Differential privacy, according to Google, is a privacy-enhancing technology (PET) that “allows for analysis of datasets in a privacy-preserving way to help ensure individual information is never revealed.” This enables researchers or analysts to study a dataset without accessing personal data. 

Google claims that its implementation of differential privacy is the largest in the world, spanning nearly three billion devices. As such, Google has invested heavily in providing access to its differential privacy technologies over the last several years. For instance, in 2019, it open sourced its first differential privacy library, and in 2021, it open sourced its Fully Homomorphic Encryption transpiler.

In the years since, the company has also worked to expand the languages its libraries are available in, which is the basis for today’s news. 

The new library, PipelineDP4j, enables developers to execute highly parallelizable computations in Java, which reduces the barrier to differential privacy for Java developers, Google explained.

“With the addition of this JVM release, we now cover some of the most popular developer languages – Python, Java, Go, and C++ – potentially reaching more than half of all developers worldwide,” Miguel Guevara, product manager on the privacy team at Google, wrote in a blog post.

The company also announced that it is releasing another library, DP-Auditorium, that can audit differential privacy algorithms. 

According to Google, two key steps are needed to effectively test differential privacy: evaluating the privacy guarantee over a fixed dataset and finding the “worst-case” privacy guarantee in a dataset. DP-Auditorium provides tools for both of those steps in a flexible interface. 

It uses samples from the differential privacy mechanism itself and doesn’t need access to the application’s internal properties, Google explained. 

“We’ll continue to build on our long-standing investment in PETs and commitment to helping developers and researchers securely process and protect user data and privacy,” Guevara concluded. 

The post Google open sources Java-based differential privacy library appeared first on SD Times.

Google is now announcing the forthcoming phase of features, tools, and updates that have been developed to maintain the platform’s safety and reliability.

In the App content page in Google Play Console, Google plans to “show not just existing declarations, but also upcoming declaration requirements and deadlines to give users more time to plan,” Jacqueline Hart, director of trusted experiences for Developer Enablement at Google, wrote in a blog post. 

A new notification feature on the Google Play SDK Index is being provided to assist users in making informed decisions regarding SDK versions and potential policy violations on Google Play. 

Additionally, in an upcoming update, users will have access to this crucial information directly within Play Console. Unlike the previous method of receiving notifications through Inbox messages or email, users will now find this information on the Policy status page, enabling them to conveniently track any policy-related issues in one centralized location and stay informed about their app’s policy compliance status.

Google has also simplified the process of determining if an app complies with Target API requirements on the latest Android versions, which is necessary for accessing security updates and platform enhancements. Since early August, users have been provided with information regarding their app’s potential compliance issues on the Policy status page, along with resources for guidance.

To offer additional support, two new initiatives are being introduced. First, the Developer Help Community will provide a platform for developers to seek advice and discuss topics related to Play Console and policy changes with their peers. 

Second, the Google Play Strike Removal program, which was initially launched as a pilot program, will now be available to all developers. This program enables eligible developers to have certain enforcement strikes removed upon completing a related Play Academy training course, and it has been successful in reducing repeat violations.

Additional details are available here.

The post Google Play updated with new features to keep users safer appeared first on SD Times.

Developers will now be required to provide a D-U-N-S number when creating a developer account in the Play Console. D-U-N-S numbers are unique numbers provided by Dun & Bradstreet that are commonly used in verifying businesses. 

Google is also renaming the “Contact details” section in store listings to “App support.” In App Support there will be a new section labeled “About the developer” where end users can learn more about the developer of the app they are downloading. Developers can choose to show information like their website or support phone number.  

These new requirements will be in effect starting August 31 for anyone new that is creating Play Console accounts. 

The company is also trying to allow new ways for developers to incorporate blockchain-based content in their apps while still protecting users. 

Any developer including that sort of content in their app must now clearly disclose this and aren’t allowed to use language that would “promote or glamorize any potential earning from playing or trading activities.”

Developers also can offer NFTs where the value isn’t clear at time of purchase, such as with a loot box that contains randomized prizes. 

“We will continue to engage with developers to understand their challenges and opportunities — and how we can best support them in building sustainable businesses using blockchain technology. As a next step, we’re talking to industry partners about further improving our support of blockchain-based app experiences, including in areas such as secondary markets,” Joseph Mills, group product manager for Google Play, wrote in a blog post.

The post Google Play adds new developer verification requirements appeared first on SD Times.

Named Sentra ChatDLP Anonymizer, the new feature helps minimize vulnerability around this critical personal data and helps companies ensure compliance with privacy frameworks, such as CCPA and GDPR. 

