EU wants to regulate WhatsApp and Skype like carriers

Internet-based communications services such as Skype, WhatsApp, Facebook Messenger, Google Duo, Apple iMessage, or Viber offer a host of advantages over the old-fashioned telephone — including, for their operators, exemption from the European Union’s strict telecommunications privacy rules.
The European Commission wants to change that, and on Tuesday proposed new legislation to protect consumers’ online privacy.
The move is no surprise: An early draft of the Proposal for a Regulation on Privacy and Electronic Communications leaked in December.
Smartphone apps such as Skype and WhatsApp replicate the voice calling and text-messaging features of older phones, but don’t fall under existing EU communications privacy legislation because they are data services that run over the top of an internet connection, rather than native functions of the network like phone calls and SMS. The current rules were written in 2002, before smartphones became widely available. 
The Commission is seeking to level the playing field by bringing such apps under the same regulatory umbrella.
The draft legislation also seeks to simplify the rules on tracking citizens’ browsing activities enshrined in the so-called Cookie Directive. That law, introduced in 2009, resulted in websites displaying a banner to visitors from the EU asking them if they would allow a cookie to be placed in their browser — even though most browsers already offer a way for users to indicate, site by site or globally, whether they will accept such cookies or not.
The new regulation will allow website operators to rely on browser preferences as an expression of users’ willingness to accept cookies, and will give traditional telecommunications operators greater scope to analyze call metadata, the better to compete with over-the-top service providers.
“It provides a high level of protection for consumers, while allowing businesses to innovate,” said Andrus Ansip, Commission Vice-President for the Digital Single Market.
The Internet Advertising Board U.K. said Tuesday that the proposal was an improvement on the draft leaked in December, but still imposed too many restrictions on online advertising.
“A number of areas in the proposal … could not only seriously disrupt people’s browsing experience but effectively put the future of the web as we know at danger, with considerable knock-on effects on media pluralism and digital inclusion,” warned IABUK head of policy and regulatory affairs Yves Schwarzbart.

Peter Sayer covers European public policy, artificial intelligence, the blockchain, and other technology breaking news for the IDG News Service.



Better authentication: Go get 'em, FIDO

Only a handful of industry associations accomplish what they set out to do. In the security realm, I’ve always been a huge fan of the Trusted Computing Group. It’s one of the few vendor organizations that truly makes computers more secure in a holistic manner.
The Fast Identity Online (FIDO) Alliance is another group with lots of vendor participation that’s making headway in computer security. Formed in 2012, FIDO focuses on strong authentication, moving the online world past less secure password logons and emphasizing safer browsers and security devices when accessing websites, web services, and cloud offerings. Its mission statement includes the words “open standards,” “interoperable,” and “scalable”—and the organization is actually doing it. Better, FIDO wants to do this in a way that’s so easy, users actually want to use the methods and devices.
All FIDO authentication methods use public/private key cryptography, which makes them highly resistant to credential phishing and man-in-the-middle attacks. Currently, FIDO has two authentication-specification mechanisms: Universal Authentication Framework (UAF), a “passwordless” method, and Universal Second Factor (U2F), a two-factor authentication (2FA) method. The last method may involve a password, which can be noncomplex, because the additional factor ensures the overall strength. FIDO authentication must be supported by your device or browser, along with the authenticating site or service.
With UAF, the user registers their device with the participating site or service and chooses to implement an authentication factor, such as PIN or biometric ID. When connecting to the site or service, or conducting a transaction that requires strong authentication, the device performs local authentication (verifying the PIN or biometric identity) and passes along the success or failure to the remote site or service. With U2F, an additional security device (a cellphone, USB dongle, or so on) is used as the second factor after the password or PIN has been provided.
The public/private key cryptography used behind the scenes is very reminiscent of TLS negotiations. Both the server and the client have a private/public key pair, and they only share the public key with each other to facilitate authentication over a protected transmission method. The web server’s public key is used to send randomly created “challenge” information back and forth between the server and client. The client’s private key never leaves the client device and can be used only when the user physically interacts with the device.

FIDO authentication goes much further than traditional TLS. It links “registered” devices to their users and those devices to the eventual websites or services. Traditional TLS only guarantees server authentication to the client. One authentication device can be linked to many (or all) websites and services. A nice graphical overview of the FIDO authentication process can be found here.
Google Security Keys
Google recently touted the success of its physical, FIDO-enabled “Security Keys” in a new whitepaper. Google’s Security Keys are supported in the Chrome browser (using JavaScript APIs) and by Google’s online services.
Several vendors make the physical, tamperproof Security Keys. The versions touted in the paper are small, USB-enabled dongles with touch-sensitive capacitors that act as the second factor. Each dongle has a unique device ID, which is registered to the user on each participating website. The public key cryptography is Elliptic Curve Cryptography (ECC), with 256-bit keys (aka ECDSA_P256) and SHA-256 for signing.
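To make the challenge/response and per-site registration described above concrete, here is an added Go sketch (not code from the column, from FIDO, or from Google) that models a U2F-style key: one P-256 key pair per origin, a private key that never leaves the device, an ECDSA/SHA-256 signature over the server’s challenge, and the relying party’s verification. The origin strings are placeholders and the layout of the signed data is a simplified stand-in for the real U2F format; what it shows is why a challenge relayed through a phishing origin does not verify at the genuine site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a U2F security key: one P-256 key pair per registered
// origin (appID); the private keys never leave it. Simplified, not the U2F wire format.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // increments on every signature; a cloned key would fall behind
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a key pair for appID; the relying party stores the public key (one key per site).
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = k
	return &k.PublicKey, nil
}
// signedData is what the ECDSA signature covers: SHA-256(appID) || counter || challenge.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	ah := sha256.Sum256([]byte(appID))
	c := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	h := sha256.Sum256(append(append(ah[:], c...), challenge...))
	return h[:]
}

// Sign answers a challenge. The browser supplies appID from the page origin, so a
// challenge relayed through a phishing site is signed over the phishing origin.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, bool) {
	k, found := a.keys[appID]
	if !found {
		return 0, nil, false // never registered with this origin
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedData(appID, a.counter, challenge))
	return a.counter, sig, err == nil
}
// Verify is the relying party's check against the registered public key.
func Verify(pub *ecdsa.PublicKey, appID string, counter uint32, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, counter, challenge), sig)
}
```

A real relying party would also reject a counter that does not exceed the last one it saw for that key, which is how a cloned authenticator is detected.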
Google tested its Security Keys by giving them to more than 50,000 employees and made them an option for Google online service customers. Google’s results? Zero successful phishing, faster authentication, and lower support costs—can’t beat that. The only negative was the one-time purchase cost of the devices, although Google says consumers should be able to buy Security Key devices for as little as $6 each. That’s not bad for greater peace of mind.
FIDO updates
FIDO recently announced the 1.1 version of its specification. It includes support for Bluetooth Low Energy, smartcards, and near-field communications (NFC). FIDO authentication can already be used by more than 1.5 billion user accounts, including through Dropbox, GitHub, PayPal, Bank of America, NTT DoCoMo, and Salesforce. Six of the top 10 mobile handset vendors already support FIDO, at least on some devices; mobile wallet vendors say they will participate as well.
The 2.0 version of the FIDO specification is already in the works. FIDO 2.0 is partitioned into two parts: the Web Authentication Spec, which is now in the W3C Web Authentication working group; and the remaining parts, including remote device authentication—which should allow you, for example, to unlock your workstation with your cellphone.
Reducing the use of stolen credentials takes a big bite out of online crime. I can only hope that the web continues to adopt the FIDO authentication standards as fast as possible. After years of previous attempts at similar initiatives, this one looks poised for broad success.