The encrypted-email company, popular with security-conscious users, has a plan to go mainstream.

Since its founding in 2014, ProtonMail has become synonymous with user-friendly encrypted email. Now the company is trying to be synonymous with a whole lot more. On Wednesday morning, it announced that it’s changing its name to, simply, Proton—a nod at its broader ambitions within the universe of online privacy. The company will now offer an “ecosystem” of linked products, all accessed via one paid subscription. Proton subscribers will have access not just to encrypted email, but also an encrypted calendar, file storage platform, and VPN.

This is all part of CEO Andy Yen’s master plan to give Proton something close to a fighting chance against tech giants like Google. A Taiwanese-born former particle physicist, Yen moved to Geneva, Switzerland, after grad school to work at CERN, the nuclear research facility. Geneva proved a natural place to pivot to a privacy-focused startup, thanks to both Switzerland’s privacy-friendly legal regime and to a steady crop of poachable physicists. Today, Yen presides over a company with more than 400 employees and nearly 70 million users. He recently spoke to WIRED about the enduring need for greater privacy, the dangers of Apple's and Google's dominance, and how today’s attacks on encryption recall the rhetorical tactics of the War on Terror.

This interview has been condensed and lightly edited.

**WIRED: You're in the online privacy business. To start super broadly, how do you define privacy?**

**Andy Yen**: These days, all Google and Apple and Big Tech talk about is privacy, so the best way to give our definition is to give the contrast. The way Google defines privacy is, “Nobody can exploit your data, except for us.” Our definition is cleaner, more simple, and more authentic: Nobody can exploit your data—period. We literally want to build things that give us access to as little data as possible. The use of end-to-end encryption and zero-access encryption allows that. Because fundamentally, we believe the best way to protect user data is to not have it in the first place.

**If you ask someone, “Would you like more privacy or less?” they always say more. But if you watch how people actually behave, for most people, data privacy is not a very high priority. Why do you think that is?**

Privacy is inherent to being human. We have curtains on the windows, we have locks on our doors. But we tend to disconnect the digital world from the physical world. So if you take the analogy of Google, it's someone that's following you around every single day, recording everything that you say and every place you visit. In real life, we would never tolerate that. On the internet, somehow, because it's not visible, we tend to think that it's not there. But the surveillance that you don't notice tends to be far more insidious than the one that you do.

**Your company has come out in support of reforms to strengthen antitrust enforcement. But a lot of people argue that privacy and competition are in conflict. Apple will say, “If you force us to allow more competition on the platform that we run, then that will reduce our control over the security and the privacy of the user. So if you make us increase competition, that will bring privacy down.” And then you see the flip side of the argument, which is when Apple or Google implements some new privacy feature that may hurt competitors. How do you think about these potential conflicts?**

What Apple is basically claiming is, you need to let us continue our use of app store practices because we're the only company in the world that can get privacy right. It’s an attempt to monopolize privacy, which I don’t think makes any sense.

If you look at the FTC lawsuit against Facebook, the theory is that privacy and competition are two sides of the same coin. If you're not happy with Facebook's privacy practices, what is the alternative social media that you can go to other than Facebook and Instagram? You don't really have that many options. We need more players out there. If they had to compete, then competition would force privacy to be a selling point.

The same is true for other services that we offer. Today, Google controls the Android operating system, which is used by the majority of people, and they can preload all their applications as a default on your user devices. So they have a massive advantage already because users don't change the defaults. So even though their privacy practices are quite terrible for most people, there's no real pressure to change it because the alternatives don't really exist. And if they do exist, Google's able to hide them, because they set the defaults on their devices. So if you want to fix the privacy issue, the best way to do it is to have more competition, because then there will be user choice, and users tend to choose what is more private, because, as you said, everybody wants more privacy.

**Europe’s new Digital Market Act has a controversial section requiring the biggest messaging platforms to let competitors interoperate with them, while still preserving end-to-end encryption. But quite a lot of people** **argue** **that you can't actually do both of those things. So here's a place where privacy and competition really do seem to be conflicting with each other technologically.**

I have to say, this has been around since the early '90s. PGP is basically interoperable encryption, based on the email standard. So it may not be technologically the easiest to do. But to say it’s technologically impossible is also not correct.