It is currently already available for ChatGPT and will be available for Bard the week of June 12. 

According to Sentra, if PII is included in ChatGPT or Bard prompts, it runs the risk of becoming part of the training data for large language models. And while these technologies can have productivity benefits, they raise concerns around data privacy and security. 

ChatDLP Anonymizer allows privacy-conscious companies the ability to use ChatGPT or Bard with privacy guardrails in place. 

It uses a Named Entity Recognition model to filter out PII like names, email addresses, credit card numbers, and phone numbers.

There is also an enterprise version of the tool where the redaction happens within the customer’s own cloud infrastructure.

“In the race to capitalize on the power of this emerging technology, organizations are taking on new security and data privacy risks,” said Ron Reiter, co-founder and CTO of Sentra. “Over the past few months, we were encouraged by a number of CISOs and security professionals to develop and deliver ChatDLP Anonymizer as a logical extension to our DSPM platform. By implementing this innovative technology, enterprises will be able to feel confident that employees are using AI language models safely.”

The post Sentra has a new feature to remove personal info from ChatGPT prompts appeared first on SD Times.

Over the last decade the PETs it has invented include Federated Learning, Differential Privacy, and Fully Homomorphic Encryption (FHE). 

From the company’s standpoint, this allows them to protect users’ personal data while also continuing to provide the great user experiences that require personal data, such as finding the most popular dishes at a restaurant or providing recommendations as you type. 

According to Google, adoption of these technologies has been slow for a number of reasons, such as large computational resource requirements, management complexity, and cost of implementation.

Three years ago Google open-sourced these technologies to provide broader access, and now the company is making new strides to provide the community with new ways to deploy these technologies. 

First, it announced it would be open-sourcing a new project called Magritte. It uses machine learning to detect and blur objects, such as license plates, as they appear in a video. It requires low computational resources and can save time from having to manually blur objects in a video. 

Next, Google announced improvements to the FHE Transpiler. It optimized circuits to reduce circuit size by 50%. This improves speed and will be useful in industries where there is a need to have security guarantees when processing sensitive data. 

“Just a decade ago, PETs were largely seen as an academic exercise, with many ideas that were still untested. With our dedicated investment and work from engineering teams, we’re now applying these novel data processing techniques across many of our products. In fact, PETs are a key part of our Protected Computing effort at Google, which is a growing toolkit of technologies that transforms how, when and where data is processed to technically ensure its privacy and safety,” Miguel Guevara, product manager in the privacy and data protection office at Google, wrote in a blog post.

The post Google announces innovations in privacy-enhancing technologies appeared first on SD Times.

Earlier this year, it announced it was bringing Privacy Sandbox to Android and since then it has released a few developer previews. Now it is announcing that the Privacy Sandbox Beta will rollout to Android 13 devices starting early in 2023, and to get developers ready it is sharing some information about the upcoming beta.

RELATED CONTENT: Google’s Privacy Sandbox creates open standards to enhance privacy

First, in order to get access to Privacy-Preserving APIS, such as Topics, FLEDGE, and Attribution Reporting, developers will need to go through an enrollment process to verify their identity and gather developer-specific data that the API may need. 

Anyone wishing to participate in the beta program can request access on a limited number of Android 13 devices, and can register apps that utilize the Sandbox APIs. 

There will be a closed beta for developers to test the SDK Runtime. It will be limited to a small group of developers due to the coordination required in testing it on production devices, the Android team explained. 

On the advertiser side, the team recommends working with ad providers to understand testing roadmaps and ways to participate in testing of the Privacy Sandbox.

The post Google shares info about upcoming Android Privacy Sandbox Beta appeared first on SD Times.

The new type of verifiable identifier doesn’t require a centralized registry and it will enable individuals and organizations to take better control of their online information while providing greater security and privacy, according to W3C. 

Users will be able to take email addresses and social network addresses along with them whenever they want to switch between service providers, and this information can last for as long as their controller wants to continue using them in a similar way to how some individuals can take their mobile number with them when switching carriers.

DIDs also enable the controller to verify ownership of the DID using cryptography, allowing for more trustworthy transactions online. 

“Fundamentally, Decentralized Identifiers are a new type of globally unambiguous identifier that can be used to identify any subject (e.g., a person, an organization, a device, a product, a location, even an abstract entity or a concept). Each DID resolves to a DID document that contains the cryptographic material and other metadata for controlling the DID,” W3C wrote in a blog post.

