Cyber Week in Review: June 19, 2015

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

• The Electronic Frontier Foundation published its annual "Who Has Your Back?" report, which assesses twenty-four tech companies’ commitment to user privacy and transparency. Yahoo, WordPress, Dropbox, Apple, Adobe, and Wikimedia got top marks. The report takes aim at WhatsApp and AT&T for failing to disclose government demands that affect users directly and for subpar data retention policies. The report caps off a bad week for AT&T, which was slapped with a $100 million fine by the Federal Communications Commission for throttling their wireless customers’ unlimited data plans. Despite praising some companies, the EFF affirmed, "We think it’s time to expect more from Silicon Valley.”

• As legislators start looking into the vulnerabilities that enabled hackers to exfiltrate the personal data of millions of federal government employees from the systems of the Office of Personnel Management (OPM), it’s become clear that a history of bad security practices made the hackers’ job simpler. While the agency’s systems were too old to be encrypted, even encryption wouldn’t have mattered if the hackers had been able to gain access to login credentials through social engineering. Making matters worse, according to a consultant who worked with OPM, some of their system administrators with root access were based overseas, including one in China. OPM isn’t the only one to blame. Ars Technica reports that a lack of funding and oversight from Congress directly led to many of the vulnerabilities that made the breach possible. And although there may be good evidence that the attack was perpetrated by state-backed hackers, the Obama administration’s restrained response—not pinning the attack on the Chinese government—may be aimed at establishing clear international norms on cyberspace.
• The Canadian government’s networks were flooded with junk traffic this week,  rendering federal government domains inaccessible for hours and intermittently shutting down government email access. Anonymous has claimed responsibility for the distributed denial of service attack (DDoS), saying that they were protesting the government’s new controversial anti-terrorism legislation. The incident probably made for some interesting small talk during the Canada-Mexico-United States cyber talks that took place this week.

• Although two weeks have elapsed since Der Spiegel identified Russian hackers as the likely source of an attack on the Bundestag, concern about cyber threats on German networks seems to be growing, especially after discovery of malware on Angela Merkel’s parliamentary computer. Hans-Georg Maassen, chief of Germany’s domestic intelligence service, suggested that Russian spies could be capable of such an attack, though he avoided any specific attribution. Unsurprisingly, the Kremlin has rejected any claim that Russians could be behind recent attacks.

• The California Labor Commission ruled this week that a San Francisco Uber driver ought to be considered an employee rather than an independent contractor. While mainstream coverage of the ruling has hailed it as the end of Uber, several commentators make clear that this decision does not necessarily set a precedent. Re/code reports that "contrary to some of the breathless coverage, this is a minor ruling that applies to only one person." While UC Hastings law professor Reuel Schiller agreed in part, he also explains how the decision exposes a vulnerability of a company that has effectively used technology to crowdsource transportation. Above all, the case illustrates the regulatory hurdles Uber confronts in its attempt to expand internationally while simultaneously rejecting many of the guidelines imposed upon taxi drivers.

• In case you missed it, we launched our second Cyber Brief this week. You can find it here.