Microsoft Privacy & Safety

Microsoft's Approach to Helping Protect Privacy and Safety Online

  • The Week in Online Safety, July 11, 2011

    A weekly global view of online safety news, policy developments, research, and influence 

    Violent Video Games
    The ramifications of last month’s Supreme Court ruling striking down a California law restricting the sale of violent video games to minors continued this week. NPR reports in “It's A Duel: How Do Violent Video Games Affect Kids?” that the research debate is unsettled, and that “scientists who think the games are harmful and those who think they're not are both looking at the same evidence. They just see two different things.”

    Michael Gallagher, president and CEO of the Entertainment Software Association wrote in an editorial after the ruling that:
    “As an industry, we are working to do our part by providing parents with the tools and information they need, including providing password-protected parental controls on all new video-game consoles. These robust controls allow parents' choices to be enforced even when they are not at home.”

    Online Safety Legislation
    Last week, several states either enacted or advanced legislation to address cyberbullying. In Connecticut, SB 1138 was signed into law. The Hartford Courant reports that “School officials are directed to develop a policy for maintaining a safe school environment and provide training in suicide prevention to teachers.” In Hawaii, HB 688 was sent to the governor for signing. The Honolulu Star-Advertiser reports the bill “requires the Board of Education to regulate compliance with Department of Education rules on bullying, cyberbullying or harassment,” as well as “hold annual training sessions on how to promote respect and how to intervene when students are victims or perpetrators of bullying.” However, in Oregon, SB 240, which would have required schools to have a cyberbullying policy, died when the 2011 session ended last week.

    Research
    Two interesting new studies from the United Kingdom were published last week. Dr Sarah Pederson of Robert Gordon University published a cyberbullying survey of teens, and found that half of teen boys and young men admitted to cyberbullying, and almost 70 per cent had been victims of cyberbullying, the Daily Mail reported. Also in the U.K., Nominet published a 100 word review, The impact of digital technologies on human wellbeing. The report found pervasive fears about online safety among U.K. parents, including 80 percent believing it is possible to become addicted to social networking sites, and a third believing that the Internet can “rewire” a person’s brain, The Telegraph reported.

    Advocates
    Larry Magid writes about “Old school conversations about child online safety,” stating that “While there are many tools available to control or monitor what your children are doing online, the best approach is the oldest of tools called conversation.” Marsali Hancock, President of iKeepSafe.org, writes about “Facebook Parenting: A Proactive Approach For Tweens.”

     - Compiled by David Burt

  • The Week in Online Safety, August 1, 2011

    A weekly global view of online safety news, policy developments, research, and influence 

    “Swatting” victimizes a prominent safety advocate.
    Yesterday it was reported that prominent safety advocate Parry Aftab was victimized by a type of revenge hoax known as “swatting.”  MSNBC reported:
    “Police received a 911 call from a man saying he had killed four people and was holding another hostage inside a home in Wyckoff, N.J. owned by Parry Aftab, a noted cybercrime lawyer and anti-cyberbullying crusader…When they got inside the house, police said they found it empty save for the family cat. No dead bodies, no hostage, no killer, no Parry Aftab. It turns out the 911 call that sparked the suburban standoff did not come from Aftab's house, but was placed through a computer that "cloned" her number, making it appear to come from her.”

    The FBI issued an official warning about “swatting” in 2008, and stated that “Law enforcement agencies at all levels are currently working with telecommunications providers around the country to help them address swatting activity.” Swatting perpetrators often use various methods of Caller ID spoofing. According to a Wikipedia article, there are multiple methods for Caller ID spoofing, including online services that offer a web-based interface. Caller ID spoofing was one of the tactics used by News of the World reporters to hack into voice mail messages. In response to security concerns related to Caller ID spoofing, Congress passed and President Obama signed the "Truth in Caller ID Act of 2010," which makes it a crime "to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive." However, the law does not outlaw the Caller ID spoofing services.

    Fallout from Norway Killings
    The recent mass killings in Norway are causing new online safety anxieties in Europe and elsewhere. Suspect Anders Behring Breivik’s use of violent video games has led stores in Norway to remove two games, "World of Warcraft" and "Call of Duty - Modern Warfare," that Breivik says he had played before his attack, AFP reports. Escapist reports that “The Australian Christian Lobby is calling for a ban on violent videogames in the wake of the Oslo massacre, but the government says it's unreasonable to blame games for the behavior of a ‘madman.’” German publication Deutsche Welle reports that officials from Finland, Estonia and Germany have all called for expanded monitoring of online hate groups after the attack.

    Online Safety Legislation
    Rep. Lamar Smith and Rep. Debbie Wasserman Schultz published an editorial, “Requiring Internet providers to retain user data is key to prosecution of online predators,” supporting their bill, H.R. 1981, the "Protecting Children From Internet Pornographers Act of 2011." The bill would require ISPs to retain subscriber information for up to 18 months to help investigators track down child pornography offenders. Privacy and civil liberties groups, such as the Center for Democracy and Technology, have voiced opposition to the bill, which they say would harm privacy rights.

    Advocates

    - Compiled by David Burt

     

     

  • Protecting Data: A Role for Corporate Privacy Programs

    On the Microsoft on the Issues blog, a guest post from Leslie Harris, President and CEO, Center for Democracy & Technology. For more on Microsoft's approach to accountability in privacy, see our backgrounder, “Privacy Accountability,” available on the Trustworthy Computing Policymakers site.

    Last Friday, I had the pleasure of moderating the inaugural panel of Microsoft’s new “Conversations on Privacy” series in Washington.

    I was joined by FTC Commissioner Julie Brill, Microsoft Chief Privacy Officer Brendon Lynch, Intuit CPO Barb Lawler and privacy expert Peter Swire of Ohio State University to discuss comprehensive privacy programs (aka “accountability programs”) and the role such programs play in efforts by the nation’s biggest brands to secure data and build consumer trust.

    The hallmark of the accountability approach is a move beyond simple compliance with privacy rules to a focus on data stewardship: rigorous attention to privacy in all processes that touch consumer data and in the design of new products and services. On the front end, innovative tools such as privacy impact assessments and privacy enhancing technologies help to identify and mitigate risk. And on the back end, monitoring and auditing ensure that privacy promises are honored.

    We began the conversation with a look at the well-developed privacy programs at Microsoft and Intuit. It was obvious that the secret sauce in the success of both programs included an experienced chief privacy officer at the helm, strong buy-in for the program from top leadership, and a company-wide desire to maintain consumer trust in the brand.

    Peter Swire questioned whether the message that privacy matters is getting through to companies without established brands, particularly those that collect consumer data outside of public view. Consumers do not “choose” to do business with these companies, and thus the incentives for these companies to build consumer trust are often low.

    However, is the resource-intensive accountability model beyond the means of small and mid-size firms that may want to do the right thing on privacy? Brendon Lynch offered an important level set, reminding us that accountability should be tied to the risk that a firm’s products or processes will have on privacy impact. As Commissioner Brill noted – in response to my question about whether recent enforcement actions mean that all companies need to adopt an accountability program – the ends, not the means, are what matter most. A company that does not have a CPO, for example, can still be doing the right thing on privacy.

    Panelists offered several ways that good privacy practices could be encouraged in small and mid-size companies. Barb Lawler emphasized that industry associations and groups like the International Association of Privacy Professionals can serve as a resource for smaller businesses. She also described mechanisms that Intuit employs to bring the company’s customer base of small businesses and individuals into the privacy dialogue. Brendon Lynch explained that large companies like Microsoft have a vested interest in ensuring that partners and participants in their ecosystem take privacy seriously and has therefore published its “Security Development Lifecycle” and made its privacy standards available.

