Cyber Security Intelligence


April Newsletter #4 2015

Cybercrime More Profitable Than Drug Trading

As reported by the 2013 Europol Serious & Organized Threat Assessment, the "Total Global Impact of Cybercrime [has risen to] US $3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined."

This growing cost of cyber crime partially reflects the different laws that define countries' breach disclosure policies. For example, whereas the United States has mandatory disclosure laws, the European Union has none.

European-based companies that have been affected by an incident, including TK Maxx, Loyaltybuild, Stay Sure and CEC Bank, are therefore under no obligation to notify their customers of an incident. This lack of visibility may limit the affected company's incentives to invest in detection measures that facilitate a timely response.

Clearly, computer criminals are interested in stealing customers' payment card information, which helps to explain the uptick in breaches we are seeing today. This begs the question: How can we make sure a company does not succumb to large-scale payment card theft?

The answer has to do with compliance. Information protection policies were created to ensure the protection of sensitive information. In this case, compliance with one such policy, known as the Payment Card Industry Data Security Standards (PCI DSS), helps to protect customers' payment card information.

To be sure, companies vary in their approach to the issue of compliance. Some organizations look at compliance as just a checkbox, implementing security controls in an effort to merely pass their security audit and thereby continue to do business. As I discussed in a recent post, however, this approach more often than not values a cheap solution to compliance at the expense of improving the organization's security. It is therefore no surprise that many companies that implement the "checkbox" approach are predominantly those affected by large security breaches.

Just to be clear, a comprehensive approach to compliance cannot prevent attackers from infiltrating a company's networks. On the contrary, as the growing number of breaches has shown, it is inevitable that attackers will find a way in. But where PCI DSS compliance makes a difference is in a company's detection and response time.

Having the capabilities to quickly detect and remove an attacker from one's network allows a company to resume business as usual in a matter of weeks. This is a preferred outcome when one considers the case of Target, which recently agreed to a multi-million dollar settlement after losing millions of customers' data back in 2013.


Cloud-based Business Intelligence Goes Mainstream

More than 50 percent of businesses currently use or plan to use cloud-based business intelligence, according to a survey by Dresner Advisory Services. Still, several common hurdles have limited cloud-based BI's adoption in some companies.

The report, the latest in the firm's Wisdom of Crowds series of research, examines usage trends and perceptions of cloud BI. The primary barrier to adoption of cloud-based BI remains security, and cloud BI as a concept retains "mid-tier importance" among the 775 survey respondents worldwide.

Other findings of the research: Sales and marketing attach the greatest importance and are the greatest users of cloud BI; very small and very large organizations attach the most importance to cloud BI; private cloud BI models remain the most preferred, followed by public; and "bread and butter" functionality including self-service, dashboards, and visualization top the list of required cloud BI features.

The perceived benefits of cloud BI continue to reflect conventional wisdom of cost savings, easier maintenance and greater access to BI, according to the study.

"We began analyzing the cloud BI market while it was still in its early days and have tracked with great interest the shifts in deployment and perception that have surfaced over the past four years," Howard Dresner, founder and chief research officer at Dresner Advisory Services, said in a statement. "Most telling, those organizations who perceive themselves as more successful with their business intelligence projects are those most likely to use cloud BI today."


Insurance Experts Say Adequate Cyber Cover Is Now Available!

Cyber insurance is becoming broader and more affordable, although it's worth shopping around for the policy that best meets an organisation's individual needs, according to a panel of industry experts speaking during a webinar organised by Advisen.

There has never been a better time to buy cyber insurance, according to David Derigiotis, Head of Professional Liability at broker Burns & Wilcox. He has seen cyber insurance coverage in the US continue to broaden and prices reduce.

There are now more insurers offering specialist cyber insurance, with many providing 'very adequate' first and third party cover, he explained. It is also possible to obtain full limits for regulatory fines and separate limits for business interruption and systems restoration, he added.

While Fortune 500 companies will find capacity is 'tight' and 'extremely challenging', most buyers should be able to find the cover and limits they need, according to Mr. Derigiotis. "You just need to know where to look," he said, adding that London is currently the lead market for cyber insurance in terms of pricing and coverage.

Commercial Risk Europe:

Wi-Fi on Planes is Open to Inflight Hacking

Hackers on commercial flights could now bring down the plane they are on by using the on board Wi-Fi, a US government watchdog has warned.

The US Government Accountability Office (GAO) does not suggest it would be easy to do but it points out that as airlines and the Federal Aviation Administration attempt to modernise planes and flight tracking with Internet-based technology, attackers have a new vulnerability they could exploit.

The report highlights the fact that cockpit electronics are indirectly connected to the passenger cabin through shared IP networks. The connection between passenger-accessible systems and the avionics of the plane is heavily moderated by firewalls, but information security experts have pointed out that firewalls, like all software, can never be assumed to be totally infallible.

"According to cybersecurity experts we interviewed, internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors," the report adds.

The report praises the FAA for the steps it has taken to get its cybersecurity policies in order, but says that "opportunity exists for further action", and particularly highlights as a cause for concern the fact that cybersecurity responsibility is split over multiple FAA offices.

A worst case scenario is that a terrorist with a laptop would sit among the passengers and take control of the airplane using its passenger Wi-Fi, said Rep. Peter DeFazio, an Oregon Democrat on the House Transportation and Infrastructure Committee who requested the investigation.


Planes Without Pilots

This Centaur Optionally Piloted Aircraft can be operated unmanned or with pilots on board

Evidence that the co-pilot crashed a Germanwings plane into a French mountain has prompted a global debate about how to better screen crewmembers for mental illness and how to ensure that no one is left alone in the cockpit. This is not allowed in Germany at present.

But among many aviation experts, the discussion has taken a different turn. How many human pilots, some wonder, are really necessary aboard commercial planes?

Advances in sensor technology, computing and artificial intelligence are making human pilots less necessary than ever in the cockpit. Already, government agencies are experimenting with replacing the co-pilot, perhaps even both pilots on cargo planes, with robots or remote operators.

In 2014, airlines carried 838.4 million passengers on more than 8.5 million flights. Commercial aviation is already heavily automated. Modern aircraft are generally flown by a computer autopilot that tracks its position using motion sensors and dead reckoning, corrected as necessary by GPS. Software systems are also used to land commercial aircraft.

In a recent survey of airline pilots, those operating Boeing 777s reported that they spent just seven minutes manually piloting their planes in a typical flight. Pilots operating Airbus planes spent half that time.

And commercial planes are becoming smarter all the time. "An Airbus airliner knows enough not to fly into a mountain," said David Mindell, a Massachusetts Institute of Technology aeronautics and astronautics professor. "It has a warning system that tells a pilot. But it doesn't take over."

Such a system could take over, if permitted. Already, the Pentagon has deployed automated piloting software in F-16 fighter jets. The Auto Collision Ground Avoidance System reportedly saved a plane and pilot in November during a combat mission against Islamic State forces.

The Pentagon has invested heavily in robot aircraft. As of 2013, there were more than 11,000 drones in the military arsenal. But drones are almost always remotely piloted, rather than autonomous. Indeed, more than 150 humans are involved in the average combat mission flown by a drone.

This summer, the Defense Advanced Research Projects Agency, the Pentagon research organization, will take the next step in plane automation with the Aircrew Labor In-Cockpit Automation System, or Alias. Sometime this year, the agency will begin flight-testing a robot that can be quickly installed in the right seat of military aircraft to act as the co-pilot. The portable onboard robot will be able to speak, listen, manipulate flight controls and read instruments.

The machine, a bit like R2D2, will have many of the skills of a human pilot, including the ability to land the plane and to take off. It will assist the human pilot on routine flights and be able to take over the flight in emergency situations.

NASA is exploring a related possibility: moving the co-pilot out of the cockpit on commercial flights, and instead using a single remote operator to serve as co-pilot for multiple aircraft.
In this scenario, a ground controller might operate as a dispatcher managing a dozen or more flights simultaneously. It would be possible for the ground controller to "beam" into individual planes when needed and to land a plane remotely in the event that the pilot became incapacitated, or worse.


The Internet Connected Car

By 2020, BI Intelligence estimates that 75% of cars shipped globally will be built with the necessary hardware to allow people to stream music, look up movie times, be alerted of traffic and weather conditions, and even power driving-assistance services such as self-parking.
In a new report from BI Intelligence, we take a deep dive into the connected-car market. We size the market for connected cars, determine the average selling price and how it will decline over time, and assess different manufacturers' approaches.

The connected-car market is growing at a five-year compound annual growth rate of 45%, which is ten times as fast as the overall car market. We expect that 75% of the estimated 92 million cars shipped globally in 2020 will be built with internet-connection hardware.

But of the 220 million total connected cars on the road globally in 2020, we estimate consumers will activate connected services in only 88 million of these vehicles.

Connected-car vehicle prices are out of reach for most car buyers, but they will drop significantly in the next few years. The high average selling price of $55,000 is driven by the fact that connected-car shipments tilt toward the luxury category.

Connected-car technology is now split between approaches that put the Internet connection in the car and those relying on a secondary device. Embedded connections don't require a phone's data plan to operate, and consumers and carmakers gain access to a wider variety of features and data.

Embedded connections will win, in part because they offer two clear advantages to carmakers. They allow auto companies to collect data on cars' performance and send updates and patches to cars remotely, avoiding recalls related to the car's software.

Business Insider:

NSA's Plan to Snowden-Proof Data Using the Cloud

A ground level view of Utah's NSA Data Center in Bluffdale, Utah

Almost two years ago, the National Security Agency forever lost its "No Such Agency" nickname at the hands of one of its contractors, a once-trusted insider by the name of Edward Snowden.
Within NSA's Fort Meade, Maryland, headquarters, no one wants to face another Snowden. With NSA's widespread adoption of cloud computing, the spy agency may not have to. NSA bet big on cloud computing as the solution to its data problem several years ago.

Following expanded legal authorities enacted after the Sept. 11, 2001, terrorist attacks, NSA and the other 16 agencies within the intelligence community began to collect a gargantuan amount of intelligence data: Internet traffic and emails that traverse fiber optic cables; telephone call metadata; and satellite reconnaissance. Much of that intelligence piled up in various repositories that had to stock up on servers to keep up with demand.

NSA's GovCloud, open-source software stacked on commodity hardware, creates a scalable environment for all NSA data. Soon, most everything NSA collects will end up in this ocean of information.

At first blush, that approach seems counterintuitive. In a post-Snowden world, is it really a good idea to put everything in one place, to have analysts swimming around in an ocean of NSA secrets and data?

NSA built the architecture of its cloud environment from scratch, allowing security to be baked in and automated rather than bolted on and carried out by manual processes. Any piece of data ingested by NSA systems over the last two years has been meta-tagged with bits of information, including where it came from and who is authorized to see it in preparation for the agency's cloud transition.

Data in the GovCloud doesn't show up to analysts if they aren't authorized, trained or cleared to see it, according to NSA Chief Information Officer Lonny Anderson.

"While putting data to the cloud environment potentially gives insiders the opportunity to steal more, by focusing on securing data down at cell level and tagging all the data and the individual, we can actually see what data an individual accesses, what they do with it, and we can see that in real time. So we think this actually dramatically enhances our capability."
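The mechanism Anderson describes, each cell tagged with its source and the markings an analyst must hold, filtered at access time and logged so unusual access patterns stand out, can be sketched as follows. This is an added illustration, not NSA or GovCloud code; the marking names, the analysts, the sample records and the alert threshold are all constructed assumptions.

```python
"""Cell-level tagging with access filtering and real-time audit, as an
illustration of the approach the article describes. Added example, not
NSA code: markings, records and the alert threshold are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Cell:
    """One tagged value: where it came from and which markings are needed to see it."""
    value: str
    source: str               # provenance tag (constructed collector names below)
    required: FrozenSet[str]  # every marking an analyst must hold to see this cell


@dataclass(frozen=True)
class Analyst:
    name: str
    markings: FrozenSet[str]  # clearances, training and authorizations held


@dataclass(frozen=True)
class AuditEvent:
    analyst: str
    record_id: str
    cell: str
    granted: bool


class TaggedStore:
    """Records are dicts of tagged cells; every access decision is logged."""

    def __init__(self, alert_threshold: int = 3) -> None:
        self.records: Dict[str, Dict[str, Cell]] = {}
        self.audit: List[AuditEvent] = []
        self.alert_threshold = alert_threshold  # assumed tuning value

    def ingest(self, record_id: str, cells: Dict[str, Cell]) -> None:
        self.records[record_id] = cells

    def view(self, analyst: Analyst, record_id: str) -> Dict[str, str]:
        """Return only the cells the analyst is authorized for; log each decision."""
        visible: Dict[str, str] = {}
        for name, cell in self.records[record_id].items():
            granted = cell.required <= analyst.markings  # must hold every tag
            self.audit.append(AuditEvent(analyst.name, record_id, name, granted))
            if granted:
                visible[name] = cell.value
        return visible

    def denied_count(self, analyst_name: str) -> int:
        return sum(1 for e in self.audit
                   if e.analyst == analyst_name and not e.granted)

    def alerts(self) -> List[str]:
        """Analysts whose denied accesses reach the threshold: the real-time signal."""
        names = {e.analyst for e in self.audit}
        return sorted(n for n in names
                      if self.denied_count(n) >= self.alert_threshold)


def build_sample_store() -> TaggedStore:
    """Constructed sample records (not real data); each cell carries its own tags."""
    store = TaggedStore(alert_threshold=3)
    store.ingest("rec-1", {
        "timestamp": Cell("2015-04-01T10:00Z", "collector-A", frozenset({"TS"})),
        "selector":  Cell("+1-555-0100", "collector-A", frozenset({"TS", "SI"})),
        "content":   Cell("<body>", "collector-A", frozenset({"TS", "SI", "ORCON"})),
    })
    store.ingest("rec-2", {
        "timestamp": Cell("2015-04-02T11:30Z", "collector-B", frozenset({"TS"})),
        "imagery":   Cell("sat-frame-17", "collector-B", frozenset({"TS", "TK"})),
    })
    return store


def run_demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str], List[str]]:
    """A fully cleared analyst sees rec-1 whole; a junior one sees timestamps only
    and trips the alert after the third denied cell."""
    store = build_sample_store()
    cleared = Analyst("alice", frozenset({"TS", "SI", "ORCON"}))
    junior = Analyst("bob", frozenset({"TS"}))
    a1 = store.view(cleared, "rec-1")  # all three cells
    b1 = store.view(junior, "rec-1")   # timestamp only, two denials logged
    b2 = store.view(junior, "rec-2")   # timestamp only, third denial -> alert
    return a1, b1, b2, store.alerts()


if __name__ == "__main__":
    for part in run_demo():
        print(part)
```
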

GovCloud's other baked-in security features are likely to deter all but the boldest of would-be rogue insiders.

In other words, if NSA had this cloud-based system in place two years ago, Snowden wouldn't have made off with what NSA Deputy Director Richard Ledgett in a 2013 interview called the agency's "keys to the kingdom." According to NSA officials, if GovCloud works, as they believe it will, Snowden may have never left Hawaii, where he lived and worked, without his actions raising alarm bells.

NSA's cloud migration will also significantly beef up the agency's ability to comply with a plethora of legal rules, mandates and executive orders. Just as security is automated in NSA's cloud, so too are compliance measures such as data preservation orders or data retention rules.

The move has not come without obstacles. The cloud organizes data differently than old repositories, and some analyst methods do not translate to NSA's cloud model. However, the agency is training analysts on new methodologies.

In the coming years, closed repositories will come to signal the success of NSA's bet on cloud computing. Will it prevent the next Edward Snowden-like attack? NSA officials are counting on it, but they're counting on the cloud for a lot more than that.


China's Cyber Attacks on Governments and Corporates in Asia

The Chinese government is accused of being behind a newly discovered set of cyber attacks waged against government agencies, corporate companies and journalists across India and Southeast Asia over the past ten years.

Security firm FireEye released a report today revealing a spate of corporate espionage and cyber spying offenses against targets located in India, Malaysia, Vietnam, Thailand, Nepal, Singapore, Philippines, Indonesia and beyond. The group said attacks began in 2005.

"There's no smoking gun that shows this is a Chinese government operation, but all signs point to China," FireEye's APAC CTO Bryce Boland told TechCrunch in an interview. "There's huge intellectual property development in Asia, that's the new battleground."

Boland referenced several pieces of evidence collected by FireEye following "months" of research. In particular, the existence of an operating manual written in Chinese, a code base that was seemingly developed by Chinese developers, and a related domain registered to a suspicious 'tea company' in rural China, all imply Chinese involvement.

FireEye's report caps a rough few days of media coverage for China's Internet strategy. China put on a (falsely) friendly front when it hosted the World Internet Conference last year, but increasingly we hear about its efforts to police the web. Last week, Citizen Lab issued a report detailing the Great Cannon, a new technology that allows the Chinese government to take down websites — like — using a worryingly direct and offensive approach.

Of course, it is possible that the attacks highlighted by FireEye were not run directly by the state, and instead by a professional espionage agency, which may have sold secrets to Chinese corporates or even the government itself. Actors are very often a few degrees removed, and concrete evidence is hard to find.

All in all, FireEye detected more than 200 distinct variations of malware developed by the group. The fact that these attacks remained undetected for so long is troubling given the sensitivity of the targets, but there is a positive. Boland explained that because the infrastructure of the attacks has remained similar for years, it isn't difficult to check for potential compromises and take action if needed.

FireEye shared its report with certain intelligence agencies worldwide in advance of making it public. Though Boland declined to be more specific about exactly which ones had been contacted, he did confirm that FireEye does not provide details of its intelligence or reports to the Chinese government.


Russia's cyber attacks grow more brazen

Russia has ramped up cyber attacks against the United States to an unprecedented level since President Obama imposed sanctions last year on President Putin's government over its intervention in Ukraine.

The emboldened attacks are hitting the highest levels of the US government, according to reports, in what former officials call a "dramatic" shift in strategy.

The efforts are also targeting a wide array of US businesses, pilfering intellectual property in an attempt to level the playing field for Russian industries hurt by sanctions.

"They're coming under a lot of pressure from the sanctions — their financial industry, their energy industry," said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, which monitors critical infrastructure attacks. "And they're obviously trying to leverage cyber intrusion and cyber espionage to compensate for that."

Crowdstrike has recorded over 10,000 Russian intrusions at companies worldwide in 2015 alone. That's a meteoric rise from the "dozens per month" that Alperovitch said the firm noted this time last year, just as the US was imposing its sanctions.

Many see the recent reports that Moscow infiltrated the State Department and White House networks, giving them access to President Obama's full schedule, as a turning point in Russian government hacking.

Moscow doesn't care as much about being caught, perhaps in an attempt to prove its cyber prowess, some speculate.

Last year, Russians were charged with hacking into Nasdaq, America's second largest stock exchange. Going further back, a notorious Russian Internet gang made off with tens of millions of dollars from Citibank in 2009.

On the government-sponsored side, researchers at security firm FireEye discovered evidence of Russian intelligence-gathering cyber campaigns stretching back to at least 2007. Moscow was searching for communications, emails, memos, phone calls and schedules that could smear adversaries' reputations or simply shed light on their plans.

President Obama repeatedly asked his advisors whether a massive data breach at JPMorgan last fall was Russian retaliation for the sanctions, according to reports. The aides couldn't give the president a definitive answer. Indeed, the security community is not united in its belief Russia was behind the attack.

The Hill:

Russia's Censor tells citizens that some memes are illegal

This week Russia's media regulator and telecom oversight agency, known as Roskomnadzor, reminded Russian citizens that it's illegal to post memes of real people that depict them in any way that does not reflect their "personality," the Washington Post reported. The announcement, made on Russian social media site VKontakte, clarified an existing law governing how a person's image may be distributed.

"These ways of using [celebrities' images] violate the laws governing personal data and harm the honor, dignity and business of public figures," Roskomnadzor wrote, according to a translation from the Post. Parody accounts and parody websites impersonating a person are also illegal.

Roskomnadzor has only been an entity in Russian public policy for three years and it has already defined itself as a repressive and controlling speech censor. In 2012, it was ordered to create a blacklist of websites detrimental to Russian interests and ended up blocking over 180 sites. In mid-2014, Russia passed a law that said bloggers with 3,000 daily readers or more must register with Roskomnadzor. The same law also required that social media data be stored within Russia's boundaries so the government can access it at any time.

This clarification of meme law was ordered by a Moscow judge who presided over a case involving Russian singer Valeri Syutkin. Syutkin sued a Russian culture site for disseminating some off-color jokes using his image, and the judge ruled in his favor, but asked that Roskomnadzor post an update to its laws governing personal data.

A person who believes that their image is being used inappropriately can report the offenders to Roskomnadzor or sue them. "Web sites are essentially given the choice of blocking the offending content in Russia, or seeing their whole sites get blocked across the country," the Post writes.

The Post added that celebrities would likely have to report the memes themselves, which could mean that some could still be used if they're not reported. One hopes that Vladimir Putin is too busy to scour the Internet seeking to destroy the many excellent memes using his visage.

Ein News:

How Syrian Electronic Army Hacked Email Accounts of Assad's Opponents

On November 19, 2013, Dan Layman received a disconcerting email from a fake address

The culprit is the Syrian Electronic Army (SEA), the popular group of hackers aligned with Syrian President Bashar al-Assad, which in the past has hacked high-profile targets including Microsoft, eBay and PayPal.

The SEA claims to have also hacked into the email accounts of Louay Sakka, founder of the SSG; Mazen Asbahi, the former president of the SSG; and Oubai Shahbandar, a former Pentagon analyst and an advisor to the Syrian Opposition Coalition.

The motive is cyber espionage. The members of the SEA launched the campaign at the end of 2013, but there was no news about the operation until now. The SEA conducted targeted spear phishing attacks against a number of high-profile people in the Syrian opposition, including Salim Idris, the chief of staff of the Supreme Military Council (SMC) of the Free Syrian Army.
The SEA confirmed having hacked seven high-profile people and offered Motherboard proof of the attack, but security experts speculate that many other individuals fell victim to the operation.

The SEA stole from the victims any information related to activities against the government of Syrian President Bashar al-Assad.

According to a SEA member, Layman's email account was simply hacked through a brute force attack, which revealed that the political figure used "easy and weak" passwords. By controlling Layman's email account, the SEA then tried to compromise his network of contacts. Among the targets are members of the Free Syrian Army and of the Syrian Support Group.

Motherboard examined a collection of screenshots provided by the SEA as evidence of the attack, showing data stolen from the dissidents' email accounts, including Idris's passport and the names of SSG collaborators in Syria.

The SEA member Th3 Pr0 told Motherboard that the group is aware of the plan to subvert the regime, although none of the data appears to relate to military secrets.

But the SEA confirmed it had access to the victims' accounts for a long time. News of hacking operations against dissidents in Syria is not a novelty. In February, security firm FireEye revealed that hackers had tapped into Syrian opposition computers and stolen gigabytes of secret communications and battlefield plans.

The hackers infected the machines of the Syrian opposition with malware during flirtatious Skype chats. The hackers targeted several members of the Syrian opposition located in Syria, including armed opposition members, humanitarian aid workers, and media activists.

Security Affairs:

INTERPOL Targets Cybercrime in Asia

"Cybercrime is a game changer for law enforcement. It changes the way police mount an investigation," says Noboru Nakatani, Executive Director of the INTERPOL Global Complex for Innovation. "More than half of our 190 members don't have digital investigation or cyber forensic capabilities. They don't know how to investigate this new generation of crime."

The INTERPOL Global Complex for Innovation (IGCI) is a research and development facility for the identification of cyber crimes and criminals, and it provides specialist training and operational support for police jurisdictions around the world. Hosted in Singapore, it is the only other INTERPOL office in the world, outside the headquarters in Lyon, France.

Nakatani explains that the IGCI, which has been ramping up staff since November 2014 but officially opened on 13 April, is focused on providing operational support, capacity building and cybercrime research: "we have to increase the capability of our members before they can start investigating and prosecuting cybercrime."

"When police recognise a conventional crime in the field they start to collect evidence - such as fingerprints and DNA. They will collect witness statements and check CCTV. Sometimes you will use facial recognition software, or check suspicious transactions in bank accounts," says Nakatani.

"But in cybercrime you first have to track the IP address - which more often than not is in another country. As the evidence is digital, and may be stored in personal devices, the data first has to be retrieved from these devices. If there is any indication that the digital information was changed after interception by the police, then it is inadmissible."

To establish the capacity to investigate and prosecute cybercrime is expensive - and requires a level of international cooperation between police jurisdictions that only INTERPOL can provide.
Of the 120 full-time staff at IGCI, half are on secondment from police forces around the world - a clear demonstration of support from INTERPOL's member countries: "Just as cybercriminals cooperate across international boundaries, so law enforcement needs to be able to collaborate seamlessly," he continues.

IGCI is also working closely with the private sector - including NEC, Kaspersky, Trend Micro and Oracle - to harness their technical expertise in dealing with cybercrime.

In the first operation of its kind, information shared between the INTERPOL Digital Crime Centre (IDCC), Hong Kong Police Force, Singapore Police Force and the Philippines National Police (PNP) Anti-Cybercrime Group led to the identification of between 190 and 195 individuals working for organised crime groups operating out of the Philippines.

"The reality of INTERPOL is different from Hollywood. We do not have a Q, the fictional gadget man in the James Bond film series, but we do not have secret bases," Nakatani chuckles. "But innovation comes from collaboration, and individual police agencies can't realize the level of collaboration required to address cybercrime. IGCI understands collaboration from the standpoint of a multi-stakeholder approach. This is key for us, and how we will face the emerging threats."


Baltimore Police use of 'Stingray' Cellphone Surveillance

US Baltimore Mayor Stephanie Rawlings-Blake defended the widespread use of a cellphone surveillance device that sweeps up phone signals, echoing the Baltimore Police Department's stance that it's used to track criminals and limited in the type of data it collects.

Kevin Harris, a spokesman for Rawlings-Blake, said the mayor was aware of the program and supports it as an "effective tool" that has proved useful for police departments across the country. Nonetheless, Harris said, the mayor is open to discussing ways to make the program more transparent.

How a stingray device works

Baltimore Police have used secret technology to track cellphones in thousands of cases. The extent of the department's use of the so-called stingray device was largely secret until this week, when a detective testified in court that the department has used it 4,300 times since 2007 and that a 2011 nondisclosure agreement with the FBI prevented police from discussing details about it.

As part of the agreement, the FBI retains the right to ask local police departments and prosecutors to drop cases against criminals before revealing information about stingray programs.

The stingray has come under scathing criticism from privacy advocates. Christopher Soghoian, a technology expert with the American Civil Liberties Union, said focusing on ways the stingray aids police investigations disregards the indiscriminate collection of phone signals and the device's ability to jam phone service in areas where police use it.

Soghoian said the shroud of secrecy surrounding stingrays leaves judges in the dark about the type of police operations they are allowing and law-abiding citizens unaware of their vulnerabilities to such technology. He also noted that enough information is already publicly available for criminals to create their own stingray-like tools.

City Councilman Brandon Scott said he understands why police did not disclose its widespread use until recently. "We all know if they make an agreement with the federal government, they need to honor that agreement," he said.

Still, Scott said he wants assurances that police are not tracking the phones of individuals not involved in criminality.

Such devices act as mobile cellphone towers, forcing phones within a certain radius to connect to them and share their unique identifying information. That information allows police to track the location of a targeted phone.

The technology is increasingly being used by local law enforcement officers and is used at the national level, by the US Marshals Service for surveillance planes. Members of Congress and the ACLU have been pressing for more information about the devices and asked the Federal Communications Commission to look into their use.

Rep. C.A. Dutch Ruppersberger, a Maryland Democrat, said that he has asked the FBI for "greater clarification" about how the device is deployed. Sen. Chuck Grassley, an Iowa Republican and chairman of the Senate Judiciary Committee, said there should be reporting on how often the technology is used, under which legal authorities, and what independent audit controls are in place to prevent abuse.

Baltimore Sun

JP Morgan Algorithm Identifies Rogue Employees

JPMorgan Chase & Co., which has racked up more than $36 billion in legal bills since the financial crisis, is rolling out a program to identify rogue employees before they go astray, according to Sally Dewar, head of regulatory affairs for Europe, who's overseeing the effort. Dozens of inputs, including whether workers skip compliance classes, violate personal trading rules or breach market-risk limits, will be fed into the software.

"It's very difficult for a business head to take what could be hundreds of data points and start to draw any themes about a particular desk or trader," Dewar, 46, said last month in an interview. "The idea is to refine those data points to help predict patterns of behavior."

JPMorgan's surveillance program, which is being tested in the trading business and will spread throughout the global investment banking and asset-management divisions by 2016, offers a glimpse into Wall Street's future. An industry reeling from billions of dollars in fines for the actions of employees who rigged markets, cheated clients and aided criminals is turning to technology to police itself better. Failure to do so will provide ammunition for those pushing to separate trading operations from retail banks.

At New York-based JPMorgan, the world's biggest investment bank by revenue, the push comes after government probes into fraudulent mortgage-bond sales, the $6.2 billion London Whale trading loss, services provided to Ponzi-scheme operator Bernard Madoff and the rigging of currency and energy markets.

The company has hired 2,500 compliance workers and spent $730 million over the past three years to improve operations. Job postings show it is building a surveillance unit to monitor electronic and telephone communication in the investment bank.

E-mails, chats and telephone transcripts can be analyzed electronically to determine if employees are trying to collude or conceal intentions, said Tim Estes, chief executive officer of Digital Reasoning Systems Inc.

Some employees, who asked to remain anonymous, said there was a distinct and growing paranoia about employee monitoring at JP Morgan in London.

Automated surveillance is necessary for Wall Street firms because billions of e-mails flow through each bank annually, overwhelming the ability of people to monitor them, according to Estes. Still, technology that predicts behavior, as in the 2002 science-fiction movie "Minority Report," in which Tom Cruise plays a Precrime officer who hunts down murder suspects before they can act, raises ethical questions.


Human Rights Activists Want to Ban 'Killer Robots'

If a human soldier commits a war crime, he has to face the consequences (at least in theory). The same goes for human operators of drones (again, in theory). But if a fully autonomous war machine with no human operator goes rogue and kills a whole bunch of innocent people, who would be responsible, its programmers or the manufacturers? Finding someone to blame would be hard enough, and proving it in a court of law would

It's a scenario we've seen played out in countless sci-fi movies. But this is not RoboCop or Skynet; this is real life, and these machines are startlingly close to being realized. That's why Harvard Law School and Human Rights Watch want to ban "killer robots" before they can become a reality. In a new report to the United Nations, they argue that there are serious moral and legal concerns surrounding fully autonomous weapons—and that they must be outlawed.

In an age when so much of modern warfare is carried out by pilotless flying killing machines, it's not at all farfetched to say that we'll have battlefield robots that actually make their own decisions in a matter of years. Already, Israel's Iron Dome defense system, for instance, is pre-programmed to intercept and neutralize rockets and other projectiles coming into Israel, and the US military employs a similar system.

"Many people question whether the decision to kill a human being should be left to a machine," the report says. "There are also grave doubts that fully autonomous weapons would ever be able to replicate human judgment and comply with the legal requirement to distinguish civilian from military targets."

The report was released a few days ahead of an April 13 UN meeting in Geneva that will weigh the costs and benefits of autonomous weapons. Delegates will consider adding "killer robots" to the Inhumane Weapons Convention, which currently outlaws "blinding laser weapons" and certain uses of incendiary weapons such as flamethrowers, among other weapons of an especially heinous nature.


Data Privacy: the tide turns in EU – but is it little & late?

Europe is in the midst of a technological step change; a pivot in the world of data privacy.

Many people fall into the trap of seeing privacy in an overly atomistic, individualistic, selfish way: the preserve of the filthy rich. And it is, if we see it as separable from collective freedom, or as absolute over other rights: freedom of expression, opinion and association; freedom to protest; freedom to resist. But this is not privacy's ask.

Privacy is about having decisional power, control, over which acts and events of our lives are disclosed and to whom, free from the prying eyes of states, corporations and neighbours. Privacy affords us the freedom to develop ourselves in the world.

The crux of the issue with digital technology is that it erodes our ability to make decisions about, and to control, our personal information. Mostly without our knowledge, and certainly without informed consent, nation states sweep up our data alleging 'national security' interests, whether legitimate or not. Corporations sweep up our data because they have powerful economic incentives to do so and, with the capitalist lurch, no reason not to.

So what can be done to reverse this systematic erosion and reinstate rights over the long echo of our digital whispers and wanderings? In Europe, there are some rumblings of resistance. They are the rumblings of citizens, of regulators, of courts. And they are starting to find their voice.

On 24 March in Luxembourg, the Court of Justice of the European Union heard Austrian Max Schrems' lawsuit against Facebook over the storage, security and treatment of European users' data. In particular, it explored cooperation between Facebook and US intelligence agencies in sharing private information through Prism and other clandestine surveillance programs. The Schrems case is politically charged, thrust into the tense commercial and intergovernmental relations between the EU and US over data privacy, and particularly the imperiled 'safe harbor' regime, which has governed cross-border data transfers for the past 15 years.

This will have been given fuel by the discovery that Facebook spies on virtually all European web users, even those who have opted out of its services, for up to two years.

If ex-NSA contractor Edward Snowden's disclosures about the vast extent of digital surveillance issued a gunshot, then the European Parliament absorbed it, and the CJEU is now deflecting it. So much so that it has even reached the UK.

The UK is not particularly known as a stronghold of data protection and privacy. But that may have changed with a significant Court of Appeal decision on 27 March in Vidal-Hall, which concerned claims by Apple Safari browser users against Google over the secret tracking and collation of their browser-generated information and its sale to advertisers.

Vidal-Hall was a procedural decision, but it cleared the way for claims against international tech companies for the tort of misuse of private information, as well as confirming the availability of damages under the UK Data Protection Act for non-financial losses, such as anxiety and distress.

Finally, and moving away from the courts, on 26 March, the UN Human Rights Council issued a resolution establishing a special rapporteur on privacy, the latest step in the Germany and Brazil-led coalition, initiated after the Snowden revelations, to bring privacy in the digital age to the United Nations.

Where do we go from here?

Almost all of our new and much-vaunted technological advances (the app economy, drones, self-driving cars, the Internet of Things) pose unprecedented and, as presently conceived, unjustified trade-offs with our autonomy, privacy and data rights.

There are, however, signals and small flames of hope that the balance can be readjusted, that corporate and governmental restraint can be introduced to digital platforms, and that citizens can be put back in the driving seat.

The challenge articulated 15 years ago by scholar Michael Froomkin stands as true as the day he said it:

"There is no magic bullet, no panacea. If the privacy pessimists are to be proved wrong, the great diversity of new privacy-destroying technologies will have to be met with a legal and social response that is at least as subtle and multifaceted as the technological challenge. Given the rapid pace at which privacy-destroying technologies are being invented and deployed, a legal response must come soon, or it will indeed be too late."