Eighty-seven percent of registered voters polled are very or somewhat concerned that a person or organization they don't trust could get access to private information stored on their electronic devices or mobile apps, ACT|The App Association found in a commissioned survey released Monday. On a media call, Doug Usher, who heads polling firm Purple Insights, said 71 percent of respondents believe the threat from cybercriminals and hackers is increasing, and only 2 percent think it is decreasing. Eighty percent said companies like Apple and Google should continue to build strong innovative safeguards to strengthen data encryption, and only 13 percent believe it's adequate, he said. More people trust companies than the federal government -- 54 percent vs. 21 percent, he said. Plus, overwhelming majorities, close to 90 percent, either believe back doors could be misused and make personal data more vulnerable or criminals and terrorists could use them to create additional threats. During the call, Purple Strategies CEO Steve McMahon, a longtime Democratic consultant, said it "surprised" him most that a "broad and universal agreement" exists among civil libertarians and national security supporters on all measures. "I suppose that's a good sign that it's not impossible to find common ground in Washington even today," he said. The nationwide survey of 1,250 registered voters was done via cellphone or landline April 11-14.
A House Commerce subcommittee named witnesses for its hearing Tuesday on encryption, featuring federal, state and local law enforcement officials and technology industry executives. In a notice, the Oversight and Investigations Subcommittee said it will focus on "the intersection of the benefits associated with strong encryption and the needs of law enforcement." Among the witnesses are Apple General Counsel Bruce Sewell, who testified before another House committee in early March on the FBI's legal fight with the company to get access to an iPhone used by one of the San Bernardino, California, mass shooters (see 1603010013). On the first panel are FBI Assistant Director for Science and Technology Amy Hess, New York City Police Department Intelligence Bureau Chief Thomas Galati, the National Sheriffs’ Association's Ron Hickman, and Charles Cohen, who heads Indiana's Internet Crimes Against Children Task Force. The second panel includes Apple's Sewell, RSA Security President Amit Yoran, Massachusetts Institute of Technology research scientist Daniel Weitzner, and University of Pennsylvania computer professor Matthew Blaze. The 10 a.m. hearing will be in 2123 Rayburn.
The Senate Judiciary Committee isn't planning to act on S-356, which would update the 1986 Electronic Communications Privacy Act (ECPA), until certain concerns about investigations by civil enforcement agencies are addressed, a spokesman for Chairman Chuck Grassley, R-Iowa, emailed Wednesday. The House Judiciary Committee unanimously approved its ECPA update bill, called the Email Privacy Act (see 1604130036), which creates a uniform warrant standard for law enforcement agencies to get access to people's electronic communications in all criminal investigations. HR-699, with 314 co-sponsors and headed to a full House vote, doesn't contain a carve-out for civil agencies like the SEC that had wanted an exception since they aren't allowed to obtain such warrants. Grassley's spokesman emailed that some of the chairman's "concerns relate to how some of these bills would hamper the civil enforcement of our securities, environmental, and consumer protection laws, the failure of these bills to address ongoing problems encountered by state and local law enforcement officials who must use the ECPA process to obtain information to solve serious crimes, and even how these bills could affect Congress’s ability to exercise its oversight responsibilities." S-356, which had a hearing in September, is sponsored by Sens. Mike Lee, R-Utah and Patrick Leahy, D-Vt.
The FBI shouldn't require any technology company to create codes that undermine security and introduce additional vulnerabilities, Mozilla Chief Legal and Business Officer Denelle Dixon-Thayer wrote in a blog post Thursday. She said that government surveillance can cause "massive harm" to user security and the Apple case is the latest example. Instead, she proposed that governments adopt basic principles to guide the scope of their surveillance activities. Governments should strengthen user security and minimize the impact of surveillance on user trust and security, and such surveillance activities should have "empowered, independent and transparent oversight," Dixon-Thayer wrote. She asked users to share the principles and encourage policymakers and governments to protect users from what she sees as surveillance harms.
Oracle is settling FTC charges that the company deceived consumers about security updates to its Java platform, standard edition software (Java SE) that's been installed in more than 850 million personal computers. The FTC said in a news release Monday that Oracle will be required to give consumers an easy way to uninstall older, insecure versions of Java SE under the proposed consent order. The company is also required to inform consumers via social media and its website about the settlement and how consumers can remove older versions of Java SE, which are vulnerable to hacking, the FTC said. The commission voted 4-0 to issue the complaint and accept the proposed consent order, which will be published in the Federal Register soon and then be subject to public comment until Jan. 20. At that time, the commission will decide whether to make the proposed consent order final. The FTC alleged Oracle had been aware of "significant security issues" with older Java SE versions, which support browser-based features such as calculators, online gaming, chat rooms and 3D images. The agency said the security flaws "allowed hackers to craft malware that could allow access to consumers' usernames and passwords for financial accounts" and launch phishing attacks. The FTC complaint also alleged Oracle promised consumers Java SE installed updates would protect their systems, but the company failed to say the update "automatically removed only the most recent prior version of the software" not earlier versions that might be installed. The agency said no versions released before Java SE version 6 update 10 were uninstalled. The FTC also alleged internal Oracle documents showed the company was aware of the problem in 2011 and "a large number of hacking incidents were targeting prior versions." Oracle had notices posted on its website about the need to remove older versions, but it didn't indicate the process didn't automatically remove older versions. Oracle did not comment.
Nearly 4.9 million customer or parent accounts and about 6.4 million related kid profiles worldwide were affected by the VTech data breach (see 1511300026), said the supplier of electronic learning toys Tuesday in an updated FAQ about the incident. The company said its Learning Lodge app store customer database was affected and its Kid Connect servers were accessed. "Kid profiles unlike account profiles only include name, gender and birthdate," the company said. VTech also listed the number of parent accounts and child profiles affected across 12 countries, the U.K., Latin America and a section called "Others." In the U.S., more than 2.2 million parent accounts and nearly 2.9 million child profiles were affected, followed by France where about 870,000 parent accounts and 1.2 million child profiles were breached. VTech also said there's no evidence any compromised data has been used or distributed criminally. It said "appointed data security legal specialists" are in the process of "liaising with local authorities" in the investigation.
California Gov. Jerry Brown (D) signed the California Electronic Privacy Communications Act (CalECPA SB-178) into law Thursday. The bill “protects Californians against warrantless law enforcement access to private electronic communications such as emails, text messages and GPS data that are stored in the cloud and on smart phones, tablets, laptops and other digital devices,” said one of the bill’s author’s, state Sen. Mark Leno (D), in a news release. CalECPA has support from Silicon Valley’s major tech companies, including Apple, Facebook, Google and Twitter, which have “seen a dramatic rise in requests from law enforcement for consumer data in recent years,” the release said. “Google has seen a 180 percent jump in law enforcement demands for consumer data in the past five years,” it said. “Last year, AT&T received 64,000 demands -- a 70 percent increase in a single year,” it said. “Verizon reports that only one-third of its requests had a warrant, and last year Twitter and Tumblr received more demands from California than any other state,” the release said. American Civil Liberties Union Technology & Civil Liberties Policy Director Nicole Ozer called Brown’s decision to sign the legislation into law a “landmark win for digital privacy,” in an ACLU news release. California now joins Maine, Texas, Utah and Virginia in updating privacy laws for the digital age, Leno's news release said. The ACLU hopes California’s legislation is used as a “model for the rest of the nation in protecting our digital privacy rights,” Ozer said. The Electronic Frontier Foundation and Center for Democracy & Technology also released statements supporting Brown’s decision to sign the legislation.