**Another EU proposal** **would require companies to implement methods of detecting child sex abuse material, or CSAM, on their platforms. People are very alarmed about the implications of that for encryption.**

We're still in the process of analyzing it, so I can’t comment specifically on the details of the proposal. But these proposals are not new. In fact, they've been coming up in various forms over the past decade. What is novel and different this time is that these proposals used to be packaged under “terrorism.” Now, they’re packaged under CSAM. It was very clever to repackage this idea into a topic that is even more toxic, which makes informed debate difficult. Obviously, CSAM is a horrible problem, something that the world is better without. But a wholesale attack on encryption can have unforeseeable consequences that are not always completely understood or considered by the drafters of these proposals.

**Do you think that this** _**is**_ **a wholesale attack on encryption, though? The people making these proposals say, “We're not attacking encryption. You just have to figure out a way to monitor for CSAM.”**

Well, there is really no practical way in today's technology to do that in a way that doesn't weaken encryption.

**The analogy to terrorism is interesting because, during the Bush-era War on Terror, there was a sense of literally anything being justified in the name of stopping terrorism. The US government was secretly spying on its own citizens. It was really hard to argue that we have to accept that some terrorism is going to happen. It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.**

If there was no privacy in the world, that world would be more “secure.” But that world does exist; it's called North Korea. And the people that live there probably don't feel very secure. As a democracy, you have to strike the right balance. The balance is not total mass surveillance of everybody, because we know that there are serious consequences to democracy and freedom as a result of that. It's not easy to find the right balance. But during the Bush years, with terrorism, I think they went to an extreme that really was a backsliding on democracy. And this is something that we need to avoid.

**But then on the flip side,** **you read stories** **about law enforcement catching really bad criminals, and in a lot of those stories, if that person had used a Tor browser and a ProtonMail account and a VPN, and so on, they might not have been caught. Do you ever worry about a future where all the bad guys get smart enough to use the best privacy tools, and it becomes too easy to evade the legal system entirely?**

Well, encryption and privacy technologies are what I would call dual-use. What is law enforcement also concerned about these days? People’s information being stolen, sensitive communications being hacked, emails of political campaigns being stolen by state actors and disseminated to shift the political balance. In order to prevent all of those potential ills, you need privacy, encryption, and good security. So, the same tools that people in law enforcement criticize are actually the same things that are shielding a lot of the internet ecosystem and the economy from a disastrous outcome. If you were to weaken or prohibit all of these security tools and privacy tools, then you would open the floodgate to a massive amount of cybercrime and data breaches.

**Proton has grown a lot over the years, but it’s still basically a rounding error compared to something like Google. We’ve talked about competition from a regulatory perspective, but on a practical level, how do you even try to compete with your massive rivals?**

The current plan is the launch of the Proton ecosystem. It's one account that gives you access to four privacy services: Proton Mail, Proton Calendar, Proton Drive, and Proton VPN. One subscription that gives you access to all those services. It's the first time anybody has taken a series of privacy services and combined them to form a consolidated ecosystem. That doesn't match all of Big Tech’s offerings, of course. But I think it provides, for the first time, a viable alternative that lets people say, “If I really want to get off of Google, I can now do it, because I have enough components to live a lot of my daily life.” For the first time, you’ll have a privacy option that’s not fully competitive with Google, but reasonably competitive, and that will start to break the dam. I don't know how it will go, but I think this is the future of privacy, and that’s why we're doing it.

**This is probably the first time I have ever thought about having an encrypted calendar.**

A calendar is essentially a record of your life: everybody you've met, everywhere you’ve been, everything that you have done. It's extremely sensitive. So you don't intuitively think about protecting that, but actually, it's essential.

**And by making that encrypted, who am I protecting that information from?**

Maybe it's the government requesting information on you. Maybe it's a data leak. Maybe it's a change in business model of your cloud provider at some point in the future that decides that they want to monetize user data in a different way. Your data is just one acquisition away from going across the border to a country that you didn't expect when you signed up for the service.

**Right. Elon Musk is about to own all my Twitter DMs.**

Exactly right. And with end-to-end encryption, no matter what happens, it's your data; you control it. It's just a mathematical guarantee.

**But what if I move all my stuff to the Proton ecosystem, and then like four years from now, you go out of business? What happens to my stuff?**

Proton has been around for eight years now. In the tech space, that's a long time. I think an indicator of what is sustainable in the long term is alignment between the business and the customers. Our business model is simple: Premium users pay us to keep theie data private, and our only incentive is to keep it private. Sometimes the easiest and simplest models are the ones that are the most durable. I strongly believe that Proton will be a company that outlives us.

