CIO

The week in security: iappANZ weighs privacy progress; Obama, industry fight government spying

Privacy Commissioner Timothy Pilgrim released a new Privacy Regulatory Action Policy as the iappANZ Privacy Summit kicked off. Also instructive on the policy front was Scotland's National Health Service, which shared its experience meeting healthcare privacy requirements with attendees. Vodafone's head of privacy was also on hand, pointing out that economics is playing an increasing role in discussions about the risks of privacy.

With data breaches on the rise and 320 discrete incidents last quarter leaking 183 million customer records – and things getting grimmer for retailers by the day – it's little wonder that many users are focused on exercising their right to be forgotten, with Google employing a large team of lawyers, engineers and paralegals to evaluate URLs requested for delisting.

One service that probably has many users wishing they could be forgotten is WhatsApp – which announced it now supports end-to-end encryption of messages between users. This follows the broader trend towards smartphone encryption, which is becoming an increasingly significant part of the security discussion. EFF and Mozilla certainly see it that way: both are backing a new certificate authority that will issue free SSL/TLS certificates to Web site owners.

This came as a US government investigation questioned the value of privacy certifications from online provider TRUSTe. Others were looking for thought leadership on whether privacy remains possible at all as the Internet of Things takes hold.

US telco AT&T decided to stop using a 'permacookie' technique that allows it to track users' every move online, while Swedish ISP Bahnhof went several steps further by allowing its users to sign up for a free service that hides their every online move.

Also in the same vein, US president Barack Obama urged legislators to pass the USA Freedom Act, which would curb the NSA's bulk collection of telephone records. Efforts to rein in US government spying got support from Apple, Microsoft, Google and others, while the US government was also clamping down on a massive tech-support scam that charged people for supposed lifetime support packages for a real antivirus product.

Whether all this enforcement effort would address the mobile-phone surveillance planes reportedly being deployed by the US Department of Justice was another question. The US State Department, for its part, shut down its unclassified email system during the G20 to minimise possible damage from hackers, with subsequent reports suggesting the system had already been hit by suspicious activity. Malware authors, meanwhile, turned their sights on pro-Tibet activists on the occasion of the G20.

They were hardly the only targets: Android and iOS apps are still being cloned to spread malware, according to the latest survey of such apps. BitTorrent dismissed security concerns raised about its Sync app, while a long-running Android botnet was evolving and was said to pose a threat to corporate networks.

For its part, the PCI Council was looking for ways to tap into emerging security technologies to help prevent the kind of breaches that made this year one of the worst ever on the security front. The FIPS standard might help in some cases, and the USB Armory is another such technology.

But many companies may want to focus more on dealing better with DDoS attacks – which, Akamai recently warned, we're not very good at in Australia. Vietnam, India and Indonesia have been pegged to lead on the DDoS front next year.

This article is brought to you by Enex TestLab, content directors for CSO Australia.