Monthly Archives: July 2014

UK to rush through “emergency” phone and internet data retention law

The UK is rushing through Parliament what it calls an emergency law that will ensure it retains access to people’s phone and internet records.

The BBC calls the rush job a “highly unusual move”, with the legislation set to take up a mere seven days, instead of the typical months-long consideration to which a bill would normally be subjected.

The Liberal Democrats (the smaller of the two political parties in the UK’s coalition government) had already successfully blocked plans for the earlier, similar, much-reviled Communications Data Bill – commonly known as the Snooper’s Charter.

The rush job for this new bill comes in response to the European Court of Justice (ECJ) having, in April, struck down an EU directive – the Data Retention Directive – that required telecoms to store the communications data of EU citizens for a minimum of six months and a maximum of two years.

That directive was introduced in 2006, after the London and Madrid bombings, to help fight organised crime and terrorism, but the ECJ ruled that it violated human rights.

The idea of the directive going away has been grating on the UK powers – particularly given that privacy advocates such as the Open Rights Group have recently been pushing service providers to start destroying data.

Prime Minister David Cameron, who has reportedly secured the backing of all three major parties for the “emergency” Data Retention and Investigatory Powers Bill, says that if the collected data is deleted or no longer collected, “criminals and terrorists” are going to be tougher to go after.

Cameron says the emergency law will also “clarify” police and security services’ powers to bug suspects’ phones when they’ve got a warrant issued by the home secretary.

Some companies are already turning down requests to hand over data, he told the BBC:

Some companies are already saying they can no longer work with us unless UK law is clarified immediately.

Maybe Cameron has all three parties backing him on this new iteration of the snooper’s charter, but he’s still outraged some MPs, who said on Thursday morning that they hadn’t even seen the bill yet.

Labour MP Tom Watson, for one, said on Twitter that the new law will be “railroaded” through parliament next week:

@tom_watson: Statement on Comms Data and Interception confirmed for this morning. MPs have not seen the Bill that will be railroaded through next week.

Meanwhile, privacy advocates are calling this so-called emergency a theatrical stunt.

Jim Killock, from the Open Rights Group, told the BBC that it’s neither terrorists nor paedophiles that have lit a fire under the government; rather, it’s the fact that groups like his are actually expecting telecoms to make good on the ECJ’s ruling:

The government knows that since the ECJ ruling, there is no legal basis for making internet service providers retain our data, so it is using the threat of terrorism as an excuse for getting this law passed.

The government has had since April to address the ECJ ruling but it is only now that organizations such as ORG are threatening legal action that this has become an ’emergency’.

The emergency bill addresses collection of metadata, which can potentially include the time, duration, location, originator and recipient of phone or internet messages.

It does not, Cameron stressed, include legal obligations for telecoms to preserve content.

The bill does, however, also cover “legal intercept” rules, for when authorities are empowered to listen in on conversations.

In those circumstances, snooping authorities need a warrant, signed by either the foreign secretary, the home secretary, the secretary of state for Northern Ireland, the defence secretary or the cabinet secretary for justice for Scotland.

The emergency law includes a sunset provision: it expires in 2016, at which point the government will have to look at it again.

Cameron stressed that the emergency bill isn’t granting powers that weren’t already there:

I want to be very clear that we are not introducing new powers or capabilities – that is not for this parliament. This is about restoring two vital measures ensuring that our law enforcement and intelligence agencies maintain the right tools to keep us all safe.

Nick Clegg, leader of the junior coalition Liberal Democrats party, said that the emergency bill is not just another snooper’s charter.

According to the Huffington Post, the differences between the old and new legislation are that the number of bodies able to obtain data from telecoms will be restricted, with some losing their access rights altogether and local councils having to go through a single central authority.

The law doesn’t deal with communications interception and monitoring done by the UK’s intelligence agency, GCHQ.

The bill also includes measures meant to increase transparency and oversight. Beyond the sunset clause and the increased government scrutiny it entails, these measures also include:

  • The creation of a new Privacy and Civil Liberties Oversight Board to scrutinise the impact of the law on privacy and civil liberties.
  • Annual government transparency reports on how these powers are used, similar to those put out by Facebook, Google, Yahoo and other companies.
  • The appointment of a senior former diplomat to lead discussions with the US government and internet firms to establish a new international agreement for sharing data between legal jurisdictions.
  • A restriction on the number of public bodies, including Royal Mail, able to ask for communications data under the Regulation of Investigatory Powers Act (RIPA).

In spite of the government’s reassurances about most people being safe from having the actual content of their communications spied on, metadata of course provides ample details about even innocent people.

The Washington Post’s recent analysis of the US National Security Agency (NSA)’s surveillance shows that clearly: the paper found that 9 of 10 spied-on account holders weren’t intended targets of surveillance but were still swept up in the net cast to catch somebody else.

As critics pointed out about the earlier snooper’s charter, the system could be abused by law enforcement agencies that could conduct fishing expeditions rather than targeted surveillance against specific individuals.

In fact, Sir Paul Kennedy, the Interception of Communications Commissioner, told MPs at the time the bill was drafted that the law would justify investigating criminal infractions as mild as fly tipping – i.e., illegal dumping – and that setting a “crime threshold” would be difficult.

Top political figures in the UK tried to revive the snooper’s charter about a year ago, with spectacularly bad timing: smack in the middle of the earliest Snowden revelations about US surveillance.

Now, they’ve scaled back in an attempt, apparently, just to hang on to the snooping powers that the ECJ decided were a violation of human rights.

Will the new bill present a more palatable approach to privacy? Will the wealth of data that the bill retains the right to amass still present an opportunity for the government to build profiles about individuals’ browsing or calling habits?

Will the amassed data still wind up in databases as a powerful lure for cybercrooks who might want to steal it so as to abuse private information or even to blackmail individuals – as in, we know when and how often you called so-and-so; what will you pay for that info not to get out?

Those were the objections to the snooper’s charter and the emergency bill is being given precious little time for those same concerns to be discussed.


Via: sophos

Microsoft’s new tool may revolutionize presentations: Office Mix

The PowerPoint add-on helps turn slideshows into interactive presentations with lots of bells and whistles.

For years, I’ve worked with tools for creating online presentations, including TechSmith’s Camtasia, Adobe’s Captivate, and Articulate’s Storyline. They do the job well, but they’re not easy for many people to use, much less master.

So I was intrigued by Microsoft’s new PowerPoint add-on, called Office Mix that debuted in a public beta in May. Although it’s touted as a “game-changer” for teachers (as evidenced by Microsoft’s example gallery of “mixes” created with the tool), I saw Office Mix as a potentially useful tool for every enterprise.

I decided to put the Office Mix preview to the test. The good news: Office Mix is super easy to work with.

Installing the add-on was simple enough, though it is available only for Windows PCs. You get the Mix ribbon added to your Ribbon bar. There’s also an easy-to-understand PowerPoint tutorial that walks you through the tool.

Office Mix lets you pull together a slide deck, audio, and video (imported, Web-linked, or recorded via your webcam). You can use different pen types and colors in the presentation, such as for highlighting. You can add a screen recording (aka screen capture or screencast), as well as quizzes (multiple choice and true/false) and polls. Each slide essentially becomes a multimedia collection of whatever you add to it.

I did think it odd that I couldn’t see my slide notes while recording; that would help users stay on script. PowerPoint has Presenter View to display notes while users are presenting, so why those notes aren’t available while recording in Office Mix is a perplexing omission.

Once you finish recording and adding all the elements, you can go back through your slide deck (which now contains the recorded elements) and adjust the placement and size of the video or re-record sections that didn’t capture smoothly. You can use PowerPoint’s audio/video trimming and fading tools after you record to make some adjustments. But these built-in PowerPoint tools are nowhere near as good as what Camtasia and other professional tools provide, so you’ll want clean takes for each slide, which means keep re-recording until you get them.

The best way to display a mix is from Microsoft’s Office Mix site, where it remains private unless you share it via links. Chrome for Windows and OS X, Firefox for Windows, Internet Explorer (for Windows), and Safari for OS X can display the mixes and use their interactive functionality. iOS and Android support for interactive mix features is planned, but for now you can only play mixes as videos on their mobile browsers. You can also export the whole thing to an MPEG-4 video for local playback on practically any device.

I like its interactive elements, but I wish Office Mix could produce mix files that retained the interactive elements included for use outside the supported browsers, such as in a learning management system (say, Moodle or a SCORM-compliant tool). Of course, Office Mix is still in beta, so we’ll see what Microsoft comes up with over time.

Office Mix is a good step forward for PowerPoint. It’ll make it easier for educators and business people of all stripes to create better training presentations. Let’s hope Microsoft deepens its capabilities before its formal release.


Via: infoworld

5 ways to speed up your Wi-Fi network

Say good-bye to sluggish performance with these easy tips.

Want to give your Wi-Fi network a quick speed boost? Then check out these five no-cost or low-cost ways to improve its performance.

Change your router’s channel

A frequent cause of network slowdowns is interference from household devices or nearby networks. Changing the channel your network uses can make a big difference. If you’ve got a 2.4 GHz router, channels 1, 6, and 11 are generally the best bets because they are the only three channels that do not overlap one another (2.4 GHz channels are spaced 5 MHz apart, but each signal is roughly 20 MHz wide). But even those might run into interference from nearby networks. So first run software that shows you the channels any nearby networks use, and how strong their signals are. The free NetStumbler does a good job on Windows machines. If you’ve got an Android device, WiFi Analyzer does the trick. After you see what channels nearby networks are running on, choose the least crowded channel for your own network.

If you have a dual-band 2.4 GHz and 5 GHz router, use 5 GHz wherever your devices support it: it has far more channels to choose from, and so is much less likely to suffer interference. For channel bandwidth, choose Auto or 20/40 MHz; that gives you the most bandwidth while staying compatible with all of your devices.
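The channel choice described above can be automated once you have a scan in hand. The block below is an added example in Go, not code from the original article or from any of the scanner tools it names: given constructed scan results of the kind WiFi Analyzer or NetStumbler report (SSID, channel, signal in dBm), it scores the three non-overlapping 2.4 GHz channels by how much neighbouring signal overlaps each and picks the quietest. The overlap model (a neighbour counts if it is within four channels, scaled by its distance and signal strength) is a heuristic of my own, not something the article specifies.

```go
package main

import (
	"fmt"
	"sort"
)

// Neighbor is one nearby 2.4 GHz network as a scanner reports it.
type Neighbor struct {
	SSID    string
	Channel int // 1..13
	RSSI    int // dBm: -40 is strong, -90 is barely there
}

// 2.4 GHz channels sit 5 MHz apart but a 20 MHz signal is about 22 MHz
// wide, so networks interfere unless their channel numbers differ by at
// least five. That is the reason 1, 6 and 11 are the non-overlapping trio.
const overlapSpan = 5

// weight converts RSSI into a rough interference weight (assumption:
// linear in dBm above -100, so -40 dBm counts 60 and -85 dBm counts 15).
func weight(rssi int) int {
	if w := rssi + 100; w > 0 {
		return w
	}
	return 0
}

// Congestion scores one candidate channel. Each neighbour closer than
// overlapSpan adds weight(RSSI) * (overlapSpan - distance): full weight
// on the same channel, one fifth of it four channels away, nothing beyond.
func Congestion(candidate int, nbrs []Neighbor) int {
	score := 0
	for _, n := range nbrs {
		d := n.Channel - candidate
		if d < 0 {
			d = -d
		}
		if d >= overlapSpan {
			continue // no spectral overlap, ignore
		}
		score += weight(n.RSSI) * (overlapSpan - d)
	}
	return score
}

// BestChannel picks the least congested of channels 1, 6 and 11 and also
// returns every candidate's score so the choice can be sanity-checked.
func BestChannel(nbrs []Neighbor) (int, map[int]int) {
	candidates := []int{1, 6, 11}
	scores := make(map[int]int, len(candidates))
	best := candidates[0]
	for _, c := range candidates {
		scores[c] = Congestion(c, nbrs)
		if scores[c] < scores[best] {
			best = c
		}
	}
	return best, scores
}

func main() {
	// Constructed scan results, not a real site survey.
	scan := []Neighbor{
		{"NextDoor", 1, -45},
		{"CoffeeShop", 3, -70},
		{"Upstairs", 6, -50},
		{"FarAway", 11, -88},
	}
	best, scores := BestChannel(scan)
	chans := make([]int, 0, len(scores))
	for c := range scores {
		chans = append(chans, c)
	}
	sort.Ints(chans)
	for _, c := range chans {
		fmt.Printf("channel %2d: congestion %d\n", c, scores[c])
	}
	fmt.Println("pick channel", best)
}
```

With the constructed scan, channel 1 scores 365 (a strong co-channel neighbour plus a partial overlap from channel 3), channel 6 scores 310, and channel 11 scores 60, so the script picks 11. The point worth noticing is that the network on channel 3 penalises both 1 and 6: a neighbour on an in-between channel is worse than one squarely on yours, because two stations on the same channel at least share the medium politely, whereas partial overlap is just noise.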

Update your firmware

Yes, I know this sounds like your mother’s advice to eat your broccoli, and you’ve heard it so many times you’ve tuned it out. But it works. Manufacturers regularly update router firmware, and the updates bring faster, more reliable performance, and usually security fixes as well. So check your documentation for how to update your router’s firmware. It’s easy to do, and it has a big payoff.

Properly locate your router

Moving a router to a different location can make a surprisingly big difference in network speed on your devices. Before moving your router, check network speeds on your devices using a service like SpeedTest. Then move it to different locations, running SpeedTest each time, until you find the best location.

Use repeaters and extenders

Repeaters, extenders, and add-on antennas are great ways to extend your network’s range to places in your house that currently get poor coverage. These devices generally cost under $50 and are relatively straightforward to set up. There are also powerline-to-Wi-Fi devices, such as the Linksys PLWK400, that use your home’s AC wiring to extend your wireless network’s reach. They’re particularly good for reaching difficult places like basements.

Use DD-WRT

If you’re willing to spend a little tech time, then consider entirely replacing your router’s firmware with the open source DD-WRT. It won’t work with all routers, and you are taking a chance by replacing your router’s firmware. But I’ve done it and the software has countless ways for improving your network’s performance. Before you do it, check the DD-WRT site carefully to make sure it works with your router, and follow instructions carefully.


Via: itworld

Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords

More evidence the Internet of things treats security as an afterthought.

Image credit: Context

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.

The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000.

According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed attackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network built on 6LoWPAN, a wireless specification layered on the IEEE 802.15.4 standard. The bulbs did encrypt the credentials with the Advanced Encryption Standard (AES), but under a single pre-shared key (and initialization vector) baked into every bulb’s firmware and never changed, so anyone who extracted the key from one bulb could decrypt the payload sent by any other.

“Armed with knowledge of the encryption algorithm, key, initialization vector, and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the Wi-Fi details, and decrypt the credentials, all without any prior authentication or alerting of our presence,” researchers from security consultancy Context wrote.

Image: BusBlaster JTAG debugger.

The post underscores the futility of relying on obscurity to prevent hacking attacks. Sadly, the approach, known as security through obscurity, underpins much of today’s Internet of things offerings. Version 1.1 of the LIFX firmware was not available for download, making it hard for researchers to reverse engineer it and uncover the types of crypto weaknesses that exposed the Wi-Fi credentials. The Context engineers found a way around this hurdle. They undertook the painstaking process of removing the microcontroller embedded inside each bulb and connecting its JTAG pins to debugging hardware to monitor the signals sent when lightbulbs were added to or removed from a network. “At this point we can merrily dump the flash memory from each of the chips and start the firmware reverse engineering process,” the researchers wrote.

To its credit, LIFX responded promptly to Context’s discovery. Version 1.3 of the firmware now encrypts all 6LoWPAN traffic using an encryption key derived from the Wi-Fi credentials. It also includes functions for secure processing when new bulbs join a network. But given its war chest of $1.7 million, it’s unfortunate the company didn’t catch the crypto weakness on its own before the bulbs reached the public. Software updates of any type are a hassle for many people, and firmware fixes are often even more difficult or risky.
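To make the weakness concrete, here is an added example in Go; it is not LIFX’s code and not from the Context write-up. It contrasts the broken design described above, one AES key and one IV shared by every bulb (the constants below are invented stand-ins for whatever was pulled from the firmware dump), with the repaired design the article describes, a key derived from the network’s own Wi-Fi credentials, here also using an authenticated mode (AES-GCM) with a fresh nonce per message. The hash-based derivation, the label string, and the choice of GCM are my assumptions; the page says only that version 1.3 derives the key from the Wi-Fi credentials, and how a brand-new bulb obtains that key when it joins is not described, so it is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// --- The broken design: one AES key and one IV shared by every bulb. ---
// These values are made up for the example; they stand in for whatever
// constants were recovered from the firmware dump. Anyone who pulls them
// from ONE bulb can decrypt the mesh traffic of EVERY network.
var (
	firmwareKey = []byte("0123456789abcdef") // 16 bytes = AES-128, same in all bulbs
	firmwareIV  = []byte("fedcba9876543210") // fixed IV: encryption is deterministic
)

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	out := make([]byte, len(b)+n)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// WeakSeal encrypts the Wi-Fi credentials the way the vulnerable firmware
// did: AES-CBC under the global key with a constant IV, no authentication.
func WeakSeal(creds []byte) []byte {
	block, _ := aes.NewCipher(firmwareKey) // 16-byte constant, cannot fail
	padded := pkcs7Pad(creds, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, firmwareIV).CryptBlocks(ct, padded)
	return ct
}

// WeakOpen is what the eavesdropper runs after dumping the constants from
// flash: no per-network secret is needed at all.
func WeakOpen(ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(firmwareKey)
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, firmwareIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// --- The repaired design: a key only members of this Wi-Fi network can
// compute, and an AEAD mode with a fresh nonce per message. ---

// DeriveNetworkKey turns the network's own credentials into a 256-bit mesh
// key. The labelled-hash construction is an illustration (assumption); the
// article only says LIFX derives the key from the Wi-Fi credentials.
func DeriveNetworkKey(ssid, psk string) []byte {
	h := sha256.New()
	h.Write([]byte("example-mesh-key-v1\x00"))
	h.Write([]byte(ssid))
	h.Write([]byte{0})
	h.Write([]byte(psk))
	return h.Sum(nil)
}

// Seal: AES-256-GCM with a random 96-bit nonce prepended to the output.
// The same plaintext twice gives different ciphertexts; tampering is detected.
func Seal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal; a wrong key or a modified byte yields an error,
// never silently wrong plaintext.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	creds := []byte("ssid=HomeNet;psk=correct horse battery staple") // constructed

	// 1. Global key + fixed IV: deterministic, and readable by anyone with the dump.
	a, b := WeakSeal(creds), WeakSeal(creds)
	fmt.Println("weak: two bulbs, identical ciphertext?", bytes.Equal(a, b))
	pt, _ := WeakOpen(a)
	fmt.Printf("weak: eavesdropper recovered %q\n", pt)

	// 2. Per-network key + AEAD: the eavesdropper holds no useful constant.
	netKey := DeriveNetworkKey("HomeNet", "correct horse battery staple")
	c, _ := Seal(netKey, creds)
	d, _ := Seal(netKey, creds)
	fmt.Println("fixed: two messages, identical ciphertext?", bytes.Equal(c, d))
	_, err := Open(DeriveNetworkKey("HomeNet", "wrong-guess"), c)
	fmt.Println("fixed: eavesdropper with a guessed key gets:", err)
	pt, _ = Open(netKey, c)
	fmt.Printf("fixed: member of the network recovers %q\n", pt)
}
```

Run it and the first half prints the same ciphertext for both bulbs followed by the recovered credentials; the second half prints different ciphertexts for the same message and an authentication failure for the guessed key. Two things to take from it: encrypting under a key that ships in every unit is equivalent to no encryption against anyone who has read one firmware image, and the fixed IV lets even a passive listener see which bulbs carry identical credentials, and replay a captured message, without decrypting anything.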

Marketers would have people believe they’re missing out unless their refrigerators, thermostats, and other traditional appliances are connected to the Internet. Yet over and over, these devices have been shown to introduce networking and privacy threats not present in non-networked iterations. Microsoft, Apple, and Google devote huge amounts of resources to ensuring their wares and services are secure. Manufacturers pursuing Internet of things riches would do well to apportion a similar percentage of their means to securing these devices.


Via: arstechnica

Microsoft Updates Azure With 2 New U.S. Regions, Improved Hybrid Storage Solution And More

Microsoft today announced a number of new features for its Azure cloud computing platform ahead of its Worldwide Partner Conference next week. There is quite a bit that’s new in this update, but the highlights are two new Azure regions for the U.S. (US Central in Iowa and US East 2 in Virginia) that will go live next week, as well as the launch of Microsoft’s newest Azure StorSimple hybrid storage arrays for enterprise customers.

Microsoft says bringing two new regions online will help it continue to double its Azure capacity every six to nine months. The company hasn’t yet announced which services will be available in these new regions or what the pricing will look like. There has always been a bit of disparity between Microsoft’s different data centers, but it’s probably a fair guess that its second Virginia data center will look a lot like its current one in the area, and the Iowa location will have slightly fewer services available and will be on par with the current US North Central and South Central locations. The two new regions will join Microsoft’s four existing regions in the U.S. later next week.



StorSimple is likely a somewhat obscure service for many, but Microsoft has long offered this storage solution for large enterprise customers like Mazda, SK Telecom and GF Health Products. The new 8000 series arrays are more powerful than Microsoft’s existing 5000 and 7000 series StorSimple arrays (hence the higher number). The twist here is that these new arrays can use Azure Storage as a hybrid cloud tier on top of the existing HDDs and SSDs in the system for capacity expansion and off-site data warehousing whenever necessary.

IT can manage all of this from a new dashboard that consolidates all of these features and allows administrators to control all of the storage and data management services included in the service.

Microsoft has long been betting that large enterprises will opt for hybrid cloud deployments for the time being. StorSimple 8000 handles the storage aspect of this for large enterprises, but businesses who don’t quite need the full power of the 8000 series can still opt for the 5000/7000 series, too.

As part of this focus on hybrid clouds, Microsoft also today announced that it will expand access to Azure through ExpressRoute – which allows for private connections between Azure and on-premises infrastructure – to six new locations around the world (up from the three in the U.S. and Europe that were available at launch).

But there is more: Azure’s Machine Learning service for big data modeling, which was announced earlier this year, will be available for public preview next week; the Azure Government Cloud is adding more partners and customer solutions; and the Azure Preview Portal – Microsoft’s new central management dashboard for all things Azure – is getting a number of new features, including support for Azure SQL Database.


Via: techcrunch

Flickr, OneDrive and messaging apps face disruptions in China

China could be targeting the products to suppress mention of pro-democracy protests in Hong Kong

A massive pro-democracy protest in Hong Kong may have prompted China’s censors to block several foreign Internet products, including messaging apps Line and KakaoTalk, and Microsoft’s OneDrive storage service.

The product outages began earlier, following a rally in Hong Kong that brought out half a million people on July 1. Line continues to investigate the access problems, but has yet to find the cause, a company spokeswoman said Friday.

The popular social networking app from Japan lets users send messages, photos, and make voice calls. But since the outages began on July 1, some users have been struggling to send and receive messages over the app.

Kakao, the company behind another mobile messaging product KakaoTalk, was also unsure what had caused the disruptions, a spokesman said. Users already registered with the app can still chat and make voice calls, but other features like adding new friends are no longer functioning.

On Friday, Microsoft said it was also investigating access problems with its OneDrive service in China. From Beijing, Microsoft’s OneDrive site was inaccessible.

In addition, Yahoo’s photo-sharing service Flickr has also been blocked. The company did not immediately respond for comment about the disruptions.

It’s unclear how many users each of the services have in China, but the blocking is likely tied to the political protests in Hong Kong, said censorship watchdog group GreatFire.org. Government censors probably targeted the products because of their photo-sharing functions, the group said in an email.

Lately, China has been stepping up its censorship of foreign Internet services. About a month ago, China appeared to have begun blocking all Google products, including its search engine.

The government has yet to publicly comment on the blocking of Google’s services, but it occurred just as the 25th anniversary of the 1989 pro-democracy Tiananmen Square protests approached. Later, in mid-June, China also appeared to start blocking the U.S. cloud storage provider Dropbox.

But even with the recent disruptions, local Chinese Internet users still have plenty of alternatives that follow the government’s strict rules on censorship. Baidu remains China’s largest search engine, and WeChat is the country’s biggest mobile messaging app, with close to 400 million monthly active users.

Still, some Chinese users are taking to the country’s social networking sites to complain. “We need Line,” wrote one user repeatedly on the company’s official account on Sina Weibo.


Via: itworld

The dos and don’ts of a good incident response plan

First up, there has to be a security incident plan. At ISSA UK we see plenty of organisations without any incident response plan at all in place, and that means they could find themselves over-exposed when a cyber security incident does happen.  

Without a proper incident response plan in place, what happens to such organisations is any or all of the following:

Gaffe 1: The wrong message goes out

The wrong people in the organisation push out the wrong message to the media. In particular I see many ill-thought-out responses from CEOs of breached organisations, thinking they know best. I cringe at statements like “the hackers used advanced techniques and simply were too clever for us” – it has immediate legal implications, is a public admission of liability, and does not paint the right picture of a responsible organisation to its customers.

Gaffe 2: Poor recovery times

Without a plan in place, organisations take longer to recover, period. Whether this is minutes, hours or days, who knows? However, if there is an incident response plan in place, then recovery time can be tested. Recovery times can be baselined and an organisation can confidently operate on a 99%+ uptime basis. I often find that organisations without an incident response plan do not have a business continuity plan either – or at least one that works.  

Gaffe 3: The wrong people are assigned the task

For the IT professional who loves fixing problems, firefighting and taking a reactive approach, creating an incident response plan and testing it is excruciatingly boring and time-consuming. What’s more, their fire-fighting job will distract them from formulating the right level of response in the first place. You need the right process-driven individual to help put this together. A business analyst would be a better choice than a security analyst, for example.

Gaffe 4: Incident plans purchased off the shelf

Incredibly, there is a huge market for off-the-shelf policy packs, and suppliers are making a killing. Companies can just download a complete information security governance framework and policy pack, do a find and replace, and voilà – they’re PCI DSS or ISO 27001-compliant. As a seasoned PCI DSS QSA and auditor, I can easily tell where most policy packs come from. Some companies even leave the vendor’s name on the policy pack, as some sort of warranty that they have bought the pack on a commercial basis, so it MUST be good.

Doing it properly

Hopefully that gives you an idea of what not to do and why incident and disaster response planning is absolutely critical in any business. Putting a plan together is not a quick task. All businesses are different, and my recommendations would be to loosely follow these steps:

  • Create an incident response team, available 24/7, to co-ordinate any cyber security or business continuity incident.
  • Train them. Get them used to the idea that incidents cost the company money, and why a consistent response is a must. If you can’t get at least one board member on the incident response team, then it’s not going to work. If the board needs convincing, give me a call!
  • Carry out business process analysis, and identify critical areas within your business. What sort of data security incident should trigger a response? Which systems, if down, would cause the company problems? What systems containing data should be monitored for signs of attack?
  • Put together a one-page response plan for all employees for when the shit hits the fan. Train them. Tell them why an effective and consistent response is so important.
  • Build specific incident response processes, defining how you want your staff to recover systems in the event of outage.
  • Build specific cyber security incident response processes, defining how you want your staff to contain incidents and recover compromised systems. Teach them how to image a system for later forensic analysis.
  • Once plans and processes have been released, test them. In practice. Pull plugs out. Install test malware on critical servers and see what happens. If that’s going to cause problems, then there’s immediate justification for a pre-production or test infrastructure so this can be done in a controlled manner. The point is, if you want to put a serious incident/disaster response programme in place, then realistic tests are a must. Don’t wait for a few blown power supplies or hackers to test things for you. If you’ve not looked at virtualisation yet, do so now – it’s disaster recovery in a box.
  • Fire everyone who thinks a reactive, fire-fighting approach is best for your business.

There is plenty of formal guidance around incident response – we have ISO 27001, PCI DSS, NIST, SANS et al – it’s all just guidance. It is not meant for cutting and pasting into your own incident response plans, although it will definitely give you food for thought and cover pretty much every eventuality. Read them and do your own research.  

If you are stuck, then hire in expert advice. I cannot stress enough the importance of getting these plans right.


Via: computerweekly

P.F. Chang’s confirms breach in credit card data

Customers should be vigilant about checking their credit card and bank statements.

P.F. Chang’s China Bistro said last month that there had been a breach involving data from customers’ credit and debit cards used at its restaurants, confirming a report out earlier this week.

After learning of the breach, the company “initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised,” P.F. Chang’s CEO Rick Federico said in a statement.

He said the company has created a website, pfchangs.com/security, for customers to receive updates and answers to their questions, and it has moved to a manual credit card imprinting system.

Federico said the company is encouraging its patrons “to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company. We sincerely regret the inconvenience and concern this may cause for our guests.”

The Scottsdale, Ariz.-based restaurant chain has 211 P.F. Chang’s locations in the USA and 192 Pei Wei Asian Diner restaurants.

The initial report on the breach came from cybersecurity blogger Brian Krebs, who has uncovered previous data breaches at retailers such as Target.

His website, KrebsOnSecurity, said customer data from thousands of credit and debit cards previously used at P.F. Chang’s restaurants went up for sale on an underground store best known for selling data from tens of millions of cards stolen in the Target breach.

Krebs reported he contacted banking sources who said the cards had been used at P.F. Chang’s locations from the beginning of March 2014 to May 19, 2014.

KrebsOnSecurity.com said the most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and “planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines.”

Once they get the data, thieves can re-encode it onto new counterfeit cards and use them to buy expensive goods that can be resold for cash, KrebsOnSecurity reported.

“The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems,” it said.
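Checking whether that kind of data is sitting on a system is a routine detection task, and a RAM scraper hunts for exactly the same pattern a defender does. The block below is an added example in Go, not from the article, from KrebsOnSecurity, or from any forensic tool: it scans a constructed byte buffer (standing in for a process memory dump, a pagefile, or a suspicious log) for track-1 and track-2 magnetic-stripe records using the ISO/IEC 7813 sentinels, discards digit runs that fail the Luhn check, and masks the PAN in its report so the findings file is not itself a new leak. The constructed dump uses the widely published 4111 1111 1111 1111 test PAN and an invented cardholder name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Track 2: ;PAN=YYMMSSS<discretionary>?   Track 1: %BPAN^NAME^YYMMSSS...?
// Sentinels and field layout per ISO/IEC 7813: PAN 13-19 digits,
// expiry YYMM, three-digit service code.
var (
	track2 = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})\d*\?`)
	track1 = regexp.MustCompile(`%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?`)
)

// Finding is one card record located in the buffer, PAN already masked.
type Finding struct {
	Track  int
	Offset int
	PAN    string // first six and last four digits kept, rest starred
	Expiry string // YYMM
	Name   string // track 1 only
}

// Luhn reports whether a digit string passes the ISO/IEC 7812 check digit
// test, which weeds out most random digit runs that merely look like a PAN.
func Luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanTrackData walks a buffer and returns every Luhn-valid track-1 or
// track-2 record it contains, in track-2-then-track-1 order.
func ScanTrackData(buf []byte) []Finding {
	var out []Finding
	for _, m := range track2.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		if Luhn(pan) {
			out = append(out, Finding{Track: 2, Offset: m[0], PAN: mask(pan),
				Expiry: string(buf[m[4]:m[5]])})
		}
	}
	for _, m := range track1.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		if Luhn(pan) {
			out = append(out, Finding{Track: 1, Offset: m[0], PAN: mask(pan),
				Expiry: string(buf[m[6]:m[7]]), Name: string(buf[m[4]:m[5]])})
		}
	}
	return out
}

func main() {
	// Constructed buffer: a track-2 record and a track-1 record using the
	// 4111... test PAN (passes Luhn), plus a look-alike decoy that does not.
	dump := []byte("\x00\x00POS v3.1 txn log\x00" +
		";4111111111111111=25121011234567890?\x00garbage" +
		"%B4111111111111111^DOE/JANE^2512101000000?\x00" +
		";1234567890123456=2512101?\x00")
	for _, f := range ScanTrackData(dump) {
		fmt.Printf("track %d at offset %d: pan=%s exp=%s name=%q\n",
			f.Track, f.Offset, f.PAN, f.Expiry, f.Name)
	}
}
```

On the constructed dump this reports two findings, both with the PAN shown as 411111******1111, and ignores the decoy record whose digits fail the Luhn check. In practice you would point ScanTrackData at memory dumps of the register process, at files under the POS application’s directory, and at anything the software writes to disk or sends off-host; track data that appears anywhere other than the moment of the swipe, or travelling anywhere other than to the payment processor, is the signature of the RAM-scraper breaches the article lists.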


Via: usatoday

InfoSec Skills launches cyber security skills program

The National Crime Agency, GCHQ and InfoSec Skills Ltd are embarking on a new scheme to help close the national ‘skills gap’ in information security.

Together they have produced an ISM Skills Draft, which opened to the UK public yesterday. It will train Britain’s top information security talent and offer them the chance to compete at the Cyber Security Challenge Masterclass, where contenders will fight against a cyber-terrorist group. The best performers will then be offered more than £8,500 (around $14,000) of free e-learning training programmes.

In May, the Cyber Security Challenge had also launched its 2014/2015 programme of online and face-to-face cyber games aimed at inspiring the most gifted British security amateurs. The latest ISM Skills Draft project is designed to find a mixture of talent, including potential information security managers.

The InfoSec Skills ISM Skills Draft is based on a set of the real BCS (the Chartered Institute of IT) examinations. The most successful candidate in all four of the challenges will win a five day eLearning course of their choice and an entry to one of the Challenge’s face-to-face cyber battles whereby the winning group of online defenders will be selected to enter the master-class final next year.

InfoSec Skills Ltd CEO Terry Neal said that the aim of the Skills Draft Assessment is for candidates to hopefully see “how broad information security really is and that it’s not just deep technical skills that are required by the UK cyber security industry”.

He added: “If you can combine a passion for security with commercial business and management savviness you can be a massive asset to the profession.”


Via: scmagazineuk

Google accused of censorship as it struggles with takedown requests

Google has come under fire over some of the search links it is removing in Europe as it struggles to cope with the high volume of requests from Europeans exercising their right to be forgotten.

In May, the European Court of Justice (ECJ) upheld that right by ordering Google to remove search links to a 15-year-old newspaper article about a Spanish man’s bankruptcy.

The court ruled that an individual could demand that “irrelevant or outdated” information be deleted from search results.

Google started acting on takedown requests towards the end of June 2014, but has admitted “teething problems” as it struggles to deal with more than 70,000 requests, according to the Guardian newspaper.

The search firm was inundated with more than 41,000 takedown requests within four days of the ruling. Although the numbers have tapered off, the company is still receiving around 1,000 requests every day.

UK news organizations have been critical of some of Google’s decisions, accusing the company of press censorship for removing a string of name-based links from European search results.

The Guardian, the Daily Mail and BBC have accused Google of being too hasty in removing searches on specific names for information that is not “inaccurate, irrelevant or outdated” as required by the ECJ ruling.

Certain links have been removed then reinstated, which critics said casts doubt on the abilities of the team of paralegals hired by Google to evaluate and approve or reject takedown requests.

A Guardian News & Media spokesperson said: “We are always concerned about any attempts to block access to our content.

“The recent ECJ judgment requires Google to deal with these requests on a case-by-case basis, so their current approach appears to be an overly broad interpretation.

“If the purpose of the judgment is not to enable censorship of publishers by the back door, then we’d encourage Google to be transparent about the criteria it is using to make these decisions, and how publishers can challenge them.”

Julia Powles, a law researcher at Cambridge University, said: “We need much more information from Google about how it is prioritizing complaints, as well as how its internal decision-makers are trained and what principles they are applying.”

A Google spokesperson said: “We have recently started taking action on the removals requests we’ve received after the European Court of Justice decision. This is a new and evolving process for us. We’ll continue to listen to feedback and will also work with data protection authorities and others as we comply with the ruling.” 


Via: computerweekly