Proton Is Trying to Become Google—Without Your Data

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.

The list of bugs is as follows -

*   **CVE-2022-22784** (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings
*   **CVE-2022-22785** (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
*   **CVE-2022-22786** (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
*   **CVE-2022-22787** (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

Fratric dubbed the zero-click attack sequence as a case of "XMPP Stanza Smuggling," adding "one user might be able to spoof messages as if coming from another user" and that "an attacker can send control messages which will be accepted as if coming from the server."

At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.

Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.

While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.

The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory content in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom's macOS app.

Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

CVE-2022-31263: Release v3.5.0 · mastodon/mastodon

An analysis from Google TAG shows that Android zero-day exploits were packaged and sold for state-backed surveillance.

At least eight governments around the world have purchased a package of Android zero-day exploits from a company called Cytrox and are using them to install spyware on targets' mobile phones. The development highlights the sophistication of off-the-shelf surveillance offerings, according to a recent report. 

Google's Threat Analysis Group (TAG) said that by taking advantage of the time difference that keep some systems from being updated for hours after patches were released, the Cytrox exploits allowed governments to target Android users with malware to record audio, add CA certificates, and hide apps, Google's TAG said.

The report explained that the governments of Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain are confirmed to have used the Cytrox exploits in at least three state-backed campaigns, adding there are likely others. 

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," the TAG report said, adding that the group is currently tracking more than 30 additional surveillance vendors with the capability of selling tools to state-backed actors. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Multiple Governments Buying Android Zero-Days for Spying: Google

By Deeba Ahmed
Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and…
This is a post from HackRead.com Read the original post: Predator Spyware Using Zero-day to Target Android Devices

Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and Chrome.

On Thursday, May 19th, Google’s Threat Analysis Group (TAG) reported that spyware developer/vendor Cytrox had developed exploits against five zero-day vulnerabilities to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

**0-days used with n-days to Deploy Spyware**

The exploits are developed for four Chrome 0-days and one Android 0-day flaw. In their blog post, TAG researchers Clement Lecigne and Christian Resell explained that the 0-days are used in conjunction with n-day exploits.

Moreover, the attackers are trying to benefit from the time difference between the patching of some critical bugs, which weren’t declared severe security issues, and “when these patches were fully deployed across the Android ecosystem.”

**Spyware Details**

According to Google, the North Macedonian-based commercial surveillance firm Cytrox has packaged and sold the exploits to different state-backed threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.

It is alleged that the buyers have used these bugs in at least three campaigns so far. The Predator spyware is similar to NSO Group’s Pegasus spyware, allowing threat actors to penetrate Android and iOS devices.

**About the Three Campaigns using Predator**

TAG examined three campaigns and concluded that attackers send one-time URLs to Android users through spear-phishing emails. These links are shortened using a common use URL shortener while the attackers target only a handful of victims. When users click on this malicious URL, they are redirected to a malicious webpage that automatically deploys the exploits and redirects them to a legitimate website.

Once there, the attackers deploy Alien Android malware that loads Cytrox’s Predator. In case the shortened link doesn’t work, the victim is directly taken to the legit website.

**List of Exploits**

Here’s the list of the 0-day flaws exploited by attackers in Chrome and Android:

*   CVE-2021-1048
*   CVE-2021-37973
*   CVE-2021-37976
*   CVE-2021-38000
*   CVE-2021-38003

The primary aim of attackers behind this operation is distributing Alien malware that is a precursor for deploying Predator spyware onto infected devices. It receives commands from Predator through an IPC (inter-process communication) mechanism and can record audio, hide apps, and add CA certificates to evade detection.

The first campaign was launched in August last year on Google Chrome, targeting the Samsung Galaxy S21 device. One month later, the second campaign targeted an updated Samsung Galaxy S10, while the third was detected in October 2021.

**More Android Spyware News**

1.  Fake Android Banking Apps Stealing Credentials Via Malware
2.  BRATA Android malware factory resets phones after stealing funds
3.  TangleBot Android malware hijacks phone to steal login credentials
4.  New Android malware TeaBot found stealing data, intercepting SMS
5.  New Russian Android Malware Tracks GPS Location and Spies on Victims

Predator Spyware Using Zero-day to Target Android Devices

Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine. The exploit can be triggered remotely by an attacker.