The foundational pillars of DIDs are:

1. They do not require a central issuing agency and are decentralized
2. They do not require the continued operation of an underlying organization (persistent)
3. Control of DIDs, and the information they are associated with, can be proven cryptographically
4. DID metadata can be discovered 

The post W3C announced Decentralized Identifiers (DIDs) v1.0 as official web standard appeared first on SD Times.

Understanding user data is the first step to proving strong privacy and security, Simpson said. “We’ve got to be looking at what personal information is flowing through our environment unprotected,”  Simpson explained. “Gaining visibility to that clear tech data that’s linked to the landscape and first and foremost understanding that.” 

If applications and platforms that users rely on for protection understand the kind of personal data they are entrusted to protect, then it will make it exponentially easier for them to do so. Simpson, though,  cautioned: “Unfortunately in most environments we see, a lot of that data is not encrypted. It’s flowing through networks, going outside of the company and can be intercepted and stolen by anyone,” he said. This can be a scary thought for many users. It is not uncommon to browse the internet assuming a certain level of anonymity will be provided and that is why it is so important for organizations to take crucial steps to grant users protection.

However, understanding data goes deeper than encryption. Simpson said there are many levels to personal user data, and platforms should strive to have a clear picture of all of them. “What we should be doing from there is taking a step back and looking at things like: where is this data coming from? Who is it being shared with? And really taking action,” he began. 

Simpson explained that a good way to gain knowledge on these things is for organizations to create data flow maps. These kinds of maps provide a physical representation of how data is created, who creates it, where it goes, and who needs access to it, making it easier for companies to more securely protect their users. “We’ve got to do that legwork because what we have to do is set a standard, monitor the standard, and continue to build controls around the standard,” Simpson explains. 

The burden of internet privacy doesn’t fall solely on organizations though; users also hold some of the responsibility. According to Simpson, a one-sided approach to privacy will never be enough. He says that keeping track of and hiding passwords is the first thing users should be concerned with online. “There’s a lot of things users can do, but one of the first things I recommend is using a password management or password vaulting service where you can centrally manage passwords in one application,” he explained. With so many different applications and services requiring unique passwords for login, it can be challenging to keep track. Being overwhelmed with too many passwords in too many locations can result in carelessness and sometimes leave a metaphorical window open for hackers that may allow them to more easily gain access to user data and information. According to Simpson, storing passwords in a centralized and secure place helps to combat this and provide an extra layer of protection to users. 

On top of this, Simpson also stresses the importance of having multi-factor authentication enabled when it is available. “It’s particularly important in email because you think about when you hit a password reset button on almost any website, that password reset is going to that email address,” he began. “If someone gained access to that email account, they can gain access to anything else associated with that email account.” According to Simpson, this is how most user information becomes compromised on a regular basis. However, his most important tip to users looking to up their internet security is to simply think about what they are sharing. “If you don’t need to share the information, if it’s not a required field, don’t share it.”

According to Sri Mukkamala, senior vice president of security products at the IT automation platform Ivanti, the responsibility of internet privacy falls on both the organization and consumer equally. “It’s a combination of both, because as an individual if you give up information, you’re almost signing a waiver,” he began. “There’s something that says ‘I accept’ and you don’t even read through it… and I wouldn’t fully blame the consumer because at the same time a company should not just throw in legalities and take that waiver and do whatever they want.” Mukkamala said that this is a key reason why we see regulations coming into play more and more now. Relying on just the consumers and organizations themselves to provide proper protection is no longer enough.

In recent years many applications have opted for biometric identification in place of passwords in pursuit of a more secure platform. According to Simpson, this has worked in many cases, but not to the scale necessary. “It’s helped but it’s not consistently implemented on a widespread basis that would provide it with the material impact that it could have.” 

Simpson accredits this lack of widespread adoption to the diversity we see in devices. With so many users employing a number of different technologies, creating a standardized kind of biometric identification has proved to be incredibly difficult. “Everyone is concerned about the business impact as well and the impact that [biometric identification] can have within the organization so these types of things can be scary,” he added. 

Another key aspect of implementing this kind of technology is assurance that organizations are doing it the right way. While Simpson believes that software like this paired with universal adoption would be a major step in the right direction for internet privacy, he also believes that taking shortcuts with such important technology will do more harm than good.

There is another side of the shift towards biometric identification, however. According to Mukkamala, using facial recognition or voice identification in place of passwords could result in hackers becoming savvier and gaining access to arguably even more personal information. Mukkamala explained, “The personally identifiable information has just expanded its scope… if i started collecting biometrics, whether that’s facial recognition or voice recognition, where will that data go?” 