    Finally, we discussed whether and how comprehensive privacy programs could be integrated into privacy legislation. Should accountability be required by legislation or is accountability a path forward that makes legislation unnecessary?

    Panelists – and audience members – held a range of views about whether baseline privacy legislation is truly necessary, but Commissioner Brill made the astute observation that improvements in company practices are correlated with periods of increased pressure from both the Hill and the FTC. If everyone were to “call it a victory and go home,” one important incentive for companies to improve their data stewardship practices would disappear. Brendon Lynch also expressed concern that without a baseline law to assure global customers that their data is being protected, American companies may find themselves at a disadvantage as they deploy innovative cloud services. One point that all agreed on: privacy legislation that set out privacy principles at a high level could be consistent with an accountability approach.

    At least from my perspective and that of my organization, the Center for Democracy & Technology (CDT), accountability programs are not a substitute for baseline privacy legislation. Microsoft and Intuit are among the major brands at the vanguard of privacy innovation. They understand why investing in privacy makes sense. However, without a baseline set of flexible privacy rules, much consumer data will have little or no privacy protection, and there will be little incentive for the myriad of companies that collect, use and share personal data to make similar investments.

    Having said that, core elements of accountability programs could be included in legislation, starting with privacy risk assessment for companies that collect and use large amounts of consumer data. And flexible privacy legislation that creates a safe harbor for companies that meet certain standards – such as implementing strong accountability programs – will reward responsible companies while ensuring that consumers’ privacy is protected in all instances.

    Leslie Harris is the President and CEO of the Center for Democracy & Technology and a recognized global leader in Internet policy. CDT is the leading Internet freedom organization working at the vanguard of technology and policy innovation.

  • Innovative Teachers use Technology to Combat Bullying

    Andrew Ko, Senior Director, U.S. Partners in Learning, Microsoft writes on the Microsoft on the Issues Blog:

    It’s hard to ignore the pictures in the news of bright-eyed young boys and fresh-faced teen girls with infectious smiles, full of life, and a future full of potential placed under the headline ‘Bullied to Death.’

    Bullying is one of the most pervasive issues affecting every school in the country on campus and online, and is a challenge that parents, teachers and administrators are tasked with tackling every day. With the vast use of social media, the phrase “Sticks and stones may break my bones, but words will never hurt me,” has become a thing of the past. Words have become powerful enough to drive students to tragically end their young lives.

    Bullying has emerged as a top theme among the applications for Microsoft’s 2011 US Innovative Education Forum (IEF), with several teacher applicants submitting lessons that use Microsoft technologies to help address the issue of bullying. These teachers are among 100 U.S. educators selected to attend the U.S. IEF, presented by Microsoft Partners in Learning. Microsoft will honor these educators for their creative and effective use of technology in the classroom to improve learning outcomes for every student’s future. The projects centered on bullying impart knowledge while addressing a serious problem facing students of all ages.

    At Franklin Pierce High School in Tacoma, Wash., there were a large number of fist fights at the beginning of the school year. Colin Horak’s 9th grade leadership class took on the challenge to address the problem and restore the freshman class’ reputation, working together on Project UNITE by adopting the universal hand sign for ‘I Love You’ as the logo to represent the campaign.

    They also created a moving PhotoStory music video, two public service videos, as well as t-shirts and signs. These were used in a presentation to the entire freshman class about making the school a better place for all students. Horak noticed that students in his class improved their attendance and academic performance because they felt like respected and appreciated members of the group and the overall mission.

    Another project example comes from Beacon Heights Elementary School in Salt Lake City, where an anti-bullying project stemmed from an unlikely source: The school’s art teacher specialist, Donna Pence. The project, called “Art, Bullying, and Videotapes,” started with the idea of having students show one another responsible forms of behavior inside and outside of school. Projects included staged skits, music videos, puppet shows, Claymation, stop-motion video and animation with Windows Moviemaker and Windows Media Player.

    During the assignment, students learned to work together and problem solve to achieve their goal of producing their videos. The projects were debuted on a video night at the school’s annual fundraiser, and will be used next year to introduce the idea of responsible behavior to a new group of students.

    Microsoft is committed to the education of our children, creating software and programs to teach and inspire them to strive for a successful future. Student safety has always been and will continue to be a top priority for the company, which is why it is so gratifying to see Microsoft software being used to address such a wide-spread issue that affects children of all ages.

    At Amazing Grace Christian School in Seattle, Michelle Zimmerman saw the root of bullying take the form of nurturing. Michelle began the lesson ‘From the face in the webcam to the face of humanity: Pre-teen researchers influencing little lives’ and assigned her middle school students preschoolers to mentor and instructed them to use a webcam to help research and document the development of their ‘buddies’ through human connection.

    Michelle noticed the boys showed the most verbal enthusiasm and traced it back to male dominance hierarchies and its commonality in schools as boys attempt to assert their status among classmates. Through the work mentoring younger boys, Zimmerman noticed the middle school boys felt a raised status because the preschoolers looked up to them. This observation prompted the discussion of bullying behavior and how the leadership role the students were learning in the lesson can improve social interactions among their peers.

    Horak, Pence and Zimmerman will join more than 100 innovative teachers at the Microsoft U.S. Innovative Education Forum from July 28-29 at the Microsoft campus in Redmond, Wash. In addition to the anti-bullying projects, other teacher submissions this year address topics such as engaging students in science, technology, engineering and math (STEM) fields, starting their own business and learning financial responsibility, and effectively implementing social media in the classroom. The IEF provides a forum for these innovative teachers to come together, share best practices and be honored for their amazing work. I look forward to watching them share their projects and collaborate to continue shaping education for our next generation!

    To read more about the remaining teachers and their projects selected to attend the U.S. IEF, please visit our TeachTec blog.

  • The Week in Online Safety, June 13, 2011

    A weekly global view of online safety news, policy developments, research, and influence 

    News
    The ongoing controversy over allowing children to use social networks drew the attention of the media, advocates, and policymakers, as the Boston Herald reports on the “Debate over allowing tweens to use social media,” while an article in ABC News notes that “Age verification not stopping kids from joining social networking sites.”

    Several news stories during the week reported on trends in cyberbullying: US News reports that “Cyber Bullying Growing More Malicious, Experts Say,” the Vancouver Sun relates how “Cyberbullying can start with a miscue,” and Medill Reports explores that “We know white kids cyberbully more than minorities; we don’t know why.”

    Policy – Legislative, Regulatory, and Legal Developments
    How the courts in the United States should treat juvenile “sexting” offenders continues to be an area of focus for legislators and advocates. The Washington Post reports that “Sexting teens need education, not jail, New York lawmakers say.” A number of states are, in fact, enacting proposals to lessen sexting penalties into law. Last week Nevada’s governor signed into law SB 277, which treats "sexting" by a minor as a noncriminal act, and exempts juvenile sexters from being considered sex offenders. A similar bill in Rhode Island, H 5094, was passed by the House and referred to the Senate.

    In the United Kingdom, the Department of Education released the Independent Review of the Commercialisation and Sexualisation of Childhood.  The report was overseen by Reg Bailey, Chief Executive of the Mothers' Union.  The BBC News summarizes the Bailey Review: Parents need much more help in protecting children from online porn.  

    Influencers
    Online safety experts, such as Dr. Justin W. Patchin of the Cyberbullying Research Center, were asking “How young is too young for social networks?”, while Larry Magid of Safe Kids opines that “Social networks ought to allow children under 13.”

    Anne Collier of Net Family News thinks about “How teachers use social media for students,” and in the European Union, online safety group InSafe describes Pan-EU Youth, an online platform for young people.

