This week we continue our look back at some of the year’s biggest cyber stories in our final cyber wrap for 2016!
China finally adopted its controversial new cybersecurity law on 7 November, much to the dismay of the international community. The law states that companies must provide ‘technical support’ and data access to the government on matters of crime and national security, the vague definition of which has led to concerns that encryption back doors will be demanded. Any data gathered by companies in China will now have to be stored in-country—a requirement known as data-localisation—and companies will be subject to invasive security certification processes, which some believe could pose a threat to intellectual property rights. Despite official denials from the Chinese Foreign Ministry, such concerns sparked an outcry from the international business community and a petition to Premier Li Keqiang from more than 40 global business groups.
The legislation also requires real-name registration for instant messaging services and criminalises online content that undermines ‘national honour’ or subverts China’s sovereignty. Online privacy advocates are worried that the law will further repress freedom of online expression in China, and lead to increasing self-censorship. The implementation rules are still to be formulated, and are expected to come into force on 1 June 2017. Watch this space.
Privacy and data protection took a front seat in the European debate in 2016. The new US–EU data sharing agreement, Privacy Shield, was agreed in June this year. The agreement regulates the transatlantic transfer of EU data by US companies, in place of the ‘Safe Harbour’ model that was struck down last October by the European Court of Justice. The scheme features ‘a number of additional clarifications and improvements’ in response to concerns about US mass surveillance of European citizens. The new data transfer pact, designed by the US Department of Commerce and the European Commission and including stronger restrictions, was brought into force on 12 July.
Europe’s data protection focus continued with a string of crackdowns on various corporations. Microsoft received a formal notice in July for collecting ‘excessive’ user data through Windows 10 and failing to comply with the French Data Protection Act. The Chair of the National Data Protection Commission, France’s privacy watchdog, accused the company of continuing to transfer data to the US under the provisions of the old Safe Harbour agreement.
Privacy feathers were also ruffled in August when WhatsApp announced a new information sharing deal with Facebook, involving the disclosure of user phone numbers. However, 28 European data protection authorities pushed back with an open letter to WhatsApp’s CEO. This protest, along with investigations in the UK, France and Italy, prompted Facebook to stop collecting WhatsApp user data from its European customers. Other companies, including Google, also had run-ins with European privacy regulators this year, and the continent’s focus on data protection is likely to continue into 2017.
The rift between the US government and Apple over access to the iPhone used by Syed Farook, one of the San Bernardino attackers, became the focal point of the encryption debate this year. US law enforcement’s push for Apple to build a back door into the smart phone was resisted and described by Apple CEO Tim Cook as dangerous government ‘overreach’. But in an unexpected twist, the Department of Justice revealed that a third party had provided an alternative method to access Farook’s phone data that ultimately rendered Apple’s cooperation unnecessary.
The divisive court case prompted the release of controversial draft legislation intended to outlaw end-to-end encryption, and the creation of a bipartisan encryption working group under the House Judiciary Committee and House Energy and Commerce Committee. The group just released its year-end report, concluding that ‘any measure that weakens encryption works against the national interest’, laying the groundwork for further debate next year.
Russian efforts to influence the US Presidential election campaign caused a major splash this year. The media coverage was dominated by the leak of Democratic National Committee (DNC) donor lists and opposition research by supposed lone-hacker Guccifer 2.0 and the dissemination of more than 20,000 confidential DNC emails via Wikileaks. In October, the US Intelligence Community released a statement that it was ‘confident’ that the Russian government was behind these incidents, which were allegedly designed to undermine Hillary Clinton’s candidacy and ensure a more Putin-friendly administration under Donald Trump. While Trump continues to dismiss the intel agencies’ conclusion as a ‘laughing point’, President Obama is pushing in the opposite direction, suggesting that Russian President Vladimir Putin had a direct hand in these operations and ordering a full investigation into the issue. The US has been criticised for its lack of response to these incidents and Obama says the US will respond ‘at a time and place of our own choosing’. The key question is how these tensions will play out under the new Trump administration.
There are a whole range of interesting cyber developments on the horizon so be sure to follow ICPC’s commentary in 2017. See you next year!