2022-05-23 CVE-2022-28874: Multiple Denial-of-Service (DoS) Vulnerabilities

Multiple denial-of-service (DoS) vulnerabilities while scanning fuzzed PE32-bit files can eventually crash the scanning engine. 

More 2022-04-25 CVE-2022-28871: Denial-of-Service (DoS) Vulnerability

A denial-of-service (DoS) vulnerability in WithSecure component may crash the scanning engine. 

More 2022-04-13 CVE-2022-22965: Vulnerability in Spring Framework Remote Code Execution affect WithSecure Products

A critical vulnerability in the Spring framework affects the following products: F-Secure Policy Manager, F-Secure Policy Manager for Linux, F-Secure Policy Manager Proxy, and F-Secure Elements Connector.

More 2022-03-07 CVE-2021-44750: Arbitrary Code Execution

WithSecure Support Tool (fsdiag) embedded within various WithSecure products for Microsoft Windows can be abused to execute arbitrary commands on the system.

More 2022-03-01 CVE-2021-44749: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser Protection for Android

Vulnerabilities in the browser protection of WithSecure SAFE for Android could allow remote attacker to steal user's sessions cookie.

More 2022-03-01 CVE-2021-44748: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser for Android

Vulnerabilities in the browser of WithSecure SAFE for Android could allow execution of JavaScript. 

More 2022-02-27 CVE-2021-44747: Denial-of-Service (DoS) Vulnerability

Crash while scanning fuzzed files can cause denial-of-service of the antivirus engine.

More 2022-02-07 CVE-2021-40837: Denial-of-Service (DoS) Vulnerability More 2021-12-20 CVE-2021-40836: Denial-of-Service (DoS) Vulnerability More 2021-12-14 CVE-2021-40835: URL Address Bar Spoofing in F-Secure SAFE Browser for iOS More 2021-12-08 CVE-2021-40834: User interface Spoofing in F-Secure SAFE browser for Android More 2021-11-24 CVE-2021-40833: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-40832: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-33603: Denial-of-Service (DoS) Vulnerability More 2021-10-04 CVE-2021-33602: Denial-of-Service (DoS) Vulnerability More 2021-09-26 CVE-2021-33601: Arbitrary Code Execution in Web Interface of F-Secure Internet Gatekeeper More 2021-09-26 CVE-2021-33600: Denial-of-Service Vulnerability in Web Interface of F-Secure Internet Gatekeeper More 2021-09-01 CVE-2021-33599: Denial-of-Service (DoS) Vulnerability More 2021-08-21 CVE-2021-33598: Denial-of-Service (DoS) Vulnerability More 2021-08-09 CVE-2021-33596: Fake Apple Login Prompt in F-Secure SAFE Browser for iOS More 2021-08-09 CVE-2021-33595: F-Secure SAFE Browser for iOS Vulnerable to Address Bar Spoofing More 2021-08-09 CVE-2021-33594: F-Secure SAFE Browser for Android Vulnerable to Address Bar Spoofing More 2021-08-07 CVE-2021-33597: Denial-of-Service (DoS) Vulnerability More 2021-06-01 CVE-2021-33572: Denial-of-Service (DoS) Vulnerability More 2021-01-25 FSC-2021-1: Reflected Cross-Site Scripting Vulnerability in F-Secure Cloud Protection for Salesforce More 2020-11-10 FSC-2020-3: Multiple Buffer Overflow Vulnerabilities in F-Secure Linux Security

Multiple buffer overflow vulnerabilities can lead local privilege escalation.

More 2020-05-17 FSC-2020-2: Local Non-Root User Can Rename or Delete System FIles in Linux Security

A local user can rename or delete arbitrary files owned by root in Linux Security.

More 2020-05-17 FSC-2020-1: CSRF Vulnerability in Web Interface of Linux Security

Vulnerability in web user interface of the F-Secure Linux Security can lead to remotely disable product settings.

More

CVE-2022-28874: Security advisories

The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.

Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.

Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.

Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm's global turnover and order companies to stop practices that violate GDPR's principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low.

Under the dense series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called one-stop-shop process dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta’s Facebook, WhatsApp, and Instagram, plus all of Google’s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions—400 are outstanding, according to the regulator's own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also dragged on for years.