  • Microsoft HealthVault Explains Privacy Considerations with Facebook Integration

    Last week on the Family Health Blog, the Microsoft HealthVault team announced it would let users sign in with Facebook, and also explained the privacy considerations around the move:

    For many folks, Facebook is the Internet --- the social networking juggernaut has become the starting point for an incredibly broad swath of online activity, and “health” happens there all the time.

    With this release, we’re acknowledging Facebook’s central role in people’s lives by allowing users to sign into HealthVault using their Facebook credentials. It’s important to note that this does NOT mean that HealthVault information will show up on your wall! Today, data only moves from Facebook to HealthVault, not the other way around --- we use your name, birthdate, etc. from Facebook to populate the HealthVault signup form, but that’s it.

    Note that there may be great opportunities to create native Facebook applications that include HealthVault data … we just want to be sure folks understand that it is not happening now, and would only ever happen with explicit, separate user opt-in.

    The Facebook team has been really supportive of our moves in this area. We have been super-impressed with the seriousness with which they’ve responded to recent security issues. It is also a perfect complement to our recently-announced “second factor” account protection option --- if they like, users can log in with their Facebook credentials but get an extra security boost by having HealthVault call them on their mobile for confirmation before granting access.

    -- David Burt, CISSP, CIPP

  • New Article: Use location services more safely

    We just published a new article to help educate consumers on the risks of using location services and how to do so more safely:

     

    Use location services more safely

    Does your phone know where you are? If you've used your phone to find directions or locate a nearby restaurant, you've used its global positioning system (GPS) and it's likely that it would be able to pinpoint your location within a close range.

    Location services can be convenient for automatically adding location information (geotags) to photos. Some people also use location services to post their locations to social networking sites, such as Facebook. Be aware, however, that others can use your location information, too.

    The risks of using location services

    • The apps and search engine you use may sell your location data to advertisers who might then deliver ads on your mobile phone related to where you are.
    • Services, such as Foursquare, that track your location can be used for criminal purposes—for spying, stalking, or theft. If your location-sharing messages are tied to Twitter, there is no limit to who might know where you are and when you're not at home.
    • If messages that share your location are tied to your Facebook account, your network of friends and family will know your location.
    • Location information is added to all of the other data about you on social sites and blogs, comments you leave, and so on. It's likely permanent and searchable.

    How to use location services more safely

    Choose from among the strategies below to set the level of privacy that is right for you.

    Pay close attention to the settings that use your location

    • Consider turning off features that add location information (also called geotagging) in your tweets, blogs, or social network accounts.
    • Consider disabling location services altogether. Be aware, of course, that this will restrict such features as maps, bus route data, or services that allow you to watch over your children.
    • Use location features selectively. For example, turn on geotagging of photos only when you need to mark them with your location. Remember that it is safer not to geotag photos of your children or your house.

    Limit who knows your location

    • Share your location only with those you trust. For example, in a service like Facebook Places, create a separate list of your closest friends. Use privacy controls to restrict access to location status updates, messages, and photos.
    • Disable the option that allows others to share your location (check you in).
    • Set your location data so that it's not publicly available or searchable.

    If you use location services, check in thoughtfully

    Pay attention to where and when you check in.

    • Does it enhance or harm your reputation?
    • Does it put others at risk? For example, are you checking in from your kids' school or a friend's house?
    • Are you alone? If so, is checking in safe?

    Link to social media with care. Avoid sending your check-ins to Twitter, Facebook, or your blog.

    Help protect kids who use location services

    In addition to the other ways you can help preserve your family's online safety, consider these steps specific to location services:

    • If you use a family location service to monitor your kids' whereabouts, make sure others cannot locate them. Otherwise, consider disabling the location feature on your child's phone—at the very least, turn it off in the phone's camera.
    • Unless you feel your teenage children have the maturity to use these services responsibly, prevent them from using check-in services available on social-networking sites.

    For more information

    • Get more advice about how to take charge of your online reputation.
    • Learn how to secure your smartphone.
    • Learn about privacy and location services on Windows phones.

  • The Week in Online Safety, June 20, 2011

    A weekly global view of online safety news, policy developments, research, and influence 

    News
    The debate on how to address the use of social networks by minors continued last week, and an article in ZDNet asked, “Is Facebook's 'under-13' policy viable?” Video gaming safety was also in the news, with Tech News Daily reporting on research suggesting that “Relaxing Video Games May Calm Players in Real Life,” while the U.S. Supreme Court is expected to rule on the constitutionality of a California law restricting violent video games very soon.

    Policy – Legislative, Regulatory, and Legal Developments
    Social networks were the focus of proposed regulation aimed at protecting minors in the United States, the European Union, and Australia.  In the U.S., The Washington Post reports “Lawmakers, advocates push social networks for more protection of youngest users,” and discusses the issues around verifying the ages of minors online.  In Europe, the European Parliament Civil Liberties Committee published a report on data protection stating that “Children using social networks must be protected,” and Mobiledia reports “Australian Parliament to Consider Social Media Parental Controls.” 

    Several states either enacted or advanced legislation to address cyberbullying. Tennessee enacted a pair of statutes: HB 300 adds electronic communications to existing anti-harassment statutes, and HB 301 allows schools to discipline students for online harassment. The Knoxville News reports on both measures. In Rhode Island, S 732, which would create a single, statewide policy for cyberbullying, was sent to the governor; and in New York, S 4921, which would expand the definition of school bullying to include cyberbullying, was passed by the Senate and referred to the Assembly, The Legislative Gazette reports.

    Research
    The Joan Ganz Cooney Center at Sesame Workshop released a new study, “Families Matter: Designing media for a digital age.” The study shows the “Results from a survey of more than 800 parents of children ages 3 through 10 reveal how parents nationwide feel about raising children in a digital age.” Net Family News gives some analysis.

    Influencers
    Justin Patchin & Sameer Hinduja of the Cyberbullying Research Center announced the publication of their new book, Cyberbullying Prevention and Response: Expert Perspectives. The book will be available June 24, and features expert perspectives on law, education, therapy, and other issues.

    Several advocacy groups announced new initiatives for Internet Safety Month in the United States.  The National Center for Missing and Exploited Children released a “New Game that Teaches Kids How to Stay Safe on the Internet,” and Enough is Enough released “Summer Cyber Safety Made Simple.”  

    Finally, Anne Collier of Net Family News commented on “The teen sexting ‘trainwreck’ & state laws.” 

    Compiled by David Burt.

  • The Week in Online Safety, August 15, 2011

    A weekly global roundup of online safety news, policy developments, research, and influence

    News
    U.S. - Parents let children go social/online, ABC News, Aug. 5, 2011 

    U.S. – Social Network Crimes on the Rise, Experts Warn, Fox News, Aug. 11, 2011 

    U.S. - Adults struggle to grasp new bullying, Ed. News, Aug. 11, 2011 

    U.S. - Schools wrestle teens texting, social media use,  NWI, Aug. 10, 2011

    Policy – Legislative, Regulatory, and Legal Developments
    U.S. - Fed Court rules punishing students for posting MySpace photos over summer unconstitutional, Daily Herald, Aug. 10, 2011

    U.S. – Texas Prosecutors learning of problems with sexting bill, Star Telegram, Aug. 8, 2011

    U.S. - Tennesseans face new Internet rules aimed at curbing piracy, bullying, The Tennessean, Aug. 7, 2011

    S. Korea - Government plans to scrap online real-name system, TMCNet, Aug. 11, 2011

    U.S. - Mo. social media law stirs up educators, parents, CBS News, Aug. 11, 2011

    Australia - Australia creates adult-oriented R18+ game classification, The Globe and Mail, Aug. 10, 2011

    Research
    U.S. - Cyberstalking is more traumatic than being stalked in person, says APA study, Think Digit, Aug. 9, 2011 

    U.S. - Most parents don’t monitor their children’s social media activity, SocialBeat, Aug. 9, 2011 

    U.S. - Study: Teenage social media use can lead to narcissism, health issues, Digital Journal, Aug. 7, 2011

    Advocates
    U.S. – MO law: Well-intentioned but flawed, Anne Collier, Aug. 7, 2011 

    U.S. - Texting Potential, iKeepSafe, Aug. 10, 2011

  • IE9 with SmartScreen Leads Malware Protection Once Again

    Roger Capriotti writes on the Internet Explorer Blog:

    While the web is a wonderful place, there are many dangers online that can
    put you and your computer at risk. Your browser is the first line of defense
    against attacks on the web, and it plays a critical role along with anti-virus and other security software to help keep
    you safe online. With Internet Explorer, SmartScreen helps protect users from socially
    engineered malware attacks by stopping them before they have a chance to infect
    your PC.

