#i have been very busy causing problems for a site with no public api
Explore tagged Tumblr posts
Text
I've been doing different and unrelated code for a while: has anyone at Tumblr open-sourced a version of the NPF-block-to-dashboard-HTML code?
#tumblr api#coding#i have been very busy causing problems for a site with no public api#and wheezing
10 notes
·
View notes
Text
COVID: The Squeeze Play on the Population
It’s a con as old as the hills. The ancient chieftain of a little territory looks out across his domain and says to his top aide, “You know, we have these clusters of people worshiping different gods. That’s not good for business. Our business is CONTROL, so we need UNITY. Make up the name of some god, and go out there and sell it. Take down those little shrines and tell all the people they have to believe in the new deity. Use force and censorship when necessary. Later on, I may decide I’M really the name you chose for the new god. We’ll see. If you have any trouble right away, call me on my cell. I’ll be out sunning by the pool.”
Unity of thought. That’s what controllers are after.
In the case of this fake epidemic, the population must view WHAT IT IS in the way public officials and the press are describing it. Dissenting analysis must be pushed into the background.
Here is a 4/9 Bloomberg News headline: “5G Conspiracy Theory Fueled by Coordinated Effort.” [1] A sub-headline states, “Researchers identify disinformation campaign but not source.” The article begins: “A conspiracy theory linking 5G technology to the outbreak of the coronavirus is quickly gaining momentum…” Nature Made Calcium, M... Buy New $9.00 ($0.03 / Count) (as of 03:55 EDT - Details)
Obviously, such wayward thinking has to be stopped. And down further in the Bloomberg article, we have chilling news: “Some social media companies have taken action to limit the spread of coronavirus conspiracy theories on their platforms. On Tuesday, Google’s YouTube said that it would ban all videos linking 5G technology to coronavirus, saying that ‘any content that disputes the existence or transmission of Covid-19’ would now be in violation of YouTube policies.”
“In the U.K., a parliamentary committee on Monday called on the British government to do more to ‘stamp out’ coronavirus conspiracy theories, and said it was planning to hold a hearing later this year at which representatives from U.S. technology giants will be asked about how they have handled the spread of disinformation on their platforms.”
Independent analysis of the “epidemic” hangs in the balance. The masters of control want to maintain an information monopoly.
It goes without saying that, in order to achieve this monopoly, detailed surveillance of Internet content is necessary.
Another type of surveillance is also part of the squeeze play. Apple.com has the story (press release, 4/10) [2]:
“Across the world, governments and health authorities are working together to find solutions to the COVID-19 pandemic, to protect people… Since COVID-19 can be transmitted through close proximity to affected individuals, public health officials have identified contact tracing as a valuable tool to help contain its spread. A number of leading public health authorities, universities, and NGOs around the world have been doing important work to develop opt-in contact tracing technology.”
“To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy.” All-Natural Large Heat... Buy New $27.95 ($27.95 / Count) (as of 03:18 EDT - Details)
“First, in May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores.”
“Second, in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities. Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders. We will openly publish information about our work for others to analyze.”
“All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems. Through close cooperation and collaboration with developers, governments and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life.”
If you believe citizen privacy is an utmost concern in the minds of Google and Apple, I have condos for sale on the far side of the moon.
The tracing tools appear to involve a very rapid expansion of Snitch Culture. What else are “opt-in users” going to communicate about? The weather? Lunch?
“Dear Relevant Users and Public Health Officials: Yes, I know Marty. Sad to hear he’s been diagnosed with COVID-19. I did have a brief meeting with him just prior to the lockdown. I suppose I might be infected. I should get tested right away. Let’s see, who else was at the meeting? Marty’s brother, Felix, and Carrie, who is Felix’ on and off girlfriend. Six months ago she was tested for an STD, I don’t know the results—Sandy, the broker at Wilson and Wise was also at the meeting—OMG, that could mean the whole company is infected—and Sandy’s dog Tootsie—can animals spread the virus?—then there was a janitor who came into the room, I think his name is Al. He lives down near the docks. He has a brother who I hear is a drug dealer and a compulsive gambler. He owes money to some nasty people, I think…Anything I can do to stop the spread of the virus, let me know…”
Enlist the citizenry to act as spies on each other. A useful tactic. Qunol Ultra CoQ10 100m... Buy New $25.35 ($0.21 / Count) (as of 02:39 EDT - Details)
It rips the fabric of social trust.
It blows apart privacy.
It exposes people to government intervention.
It cements the UNITY DICTUM: the epidemic has only one portrait, and the population must bow before it.
An answer? A counter? More citizens must become independent reporters and publish their findings. More citizens must set up blogs and sites that act as old-fashioned street newsstands, posting the work of independent journalists and investigators.
For every ten they censor, a hundred must spring up.
Nothing is riding on this except the immediate future—freedom, slavery, medical dictatorship, a borderless planet operated as one super-corporation, the individual vs. the collective, the energy of the individual soul.
Or people can say doom is upon us and nothing can be done about it.
Or people can sit at home and suck on the lockdown lollipop.
In Ohio, there is a protest see here and here.
SOURCES: [1]: 5G Virus Conspiracy Theory Fueled by Coordinated Effort [2]: Apple and Google partner on COVID-19 contact tracing technology
-Jon Rappaport
0 notes
Text
Monthly Web Development Update 9/2019: Embracing Basic And Why Simple Is Hard
Monthly Web Development Update 9/2019: Embracing Basic And Why Simple Is Hard
Anselm Hannemann
2019-09-13T13:17:00+02:002019-09-13T11:44:31+00:00
Editor’s note: Please note that this is the last Monthly Web Development Update in the series. You can still follow the Web Development Reading List on Anselm’s site at https://wdrl.info. Watch out for a new roundup post format next month here on Smashing Magazine. A big thank-you to Anselm for sharing his findings and his thoughts with us during the past four years.
Do we make our lives too complex, too busy, and too rich? More and more people working with digital technology realize over time that a simple craft and nature are very valuable. The constant hunt to do more and get more productive, with even leisure activities that are meant to help us refuel our energy turning into a competition, doesn’t seem to be a good idea, yet currently, this is a trend in our modern world. After work, we feel we need to do two hours of yoga and be able to master the most complex of poses, we need a hobby, binge-watch series on Netflix, and a lot more. That’s why this week I want to encourage you to embrace a basic lifestyle.
“To live a life in which one purely subsists on the airy cream puffs of ideas seems enviably privileged: the ability to make a living merely off of one’s thoughts, rather than manual or skilled labor.” — Nadia Eghbal in “Basic”
What does basic stand for? Keep it real, don’t constantly do extra hours, don’t try to pack your workday with even more tasks or find more techniques to make it more efficient. Don’t try to hack your productivity, your sleep, let alone your meditation, yoga, or other wellness and sports activities. Do what you need to do and enjoy the silence and doing nothing when you’re finished. Living a basic life is a virtue, and it becomes more relevant again as we have more money to spend on unnecessary goods and more technology that intercept our human, basic thoughts on things.
News
Firefox 69 is out, bringing us JavaScript public instance fields, Resize Observers, Microtask APIs, CSS overflow-block, and @supports for selectors.
General
Chris Coyier asks the question if a website should work without JavaScript in 2019. It breaks down to a couple of thoughts that mainly conclude with progressive enhancement being more important than making a website work for users who actively turned off JavaScript.
Privacy
Brave’s research reveals how Google works around the legal requirements of the GDPR directive on its DoubleClick service, exposing private user data to millions of websites without any control.
