2020 has been a wild ride of a caliber that very few could have imagined. And while it was a year defined by a pandemic that exposed many weaknesses in our social, economic, and political systems, it was also a golden era for hackers and other malicious actors.
In terms of the issues it raised for both policy and legislation on cybersecurity and privacy, this year may go down as a particularly memorable one.
From global initiatives, surging cyber risks, and questionable legislation to the US president getting involved in data privacy issues with TikTok – the narrative was becoming hard to follow. So we have decided to compile what we deem the ten most important and impactful cybersecurity stories of 2020.
California joins global data privacy initiatives
- California Consumer Privacy Act (CCPA) became effective on January 1, 2020.
- It provides residents with some rights to control their own personal data.
- Similar to GDPR, but less thorough, which resulted in issues that will be addressed by Proposition 24.
The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, making California the first state in the US to take data privacy matters into its own hands after Congress had again failed to provide legislative protection for the sovereignty of individual information.
The CCPA grants Californian residents the right to demand full disclosure and deletion of the information that companies collect about them. They can also refuse to have this information shared with or sold to third parties by submitting a request through the company’s website, a mechanism companies are required to provide.
Often referred to as “GDPR-lite”, CCPA follows a data privacy legislation pattern that has spread over the last three years around the globe to countries like Australia, Brazil, Chile, India, Japan, New Zealand, South Africa, and Thailand. The trend is commonly called “GDPR-like” because the emerging regulations share many similarities with the General Data Protection Regulation, passed in 2016 for the EU and EEA areas.
This doesn’t mean that other countries don’t have their own privacy protection laws, just that the EU doesn’t recognize most of their legislation as adequate. Besides the nations mentioned above, Argentina, Canada and Uruguay are the only other countries with sufficient protection, according to the EU.
However, CCPA has already proven itself to be too “lite” as many data companies found ways to work around it. Proposition 24, which was approved in 2020, the same year CCPA became effective, aimed to reinforce and redefine Californian privacy rights by 2023. Many states in the US are expected to follow California’s example.
COVID-19 pushes cyber risks to an all-time high
- Hacking, phishing, and scamming attempts have increased dramatically due to COVID-19 forcing people to work from home.
After the pandemic hit in early 2020, a majority of the population shifted to working from home, away from their secured workplace networks. This caused a sharp increase in phishing email attempts by hackers and a host of cybersecurity problems for employers.
So far, COVID-19 has proven to be one of the worst periods for cybersecurity on record. Scams increased by 400% over a matter of months, and in April alone, Google reportedly blocked 18 million malware and phishing emails related to the coronavirus every day. Around the same time, some individuals using Zoom for conferencing also fell victim to “Zoom bombing” and had their credentials sold on the dark web for $0.0020 cents apiece.
Coronavirus apps reach new heights in disregard for privacy
- Many of these apps have made dubious claims about what they can do.
- The information they collect can in some cases be compromising or even life-threatening.
Following the pandemic theme, many countries and third parties launched COVID-19 related apps when the spread of the virus first picked up speed. The app functions range from preventing the spread of COVID-19 to alleged self-diagnosis or even the detection of infected individuals.
While varying in purpose, most of these applications had negligible to non-existent privacy policies, and some even openly declared that they sell their users’ data to third parties.
Many people felt obligated to download and install these applications due to the dread and global tension surrounding the situation. As of the most recent assessments, 120 contact tracing apps are still available in 71 countries. Of these, 23 apps are based in the US, and a total of 19 apps available worldwide, with a combined 4 million downloads, have no privacy policies.
These applications are a testament to how quickly mass surveillance is spreading across the world. Some of this collected information includes political views and sexuality, which can have life-threatening consequences for people in some countries.
VPN interest surges in Hong Kong after Beijing unveils new law
- Beijing officials revealed a new law regarding Hong Kong’s autonomy.
- A massive surge of Hong Kong residents to Surfshark’s website within 24 hours indicated growing concern about internet freedom.
On May 21, a Chinese official said that Beijing seeks to “improve” the system which allowed Hong Kong to enjoy a level of autonomy for the past 23 years. Within 24 hours of the announcement, Surfshark reported that 42,000 Hong Kong residents visited its website, as it sold a week’s worth of VPN subscriptions in a single hour.
The new law, which took effect on July 1, criminalizes secessionist, subversive and terrorist activities, allowing Beijing to deploy state security agencies in the city. The sudden surge in VPN interest indicates that locals are concerned about this law potentially affecting their internet freedom.
Trump threatens TikTok ban over data controversy
- TikTok has severe privacy issues in its policy.
- TikTok is obligated to share user data with Chinese authorities if they ask.
- Trump, alongside other leaders around the world, voiced concern about potential breaches of privacy.
The popular video app TikTok has become a major source of privacy concerns around the world in countries like the US, India, Japan, Australia, Turkey and Pakistan.
The app has shown serious security vulnerabilities that are easily exploitable by hackers, and ByteDance, the company behind TikTok, is also headquartered in Beijing. Because of this, the Chinese government can ask TikTok to share its user data at any time and the company, like any other public or private business entity in China, would be legally obligated to do so.
Delving into the app and its policies only reveals more questionable conduct regarding user privacy. TikTok starts collecting data the minute someone downloads the app. It tracks visited websites, typing habits and even keystroke rhythms and patterns.