    NSS Labs, an
    independent security research and testing organization, released two reports today that show SmartScreen
    continues to offer industry-leading protection against socially engineered
    malware. According to the global test conducted by NSS, “IE9 caught an
    exceptional 96% of the live threats with SmartScreen URL reputation, and an
    additional 3.2% with Application Reputation.” The graph below compares the test
    results from various browsers and shows that Internet Explorer blocks up to
    seven times more malware than other browsers in the global test.

    Source: NSS Labs, August 2011 – Global Socially Engineered Malware
    Protection

    Other regional tests released by NSS for socially engineered malware targeted
    at users in Asia Pacific and in Europe showed similar and consistent results. In
    all cases, Internet Explorer 9 leads across all browsers in protecting users
    from these live threats of malware.

    Source: NSS Labs, Asia, Global, and Europe Reports (2011)

    We continue to improve the quality and protection SmartScreen technology
    offers to our Internet Explorer users. You can see these improvements in how
    much faster SmartScreen is in blocking malware over time. Since the October 2010 NSS report, the average time taken by
    SmartScreen filter to block a threat has gotten 28% faster - and if Application
    Reputation is considered, then the average time has improved by 85%. Not only
    has the effectiveness of the technology improved, but so has the speed at which
    it is able to identify socially engineered malware. For our Windows customers,
    this means fewer infections and headaches for you.

    Internet Explorer is designed with your security and privacy in mind. Innovative features such as SmartScreen and Application Reputation are examples of technologies
    that help protect you as you browse from an increasingly prevalent threat – socially engineered malware. According to Bruce Hughes from AVG Technologies, “Users are 4
    times more likely to come into contact with social engineering tactics as
    opposed to a site serving an exploit.” As this threat becomes more common, consumers need better protection, and
    the SmartScreen filter in Internet Explorer is designed to directly address this threat.

    When it comes to browsing the web safely, your browser choice matters. If you
    haven’t already done so, download Internet Explorer 9 and experience a safer
    browsing experience.

    Roger Capriotti
    Director, Internet Explorer Product Marketing

  • Xbox LIVE Enforcement “Unicorn Ninja” Keeps Service Safe and Fun for Everyone

    From the Microsoft News Center Blog:

    In an otherwise typical Microsoft hallway, a black curtain stretches across the doorway to a large room. The whiteboard next to it offers this ambiguous, if not curiosity-inducing, explanation: “Please do not disturb. Sensitive material behind curtain.”

     
    Behind the black curtain is a unique team of Microsoft employees. Their existence is not widely known, and probably for good reason – if you have a close encounter with a member of Xbox LIVE’s Policy and Enforcement team, chances are you’re on the wrong end of right.

    Hackers, cheaters, phishers, account thieves, game code modifiers, communication abusers – they help police it all, including actual crimes in some rare instances. The team is there to help make sure Xbox LIVE is safe, non-offensive and fun for all users.
    “If you’re playing a game on Xbox LIVE, and somebody snipes you from across the map and you drop the F-bomb, we’re not going to ban you – not for the occasional slip. We focus on the really bad stuff,” says Boris Erickson, Xbox LIVE Enforcement Unicorn Ninja. Yes, that is his actual job title.

    Adds Erickson: “We are not here to be the arbiters of all speech. But there are certainly some kinds of communication on Xbox LIVE that cross a line – racism, homophobia, sexism, offensive comments about nationalities, and more.”

    Day in and day out, the inboxes of Erickson and his fellow enforcers are piled high with stacks of complaints about offensive behavior, speech, and materials. They dutifully sort through it all and decide what’s next. That could range from requiring a user to remove an offensive word or phrase from their profile to – in the more egregious cases – outright banning users.

    “Or, as we like to say, inviting them to not be our customer,” Erickson says. “These are paid subscriptions we’re taking away, so we want to make sure we’re doing exactly the right thing.”

    All Xbox LIVE users agree to a code of conduct when subscribing to the entertainment service. But, as Xbox LIVE tops 35 million users – and, as it incorporates an ever-widening range of entertainment, gaming, and communication features – it’s a given that there will be opportunists and rule-breakers, Erickson says.

    But the team’s director, Stephen Toulouse (known widely by his Microsoft e-mail alias, Stepto), says despite Xbox LIVE’s explosive growth over the last several years, the number of complaints his team handles has remained tiny in proportion to the growing number of people who use the service.

    “Looking at the stats, the cross-section of bad apples we deal with every day is small – typically less than one percent of the overall population,” Toulouse says. “The user complaint volume has tended to stay relatively flat compared to the line of new users. What that says to me is that our efforts are having an impact, and also that we’re broadening our audience. We’re bringing in different people that want to experience different things on Xbox LIVE, not just gaming, and at the end of the day that’s going to improve everything.”

    The Explosion of Xbox LIVE

    When Toulouse joined Xbox LIVE in 2007, the entertainment service had not yet reached one million users online at the same time.

    “Enforcement was literally done by one guy with a spreadsheet who would go through the complaints once a week,” Toulouse says.

    Though it took years to hit the one million user mark, it took one year to hit two million concurrent users.

    “We knew Xbox LIVE was going to explode,” Toulouse says. “We knew we were on the cusp of something huge, especially when we saw how many people came into the service with the launch of Halo 3.”

    The folks at Xbox LIVE, including Toulouse, wanted to stay ahead of the game. He slowly started assembling a team, and they started designing a tool to help the team effectively police the growing community of users. The result was a software program called Vulcan to help enforcers handle and escalate complaints.

    “It was designed on cocktail napkins, then coded and designed to allow people who do complaint investigations to do so in an efficient and accurate way,” Erickson says.

     
    Enforcers are now using a brand-new version of this tool, called “Vulcan 2,” which makes sorting through complaints even faster. In fact, because all enforcers are experienced gamers, they also often use an Xbox controller to navigate their work.

    Say one gamer is offering to sell cheating services, or another user in a multiplayer online game is spouting racial epithets into his or her microphone, or yet another registered an offensive gamertag. Enforcement agents will find out about it either via a complaint sent by another Xbox user or by experiencing it firsthand.

    “The enforcement agents also play games,” Erickson says. “Part of what we pay them for is to be out there in the community, listening for threats, looking for vulnerabilities, and reporting back to us.”

    There are a handful of enforcements the team hands out ranging from a 24-hour ban to the most serious – voting an Xbox LIVE user “off the island” for good.

    Apart from being gamers, agents are “steeped and stewed” in Internet culture, as well as being experts in slang, acronyms, and more. Erickson says some of them can actually write in “l33t,” (pronounced “leet”) a hacker pidgin language that incorporates abbreviations and numbers in an attempt to bypass profanity filters.

    “We always appreciate having a diversity of knowledge,” Erickson says of the team. “Everybody kind of brings their own little history to the table, and can interpret content in the way the rest of us can’t.”

