At a glance.
- Privacy and Civil Liberties Oversight Board reports.
- Making sense of reporting on privacy.
- Data scraping isn't the same as a data breach.
Watchdog report on NSA surveillance under scrutiny.
In December, the Privacy and Civil Liberties Oversight Board concluded its six-year investigation of the US National Security Agency’s (NSA) XKeyscore program, which allows the NSA to query global internet traffic for the activity of specific individuals. The resultant report was submitted to Congress, the White House, and the Office of the Director of National Intelligence in March, but the Washington Post reports that a newly released statement from board member Travis LeBlanc reveals he voted against approving the report because he felt it “failed to adequately investigate or evaluate” XKeyscore. “What most concerned me was that we have a very powerful surveillance program that eight years or so after exposure, still has no judicial oversight, and what I consider to be inadequate legal analysis and serious compliance infractions.” The other four members of the board disagreed. Former board chairman Adam Klein asserted, “[The report is] highly factual, substantive and apolitical — the type of oversight the board was created to perform.” The New York Times notes that the board’s report was complicated by several factors, including a shift from Democratic to Republican control mid-investigation, and the fact that a presidential directive known as Executive Order 12333 allows XKeyscore to go unmonitored by the Foreign Intelligence Surveillance Court.
A primer on privacy threats.
Nextgov offers guidance for those trying to make sense of the various security incidents reported in the media. They advise that the typical user shouldn’t be overly concerned about their data being stolen in a ransomware attack (unless, of course, the attackers employ a double-extortion technique). In the event of a data breach, individuals impacted will likely be notified, and they can confirm for themselves on websites like haveibeenpwned.com. The type of data exposed is also a factor, as there’s a difference between login credentials and more sensitive info like bank account data or social security numbers. To get ahead of the game, users can take precautions like setting up two-factor authentication or mobile bank alerts.
“We want to be clear...this is not a data breach”
And indeed it's not. As the CyberWire noted earlier this week, LinkedIn experienced a data exposure (the second since April) in which 700 million user records were posted on an underground hacker marketplace. Computing reports that the professional networking platform continues to focus on their assessment that their systems were not infiltrated. “Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update.” Experts say that while LinkedIn might be correct, the impact on users is still worth acknowledging. “As successful attacks on infrastructure become more difficult to execute, attackers will naturally shift their focus to abusing legitimate access methods like APIs provided by businesses to access data,” principal security strategist Tim Mackey of Synopsys Cybersecurity Research Centre told ComputerWeekly.