UI/UX
In our modern world, it’s easy to junk things up. We’re quick to add more questions to research surveys, more buttons to a digital interface, more burdens to people. Simple is hard.
Web Performance
So many users these days use the Internet with a battery-driven device. The WebKit team shares how web content can affect power usage and how to improve the performance of your web application and save battery.
Scrolling a page with complex rendering and video playback has a significant impact on battery life. But how can you make your pages more power efficient? (Image credit)
JavaScript
Philip Walton shows how we can use native JavaScript modules in production today.
Tooling
There’s a new tool in town if you want to have a status page for your web service: The great people from Oh Dear now also provide status pages.
Bastian Allgeier shares his thoughts on simplicity on the web, where we started, and where we are now. Call it nostalgic or not, the times when we simply uploaded a file via FTP and it was live on servers were easy days. Now with all the CI/CD tooling around, we have gotten many advantages in terms of security, version management, and testability. However, a simple solution looks different.
Accessibility
Adrian Roselli shares why we shouldn’t under-engineer text form fields and why the default CSS that comes with the browser usually isn’t enough. A pretty good summary of what’s possible, what’s necessary, and how to make forms better for everyone visiting our websites. It even includes high-contrast mode, dark mode, print styles, and internationalization.
Work & Life
Adam Blanchard summarized his notes and thoughts from TechFestival in Copenhagen and shares behaviors that transform organizations.
Claire Lew explains why the question of how to motivate employees is misguided and how great managers support their employees’ thoughts and ideas to foster self-motivation.
A lot of developers hate to be interrupted as it can harm productivity for hours. Samuel Taylor wrote a thought-provoking article to help us understand why a “developers vs. others” mentality decreases trust in a team and how you can take matters into your own hands, asking yourself why people interrupt you and take this as a chance to improve.
Nadia Eghbal shares why externalizing all our thoughts is not only a good thing. Embracing the basic in our lives is a virtue we should focus on more and this article is great food to make us think.
A method to solve the problem of that one thing on our task list that is “so meaningful and important that it brings up a ton of uncertainty for us, and causes us to avoid, run, distract, comfort, procrastinate.”
Going Beyond…
Snøhetta’s Powerhouse Brattørkaia produces twice the energy it uses with clever architecture and technology like solar panels all over the place. Isn’t that an office building we’d love to go to for work?
It might be that scientists have been underestimating the pace of climate change as the sea temperature measurements which were made in the past decade lacked accuracy.
This isn’t business as usual. Business as usual has time but we can use a short break to finally start shaping our future. From September 20th to 27th, millions will join young climate strikers on the streets and demand an end of the age of fossil fuels. I’m ready and will support this movement. Let’s do our best to cut down emissions — by driving less or flying less, especially if it’s “for fun”. Together we can change everything.
—Anselm
(cm)
0 notes
Text
Version 443
youtube
windows
zip
exe
macOS
app
linux
tar.gz
I had a great week doing nice cleanup and quality of life work.
Hey, we had a problem getting the macOS release to build this week. The macOS link above goes to a build using a simpler and faster method. It should work fine, but please let me know if you have any trouble. As always, back up before you update!
highlights
Popup messages can now launch complex jobs from a button. The first I've added is when a subscription hits its 'periodic' file limit. The situation itself is now better explained, and a button on the popup will create a new downloader page with the specific query set up with an appropriate file limit to fill in the gap. The second is if you try to upload some content to a repository that your account does not have permission for (this is affecting sibling- and parent-uploading PTR users as the shared public account is changing), the popup message that talks about the issue now has a button that takes you straight to the manage services panel for the service and starts automatic account creation.
Subs should now be more careful about determining when they have 'caught up' to a previous sync. Small initial file limits are respected more, and the 'caught up' check is now more precise with sites that can give multiple files per URL or very large gallery pages.
I gave options->speed and memory a full pass. The layout is less crushed and has more explanation, the options all apply without needing a client restart, and the new, previously hardcoded cache/prefetch thresholds are now exposed and explained. There's a neat thing that gives an example resolution of what will be cached or prefetched, like 'about a 7,245x4,075 image', that changes as you fiddle with the controls.
The client has recently had worse UI lag. After working with some users, the biggest problems seemed to come in a session with lots of downloaders. I traced the cause of the lag and believe I have eliminated it. If you have had lag recently, a second or two every now and then, please let me know how things are now.
If you use the Client API a lot while the client is minimised, you can now have it explicitly prohibit 'idle mode' while it is working under options->maintenance and processing.
full list
quality of life:
when subscriptions hit their 'periodic file limit', which has always been an overly technical term, the popup message now explains the situation in better language. it also now provides a button to automatically fill in the gap via a new gallery downloader page called 'subscription gap downloaders' that gets the query with a file limit five times the size of the sub's periodic download limit
I rewrote the logic behind the 'small initial sync, larger periodic sync' detection in subscription sync, improving url counting and reliability through the third, fourth, fifth etc... sync, and then generalised the test to also work without fixed file limits and for large-gallery sites like pixiv, and any site that has URLs that often produce multiple files per URL. essentially, subs now have a nice test for appropriate times to stop url-adding part way through a page (typically, a sub will otherwise always add everything up to the end of a page, in order to catch late-tagged files that have appeared out of order, but if this is done too eagerly, some types of subs perform inefficiently)
this matters for PTR accounts: if your repository account does not have permissions to upload something you have pending, the popup message talking about this now hangs around for longer (120 seconds), explains the issue better, and has a button that will take you directly to the _manage services_ panel for the service and will hit up 'check for auto-account creation'
in _manage services_, whenever you change the credentials (host, port, or access key) on a restricted service, that service now resets its account to unknown and flags for a swift account re-fetch. this should solve some annoying 'sorry, please hit refresh account in _review services_ to fix that manually' problems
a new option in maintenance and processing allows you to disable idle mode if the client api has had a request in the past x minutes. it defaults disabled
an important improvement to the main JobScheduler object, which farms out a variety of small fast jobs, now massively reduces Add-Job latency when the queue is very busy. when you have a bunch of downloaders working in the background, the UI should have much less lag now
the _options->speed and memory_ page has a full pass. the thumbnail, image, and image tile caches now have their own sections, there is some more help text, and the new but previously hardcoded 10%/25% cache and prefetch limits are now settable and have dynamic guidance text that says 'about a 7,245x4,075 image' as image cache options change
all the cache options on this page now apply instantly on dialog ok. no more client restart required!
.
other stuff, mostly specific niche work:
last week's v441->442 update now has a pre-run check for free disk space. users with large sessions may need 10GB or more of free space to do the conversion, and this was not being checked. I will now try to integrate similar checks into all future large updates
fixed last week's yandere post parser link update--the post url class should move from legacy moebooru to the new yandere parser correctly
the big maintenance tasks of duplicate file potentials search and repository processing will now take longer breaks if the database is busy or their work is otherwise taking a long time. if the client is cluttered with work, they shouldn't accidentally lag out other areas of the program so much
label update on ipfs service management panel: the server now reports 'nocopy is available' rather than 'nocopy is enabled'
label update on shortcut: 'open a new page: search page' is now '...: choose a page'
fixed the little info message dialog when clicking on the page weight label menu item on the 'pages' menu
'database is complicated' menu label is updated to 'database is stored in multiple locations'
_options->gui pages->controls_ now has a little explanatory text about autocomplete dropdowns and some tooltips
migrate database dialog has some red warning text up top and a small layout and label text pass. the 'portable?' is now 'beneath db?'