This is an interesting point to look at. If organizations opt for this kind of identification, the data they are collecting from users becomes almost more personal and thus, has to be protected accordingly, which brings us right back around to the initial question of how organizations can ensure the best protection for users. 

Swallowing third-party cookies

Google has announced that it will ban third-party cookies from the search engine in the name of internet privacy and protecting user data. According to Curtis Simpson, CISO of the cybersecurity platform Armis, this move away from third-party cookies will have a tremendous impact. “If you look at this whole acceptance model that was built around third-party cookies, that’s generally a joke,” he explained. According to Simpson, most users are hitting “accept all” when pop-ups prompt them to do so, regardless of whether or not they understand what they are actually agreeing to. Once users allow cookies to access their data, it becomes much easier for it to fall into the wrong hands. “In most cases, they’re collecting more information than you want or need to share with them,” Simpson warned. Google’s push away from third-party cookies will provide users with better privacy because they will no longer have to worry about what outside sources have access to their personal information. 

Mukkamala, senior vice president of security products at the IT automation platform Ivanti, puts this into perspective. “If someone walks up to you on the street and says ‘show me your driver’s license,’ you’re going to ask why,” he explained, “It’s the same thing online and you don’t even hesitate to give that personal information away.” This comparison drives the point home. When websites like Google ask users to allow third-party cookies, and they do, it is essentially the same as giving a stranger on the street your information. The user has no real knowledge of what websites are going to do with that information or where it could end up. The internet should operate the same as the real world in this way: question why websites want users to grant access to cookies and respond in the same way you would if this were an interaction in the real world.

In the last few years, internet privacy has been taken very seriously by many organizations. Back in 2016, the European Union announced the implementation of The General Data Protection Regulation (GDPR) which was designed to better protect internet users. According to Simpson, GDPR is the first set of laws regarding internet privacy that enterprises really took seriously. 

“In many cases, enterprises see it’s cheaper to be non-compliant than to be compliant, but GDPR changed all of that due to their findings,” Simpson explained. He believes that this widespread compliance with the regulations GDPR put into place is the reason why it has been so effective. However, that does not mean that every organization is following all of these rules. Simpson explained that GDPR was effective because many companies were enforcing these laws due to a fear of repercussions if they did not. Unfortunately, this kind of fear-based acceptance may not be a sustainable model. “If we don’t continue to see penalties, due to inaction, I think we’re going to see a slowdown around some of those privacy elements,” he said. While Simpson believes that if organizations become more lenient with GDPR regulations, it could lead to stricter enforcement and more fines, he also predicts that until penalties become more consistent and more public, privacy issues may fall to the back burner. 

On the bright side though, Simpson also predicts that in the near future, we will see an increase in regulations like GDPR being implemented on a national scale. “Whether it’s [an adoption of GDPR] or other similar regulations, we’re going to see across the globe that everyone’s going to care and mandate minimum standards,” he said. Once organizations start to care more about internet privacy and putting regulations in place to protect users, we will see a real change. “As we’ve seen, this really does have a general impact on society as we continue to see these breaches at scale affecting hundreds of millions of people,” he began, “We can’t continue to have that happen because it’s disrupting services and capabilities within countries because when this happens at scale, it has a much larger impact.” 

California was the first state to go the extra mile in terms of internet privacy when it enacted The California Consumer Privacy Act (CCPA). This set of laws used GDPR as a guide to help better implement and enforce these regulations. According to Simpson, while CCPA operates on a smaller scale than GDPR, it is still generally effective. CCPA striving to meet GDPR requirements has caused many organizations to look at their own privacy guides and adjust them. “In many cases, companies are just finding the lowest common denominator,” he explained. These companies and organizations are looking at GDPR and CCPA regulations and trying to enact similar standards on a smaller scale, which will ultimately be a positive for users.

Mukkamala said that one way companies and organizations can ensure user privacy outside of enacting new laws is to simply collect less information and be more careful with what they do collect from users. “Companies collect way too much information,” he began, “The company should be very careful about what they’re collecting, why they’re collecting it, and how they plan to use it.”  If companies took a step back and reevaluated how much personal user information they are collecting, they could rid themselves of what they deem unnecessary. Doing this would make for more secure platforms because organizations would be more intentional about what they are collecting and storing from users. 

Mukkamala referred to the excessive amount of personally identifiable information (PII) websites and organizations collect, and the possible misuse of said info as privacy debt. In recent years this has become a bigger problem as more and more privacy debt is incurred by companies. “Because of privacy debt, during transactions, during IPO, during their SEC disclosures, privacy is becoming a very important risk factor to be considered,” Mukkamala said. All this is to say that organizations that are taking more information than needed from their users, while not taking the best steps to protect consumers may end up paying the price for it in the long run. Collecting personal information from users requires proper guidelines for how to use, store, and share said information, whether that be at a company, state, or global level. 