    Toulouse says such diversity is key, though every member of the team shares a common goal.

    “They are absolutely passionate about safety on Xbox LIVE,” he says. “I personally believe that when you buy your Xbox LIVE subscription, you are getting us ‘free in the box.’ Microsoft has invested in us, and we are invested in trying to make sure the experience is good.”

    “We Have a Great Community”

    Along with Toulouse and Erickson, Jason Coon and Andreas Holbrook round out the management team, which includes numerous enforcement agents who work one of three shifts during the day to maximize coverage (together, they cover 18 hours a day, seven days a week, 365 days a year). Coon manages the agents, and Holbrook works with outside companies and law enforcement agencies on deeper investigations.

    The team is tight-knit, primarily because of the kind of content and situations they deal with each day.

    “There’s a sort of gallows mentality, because we do have to deal with some pretty bad stuff during the course of our day,” Erickson says. “We talk openly and frankly about it and the effect it has on all of us. You can’t help but need to talk after being exposed to the worst of the worst day in and day out.”

     
    Sometimes this includes interacting with courts, law enforcement agencies, and other agencies. In one recent case, that included the National Center for Missing and Exploited Children (NCMEC).

    “That, of course, pushes a lot of buttons,” Erickson says. “We make sure people get the space and time they need after something particularly bad – to have a talk, or go outside and take a walk.”

    The team also has some go-to “palate cleansers” to brighten things up: LOLcats, those cute and funny pictures of animals adorned with irreverent and witty (and almost exclusively grammatically incorrect) captions.

    “Sites like ‘I Can Has Cheezburger’ and ‘The Daily Squee’ are frequently called upon around here,” Erickson says. “They do a lot to help. You sort of need that disconnection from the offensive content sometimes.”

    As Xbox LIVE continues to expand, so too does the enforcement team and the effectiveness of their tool Vulcan. But Erickson doubts there will ever be a time that enforcement is totally automated.

    “Most of the decisions need human eyes to keep it real, though we are moving into a realm where we’re applying more automation to the process,” Erickson says.

    And what of this team whose sole mission it is to deal with “the worst of the worst” – what has it done for their views on humanity?

    “I’ve learned that the vast majority of people on our service are out there having fun. We have a great community,” Toulouse says. “To the extent that we do see bad behavior, it’s often tied to the belief that they’re anonymous, they won’t get caught, and we’re not looking. The vast majority of people out there are trying to be excellent to each other.”

    Despite having seen the worst of people, Erickson, too, is still optimistic about people.

    “The reality of working in the wild, wild west of the internet is that most people just want to be creative, and to use our products in social ways and to connect to people. And for the ones that don’t, well, that just requires a bit of tweaking. We’re slowly crumbling the nexuses of bad behavior.”

  • The Week in Online Safety, August 22, 2011

    A weekly global roundup of online safety news, policy developments, research, and influence

    News
    U.S. - Netflix Launches 'Just For Kids Section', AP, Aug. 16, 2011

    U.S. - New FBI iPhone App Could Help Keep Kids Safe, ABC News, Aug. 16, 2011 

    Australia - Police warn of 'sexting' perfect storm, ABC News, Aug. 16, 2011

    U.S. - What Is Your Teen's Online Reputation?, Psychology Today, Aug. 14, 2011

    U.S. - Facebook Issues Security Guide for Teens, Parents, Teachers, PC World, Aug. 18, 2011

    U.S. - Could Those Hours Online Be Making Kids Nicer?, The Wall Street Journal, Aug. 16, 2011

    Kuwait - Kuwait teachers to get cash for using Twitter and Facebook, Al Arabiya News, Aug. 16, 2011

    Policy – Legislative, Regulatory, and Legal Developments
    U.S. – IL HB 2389 - The Online Child Safety Act, Signed into Law. (Requires ISPs to offer parental controls.)

    U.S. - FTC Publication “Living Life Online” Fosters Online Safety for Tweens and Teens, FTC, Aug. 15, 2011

    U.S. - ACLU Sues Missouri School System for Censoring Gay Advocacy Websites, Fox News, Aug. 16, 2011

    Australia - Sexting punishment is unjust says magistrate, The Age, Aug. 14, 2011

    Research
    U.K. - Study finds third of teachers have been bullied online, BBC News, Aug. 15, 2011 

    Influence
    E.U. - Kids on social networks - privacy first!, InSafe, Aug. 17, 2011 

    U.S. - Teaching via the Internet, iKeepSafe, Aug. 19, 2011 

    U.S. – Donna Rice Hughes on NBC’s Today Show, Enough is Enough, Aug. 12, 2011 

    U.S. - ACLU Sues Missouri School District for Illegally Censoring LGBT Websites, ACLU, Aug. 15, 2011 

    U.S. - Debunking myths about kids’ online risks: Studies, Anne Collier, Aug. 19, 2011 

    U.S. - Kids, Privacy, Free Speech & the Internet: Finding the Right Balance, Adam Thierer, Aug. 12, 2011

     

  • Back to School: Stand Up to Cyberbullying

    Jacqueline Beauchere, Director, Trustworthy Computing Communications, writes on The Official Microsoft Blog:

    September is synonymous with back-to-school for much of the world's youth – getting back in the classroom, reconnecting with friends and teachers and sharing tales of summer fun. For some, however, back-to-school often means a return to cyberbullying.  

    New Microsoft research shows that, on average, 27 percent of people in five countries have been exposed to cyberbullying in the last 12 months. The survey, conducted in Brazil, France, Germany, the United Kingdom and the United States, shows that in these countries, cyberbullying features most prominently in Brazil (50 percent) and less so in the U.S. (16 percent).

    France, Germany and the UK, meanwhile, fall more in the middle of the pack, with 24 percent, 25 percent and 22 percent of respondents, respectively, stating that they or someone they know have been exposed to incidents of cyberbullying in the past year. These data are part of a larger Microsoft study about consumer online awareness, attitudes and behaviors, and are in line with other similar polling data. Statistics vary, but in the U.S., Europe, Australia, Japan and South Korea, between 10 percent and 40 percent of teens say that at one time or another, they’ve been victims of cyberbullying.

    The Cyberbullying Research Center in the U.S. defines cyberbullying as “willful and repeated harm inflicted through the use of computers, cell phones, and other electronic devices.” Examples include sending hurtful or threatening messages online or to a cell phone; posting embarrassing pictures or information about another person with the intent to humiliate them; and impersonating someone online. Global media reports show that, in rare but highly publicized instances, Internet bullying can intensify to such a degree that young people may see taking their own lives as the only way out.

    In an effort to create a “culture of safety” and promote good “digital citizenship” worldwide, Microsoft helps inform parents, caregivers, teachers and school officials about cyberbullying. We've published a list of 10 tips for tackling cyberbullying. These include:

    · Be an advocate. Kids need to know that adults can and will provide positive, active and predictable support. And, that they should never, under any circumstance, bully someone.
    · Talk about it. Encourage kids to report bullying to a trusted adult.
    · Look for signs of online bullying. For example, if kids get upset when they're online, or they show a reluctance to go to or be at school.
    · Encourage them to make friends. And, urge friends to look out for one another. Cyberbullies are less likely to target those whom they perceive are well-supported.

    Indeed, we make a host of cyberbullying prevention resources available at our Safety & Security Center, including a factsheet, brochure and article, as well as recent cyberbullying research and the associated findings. We participate actively in industry coalitions, and partner with groups such as iKeepSafe, Wired Safety and the Family Online Safety Institute, supporting their efforts to help prevent cyberbullying and reduce other online risks.