Europe’s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. (Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe’s two independent bodies, the EDPS and EDPB, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million ($790 million), and Ireland fined WhatsApp €225 million ($238.5 million) last year. (Both companies are appealing the decisions). At the same time, one lesser-known Belgian fine could change how the entire ad tech industry works. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.

Helen Dixon is at the heart of Europe’s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has faced criticism for struggling to keep up with the number of complaints under its purview, drawing ire from fellow regulators and calls to reform the body. “If everything comes at you at the same time, clearly there’s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,” Dixon says, defending her office’s performance. Dixon says the DPC has had to handle GDPR’s complexity from scratch, leading to many cases and new processes, and there aren’t simple answers for many of them.

“I would classify the DPC as being very effective in the first four years of application of the GDPR,” Dixon says. “The fact that DPC has stood up a new legal framework that many described as 'the law of everything' in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period” shows its success, Dixon says. The organization has enforced measures against Twitter, WhatsApp, Facebook, and Groupon, among thousands of national cases, during this time.

“There should be an independent review of how to reform and strengthen the DPC,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. “We cannot know from outside what the problems are.” Ryan adds that blame can’t just be leveled at the Irish regulator. “The European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,” he says. “It doesn't just propose the laws, it also has to see that they are applied.”

So far, the European Commission has backed enforcement of GDPR in Ireland and across the continent. “The Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,” Didier Reynders, the European Commissioner for Justice, says in a statement. “We have launched six infringement procedures under the GDPR.” These legal cases include action against Slovenia for failing to import GDPR into its national law and questioning the independence of the Belgian data authority.

However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, opened an inquiry into how the Commission has been monitoring data protection in Ireland. (The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries). If the Commission does look into Ireland, it could make recommendations, says Estelle Massé, the global data protection lead at Access Now, a technology-focused civil rights organization. “There is an issue, and if you don't intervene in this way, I don’t really see how the situation will resolve,” Massé says. “It has to go through an infringement procedure.”

Despite clear enforcement problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data. Spain’s LaLiga soccer league was fined after its app spied on users, retailer H&M was fined in Germany after it saved details about employees’ personal lives, the Netherlands’ tax body was fined over its use of a ‘blacklist,’ and these are just a handful of the successful cases.

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as Europol.

Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,” says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made—such as Austria’s decision to make the use of Google Analytics unlawful—companies are concerned about what it means for them. “Four or five years ago, that enforcement wouldn't have happened,” Grant says. “And if it had happened, maybe a few data protection lawyers would have known about it—it wouldn't have been out there with clients coming to us saying we need advice on this.”

But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn't really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and _Reveal_ joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)

Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.

“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million ($31.8 million) to €225 million ($238.5 million) after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.

The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.

Luxembourg’s data regulator hit Amazon with a record-breaking €746 million ($790.6 million) fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge \[amounts of\] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the \[one-stop-shop\] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.

The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with hefty fines for bad cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is altering its cookie banners across the whole of Europe following the French enforcement.

“We are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking \[for\],” Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn’t to avoid GDPR’s protracted process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better—and quicker.”

In the last year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Redding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines and said they would try to “join forces” on some investigations. Norway’s Judin says the move is positive but questions how effective it will be in practice.

Massé, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Massé says. In short, it could clarify how GDPR enforcement should be handled by every country.

The view is also shared by data regulators, at least to some degree. France’s Denis says regulators should share more information, more quickly on cross-border cases so they can build up an informal consensus around a potential decision. “The Commission could also, for example, look at resources given to data protection authorities,” Denis says. “Because it’s a member state’s obligation to give sufficient resources to data protection authorities to carry out their duties.” The staff and resources regulators have to investigate and enforce is dwarfed by those of Big Tech.

“Potentially, if there was the possibility for some kind of an instrument specific to the GDPR—being a legal instrument—that would specify certain process and procedural issues, that might assist,” Ireland’s Dixon says. She adds that complications that could be ironed out include issues around access to files during investigations, whether those making the complaints are given access to the investigation process, and problems in translations. “There’s a whole range of inconsistencies around that, giving rise to delays and dissatisfaction on all sides,” Dixon says.

Without some changes—and strong enforcement—civil society groups warn that GDPR could fail to stop the worst practices of Big Tech companies and improve people’s sense of privacy. “The immediate thing that needs to be addressed is the Big Tech firms,” Ryan says. “If we cannot deal with Big Tech, we will create a permanence to the fatalism that people feel about privacy and data.” Four years in, Massé says she still has hope for GDPR enforcement. “It's really not what we had hoped for. But it’s also not in a place that I think we can start digging a grave for the GDPR and forget about it.”

