You get important news and warnings about security and privacy on the internet, plus a bonus for investors!
(Be patient – loading this page takes a few seconds.)
On the PRIVACY page, you will find my recommendations for a broad strategy to protect your computer from hackers.
But here, I give you the latest news and advice on this subject. You alone can take care of your own security and privacy and this requires some knowledge, strategy and constant vigilance.
If you know of any news sources in German, send me their web addresses and I will try to add them to this page.
* Copyrights belong to each article's respective author.
** Although this website should be free from tracking and other hazards, I can't guarantee that, of course.
If you keep an eye on security headlines, you may have seen the news that up to one in five work passwords include the company name.
This is according to new research by data protection specialists Acronis, which also suggests that around 80 percent of companies don’t have an established password policy. Both stats are concerning from the point of view of businesses’ online security – but they are trivial to fix if you use an enterprise password manager.
People use the name of the company they work for as part of their password to make it memorable. When people are forced to remember passwords, especially those that they need to change regularly, it carries the unintended consequence of making passwords less secure.
People rotate through minor variations of the same base password, such as using their company name with a few extra characters on the end, to check off password policy requirements while still being able to remember their password.
The problem is that hackers can guess the company part of the password, while the remaining characters are easy to crack through computational brute force compared to a truly random password of sufficient length. To put it more simply: Lack of effective password policy puts company data at risk.
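An added example (not code from the article, Acronis or 1Password) of a server-side password policy check that catches the two habits described above: the employer's name hidden in the password, even behind common character substitutions, and a "rotation" that only changes a short suffix of the previous password. The company name "Acme Widgets" and every sample password are constructed.

```javascript
// Constructed substitution table: digits and symbols people use in place of letters.
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// Lowercase, undo the substitutions above, keep only letters and digits.
function normalize(s) {
  return s
    .toLowerCase()
    .replace(/[0134578@$]/g, (c) => LEET[c])
    .replace(/[^a-z0-9]/g, "");
}

// Tokens a user is likely to borrow from the employer's name: the whole name
// squashed together and each word of at least four letters.
function companyTokens(companyName) {
  const words = companyName.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
  const tokens = new Set([words.join("")]);
  for (const w of words) if (w.length >= 4) tokens.add(w);
  return [...tokens].map(normalize);
}

// The part that survives a "rotation": everything before a short run of
// trailing digits and symbols (e.g. "Summer2023!" -> "summer").
function stem(password) {
  return normalize(password.replace(/[0-9!@#$%^&*._\-+=?]{1,6}$/, ""));
}

// Returns { ok, reasons }; reasons is empty when the password passes.
function checkPassword(password, companyName, previousPasswords = [], minLength = 16) {
  const reasons = [];
  const norm = normalize(password);
  const hit = companyTokens(companyName).find((t) => norm.includes(t));
  if (hit) reasons.push(`contains employer name fragment "${hit}"`);
  if (password.length < minLength) reasons.push(`shorter than ${minLength} characters`);
  const s = stem(password);
  if (s.length > 0 && previousPasswords.some((p) => stem(p) === s)) {
    reasons.push("only the suffix changed since a previous password");
  }
  return { ok: reasons.length === 0, reasons };
}
```

Compare new passwords against the hashes of previous ones in practice; the plaintext history here only keeps the example self-contained.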
You can implement a better password policy in 24 hours by requiring that everyone in the company use 1Password to create the passwords they use at work. Out of the box, 1Password generates strong, unique passwords, and remembers and fills them in for you.
1Password makes the problem of weak passwords go away; because 1Password remembers passwords for everyone in your company, they’re no longer tempted into using the kind of weak, memorable password this research describes. And, after you’re set up with 1Password, you can use Watchtower to find and update weak passwords to stronger ones.
1Password Business includes Advanced Protection, which lets you set stricter Master Password requirements for your team to make sure their logins and other important information are safely protected. It also lets you manage two-factor authentication and create rules for how and where your team can use 1Password – for example, preventing logins from countries where no team members are present, and requiring up-to-date apps.
Even if you’re using an identity provider, take note. The prevalence of shadow IT makes it almost inevitable that people in your organization – with the absolute best intentions – are using software and services you’re not aware of to get things done. In the process, they’re very possibly putting company data on external services behind weak passwords (because, hey, they’ve already gone to the trouble of memorizing one work password they can reuse).
Our hearts sink when we see headlines like these because we know there’s a better way. Time and again we see businesses choose against prioritizing their security, and it’s a mistake that can cost businesses eight- or even nine-figure sums.
You can try 1Password Business for free today. When you sign up, your whole team can use 1Password Families at home for free – a great perk that encourages better online security practices both at home and at work.
Sign up for 1Password Business today and get your first 14 days free.
Right now at 1Password, we’re in the process of a large-scale development effort focused on the apps that our customers use every day on macOS, iOS, Windows, Android, and in the browser.
We kicked off this effort with the addition of a new platform where we’ve never had a desktop app before: Linux. At the genesis of this project we had a lot of internal discussions about programming languages, tech stacks, toolkits, and more. However, one thing we never disagreed on was our commitment to continue building great apps.
We’ve been developing native apps since 2004 so we understand the value they bring to our customers – things like offline access, deep integration with system features, and the ability to manage more than passwords. With every new platform we support, we strive to deliver an experience that feels like the 1Password you know and love, but also feels right at home on the platform you’re using.
If you’re a 1Password customer there’s a good chance you’re using it on two or three platforms. Maybe you’ve got it installed on your phone or tablet and have set up Password AutoFill on iOS or Android.
On your computer, you might be using 1Password in your browser every day to quickly and easily sign in to websites.
You might have also installed our desktop app for Mac or Windows (or even jumped on the Linux beta I mentioned earlier!).
No matter where you use 1Password, I can guarantee there’s a great experience waiting for you. And that’s not by accident. Every app in the 1Password ecosystem was built with express purpose:
We don’t believe in a one-app-fits-all approach – there is no single solution that fits the bill for all the different ways our customers can and want to use 1Password.
Flexibility, performance, and security are crucial when it comes to keeping your most important information safe, whether that’s for you, your family, or your team. With the 1Password apps you can access your data whenever and wherever you need to:
Our approach to building software has enabled us to create some fantastic features over the years, and all our apps work together to create a seamless experience, whatever your platform. But we’re really excited about what’s to come, which is why we’re working hard on new features that you’ll find in our upcoming betas.
Ultimately, our goal at 1Password is to make it easy to stay safe online. The simplest way to do that is to give our customers complete control over how they store and use their data. We’re continuing our efforts to bring the best possible experience to all our customers – whether that’s families, businesses, power users, or novices. Keep your eyes peeled for more stories on how and why we build the 1Password apps, coming soon.
Using another password manager? Make the switch and we'll give you six months free when you sign up.
2020 is over – we can finally say it out loud. While we may not be able to put everything behind us, there are a few things we can pack up and wave a cheery goodbye to. The first one that comes to mind? Bad online security.
While it might not be the most obvious new year’s resolution, scrubbing up online habits can be a little more exciting than ushering in a reduced Netflix schedule.
Internet use changed dramatically over the past year, as companies moved to remote work and families opted for virtual gatherings. This shift in online activity comes with an increase in vulnerabilities due to careless online habits, like weak passwords and reusing the same password for multiple accounts (hint: Changing the number at the end just isn’t good enough).
The good news is that, with a few simple changes, you can set yourself up for security success this year.
Think of your email as the gateway to each of your other accounts. Because of that, it's a logical first step when buttoning up your online security.
Use a password manager with a random password generator to create a strong, unique password – at least 20 characters with a mix of numbers, symbols, and uppercase and lowercase letters. That means no personal information like your birthday, address, or phone number.
If you think your email may have been compromised, head to Have I Been Pwned to confirm. Founded by Troy Hunt, a leader in the security development space, HIBP keeps an updated list of websites that have been “pwned”, and can also alert you if a future breach occurs.
And if you really want to make sure you aren’t affected by a data breach, we’ve built this functionality right into 1Password. Watchtower alerts you to security problems with the websites you use, so you can update any compromised passwords right away.
You can also follow @1PWatchtower on Twitter for regular updates.
Multi-factor authentication (MFA) adds a second layer of protection and should be used wherever it is available. It doubles down on identity verification and requires an authentication code after the correct password has been entered.
MFA can be managed digitally on your phone or by using hardware-based authentication, which relies on a physical device such as a YubiKey. YubiKey is easily integrated with 1Password and provides a range of authentication options including two-factor, multi-factor, and passwordless.
Certain sites only offer MFA through text messages, or SMS, which actually presents its own security risks. We only recommend using SMS for MFA if it’s the only option available.
If there’s ever a case where your password has been compromised, two-step authentication makes it more difficult for hackers to access the account. Don’t overthink this extra step; you can set up 1Password as an authenticator and make it easy to sign into sites where MFA is turned on.
Here’s another easy one: Stop snoozing the update notifications on your devices and turn on automatic updates. That goes for browsers and apps as well – turning on automatic updates is one of the easiest ways to defend against security vulnerabilities and takes care of the pesky notifications at the same time.
Your router (along with smart home devices) can be an entryway for hackers. Many routers are shipped with the default password and username “admin”, which is essentially a welcome mat for privacy breaches. It’s a good idea to update these default settings as soon as possible. Use a password generator (like the one built into 1Password) to generate a strong, random password and lock down your home network.
Don’t be a victim of passwords past. Have an old blog or untouched social media account? Or maybe you don’t use PayPal anymore since Venmo took over. Old accounts can still hold valuable data and sometimes be more vulnerable to attack. Back in 2013, a simple security flaw compromised millions of MySpace accounts, but the details around this weren’t disclosed until three years later.
Lesson learned. Delete any inactive accounts (only after removing personal information like credit card details, date of birth, or your home address) or update them with a strong password that isn’t used anywhere else.
Prioritizing online safety in the new year doesn’t have to be complicated. Any new devices you may have acquired over the holidays are a great place to start. Make 1Password your first download to secure your apps and accounts, and if your device supports biometric unlock, set it up with 1Password.
Ready to take it to the next step? If you purchase a $50 gift card you’ll get $10 towards any YubiKey 5 Series by Yubico – the security key that provides strong two-factor authentication with a simple touch.
When we started these 1Password for Good initiatives at the beginning of 2020, we had no idea just how much “good” the year ahead was going to need.
For the 1Password team, the project has become an important reminder that helping others connects us to a wider, more diverse community. And despite 2020 being an incredibly difficult year for us all, there were still a lot of positive things happening around the world.
We embarked on a mission to aid people and communities who needed a helping hand around the world. No, we didn’t get on a plane, but we did manage to help build a well in Malawi, plant 100,000 trees for global reforestation, and feed over 30,000 people in Canada. Here’s a look at some of the good we’ve put out into the world over the last year.
Hand-washing became – and continues to be – one of the strongest defenses against the spread of COVID-19. But while many of us were busy stockpiling toilet paper, yeast, and hand sanitizer, other communities were facing the very real danger of not having access to clean water.
Clean water is not only vital for good health, but it is also essential to live. We donated to charity: water to help bring clean water to Malawi. Our donation goes towards building a new well in the country to provide communities with potable water.
Anthony Marinos of charity: water said it best: “With this newfound access to clean and safe water, communities can improve health, increase education rates, empower women, and grow their local economies”.
As the pandemic took root, clean water wasn’t the only challenge impoverished communities faced – food insecurity grew in Canada by 39 percent. With a hard-hit economy and record unemployment, many Canadians were faced with the difficulty of consistently putting food on their table.
Enter FeedON, a team working to end poverty and hunger by supporting local communities and food banks. We contributed to FeedON’s mission and were able to provide over 30,000 healthy meals to children, adults, and seniors. At a time when people need help more than ever, we are proud to help combat food insecurity in Canada.
Eden Reforestation Projects is a nonprofit that helps reduce extreme poverty by employing local villagers at a fair wage to grow, plant, and guard forests. Combatting the effects of deforestation through tree-planting has the positive benefits of providing habitats for animals, controlling flooding and erosion, and replenishing soil with nutrients.
Eden Reforestation Projects has planted more than 443 million trees to date, and last year we were able to help plant over 100,000 trees in areas severely affected by deforestation. Eden Reforestation Projects is considered one of the most cost-effective reforestation projects in the world, and we’re excited about the work they’re doing to reduce poverty through reforestation.
Traditionally, in Canada and the United States, Thanksgiving is a holiday that invites people to reflect on what they are thankful for. In 2020 we decided to show our gratitude for groups contributing to their communities by helping support the work they do.
From October 12 - November 26, the time spanning between Canadian Thanksgiving and Thanksgiving in the United States, we pledged to donate $1 to charity for every 1Password family account created during that time frame.
Thank you to the over 66,500 people who signed up during that time – we’ll be donating $70,000 USD to our three chosen charities: Big Brothers Big Sisters of Canada, Food Banks Canada, and the Canadian Mental Health Association. Thank you to everyone who signed up during our campaign – you’ve really helped make a difference.
While donations are an important part of doing good, we also wanted to help protect those who are making significant, positive impacts in our world. The 1Password for Good initiative allows us to support nonprofit and non-governmental organizations, and individual families making remarkable contributions, by offering them a monthly discount or a completely free account.
One such organization is an international non-governmental relief agency that operates in nearly 100 countries worldwide, managing logistics and infrastructure on a massive scale.
“Like all large enterprises, we depend on a central directory for authentication and authorization, but unlike many other enterprises our work takes place in conflict-affected countries. We cannot stop operating if an office or entire country is isolated from the network – which happens a lot in our working environment. Thus, using 1Password is the best way for us to handle disaster recovery and emergency access to our resources when everything else is broken. Thanks to 1Password for Good we are able to continue our mission securely”.
– Joel Snyder
2020 was a difficult year for so many people, and we’re glad we’re in a position to be generous to a variety of causes.
Thank you to our chosen programs – charity: water, Eden Reforestation, FeedON, Big Brothers Big Sisters of Canada, Food Banks Canada, and the Canadian Mental Health Association – for the great work they do making the world a better place to live for everyone. If you’re in a position to do good, do good.
Today we’re publishing a new report which has some great insights into the state of online security, password use, and password sharing in the home.
It’s a must-read for anyone interested in improving their family’s online security, or with a professional interest in consumer-level security. Please feel free to download the report right away, but I did also want to take a moment to share a few highlights and thoughts.
Kicking off on a note of optimism, I’m personally delighted to see that, according to our survey, 40% of parents talk about online security with their preschool children. Yes, that number could be higher, but it still amounts to a huge number of parents talking about online safety with young children. The idea that 40% of little ones are budding security and privacy advocates is very heartening indeed.
Perhaps inevitably, though, points of concern do arise – particularly when we dig into the areas of password use and password sharing. One remarkable stat for me was that, of the people that have kept their first ever password for an online service, 12% cite nostalgia as the reason.
Now, we don’t recommend changing a perfectly good password for no reason, but I’m somewhat concerned that people may be clutching on to insecure passwords out of emotional attachment. If a password is short, non-random, or reused elsewhere, we can’t recommend changing it strongly enough.
I’d also like to highlight one of the insights we’ve seen into how passwords are shared inside of families. I say inside – turns out that, apparently, 55% of dads are OK with their kids sharing their video streaming password with friends.
We recommend password sharing, as long as it’s done securely. For things like family streaming media accounts it makes total sense, and we’ve built both 1Password Business and 1Password Families with the means to share passwords in a safe and controlled way. That said, we don’t recommend letting the kids WhatsApp your Netflix login to all and sundry.
The insights into working from home gave rise to further surprises. These include the insight that 51% of parents let their children access work accounts.
I hope the implications for data security don’t need to be explained, but one quote from a parent brings home why this can be a bad idea at a level we can all relate to: “Once my boy accessed my work laptop. He accidentally deleted my presentation”. And that’s the worst kind of deleted: the irretrievable, start all over again kind.
Please do take a look at the full report for many more data points on these and other areas. In particular, there’s a section on end-of-life planning I haven’t touched on here that tacitly poses some tough questions for the security and technology industries to grapple with.
And suffice to say our talented team of designers and illustrators have gone to town to create some charts for you to pore over. We created this report, in part, to stimulate conversation – so if there’s anything you’d like to discuss with us as a result, please do let us know. Happy reading! ☕️
Sign up for 1Password Families today and get your first 14 days free.
So…that was 2020, huh? Ouch. This past year, we witnessed a massive shift in how we live our daily lives — we moved to at-home work, and online everything. Now, more than ever, an emphasis must be placed on security.
But there’s more to it. As we introduce more layers of security to our lives, we need to be aware (and wary) of what comes with them.
As I wrote in a previous post, the most fundamental (also, very unofficial) security principle is to think backwards. How much do you know about the ‘security’ products in your home? That question came up in a discussion last week, and something else struck me.
People trust 1Password with everything.
They store their identities, access to their money, personal documents, and so much more in our product because they believe in us. That’s an honour and a privilege. It’s also a responsibility — one we don’t take lightly.
We’ve made a commitment to you, and part of that commitment is full transparency. So, with this From the Security Desk blog post, the team and I will reveal what we (don’t) know about you.
We don’t have access to anything you enter in 1Password. We do store what we’ve dubbed service data, which is used to provide you with our service, and to support you when needed.
When you sign up for 1Password, we ask for your name and email address. We like to know your name, so we know how to greet you, but the information you provide is entirely up to you. We use your email address to register and locate your account on the server. We can view the language in which you use 1Password, your account picture (look at that face!), the devices you use, and the names you’ve given those devices (some people get very creative).
We can see the type of account you have, when it was created, and when it was last accessed. We can view your subscription status and your payment method. And, as an identifier, we have the first eight non-secret characters of your Secret Key.
We can view the total number of vaults, items, and files in your account. We also log the IP address from which you access 1Password. The location information we store is restricted to a few employees, and only accessed when necessary.
The only thing we see about your 1Password usage comes in the form of Universally Unique Identifiers (UUIDs), which are generated completely at random. UUIDs contain no information about you, your device, your items, or anything else. I’ll provide a UUID from my account as an example:
We also believe everyone has equivalent rights to privacy, and honour all access requests to the personal information we’ve stored. These requests aren’t limited to EU citizens. If you want to see your own service data, reach out to us — it’s yours, after all.
Our commitment to you.
Your trust in us is paramount, and we cherish it. On behalf of every single one of us here at 1Password, thank you. We’re incredibly humbled and proud to be something you count on.
And, to 2021, you’ve got a (ridiculously) low bar to reach. Go ahead. Impress us.
When using the DuckDuckGo all-in-one privacy browser extension for desktop Firefox, Chrome, or Edge, or our own mobile browser for iOS and Android, one of the ways we protect your browsing is through our Smarter Encryption technology. It detects unencrypted (HTTP) connections to websites and automatically upgrades them to encrypted (HTTPS) connections when possible, keeping your personal data like your search terms, the exact pages you visit, and anything you type into a website private from possible network snoopers.
Today, we’re proud to announce another milestone bringing our best-in-class privacy protection technology to millions more people: The Electronic Frontier Foundation (EFF) is incorporating data from Smarter Encryption into their HTTPS Everywhere browser extension. EFF has been defending digital rights and privacy for over 30 years and Smarter Encryption itself was inspired by their pioneering work.
When Smarter Encryption launched, out of the gate it was far more comprehensive than similar technologies because it is automatically generated by crawling the web, and re-crawling continuously to ensure that users don't face any breakage when websites change. This automated process has enabled us to keep up with the growing number of websites adopting HTTPS solutions such as Let’s Encrypt (co-founded by EFF, Mozilla and University of Michigan) – something that has become increasingly difficult for maintainers of crowd-sourced approaches. On DuckDuckGo Search, for example, the full Smarter Encryption dataset derived from our automatic crawling now covers around 90% of all website clicks from search results.
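An added example (not DuckDuckGo's code) of the upgrade step in an HTTP-to-HTTPS upgrader of the Smarter Encryption kind. The host list a crawler would produce, hosts observed to serve the same content over HTTPS, is constructed here; unlisted hosts, private addresses and non-default ports are left alone, so a site without working TLS is not broken by the upgrade, and the crawler's feedback loop is modelled by `recordCrawlResult`.

```javascript
// Constructed stand-in for the crawler-generated list of hosts known to work over HTTPS.
const UPGRADABLE_HOSTS = new Set(["example.com", "www.example.com", "news.example.org"]);

// Never upgrade loopback, RFC 1918 addresses or .local names: they rarely have a
// valid certificate, so an upgrade would only produce breakage.
function isLocalHost(hostname) {
  return hostname === "localhost" || hostname.endsWith(".local") ||
    /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(hostname);
}

// Returns the upgraded URL string, or null when the request should be left as-is.
function upgradeUrl(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== "http:") return null;       // already https, or a non-web scheme
  const host = u.hostname.toLowerCase();
  if (isLocalHost(host) || !UPGRADABLE_HOSTS.has(host)) return null;
  if (u.port !== "") return null;                // explicit non-default port: a different service
  u.protocol = "https:";                         // path, query and fragment are preserved
  return u.toString();
}

// The re-crawl feedback loop: a host stays listed only while the latest crawl
// saw its HTTPS version serve the page properly. The crawl result is passed in.
function recordCrawlResult(host, httpsServesSameContent) {
  const h = host.toLowerCase();
  if (httpsServesSameContent) UPGRADABLE_HOSTS.add(h);
  else UPGRADABLE_HOSTS.delete(h);
}
```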
If you have the HTTPS Everywhere extension installed in your browser, you don’t need to do anything and shouldn't notice anything different other than seamlessly enjoying even greater encryption protection. You can of course also make use of the technology by using the DuckDuckGo app/extension or by simply starting your web searches on DuckDuckGo Search.
If you’d like to use the Smarter Encryption code or dataset yourself, non-commercial users are free to do so under the Creative Commons CC BY-NC-SA 4.0 license. For commercial use, please reach out directly to our Partnerships team.
“We're delighted that DuckDuckGo's Smarter Encryption is now available in HTTPS Everywhere. When we started the project, the vast majority of the internet was not protected. Now it is, and preserving and completing that work is vital for us all. There is no group better suited to do this than DuckDuckGo.”
– Jon Callas, EFF Director of Technology Projects
We think everyone deserves simple privacy protection, which is why we build privacy technology like Smarter Encryption and Tracker Radar, making it easy for people to take back their privacy without sacrifice. We’re delighted we are now more closely working with EFF to further this mission.
Note: Google recently announced their plan to use HTTPS by default in Chrome for direct navigation. That means it only affects website addresses (URLs) typed directly into the address bar that do not have an "http://" or "https://" prefix. It should not be confused with the greater protection Smarter Encryption provides, which covers all clicks and interactions as you browse the web, including clicks from social media, search engines, and other websites.
If you're a Google Chrome user, you might be surprised to learn that you could have been entered automatically into Google's new tracking method called Federated Learning of Cohorts (FLoC). It groups you based on your interests and demographics, derived from your browsing history, to enable creepy advertising and other content targeting without third-party cookies. After a short trial period, Google decided not to make this new tracking method a user choice and instead started automatically including millions in the scheme. If you're reading this in Chrome while logged in to a Google account, yes, that likely means you too, and if not now, then eventually.
Note that even if you change these settings, we also recommend installing the DuckDuckGo Chrome extension to get holistic privacy protection when using Chrome, including private search, tracker blocking, Smarter Encryption, and Global Privacy Control. For non-Chrome desktop browsers, you can get our extension here.
With browsers dropping support for third-party cookies, FLoC is Google's approach for replacing them. It's being developed in the open and is claimed by Google to be good for privacy. However, it has received widespread criticism from privacy experts, including from EFF who say it's a "terrible idea" and implored Google "please don't do this." We agree with their assessment, and, in a world where it does exist, it should be explicitly opt-in for users (free of dark patterns). In addition, while Google isn’t phasing out third-party cookies in Chrome until at least 2023, FLoC is already live today in 2021.
With FLoC, by simply browsing the web, you are automatically placed into a group based on your browsing history (“cohort”). Websites you visit will immediately be able to access this group FLoC ID and use it to target ads or content at you. It's like walking into a store where they already know all about you! In addition, while FLoC is purported to be more private because it is a group, combined with your IP address (which also gets automatically sent to websites) you can continue to be tracked easily as an individual.
Google itself maintains detailed profiles of users, built up over time from what they've learned about users (including through passive trackers lurking on most websites), but with FLoC they're now exposing your derived interests and demographics from this profile to the websites you visit via FLoC IDs. Although the cohorts you belong to over time are non-descriptive and represented by an anonymous-looking number, it won't be long before people or organizations work out what FLoC IDs really mean, e.g. what interests and demographic information they are likely correlated with.
But don't just take it from us. Google itself has said this new approach is at least 95% as effective as third-party cookie tracking, continuing the ability to target people based on age, gender, ethnicity, income, and many other factors. This targeting, regardless of how it's done, enables manipulation, discrimination, and filter bubbles that many people would like to avoid.
Please also note that FLoC IDs will also be accessible by third-party trackers lurking on websites. As we’ve explained recently, to protect yourself from these trackers, you need to stop them from loading in your browser, which is also accomplished by the DuckDuckGo extension and app.
Websites can take steps to protect the privacy of their users by opting out of FLoC, which would be applicable to all their visitors. It's done by simply sending the following Permissions-Policy HTTP response header:
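An added example (not DuckDuckGo's code) of sending and verifying that header from a Node.js application: the opt-out value is `Permissions-Policy: interest-cohort=()`, and the helpers below merge it into an existing policy without dropping other directives, and parse a response's headers to confirm the opt-out is in place. `applyFlocOptOut` is an assumed helper name that works with Node's `http.ServerResponse` or Express's `res`.

```javascript
// The directive that disables FLoC cohort calculation for every origin.
const FLOC_OPT_OUT_FEATURE = "interest-cohort";

// Parse "feature=(allowlist), feature2=*" into a Map of feature -> allowlist text.
// "()" means the feature is disabled for everyone.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  if (!value) return policy;
  for (const directive of value.split(",")) {
    const eq = directive.indexOf("=");
    if (eq === -1) continue;
    const feature = directive.slice(0, eq).trim().toLowerCase();
    const allowlist = directive.slice(eq + 1).trim();
    if (feature) policy.set(feature, allowlist);
  }
  return policy;
}

// Serialise the Map back into a header value, keeping directive order.
function serializePermissionsPolicy(policy) {
  return [...policy].map(([feature, allowlist]) => `${feature}=${allowlist}`).join(", ");
}

// Merge the opt-out into whatever policy the site already sends.
function withFlocOptOut(existingValue) {
  const policy = parsePermissionsPolicy(existingValue);
  policy.set(FLOC_OPT_OUT_FEATURE, "()");
  return serializePermissionsPolicy(policy);
}

// Verification: true only when the header is present and disables
// interest-cohort for all origins (e.g. "interest-cohort=(self)" is not an opt-out).
function isFlocOptedOut(headers) {
  const raw = headers["permissions-policy"] ?? headers["Permissions-Policy"];
  return parsePermissionsPolicy(raw).get(FLOC_OPT_OUT_FEATURE) === "()";
}

// Assumed helper: call before res.end() in a Node http or Express handler.
function applyFlocOptOut(res) {
  const current = res.getHeader("Permissions-Policy");
  res.setHeader("Permissions-Policy", withFlocOptOut(typeof current === "string" ? current : ""));
}
```

The header must be sent on every HTML document response, not only the front page, for the opt-out to cover the whole site.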
We're disappointed that, despite the many publicly voiced concerns with FLoC that have not yet been addressed, Google is already forcing FLoC upon users without explicitly asking them to opt in. We're nevertheless committed and will continue to do our part to deliver on our vision of raising the standard of trust online.
As yet another sign of how privacy is now completely mainstream, the major desktop browsers are stepping up their privacy promises. For example, you may have been hearing about how even Google’s Chrome browser is supposedly planning to eliminate “third-party cookies" by 2023, a move Apple’s Safari browser has already mostly carried out and Mozilla’s Firefox browser has partially made.
You may be wondering then, will eliminating third-party cookies and related developments completely prevent trackers that are lurking behind websites from getting your browsing history? Unfortunately, the answer is no. We know this is super confusing and would like to help you make sense of it all as well as help you actually block these invasive cross-site trackers!
The issue is that once such trackers are loaded in your browser, they have a ton of ways to track you beyond just third-party cookies (e.g., by another form of cookies called first-party cookies, by your IP address, and much, much more). And many of these mechanisms cannot be turned off because the browser needs them to properly function.
Blocking third-party cookies and related mechanisms does partially restrict cross-site trackers (which is a good thing for sure), but the reality is that as long as a tracker is still being loaded in your browser, it can definitely still track you — a bit less easily, but tracking is still tracking, and the most prevalent cross-site trackers (those from Google and Facebook) are certainly still tracking you. In this context, browser privacy tech that just restricts trackers after they have loaded is like using an umbrella in a hurricane: You’re still gonna get wet!
Therefore, to really stop a cross-site tracker, the kind that tries to track your activity from site to site, you have to prevent it from actually loading in your browser in the first place. This is a critical blocking feature that we provide in our all-in-one privacy browser extension for desktop Chrome, Firefox, Edge, and Safari, as well as in our own mobile browser for iOS and Android.
Blocking trackers from even loading also has major benefits beyond privacy: increased speed and less data usage. In our tests on a sample web page (WebMD.com), using our tracker blocking resulted in 66% fewer files loading, 34% less data transferred and, consequently, a 46% faster page load (see bottom section for details).
To sum up, to really stop trackers, you need to totally block them from loading in your browser — just placing restrictions on trackers after they load (like preventing them from using third-party cookies) won't cut it. That's the story in a nutshell, and below is more detail if you want to dig deeper, including how you can see it working in your own browser.
To dig in a bit further, let’s define a cross-site web tracker as anything that can load on a web page to track your web activity across sites, e.g., your browsing history. To do so, a cross-site web tracker has to do three things:
When you go to a website, it loads the web address (URL) at the top of the browser. What you may not realize, though, is that websites also ask your browser to load many more web addresses (URLs) in the background, and some of those are to third-party trackers. In Firefox (used in the images below), you can see this by going to Tools -> Web Developer -> Network, and then refreshing the page. (Other browsers have similar mechanisms, e.g., in Chrome you can do the same by going to View -> Developer -> Developer Tools, clicking on Network on the panel that comes up, and then refreshing the page.)
A visit to WebMD.com using the desktop versions of the major browsers with default settings actually results in hundreds of web requests! Many of those are images and code from WebMD itself to display what you see on screen, but among them is a web request to Google Analytics, the most prevalent cross-site tracker on the Internet, lurking behind 72% of the top 10K websites. (The second most prevalent tracker is Google Global Site Tag and third is Facebook Pixel.)
When your browser makes this web request to Google Analytics, it exposes your IP address in the process – the string of numbers that identifies your device on the Internet (e.g., 126.96.36.199). Your IP address alone can make a pretty effective tracking ID, especially in most desktop situations where it doesn't change frequently because both the device and Internet connection are stable. And embedded information within these types of requests can contain a lot more information about your activity along with other identifiers, which is often why URLs are so long!
In other words, third-party cookies are just one of many browser mechanisms available to trackers, but even without them trackers can still track you through many other methods, including via the information sent in the initial loading web request.
“However, we note that it is possible to circumvent blocks on third-party cookies, by asking advertisers and publishers to implement equivalent tracking code using first-party cookies.
(i) For instance, Google Analytics tags are currently implemented using first-party cookies. (See section above on Google Analytics, Floodlight, and Google Tag Manager.)
(ii) To take another example, Facebook Pixel collects data from non-Facebook properties which is used for Facebook’s advertising services, and websites can implement Facebook Pixel using first-party cookies. This means Facebook Pixel can work with browsers blocking third-party cookies.”
That is, the two most prevalent cross-site trackers aren't really constrained by current or upcoming default tracker restrictions. The report goes further saying that a world without third-party cookies in particular will likely strengthen Google and Facebook’s digital advertising duopoly. Fortunately, there is a way to effectively curtail invasive cross-site web trackers: By stopping them from loading in your browser in the first place.
To really stop cross-site web trackers, you need to totally block them from loading in your browser, as opposed to just restricting them after they load. That is the only way to stop the Google Analytics tracker, the Facebook pixel tracker, and hundreds of other trackers from stalking you across the Internet, including through your IP address. By doing so, your browser will then stop automatically sending any of your information to these trackers just by visiting an unrelated website, making it harder for them to use your browsing history for filter bubbles, creepy ads, and more.
To use another metaphor, regular privacy browser tech is like locking the back door of the house (third-party cookies) and a few windows (related restrictions) but leaving the front door wide open (IP address) along with the rest of the windows (many other forms of tracking, including first-party cookies). Google Analytics is doing just fine in this situation, as are most of the other major trackers. To stop these trackers effectively, you have to board up the whole house and not let them see inside at all. Here’s what that looks like with our browser extension and in our own browser:
We simply prevent the browser from allowing that initial tracker web request to even get off the ground. And, using our Tracker Radar technology, we are continually crawling the web ourselves to identify the universe of these requests. Our product vision is privacy, simplified, and so we block as many trackers as we can while simultaneously not breaking website functionality. This is of course a constant effort since trackers are continually changing.
As you might imagine, this is also a challenging technical problem. Without some additional privacy technology like we provide in our product, blocking some of these hidden trackers — like Google Analytics — can break some sites based on how tightly they’ve been integrated into website functionality. But we think a tracker blocker that doesn’t prevent the most prevalent hidden tracker from loading isn’t a credible tracker blocker (as Google Analytics is by far the most prevalent). We are now also starting to work on blocking initial requests of visible third-party content like video embeds, with more to come on that in a future post.
The result of using the DuckDuckGo app & extension on a web page is that potentially hundreds of behind-the-scenes tracker requests are blocked before they even load, meaning not just greater privacy but also additional benefits like less data transfer and faster load times. That's because so much of the data associated with a website nowadays is actually just for tracking you!
| | Browser-Only Average | Browser + DuckDuckGo Extension Average |
|---|---|---|
| Data Transferred (MB) | 8.1 | 5.4 |
| Page Load Time* (seconds) | 16.2 | 8.8 |
| Google Analytics Tracker | Allowed to load | Blocked from loading |
| Facebook Pixel Tracker | Allowed to load | Blocked from loading |
* Page load time measured using the loadEventEnd property.
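The blocking decision described above (drop a cross-site tracker request before it is ever sent, rather than restricting it after it loads) and the data-savings accounting behind the table can be made concrete with a small simulation. This is an added example, not DuckDuckGo's extension or Tracker Radar code: the tracker list, the page URL, the request log and its byte counts are all constructed for the demo, and the "last two labels of the hostname" rule for deciding what counts as the same site is a deliberate simplification of what a real blocker does with the Public Suffix List.

```javascript
// Added example (not DuckDuckGo's code): decide, before a request leaves the
// browser, whether it is a cross-site tracker request, and tally what blocking
// saves. Tracker list and request log are constructed for this demo.

const TRACKER_DOMAINS = new Set([
  "google-analytics.com",
  "googletagmanager.com",
  "facebook.net",
]);

// Simplified "same site" rule: the last two labels of the hostname.
// Assumption for the demo; real blockers consult the Public Suffix List so that
// e.g. "example.co.uk" is handled correctly.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

function isThirdParty(requestUrl, pageUrl) {
  return siteOf(new URL(requestUrl).hostname) !== siteOf(new URL(pageUrl).hostname);
}

function isTracker(requestUrl) {
  return TRACKER_DOMAINS.has(siteOf(new URL(requestUrl).hostname));
}

// A request is dropped only if it is third-party relative to the page AND on
// the tracker list. A tracker domain's own site visited directly is first-party
// and is not blocked, which is the edge case isThirdParty exists for.
function shouldBlock(requestUrl, pageUrl) {
  return isThirdParty(requestUrl, pageUrl) && isTracker(requestUrl);
}

// Replay a page load over a request log; each entry is { url, bytes }.
// Blocked requests never reach the network, so their bytes are never fetched.
function simulateLoad(pageUrl, requests) {
  const r = { allowed: 0, blocked: 0, bytesAllowed: 0, bytesBlocked: 0, blockedHosts: [] };
  for (const { url, bytes } of requests) {
    if (shouldBlock(url, pageUrl)) {
      r.blocked += 1;
      r.bytesBlocked += bytes;
      r.blockedHosts.push(new URL(url).hostname);
    } else {
      r.allowed += 1;
      r.bytesAllowed += bytes;
    }
  }
  const total = r.bytesAllowed + r.bytesBlocked;
  r.savedPercent = total === 0 ? 0 : Math.round((100 * r.bytesBlocked) / total);
  return r;
}

// Constructed request log for a hypothetical article page (byte counts invented).
const PAGE = "https://news.example.com/article/123";
const SAMPLE_REQUESTS = [
  { url: "https://news.example.com/article/123", bytes: 48000 },        // first-party HTML
  { url: "https://static.news.example.com/app.js", bytes: 120000 },     // first-party script
  { url: "https://cdn.example-images.net/hero.jpg", bytes: 300000 },    // third-party, not a tracker
  { url: "https://www.google-analytics.com/analytics.js", bytes: 49000 },
  { url: "https://www.google-analytics.com/collect?v=1&cid=constructed", bytes: 35 },
  { url: "https://connect.facebook.net/en_US/fbevents.js", bytes: 90000 },
  { url: "https://www.googletagmanager.com/gtag/js?id=G-CONSTRUCTED", bytes: 80000 },
];

console.log(JSON.stringify(simulateLoad(PAGE, SAMPLE_REQUESTS), null, 2));
```

Note that the tiny `collect?...` beacon is blocked even though it costs almost nothing in bytes: the value of blocking it is that the IP address and the identifiers in its URL never leave the browser, which no amount of post-load cookie restriction achieves.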
While Google, Facebook, and others work hard to have their trackers get around browser roadblocks in pursuit of your data, we provide the tool to really push back without changing how you use the Internet. For everyone who’s had enough: the DuckDuckGo app & extension lets you take back your online privacy now.
Note: Google recently announced how they plan to replace third-party cookies. It's of course bad for privacy too, but the tracker blocking technology in our app & extension should continue to be effective at preventing trackers from receiving this new tracking information (along with your IP address) by still preventing them from loading in the first place.
At DuckDuckGo, we believe that everyone deserves simple online privacy protection. That’s why we pack our DuckDuckGo mobile apps and browser extensions with so much to keep you private online, including best-in-class tracker blocking, private search, and Smarter Encryption. It's also why, just a few months ago, we announced being a founding member of a new standards effort called Global Privacy Control (GPC), which is a browser or device setting that, when enabled, signals to all visited websites a preference for privacy.
While we already block most tracking while browsing, we believe GPC will ultimately provide additional legal protection in certain jurisdictions for situations where websites might otherwise sell or share your data with other companies that may profit or benefit from it (such as selling data you give them to advertisers or data brokers after your visit).
We’re also thrilled to announce that several major publishers, including The New York Times, The Washington Post and Automattic (makers of WordPress), have committed to implementing GPC, and the New York Times has already done so.
More broadly, we believe GPC can be a legally binding invocation of your opt-out rights under the California Consumer Privacy Act (CCPA), and potentially other rights in other jurisdictions such as the EU under the General Data Protection Regulation (GDPR). That means if you download the latest version of the DuckDuckGo app or extension and visit The New York Times from certain regions including California, Europe, Brazil, UAE, and Bermuda, you will have automatically invoked these opt-out rights, and they will take action accordingly (e.g., see the NYT Privacy FAQ).
The initial impetus for GPC came from CCPA requiring businesses to respect browser settings that allow consumers to opt out of the "sale" of their personal data (with "sale" broadly defined as value exchange). Under the CCPA Final Statement of Reasons - Appendix E #73, California Attorney General Xavier Becerra explicitly stated that consumers can exercise their privacy rights by utilizing privacy-by-design products:
"The consumer exercises their choice by affirmatively choosing the privacy control […] including when utilizing privacy-by-design products or services"
DuckDuckGo is certainly a privacy-by-design product. By simply installing our app or extension, you are expressing your preference for privacy, without needing to fiddle with additional settings to further confirm this preference. We are private by default. So, it follows that GPC would be enabled by default along with all of our other privacy features like tracker blocking, private search, and Smarter Encryption.
Simply download and use the DuckDuckGo Privacy Browser from Google Play, or update to version 5.73.0 or newer. You can check the version number by pressing the menu icon (three dots) at the top right of the app, selecting "Settings" and scrolling to the bottom.
Simply download and use the DuckDuckGo Privacy Browser from the Apple App Store, or update to version 7.61.11 or newer. You can check the version number by pressing the menu icon (three dots) at the top right of the app, selecting "Settings" and scrolling to the bottom.
Simply download and use DuckDuckGo Privacy Essentials for Chrome, Firefox, Brave or Microsoft Edge (Safari is not supported at this time), or update to version 2021.1.8 or newer. You can check the version number by right-clicking on the DuckDuckGo extension icon in your browser's toolbar and selecting "Manage extensions".
Once installed, you can test whether GPC is working by going to globalprivacycontrol.org and checking that you see "GPC signal detected" at the top of the webpage.
This is the eighth in our series of posts about search preference menus.
Today we are requesting a trilateral meeting among Google, the European Commission, and alternative search engines to improve the search preference menu displayed to consumers when they activate Android phones in the European Union. We have conducted extensive research on flaws in this preference menu and believe our insights can ensure Google and the European Commission implement an effective remedy to correct Google's anticompetitive conduct as established in the Commission's Android case.
October 27, 2020
RE: Request for Trilateral Meeting among Google, the European Commission, and Alternative Search Engines to Improve Search Preference Menu
(Google Android 40099)
Dear Executive Vice President Vestager,
We are companies operating search engines that compete against Google. As you know, we are deeply dissatisfied with the so-called remedy created by Google to address the adverse effects of its anticompetitive conduct in the Android case. We understand that Google regularly updates you regarding its pay-to-play auction, but it appears that you may not be receiving complete or accurate information.
We are writing to request a trilateral meeting with your office, ourselves, and Google, with the goal of establishing an effective preference menu. Our respective designees could work in advance to create a tight agenda for this meeting to ensure it is productive and collaborative.
We are heartfelt supporters of the Commission's ambition to remediate entrenched Google competition harms. We are asking to put these intentions into practice now, making full use of your existing tools.
Thank you in advance for your consideration.
You can download the PDF version of this letter here. (Note: Currently waiting for upload)
This is the seventh in our series of posts about search preference menus.
Dear Google, one of the most repeated lines you’ve used to fend off antitrust inquiries is to say search competition is “only one click away.” The recent House Antitrust Subcommittee report notes that “in an internal presentation about [Microsoft] Internet Explorer’s default search selection, Google recommended that users be given an initial opportunity to select a search engine and that browsers minimize the steps required to change the default search provider.” Finally, something we can agree on!
So, Google, given that you’ve often said competition is one click away, and you’re aware a complicated process suppresses competition, why does it take fifteen+ clicks to make DuckDuckGo Search or any other alternative the default on Android devices? Google search is made the default on Android devices in two ways, through the home screen search bar and default browser. Here is how someone can change both:
Now you need to either make DuckDuckGo your default browser or make DuckDuckGo your default search engine in your preferred browser. It takes a similar number of steps either way, but we'll do the former since it is much better for privacy.
This long process puts unnecessary roadblocks in the way of people getting to use the service they want. Right now there is no global device search setting on Android, which is why this is so many steps. However, it doesn’t have to be this way. Switching default search engines can and should be one click via a properly designed search preference menu that users see automatically on device setup and can be sent back to in Settings (also in one click).
Given your stance on one-click competition, Google, will you commit to allowing consumers to select their preferred search engine in one click?
Consumers are fed up with dark patterns and other technology abuses. Study after study shows the vast majority of people want more privacy online, and at least 20% of people would pick a search engine other than Google if presented with the above search preference menu. Google, please stop using your dominance in a non-search market (e.g., via Android and Chrome) to further your dominance in the search market, and let consumers pick their default search engine in actually only one click.
We've been providing users with mapping features within DuckDuckGo Search for many years, along the way improving them with greater accuracy, dark mode, local re-querying and more. Now we're excited to announce a big step forward with the introduction of directions – private, as always, and like our embedded maps, powered by Apple's MapKit JS framework and already familiar to millions of users.
You'll now see a new addition to location and map search results that will help you plan trips by showing you a route overview, distance and travel time. Look out for it both at the top of search results that display a map, as well as within our expanded map module. Let's see an example of the latter…
Route planning was a missing piece in DuckDuckGo Search. Integrating it means our maps now have the functionality you expect with the privacy you deserve, with no trade-offs.
We believe online privacy should be simple and accessible to everyone, period. With the introduction of privacy regulations worldwide, consumers are gaining more rights to limit the sale and sharing of their personal data. While this is a great idea in theory, it doesn't amount to much if it is hard for consumers to take advantage of their rights.
At present, consumers must invoke most all online privacy rights manually, website by website. That's why we're proud to be a founding member of a new effort to create a simple browser-oriented setting for users to more easily express their preference for privacy, called Global Privacy Control (GPC). With this setting, users can enable it once, and then the browser will express their preference for privacy to every website they visit. We've been working with other organizations to define a technical specification for GPC that we hope becomes a widely-adopted standard.
Starting today, using the current technical specification, we are launching GPC in an initial experimental phase within our mobile DuckDuckGo Privacy Browser (for iOS/Android) and within our desktop DuckDuckGo Privacy Essentials browser extension (for Firefox/Chrome), making this new setting available to over ten million consumers.
Browser settings such as "Do Not Track" have been available in the past, but most websites were not designed to recognize or respond to users' preferences, and they were not legally required to do so. For many years DuckDuckGo has advocated for laws worldwide that would bring legal teeth to browser privacy settings like Do Not Track, going so far as to even draft our own legislation. Thankfully, the California Consumer Privacy Act (CCPA) is now leading the way here, requiring businesses to respect browser settings that allow consumers to opt out of the sale of their personal data. In his recent US Senate testimony, California Attorney General Xavier Becerra explained:
One provision of our regulations intended to facilitate the submission of a request to opt out of sale by requiring businesses to comply when a consumer has enabled a global privacy control at the device or browser level, which should be less time-consuming and burdensome. I urge the technology community to develop consumer-friendly controls to make exercise of the right to opt out of the sale of information meaningful and frictionless.
We are excited to be part of the answer to AG Becerra's call to action by offering consumers GPC as a means to invoke their CCPA “do not sell” rights across multiple websites. Although currently CCPA rights are only available to California residents, certain companies such as Microsoft have committed to extend this right to all US residents. And at the same time, we also intend to work with data protection authorities in other countries to help ensure GPC is legally binding in more jurisdictions, such as in the EU where the General Data Protection Regulation (GDPR) is in force.
In this initial experimental phase for GPC, you can participate by downloading our mobile app and desktop browser extension, and then enable GPC in Settings (see instructions below). Once enabled, we will send the “do not sell or share” GPC signal on your behalf to every website you visit. Then, when you visit early-adopting sites like The New York Times (while using our app or extension), those sites will accept the signal and respect your preference for more privacy.
We expect more commitments will follow from other organizations that will either send or respect the GPC signal. However, since Global Privacy Control (GPC) is a new standards effort, most websites won't recognize it yet. Currently websites are only required to act on the signal to the extent applicable laws compel them to do so.
Once installed, you can test whether the GPC setting is working by going to https://global-privacy-control.glitch.me/ and checking the "Client-side detection" section.
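Both GPC posts above describe the signal from the sender's side: the app or extension sends "do not sell or share" to every site, and early adopters accept it. What that acceptance looks like on the receiving end is shown below as an added example; it is neither DuckDuckGo's code nor the GPC specification's reference implementation. The header name `Sec-GPC`, its affirmative value `1`, the `navigator.globalPrivacyControl` property and the `/.well-known/gpc.json` resource are taken from the GPC specification; the request handler, the policy object, the date in the well-known file and the sample requests are constructed for the demo.

```javascript
// Added example (not DuckDuckGo's code, not the GPC reference implementation):
// how a website detects and honors the Global Privacy Control signal.

// Node lowercases incoming header names; callers passing their own header
// objects should do the same.
function gpcOptOutRequested(headers) {
  // The spec defines exactly one affirmative value. Anything else (absent,
  // "0", "true") is treated as "no signal", never as consent to sell/share.
  return headers["sec-gpc"] === "1";
}

// Client-side equivalent, given a navigator-like object
// (in a real page: gpcEnabledInBrowser(window.navigator)).
function gpcEnabledInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Translate the signal into the decisions the rest of the site must respect
// before loading ad-tech tags or passing data to partners.
function policyFor(headers) {
  const optOut = gpcOptOutRequested(headers);
  return {
    sellOrSharePersonalData: !optOut,
    loadThirdPartyAdTags: !optOut,
    reason: optOut
      ? "Sec-GPC: 1 received; honoring as a do-not-sell/share request"
      : "no GPC signal present",
  };
}

// Body of /.well-known/gpc.json, which tells visitors the site honors GPC.
// The date is a constructed placeholder for when the site's policy last changed.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Minimal request handler. It returns { status, headers, body } instead of
// writing to a socket so it can be exercised without a network; wiring it to
// http.createServer means copying those three fields onto the response.
function handleRequest(path, headers) {
  if (path === "/.well-known/gpc.json") {
    return {
      status: 200,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(gpcWellKnown("2021-01-01")), // constructed date
    };
  }
  const policy = policyFor(headers);
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      // The response differs by signal, so shared caches must key on the header
      // or a GPC user could be served the non-GPC variant (and vice versa).
      Vary: "Sec-GPC",
    },
    body: JSON.stringify(policy),
  };
}

// Constructed sample: the same page requested with and without the signal.
console.log(handleRequest("/article", { "sec-gpc": "1" }).body);
console.log(handleRequest("/article", {}).body);
```

The `Vary: Sec-GPC` response header is the detail most often missed in practice: without it, a CDN or proxy can cache the page rendered for a visitor who did not send the signal and replay it, third-party tags included, to one who did.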
This is the sixth in our series of posts about search preference menus.
An Antitrust Remedy that Hurts Competition
As explained in this series, we believe search preference menus — ones that change all search defaults and include the most common Google alternatives — can enable consumers to easily express their search preferences and significantly increase competition in the search market. Our most recent large-sample user testing shows that when a search preference menu is designed properly, Google’s mobile search market share could immediately drop by around 20% (with potentially greater shifts in market share over time).
However, Google’s current search preference menu in the EU is not properly designed, evidenced by the just released Q4 2020 auction results, listing which search engines will appear on the menu. DuckDuckGo, despite being the Google alternative that consumers most want to select, will no longer appear in most countries. As a result, many EU residents buying a new Android device will no longer have an easy way to adopt a private search engine.
The central problem with Google’s search preference menu is that it is a pay-to-play auction in which only the highest bidders are on the menu. This auction format incentivizes bidders to bid what they can expect to profit per user selection. The long-term result is that the participating Google alternatives must give most of their preference menu profits to Google! Google’s auction further incentivizes search engines to be worse on privacy, to increase ads, and to not donate to good causes, because, if they do those things, then they could afford to bid higher.
Why Was DuckDuckGo Eliminated?
Despite DuckDuckGo being robustly profitable since 2014, we have been priced out of this auction because we choose to not maximize our profits by exploiting our users. In practical terms, this means our commitment to privacy and a cleaner search experience translates into less money per search. This means we must bid less relative to other, profit-maximizing companies.
We predicted this outcome but chose to participate as long as we could, since offering consumers an easy way to get simple privacy protection is more important than a boycott. We weren’t eliminated sooner for two reasons. First, prices were temporarily depressed because there were fewer bidders: we believe not all eligible companies submitted the initial paperwork on time to participate in early rounds. Second, we didn't have adequate data on auction outcomes and how they impacted our business until this round. With this information, we bid what is long-term sustainable, and we were eliminated.
How to Make a Preference Menu that Works
There is a better way. Our series of posts on search preference menus explains in detail how to design one that actually empowers consumers and increases search competition. In our proposal, there is no auction. Alternative search engines with the most market share in each market are shown on the first screen, randomly ordered. The remaining alternative search engines are available by scrolling, also randomly ordered.
Our research shows that such a preference menu can be a great remedy. The European Commission should take action now and require Google to overhaul its preference menu design. The current remedy is not a remedy at all – it is fundamentally rigged by Google to benefit Google. The Commission has said they have been waiting on data to act: such data is now available. To expedite this process, we are sending the Commission our data that demonstrates exactly how the current process inevitably eliminates DuckDuckGo.
There's big news today for iPhone and iPad users tired of the constant tracking, ad targeting and manipulation when using the Internet: iOS 14 now allows you to set certain browsers as the default browser (other than Safari), and DuckDuckGo Privacy Browser is now an officially approved default browser.
The DuckDuckGo app is a fully featured web browser and search app, packed with best-in-class privacy technology. It:
You should know that "Incognito Mode" isn’t actually private. Our goal with DuckDuckGo Privacy Browser is to allow you to be private by default, all the time, without sacrifice. That's why our apps and extensions get downloaded over 100,000 times a day. After you install DuckDuckGo Privacy Browser, here's how you can now make it the default browser in iOS 14:
Once set, any web links you click in other apps (e.g., Mail, Messages, etc.) will open in DuckDuckGo Privacy Browser, keeping your online activity private, as it should be.
Also new in iOS 14, our browser provides home screen search widgets that allow you to search privately right from your home screen. Here's how to get that set up:
By letting users set up their devices such that DuckDuckGo Privacy Browser is at their fingertips, iOS 14 is making best-in-class privacy protection more accessible. And that's the way privacy should be – simple, on by default, and available to all.
Microsoft today released fixes to plug at least 55 security holes in its Windows operating systems and other software. Four of these weaknesses can be exploited by malware and malcontents to seize complete, remote control over vulnerable systems without any help from users. On deck this month are patches to quash a wormable flaw, a creepy wireless bug, and yet another reason to call for the death of Microsoft’s Internet Explorer (IE) web browser.
While May brings about half the normal volume of updates from Microsoft, there are some notable weaknesses that deserve prompt attention, particularly from enterprises. By all accounts, the most pressing priority this month is CVE-2021-31166, a Windows 10 and Windows Server flaw which allows an unauthenticated attacker to remotely execute malicious code at the operating system level. With this weakness, an attacker could compromise a host simply by sending it a specially-crafted packet of data.
“That makes this bug wormable, with even Microsoft calling that out in their write-up,” said Dustin Childs, with Trend Micro’s ZDI program. “Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.”
Kevin Breen from Immersive Labs said the fact that this one is just 0.2 points away from a perfect 10 CVSS score should be enough to identify just how important it is to patch.
“For ransomware operators, this kind of vulnerability is a prime target for exploitation,” Breen said. “Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it’s even more appealing for attackers, and any organization using HTTP.sys protocol stack should prioritize this patch.”
Breen also called attention to CVE-2021-26419 — a vulnerability in Internet Explorer 11 — to make the case for why IE needs to stand for “Internet Exploder.” To trigger this vulnerability, a user would have to visit a site that is controlled by the attacker, although Microsoft also recognizes that it could be triggered by embedding ActiveX controls in Office Documents.
“IE needs to die – and I’m not the only one that thinks so,” Breen said. “If you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.”
Another curious bug fixed this month is CVE-2020-24587, described as a “Windows Wireless Networking Information Disclosure Vulnerability.” ZDI’s Childs said this one has the potential to be pretty damaging.
“This patch fixes a vulnerability that could allow an attacker to disclose the contents of encrypted wireless packets on an affected system,” he said. “It’s not clear what the range on such an attack would be, but you should assume some proximity is needed. You’ll also note this CVE is from 2020, which could indicate Microsoft has been working on this fix for some time.”
Microsoft also patched four more security holes in its Exchange Server corporate email platform, which recently was besieged by attacks on four other zero-day Exchange flaws that resulted in hundreds of thousands of servers worldwide getting hacked. One of the bugs is credited to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March.
“While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible,” said Satnam Narang, staff research engineer at Tenable.
As always, it’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any kinks in the new armor.
But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.
So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.
If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here’s a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue.
New York City-based cyber intelligence firm Flashpoint said its analysts assess with a moderate-strong degree of confidence that the attack was not intended to damage national infrastructure and was simply associated with a target which had the finances to support a large payment.
“This would be consistent with DarkSide’s earlier activities, which included several ‘big game hunting’ attacks, whereby attackers target an organization that likely possesses the financial means to pay the ransom demanded by the attackers,” Flashpoint observed.
In response to public attention to the Colonial Pipeline attack, the DarkSide group sought to play down fears about widespread infrastructure attacks going forward.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.
Like other ransomware platforms, DarkSide adheres to the current bad-guy best practice of double extortion: demanding two separate payments, one for the decryption key needed to unlock files and servers, and another in exchange for a promise to destroy any data stolen from the victim.
At its launch, DarkSide sought to woo affiliates from competing ransomware programs by advertising a victim data leak site that gets “stable visits and media coverage,” as well as the ability to publish victim data by stages. Under the “Why choose us?” heading of the ransomware program thread, the admin answers:
“High trust level of our targets. They pay us and know that they’re going to receive decryption tools. They also know that we download data. A lot of data. That’s why the percent of our victims who pay the ransom is so high and it takes so little time to negotiate.”
In late March, DarkSide introduced a “call service” innovation that was integrated into the affiliate’s management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.
In mid-April the ransomware program announced new capability for affiliates to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.
DarkSide also has advertised a willingness to sell information about upcoming victims before their stolen information is published on the DarkSide victim shaming blog, so that enterprising investment scammers can short the company’s stock in advance of the news.
“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges,” DarkSide explains. “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
DarkSide also started recruiting new affiliates again last month — mainly seeking network penetration testers who can help turn a single compromised computer into a full-on data breach and ransomware incident.
“We have grown significantly in terms of the client base and in comparison to other projects (judging by the analysis of publicly available information), so we are ready to grow our team and a number of our affiliates in two fields,” DarkSide explained. The advertisement continued:
“Network penetration testing. We’re looking for one person or a team. We’ll adapt you to the work environment and provide work. High profit cuts, ability to target networks that you can’t handle on your own. New experience and stable income. When you use our product and the ransom is paid, we guarantee fair distribution of the funds. A panel for monitoring results for your target. We only accept networks where you intend to run our payload.”
DarkSide has shown itself to be fairly ruthless with victim companies that have deep pockets, but they can be reasoned with. Cybersecurity intelligence firm Intel 471 observed a negotiation between the DarkSide crew and a $15 billion U.S. victim company that was hit with a $30 million ransom demand in January 2021, and in this incident the victim’s efforts at negotiating a lower payment ultimately reduced the ransom demand by almost two-thirds.
The first exchange between DarkSide and the victim involved the usual back-and-forth establishing of trust, wherein the victim asks for assurances that stolen data will be deleted after payment.
When the victim counter-offered to pay just $2.25 million, DarkSide responded with a lengthy, derisive reply, ultimately agreeing to lower the ransom demand to $28.7 million.
“The timer it [sic] ticking and in in next 8 hours your price tag will go up to $60 million,” the crooks replied. “So, you this are your options first take our generous offer and pay to us $28,750 million US or invest some monies in quantum computing to expedite a decryption process.”
The victim complains that negotiations haven’t moved the price much, but DarkSide countered that the company can easily afford the payout. “I don’t think so,” they wrote. “You aren’t poor and aren’t children if you f*cked up you have to meet the consequences.”
The victim firm replies a day later saying they’ve gotten authority to pay $4.75 million, and their tormentors agree to lower the demand significantly to $12 million.
The victim replies that this is still a huge amount, and it tries to secure additional assurances from the ransomware group if it agrees to pay the $12 million, such as an agreement not to target the company ever again, or give anyone access to its stolen data. The victim also tried to get the attackers to hand over a decryption key before paying the full ransom demand.
The crime gang responded that its own rules prohibit it from giving away a decryption key before full payment is made, but they agree to the rest of the terms.
The victim firm agrees to pay an $11 million ransom, and their extortionists concur and promise not to attack or help anyone else attack the company’s network going forward.
Flashpoint assesses that at least some of the criminals behind DarkSide hail from another ransomware outfit called “REvil,” a.k.a. “Sodinokibi” (although Flashpoint rates this finding at only “moderate” confidence). REvil is widely considered to be the newer name for GandCrab, a ransomware-as-a-service offering that closed up shop in 2019 after bragging that it had extorted more than $2 billion.
Experts say ransomware attacks will continue to grow in sophistication, frequency and cost unless something is done to disrupt the ability of crooks to get paid for such crimes. According to a report late last year from Coveware, the average ransomware payment in the third quarter of 2020 was $233,817, up 31 percent from the second quarter of last year. Security firm Emsisoft found that almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.
Last month, a group of tech industry heavyweights lent their imprimatur to a task force that delivered an 81-page report to the Biden administration on ways to stymie the ransomware industry. Among many other recommendations, the report urged the White House to make finding, frustrating and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.
Further reading: Intel 471’s take on the Colonial Pipeline attack.
How much is your payroll data worth? Probably a lot more than you think. One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work.
New York-based Argyle.com says it’s building a platform where people who work multiple jobs and/or side hustles can improve their credit and employment options by pooling all of their gig work data in one place.
“Consumers’ access to financial security and upward mobility is dependent on their access to and control over their own employment records and how easily they can share those records with financial institutions,” Argyle explained in a May 3 blog post. “We enable access to a dataset that, for too long, has gone unstandardized, unregulated, and controlled by corporations instead of consumers, contributing to system-wide inequalities.”
In that sense, Argyle is making a play for a discrete chunk of a much larger employment data market dominated by the major credit bureaus, which have been hoovering up and selling access to employment data for years.
The 800-lb. gorilla there is Equifax, whose The Work Number product has for years purchased employment data flows from some of the world’s largest companies (employees consent to this sharing as part of their employment contract, and The Work Number makes it fairly easy for anyone to learn how much you earn).
The Work Number is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. It also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.
On its blog, Argyle imagines a world in which companies choose to integrate its application programming interface (API) and share their employee payroll data. At the same time, the company appears to be part of an effort in which non-salaried workers are prompted to repay their erstwhile employers’ trust by selling payroll credentials.
If Argyle is worried these two goals might somehow conflict, that is not obvious by looking at some of its direct-to-consumer efforts.
The website pictured below prompts visitors to “connect payroll,” and those who proceed agree to have their payroll data shared with a company called Earnin, a mobile payday loan app that lets users get an advance on their upcoming paycheck.
Clicking “Connect Payroll” brings up a list of payroll login pages for brand name companies, including Walmart, Starbucks, Amazon, Uber, Chipotle, etc., with a search feature that reveals login pages for everyone from the Federal Bureau of Investigation (FBI) to the Federal Reserve and Federal Trade Commission (FTC).
Here’s what comes up when you search by “Department of” at this site:
Drilling down into individual companies listed here produces a username and password form that in some cases is modified to request an employee identifier other than a username, such as an employee ID, associate number or partner number. Here’s the login page for Starbucks employees:
The site pictured above actively checks if any submitted credentials are working, by submitting them directly to the employer in question. This Argyle status page indicates the system’s “data connection status” to countless employers.
Some of you may be thinking, “How many of us actually know or have our payroll passwords?” According to Argyle, plenty of people do.
“At Argyle, we are intimately familiar with how likely someone is to know the password for their employment account or payroll system, because we’ve seen hundreds of thousands of users successfully (and unsuccessfully) provide their credentials,” Argyle’s Billy Mardsen wrote on Apr. 1. “We closely monitor their success rate—what we call conversion—because it drives the performance of the products and applications that our clients build on top of Argyle.”
KrebsOnSecurity first heard about this company via Twitter from security researcher Kevin Beaumont, who pointed to a nest of domains associated with Argyle’s API — nearly all of which are offline now. At the time, Beaumont and others digging into this suspected the sites were part of an elaborate phishing scam.
These sites, which seemed to be grouped around a recent recruitment effort variously called “Workers United,” “UniteAtWork,” “WageCompete” and “CommonGrounds,” indicate that Argyle’s platform has been pivotal in a slew of campaigns paying employees at specific companies up to $100 for their payroll account passwords. Here’s one seeking T-Mobile employees:
Another recent promotion targeted employees at J.P. Morgan Chase, the largest financial institution in the United States:
Argyle declined multiple interview requests for this story, so it’s not clear how much of a role — if any — the company may have played in these various sites. But code prebuilds and instructions published in the company’s name on Github strongly suggest Argyle was instrumental in the WageCompete initiative.
Also, this page over at Scopeinc.com says the WageCompete program is provided by Argyle Expert Services.
Here’s a graphical look at the various websites mentioned here and their ties to Argyle’s API (click to enlarge):
One of the sites in that graphic above that’s connected to Argyle’s API — workerresearchalliances[.]com — is currently live and includes the same verbiage about participants getting paid for their payroll credentials. The terms and conditions of the “WorkersApp beta program” were set by a company called Workers Research Alliances LLC, incorporated in February. The address for Workers Research Alliances is just a few blocks from Argyle’s office in New York City.
Steve Friedl, an IT consultant in the payroll service bureau industry, said it appears Argyle has been paying people to help them refine their API and data scraping technology.
“They are not paying this money just to be able to sell people services, they are doing so to maintain their screen-scraping software API,” Friedl said. “This is essentially paying employees to help Argyle hack their payroll provider.”
Last fall Argyle announced it had landed a $20 million investment from Bain Capital, among others. The company’s co-founder, Shmulik Fishman, is described as a “disruptor” who says he wants to make credit scores obsolete.
“We’re fearless,” Fishman told Authority Magazine. “We do things other people dare not do.”
That much is clear. Hey, I can get behind almost anything that disintermediates the creaky old credit bureaus in a straightforward and consumer-friendly way. And the last time I checked, it’s not against the law to give someone your password, or to induce someone to do so willingly in exchange for something else (unless maybe you work for a federal agency).
But I wonder how many of the companies listed on all these payroll connect sites will respond to knowing their brands and logos are associated with a site that asks their employees to give away passwords.
KrebsOnSecurity contacted multiple high-level sources at major companies whose login pages are shown in these payroll connect programs running on Argyle’s platform. None of those sources were authorized to talk to the media, but all seemed fairly horrified at what they were seeing, and each said their employer’s legal departments were launching their own investigations.
Beaumont said he’s worried that in some companies, an employee’s payroll credentials may work to gain access to other parts of the organization — meaning some employees may be giving away more than they realize.
“My concern is some companies use single sign-on for payroll,” Beaumont said. “That’s a lot of access for a data harvesting company.”
John Bernard, a pseudonym used by a convicted thief and con artist named John Clifton Davies who’s fleeced dozens of technology startups out of an estimated $30 million, appears to have reinvented himself again after being exposed in a recent investigative series published here. Sources tell KrebsOnSecurity that Davies/Bernard is now posing as John Cavendish and head of a new “private office” called Hempton Business Management LLP.
John Davies is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India.
Davies’ fraud convictions stemmed from a series of U.K. companies he set up supposedly to help troubled companies reorganize their debt and turn things around. Davies ended up looting what little money his clients had left and spending it on lavish cars, home furnishings, vacations and luxury watches.
In a three-part series published last year, KrebsOnSecurity exposed how Davies — wanted by authorities in the U.K. — had fled the country, taken on the surname Bernard, remarried, and moved to his new (and fourth) wife’s hometown in Ukraine.
After eluding justice in the U.K., Davies reinvented himself as The Private Office of John Bernard, pretending to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking private equity investment opportunities.
In case after case, Bernard would promise to invest millions in hi-tech startups, only to insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.
Bernard found a constant stream of new marks by offering extraordinarily generous finders fees to investment brokers who could introduce him to companies seeking an infusion of cash. Inside Knowledge and The Private Office both closed up shop not long after their exploits were detailed here late last year.
But it appears Davies has just assumed a new name. KrebsOnSecurity recently heard from an investment broker who previously represented multiple clients that got fleeced by Mr. Bernard/Davies over the years. That broker said he was blown away to hear Davies’ unique British accent on a recent call with a client that had been in investment talks with a Northern Ireland firm called Hempton Business Management.
This time, the source said, Davies was introduced by handlers on the call as John Cavendish.
“I just sat in on a call and John’s voice is unmistakable,” said the broker, who asked to remain anonymous. “He stumbled on the beginning of the call trying to remember which last name he was supposed to use. Immediately they go back to the standard script about the types of deals they are looking for. They want to be minority investors in private transactions and they are industry agnostic. Their deal sizes are investments in the $5-20 million range, they prefer to not use big 4 firms for due diligence, and they have some smaller firms they use which are better suited for smaller investment deals.”
The source forwarded me some correspondence from Hempton Business Management, and I noticed it was sent from a Mariya Kulykova. This is interesting because Mr. Bernard’s personal assistant in Ukraine was a Mariya Kulikova (Ms. Kulikova deleted Bernard’s former companies from her LinkedIn profile shortly after last year’s series).
The company’s website says Hempton has been around since 2017, but the domain name was only registered in late November 2020. There is no information about who runs or owns the company on its site.
Hemptonllp[.]com was registered via Gandi, the same French registrar John Bernard/Davies has used over the years with his dozens of phantom companies.
Hempton Business Management’s only presence on LinkedIn appears to be a help wanted ad from a few weeks ago, for a marketing position at an office in Kyiv, Ukraine.
In response to an emailed request for comment on the apparent connections, Mr. Cavendish forwarded the message to a James Donohoe, who replied that he was the owner of Hempton. Donohoe said the domain was new because the company recently re-branded, although he declined to discuss the matter further.
“This sounds like an accusation of a big fraud?,” Donohoe wrote. “I have never had any dealings with a John Clifton Davies or John Bernard. You really are a cheeky little bugger aren’t you!”
Mr. Donohoe did not respond to further requests for comment.
Hempton appears to be part of a network of corporate facades designed to lead any investigators into a labyrinth of entities that exist only on paper. Hempton is what’s known as a “shelf corporation,” an aged or seasoned company that was formed but never used as a business. Shelf corporations are registered solely for the purposes of being resold to others at a later date. Simply put, their resale allows new enterprises to appear older, more established, and trusted.
“Perhaps the leading reason for acquiring an aged entity in general is credibility,” explains TBA & Associates, a company co-registered in the UK and New Zealand that has created hundreds of shelf companies for sale (PDF), including Hempton Business Management LLP in 2017.
“Business relationships are frequently influenced by the length of time a company has been in existence,” TBA continues. “This is often true when establishing financial and client/vendor relationships.”
Documents from the UK business record index Companies House show two entities as officers in Hempton: ABA Group & Associates LTD, and Harper & Partners Ltd. Both of these are shelf companies in Hong Kong that are listed for sale in the same TBA PDF advertisement linked for Hempton.
Searching Companies House for information on ABA Group and Harper & Partners leads to a dizzying number of other shelf companies in Hong Kong, Belize and the U.K. — all of which also were recently listed for sale by TBA.
The only person’s name attached to each of these companies is a Joaquim Magro de Almeida, a rather mysterious 72-year-old Portuguese business consultant. OpenCorporates says this same guy is an officer in 313 active companies. The U.K.’s Companies House lists Mr. Almeida as one of three officers in Euro Forex Investments Ltd., which Reuters says was a sprawling pyramid scheme that stole $1 billion from at least 3,700 victims in China, the United States and elsewhere.
This 2017 story from New Zealand financial news site interest.co.nz follows a trail of various other investment scams leading back to TBA shell companies, and to Mr. Almeida, too.
In my first report on John Davies, I noted that before becoming John Bernard he previously used the pseudonym “Jonathan Bibi” with an address in the offshore company haven of Seychelles. That identity was tied to a number of fraudulent cryptocurrency and binary options investment schemes.
Fraudsters are drawn to complexity, and they typically incorporate their shell or shelf companies in countries with little to no oversight or background checks tied to the creation and maintenance of corporate entities. As we’ve seen here, the U.K. is a favorite of fraudsters and money launderers worldwide. In a scathing 2017 report titled Hiding in Plain Sight (PDF), Transparency International found some 766 UK corporate vehicles were alleged to have been used in 52 large-scale corruption and money laundering cases approaching £80 billion.
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.
These attacks begin with an emailed link that when clicked loads not a phishing site but the user’s actual Office 365 login page, whether that be Microsoft’s own sign-in domain or their employer’s federated sign-in page. After logging in, the user might see a prompt that looks something like this:
These malicious apps let attackers sidestep multi-factor authentication: the user has already satisfied MFA by the time the consent prompt appears, and the access the app receives is an OAuth token tied to that consent rather than to the password. The consent grant persists in the user’s Office 365 account indefinitely until it is removed, and it survives even an account password reset.
This week, messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme [full disclosure: Proofpoint is an advertiser on this website].
Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, said 55 percent of the company’s customers have faced these malicious app attacks at one point or another.
“Of those who got attacked, about 22 percent — or one in five — were successfully compromised,” Kalember said.
Kalember said Microsoft last year sought to limit the spread of these malicious Office apps by creating an app publisher verification system, which requires the publisher to be a valid Microsoft Partner Network member.
That approval process is cumbersome for attackers, so they’ve devised a simple work around. “Now, they’re compromising accounts in credible tenants first,” Proofpoint explains. “Then, they’re creating, hosting and spreading cloud malware from within.”
The attackers responsible for deploying these malicious Office apps aren’t after passwords, and in this scenario they can’t even see them. Rather, they’re hoping that after logging in, users will click yes to approve the installation of a malicious but innocuously-named app into their Office 365 account.
Kalember said the crooks behind these malicious apps typically use any compromised email accounts to conduct “business email compromise” or BEC fraud, which involves spoofing an email from someone in authority at an organization and requesting the payment of a fictitious invoice. Other uses have included the sending of malware-laced emails from the victim’s email account.
Last year, Proofpoint wrote about a service in the cybercriminal underground where customers could access various Office 365 accounts without a username or password. The service also advertised the ability to extract and filter emails and files based on selected keywords, as well as attach malicious macros to all documents in a user’s Microsoft OneDrive.
“You don’t need a botnet if you have Office 365, and you don’t need malware if you have these [malicious] apps,” Kalember said. “It’s just easier, and it’s a good way to bypass multi-factor authentication.”
KrebsOnSecurity first warned about this trend in January 2020. That story cited Microsoft saying that while organizations running Office 365 could enable a setting to restrict users from installing apps, doing so was a “drastic step” that “severely impairs your users’ ability to be productive with third-party applications.”
Since then, Microsoft added a policy that allows Office 365 administrators to block users from consenting to an application from a non-verified publisher. Also, applications registered after November 8, 2020 show a warning on the consent screen when the publisher is not verified and tenant policy still allows the consent.
Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here.
Proofpoint says O365 administrators should limit or block which non-administrators can create applications, and enable Microsoft’s verified publisher policy, as a majority of cloud malware is still coming from Office 365 tenants that are not part of Microsoft’s partner network. Experts say it’s also important to ensure you have security logging turned on so that alerts are generated when employees grant new applications access to your tenant.
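The two halves of the scheme above, the lure that points at Microsoft’s genuine login endpoint and the consent grant that an administrator later has to find in the logs, as an added example in Python. This is not code from the article, from Proofpoint or from Microsoft. The authorize endpoint and its query parameters are the real Microsoft identity platform ones; the risky-scope set, the allowlist of known client IDs, the GUIDs and the flat shape of the consent events are assumptions constructed for the example (real events come from the unified audit log’s “Consent to application.” operation and need their nested properties parsed out first).

```python
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Delegated Microsoft Graph permissions that hand an app the user's mail and
# files; offline_access adds a refresh token, i.e. persistence. This set is an
# assumption chosen for the example, not Microsoft's own classification.
DATA_SCOPES: Set[str] = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
                         "MailboxSettings.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}

# Constructed allowlist of client IDs the organization has reviewed (assumption).
KNOWN_CLIENT_IDS: Set[str] = {"11111111-1111-1111-1111-111111111111",   # collaboration suite
                              "22222222-2222-2222-2222-222222222222"}   # approved mail archiver


def build_consent_link(client_id: str, redirect_uri: str, scopes: List[str],
                       tenant: str = "common") -> str:
    """The link an attacker mails out: a real Microsoft authorize URL, so the
    victim lands on the genuine login page and only afterwards sees the
    consent prompt for the attacker's app."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "prompt": "consent",   # force the permission prompt even for returning users
    })
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"


def link_is_consent_phish(url: str, known_ids: Set[str] = KNOWN_CLIENT_IDS) -> bool:
    """Mail-gateway style check. A hostname check alone passes this URL; what
    gives it away is a mailbox/file scope requested for an unknown client."""
    u = urlparse(url)
    if u.hostname != "login.microsoftonline.com" or "/oauth2/" not in u.path:
        return False
    q = parse_qs(u.query)
    requested = set(q.get("scope", [""])[0].split())
    return bool(requested & DATA_SCOPES) and q.get("client_id", [""])[0] not in known_ids


# Constructed consent-grant records (assumption: already flattened from the audit log).
CONSENT_EVENTS: List[Dict] = [
    {"user": "alice@contoso.example", "app": "Collaboration Suite", "publisher_verified": True,
     "client_id": "11111111-1111-1111-1111-111111111111", "admin_consent": False,
     "scopes": "User.Read offline_access"},
    {"user": "bob@contoso.example", "app": "Upgrade", "publisher_verified": False,
     "client_id": "deadbeef-0000-4000-8000-000000000001", "admin_consent": False,
     "scopes": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"user": "carol@contoso.example", "app": "Expense Tracker", "publisher_verified": False,
     "client_id": "deadbeef-0000-4000-8000-000000000002", "admin_consent": False,
     "scopes": "User.Read"},
    {"user": "dave@contoso.example", "app": "Mail Archiver", "publisher_verified": True,
     "client_id": "22222222-2222-2222-2222-222222222222", "admin_consent": True,
     "scopes": "Mail.Read offline_access"},
]


def triage_consents(events: List[Dict], known_ids: Set[str] = KNOWN_CLIENT_IDS) -> List[Dict]:
    """Rank consent grants: data scopes granted to an unverified or unknown app
    are the pattern from the article; data scopes on a known, verified app still
    deserve a look (mailbox access is mailbox access)."""
    findings = []
    for ev in events:
        scopes = set(ev["scopes"].split())
        risky = scopes & DATA_SCOPES
        suspect_app = (not ev["publisher_verified"]) or ev["client_id"] not in known_ids
        if risky and suspect_app:
            level = "high"
        elif risky or suspect_app:
            level = "medium"
        else:
            level = "low"
        findings.append({"user": ev["user"], "app": ev["app"], "level": level,
                         "persistent": "offline_access" in scopes,
                         "risky_scopes": sorted(risky), "admin_consent": ev["admin_consent"]})
    return findings


if __name__ == "__main__":
    lure = build_consent_link("deadbeef-0000-4000-8000-000000000001",
                              "https://attacker.example/cb",
                              ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"])
    print(lure)
    print("consent phish:", link_is_consent_phish(lure))
    for f in triage_consents(CONSENT_EVENTS):
        print(f"{f['level']:6s} {f['user']:24s} {f['app']:20s} persistent={f['persistent']} {f['risky_scopes']}")
```

The point of `link_is_consent_phish` is that the usual “is the host Microsoft’s?” test says yes; the tell is in the query string. The triage maps to the article’s mitigations: a “high” finding is exactly what the verified-publisher consent policy would have blocked, and a “medium” on a known app is the admin-consent case that logging should surface for review.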
When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom.
Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses.
The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it’s mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.
And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases posted online, it is often possible to work backwards from some of the more unique passwords for each account and see where else that password was used.
Of all the stories I’ve written here over the last 11 years, probably the piece I get asked most to recount is the one about Sergey “Fly” Vovnenko, a Ukrainian man who in 2013 hatched and executed a plan to buy heroin off the dark web, ship it to our house and then spoof a call to the police from one of our neighbors saying we were dealing drugs.
Fly was the administrator of a Russian-language identity theft forum at the time, and as a secret lurker on his forum KrebsOnSecurity watched his plan unfold in real time. As I described in a 2019 story about an interview Fly gave to a Russian publication upon his release from a U.S. prison, his propensity for password re-use ultimately landed him in Italy’s worst prison for more than a year before he was extradited to face charges in America.
Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.
But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities.
Mistake number two was the password for his email account was the same as his cybercrime forum admin account. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.
Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.
While it may sound unlikely that a guy so enmeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user.
Countless times over the years I’ve encountered huge tranches of valuable, dangerous data — like a botnet control panel or admin credentials for cybercrime forums — that were full of bad passwords, like password1 or 123qweasd (an incredibly common keyboard pattern password).
I suspect this may be because the nature of illicit activity online requires cybercrooks to create vast numbers of single- or brief-use accounts, and as such they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.
Regardless of their reasons or lack thereof for choosing poor passwords, it is fascinating that in terms of maintaining one’s operational security it actually benefits cybercriminals to use poor passwords in many situations.
For example, it is often the denizens of the cybercrime underground who pick crappy passwords for their forum accounts who end up doing their future selves a favor when the forum eventually gets hacked and its user database is posted online. A password shared with thousands of strangers cannot single anyone out, whereas an unusual password reused across several accounts links those accounts, and whoever is behind them, together.
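The pivot described in this piece, working from a leaked forum database back to other accounts that share a rare password, as an added example in Python. This is not code from the article; the two dumps, the handles and e-mail addresses, the MD5 hashes and the passwords are all constructed for the example, and the small common-password list and the popularity cutoff are assumptions standing in for a real top-N list.

```python
import hashlib
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed sample dumps (no real data). FORUM_DUMP imitates a hacked crime
# forum that stored unsalted MD5 hashes (computed here for readability; a real
# dump ships the hashes). WEBMAIL_DUMP imitates a provider breach that has
# already been cracked to plaintext.
FORUM_DUMP = [  # (handle, registration e-mail, unsalted MD5)
    ("fly", "fly-admin@forum.example", md5_hex("Tr0ub4dor&Naples")),
    ("carder77", "carder77@mail.example", md5_hex("password")),
    ("drops4u", "drops4u@mail.example", md5_hex("password")),
    ("ghost", "ghost@mail.example", md5_hex("123qweasd")),
]
WEBMAIL_DUMP = [  # (e-mail, cracked plaintext)
    ("personal-mail@webmail.example", "Tr0ub4dor&Naples"),
    ("jane@webmail.example", "password"),
    ("bob@webmail.example", "123qweasd"),
    ("alice@webmail.example", "correct horse battery staple"),
]

# Passwords too common to identify anyone (assumption: a real run loads a top-N list).
COMMON_HASHES = {md5_hex(p) for p in ("password", "password1", "123456", "qwerty", "123qweasd")}
# A hash shared by more accounts than this is a popular password, not a fingerprint.
MAX_ACCOUNTS_PER_HASH = 3

Record = Tuple[str, str, str]  # (source, email, md5hex)


def normalize(forum, webmail) -> List[Record]:
    """Bring both dumps to one shape; plaintexts are hashed so they compare to the forum hashes."""
    out = [("forum", email.lower(), h.lower()) for _, email, h in forum]
    out += [("webmail", email.lower(), md5_hex(pw)) for email, pw in webmail]
    return out


def link_identities(records: Iterable[Record]) -> List[Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Cluster e-mail addresses that share a rare password across sources.
    Returns [(emails_in_cluster, hashes_that_linked_them), ...]."""
    by_hash: Dict[str, Set[str]] = defaultdict(set)
    for _, email, h in records:
        by_hash[h].add(email)

    parent: Dict[str, str] = {}          # union-find over e-mail addresses

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    evidence: Dict[str, Set[str]] = defaultdict(set)
    for h, emails in by_hash.items():
        if len(emails) < 2 or h in COMMON_HASHES or len(emails) > MAX_ACCOUNTS_PER_HASH:
            continue  # unique to one account, or too common to mean anything
        first, *rest = sorted(emails)
        for e in rest:
            parent[find(e)] = find(first)
        for e in emails:
            evidence[e].add(h)

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for e in evidence:
        clusters[find(e)].add(e)
    return [(frozenset(members), frozenset().union(*(evidence[m] for m in members)))
            for members in clusters.values() if len(members) >= 2]


if __name__ == "__main__":
    for members, hashes in link_identities(normalize(FORUM_DUMP, WEBMAIL_DUMP)):
        print(sorted(members), "linked by", sorted(hashes))
```

Run as written, the three accounts that share “password” and the two that share “123qweasd” produce no link at all, which is the “doing their future selves a favor” effect; the one unusual password ties the forum admin’s registration address to a personal mailbox in the other dump. In practice the same join works on salted hashes only after cracking, and the popularity cutoff matters more than it looks: raise it and you start linking strangers who happen to share a pet’s name.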
It really stinks that it’s mid-2021 and we’re still so reliant on passwords. But as long as that’s the case, I hope it’s clear that the smartest choice for all Internet users is to pick unique passwords for every site. The major Web browsers will now auto-suggest long, complex and unique passwords when users go to set up a new account somewhere online, and this is obviously the simplest way to achieve that goal.
Password managers are ideal for people who can’t break the habit of re-using passwords, because you only have to remember one (strong) master password to access all of your stored credentials.
If you don’t trust password managers and have trouble remembering complex passwords, consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.
In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember. Their main limitation is that countless sites still force you to add special characters and place arbitrary limits on password length possibilities.
Finally, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.
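The length-versus-complexity point above is easiest to see with numbers. The following Python is an added example written for this page, not code from the original post: it generates a passphrase with the operating system's CSPRNG and compares the search space of an 8-character random password with a 5- or 6-word passphrase. The 16-word list is a constructed sample (a real Diceware list has 7,776 words, and the entropy figures use that full size); the 1e10 guesses per second figure is an assumed offline cracking rate, not a number from the page.

```python
import math
import secrets

# Constructed sample word list. A real Diceware-style list has 7,776 entries;
# this short list only shows the selection mechanism. The entropy figures below
# use the full-list size, not the size of this sample.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble",
]
DICEWARE_LIST_SIZE = 7776      # 6^5 words in a standard Diceware list
PRINTABLE_ASCII = 95           # symbols available to a random-character password
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def make_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick n_words uniformly at random with the OS CSPRNG (never random.choice)."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given guess rate (the attacker's worst case)."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e10) -> dict:
    """Random 8-char password vs. random 5- and 6-word passphrases at an assumed guess rate.
    Returns {label: (entropy bits rounded to 0.1, years to exhaust the space)}."""
    cases = {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "5 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }
    return {label: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for label, bits in cases.items()}


if __name__ == "__main__":
    print("example passphrase:", make_passphrase(5))
    for label, (bits, years) in compare().items():
        print(f"{label:26s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The comparison only holds when the words are chosen at random; a phrase the user composes (a song lyric, a sentence about their dog) has far less entropy than the word count suggests, which is why the block draws from a list with `secrets` rather than asking for a memorable sentence.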
Further reading: Who’s Behind the GandCrab Ransomware?
Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.
In an 81-page report delivered to the Biden administration this week, top executives from Amazon, Cisco, FireEye, McAfee, Microsoft and dozens of other firms joined the U.S. Department of Justice (DOJ), Europol and the U.K. National Crime Agency in calling for an international coalition to combat ransomware criminals, and for a global network of ransomware investigation hubs.
The Ransomware Task Force urged the White House to make finding, frustrating and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.
The Wall Street Journal recently broke the news that the DOJ was forming its own task force to deal with the “root causes” of ransomware. An internal DOJ memo reportedly “calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.”
According to security firm Emsisoft, almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.
“The costs of ransomware go far beyond the ransom payments themselves,” the task force report observes. “Cybercrime is typically seen as a white-collar crime, but while ransomware is profit-driven and ‘non-violent’ in the traditional sense, that has not stopped ransomware attackers from routinely imperiling lives.”
It is difficult to gauge the true cost and size of the ransomware problem because many victims never come forward to report the crimes. As such, a number of the task force’s recommendations focus on ways to encourage more victims to report the crimes to their national authorities, such as requiring victims and incident response firms who pay a ransomware demand to report the matter to law enforcement and possibly regulators at the U.S. Treasury Department.
Last year, Treasury issued a controversial memo warning that ransomware victims who end up sending digital payments to people already sanctioned by the U.S. government for money laundering and other illegal activities could face hefty fines.
Philip Reiner, CEO of the Institute for Security and Technology and executive director of the industry task force, said the reporting recommendations are one of several areas where federal agencies will likely need to dedicate more employees. For example, he said, expecting victims to clear ransomware payments with the Treasury Department first assumes the agency has the staff to respond in any kind of timeframe that might be useful for a victim undergoing a ransomware attack.
“That’s why we were so dead set in putting forward comprehensive framework,” Reiner said. “That way, Department of Homeland Security can do what they need to do, the State Department, Treasury gets involved, and it all needs to be synchronized for going after the bad guys with the same alacrity.”
Some have argued that making it illegal to pay a ransom is one way to decrease the number of victims who acquiesce to their tormentors’ demands. But the task force report says we’re nowhere near ready for that yet.
“Ransomware attackers require little risk or effort to launch attacks, so a prohibition on ransom payments would not necessarily lead them to move into other areas,” the report observes. “Rather, they would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities. To apply additional pressure, they would target organizations considered more essential to society, such as healthcare providers, local governments, and other custodians of critical infrastructure.”
“As such, any intent to prohibit payments must first consider how to build organizational cybersecurity maturity, and how to provide an appropriate backstop to enable organizations to weather the initial period of extreme testing,” the authors concluded in the report. “Ideally, such an approach would also be coordinated internationally to avoid giving ransomware attackers other avenues to pursue.”
The task force’s report comes as federal agencies have been under increased pressure to respond to a series of ransomware attacks that were mass-deployed as attackers began exploiting four zero-day vulnerabilities in Microsoft Exchange Server email products to install malicious backdoors. Earlier this month, the DOJ announced the FBI had conducted a first-of-its-kind operation to remove those backdoors from hundreds of Exchange servers at state and local government facilities.
Many of the recommendations in the Ransomware Task Force report are what you might expect, such as encouraging voluntary information sharing on ransomware attacks; launching public awareness campaigns on ransomware threats; exerting pressure on countries that operate as safe havens for ransomware operators; and incentivizing the adoption of security best practices through tax breaks.
A few of the more interesting recommendations (at least to me) included:
-Limit legal liability for ISPs that act in good faith trying to help clients secure their systems.
-Create a federal “cyber response and recovery fund” to help state and local governments or critical infrastructure companies respond to ransomware attacks.
-Require cryptocurrency exchanges to follow the same “know your customer” (KYC) and anti-money laundering rules as financial institutions, and aggressively target exchanges that do not.
-Have insurance companies measure and assert their aggregated ransomware losses and establish a common “war chest” subrogation fund “to evaluate and pursue strategies aimed at restitution, recovery, or civil asset seizures, on behalf of victims and in conjunction with law enforcement efforts.”
-Centralize expertise in cryptocurrency seizure, and scale up criminal seizure processes.
-Create a standard format for reporting ransomware incidents.
-Establish a ransomware incident response network.
Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.
Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”
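Two of the failures described above, no caller authentication and an all-zero date of birth being accepted, are server-side input-handling problems. The following Python is an added example written for this page, not Experian's or any lender's code: a hypothetical request validator for a credit-inquiry endpoint that refuses unauthenticated callers and rejects placeholder or impossible dates of birth before any lookup is attempted. The partner-key table, field names and age threshold are constructed for the example.

```python
from datetime import date, datetime
from typing import List, Optional

# Constructed partner credential table. A real service would keep per-partner
# keys in a secrets manager, rotate them, and rate-limit each partner.
PARTNER_KEYS = {"partner-key-CONSTRUCTED-0001": "example-lender"}

MIN_AGE_YEARS = 18   # assumed threshold for a consumer credit inquiry


def parse_dob(raw: str) -> Optional[date]:
    """Return a real calendar date for a YYYYMMDD string, or None if it is not one."""
    try:
        return datetime.strptime(raw, "%Y%m%d").date()
    except ValueError:
        return None


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def validate_inquiry(api_key: Optional[str], name: str, address: str,
                     dob_raw: str, today: Optional[date] = None) -> List[str]:
    """Return the reasons to reject the request; an empty list means it may proceed.
    Every check runs so the caller sees all problems at once."""
    today = today or date.today()
    problems = []

    # 1. The endpoint must know who is asking; a public-data-only lookup is refused.
    if not api_key or api_key not in PARTNER_KEYS:
        problems.append("unauthenticated: missing or unknown partner key")

    # 2. Identity fields must be present.
    if not name.strip() or not address.strip():
        problems.append("incomplete: name and address are required")

    # 3. Sentinel values must never be treated as "matches any record".
    if not dob_raw or set(dob_raw) <= {"0"}:
        problems.append("dob_placeholder: all-zero date of birth is not accepted")
    else:
        dob = parse_dob(dob_raw)
        if dob is None:
            problems.append("dob_invalid: not a calendar date")
        elif dob > today:
            problems.append("dob_future: date of birth is after today")
        elif age_on(dob, today) < MIN_AGE_YEARS:
            problems.append("dob_underage: subject is below the minimum age")

    return problems


if __name__ == "__main__":
    key = "partner-key-CONSTRUCTED-0001"
    for dob in ("19850615", "00000000", "19851340", "20100101"):
        print(dob, validate_inquiry(key, "Jane Doe", "1 Main St", dob))
    print("no key", validate_inquiry(None, "Jane Doe", "1 Main St", "19850615"))
```

The order matters less than the fact that every check is enforced on the server: a client-side form can be bypassed by calling the API directly, which is exactly what the researcher did.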
KrebsOnSecurity put that tool to the test, asking permission from a friend to have Demirkapi look up their credit score. The friend agreed and said he would pull his score from Experian (at this point I hadn’t told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s lookup tool.
In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.
For example, in my friend’s case Bill’s tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn’t owe so much on revolving credit accounts.
“Too many consumer finance company accounts,” the API concluded about my friend’s score.
The reason I could not test Demirkapi’s findings on my own credit score is that we have a security freeze on our files at the three major consumer credit reporting bureaus, and a freeze blocks this particular API from pulling the information.
Demirkapi declined to share with Experian the name of the lender or the website where the API was exposed. He refused because he said he suspects there may be hundreds or even thousands of companies using the same API, and that many of those lenders could be similarly leaking access to Experian’s consumer data.
“If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained.
Nevertheless, after being contacted by this reporter Experian figured out on its own which lender was exposing their API; Demirkapi said that vendor’s site now indicates the API access has been disabled.
“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”
Demirkapi said he’s disappointed that Experian did exactly what he feared they would do.
“They found one endpoint I was using and sent it into maintenance mode,” he said. “But this doesn’t address the systemic issue at all.”
Leaky and poorly-secured APIs like the one Demirkapi found are the source of much mischief in the hands of identity thieves. Earlier this month, auto insurance giant Geico disclosed that fraudsters abused a bug in its site to steal driver's license numbers from Americans.
Geico said the data was used by thieves involved in fraudulently applying for unemployment insurance benefits. Many states now require driver's license numbers as a way of verifying an applicant’s identity.
In 2013, KrebsOnSecurity broke the news about an identity theft service in the underground that programmatically pulled sensitive consumer credit data directly from a subsidiary of Experian. That service was run by a Vietnamese hacker who’d told the Experian subsidiary he was a private investigator. The U.S. Secret Service later said the ID theft service “caused more material financial harm to more Americans than any other.”
Additional reading: Experian’s Credit Freeze Security is Still a Joke (Apr. 27, 2021)
In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.
Dune Thomas is a software engineer from Sacramento, Calif. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.
But the crooks were persistent: Earlier this month, someone unfroze Thomas’ account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Thomas said he only learned about the activity because he’d taken advantage of a free credit monitoring service offered by his credit card company.
Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the “request your PIN” feature on Experian’s site to obtain his PIN and then unfreeze his file.
Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know.
KrebsOnSecurity stepped through the same process and found similar results. The first question asked about a new mortgage I supposedly took out in 2019 (I didn’t), and the answer was none of the above. The answer to the second question also was none of the above.
The next two questions were useless for authentication purposes because they’d already been asked and answered; one was “which of the following is the last four digits of your SSN,” and the other was “I was born within a year or on the year of the date below.” Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number).
The best part about this lax authentication process is that one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Experian. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.
Finally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes.
Unless, that is, you subscribe to Experian’s heavily-marketed and confusingly-worded “CreditLock” service, which charges between $14.99 and $24.99 a month for the ability to “lock and unlock your file easily and quickly, without delaying the application process.” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.
Thomas said he’s furious that Experian only provides added account security for consumers who pay for monthly plans.
“Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. “They’re allowing this huge security gap so they can make a profit. And this has been going on for at least four years.”
Experian has not yet responded to requests for comment.
When a consumer with a freeze logs in to Experian’s site, they are immediately directed to a message for one of Experian’s paid services, such as its CreditLock service. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current “protection level” was “low” because my credit file was unlocked.
“When your file is unlocked, you’re more vulnerable to identity theft and fraud,” Experian warns, untruthfully. “You won’t see alerts if someone tries to access your file. Banks can check your file if you apply for credit or loans. Utility and service providers can see your credit file.”
Sounds scary, right? The thing is — except for the part about not seeing alerts — none of the above statement is true if you already have a freeze on your file. A security freeze essentially blocks any potential creditors from being able to view your credit file, unless you affirmatively unfreeze or thaw your file beforehand.
With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). It is now free to freeze your credit in all U.S. states and territories.
Experian, like the other consumer credit bureaus, uses their intentionally confusing “lock” terminology to frighten consumers into paying for monthly subscription services. A key selling point for these lock services is they can be a faster way to let creditors peek at your file when you wish to apply for new credit. That may or may not be true in practice, but consider why it’s so important for Experian to get consumers to sign up for their lock programs.
The real reason is that Experian makes money every time someone makes a credit inquiry in your name, and it does not want to do anything to hinder those inquiries. Signing up for a lock service lets Experian continue selling credit report information to a variety of third parties. According to Experian’s FAQ, when locked your Experian credit file remains accessible to a host of companies, including:
-Potential employers or insurance companies
-Collection agencies acting on behalf of companies you may owe
-Companies providing pre-screened credit card offers
-Companies that have an existing credit relationship with you (this is true for frozen files also)
-Personalized offers from Experian, if you choose to receive them
It is annoying that Experian can get away with offering additional account security only to people who pay the company a hefty sum each month to sell their information. It’s also amazing that this sloppy security I wrote about back in 2017 is still just as prevalent in 2021.
But Experian is hardly alone. In 2019, I wrote about how Equifax’s new MyEquifax site made it simple for thieves to lift an existing credit freeze at Equifax and bypass the PIN if they were armed with just your name, Social Security number and birthday.
Also in 2019, identity thieves were able to get a copy of my credit report from TransUnion after successfully guessing the answers to multiple-guess questions like the ones Experian asks. I only found out after hearing from a detective in Washington state, who informed me that a copy of the report was found on a removable drive seized from a local man who was arrested on suspicion of being part of an ID theft gang.
TransUnion investigated and found it was indeed at fault for giving my credit report to ID thieves, but that on the bright side its systems blocked another fraudulent attempt at getting my report in 2020.
“In our investigation, we determined that a similar attempt to fraudulently obtain your report occurred in April 2020, and was successfully blocked by enhanced controls TransUnion has implemented since last year,” the company said. “TransUnion deploys a multi-layered security program to combat the ongoing and increasing threat of fraud, cyber-attacks and malicious activity. In today’s dynamic threat environment, TransUnion is constantly enhancing and refining our controls to address the latest security threats, while still allowing consumers access to their information.”
For more information on credit freezes (also called “security freezes”), how to request one, and other tips on preventing identity fraud, check out this story.
If you haven’t done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer one free copy of their credit report annually from each of the three credit bureaus — either all at once or spread out over the year.
What was the best news you heard so far this month? Mine was learning that KrebsOnSecurity is listed as a restricted competitor by Gartner Inc. [NYSE:IT] — a $4 billion technology goliath whose analyst reports can move markets and shape the IT industry.
Earlier this month, a reader pointed my attention to the following notice from Gartner to clients who are seeking to promote Gartner reports about technology products and services:
What that notice says is that KrebsOnSecurity is somehow on Gartner’s “non exhaustive list of competitors,” i.e., online venues where technology companies are not allowed to promote Gartner reports about their products and services.
The bulk of Gartner’s revenue comes from subscription-based IT market research. As the largest organization dedicated to the analysis of software, Gartner’s network of analysts are well connected to the technology and software industries. Some have argued that Gartner is a kind of private social network, in that a significant portion of Gartner’s competitive position is based on its interaction with an extensive network of software vendors and buyers.
Either way, the company regularly serves as a virtual kingmaker with their trademark “Magic Quadrant” designations, which rate technology vendors and industries “based on proprietary qualitative data analysis methods to demonstrate market trends, such as direction, maturity and participants.”
The two main subjective criteria upon which Gartner bases those rankings are “the ability to execute” and “completeness of vision.” They also break companies out into categories such as “challengers,” “leaders,” “visionaries” and “niche players.”
So when Gartner issues a public report forecasting that worldwide semiconductor revenue will fall, or that worldwide public cloud revenue will grow, those reports very often move markets.
Being listed by Gartner as a competitor has had no discernible financial impact on KrebsOnSecurity, or on its reporting. But I find this designation both flattering and remarkable given that this site seldom promotes technological solutions.
Nor have I ever offered paid consulting or custom market research (although I did give a paid keynote speech at Gartner’s 2015 conference in Orlando, which is still by far the largest crowd I’ve ever addressed).
Rather, KrebsOnSecurity has sought to spread cybersecurity awareness primarily by highlighting the “who” of cybercrime — stories told from the perspectives of both attackers and victims. What’s more, my research and content is available to everyone at the same time, and for free.
I rarely do market predictions (or prognostications of any kind), but in deference to Gartner allow me to posit a scenario in which major analyst firms start to become a less exclusive and perhaps less relevant voice as both an influencer and social network.
For years I have tried to corrupt more of my journalist colleagues into going it alone, noting that solo blogs and newsletters can not only provide a hefty boost from newsroom income, but they also can produce journalism that is just as timely, relevant and impactful.
Those enticements have mostly fallen on deaf ears. Recently, however, an increasing number of journalists from major publications have struck out on their own, some in reportorial roles, others as professional researchers and analysts in their own right.
If Gartner considers a one-man blogging operation as competition, I wonder what they’ll think of the coming collective output from an entire industry of newly emancipated reporters seeking more remuneration and freedom offered by independent publishing platforms like Substack, Patreon and Medium.
Oh, I doubt any group of independent journalists would seek to promulgate their own Non-Exclusive List of Competitors at Whom Thou Shalt Not Publish. But why should they? One’s ability to execute does not impair another’s completeness of vision, nor vice versa. According to Gartner, it takes all kinds, including visionaries, niche players, leaders and challengers.
Modern business email tools are often built to get you in and out of your inbox as fast as possible, keeping you informed and organized. Often, however, this efficiency comes at the cost of privacy and security. You also need an email provider that helps keep your sensitive data secure, not one that is a security risk in itself.
This is important because businesses — especially small- and medium-sized enterprises — are consistently targeted by hackers.
How should you structure your analysis of choosing the right email provider for your business?
Choosing your email service is a critical step for your business. It is one of the primary ways you communicate, both internally and with clients and customers.
We created this article to help you make this decision in a more structured way. Along the way, we provide information about ProtonMail to help you understand the capabilities of our service, but the checklist of criteria we have provided is applicable to any email service provider you are considering. While we hope you will consider ProtonMail, our objective here is to help you make the best decision for your business.
We recommend prioritizing the features you need around seven categories. Clicking any link here will take you straight to that section:
We also suggest understanding a few things about your current usage to keep in mind as you explore other providers’ options. This will help you stay focused on what matters most to you and your team.
If you need any assistance, you can always speak directly with someone on our business support team by writing to email@example.com.
Employees often have different levels of savviness when it comes to technology. You will want to choose an email service provider that is easy for your team to adopt and merge with their current workflow.
Being easy to use encompasses more than just a smart, intuitive user interface. Your email provider should have apps that your employees can use on their mobile devices so they can still work even if they’re on the move. It should also be able to integrate with IMAP/SMTP email clients to make it easier for employees who are more comfortable with Outlook or Mozilla Thunderbird.
ProtonMail has been tested in all types of corporate environments, large and small, and our Professional plan can support teams of any size. Our email applications are designed to be clean, pleasant, and easy to learn. Encryption is automatic, and security features are built-in.
Getting started with ProtonMail is hassle-free because of its import-export tool for transitioning from old providers. Our apps for Android and iOS devices have intuitive interfaces and allow you to quickly respond to emails and manage multiple accounts while you are on the go. ProtonMail Bridge, which is a desktop app that runs in the background of your device, lets you add Proton encryption to email clients like Outlook, Thunderbird, and Apple Mail.
Team communications should be end-to-end encrypted, meaning only the sender and recipient can see the contents of the messages. That way, if a data breach occurs, no unencrypted information would be exposed to hackers or the public. While encryption is a non-negotiable baseline for choosing an email service provider, you must also consider each provider’s privacy policies.
ProtonMail uses end-to-end encryption at all stages of message transmission. We also use zero-access encryption, which means no one can access your inbox without your password, not even ProtonMail. If data falls into the wrong hands, it will be indecipherable. All of ProtonMail’s cryptography and user apps are open source, meaning the entire cryptographic community can independently audit our security methods.
Businesses must protect themselves against time-wasting spam and system-compromising phishing attacks. Phishing makes up more than half of all security threats facing organizations today. With the proper protections in place, your business will be safe from information leaks and financial attacks.
While protecting your inbox seems simple, many providers fail to offer the level of protection necessary. The process of filtering out spam, phishing, and viruses is complicated and requires sophisticated tools.
Two important anti-spoof tools you should look for are DKIM and DMARC. DomainKeys Identified Mail (DKIM) cryptographically verifies that an email was sent by a trusted email address, making it harder for attackers to spoof your domain. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a failsafe that instructs your email server what to do in case an email you receive fails DKIM, making it harder for attackers to fool you with a spoofed email.
ProtonMail uses smart spam detection, spam lists, WKD, DANE, DMARC, SPF, and other powerful tools to ensure any messages that reach your inbox are clean. Teams using the ProtonMail Professional plan can take advantage of multiple email addresses per user to keep private addresses secret and end-to-end encryption to be sure messages are sent to and from those originally intended.
The amount of storage you will need depends on the size of your team. As your team may change over time, it’s a good idea to future-proof your email infrastructure by choosing a provider that has storage expansion options. B2B providers often limit certain elements of storage. Always be sure to check for limits on the number of users, addresses per user, gigabytes of storage per user, and organizational features like folders and tags.
The ProtonMail Professional plan gives each user 5 GB of storage, five addresses per user, and unlimited message sending. It also enables user hierarchy, which provides admins with the ability to monitor and maintain privileges across an entire company.
The ProtonMail apps for Android and iOS both offer multi-account support, making it easy for your employees to toggle between their different work emails. ProtonMail also offers ProtonContacts, a personal, encrypted contact database, and ProtonCalendar, an encrypted calendar, for every user on the team.
Some email service providers may boast strong features but fall short on compliance with privacy and data management regulations. Regulatory compliance shows that a provider takes your security seriously and isn’t just trying to market features with empty promises.
If your team deals with sensitive health data, your emails may need to be HIPAA compliant. If you have users in Europe, your team will need to comply with the GDPR privacy laws. The last thing you want to deal with is legal recourse for mishandling sensitive data, which could threaten your company’s reputation.
Where compliance covers your team externally, customer support provides a safety net internally. If you have trouble with your email provider, you want to know that your issue will be heard and dealt with promptly.
ProtonMail is HIPAA and GDPR compliant, verified by openly available and transparent legal statements. The service is backed by strict Swiss privacy laws that forbid access to user data and prevent snooping from governments. ProtonMail provides friendly, fast, and reliable support for all professional plan teams. Our Professional plan comes with dedicated support channels for business users.
Your emails are an important business record, so before you can completely transition your business to a new email service, you’ll need to migrate your old emails and conversations. This can seem like a daunting task, especially when it is added to your already busy workload. You should always make sure that any email service you are considering has tools that simplify this process.
ProtonMail has both an Import-Export application and a more rapid Import Assistant to allow you to quickly and easily migrate all your important conversations yourself. And if your company is above a certain size, ProtonMail will handle migrating your emails for you.
Business email pricing is highly variable, ranging from free to as much as $20/month for some providers. The cost is usually contingent on a number of factors, including the number of users, the amount of storage, sending and attachment limits, and custom domain options.
ProtonMail Business plan pricing is straightforward and competitive: $6.25 per user per month. This includes 5 GB of storage per user, 5 email addresses per user, two custom domains, unlimited folders and labels, unlimited filter rules, and priority customer support. Our privacy and security features are already standard for every ProtonMail account.
While there is a lot to consider, it all boils down to the specific needs of your business. Keep in mind the core tenets of stability, security, and ease-of-use, and you will be good to go.
ProtonMail was built with these tenets at its core. Our service is trusted by thousands of companies and millions of individuals worldwide. If you are still not sure whether ProtonMail fits your team, feel free to write us at firstname.lastname@example.org.
The post Choosing the perfect email provider for your business appeared first on ProtonMail Blog.
The post Proton Calendar beta is now available for everyone who uses ProtonMail appeared first on ProtonMail Blog.
Proton Calendar, our privacy-focused calendar app, is now available in beta on Android and web for everyone who has a ProtonMail account. Protected by the same end-to-end encryption used in ProtonMail, this simple, easy-to-use, and intuitive calendar will help you stay on top of your schedule while securing your data.
If you already have ProtonMail, you can try Proton Calendar beta on the web and Android devices (with the beta app for iOS coming soon).
You can download the Proton Calendar Android app beta from the Play Store.
We’ve built Proton Calendar from the ground up, so you can spend less time managing your day and more time enjoying it. It takes a lot of work to stay on top of your schedule, which is why we’ve made Proton Calendar simple and easy to use with seamless integration across your devices. With the Proton Calendar beta, you can:
Proton Calendar is integrated with ProtonMail. You can respond to event invitations you receive in ProtonMail web, including invitations from Google or Microsoft calendars.
You can also import your existing calendar to Proton Calendar with only a couple of clicks.
Millions of people around the world use ProtonMail every day to protect the privacy and security of their messages. That’s why we are using the same end-to-end encryption to keep your life events private, safe, and secure.
When you create an event in the Proton Calendar, your event’s details, including the title, description, location, and people you invite, are encrypted on your device so no one, not even us, can see them. Whether you’ve scheduled a doctor’s appointment, a bank visit, or a meet-up with old friends, you control who gets access to that information.
Thank you for choosing Proton Calendar beta, and don’t forget to share your feedback.
As with all healthcare professionals in the United States, therapists need to be HIPAA compliant. They must follow the complex set of interlocking rules that make up the Health Insurance Portability and Accountability Act (HIPAA).
The purpose of these rules is to secure patients’ Protected Health Information (PHI), as defined in the HIPAA Security Rule, according to the criteria specified in the Privacy Rule.
Most therapists are solo practitioners who devote most of their professional time to helping patients, which can make taking the time to understand the complex requirements of HIPAA compliance a challenge.
This article is part of a series discussing various aspects of HIPAA compliance. ProtonMail is the world’s largest secure email provider, used by millions to protect their messages, and we provide HIPAA compliant email to thousands of organizations. In this article, we look at the aspects of HIPAA email compliance that are particularly relevant to therapists.
Everyone is familiar with email, making it a great way for therapists to communicate effectively with patients. It’s also more convenient than phone calls or teleconferencing solutions, as it allows therapists to engage in long-form conversations while giving them greater control over their time.
Email is also much easier for lone therapists to manage than complex web portals, which can be difficult to operate without a tech support team’s assistance.
However, a problem with most email services is that they are not secure. This is a major issue for therapists because their conversations often cover highly sensitive (and potentially damaging) personal matters.
HIPAA allows patients to waive their right to secure email communication once all reasonable efforts have been made to alert them about the privacy risks this involves. But this is not an ideal solution, given the highly sensitive nature of the PHI that therapists discuss with their patients.
A much better solution for therapists is to use a HIPAA compliant email service that can ensure sensitive information exchanged by email will remain private.
Therapists often hear their patients’ innermost thoughts, so as a simple duty of care, it is vital that you secure all forms of their sensitive data.
According to official Department of Health and Human Services guidelines, “generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information.” This means that the following data is classed as PHI:
Psychotherapy notes, however, receive special protections. These are defined as any notes “documenting or analyzing the contents of a conversation” held during a therapy session.
Therapists must keep psychotherapy notes separate from other forms of PHI thanks to the particularly sensitive nature of the data they contain — and because they are primarily only of use to the therapist who made them.
While also sensitive, information about medication prescriptions, how and when treatment is furnished, symptoms, prognosis, information contained in a patient’s medical record, or anything else tangential to the contents of a conversation are not considered part of psychotherapy notes.
Under most circumstances, a therapist can only disclose their notes to a third party with their patient’s express permission (except in situations involving abuse or where the patient threatens to harm others).
Any email service a therapist considers for use for their practice should:
Therapists face unique issues when it comes to protecting patients’ PHI due to the highly personal nature of the information they must discuss.
Some experts argue that the 2013 HIPAA Omnibus Rule requires patients to opt-in to communication by email that involves exchanging PHI. Most experts, however, agree that properly informed consent is sufficient.
This means the therapist must fully alert patients about the privacy dangers of using email and offer alternative secure ways to communicate.
Of course, using an end-to-end encrypted email service that allows secure communication even when a patient uses an insecure email service addresses many of the security problems associated with more traditional email services.
Therapists are obliged to disclose the minimum amount of personal health information possible for the purpose at hand. This is particularly important when dealing with other healthcare professionals (HIPAA-covered entities) and business associates.
The Security Rule does not, strictly speaking, require encryption for emails, but achieving HIPAA compliance without using encryption is very hard. The problem is that encryption is a very complex subject that many find difficult to understand, no matter how much research they put into it.
Most email services (and all HIPAA compliant ones) use TLS encryption to secure emails in transit, that is, as they travel between your computer and the email server they are stored on.
However, the sender cannot normally guarantee that the next hop, from their own provider’s server to the recipient’s server, also uses TLS. SMTP’s STARTTLS is opportunistic: if the receiving server does not offer it (or an attacker on the path strips the offer), the message is relayed in plaintext, and the recipient’s email service, their internet service provider, and potentially malicious actors can read its contents. You can address this problem by using a service that offers escrow email.
Most email services (and all HIPAA compliant ones) also encrypt data at rest on their servers. Again, a therapist has no way to verify that the patient’s email service does the same.
Another point to consider is that if you rely on your email provider to encrypt your emails, it can also decrypt them. That’s why it is vital you sign a business associate agreement (BAA) with your email provider to ensure it is a HIPAA compliant business associate.
An even better option is to use an email service that offers end-to-end encryption. With end-to-end encryption, emails are encrypted on your device before being sent to your email provider’s servers, so it cannot read them. These messages can then be securely delivered to your patient using an email escrow service.
This provides a robust extra layer of security for sensitive emails, although it does not replace the need to sign a BAA with your provider.
A business associate agreement (BAA) is a contract between a primary healthcare provider (a “covered entity”) and any business associate that it shares PHI with (for example, an email provider).
As a therapist, you are the covered entity, and the email service you use is your business associate. The BAA is basically a written guarantee from the business associate that it will follow all HIPAA rules.
Escrow email is a system used to deliver secure end-to-end encrypted emails to a recipient who uses a potentially insecure email service. If you use escrow email, instead of receiving an email containing sensitive PHI in their inbox, your patients receive an email notifying them that an end-to-end encrypted message has been sent to them. To view this secure message, they log in to a web portal using credentials that you have previously established with them.
With escrow email, the intended recipient is the only person who can read the email, no matter how insecure their email service is. ProtonMail’s Encrypt for non-ProtonMail users feature is such an escrow email system.
A secure form is an online HTML form served over HTTPS (that is, protected by an SSL/TLS certificate), so sensitive information such as PHI is encrypted in transit to the form’s server, where it is decrypted and stored. Although popular with some therapists as a way for patients to submit details about themselves, similar results can be achieved using form-fillable PDF documents, which can be sent securely with escrow email.
Some HIPAA compliant email services offer the ability to create secure forms as a feature, but there are also plenty of stand-alone HIPAA compliant options available.
A therapist cannot treat a patient if that patient does not trust them with their thoughts and feelings. You can earn your patients’ trust by demonstrating to them that you take data security and privacy seriously.
ProtonMail is a HIPAA compliant email service developed by CERN scientists. It uses strong end-to-end encryption with email escrow to ensure your emails and any attachments remain private. We also use zero-access encryption: your emails are encrypted before they are stored on our servers, so only you and your intended recipient can read them. This encryption is done automatically in the background, making it easy for anyone to send or receive a securely encrypted email.
A signed BAA is available on request — just email email@example.com for assistance.
It is important for your business to protect your patients’ data, not just to be HIPAA compliant, but because it is the right thing to do. Your patients are entrusting you with sensitive, highly personal information, so it is your legal and moral duty to protect it. ProtonMail is the world’s most popular encrypted email service and is fully HIPAA compliant, making it a safe and convenient choice for therapists.
Yes. The HIPAA Privacy Rule recognizes the importance of involving a patient’s friends and family in their mental health treatment. Therapists may communicate with such individuals if they have the patient’s consent and believe that doing so is in the best interests of the patient.
Needless to say, any such communication must be done using secure HIPAA compliant channels. For example, using a HIPAA compliant email service.
Therapists are subject to the same rules and penalties as other covered entities. Please see What is a HIPAA violation? for more details. Using a HIPAA compliant email service such as ProtonMail helps to reduce the chances of an unintentional HIPAA violation occurring.
Escrow email is a way to send end-to-end encrypted messages to users of email services that are not end-to-end encrypted. To view a message sent in this way, they need to log in to a secure web portal using a password you have previously shared with them. ProtonMail’s Encrypt for non-ProtonMail users feature is such a system, and it allows the recipient to reply in a way that is also end-to-end encrypted.
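The escrow mechanism described above (and in the earlier section on escrow email) can be made concrete with the following Go program. It is an added example, not ProtonMail’s implementation (which uses OpenPGP), and it is a simplified model: a key is derived from the password shared with the patient using PBKDF2-HMAC-SHA256, and the message is encrypted with AES-256-GCM. The escrow service therefore holds only ciphertext plus public parameters, and the portal can decrypt only once the recipient supplies the password; a wrong password or a tampered record fails authentication rather than yielding garbage. The message text and password are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// KDFIterations is the PBKDF2 work factor (OWASP's current guidance for HMAC-SHA-256).
const KDFIterations = 600_000

// EscrowMessage is the record the escrow service stores and hands to the web portal:
// ciphertext plus the public parameters needed to re-derive the key. The password is
// never stored, so the record is opaque to the service itself.
type EscrowMessage struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256, written out here so the
// example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, uint32(block)))
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// gcmFor derives the 256-bit message key from the password and wraps it in AES-GCM.
func gcmFor(password string, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iter, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForEscrow runs on the sender's side. The password is agreed with the recipient
// out of band and never travels with the message or in the notification email.
func SealForEscrow(password string, plaintext []byte) (*EscrowMessage, error) {
	m := &EscrowMessage{Salt: make([]byte, 16), Iterations: KDFIterations}
	if _, err := rand.Read(m.Salt); err != nil {
		return nil, err
	}
	aead, err := gcmFor(password, m.Salt, m.Iterations)
	if err != nil {
		return nil, err
	}
	m.Nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(m.Nonce); err != nil {
		return nil, err
	}
	m.Ciphertext = aead.Seal(nil, m.Nonce, plaintext, nil)
	return m, nil
}

// OpenFromEscrow is what the portal runs once the recipient types the password. A wrong
// password or any modification of the stored record fails the GCM authentication check.
func OpenFromEscrow(password string, m *EscrowMessage) ([]byte, error) {
	aead, err := gcmFor(password, m.Salt, m.Iterations)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("wrong password or tampered message: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample message and password; no real PHI.
	msg, err := SealForEscrow("pelican-harbor-42", []byte("Your next appointment is Tuesday at 10:00."))
	if err != nil {
		panic(err)
	}
	_, wrong := OpenFromEscrow("wrong-password", msg)
	pt, _ := OpenFromEscrow("pelican-harbor-42", msg)
	fmt.Printf("stored: %d ciphertext bytes\nwrong password: %v\ncorrect password: %s\n", len(msg.Ciphertext), wrong, pt)
}
```

Note that where the decryption actually happens matters: if the portal decrypts server-side, the escrow service sees the password and the plaintext at that moment, so a real deployment decrypts in the recipient’s browser.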
Over the past year, a lot has happened that we have not always been able to share on our blog due to all the work going on. Recently, we have been focused on building a completely new version of ProtonMail for web and mobile (which you can preview at beta.protonmail.com). We’re also working on launching Proton Calendar and Proton Drive out of beta this year. But today, we wanted to share a few non-product updates.
As part of our increased European focus, we have recently become more active on public policy matters in Brussels, which is the seat of the European Union. Even though Switzerland is outside the EU, we have strong economic and business ties with the rest of Europe. A large portion of Proton’s users and employees come from the EU, and we also have offices in the EU.
Examples of the policy work we are now doing in the EU include our recent stance against anti-encryption proposals and our support for the Digital Markets Act. In line with both our culture of transparency and EU regulations, we are also now registered in the EU’s transparency register. Through our work with the EU, we hope to provide a voice for European citizens who are fed up with big tech abuses and government overreach into our private lives.
In 2015, Charles River Ventures (CRV) and Fondation Genevoise pour l’Innovation Technologique (FONGIT), made a small minority investment in Proton. Earlier this year, to align our shareholders with our ethos of putting users ahead of profits, the shares held by CRV have been transferred to FONGIT, a non-profit foundation. FONGIT’s mission is to foster sustainable economic development in Geneva, and it will also safeguard Proton’s Swiss identity. At the same time, we have also invited some of our individual users and supporters from Switzerland to become shareholders of Proton so that the community will be represented among Proton shareholders. As a result of these transactions, CRV has sold all the Proton shares that it previously held. Proton continues to be an independent company owned and controlled by our employees, who hold the vast majority of Proton shares.
All the way back in November 2019, we opened an office in Taipei, Taiwan. We intended to announce the office’s formal opening in February 2020, but after the COVID pandemic started, we decided to delay the announcement. One year later, COVID is still here, and so is our Taipei office, which has grown to become a major engineering and support office.
The main service that we provide, email, needs to be available 24/7, and having an office in Taipei allows us to reach 24/7 coverage because it helps cover the night shift in Europe. But it also gives us a presence in Asia, which is a critical frontier for internet privacy. Indeed, in 2020 and 2021, we have seen increased demand for ProtonMail and ProtonVPN in places like Hong Kong, Thailand, Myanmar, and Cambodia. Our presence in Taiwan allows us to better serve the Proton community in Asia.
We decided to locate Proton’s first Asian office in Taipei because Taiwan shares our deep belief in freedom and democracy. Taiwan ranks the highest among Asian countries in the Reporters Without Borders Press Freedom Index (even above the United States). Taipei also boasts a deep talent pool, and we look forward to better supporting the growing Proton community in Asia in the years to come.
For many years, Proton maintained a small outpost in San Francisco. This was done to assist with our 24/7 operations as San Francisco is 9 hours behind Switzerland, where we are headquartered. During the COVID pandemic, the small number of staff that we have in the US (2% of our total team) transitioned to working remotely on a permanent basis. As a result, we will no longer have a presence in Silicon Valley.
Last year, we asked the Proton community to help us select new datacenter locations. This was necessary because Proton is growing rapidly. Because of this growth, we had to move out of the Swiss bunker where ProtonMail was first hosted into a larger high-security datacenter in Zurich. We are quite different from most tech companies in that we do not use cloud service providers (such as Amazon Web Services) so that we can better safeguard our independence and the privacy of users’ data. We also do not rent servers or networks, preferring to own all of our hardware, operate our own networks (we are a member of RIPE and act as our own ISP), and own our IP addresses.
While we operated for many years solely out of Swiss datacenters (in Geneva and Zurich), this strategy poses several long-term risks, particularly as we roll out new bandwidth- and storage-intensive services such as Proton Drive. First, there is a lack of geographic diversity: placing all our servers in one country is essentially placing all our eggs in one basket, which reduces resilience. Second, Switzerland does not host any of Europe’s main internet exchange points, which limits bandwidth and adds latency.
To address these risks, we have opened a new datacenter in Frankfurt next to the DE-CIX, Europe’s largest internet exchange point. Frankfurt was the location favored by the overwhelming majority of the community, and we selected it for that reason. The fact that we use zero-access encryption on our servers (meaning the data we store is encrypted so that we cannot decrypt it) means your data (your messages, calendar events, files, etc.) will remain private wherever our servers are located. However, Switzerland remains our legal jurisdiction under international law, as Proton is a Swiss company and headquartered in Switzerland.
By opening this new datacenter, we expect to be able to provide even higher reliability and faster speeds for users around the world.
In the months to come, we look forward to bringing you more announcements about upcoming Proton products and service updates. And as always, we remain committed to maintaining the highest levels of integrity and putting your interests first.
The Proton Team
The post Complete guide to selecting a HIPAA compliant email service appeared first on ProtonMail Blog.
This article is part of a series discussing various aspects of HIPAA compliance. ProtonMail is the world’s largest secure email provider, used by millions to protect their messages. We provide HIPAA compliant email to thousands of organizations, and we created this guide to explain how to select the best HIPAA compliant email provider for your organization.
The United States’ Health Insurance Portability and Accountability Act (HIPAA) is a complex set of laws that secures patients’ protected health information (PHI). All entities that have any contact whatsoever with PHI are required to be HIPAA compliant.
The regulatory body that oversees HIPAA, the Department of Health and Human Services (HHS), divides such entities into covered entities (primary healthcare providers) and their business associates (see What is HIPAA Compliance? for more details).
Covered entities can exchange relevant PHI with other covered entities and business associates so long as the information is communicated in a HIPAA compliant way.
Any third-party service used to facilitate this communication (such as an email provider) is considered a business associate and must itself be HIPAA compliant.
According to the Office for Civil Rights, the Security Rule requires covered entities to “implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to EPHI [electronic PHI]”.
Covered entities must carefully assess how they access the internet and how they plan to protect EPHI as it is transmitted. Once they select a solution, they must document the decision. So covered entities can send EPHI over the internet as long as adequate protections are in place.
There is no formal certification for HIPAA email compliance, so the main measure of whether an email service is HIPAA compliant is whether it follows all the regulations in the HIPAA Privacy Rule and the HIPAA Security Rule.
The Security Rule includes several provisions that are important for email HIPAA compliance:
You should consider the following security factors in your evaluation of whether an email service you’re considering satisfies the provisions outlined above.
Note that the recipient’s email service must also support TLS, or the data will be exposed in plaintext on that hop. This is unlikely to be a problem if the recipient’s email provider is also HIPAA compliant. A good email service uses certificates from trusted certificate authorities and configures TLS with modern settings (TLS 1.2 or 1.3 with forward-secret ECDHE key exchange and AES-GCM cipher suites); the obsolete SSL protocol versions should be disabled entirely.
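Both this paragraph and the therapist article’s section on TLS in transit say the sender cannot know whether the recipient’s server will use TLS. MTA-STS (RFC 8461) is the mechanism that closes that gap: the receiving domain publishes a policy naming its MX hosts and stating whether TLS is required, and the sending server consults it before relaying. The Go program below is an added example, not code from ProtonMail or from this article. It parses a constructed policy for the fictional domain example.com, matches MX hostnames against it (including the one-label wildcard rule), and returns the delivery decision a sender would make, in particular refusing to fall back to plaintext in enforce mode. Fetching the policy over HTTPS and the `_mta-sts` DNS TXT record are left out so that it runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// StsPolicy is a parsed MTA-STS policy (RFC 8461): the file a receiving domain
// publishes at https://mta-sts.<domain>/.well-known/mta-sts.txt to announce its
// MX hosts and whether TLS to them is required.
type StsPolicy struct {
	Version string
	Mode    string   // "enforce", "testing" or "none"
	MX      []string // MX host patterns, e.g. "mail.example.com" or "*.example.com"
}

// SamplePolicy is a constructed policy for the fictional domain example.com.
const SamplePolicy = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.mx.example.com\nmax_age: 604800\n"

// ParseStsPolicy reads the "key: value" lines of a policy file; unknown keys
// (such as max_age here) are ignored, as the RFC requires.
func ParseStsPolicy(text string) (*StsPolicy, error) {
	p := &StsPolicy{}
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("malformed policy line %q", line)
		}
		switch key, val = strings.TrimSpace(key), strings.TrimSpace(val); key {
		case "version":
			p.Version = val
		case "mode":
			p.Mode = val
		case "mx":
			p.MX = append(p.MX, strings.ToLower(val))
		}
	}
	if p.Version != "STSv1" || (p.Mode != "enforce" && p.Mode != "testing" && p.Mode != "none") {
		return nil, fmt.Errorf("unsupported version %q or mode %q", p.Version, p.Mode)
	}
	if p.Mode != "none" && len(p.MX) == 0 {
		return nil, fmt.Errorf("mode %q but no mx entries", p.Mode)
	}
	return p, nil
}

// MXMatches reports whether an MX hostname is covered by one policy pattern. A leading
// "*." matches exactly one DNS label (RFC 8461 section 4.1): "*.example.com" covers
// "mx1.example.com" but not "a.b.example.com" or "example.com".
func MXMatches(pattern, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(pattern, "*.") {
		return host == pattern
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// Decision is what the sending server does with a message for one MX host.
type Decision string

const (
	DeliverTLS    Decision = "deliver over verified TLS"
	Opportunistic Decision = "deliver; TLS if offered, otherwise plaintext"
	Refuse        Decision = "refuse: policy requires verified TLS to a listed MX"
)

// DecideDelivery applies the policy to one MX host; tlsOK means STARTTLS was negotiated
// with a certificate valid for that host. No policy or mode "none" means plain
// opportunistic STARTTLS; "testing" only reports failures (TLSRPT, RFC 8460); "enforce"
// refuses to fall back to plaintext or to an MX the policy does not list.
func DecideDelivery(p *StsPolicy, mxHost string, tlsOK bool) Decision {
	if p == nil || p.Mode == "none" {
		return Opportunistic
	}
	for _, pat := range p.MX {
		if MXMatches(pat, mxHost) && tlsOK {
			return DeliverTLS
		}
	}
	if p.Mode == "enforce" {
		return Refuse
	}
	return Opportunistic
}

func main() {
	p, err := ParseStsPolicy(SamplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println("listed MX, TLS verified:", DecideDelivery(p, "mail.example.com", true))
	fmt.Println("listed MX, TLS failed:  ", DecideDelivery(p, "mail.example.com", false))
	fmt.Println("unlisted MX, TLS ok:    ", DecideDelivery(p, "mail.attacker.example", true))
}
```

The unlisted-MX case is the one worth noticing: a spoofed MX record pointing at an attacker’s server that happily offers TLS is still refused, because the policy, not the DNS answer, decides where mail may go.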
The National Institute of Standards and Technology (NIST) is a non-regulatory US government agency that develops security and encryption standards and guidelines for federal systems. The Advanced Encryption Standard (AES) is the NIST-standardized symmetric cipher (FIPS 197); there is no known practical attack on the cipher itself, so the real risks lie in implementation and key management. NIST recommends key sizes of at least 128 bits. Bear in mind that HIPAA protects an individual’s PHI for 50 years after their death, so stored EPHI must remain protected for at least that long.
Although not strictly required for HIPAA compliance, end-to-end encryption ensures that only the intended recipient can access the emails you send. This means that even the email service you use can’t access E2EE emails stored on its servers.
A good HIPAA compliant email provider will have total control over its own servers and robust physical security measures in place to prevent unauthorized access to its servers.
It is important that when a contract between a covered entity and its business associate email provider ends, all data stored on the email provider’s servers is securely deleted. The email service also must destroy all printed reports or paper copies.
ProtonMail is a HIPAA compliant email service developed by CERN scientists. It uses OpenPGP end-to-end encryption to ensure that only authorized personnel within your organization and your business associates can access PHI data.
A good HIPAA compliant email service should protect PHI in the following ways:
Only authorized individuals should be able to access EPHI, so email accounts require strong access control. A good HIPAA compliant email service should require that users deploy strong passwords and two-factor authentication to secure their accounts.
Although technically not mandatory, encrypting a message while it is in transit to an email server and while it is stored on a server is, in reality, the only way to maintain HIPAA compliance. End-to-end encryption, where the email is encrypted all the way to the recipient’s inbox, even when they use an insecure third-party email service, is highly recommended.
It is important that the recipient of an email containing PHI can be confident that the email was not modified in transit and that the sender is genuinely who they claim to be. OpenPGP and S/MIME allow the sender to digitally sign emails. A valid signature binds the message to the sender’s key, which establishes authenticity, and provides data integrity: if the email has been tampered with in any way since it was signed, verification fails. Signing alone does not hide the contents, however; confidentiality still requires encryption.
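The following Go program is an added example, not part of the original article nor of OpenPGP or S/MIME themselves. It uses Ed25519 detached signatures (one of the algorithms OpenPGP supports, standing in here for the full PGP/MIME or CMS packaging) to show what the integrity check described above does and does not do. The signed bytes cover the From, To and Subject headers as well as the body, with line endings normalised to CRLF: a relay that rewrites line endings does not break a legitimate signature, while any change to the body or headers, or a signature made under a different key, fails verification. The addresses and message text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// SignedEmail holds the fields a detached signature covers plus the signature itself.
// Real OpenPGP/S/MIME signatures wrap this in PGP/MIME or CMS structures; this model
// keeps only what is needed to show what verification catches.
type SignedEmail struct {
	From, To, Subject, Body string
	Signature               []byte
}

// NewSigningKeys generates a fresh Ed25519 key pair. In a real deployment this is the
// sender's long-term identity key, whose public half recipients obtain beforehand.
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical returns the exact bytes that are signed. Header fields are included so a
// change to Subject or From is detected, and the body is normalised to CRLF so a relay
// that rewrites line endings does not invalidate an honest signature.
func canonical(m *SignedEmail) []byte {
	body := strings.ReplaceAll(m.Body, "\r\n", "\n")
	body = strings.ReplaceAll(body, "\n", "\r\n")
	return []byte(fmt.Sprintf("from:%s\r\nto:%s\r\nsubject:%s\r\n\r\n%s", m.From, m.To, m.Subject, body))
}

// SignEmail attaches a detached signature over the canonical form of the message.
func SignEmail(priv ed25519.PrivateKey, m *SignedEmail) {
	m.Signature = ed25519.Sign(priv, canonical(m))
}

// VerifyEmail reports whether the signature is valid for this message under pub.
// Note that a valid signature says nothing about confidentiality: the body is plaintext.
func VerifyEmail(pub ed25519.PublicKey, m *SignedEmail) bool {
	return ed25519.Verify(pub, canonical(m), m.Signature)
}

func main() {
	pub, priv := NewSigningKeys()
	// Constructed sample message; no real PHI.
	m := &SignedEmail{From: "dr.smith@clinic.example", To: "patient@mail.example",
		Subject: "Appointment", Body: "See you Tuesday at 10:00.\n"}
	SignEmail(priv, m)
	fmt.Println("as sent:         ", VerifyEmail(pub, m))

	relayed := *m // a relay rewrote LF to CRLF: still verifies
	relayed.Body = strings.ReplaceAll(m.Body, "\n", "\r\n")
	fmt.Println("CRLF rewritten:  ", VerifyEmail(pub, &relayed))

	tampered := *m // body altered in transit: fails
	tampered.Body = "See you Wednesday at 10:00.\n"
	fmt.Println("body altered:    ", VerifyEmail(pub, &tampered))

	spoofed := *m // header altered: fails
	spoofed.From = "billing@clinic.example"
	fmt.Println("From altered:    ", VerifyEmail(pub, &spoofed))
}
```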
Technically speaking, encryption is not a mandatory requirement under the Security Rule. It is classed as “an addressable implementation specification,” which means a covered entity or business associate must either implement it, implement an equivalent alternative safeguard, or document why encryption is not reasonable and appropriate in its environment and what it does instead.
A large part of the reason that encryption was not made mandatory was a recognition of the fact that security challenges and the standards developed to meet them change so fast that legislation needs to be flexible if it is to keep up with new developments in the security field.
In the context of emails, a HIPAA compliant entity must perform a risk analysis to decide if encryption is necessary. This plan must assess all threats to the confidentiality of emails sent over the internet and describe the measures that it will take to address these risks.
In practical terms, it is very difficult to do this without encrypting all messages. HIPAA does not specify any formal requirements for the encryption that must be used for email to be HIPAA compliant, but it must meet the standards detailed in the NIST guidelines on email security.
The most common ways in which the use of email can violate HIPAA regulations are:
The HHS states that patients are permitted to initiate unencrypted email communication with HIPAA compliant entities, but if “the provider feels the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.”
HIPAA compliant entities should therefore take great care to alert patients who communicate by email of the potential risks this poses to their PHI. These entities should receive a clearly expressed preference (or at least consent) to communicate by email from the patient before they proceed.
As discussed above, email providers have contact with PHI and so must sign a BAA guaranteeing that they comply with HIPAA regulations. End-to-end encrypted email services should be unable to access any emails from their own customers, but there is no guarantee that a patient will enable end-to-end encryption when sending an email. Entering text into email clients before it is encrypted is also a grey area.
Obtaining a signed BAA from your email provider is easy to do, so there is never an excuse for not doing it.
Although a signed BAA from your email provider is essential, it is not enough to make you HIPAA compliant. The BAA only guarantees that your email provider will store your email in a secure and HIPAA compliant way. It does not protect PHI when it is transmitted via third-party email providers (for example, the ones used by your patients).
As discussed above, you can maintain HIPAA compliance by receiving patient consent to send them emails, and the use of fully end-to-end encrypted email services can help address this issue. It is important, however, to be aware of this issue and make appropriate contingency plans for it.
In addition to technical safeguards, it is important to have administrative systems in place to ensure that EPHI is never leaked via email. These systems can include regular internal analysis and checks on policy updates. They can also include practices such as only divulging the minimum amount of PHI required to perform a given task.
HIPAA also requires physical safeguards for PHI, which in relation to email, primarily means that workstations are secured behind locked doors and that extra care is taken to secure laptops and other devices in public spaces.
Technical and administrative safeguards are all well and good, but they are of little use if staff don’t use them, or don’t know how to. Staff should be fully trained in all aspects of keeping email communication containing PHI secure.
Probably the biggest potential “Oh no!” moment when dealing with HIPAA compliant email is the realization that you sent EPHI to the wrong person. Any such violation should be fully documented, and measures should be taken to mitigate the situation and ensure it never happens again.
Another common simple mistake is unintentionally sending EPHI via insecure email. A strategy often employed by covered entities and business associates is to not send PHI via email at all. In theory, this removes the need to use a HIPAA compliant email service.
It is, however, all too easy to include PHI in emails, either by accident or because you are unaware that information such as personal contact details and payment details are PHI.
There are several encrypted messaging options that can help you achieve HIPAA compliance. However, given the sensitivity of EPHI, you want to be certain that the solution you choose inspires confidence in your patients. By selecting an easy-to-use email service that meets the criteria listed above, you will be HIPAA compliant and show your patients you take protecting their personal data seriously.
Founded by MIT and CERN scientists, ProtonMail is the world’s largest open source and end-to-end encrypted email service.
With a ProtonMail Professional account, you can create custom domain email addresses for your organization, and multiple user control levels and account types let you easily administer your organization and fine-tune security settings.
ProtonMail supports two-factor authentication, and can be accessed via any web browser, through its Android and iOS apps, or using a third-party email client, such as Outlook, Thunderbird, or Apple Mail.
ProtonMail is fully HIPAA compliant:
1. Ensure that your email service is HIPAA compliant
2. Sign a BAA contract with them.
3. Configure your email correctly. This is not usually a concern when using ProtonMail, as all email is end-to-end encrypted until it leaves our service. Although not difficult, a little extra care is always good when sending end-to-end encrypted emails to external recipients using PGP or ProtonMail’s end-to-end encrypted email system for non-ProtonMail or PGP users.
Other email services may require a more complex setup before emails can be sent in a HIPAA compliant manner.
4. When sending emails containing PHI to recipients who use insecure third-party email services, always take great care to ensure they provide informed consent before doing so.
5. Retain all emails. The HIPAA Privacy Rule establishes a patient’s right to demand access to their own PHI, so it is important to maintain an archive of all emails in order to comply. Although HIPAA does not specify a time limit for data retention, many US state laws do. In general, a retention policy of at least 6 years is recommended.
Yes, but robust measures must be taken to ensure PHI sent by email is protected in accordance with the Security Rule. A key element of this is using a HIPAA compliant email service.
You should always bear in mind, however, that the recipient’s email service may not be secure. If a patient consents, you can send PHI to them by email anyway, but you should first ensure they know the implications of doing this and are aware of alternative options.
Strictly speaking, no. But in practice, yes. If encryption is not used, then the covered entity or business associate must fully explain their reasoning and document the measures it used instead. It is very hard for an email service to be HIPAA compliant without encryption.
No. The provider must implement technical, administrative, and physical safeguards to ensure PHI is secure on its service. Covered entities and business associates must ensure that EPHI sent by email cannot be deliberately accessed by any unauthorized person.
The post Complete guide to selecting a HIPAA compliant email service appeared first on ProtonMail Blog.
Over the past two weeks, Microsoft clients using its Exchange servers, which includes tens of thousands of government agencies and private corporations around the world, have fallen victim to a series of hacks that have compromised their data. The breach started with a group of state-sponsored hackers attributed to China known as Hafnium, but more and more actors jumped into the fray after some of the exploits became public.
This is a serious breach that has exposed private user data as well as corporate and state secrets, materially damaging many small and medium-sized businesses and undermining trust in many government agencies. It is also a prime example of how the current approach to user privacy and security is failing.
March 2: Microsoft announced that hackers, dubbed Hafnium, were using multiple 0-day exploits (i.e., previously undiscovered vulnerabilities) to remotely access its Exchange servers and steal data from its corporate and government users.
Essentially, these hackers took three steps and exploited four separate vulnerabilities:
Microsoft responded by releasing emergency security patches for the affected systems (Exchange Server 2013 through 2019) and also sent out a free patch for Exchange Server 2010, suggesting these vulnerabilities may have existed for the past 10 years.
Two weeks after Microsoft’s initial announcement, experts estimated there were still tens of thousands of Microsoft Exchange Servers that needed to be patched. Furthermore, state-sponsored hackers had already begun exploiting sensitive systems well before Microsoft became aware of the problem.
March 11: Microsoft detected that some of the servers compromised by Hafnium were being infected by a new type of ransomware known as DearCry.
Multiple attackers began exploiting the same vulnerabilities as Hafnium to gain access to Microsoft Exchange Servers. They committed various attacks, including DearCry, which makes copies of target files, encrypts those copies, and then deletes the originals.
March 11 to March 15: The number of daily attacks attempted on Microsoft Exchange Servers increased tenfold, from roughly 700 to over 7,200.
Experts estimate that almost 60,000 organizations (and maybe even more) could have been affected, ranging from small and medium-sized businesses up to the European Banking Authority. The majority of the DearCry attacks have focused on government and military organizations, followed by manufacturing and financial services, while the most attacked country has been the US, followed by Germany and the UK.
Almost every major technology company has had significant security incidents in the past. Microsoft itself also has a long history of security vulnerabilities in its products. The lesson to take away from these attacks’ success is not that these organizations are negligent or incompetent, but that security is hard.
In this incident, Microsoft was not attacked directly, but rather, hackers went after tens of thousands of organizations that run Microsoft Exchange software for their email. Regardless of whether it is Google, Microsoft, or their customers, cybersecurity is a form of asymmetric warfare.
Defenders must protect all possible entry points, while attackers only need to find a single weakness to get in.
A successful defense therefore needs to have multiple layers of security so that if one layer is breached, successive layers can keep attackers away from sensitive business data. When it comes to email, ProtonMail achieves this by utilizing zero-access encryption.
Whenever possible, ProtonMail encrypts an organization’s email on the client side. Even emails received from outside of an organization are encrypted before they are saved. The encryption is done in a way that prevents even ProtonMail itself from having the means to independently decrypt user data. This adds an extra layer of security because breaching a ProtonMail server does not necessarily expose user emails. Unlike in the case of Microsoft Exchange (or Gmail or any other regular email service that does not utilize zero-access encryption), a hacker would still need to find a way to decrypt the messages.
ProtonMail’s security model has prepared for a breach by investing in a technology that applies an extra layer of encryption to all messages on our servers.
Our zero-access encryption means we cannot access or read any user’s messages. Hackers cannot steal from us what we do not have access to. So even if ProtonMail ever were to be breached, a successful data exfiltration attack would be far harder to execute.
So why don’t all companies protect their users’ data with end-to-end or zero-access encryption? For one, strong encryption is difficult to do. The technology that underpins ProtonMail required years of research and work and was developed by scientists from CERN under the scrutiny of the open source community and independent security audits.
Then, there is also the issue of the business model a company uses. Corporations like Google make money by exploiting user data to sell ads. This is incompatible with technologies that prevent them from accessing user data, even if they are more secure.
This is not the first major security breach, nor will it be the last. And there is no reason to single out Microsoft. In fact, such an incident would have been exponentially worse if it had happened to Google or Facebook due to the significantly larger amounts of sensitive personal information stored by those companies. Protecting against risks like this is one of the reasons that millions of individuals and small and medium-sized businesses have switched to ProtonMail.
Proton relies on user subscriptions for revenue, not on leveraging our users’ data or selling access to advertisers. This makes us relatively rare among tech companies in that we do not need to access or abuse our users’ data for our business model to work. It’s not just better for privacy, it is better for security. We believe that this approach leads to a better internet that serves the interest of all people.
Our vision is to make privacy the default on the internet through strong encryption, within ProtonMail and beyond it. We are extending this approach to new services, applying similar protection to your schedule and files with the recently released beta versions of Proton Calendar and Proton Drive.
Sign up now and take a step toward an internet that puts protecting your data first.