the repositery hash_id and tag_id normalisation routines have two improvements: the error now shows specific service_ids that failed to lookup, and the mass-service_hash_id lookup now handles the situation where a hash_id is mapped by more than one service_id
repository definition reprocessing now corrects bad service_id rows, which will better heal clients that previously processed bad data
the client api and server in general should be better about giving 404s on certain sorts of missing files (it could dump out with 500 in some cases before)
it isn't perfect by any means, but the autocomplete dropdown should be a _little_ better about hiding itself in float mode if the parent text input box is scrolled off screen
reduced some lag in image neighbour precache when the client is very busy
.
boring code cleanup:
removed old job status 'begin' handling, as it was never really used. jobs now start at creation
job titles, tracebacks, and network jobs are now get/set in a nicer way
jobs can now store arbitrary labelled callable commands, which in a popup message becomes a labelled button
added some user callable button tests to the 'make some popups' debug job
file import queues now have the ability to discern 'master' Post URLs from those that were created in multi-file parsing
wrote the behind the scenes guts to create a new downloader page programmatically and start a subscription 'gap' query download
cleaned up how different timestamps are tracked in the main controller
next week
I am now on vacation for a week. I'm going to play vidya, shitpost the limited E3, listen to some long music, and sort out some IRL stuff.
v444 should therefore be on the 23rd. I'll do some more cleanup work and push on multiple local file services.
Thank you for your support!
0 notes
Text
Just how to Choose an Online Payment Solution
Just how to Choose an Online Payment Solution
Exactly how to choose an Online Payment Service and also our choice
The payment supplier is selected based upon many different criteria. Several of these are the solution accessibility in the nation where your checking account is, prices of a purchase, monthly charges, the prices of integration, and whether it settles sales tax concerns or allows for integration with a few other popular payment solutions. A lot of these concerns should be responded to by You the customer. Stripe is our favored selection as it had exceptional API abilities. This article will certainly use Stripe as its payment cpu of selection. Alipay
Ideal Practices for payment suppliers
Retry if purchase did not been successful The transaction could fall short not just as a result of technological reasons yet in some cases inadequate funds might be the reason. You must retry processing the transaction between an hour to number of days later on.
Know when your CC will end Some of the card details will run out or their data will no longer stand for different reasons. When you do not have valid CC data charging the customer will not be feasible. The major card systems supply a service that allows you check if there are any kind of updates pending for the consumer information that you keep. Some of the on-line payment remedies will certainly also update card information for you. Red stripe will certainly do this for most of MasterCard, Discover, as well as Visa cards. Not just CC.
Be aware that in some parts of the world individuals are not willing to pay with their Charge card The most effective example of this is China when Alipay is the major payment resource. It is worth keeping in mind that not all customers more than happy handing out their card information so making use of a widely known payment approach assists to boost the completion price of potential deals. Red stripe also sustains Alipay for China as well as for Europe Giropay, iDEAL
We wish to have Alipay Often customers just want to use Alipay UK as they know with the brand name. Do not be stubborn - Stripe will certainly aid to optimize your revenue. Stripe and also Paypal are straight rivals there is no combination between them.
Best practices while utilizing the Red stripe payment procedure
PCI compliance with Stripe
Many users end up being PCI certified by filling out the Self-Assessment Questionnaire (SAQ) offered by the PCI Safety And Security Standards Council. The kind of SAQ depends upon how you collect card information. The easiest technique of PCI validation is SAQ A. The fastest means to end up being PCI compliant with Stripe is to see to it you get a prefilled SEQ A. If so Stripe will certainly load the SEQ A for you as well as will make it readily available for you to download to your account's conformity setups after the initial 20 or so purchases. The means to attain this is as adheres to:
- Utilize the Embedded form called Check out, Stripe.js as well as Aspects (it provides far better format modification then Check out). You can utilize react-stripe-elements which makes use of Stripe.js API or Stripe mobile SDK libraries. When you're using react-native select tipsi-stripe. ipsi-stripe bindings are not formally sustained by Stripe so assistance will not formally inform you that they get approved for prefilled SEQ-A compliance - but they do.
- If you are making use of web serve your settlements pages need to utilize HTTPS.
In all those instances information is firmly transmitted directly to Red stripe without it passing through your servers. When you choose the fastest means you will certainly not need to do anything more. It is as straightforward as this up until you reach 6 million transactions annually then you will have to fill up a Record on Compliance to verify your PCI conformity each year.
Plan for technological failing - Idempotency essential If you are utilizing API to take payments you should plan for a technical failing as all networks are unstable. If failing occurs wit is not constantly feasible to understand if a charge was made or otherwise. When it comes to a network failure you must retry the deal. The Idempotency secret is a prevention device against charging a customer two times. If somehow you sent the payment twice - which might take place due to retrying procedures after a failing. In Stripes node lib you just add it to alternatives specification while billing. Each Idempotency key will time out after 24 hours so afterwards time if you make a payment with the same Idempotency secret you will charge the client.
Stripe charges in cents not dollars On the internet payment options like PayPal charge in bucks as opposed to cents. However that in Stripes all charges are made in smallest currency system. This is not only the instance concerning bucks, Stripes does it for all currencies.
Test
Red stripe offers lots of card numbers for you to examine various circumstances on the frontend and also symbols so you can straight check your backend. For instance you can not only test Visa, Mastercard, American Express, Discover, Diners Club and also JCB Cards yet additionally worldwide cards and also 3D Secure Cards. Stripe additionally supplies you with tokens so you can evaluate failing circumstances like a cost being decreased, or a cost being obstructed due to the fact that its deceitful, an ended card, or a handling mistake. So you will be prepared for every little thing that can take place when you go live.
Do not place JSON in description - Use metal
Be descriptive as you can. Metadata is your good friend. You can improve your Red stripe purchase with custom-made information so you can after that see it in the dashboard. For example you can add points like consumer ID or the delivery ID in metadata so there is no reason to pollute your deal summary.
Should I accumulate extra information?
The bare minimum to gather from a CC is its number, CVV and also expiration day yet you can accumulate extra. You can additionally collect the postal code/ CC holder name/ address for Address Verification System (AVS). If you accumulate them it will raise Wechat Payment UK safety since the scams avoidance algorithms will certainly have much more information and will have the ability to react a lot more accurately. Nonetheless, from the individual point of view it's even more information to kind - which is not constantly excellent. Clients are just human and also occasionally make mistakes when going into data which can additionally cause some deals to be rejected. So you must select just how much data you need and also what will certainly function best for you and also your revenue. Similarly financial institutions will sometimes deny repayments with a 'do not recognize' standing and also you will certainly have to call your client so they can ask their financial institution regarding the reason (high level of current activity on a card, an absence of matching AVS info, a card being over its limit, or a variety of various other reasons which only the financial institution will certainly recognize).
If you are any kind of on-line supplier of service or products, a method for consumers to pay quickly and easily online is becoming increasingly more essential. Online payment options are abundantly offered, and offer consumers a far more streamlined as well as hassle-free internet purchasing experience. The complying with are several of the advantages to carrying out online payment remedies. These apply to small businesses and large ventures alike (though the substantial bulk of bigger companies do have on the internet payment services).
Reduce of Purchase
It only stands to factor: if a purchase is simpler as well as quicker to make, there is a greater possibility that a person will make it. When you contrast the amount of time and also problem it requires to write out a check, placed it in a stamped envelope, and send it with filling in a name as well as a couple of credit card digits and after that clicking submit, it is clear at to which the client will perceive as much easier. As well as, in fact they will certainly be right even in a measurable sense worrying the quantity of time invested. Hence from a standard sales standpoint, it makes sense to supply online payment alternatives UK.