How GDPR Is Failing

By Owais Sultan
Online gaming has always been the buddy of leisure time because they allow us to bring some enjoyment…
This is a post from HackRead.com Read the original post: 5 Casual Games You Can Play on Your Mobile Browser Now

Online gaming has always been the buddy of leisure time because they allow us to bring some enjoyment to our lives after spending some hectic time. That’s why online games are the love of everyone irrespective of age and gender. However, the landscape of the online gaming world has changed with the advancement in technology.

The games first moved from our backyards to PCs and now they are enclosed in our cell phones through apps and online versions. So, now you don’t have to go anywhere to play games with your friends. Comfortably sit (or lay down!) on your couch, open your mobile browser, and get ready to take a dip in the gaming world. It’s that easy!

But with so many gaming options, it is hard to find the best games in one go. Don’t worry, we have made the list of the best casual games for you that can keep you hooked for hours.

Here is the list of fun games you can play on your mobile browser:

*   **Solitaire**

Microsoft introduced Solitaire with Microsoft Windows in 1990 and since then this card game has become popular among kids and adults alike. Back in time, people used to stick to their PC, playing Solitaire games for hours, and the urge to play more kept them sitting for hours. This was the level of the craze of Solitaire! And this mania is still alive!

Despite the introduction of many online games, the love of people for Solitaire has not ended yet. They still love to play it on their laptops, on online sites like Solitaire Bliss, and on in-app versions.

So, if you haven’t tried this amazing game yet, it is time you pick up your mobile and become a part of the huge Solitaire games community. You will surely not regret it!

*   **Sudoku**

Sudoku is one of the oldest and most popular puzzle games that is fun and an excellent way to sharpen up your mind. The goal is to complete the 9×9 grid in a way that each column, row, and 3×3 section contains all numbers from 1 to 9. This game has different difficulty levels from easy, medium, and hard to expert.

You can download the app or play it on the mobile browser and switch between different levels and check how good you are at solving puzzles.

Sudoku is an amazing brain game and besides keeping you busy and your fun part alive, it can also help improve your concentration and focus. Once you start playing this game, in no time it will become one of your favorite games. So, what are you waiting for? Let’s begin!

*   **Spider Solitaire**

The good news for card game lovers is that there are various variations of Solitaire if you get bored with the traditional Solitaire, but still want to stick to a card game. One of the Solitaire variations is Spider Solitaire.

Spider Solitaire is loved by many card game maniacs for all the right reasons. It also came with Windows in 1990, but it is a bit hard to master. Moving a few cards here and there thoughtlessly won’t help you out. You need full concentration and a strategy to win this game. The goal is to remove all cards by building piles of cards irrespective of suit.

This might seem to be something that anyone can do, but remember that in reality, it can tease your brain. So, with this game opened in your mobile browser, you will be on the edge of your seat while playing this game.

*   **Minesweeper**

Minesweeper is another Windows 7 game that is now available online and in in-app forms as well. You can open it on your mobile browser and start playing it right away. But the question is: why should someone download it? Simply because it is a fun game that can help you check your guesswork skills and luck in one go.

The goal is to empty the whole gray board by clicking different boxes on the board. But the tricky part is to save yourself from the mines hidden in the board. If you mistakenly click on the mine, the game is over.

Therefore, it is easy to play, but hard to win (tidbits: I have never won a minesweeper game ever in my life!). But if you are confident enough about your guesswork skills and luck, this game is the right pick for you. Wish you the best of luck – hope I also get to win it one day.

*   **Mahjong**

Mahjong is a traditional Chinese game with an enriched history dating back to 3000 years. It was once considered a game for Asians, but now the popularity of this game has broken the boundaries and become popular the world over. Thanks to the online and app version of this game.

Mahjong is not an easy nut to crack. This game involves 4 players and 136 tiles made of bamboo or plastic. The goal is to make 1 pair of identical tiles and four sets of tiles with three identical tiles. You might not understand it initially, but the practice can make you perfect. It becomes easier to learn it if you know Chinese because the tiles have different Chinese symbols carved.

Therefore, you can play the game in a better way if you can read those symbols. Once you get on the road to understanding this game, you will also become part of those millions of people who like to play this game like a religion.