    Earlier this year, we were invited to and participated in a White House summit on Bullying Prevention, presided over by President Barack and First Lady Michelle Obama. We intend to remain active in these dialogues, and work with others in the technology industry, law enforcement, government and advocacy organizations to help reduce instances of cyberbullying.

    No individual, company or organization can shoulder such a challenge alone. Like many online risks, combating cyberbullying and harassment are shared responsibilities. The first steps rest with each of us. So, all of us must do our part. As kids head back to school, teach them safer online habits and practices, and encourage them to stand up to cyberbullying.

     

  • The Week in Online Safety, August 29, 2011

    A weekly global roundup of online safety news, policy developments, research, and influence

    News
    U.S. - What to Do If Your Child Is a Cyberbully, Security News, Aug. 25, 2011

    U.S. - Playing video games together considered 'quality time' for children to bond, Daily Mail, Aug. 23, 2011

    U.S. - Victim: Dating site sex-offender screening could 'save' other women, Los Angeles Times, Aug. 24, 2011 

    U.S. - Apps to block texting & driving, Online Mom, Aug. 24, 2011

    U.S. - New Ways to Protect Your Kids Online, Smart Money, Aug. 24, 2011

    U.S. - News sites using Facebook Comments see higher quality discussion, Poynter, Aug. 18, 2011

    Policy: Legislative, Regulatory, & Legal Developments
    U.K. - Government backs down on plan to shut social media in crises, The Guardian, Aug. 25, 2011 

    U.S. - Union Challenges Missouri Ban on Student-Teacher Online Communications, Wired, Aug. 22, 2011 

    U.S. - Child Pornography Bill Makes Privacy Experts Skittish, NPR, Aug. 24, 2011 

    Research
    U.S. – Teens Regularly Using Social Networking Sites Likelier to Smoke, Drink, National Center on Addiction, Aug. 24, 2011 

    U.S. - Parents say tech skills are a barrier to keeping kids cyber-safe, Telstra, Aug. 22, 2011

    Advocates
    U.S. - The Porn Identity, iKeepSafe, Aug. 24, 2011

    U.S. - Do fear and exaggeration increase risk?, Larry Magid, Aug. 25, 2011

    U.S. - Confiscating Cell Phones from Students at School, Cyberbullying Research Center, Aug. 24, 2011

    U.S. - Statement on Facebook’s New Privacy Features, Common Sense Media, Aug. 24, 2011

    U.S. - A fresh look at ‘Netiquette’, Anne Collier, Aug. 24, 2011

  • Microsoft Privacy Profile: Robert Gratchner,

    Here's the first in a series of profiles of privacy managers at Microsoft. Robert Gratchner is director of privacy and online safety supporting the advertising business group at Microsoft. Click here to read the entire profile in a two-page PDF:

     

     

  • Microsoft’s response to the DigiNotar compromise

    An important update from the Microsoft Security Response Center:

    This blog post was updated Sept. 5, 2011 below.

    Microsoft’s investigation into the scope and impact of the DigiNotar compromise has continued over the holiday weekend. We’ve now confirmed that spoofed certificates for *.microsoft.com and *.windowsupdate.com are among those issued by the Dutch firm.

    Users of Vista and later operating systems have been protected since we released Security Advisory 2607712 on August 29. In addition, customers using Windows Update on any platform are not at risk of exploitation from the windowsupdate.com certificate, since that domain is no longer in use. The Windows Update service uses multiple means of checking that the content distributed is legitimate and uncompromised. For more information on how Microsoft is protecting customers and additional actions customers may take for further protection, please see today’s SRD blog post titled “Protecting yourself from attacks leveraging fraudulent DigiNotar digital certificates.”

    As always, we continue to take action to ensure the safety of our customers. We have already removed the two DigiNotar root certificates, which encompass what we believe to be the vast majority of the fraudulently issued digital certificates, from the Certificate Trust List. All fraudulent certificates that have been disclosed to Microsoft roll up to one of those two root certificates. We are also working to update Security Advisory 2607712 for customers on XP and Server 2003 and will continue to investigate any additional issues arising from the spoofed *.microsoft.com certificate. We will provide updated information to customers as it becomes available.

    Dave Forstrom
    Director, Trustworthy Computing

     

    UPDATED Sept. 5, 2011

    On Aug. 29, Microsoft released Security Advisory 2607712 to remove two DigiNotar root certificates from the Certificate Trust List. We are in the process of moving all DigiNotar owned or managed Certificate Authorities to the Untrusted Certificate Store, which will deny access to any websites using DigiNotar certificates. Microsoft is preparing to release an update to implement these protections.

    Microsoft is offering the update to customers worldwide in order to protect them from this breach. At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates. Dutch customers who wish to install the update can do so by manually visiting Windows Update or following the instructions available at www.microsoft.nl once the security update is released worldwide.

    For further updates and actions customers may take for added protection, visit: http://blogs.technet.com/b/msrc.

  • The Week in Online Safety, September 5, 2011

    A weekly global roundup of online safety news, policy developments, research, and influence

    News
    U.S. - ‘Odd Girl Out’ tackles bullying in the digital age, NBC News, Aug. 30, 2011

    U.S. - Violence in Video Games: It’s All Part of Growing Up, Wired, Sep. 6, 2011

    U.S. - Video Games Could Increase Children’s Risk of Identity Theft, Fox News, Aug. 31, 2011

    U.S. - Social networking helps students perform better, professor says, AP, Aug. 26, 2011

    U.K. - Children should be taught importance of privacy in mainstream education, ICO says, Out Law, Aug. 31, 2011

    U.S. - Internet anonymity suffering scrutiny courtesy of the London riots, Digital Trends, Aug. 27, 2011

    Policy: Legislative, Regulatory, & Legal Developments
    U.S. – Statement before House Ways and Means Committee on Child Identity Theft, Federal Trade Commission, Sep. 1, 2011 

    U.S. - New CT 'cyberbullying' law poses challenges as school year starts, The Connecticut Mirror, Aug. 30, 2011 

    U.S. - Bullying Law Puts New Jersey Schools on Spot, The New York Times, Aug. 30, 2011 

    U.S. – Social Network limits for teachers nixed by Mo. Judge, CBS News, Aug. 26, 2011

    Research
    U.S. - The Effect of Video Game Competition and Violence on Aggressive Behavior, Psychology of Violence, Aug. 15, 2011

    Advocates
    U.S. - Back to school - what should you be thinking about?, Parry Aftab, Aug. 31, 2011

    E.U. – September Insafe Newsletter, Insafe, Sep. 1, 2011

    U.S. - Another Well-Meaning, but Unfunded Mandate to Address Bullying, Justin Patchin, Sep. 1, 2011

    U.S. - Digital Citizenship & Media Literacy Beat Tracking Laws and Monitoring, Larry Magid, Huffington Post, Aug. 30, 2011

    U.S. - What is online risk?: Helpful clarity from Europe, Anne Collier, Aug. 30, 2011

    Compiled by David Burt 

  • Improving Consumer Privacy on the Internet with the W3C and Web Standards

    Ziad Ismail writes on the Internet Explorer Blog:

    Today, the W3C formally created a working group to focus on consumer privacy on the Internet.

    Internet Explorer 9 was built with a focus on consumer privacy. As Dean Hachamovitch explained in the blog introducing Tracking Protection, a comprehensive approach requires both a) the ability for Web sites to detect consumers' intent not to be tracked and b) a mechanism for consumers to protect themselves when their intent is not respected. Since the announcement, numerous privacy organizations have begun offering Tracking Protection Lists.