Up-to-Date Appearance
Beyond the above, a site that uses on-line payment solutions shows up much more up-to-date and contemporary. Online payment is the standard now, the rule as opposed to the exemption. So it makes a site appear even more market mindful as well as technically updated. This can aid to strengthen the sight for the customer that the website is legit, present, and also customer-oriented.
Simpler to Track and Organize
It is less complicated to track as well as arrange sales that are made online. The software program that processes these payments may additionally include analysis and also organizational components that are very handy in both evaluation of the sales performance of the website and also publication maintaining. And also excellent analysis and organization of supplier information is constantly handy for optimizing as well as streamlining a business.
Conserves Time and also Resources
These online payment services UK conserve the moment and sources of a company. Some examples are their capability to immediately handle repeating payments, produce billings automatically, as well as act as user interfaces for customer questions and complaints. The sheer workforce conserved right here alone is factor to institute these services.
Movement
These repayments can be received anywhere internet gain access to is available. This significantly frees up time and also permits higher flexibility both of business employees and also customers. When a customer can buy anywhere they can utilize their laptop computer, and also a firm can similarly receive those repayments basically anywhere and also anytime, the window for making purchases is a lot higher. This is all thanks to the raised availability/mobility.
A relatively current growth in this area is what is known as mobile payment. This is a growing network that enables people to Wechat Pay for goods or solutions making use of just mobile phones. Once again, what is occurring here is that payment is ending up being also easier to make in a variety of different circumstances and areas.
As you can see, applying an on-line payment option E14 5NR for your organisation makes sense on various levels. If you anticipate to have any type of significant online sales presence, allowing customers to make on line settlements is basically a requirement. Discover a great solution that matches your company needs and also you'll be ready to go.
Today's culture is slowly proceeding in the direction of a cashless economy! People favor to utilize their plastic as opposed to hard cash. Indeed, making use of charge card is a whole lot simpler than lugging money around. One card is all that you require to suit your purse whereas in case of cash money you need to carry a mass amount because you don't recognize how much you may need at one go. While talking with a company boss who lives next door, I realized the relevance of on the internet payment and also its growing importance for business globe. They have actually begun using different on-line payment remedies as well as terminating the acceptance of cash money from the customers. You need to work with people in order to man the cash counters while in case of online cash transfer the process is quick, basic as well as hassle-free.
On the internet payment transfer is much safer option also. Credit cards are issued by a financial institution after a prolonged verification process. While paying with your charge card, you need to mandatorily check all payment related details before final confirmation. Likewise, you MUST inspect credit card and also bank declarations meticulously after every payment to make certain the appropriate quantity has actually been debited, and also that no scams has happened throughout the particular transaction phase. Bulk of individuals likewise make use of conventional payment portals (PayPal, Authorize.net, and so on) to transfer funds to the vendor. Occasion coordinators as well are relying greatly on such on the internet payment processing and also administration options to effectively deal with event registration charges and/or ticket sales.
On-line payment services feature some major advantages such as:
PCI Compliance
It suggests you can securely make use of such an option for monetary purchases of any kind of kind. PCI which means Payment Card Industry has actually gotten a few objectives that all credit card providing and also dealing financial institutions require to adhere to. Some of the objectives include keeping a protected network, securing the card owner's information, as well as consistently keeping an eye on every single deal that takes place using credit cards.
SSL 128-bit Information Security
Bulk of on-line payment administration software adhere to the SSL 128-bit data file encryption plan to protect info that passes through the system. Therefore, the online payment remedy allows you refine all types of credit/debit card settlements and payments made using preferred gateways firmly, stopping any kind of chances of fraudulence.
Tension-free Cash Handling
Companies of all kinds, event monitoring firms plus course organizers discover an online payment service extremely easy to use. It is since they don't have to trouble around separately collecting money from the consumers, attendees or trainees. The on the internet system successfully transfers money from the purchaser's to the seller's savings account in minutes with least human disturbance.
On-line payment options could be the secret to saving personal time. It's simple to establish automatic electronic payment choices. You can log on each month to pay your expenses. Or you can license for repayments to be made as regularly as you want without going to your computer. Electronic settlements save you time due to the fact that you are not in the automobile or standing at the bank in line to make a withdrawal or transfer. Doing settlements online is very easy for people with standard computer system skills. If you want straight deposits from your business instead of waiting on a paper check, just offer your firm your account info to set up deposits with the financial institution, and also the transfers begin usually in a few pay cycles.
As an organisation on-line payment services will certainly conserve you a great deal of time and paperwork. You will have exact, organized records of the paychecks you spread at your fingertips. It will not take long to initiate worker pay-roll direct down payments when fundamental account information is authorized and become part of the system. Currently instead of preparing each specific check, printing it, and afterwards signing it, your pay-roll heads out at the touch of a few computer system keys.
Increasingly more company is being carried out online so online payment solutions is a progressively approved as well as preferred purchase. Cash can be transferred in real time where in the past, somebody could have to wait days for a check to show up, hoping it would certainly get to all and not obtain lost in the mail, and afterwards take it to the bank to deposit and wait for funds to clear. Currently, due to the strict regulatory steps that safeguard on the internet settlements, transfers are often offered to the recipient instantly or within a couple of hours of transfer. In today's stressed economy, having prompt accessibility to money that is your own or being able to pay your expenses in the nick of time when you can manage it, is a welcome benefit.
Online payment remedies is a terrific idea for people that require to move large or regular quantities of cash and also are worried for their safety and security. Before digital transfers, individuals had to take pay-roll to a bank, approve repayments personally, as well as handle money handy. Currently as opposed to stressing over being robbed at any step of the method, digital transfers offer a high degree of security. Staff members don't need to bother with washing a paper check when they do washing and after that needing to change it. Digital transfer guarantees the money goes straight to the designated account.
0 notes
Text
Guest Post: Ten Questions the SEC Will Probably Be Asking Google
John Reed Stark
Earlier this week, media reports circulated that this past spring Google had exposed the private data of thousands of the Google+ social network users and then opted not to disclose the issue, in part because of concerns that doing so would draw regulatory scrutiny and cause reputational damage. In the wake of these revelations, one question is whether the SEC will look into these circumstances. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at what he regards as a likely SEC investigation and the questions that the SEC likely will be asking. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s post.
***********************
Google has a problem and, having served for over 11 years as Chief of the SEC’s Office of Internet Enforcement, my guess is that the SEC is probably investigating.
On October 8, 2018, Google announced that it will close most of its failing social media platform Google+ and implement several new privacy measures because of a previously undisclosed software bug relating to its Google+ application programming interphase (API). Google created the API to help app developers access an array of profile and contact information about the people who sign up to use their apps, as well as the people they are connected to on Google+.
Google also mentioned that up to 500,000 Google+ users potentially had their personal data exposed. In addition, Google reported that up to 438 applications may have used the defective Google+ API, which makes estimations of impacted individuals difficult to ascertain.
Meanwhile the Wall Street Journal and the Washington Post are reporting that Google hid the Google+ API defect from shareholders and others for fear of regulatory examination, Congressional inquiry and other negative ramifications.
What a mess. Let the onslaught of scrutiny begin, which in my opinion will undoubtedly include an investigation by the U.S. Securities and Exchange Commission (SEC), the federal regulator tasked with policing the disclosures to shareholders by public companies like Google.
But what precisely will the SEC want to know? Assuming I am right about an ongoing SEC investigation, this article presents ten questions SEC enforcement staff will be posing to Google executives and others, in connection with an investigation of Google’s public disclosures of the Google+ API defect.