**Conclusion**

Passing leisure time doesn’t always mean sleeping or lying lazily on your bed. It also means doing things you love to do – just like playing games. Open your mobile browser, find the games mentioned above and your leisure hour will turn into a fun time with a rollercoaster of emotions. These games also give the option to invite your friends to take the fun part to the next level. So, whatever you do, these games will not disappoint you!

**More Gaming Topics**

1.  5 Best Android Emulators for PC
2.  Influence of technology on the gaming industry
3.  12 Classic Games You Can Play on Your Smartphone
4.  How data collected in gaming can be used to breach user privacy
5.  Sony is bringing PlayStation games to your Android and iOS devices

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

5 Casual Games You Can Play on Your Mobile Browser Now

Plus: The Conti ransomware gang shuts down, Canada bans Huawei and ZTE, and more of the week’s top security news.

As Russia’s full-scale war in Ukraine heads towards its hundredth day, opposition from Ukrainian forces is as strong as ever. At the same time, hacktivists all around the world continue to breach Russian institutions and publish their files and emails. This week one hacktivist collective took a different—and slightly peculiar—approach: launching a service to prank-call Russian government officials. The new website uses leaked details to put two random Russian officials on a call with each other. It obviously won't make any difference to the outcome of the war, but the group that created it hopes the tool will cause some confusion and annoy those in Moscow.

New research from Google’s Threat Analysis Group has delved into the surveillance-for-hire industry and found that spyware vendors are targeting Android devices with zero-day exploits. State-sponsored actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia have all purchased hacking tools from the North Macedonian firm Cytrox, the Google team says. The malware has used five previously unknown Android exploits, alongside unpatched vulnerabilities. Overall, Google’s researchers say they’re tracking more than 30 surveillance-for-hire firms around the world.

In other malware news, academics at Germany’s Technical University of Darmstadt have figured out a way to track an iPhone’s location even when it is turned off. When you switch your iPhone off it doesn’t fully power down—instead chips inside run in a low-power mode. The researchers were able to run malware that can track the phone in this low-power mode. They believe their work is the first of its kind, but the method is unlikely to be much of a threat in the real world, as it first requires jailbreaking the targeted iPhone, which has generally become harder to do in recent years.

But wait, there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

International sanctions imposed against North Korea, for its continued development of nuclear weapons and ballistic missiles, mean the nation can’t trade with other countries or bring outside money within its borders. To get around this, in recent years Pyongyang has allowed its state-affiliated hackers to raid cryptocurrency platforms and rob banks. Now the FBI, the US Department of State, and the US Treasury have warned that thousands of North Korea’s IT workers—including app and software developers—have been freelancing at businesses around the world and sending money home. Many of them are based in China or Russia, the officials say. The risks of hiring North Korean workers range from “theft of intellectual property, data, and funds to reputational harm and legal consequences, including sanctions under both US and United Nations authorities.”

In a significant public move, the US Department of Justice says it will stop prosecuting security researchers under the Computer Fraud and Abuse Act. “Computer security research is a key driver of improved cybersecurity,” deputy attorney general Lisa Monaco said in a statement. For years the anti-hacking CFFA law has been criticized for its broad scope and its potential to be abused by prosecutors. While the DOJ’s explicit shift in policy will be welcomed by researchers, as _Motherboard_ reports, the policy doesn’t go far enough and still can put legitimate researchers at risk.

The mostly Russia-based Conti ransomware gang has had a dreadful few months. After backing Vladimir Putin’s war in Ukraine, thousands of its internal messages and innermost secrets were published online. While the gang has continued to target victims, including Costa Rica’s government, researchers now say Conti has officially shut down its operations. Conti’s Tor admin panels have been taken offline, and the group’s members are splintering off into other ransomware groups, according to security firm Advanced Intel. The shutdown comes after the US government offered a $15 million reward for information about Conti's members.

Canada has become the final country in the Five Eyes intelligence group—which also includes the US, UK, Australia, and New Zealand—to ban the use of Huawei’s telecoms equipment in its 5G networks. Fellow Chinese telecom firm ZTE is also included in the ban. The Canadian government, in an announcement, cited national security concerns and the fact that companies could be forced to comply with orders from “foreign governments.” Starting in September, Canadian firms will be banned from buying new 4G and 5G equipment from the Chinese companies. They must remove all existing 5G equipment by the summer of 2024, and 4G equipment must be removed by the end of 2027.

Tag

#android