Disposing of user data

Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, said that she believes one of the biggest challenges facing internet privacy today is the issue of disposing user data once websites no longer need it. “What happens in a lot of companies is there will be a particular initiative and when that program is over, nobody thinks about what happens to that data,” she said. According to Plaggemier, this is one of the biggest blindspots organizations face in terms of user protection. If companies are taking data and personal information from consumers with no proper disposal plan in place, it can become a real risk. User personal information can easily fall into the wrong hands if it is stored or disposed of improperly once it is no longer needed.

Plaggemier spoke specifically about a data breach involving Mercedes-Benz and a third-party company. According to Plaggemier, the data compromised was from years before the breach took place long after Mercedes had stopped working with the third-party company involved. “It brings the question to my mind: are you still using that data? Why is it still out there?” she said. This breach left many consumers vulnerable and if the proper user protection and data disposal systems had been in place, it may never have happened. When consumers give online companies their personal information they are placing their trust in them and if organizations don’t properly dispose of this data when it is no longer needed, they are betraying that trust.

The post Internet Privacy and User Protection appeared first on SD Times.

FHE allows encrypted data to be transported across the Internet to a server and get processed without being decrypted. The transpiler will allow developers to write code for basic computations, like string processing or math, and run it on the encrypted data. The transpiler transforms the code into code that can run on the data.

According to Google, this tool will allow developers to create new applications that don’t need unencrypted data. They can also use it to train machine learning models on sensitive data. 

For example, a developer can build an application for people with diabetes and use FHE to encrypt the data collected and share it with medical experts who can analyze the data without decrypting it. 

“In the next 10 years, FHE could even help researchers find associations between specific gene mutations by analyzing genetic information across thousands of encrypted samples and testing different hypotheses to identify the genes most strongly associated with the diseases they’re studying,” Miguel Guevara, product manager at the Privacy and Data Protection Office at Google, wrote in a post. 

Google noted that this is just a first step and that there is still a long way to go before most computations are possible with FHE. 

Guevara added: “We will continue to invest and lead the privacy-preserving technology field by publishing new work, and open-sourcing it for everyone to use at scale – and we’re excited to continue this practice by sharing this latest advancement with developers everywhere. We can’t wait to see what you’ll build, and we look forward to collaborating on the journey towards a safer Internet.”

The post Google open sources Fully Homomorphic Encryption transpiler appeared first on SD Times.

The platform’s updated low-code and developer tools enable users to build apps and processes faster with an improved UI and platform enhancements for external file data storage and other backend functions.

Improvements to the BPM engine streamline the full cycle of process management with faster integrations setups and the unified CRM solution enables companies to better align their sales, marketing and service departments.

Android privacy updates

The latest Android gives more transparency around the data being accessed by apps while providing simple controls to make informed choices.

With the new privacy dashboard, users can have a simple and clear timeline view of the last 24-hour access to location, microphone and camera and they can also share more context about an app’s data usage with a new permission intent API.

The updates also include  two new controls that allow users to quickly and easily cut off apps’ access to the microphone and camera on the device, more control over location data, clipboard read notifications, nearby device permissions and more. 

Additional details on all of the latest Android updates are available here.

The future of Internet Explorer

Microsoft announced that the Internet Explorer 11 desktop application will be retired on June 12, 2022, adding that the future of Internet Explorer on Windows 10 is in Microsoft Edge. 

Microsoft Edge is now capable of handling compatibility with older, legacy websites and applications with a built in “IE mode” so that users can access Internet Explorer-based websites and applications from Microsoft Edge. 

“With Microsoft Edge, we provide a path to the web’s future while still respecting the web’s past. Change was necessary, but we didn’t want to leave reliable, still-functioning websites and applications behind,” Sean Lyndersay, a partner group program manager of Microsoft Edge at Microsoft wrote in a blog post.

PDFTron announces new investment

PDFTron announced a new strategic growth investment from Thoma Bravo that is expected to drive increased innovation within PDFTron’s document processing market. 

The investment is expected to drive increased innovation in PDFTron’s document processing technology platform and to accelerate the company’s growth trajectory in the document processing market. 

The transaction is expected to close by the end of this month.

The post SD Times news digest: Creatio version 7.18, Android privacy updates, and the future of IE appeared first on SD Times.