Some Background: Post 2018 SEC Cybersecurity Disclosure Guidance
On February 20th, 2018, the SEC issued further interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents (the “2018 SEC Guidance”).
The 2018 SEC Guidance offers the SEC’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and processes, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.
The 2018 SEC Guidance serves as a follow-up to the October 13, 2011 SEC Division of Corporation Finance staff guidance, which also pertained exclusively to the cybersecurity- related disclosure obligations of public companies (the “2011 SEC CF Guidance”).
The fact that the 2011 SEC CF Guidance was published by the staff while the 2018 SEC Guidance was adopted by the Commission itself, though indicative of the gravity of the issue of the SEC and cyber incident disclosure, makes little actual difference for practitioners. Whether guidance emanates from the SEC staff or from the SEC itself, it should be taken with the same high level of significance and attentiveness.
Along those lines, much of the 2018 SEC Guidance tracks the 2011 SEC CF Guidance, retaining a focus on “material” cyber risks and incidents and expanding upon its predecessor while also reinforcing the SEC’s expectations about cyber-disclosure. But if the 2011 SEC CF Guidance was a wake-up call for public companies, the 2018 SEC Guidance was a resounding fire alarm — and is a must-read for any C-suite executive at a public company.
In short, the 2018 SEC Guidance:
Stresses the need for public companies to put into practice disclosure controls and procedures designed to escalate cybersecurity risks and incidents to the right c-suite executives;
Emphasizes the urgency for public companies to make appropriate disclosure to investors; and
Articulates the SEC’s growing concerns about unlawful trading involving data security incidents.
The 2018 SEC Guidance also serves as a stark reminder for public companies that disclosures relating to data security events present an array of regulatory and litigation issues and has quickly evolved into an increasingly specialized area of securities regulation.
Pre-2018 SEC Cyber-Disclosure Guidance
On October 13, 2011, the SEC released the 2011 SEC CF Guidance, its first ever staff guidance pertaining exclusively to the cybersecurity-related disclosure obligations of public companies.
With the 2011 SEC CF Guidance, the SEC officially (and quite noticeably) added cybersecurity into the mix of disclosure by putting every public company on notice that cyber-attacks and cybersecurity vulnerabilities fell squarely within a public company’s reporting responsibilities.
The 2011 SEC CF Guidance covered a public company’s reporting responsibilities both just after a cyberattack as a “material” event, and before as a “risk factor.” In their essence, these notions clarified the SEC’s long- standing requirement that public companies report “material” events to their shareholders. What precisely renders an event material has plagued securities lawyers for years and has been the subject of countless judicial decisions, SEC enforcement actions, law review articles, law firm guidance and the like – but can be effectively summed up as any important development or event that “a reasonable investor would consider important to an investment decision.”
Prior to the 2011 SEC CF Guidance, publicly traded companies were not necessarily required to report in their SEC filings if a data security incident had occurred or if they had fixed the problem. After the 2011 SEC CF Guidance, however, publicly traded companies were more compelled to acknowledge cyber-attacks other data security incidents to regulators, and explain the measures they planned to take to close their cyber-security gaps.
With respect to the aftermath of a cyberattack, the 2011 SEC CF Guidance discussed the myriad of ways a cyber-attack can impact the operations of a public company. Next the 2011 SEC CF Guidance set forth the various reporting sections of typical SEC filings that could warrant mention of the cyber-attack, including Risk Factors; Management’s Discussion and Analysis of Financial Condition and Results of Operations; Description of Business, Legal Proceedings, Financial Statement Disclosures; and Disclosure Controls and Procedures.
With respect to the mere possibility of a cyber-attack, the 2011 SEC CF Guidance noted that companies should also “consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”
Even though the SEC staff might have viewed the 2011 SEC CF Guidance as simply a reiteration of previously existing requirements, there remained little doubt at the time of its publication that the 2011 SEC CF Guidance imposed an arguably unprecedented and certainly significant obligation upon public companies.
Against the backdrop of the 2011 CF Guidance and the 2018 SEC Guidance, below are ten questions Google should expect from SEC enforcement staff.
Question #1: Was Google’s Internal Investigation of the Google+ API Vulnerability a Fulsome and Robust Process of Neutrality, Objectivity, Transparency and Candor?
When it comes to data security incidents, one option for Google is to investigate the problem itself – get to the bottom of it, improve security practices, policies and procedures and move forward with better, stronger and more robust security. This seems to have been Google’s approach – and it may have very well succeeded.
However, there is a far more effective, more rewarding and more cost-effective option, which SEC enforcement staff has come to respect and appreciate. Whether it is British Petroleum struggling to handle the aftermath of an oil refinery explosion killing 15 Alaskan workers; Wells Fargo adjusting its operations after a massive company fraud committed by 5,300 employees against over two million customer accounts; or any company experiencing a threat to its customers, the same lesson always rings true. Confront the issue head-on with independence, transparency and integrity.
For starters, strong leaders seek answers from independent and neutral sources of information and when responding to data security incidents. Google’s leaders should:
Engage a former law enforcement agent or prosecutor from an independent and neutral law firm or consulting firm (preferably never engaged before) to conduct an investigation and report its findings to the board;
Direct the law firm to engage an independent digital forensics firm to examine the Google+ API issue;
Report the investigation’s progress to shareholders, regulators and other constituencies and fiduciaries every step of the way; and
Disclose the details of the findings to those users impacted.
Instead of trying to characterize an incident, effective leaders begin with these three steps, which evidence strong corporate ethics; fierce customer dedication; and steadfast corporate governance.
Next is to anoint someone from the engaged outside investigative team to serve as the face of the response. This person should be a former law enforcement official with impeccable credentials and the kind of gravitas that customers, shareholders and other important members of the public will trust and respect.
By navigating problems with integrity and transparency, Google can shift the tides in their favor, seizing the opportunity to reinforce strong business ethics; renewed customer dedication; and steadfast corporate governance.
But Google’s announcement makes no mention of any independent investigation. Rather Google’s announcement focuses on findings and conclusions rendered by its own “Privacy & Data Protection Office,” a council of top Google product executives who oversee key decisions relating to privacy.
C-Suite executives and boards of directors are not politicians and do not have the luxury of conducting potentially self-serving investigations and offering sanitized reports and findings; they have fiduciary obligations to shareholders and others to seek the truth and they should do so with independency, neutrality, transparency and candor. Otherwise, any formal findings can lack credibility and integrity, and no one, including the SEC enforcement staff, will take the investigative and remedial effort seriously.
Question #2: What Did the Google Board Know, and When Did They Know It?
The 2018 SEC Guidance for public companies on cybersecurity-related disclosures garnered a great deal of attention for what it says about the threat and risk that cybersecurity presents for public companies — large and small. With cyber-incidents capturing headlines around the world with increasing frequency, businesses and regulators have come to recognize that cyber-incidents are not a passing trend, but rather in our digitally connected economy, an embedded risk that is here to stay. Indeed, these cybersecurity risks represent a mounting threat to businesses — risks that can never be completely eliminated.
Much of the published commentary concerning the 2018 SEC Guidance focused on the technical aspects of the SEC’s instructions regarding the need for additional disclosure in a company’s periodic filings and the SEC’s updated views on the timing of cyber-related disclosures and what that means for insider trading windows. However, the 2018 SEC Guidance also says a lot about the SEC’s expectations of boards with respect to data security incidents, including disclosure-related responsibilities.
