Internet News

The BBC writes:

A few weeks before a major change to the way in which UK viewers access online pornography, neither the government nor the appointed regulator has been able to provide details to the BBC about how it will work.

From April 2018, people accessing porn sites will have to prove they are aged 18 or over.

Both bodies said more information would be available soon.

The British Board of Film Classification (BBFC) was named by parliament as the regulator in December 2017. (But wasn't actually appointed until 21st February 2018. However the BBFC has been working on its censorship procedures for many months already but has refused to speak about this until formally appointed).

The porn industry has been left to develop its own age verification tools.

Prof Alan Woodward, cybersecurity expert at Surrey University, told the BBC this presented porn sites with a dilemma - needing to comply with the regulation but not wanting to make it difficult for their customers to access content. I can't imagine many porn-site visitors will be happy uploading copies of passports and driving licences to such a site. And, the site operators know that.

The conservative US news website, the Daily Caller, has revealed that Google has recruited several social justice organisations to assist in the censorship of videos on YouTube.

The Daily Caller notes:

The Southern Poverty Law Center is assisting YouTube in policing content on their platform. The left-wing nonprofit -- which has more recently come under fire for labeling legitimate conservative organizations as hate groups -- is one of the more than 100 nongovernment organizations (NGOs) and government agencies in YouTube's Trusted Flaggers program.

The SPLC and other program members help police YouTube for extremist content, ranging from so-called hate speech to terrorist recruiting videos.

All of the groups in the program have confidentiality agreements. A handful of YouTube's Trusted Flaggers, including the Anti-Defamation League and No Hate Speech, a European organization, have gone public with their participation in the program. The vast majority of the groups in the program have remained hidden behind their confidentiality agreements.

YouTube public policy director Juniper Downs said the third-party groups work closely with YouTube's employees to crack down on extremist content in two ways:

First, the flaggers are equipped with digital tools allowing them to mass flag content for review by YouTube personnel. Second, the partner groups act as guides to YouTube's content monitors and engineers designing the algorithms policing the video platform but may lack the expertise needed to tackle a given subject.

We work with over 100 organizations as part of our Trusted Flagger program and we value the expertise these organizations bring to flagging content for review. All trusted flaggers attend a YouTube training to learn about our policies and enforcement processes. Videos flagged by trusted flaggers are reviewed by YouTube content moderators according to YouTube's Community Guidelines. Content flagged by trusted flaggers is not automatically removed or subject to any differential policies than content flagged from other users.

Last week, the European Parliament's MEP in charge of overhauling the EU's copyright laws did a U-turn on his predecessor's position. Axel Voss is charged with making the EU's copyright laws fit for the Internet Age, yet in a staggering disregard for advice from all quarters, he decided to include a obligation on websites to automatically filter content.

Article 13 sets out how online platforms should manage user-uploaded content appears to have the most dangerous implications for fundamental rights. Never mind that the new Article 13 proposal runs directly contrary to an existing EU law -- the eCommerce Directive - which prohibits member states from imposing general monitoring obligations on hosting providers.

Six countries -- Belgium, the Czech Republic, Finland, Hungary, Ireland, and the Netherlands -- sought advice from the Council's Legal Service last July, asked specifically if the standalone measure/obligation as currently proposed under Article 13 [would] be compatible with the Charter of Human Rights and queried are the proposed measures justified and proportionate? But this does not seem to have been addressed.

The aim of the rule, which is in line with the European Commission's proposals more than a year ago, is to strengthen the music industry in negotiations with the likes of YouTube, Dailymotion, etc. Under Voss' revised Article 13, websites and apps that allow users to upload content must acquire copyright licenses for EVERYTHING, something that is in practice impossible. If they cannot, those platforms must filter all user-uploaded content.

The truth is that this latest copyright law proposal favors the rights-holders above anyone else. And we though MEPs represented the people.

Today, most web browsers have private-browsing modes, in which they temporarily desist from recording the user's browsing history.

But data accessed during private browsing sessions can still end up tucked away in a computer's memory, where a sufficiently motivated attacker could retrieve it.