    We saw the opportunity to work together with the W3C and its members to create a common standard, improve site adoption and increase consumer privacy on
    the Internet. In late February, the W3C accepted and published Microsoft’s member submission for an industry standard. Today, with the formation of the new
    privacy working group, the W3C takes the next step in establishing a standard for web sites to detect when consumers express their intent not to be tracked
    and help protect those same consumers from sites that do not respect that intent. The full charter and details of the working group are available here.

    We look forward to working with the members of the W3C on this important initiative.

  • The Week in Online Safety, September 12, 2011

    A weekly global roundup of online safety news, policy developments, research, and influence

    News
    U.S. - Figuring Out How Children Learn With Technology, The New York Times, Sep. 8, 2011

    E.U. - PEGI widens remit with mobile ratings, MCV, Sep. 9, 2011

    U.S. - When Should Kids Get Cell Phones?, Huffington Post, Sep. 8, 2011

    U.S. - Apps, social networks pose new threat to kids, USA Today, Sep. 7, 2011

    U.S. - Facebook: No single solution for implementing age restrictions, ZDNet, Sep. 7, 2011

    U.S. - How an Internet ‘Sextortionist’ Ruined the Lives of Teen Girls, Wired, Sep. 7, 2011 

    U.S. - Teenage fights get taped, go viral, The Washington Post, Sep. 8, 2011 

    Policy: Legislative, Regulatory, & Legal Developments
    Australia - Jail terms for cyberbullies put on table, The Australian, Sep. 8, 2011 

    UAE - Tagging Facebook photos without permission?  Think twice, Next Web, Aug. 29, 2011 

    U.S. - Dad of girl, 12, sues Facebook over her suggestive photos, BBC News, Sep. 6, 2011 

    U.S. – MO SB1, Passed Ed. Comm., Sep. 12.  (Would repeal portions of law restricting teacher use of social networks)

    Research
    U.S. - Parents' Behavior Linked to Kids' Videogame Playing, Science Daily, Sep. 7, 2011

    U.S. - 28% of American adults use mobile and social location-based services, Pew Internet, Sep. 7, 2011 

    U.S. - Harris Interactive Poll: Bullies Are Top Worry for Parents and Youth, Harris Interactive, Sept. 7, 2011 

    Advocates
    U.S. - Who Gets to See Our Social Networking Sites?, iKeepSafe, Sep. 8, 2011 

    E.U. - Back to School 2011 gift from Insafe, InSafe, Sep. 7, 2011 

    U.S. - First Town Hall on Online and Mobile Privacy for Kids, Common Sense Media, Sep. 1, 2011 

    U.S. - 5th-graders teaching us about teaching digital citizenship, Anne Collier, Sep. 7, 2011 

    U.S. - Why Confiscating Student Cell Phones Might Be a Bad Idea, Sameer Hinduja, Sep. 7, 2011

    Compiled by David Burt, CISSP, CIPP

     

  • New Survey from FOSI on Parental Controls, Sponsored by Microsoft

    Today in Washington, D.C., the Family Online Safety Institute (FOSI), with support from Microsoft and other companies, released the findings of a new survey on the use of parental controls that found that 53
    percent of parents say they have used parental controls for their children’s Internet use. 

     That finding of 53 percent closely tracks with other recent surveys:

    While almost half of all parents aren’t using parental controls, a reassuring 93 percent say they have set rules or limits to monitor their children’s online usage, according to the survey:

    These rules include requiring children to only use the computer in a certain area of the house (79 percent), limiting the amount of time a child can spend online (75 percent), setting rules for the times of day a child can be online (74 percent), and establishing time limits for use of a child’s cell phone (59 percent).  

    The press release for the survey quotes Microsoft’s Kim Sanchez:

    “Access to the Internet and all it offers is crucial for preparing today’s youth for the 21st century,” said Kim Sanchez, Chairman of the FOSI Board of Directors and Director of Privacy and Online Safety at Microsoft Corporation. “The survey results are encouraging because parents believe they have the tools necessary for their children to safely navigate the digital world.”

    There’s also a nice InfoGraphic from the research:

  • The Week in Online Safety, September 19, 2011

    A weekly global roundup of online safety news, policy developments, research, and influence

    News
    U.K. - Trolling: Who does it and why?, BBC News, Sep. 14, 2011 

    U.S. - Psychology Researchers Argue Gamer 'Improvement' Studies Are Flawed, Gamasutra, Sep. 15, 2011 

    U.K. - How bullied children get worse grades at school, Daily Mail, Sep. 9, 2011 

    U.S. - Don't study the video game, study the player, USA Today, Sep. 15, 2011 

    Policy: Legislative, Regulatory, & Legal Developments
    U.K. - Internet troll jailed after mocking deaths of teenagers, The Guardian, Sep. 13, 2011

    U.S. - FTC proposes stricter online privacy rules for children, San Francisco Chronicle, Sep. 15, 2011 

    U.S. - FTC Seeks Comment on Proposed Revisions to COPPA, FTC, Sep. 15, 2011 

    E.U. - 2011 Implementation Report on the Protection of Minors, EU Commission, Sep. 13, 2011

    Research
    U.S. - Majority of Parents Use Tools, Rules to Protect Their Kids Online, FOSI, Sep. 14, 2011

    Advocates
    U.S. - FTC’s proposed updates for COPPA, Anne Collier, Sep. 19, 2011 

    U.S. - Statement on the FTC’s COPPA Report, Common Sense Media, Sep. 15, 2011 

    U.S. - CDT Statement on FTC's Proposed COPPA Revisions, CDT, Sep. 15, 2011 

    U.S. - Federal Trade Commission Proposes New Rules for Children’s Online Privacy, EPIC, Sep. 15, 2011 

    U.S. - Kids, Parents & Online Safety, Adam Thierer, Sep. 15, 2011

    U.S. - Cyberbullying 101: Fact vs. fiction, Larry Magid, Sep. 12, 2011

    U.S. – New Game Teaches Kids How to Stay Safe on the Internet, NCMEC, Sep. 13, 2011

    -- Compiled by David Burt, CISSP, CIPP

  • Microsoft Privacy Profiles: Corey Miller and Kore Koubourlis Help Guide Privacy Initiatives in the Cloud

    Here's the second in our series of profiles of privacy managers at Microsoft. Corey Miller, senior information architect for privacy strategy in Microsoft Online Services’ Risk Management Group, and Kore Koubourlis, senior director of compliance and privacy, work to meet the privacy requirements of business customers in the cloud. Click here to read the entire profile in a two-page PDF:

  • Microsoft Shares Cyber Threat Defense Strategies at NATO Symposium

    Matt Thomlinson, General Manager, Trustworthy Computing, Microsoft, writes on the Microsoft on the Issues Blog:

    Today, I spoke at NATO (North Atlantic Treaty Organization) during the Information Assurance Symposium 2011 on cybersecurity. I started by teeing up two important questions:

    · What techniques are attackers using?

    · What methods do we have at our disposal for defending against them?

    The good news is that organizations can be better protected than the headlines might lead us to believe—even in the face of malicious adversaries and targeted attacks.

    Four Points of Attack

    There are four areas that attackers focus on:

    · Finding Vulnerabilities. This encompasses vulnerabilities that are introduced while the product is being built. Attackers attempt to exploit vulnerabilities in hardware and software, including the operating system, applications and services.

    · Supply Chain, including product integration and delivery. Supply chain issues include attacks on product or service suppliers and subcontractors, malicious insiders and non-genuine products that could be tampered with in transit or during deployment to the customer.

    · Operational Security. Once the product is created and safely delivered to a customer’s hands, attackers analyze how it’s deployed, searching for weak spots in an organization’s operational security. This includes whether strong passwords are required and whether software updates and security patches are immediately applied, but also covers issues like whether the company has a process to vet new hires.