The app also warns users it has full access to photos, videos and contact information stored on the device. Unless the user manually revokes these permissions, TikTok uses their IP address and GPS coordinates to track their location while working, voting, attending protests and traveling.
Amazon, Microsoft and IBM pull the plug on facial-recognition technology for one year
- Facial recognition was used during the US protests in 2020.
- How this information will be used is still unknown.
- Microsoft, Amazon and IBM refuse to further share facial recognition technology with the police.
During protests that occurred across the US this year, law enforcement agencies were reportedly using facial recognition technology together with military-grade drones and body cams. How this information was used or will be used in the future remains unknown.
However, the implications are especially concerning given that there are no regulatory measures in place regarding the use of facial recognition. The technology is still in its infancy and often relies on large databases of photos to make matches. Needless to say, these methods yield questionable results, as the accuracy is sub-par at best.
In response to the situation, Microsoft was the first to announce that it won’t sell its facial recognition technology to the police anymore. Both Amazon and IBM followed their competitor. The former announced that it would freeze the technology from being used by law enforcement for a year, while the latter said it would no longer develop or research facial recognition at all.
Twitter’s biggest hack exposes accounts of high-profile public figures
- Overly broad access to account-setting tools at Twitter led to employees leaking their credentials.
- Hackers used this to hijack the accounts of over a thousand high-profile public figures.
Two former Twitter employees revealed in July that more than a thousand people working for the company had access to tools that could change user account settings. This resulted in one of the biggest security breaches Twitter has ever suffered, with more than a thousand high-profile public figures having their accounts hijacked in the process.
Whoever was behind this was phishing for employee credentials, calling customer service and tech support and asking to have their passwords reset through external links. Many employees reported this to security and went back to business, but a few took the bait and leaked their credentials to dummy websites controlled by the hackers.
Cases of such social engineering have been on a steady rise, especially during the COVID-19 pandemic when individuals frequently receive alerts and texts regarding the pandemic. However, contrary to popular belief, people have not become more gullible over this period. Everyone became used to having big changes announced in short, simple messages, causing phishing attacks to be more frequent and successful.
EU prepares encryption law and threatens messaging privacy
- EU begins laying the foundation against end-to-end encryption.
- Follows a similar idea to the one pursued by India and the Five Eyes alliance.
- The future of legislation regarding encryption laws in the EU became extremely vague.
The EU is reportedly laying the foundation to make a move against end-to-end encryption, a process that allows messaging apps to safely and privately transport information between user devices. The proposal has been in consideration since 2016 but a series of terrorist attacks in Paris, Vienna and Nice pushed it up in the EU’s priority list.
The new proposition is similar to what India and the Five Eyes alliance (USA, UK, Canada, Australia and New Zealand) have been aiming at for a while now. However, those countries have reportedly been deliberating on building backdoor access into devices.
In contrast, the EU home ministers pushed this idea saying that they need “security without encryption”, a term so vague it leaves a lot of room for interpretation. Consequently, it is nearly impossible to even speculate what this means in the grand scheme of data privacy and future legislation.
Internet blackouts during elections becoming common practice
- Several blackouts have been recorded during election processes in 2020 as countries sought to disrupt people’s abilities to communicate online.
- This type of behavior has been growing into a pattern since 2011.
The importance of the internet and digital communication has never been as obvious as during the COVID-19 pandemic, after human contact became a hazard. However, some governments across the world have cut off people’s ability to go online and exchange information in order to push their political agendas.
Internet shutdowns violate the human rights to freedom of expression, promotion of transparency, information access, and freedom of assembly.
In 2020 alone, authorities in Togo, Burundi, Belarus, Tanzania, and Guinea all pulled the plug on the internet during their election periods. Given that the first government-ordered nationwide digital blackout took place in Egypt back in 2011, the rate at which this is becoming common practice is alarming.
Apple’s ATT policy promises users full control over personal data
- Apple announced a new App Tracking Transparency policy, which will allow users to opt out of sharing their data with apps and websites.
- Received massive backlash from Facebook and ad brokers.
The global tech giant Apple took the privacy world by storm when it announced in June the implementation of its new App Tracking Transparency (ATT) policy. ATT will allow iOS 14 users to choose whether they want to share their personal information with third-party apps and websites.
Because of this, the company has received major backlash from Facebook, other ad brokers, and even a formal antitrust complaint from numerous trade associations in France.
In turn, Apple has stood firm by its decision, calling data collection without users’ consent both “invasive” and “creepy,” as most people have no idea how much data is being collected about them, or what kind.
How will these events shape the future of cybersecurity?
After all that we have witnessed this year, there is strong reason to believe that COVID-19 will bring fundamental change to the privacy and cybersecurity spheres going forward.
Concerns about third parties gathering user information and using it for monetary gain continue to rise, but legislative action is being taken to address them. Yet even the government bodies that have started to take preventative measures against data privacy misconduct are expanding their surveillance systems and proposing questionable cybersecurity laws.
2020 has been too chaotic in these regards to make many substantial predictions. However, the impact of COVID-19 has forced the majority of people to work from home and many workplaces to adopt hybrid work policies.
Seeing how the pandemic is not over, and we still don’t have a clear estimate of when it will end, this may just become a permanent change. If that happens, cybersecurity systems will have to adapt to a decentralized work environment, and employees will have to be trained to identify and avoid phishing attacks and social engineering attempts, both of which have seen incredible growth since the start of the pandemic.