The SEC’s views on the role of the board have evolved over the past few years, culminating with the release of the 2018 SEC Guidance, which likely prompted many corporate boards to take tangible steps to translate their general awareness and high-level concerns around cybersecurity risks into specific behaviors and precise actions that are identifiable, capable of being readily implemented and heavily documented.
The comments contained in the 2018 SEC Guidance evidence the SEC’s strong views regarding the board’s essential role in this emerging area of enterprise risk and remove any doubt that for those who serve as corporate directors, “cybersecurity” can no longer be just a buzz word or a simple talking point. While many board members characterize cybersecurity risks as “an existential threat,” few, if any, have taken the time to go beyond attaining a superficial understanding of what that really means for their companies. Corporate directors now must consider themselves on notice. When it comes to cybersecurity, they are expected to dig in and, therefore, must demand greater visibility into what is oft presented as a murky and highly complex area best left to technologists.
Specifically, the 2018 SEC Guidance advises that public companies should disclose the role of boards of directors in cyber risk management, at least where cyber risks are material to a company’s business. With respect to the Google+ vulnerability, the SEC enforcement staff will probe about communication lines up to the board from the ground level at Google, searching for any broken links; any lack of transparency or candor; any concealment or “cleansing” of inculpatory information and any other related corporate governance failure.
Historically, when it comes to their CFOs and the financial reporting function, the successful board paradigm has been one of vigorous and independent supervision, requiring the participation of independent third parties. The same should go for CTOs, CIOs and CISOs, and the maxim of trust but verify should be equally operative in both contexts.
The SEC enforcement staff will want to know what steps, if any, Google took to enhance its board’s cybersecurity oversight in response to the 2018 SEC Guidance, and will want to understand the Google board’s approach to cybersecurity and the Google board’s involvement in the handling and management of the Google+ API defect.
Question #3: Where was Google’s CEO?
If Google’s CEO does not embrace and understand the importance of cybersecurity, the company has little chance of effectively carrying out its responsibility to ensure proper risk-based measures are in place and functioning. It is the CEO who is charged with day-to-day management responsibility and, as history tells us, those in the organization will, in fact, “follow the leader.” This may seem like an obvious point, but its criticality cannot be overstated.
Why would a CEO not take the issue of cybersecurity seriously? CEOs have a lot on their plate. And, like it or not, it is a reality of human behavior that there is a tendency to downplay the potential for certain risks — “this is not going to happen to us” — until those risks manifest themselves and then it is just too late. By then, the damage is already done, and the consequences can be immediate and, at times, catastrophic.
Recognizing this reality, the 2018 SEC Guidance actually offers shareholders an assist in the effort to focus the attention of the CEO. The SEC explicitly recognizes the importance of “tone at the top,” as demonstrated by one of its more specific and impactful directives, requiring that so-called executive certifications regarding the design and effectiveness of disclosure controls now encompass cybersecurity matters (such as certifications made pursuant to the Exchange Act Rules 13a-14 and 15d-14 as well as Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F).
Disclosure controls and procedures should ensure that relevant cybersecurity risk and incident information is reported to management so that they may make required certifications and disclosure decisions. Here, the SEC actually stole a page from the playbook of former SEC Chairman Harvey Pitt, who originated the idea of executive certifications way back in 2002.
Shocked after officials of such scandal-plagued companies such as Enron and Worldcom testified on Capitol Hill that they did not know their companies were reporting false or misleading information, Chairman Pitt conjured up the idea of executive certifications which was remarkably successful, effective — and quite ingenuous.
Then Chairman Pitt dictated that top corporate officials, chief executive officers and chief financial officers, must declare personally — literally, to take an oath — that their most recent financial statements are accurate. The new rule applied to companies’ future reports as well.
By making a “certification,” these officers are swearing that they know, for certain, that financial reports are true. If the reports are not, the executives must explain why these results are not accurate. This eventually led some companies to restate their results to comply with certification.
Just like former SEC Chairman Pitt’s certification requirement sought to ensure accurate financial reporting and responsible executive conduct regarding financial results, current SEC Chairman Jay Clayton’s 2018 SEC Guidance seeks to ensure accurate cybersecurity reporting and responsible executive conduct regarding data security incidents.
These required certifications by a company’s principal executive officer and principal financial officer as to the design and effectiveness of cyber-related disclosure controls and procedures can be somewhat challenging. Company executives making these certifications have to consider whether a company’s disclosure controls and procedures for cybersecurity are, in particular, capable of fully assessing and escalating such cyber risks and incidents. Along these lines, the SEC will look to see if Google executives have developed and implemented some methodology to “drill down” into Google’s technical conclusions, perhaps even independently validating IT conclusions and representations when necessary.
The expanded certification rule seeks to drive executive-level ownership and accountability with respect to the reporting of cybersecurity incidents and the broader area of data security. Indeed, the 2018 SEC Guidance states:
“These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
The SEC certainly understands the centrality of the CEO’s role and now the CEO must affirmatively certify to the adequacy of the organization’s cybersecurity controls. SEC enforcement staff will attempt to determine if Google’s CEO and senior executives have accepted – and embraced – both the spirit and the language of this new SEC certification requirement.
Question #4: What Were Google’s Formal Policies, Practices and Procedures Relating to Disclosure of Data Security Incidents?
SEC enforcement staff will want to review all of Google’s formal policies, practices and procedures relating to the disclosure of cybersecurity incidents.
The 2018 SEC Guidance encourages companies to implement policies, practices and procedures mandating that important cyber risk and incident information escalate “up the chain,” from IT teams to senior management, allowing for informed, intelligent and knowledgeable decisions.
This particular communications edict must have hit close to home for SEC Chairman Clayton, who when testifying before Congress about a data breach at the SEC, was clearly miffed that the SEC staff had not shared certain critical information with the various SEC Commissioners, including the Chairman. At that time, then-SEC Commissioner Michael S. Piwowar even went so far as to issue a formal statement about the lack of communication to him about the SEC data breach, stating:
“I commend Chairman Clayton for initiating an assessment of the SEC’s internal cybersecurity risk profile and approach to cybersecurity from a regulatory perspective. In connection with that review, I was recently informed for the first time that an intrusion occurred in 2016 in the SEC’s Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) system. I fully support Chairman Clayton and Commission staff in their efforts to conduct a comprehensive investigation to understand the full scope of the intrusion and how to better manage cybersecurity risks related to the SEC’s operations.”
Question #5: What was the Nature of any Google Disclosure Related to the Data Security Incident or the Risks of Data Security Incidents?
Much like the 2011 SEC CF Guidance, the 2018 SEC Guidance can be somewhat maddening with respects to the actual content of a company’s disclosure regarding a data security incident.
For example, as to the particularity of any data security incident’s disclosure, the SEC seems to want to have its cake and eat it too. On the one hand, the 2018 SEC Guidance appears to allow for a lack of specifics so as not to compromise a company’s security, stating:
“This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a “roadmap” for those who seek to penetrate a company’s security protections. We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”
On the other hand, the 2018 SEC Guidance cautions companies not to use any sort of generic “boilerplate” type of language in its disclosures, stating somewhat opaquely:
“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we ‘emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.’ Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”
Along these lines, any conclusions about the adequacy (or inadequacy) of the actual substance of any Google disclosure concerning the Google+ API defect will be the subject of debate. SEC staff will review texts, emails, reports and other relevant documents pertaining to the Google+ vulnerability discovery and remediation, and then follow-up seeking testimonial evidence from Google employees and outside experts to better understand the particulars of the “bug.”