    · Social Engineering. As security improves in products and services, we see social engineering – tricking users – becoming the attack route of choice. Cyber attackers are adept at creating plausible e-mails that deliver malicious code, or posing as IT staff and asking users for passwords.

    Organizations can take concrete steps to enhance their security against all four areas of attack. In fact, they must do so to ensure there is no glaring “weakest link” that would allow an attacker to sidestep investment in other areas. Let’s take a look at how security can be enhanced at each of the four stages.

    Enhancing Security for Product Creation

    From the inception of a product at Microsoft, we apply rigorous processes and tools to reduce vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during development and has proven its ability to increase the security of software. We’ve made the SDL process and many of our tools available for others to use—check out http://microsoft.com/SDL.

    We also invest in mitigations so that even if a vulnerability is found, it is still difficult or impossible for an attacker to use. These mitigations, such as ASLR, included in Windows Vista, are built in and most are enabled by default. While you don’t notice them when using the computer, they take useful handholds away from attackers. The SDL requires that Microsoft products take advantage of mitigations to improve their resistance to attack.

    Finally, it’s important to apply software updates to quickly respond to issues and decrease the likelihood of an attack against that issue or vulnerability. We’ve worked hard to make updates timely, easy to install, reliable and complete.

    Enhancing Security for the Supply Chain

    Governments have become increasingly concerned that a sophisticated attacker could manipulate products during their development or delivery in order to undermine or disrupt government functions.

    We recently published two white papers on cyber supply chain risk management. The first white paper, Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, presents a set of key principles to enable governments and vendors to manage supply chain policies more effectively. The second paper, Toward a Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity, provides a framework for the pragmatic creation and assessment of Software Integrity risk management practices in the product development process and online services operations.

    Enhancing Operational Security

    Strong operational security and use of best practices are essential because attackers often focus on finding deployment issues such as unpatched or misconfigured computers, weak passwords, computers that unintentionally bridge the corporate network to the Internet, or unapproved file-sharing software that makes internal documents publicly available.

    Operational security can be enhanced by the use of best practices, including enforcing good security policies, aggressively updating software, monitoring your network for threats, employing defense-in-depth and ensuring your enterprise has incident response procedures.

    Enhancing Security against Social Engineering

    Social engineering attacks can be difficult to block because it’s hard to protect against the actions of a legitimate user. Education is a key part of defense. Organizations should raise awareness of these threats and provide training to help spot and prevent social engineering.

    Organizations can also protect users from their own actions by instituting best practices such as:

    · Use encryption. Encryption should be used to protect sensitive data, including drive encryption like BitLocker to secure data should a computer be stolen or simply lost.

    · Apply least privilege. Use least-privileged accounts and software restriction policies like AppLocker.

    Learn more about cybersecurity topics via the Microsoft Security blog.

  • The Week in Online Safety, September 26, 2011

    News
    Australia - Bullying, violence, revenge: the dangers of antisocial networking laid bare for children, Sydney Morning Herald, Sep. 23, 2011

    U.S. - In Small Towns, Gossip Moves to the Web, and Turns Vicious, The New York Times, Sep. 19, 2011 

    U.S. - Jamey Rodemeyer Suicide: Police Consider Criminal Bullying Charges, ABC News, Sep. 22, 2011 

    U.S. - Online predators adept at 'grooming' their targets, SI Live, Sep. 20, 2011 

    U.S. - Combatting cyber bullying and technology’s downside, The Washington Post, Sep. 21, 2011 

    Policy: Legislative, Regulatory, & Legal Developments
    U.S. - COPPA: What happens when a generation ignores a law?, Online Journalism Review, Sep. 20, 2011 

    U.S. - New Rules for Alcohol Companies to Advertise and Market on Social Networks, The Wall Street Journal, Sep. 20, 2011 

    U.S. – PA SB 850, Re-reported as amended, Sep. 26, 2011.  (Create the offense of cyberbullying and sexting by a minor if a minor transmits nude images with the intent to distress.) 

    Research
    U.S. - The Drama! Teen Conflict, Gossip, and Bullying in Networked Publics, Alice E. Marwick & danah boyd, Sep. 2011 

    U.S. - Account Deactivation and Content Removal: Guiding Principles for Companies, Berkman Center, Sep. 21, 2011 

    U.S. – Human trafficking online: the role of social networks and online classifieds, USC Annenberg Center, Sep. 18, 2011 

    U.K. - How video games blur real life boundaries and prompt thoughts of 'violent solutions', Daily Mail, Sep. 21, 2011 

    U.S. - Tormented teachers: How cyberbullying affects educators, OnlineSchools.com, Sep. 1, 2011 

    Advocates
    U.S. - Three Provocations about Parental Controls, Online Safety & Kids’ Privacy, Adam Thierer, Sep. 21, 2011 

    U.S. - Bullying as True Drama, Alice E. Marwick & danah boyd, Sep. 22, 2011 

    U.S. - Parents and Cell Phone Rules for Children and Teens, Sameer Hinduja, Sep. 19, 2011 

    E.U. - The Resource Catalogue September 2011 is online, inSafe, Sep. 21, 2011 

    U.S. - SafetyVillage.com is stealing content from SafeKids.com, SafeKids.com, Sep. 18, 2011 

    -- Compiled by David Burt, CISSP, CIPP

  • Microsoft on National Cyber Security Month: Everyone Must Do Their Part

    Jacqueline Beauchere, Director, Trustworthy Computing Communications, writes on the Microsoft on the Issues blog:

    October is National Cyber Security Awareness Month (NCSAM) in the U.S. and around the world. This year's official launch is taking place in Ypsilanti, Michigan to coincide with the Michigan Cyber Summit 2011.

    Department of Homeland Security (DHS) Secretary Janet Napolitano, White House Cybersecurity Coordinator Howard Schmidt, Michigan Governor Rick Snyder, other state officials, and I shared the stage just a few hours ago kicking off NCSAM 2011. I represented Microsoft, as well as the Board of Directors of the National Cyber Security Alliance, who are long-time sponsors of NCSAM and an important public-private partnership of which Microsoft is a founding member.

    This year's NCSAM theme, “Our Shared Responsibility,” refers to the ongoing work each of us can do to help secure our own piece of cyberspace—because when it comes to making the Internet safer, no individual, corporation or government entity is solely responsible. Moreover, individual acts and omissions can have a combined impact. When we exercise safer habits and practices, we help make the Web more secure for all. If each of us does our part, whether it be implementing stronger security, raising awareness of risks, or educating youth—together we can create a more resilient digital world.

    It all starts with STOP. THINK. CONNECT. (STC), a simple, action-oriented reminder for all of us to stay safer and more secure online. In fact, it was just one year ago that the White House, DHS and a public-private coalition launched STC in Seattle as part of NCSAM 2010. In short, STC means:

    STOP: Before going online, learn about the risks and how to avoid potential problems.

    THINK: Take a moment to check that the path ahead is clear. Watch for warning signs and consider how your actions (or inactions) might impact your safety or security or that of your family.

    CONNECT: Enjoy the Internet with increased confidence, knowing that you’ve taken some key steps to help safeguard yourself, your family, information and devices.

    At Microsoft, we refer to these efforts as fostering “digital citizenship,” and we promote and share this work globally. Specifically, we create and offer, free of charge, a host of resources on our consumer safety website. These include a series of STC videos, one of which was honored by the White House and DHS earlier this year. We also help spread the STC message via our social media properties on Facebook and YouTube.

    In the weeks to come, we will participate in other NCSAM events across the U.S., and hold our own forum in Washington, D.C., on October 27th. There, Trustworthy Computing will release new online safety research, as well as a toolkit of helpful resources for youth, parents, governments and educators.

    Join us in our digital citizenship efforts to help create a culture of online safety where everyone embraces this shared responsibility.