security staff as regulators.

The key takeaway is for all to work together to enhance cybersecurity as a unit

As the 2017 Verizon Data Breach Investigations Report reveals, employee alerts are one of the most common methods of discovering cyberattacks, so providing employees with the information and tools needed to identify attacks is a major part of a business’s security program.

Ohio Lawmakers Propose Legislation To Provide Businesses Data Breach Defense In Court

By Marilia Wyatt

Proposed legislation in Ohio seeks to incentivize businesses to voluntarily adopt a cybersecurity framework in return for an affirmative defense or “safe harbor” in court should a data breach still occur.

Senate Bill 220, the Data Protection Act, was introduced Oct. 17 by State Sens. Bob Hackett (R-London) and Kevin Bacon (R-Minerva Park).

The point is for Ohio businesses to be proactive in instituting certain defenses to guard against data breaches.

Importantly, the bill does not create a minimum cybersecurity standard for businesses to achieve or impose liability for not obtaining or maintaining one; instead, it intends to provide an evolutionary standard for business risk.

To meet the safe harbor requirements, businesses must create, maintain, and comply with administrative, technical, and physical safeguards for the protection of personal data by using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology, or another industry-recognized information security framework.

Further, a judge would be responsible for determining whether a business qualifies or not for a safe harbor provision, states data protection attorney Brian H. Lam, in The National Law Review.

The legislation is part of state Attorney General DeWine’s CyberOhio Initiative. Launched in 2016, its objective is to provide Ohio businesses with support on cybersecurity issues to enhance their success, according to the website.

“As businesses beef up their cybersecurity, consumers will benefit from the additional protection as well,” explained DeWine, who endorsed the legislation in a statement.

CyberPrivacy will continue to monitor this pending legislation and give our readers an update as it unfolds.

Further Reading:

Proposed Ohio Law May Encourage Businesses to Adopt Cyber Standards

Data Protection Act Will Incentivize Cybersecurity to Protect Consumer Data

Lawmakers Offer Legal Carrot to Defeat Data Breaches

U.S. House Approves the NIST Small Business Cybersecurity Act

By Marilia Wyatt

The U.S. House of Representatives on Oct. 11 approved the NIST Small Business Cybersecurity Act (H.R. 2105), sponsored by Rep. Daniel Webster (R-Fla.) and co-sponsored by Rep. Lamar Smith (R-Texas), according to a statement by the House Committee on Science, Space, and Technology. The companion bill, S. 770, was approved by the U.S. Senate on Sept. 28.

“[H.R. 2105] calls on the National Institute of Standards and Technology (NIST) to provide small businesses with guidance to help them identify, assess, manage and reduce their cybersecurity risks,” the press release explained.

Specifically, H.R. 2105 does the following:

  • Directs the NIST director, in consultation with heads of other federal agencies, to disseminate within a year of the act’s enactment clear and concise guidelines, tools, best practices, standards and methodologies, based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, to help small businesses identify, assess, manage and reduce their cybersecurity risks
  • Clarifies that use of such guidance by small businesses is voluntary
  • Directs the NIST director and heads of federal agencies that so elect to make the guidance available on their government websites
  • Specifies that funds to carry out this act are authorized out of existing spending

Commenting on the legislation, Rep. Webster noted: “Small businesses are especially vulnerable, with some reports noting that 43 percent of cyber-attacks specifically target. These small businesses are more susceptible to attacks due to the limited access to the tools they need to prepare for such an event. As the owner of a multi-generational small business, I know what small businesses can accomplish when equipped and empowered with the right tools. Recently, when my own business was attacked, I experienced the havoc a hacker can cause and the importance of cybersecurity. This bill will provide small businesses in my district, state and across the country with the tools they need to meet the threats and challenges of the modern world.”

Chairman Smith of the House Committee on Science, Space, and Technology added: “Small businesses account for more than half of all U.S. jobs, including nearly four and a half million in my home state of Texas. While many small businesses do not have the expertise to protect their computer systems and confidential information, it is crucial to our economy and our citizens’ security that these businesses secure their data. Congressman Webster’s NIST Small Business Cybersecurity Act helps achieve this goal by using NIST’s global cybersecurity expertise and requiring NIST to provide small businesses with guidance on identifying risks of cyber-attacks. October is National Cybersecurity Awareness Month and it is appropriate that Congress consider legislation to protect small businesses from cybersecurity attacks.”


Lawmakers Introduce ECPA Reform on Privacy & Fourth Amendment Safeguards On Digital Data

On July 27, Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) introduced the ECPA Modernization Act of 2017, a bill to reform the Electronic Communications Privacy Act of 1986 (ECPA). Among other things, the bill requires that the government and law enforcement obtain a warrant before they can access emails, geolocation information, and other sensitive information. The bill aims to give Americans their full Fourth Amendment rights regardless of which method of communication they use and where their data is stored, without compromising law enforcement’s ability to solve and prosecute crimes.

“Americans don’t believe the federal government should have warrantless access to their emails just because they are 180 days old,” Sen. Lee said in a press release, adding “They don’t believe the government should be able to always know where you are just because you are carrying a cell phone. It is long past time that Congress updated our federal laws to better protect Americans’ privacy.”

“Our digital privacy laws are woefully out of date and make no sense in the modern world,” said Sen. Leahy, adding “Americans expect and deserve strong, meaningful protections for their emails, texts, photos, location information and documents stored in the cloud. It’s time for Congress to enact broad reforms to ECPA and other privacy laws to bring these laws into the 21st Century.”


Towards an Internet Free of Censorship II: Perspectives in Latin America

The development of the internet brings about new opportunities, challenges and problems that require creative solutions, capable of promoting further development, investment and sustainable growth while fairly and squarely guaranteeing the rights of users. This new compilation of articles addresses some of the most salient issues on the Latin American legislative and regulatory agenda for the internet. These are complex and thorny issues that have generated intense debate among scholars, legislators, practitioners, engineers, companies and users. The first article, authored by Carolina Aguerre, analyzes internet governance and the different local models developed in Latin America to assess their efficiency and impact. The second article, by Daniel Alvarez Valenzuela, offers an introduction to cyber security, highlighting the need to incorporate a human rights perspective into its development. The third and fourth articles address zero-rating. Luca Belli explains the deep connection between access to the internet and zero-rating policies, and Arturo Carrillo proposes an analysis of zero rating under the Inter-American system’s three-part test: legality, necessity and proportionality. Last but not least, the fifth and sixth articles offer two different approaches to the “right to be forgotten”. Daphne Keller analyzes the European Directive and its (in)application to the Latin American context, and Nelson Remolina reviews and criticizes the jurisprudence on the issue from the data protection perspective.

View PDF

Paper ‘Rethinks’ Privacy Self-Management and Data Sovereignty for Individual Control of Big Data

CyberPrivacy Brief:

  • In conjunction with the Bertelsmann Foundation, the Center for Democracy & Technology released a paper that analyzes how data-protection legal regimes rooted in principles of individual control have been challenged by the rise of large-scale data collection and processing in the rapidly evolving digital environment.

With a focus on data sovereignty, the paper evaluates approaches that could meet the requirements of big-data technologies and provide possible new alternatives for policy regimes to achieve individual control of data.



What the Public Knows About Cybersecurity


In an increasingly digital world, an individual’s personal data can be as valuable – and as vulnerable – to potential wrongdoers as any other possession. Despite the risk-reducing impact of good cybersecurity habits and the prevalence of cyberattacks on institutions and individuals alike, a Pew Research Center survey finds that many Americans are unclear about some key cybersecurity topics, terms and concepts. A majority of online adults can identify a strong password when they see one and recognize the dangers of using public Wi-Fi. However, many struggle with more technical cybersecurity concepts, such as how to identify true two-factor authentication or determine if a webpage they are using is encrypted.

This survey consisted of 13 questions designed to test Americans’ knowledge of a number of cybersecurity issues and terms. Cybersecurity is a complicated and diverse subject, but these questions cover many of the general concepts and basic building blocks that cybersecurity experts stress are important for users to protect themselves online. However, the typical (median) respondent answered only five of these 13 knowledge questions correctly (with a mean of 5.5 correct answers). One-in-five (20%) answered more than eight questions accurately, and just 1% received a “perfect score” by correctly answering all 13 questions.

These are the key findings from an online survey of 1,055 adult internet users living in the United States conducted June 17-27, 2016.

Cybersecurity knowledge varies widely by topic and level of technical detail

Of the 13 questions in the survey, a substantial majority of online adults were able to correctly answer just two of them. First, 75% of online adults can correctly identify the strongest password from a list of four options. The correct password in this case is the password that does not contain words in the dictionary; does contain letters, numbers and symbols; and has a combination of both upper and lower case letters. A similar share (73%) is aware that if a public Wi-Fi network is password protected, it does not necessarily mean that it is safe to perform sensitive tasks, such as online banking, using that network.
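The survey’s “strongest password” question rests on three observable criteria: no dictionary words, a mix of letters, digits and symbols, and both upper- and lower-case letters. The function below is an added example, not part of the Pew report, that scores a list of candidate passwords against exactly those criteria and picks the one that satisfies most of them. The small word list and the candidate passwords are constructed for the example; a real check would use a full dictionary and breached-password list.

```python
import string

# Constructed stand-in for a dictionary word list (assumption for this example).
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein"}


def strength_checks(pw: str) -> dict:
    """Evaluate the survey's criteria one by one; each value is True when the criterion is met."""
    lowered = pw.lower()
    return {
        "no_dictionary_word": not any(word in lowered for word in DICTIONARY),
        "has_letters": any(c.isalpha() for c in pw),
        "has_digits": any(c.isdigit() for c in pw),
        "has_symbols": any(c in string.punctuation for c in pw),
        "mixed_case": any(c.isupper() for c in pw) and any(c.islower() for c in pw),
    }


def meets_survey_criteria(pw: str) -> bool:
    """True only when every criterion from the survey question is satisfied."""
    return all(strength_checks(pw).values())


def strongest(options) -> str:
    """Pick the option satisfying the most criteria; ties go to the longer password."""
    return max(options, key=lambda p: (sum(strength_checks(p).values()), len(p)))


# Constructed candidates in the spirit of the survey's four-option question.
OPTIONS = ["Welcome2017", "summer!!", "x9T#qL2v!pR", "PASSWORD123!"]

if __name__ == "__main__":
    for option in OPTIONS:
        failed = [name for name, ok in strength_checks(option).items() if not ok]
        print(f"{option!r}: {'passes' if not failed else 'fails ' + ', '.join(failed)}")
    print("strongest:", strongest(OPTIONS))
```

Note that these are the survey’s criteria for distinguishing options, not a complete strength model: length and resistance to known-breach lists matter at least as much, which is why the criteria are kept in a dictionary that can be extended rather than collapsed into a single score.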

Meanwhile, around half of internet users are able to correctly answer several other questions in the survey. Some 54% of internet users are able to identify examples of phishing attacks. Similarly, 52% correctly say that turning off the GPS function of a smartphone does not prevent all tracking of that device (mobile phones can also be tracked via the cellular towers or Wi-Fi networks to which they are connected).

Additionally, 49% of internet users know that Americans are legally entitled to get one free copy of their credit report annually from each of the three major credit bureaus. This issue is not specifically related to any technical aspects of cybersecurity, but cybersecurity experts recommend that anyone who uses the internet for financial or other sensitive transactions regularly check their credit reports to discover evidence of identity theft or other kinds of fraud. A similar share (48%) can correctly define the term “ransomware.” This refers to criminals accessing someone’s computer, encrypting their personal files and data, and holding that data hostage unless they are paid to decrypt the files.

Americans’ practical understanding of email and Wi-Fi encryption is also relatively mixed: 46% of internet users are able to correctly identify that the statement “all email is encrypted by default” is false. Some email services do encrypt users’ messages, but this is not a standard feature of all email services. At the same time, 45% correctly identify that the statement “all Wi-Fi traffic is encrypted by default on all wireless routers” is also false.

Public knowledge of cybersecurity is lower on some relatively technical issues

Internet users’ understanding of the remaining cybersecurity issues measured in the survey is lower – in some cases dramatically so. For instance, 39% of internet users are aware that internet service providers (ISPs) are able to see the sites their customers are visiting while utilizing the “private browsing” mode on their internet browsers. Private browsing mode only prevents the browser itself, and in some cases the user’s computer or smartphone, from saving this information – it is still visible to the ISP. And one-third (33%) are aware that the letter “s” in a URL beginning with “https://” indicates that the traffic on that site is encrypted.

Meanwhile, just 16% of online adults are aware that a group of computers that is networked together and used by hackers to steal data is referred to as a “botnet.” A similar share (13%) is aware that the risks of using insecure Wi-Fi networks can be minimized by using a virtual private network, or VPN.

Lastly, cybersecurity experts commonly recommend that internet users employ “two-factor” or “multi-factor” authentication on any account where it is available. Two-factor authentication generally requires users to log in to a site using something the user knows (such as a traditional password) along with something the user possesses (such as a mobile phone or security token), thus providing an additional layer of security in the event that someone’s password is hacked or stolen. But when presented with four images of different types of online login screens, just 10% of online adults are able to correctly identify the one – and only one – example in the list of a true multi-factor authentication process. In this case, the correct answer was a picture of a login screen featuring a temporary code sent to a user’s phone that will only help them login for a limited period of time. Several of the other answer options illustrated situations in which users were required to perform a secondary action before accessing a page – such as entering a captcha, or answering a security question. However, none of these other options are examples of two-factor authentication.
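The login screen the survey counts as true two-factor authentication combines a password (something the user knows) with a temporary code delivered to the user’s phone (something the user possesses) that only works for a limited time. The code below is an added example written for this post, not from the Pew report: a minimal server-side service that issues such a code, stores only its hash, and accepts it once within a validity window, plus a login routine that requires both factors. The five-minute window, the toy user table and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a delivered code


class SecondFactorCodes:
    """Issues and verifies short-lived, single-use codes sent out of band (e.g. by SMS)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}           # user -> (hashed code, expiry timestamp)

    @staticmethod
    def _digest(user: str, code: str) -> str:
        # Store a hash rather than the code so a leaked table does not reveal live codes.
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a fresh 6-digit code for the user; the caller delivers it to the phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (self._digest(user, code), self._clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Accept a code only if one is pending, unexpired and matches; a match consumes it."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[user]  # expired codes are discarded, never accepted
            return False
        ok = hmac.compare_digest(digest, self._digest(user, submitted))
        if ok:
            del self._pending[user]  # single use: a replayed code fails
        return ok


# Constructed user table: user -> password. A real system stores salted password hashes.
USERS = {"alice": "correct-horse-battery-staple"}


def login(service: SecondFactorCodes, user: str, password: str, code: str) -> bool:
    """Both factors must pass. Neither a CAPTCHA nor a security question would count as a second factor."""
    password_ok = hmac.compare_digest(USERS.get(user, ""), password)
    return password_ok and service.verify(user, code)


class FakeClock:
    """Controllable clock for demonstrating expiry without waiting."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    service = SecondFactorCodes(clock)
    code = service.issue("alice")
    print("first use:", login(service, "alice", USERS["alice"], code))   # accepted
    print("replay:", login(service, "alice", USERS["alice"], code))      # rejected, already consumed
    code = service.issue("alice")
    clock.now += CODE_TTL_SECONDS + 1
    print("expired:", login(service, "alice", USERS["alice"], code))     # rejected, too late
```

Two properties carry the security argument: the code is useless after the window closes, and it is useless a second time, so a code observed by someone who also has the password cannot be reused later.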

A significant share of online adults are simply not sure of the correct answer on a number of cybersecurity knowledge questions

Although the share of online adults who can correctly answer questions about cybersecurity issues varies from topic to topic, in most cases the share providing an actual incorrect answer is relatively small. Rather, many users indicate that they simply are not sure of the correct answer to a large number of the questions in this survey.

At the low end, around one-in-five online adults indicate they are not sure how to identify the most secure password from a list (17%), how to identify multi-factor authentication (18%) or whether public Wi-Fi is safe for sensitive activities (20%). At the high end, a substantial majority of internet users are not sure what purpose a VPN serves (70%) or what a botnet does (73%). There are also a number of other questions in this survey where “not sure” responses are markedly more common than incorrect answers. These include the definition of ransomware, whether or not email and Wi-Fi traffic are encrypted by default, whether private browsing mode prevents ISPs from monitoring customer activity and how to identify whether or not a webpage is encrypted. In fact, there is only one question on the survey – how to identify a multi-factor authentication screen – for which a larger share of respondents answer incorrectly than indicate they are not able to answer the question at all.

Those with higher levels of education and younger internet users are more likely to answer cybersecurity questions correctly

Internet users’ knowledge of cybersecurity varies by several demographic factors. The most consistent differences are related to educational attainment.

Those with college degrees or higher answered an average of 7.0 of the 13 questions in the survey correctly, compared with an average of 5.5 among those who have attended but not graduated from college and an average of just 4.0 for those with high school diplomas or less.

Roughly one-quarter (27%) of those with college degrees answered 10 or more questions correctly, compared with 9% of those who have attended but not graduated from college and just 4% of those with high school diplomas or less.

On all 13 questions in the survey, there is at least an 11 percentage point difference in correct answers between the highest- and lowest-educated groups. And there are four questions with a difference of 30 percentage points or more between the highest- and lowest-educated groups. These include whether or not Wi-Fi traffic is encrypted by default on all wireless routers (a difference of 34 points); what “https://” in a URL refers to (32 points); whether or not all email is encrypted by default (32 points); and the definition of ransomware (31 points).

Cybersecurity knowledge also varies by respondent age, although these differences are much less dramatic than the differences pertaining to educational attainment. Indeed, on a number of these questions internet users age 65 and older are just as knowledgeable as those ages 18 to 29. For instance, older and younger users are equally likely to be able to identify a phishing attack, identify the most secure password from a list and know how many free credit reports Americans are entitled to by law. However, younger users score higher on certain questions – such as whether “private browsing” mode prevents ISPs from tracking users’ online activities (a 27 point difference) or whether turning off the GPS feature on a smartphone disables all tracking of that device (a 23 point difference).

Overall, 18- to 29-year-olds correctly answered a mean of 6.0 out of 13 questions, compared with a mean of 5.0 among those 65 and older.

Source: Pew Research Center, a nonpartisan fact tank that informs the public about the issues, attitudes and trends shaping America and the world. It conducts public opinion polling, demographic research, media content analysis and other empirical social science research.

Congressmen Introduce Bill To Provide States Privacy Training & Enhance Cybersecurity Coordination


On Feb. 16, U.S. Senators David Perdue (R-GA) and Gary Peters (D-MI) re-introduced S. 412, the State and Local Cyber Protection Act of 2017, which aims to strengthen America’s cyber defense capabilities by increasing coordination with the Department of Homeland Security (DHS).

The Act seeks to amend the Homeland Security Act of 2002 to require State and local coordination on cybersecurity with the national cybersecurity and communications integration center as well as provide, in coordination with the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer of the Department, privacy and civil liberties training to State and local governments related to cybersecurity.