With respect to Google’s risk disclosures, the SEC enforcement staff will likely consider Google’s vague reference to risk in its October 8th announcement, which stated:
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+”
The SEC staff will want to know if Google incorporated into its SEC filings the risk associated with the “challenges,” and will want to read the details of the Google “review,” cited above in Google’s October 8th announcement.
Question #6: How Long Did It Take for Google to Remediate After Discovery of the Data Security Vulnerability?
Good news on this front for Google. Google should take some comfort that the 2018 SEC Guidance recognizes that data security incident investigations are complicated and cannot be completed overnight.
The SEC recognizes that the investigation of data security incidents can take time, and that some companies may not want to make any disclosures about an incident when they do not have some comfortable handle on the facts of the situation. The 2018 SEC Guidance states:
“Understanding that some material facts may be not available at the time of the initial disclosure, we recognize that a company may require time to discern the implications of a cybersecurity incident. We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident.”
But the SEC also qualifies its recognition of the complexity of data security incidents and warns companies that the need for a lengthy investigation into a data security incident is not necessarily an automatic excuse for delaying the disclosure of a data security incident, stating:
“However, an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
Of course, when a data security incident happens, the public’s demand for immediate answers is understandable. Lifesavings are at risk while the perpetrators of hacking schemes are rarely identified, let alone captured and prosecuted. However, in the aftermath of most data security incidents, there exists no CSI-like evidence which would allow for speedy evidentiary findings and rapid remediation.
While some data security incidents may provide key evidence early-on, most never do, or even worse, provide a series of false positives and other stumbling blocks. The evidence among the artifacts, remnants and fragments of a data security incident is rarely in plain view; it can rest among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity.
Moreover, evidence can become difficult to nail down — logs are destroyed or overwritten in the course of business; archives become corrupted; hardware is repurposed; and the list goes one.
For instance, in Google’s case, according to the Wall Street Journal, certain key logs were simply never retained, which created obstacles for its internal investigators:
“Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time.”
In short, the evidence analyzed during a data security incident can be a massive, jumbled and chaotic morass of terabytes of data. That is why the investigation of a data security incidents can take weeks, perhaps months, before any concrete conclusions begin to take shape. Rushing to judgment (and disclosure) might not only create further confusion and expense, but it can also undermine the objectivity, truth and confidence that the public (especially shareholders) deserves.
Question #7: Did Google Undertake a Timely and Comprehensive Disclosure of its Data Security Incident?
The Wall Street Journal reported one blockbuster fact that will be a lightning rod for SEC enforcement attention:
“[Google] opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.”
The SEC will likely begin its investigation by reviewing Google’s disclosures since March of 2018, when a privacy task force formed inside Google, code-named Project Strobe, apparently discovered the API problem during a company-wide audit of the company’s APIs. Google’s announcement states that:
“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.”
The 2018 SEC Guidance clearly emphasizes the need for timely disclosure, probably taking a lesson from the Equifax data breach and, ironically from the SEC’s own data breach experience, which SEC Chairman Jay Clayton admitted should have been disclosed earlier.
Equifax, one of three elite repositories of personal credit information, and a trusted source for personal security and identity theft defense products, disclosed a cyber-attack that could potentially affect 148 million consumers — nearly half of the U.S. population. The accessed Equifax data reportedly included sensitive information such as social security numbers, birthdays, addresses, and in some instances, driver’s license numbers — a virtual treasure trove for identity thieves.
Not long after the Equifax data breach, SEC Chairman Jay Clayton also announced a data breach into the SEC’s EDGAR system, a vast database that contains information about company earnings, share dealings by top executives and corporate activity such as mergers and acquisitions. Accessing that information before it’s disclosed publicly could allow hackers to profit by trading ahead of the information’s release.
With respect to the Equifax data breach, now “retired” Equifax CEO Richard Smith told a breakfast meeting in mid-August 2017 that data fraud is a “huge opportunity,” allowing Equifax to sell consumers more offerings. Smith touted the company’s credit-monitoring offerings, according to a video recording of the meeting at the University of Georgia’s Terry College of Business, and declared that protecting consumer data was “a huge priority” for the company.
But what the Equifax CEO failed to mention was that less than three weeks earlier, Equifax had apparently discovered a potentially massive data security incident and that Equifax had called in expert incident response firm Mandiant, to investigate. Yet, it was not until a few weeks later on Sept. 7, that Equifax disclosed the massive data breach to the public.
With respect to the SEC data breach, the SEC itself may have opted for a similar path of delayed notification. Reports and SEC Chairman Clayton’s testimony before the Senate Banking Committee indicate that the SEC data breach was discovered in 2016, and the possible illegal trades were detected in August of 2017, but the SEC did not disclose any information about the incident until September 20th, 2017.
Senior executives at both the SEC and Equifax have angered their constituents with their arguably sluggish disclosure. Both entities probably focused too much upon what they were legally and contractually obligated to disclose, rather than taking a more holistic approach to the question.
Per the 2018 SEC Guidance, if Google learned of a cybersecurity incident or cyber-risk that was material to its investors, then Google was expected to make appropriate disclosures. The 2018 SEC Guidance even goes so far as to remind public companies to consider obligations under the stock listing requirements, such as Section 202.05 of the NYSE Listed Company Manual and NASDAQ Listing Rule 5250(b)(1). Additionally, when Google experienced a data security incident of any type, the 2018 SEC Guidance emphasizes the possible need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events.
When organizing the disclosure of data security incidents and overall cybersecurity risks, just like the 2011 SEC CF Guidance, the 2018 SEC Guidance explains that disclosure of data security incidents may be required in sections of public filings addressing Risk Factors, MD&A, Description of Business, Legal Proceedings and Financial Statement Disclosures.
No doubt, SEC enforcement staff will be pouring over these various sections of disclosure, looking for any possibly misleading information or material omission.
Question #8: Was There any Trading by Any Google Personnel Who Knew of the Data Security Incident?
While empirical data may suggest otherwise, some data security incidents can impact a company’s stock price – such as the actual stock price drops immediately following disclosure of the Equifax and Target breaches. In such situations, executives who learn of a data security incident, if it is material and nonpublic, could be violating insider trading laws if they engage in any trading of the company’s stock.
Along these lines, the 2018 SEC Guidance warned corporate insiders not to sell shares of a company when holding confidential knowledge about cyberattacks and breaches that could affect stock price. This is an area not covered by the 2011 SEC CF Guidance but made sense to include in the 2018 SEC Guidance.
Equifax once again probably triggered the SEC’s concerns and prompted inclusion of this principle in the 2018 SEC Guidance. The Equifax data breach also involved a stock sell-off by some of its executives before the disclosure of its experience of a cyber-attack and spurred an SEC insider trading investigation that resulted in at least one SEC enforcement action against an Equifax manager for unlawful insider trading. Intel CEO Brian Krzanich got hit with a similar backlash, too, for selling a large block of shares after learning of the Meltdown and Specter computer chip vulnerabilities, but before disclosing them to the public.
The SEC is obviously expecting that Google have thoughtful and well-documented consideration of data security incidents in the context of possible trading on material, nonpublic information – and carefully drafted, robust and precise policies, practices and procedures in place to demonstrate a rigorous culture of compliance.
SEC enforcement staff will likely explore whether the 2018 SEC Guidance prompted Google to review, with data security incidents in mind, their trade restriction policies, permissible trading windows, insider trading training curricula, codes of ethics, trade authorization procedures, trading training manuals and the like.
Question 9: Was Google Mindful of Regulation FD When Briefing Outsiders About its Data Security Incident?