This week, at the Network and Distributed Systems Security Symposium, researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) and Harvard University presented a paper describing a new system, dubbed Veil, that makes private browsing more private.

Veil would provide added protections to people using shared computers in offices, hotel business centers, or university computing centers, and it can be used in conjunction with existing private-browsing systems and with anonymity networks such as Tor, which was designed to protect the identity of web users living under repressive regimes.

"Veil was motivated by all this research that was done previously in the security community that said, 'Private-browsing modes are leaky -- Here are 10 different ways that they leak,'" says Frank Wang, an MIT graduate student in electrical engineering and computer science and first author on the paper. "We asked, 'What is the fundamental problem?' And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser's best effort is, it still collects it. We might as well not collect that information in the first place."

Wang is joined on the paper by his two thesis advisors: Nickolai Zeldovich, an associate professor of electrical engineering and computer science at MIT, and James Mickens , an associate professor of computer science at Harvard.

Shell game

With existing private-browsing sessions, Wang explains, a browser will retrieve data much as it always does and load it into memory. When the session is over, it attempts to erase whatever it retrieved.

But in today's computers, memory management is a complex process, with data continuously moving around between different cores (processing units) and caches (local, high-speed memory banks). When memory banks fill up, the operating system might transfer data to the computer's hard drive, where it could remain for days, even after it's no longer being used.

Generally, a browser won't know where the data it downloaded has ended up. Even if it did, it wouldn't necessarily have authorization from the operating system to delete it.

Veil gets around this problem by ensuring that any data the browser loads into memory remains encrypted until it's actually displayed on-screen. Rather than typing a URL into the browser's address bar, the Veil user goes to the Veil website and enters the URL there. A special server -- which the researchers call a blinding server -- transmits a version of the requested page that's been translated into the Veil format.

The Veil page looks like an ordinary webpage: Any browser can load it. But embedded in the page is a bit of code -- much like the embedded code that would, say, run a video or display a list of recent headlines in an ordinary page -- that executes a decryption algorithm. The data associated with the page is unintelligible until it passes through that algorithm.

Decoys

Once the data is decrypted, it will need to be loaded in memory for as long as it's displayed on-screen. That type of temporarily stored data is less likely to be traceable after the browser session is over. But to further confound would-be attackers, Veil includes a few other security features.

One is that the blinding servers randomly add a bunch of meaningless code to every page they serve. That code doesn't affect the way a page looks to the user, but it drastically changes the appearance of the underlying source file. No two transmissions of a page served by a blinding sever look alike, and an adversary who managed to recover a few stray snippets of decrypted code after a Veil session probably wouldn't be able to determine what page the user had visited.

If the combination of run-time decryption and code obfuscation doesn't give the user an adequate sense of security, Veil offers an even harder-to-hack option. With this option, the blinding server opens the requested page itself and takes a picture of it. Only the picture is sent to the Veil user, so no executable code ever ends up in the user's computer. If the user clicks on some part of the image, the browser records the location of the click and sends it to the blinding server, which processes it and returns an image of the updated page.

The back end

Veil does, of course, require web developers to create Veil versions of their sites. But Wang and his colleagues have designed a compiler that performs this conversion automatically. The prototype of the compiler even uploads the converted site to a blinding server. The developer simply feeds the existing content for his or her site to the compiler.

A slightly more demanding requirement is the maintenance of the blinding servers. These could be hosted by either a network of private volunteers or a for-profit company. But site managers may wish to host Veil-enabled versions of their sites themselves. For web services that already emphasize the privacy protections they afford their customers, the added protections provided by Veil could offer a competitive advantage.

"Veil attempts to provide a private browsing mode without relying on browsers," says Taesoo Kim, an assistant professor of computer science at Georgia Tech, who was not involved in the research. "Even if end users didn't explicitly enable the private browsing mode, they still can get benefits from Veil-enabled websites. Veil aims to be practical -- it doesn't require any modification on the browser side -- and to be stronger -- taking care of other corner cases that browsers do not have full control of."