Regulation FD (for “Fair Disclosure”), promulgated by the SEC under the Securities Exchange Act of 1934, as amended prohibits companies from selectively disclosing material nonpublic information to analysts, institutional investors, and others without concurrently making widespread public disclosure.
Regulation FD reflects the view that all investors should have equal access to a company’s material disclosures at the same time. Since its enactment in 2000, Regulation FD has fundamentally reshaped the ways in which public companies conduct their conference calls, group investor meetings, and so‐called “one‐on‐one” meetings with analysts and investors.
The SEC adopted Regulation FD to address the selective disclosure by issuers of material nonpublic information. In its adopting release, the SEC expressed concerns about reported instances of public companies disclosing important nonpublic information, such as advance warnings of earnings results, to securities analysts or selected institutional investors or both, before making full disclosure of the same information to the general public. Those privy to the information beforehand were able to profit or avoid a loss at the expense of everyone else.
The 2018 SEC Guidance emphasizes that companies subject to Regulation FD (like Google) should have policies and procedures to promote compliance with Regulation FD regarding cybersecurity risks and incidents.
In particular, these policies and procedures should work to ensure that Google did not make any selective disclosures about cybersecurity risks and incidents to Regulation FD-enumerated persons without the required broadly disseminated public disclosure. This can create unanticipated problems for any public company experiencing any form of data security incident, because Regulation FD can throw a wrench into an already challenging disclosure process.
For example, in the aftermath of a data security incident of any kind, in addition to any consumer notifications, a broad range of other important notifications may immediately arise, such as briefings to customers, partners, employees, vendors, affiliates, insurance carriers, and a range of other interested/impacted parties.
Given the broad swath of interested parties, SEC enforcement staff will be looking to make sure Google maintained careful and methodical communications practices to ensure that their disclosures were consistent, and not selective.
Question #10: Do Google’s Disclosures, or Lack Thereof, Amount to Criminal Behavior?
Perhaps the most important takeaway from the 2018 SEC Guidance is a notion not specifically stated in the four corners of the document, but rather found in an SEC enforcement action (and parallel DOJ criminal prosecution) filed on the very same day of the 2018 SEC Guidance’s release.
In the SEC enforcement action, captioned SEC v. Jon E. Montroll and Bitfunder, the SEC charged a former bitcoin-denominated platform and its operator with operating an unregistered securities exchange and defrauding users of that exchange. The SEC also charged the operator with making false and misleading statements in connection with an unregistered offering of securities.
Among other accusations, the SEC alleges that BitFunder and its founder Jon E. Montroll operated BitFunder as an unregistered online securities exchange and defrauded exchange users by misappropriating their bitcoins and failing to disclose a cyberattack on BitFunder’s system that resulted in the theft of more than 6,000 bitcoins.
The SEC actually alleges fraud because of the lack of disclosure of the data security incident to customers/account holders, effectively bypassing the issue of whether there is actually any statutory or regulatory disclosure obligation. In other words, by keeping the data security incident a secret, the exchange (which was unlawfully unregistered), committed a fraud upon its customers. The SEC Complaint states:
“Montroll failed to disclose the theft [which occurred by means of a cyber-attack] and the deficit to Ukyo Notes investors and potential investors. By failing to disclose these facts, Montroll misled investors and potential investors – who were led to believe they would profit, at least in part, from BitFunder’s operations – to reasonably believe that BitFunder was a secure and profitable business.”
Concealing a data security incident can not only prompt SEC enforcement actions but can also lead to being arrested and taken into custody. In a parallel criminal case, the U.S. Attorney’s Office for the Southern District of New York filed a complaint against Montroll for perjury and obstruction of justice during the SEC’s investigation. In other words, whether a public company or private company and whether a regulated entity or an unregulated one — keeping a data security incident secret can be the kind of act that triggers an indictment. The SDNY’s press release about their parallel case states:
“As alleged, Montroll committed a serious crime when he lied to the SEC during sworn testimony. In an attempt to cover up the results of a hack that exploited weaknesses in the programming code of his company, he allegedly went to great lengths to prove the balance of bitcoins available to BitFunder users in the WeExchange Wallet was sufficient to cover the money owed to investors. It’s said that honesty is always the best policy – this is yet another case in which this virtue holds true.”
Nothing in any of the few public reports of the Google+ incident indicates any clear-cut nefarious form of fraud or chicanery. However, the Wall Street Journal reports that Google failed to disclose the Google+ API defect for fear of regulatory and other ramifications, stating:
“The [internal Google] document shows Google officials felt that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar [Google’s CEO] will testify before Congress.”
Google executives should realize that SEC enforcement staff will be looking for any hint of deception in their handling of the Google+ API defect — and that SEC enforcement staff will gladly pass along any evidence of fraud to the Federal Bureau of Investigation and the U.S. Department of Justice.
Looking Ahead
In addition to Google’s shareholders, a data security incident can trigger a litany of legal notification/disclosure requirements, including notice to state regulators; federal regulators; GDPR Supervisory Authorities; vendors; partners; insurance carriers; customers; consumers; employees; and any other constituency who may have a vested interest in a victim-company.
Hence, it is not surprising that disclosure of cybersecurity incidents and cybersecurity risks has evolved into one of the most important program areas of SEC enforcement, mentioned in so many SEC speeches and panel discussions. Yet the SEC enforcement division has only filed one SEC enforcement action, against Altaba, formerly known as Yahoo!, alleging any sort of data security incident disclosure failure. This is probably because cybersecurity disclosures are usually made in good faith and lack the kind of obvious misconduct and fraud that the SEC typically prosecutes.
But that should provide Google with little solace. The SEC enforcement division is always looking to prosecute the “big fish” to reinforce a regulatory priority or decree — and Google could fit that bill, especially if the Wall Street Journal report about Google’s efforts at concealment turn out to be even slightly treacherous or outrageous.
As an aside, the Wall Street Journal report implies the existence of an active whistleblower at Google who provided inculpatory memoranda and other documents. The SEC loves whistleblowers; cultivates whistleblowers; seeks out whistleblowers — and financially rewards whistleblowers for their efforts, especially when a whistleblower is a company insider. Whoever was speaking to the Wall Street Journal regarding the Google+ API issue will probably be cooperating with the SEC soon enough.
For Google, perhaps the Google+ API defect was only a minor data mishap and an aberration, and its internal investigative team acted promptly, carefully, swiftly and in the best interest of Google shareholders to remediate the vulnerability. Only time will tell.
In the meantime, my advice is for Google to prepare itself for a vigorous and relentless SEC enforcement division investigation – and have its responses ready not just to the ten questions cited above, but also to the many other questions that the SEC will most certainly pile on.
And if it has not done so by now, Google should consider engaging an independent law firm and digital forensics firm to confirm the findings of Google’s Privacy & Data Protection Office and recommend future remedial actions. To me, injecting independence, transparency and sunlight into Google’s process not only seems like a no-brainer, but would also contribute to a far more thoughtful, conscientious and meritorious defense.
*John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He has taught most recently as Senior Lecturing Fellow at Duke University Law School Winter Sessions and will likely be teaching a cyber-law course at Duke Law in the Spring of 2019. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.”
The post Guest Post: Ten Questions the SEC Will Probably Be Asking Google appeared first on The D&O Diary.
Guest Post: Ten Questions the SEC Will Probably Be Asking Google syndicated from https://ronenkurzfeldweb.wordpress.com/
0 notes
Text
Guest Post: Ten Questions the SEC Will Probably Be Asking Google
John Reed Stark
Earlier this week, media reports circulated that this past spring Google had exposed the private data of thousands of the Google+ social network users and then opted not to disclose the issue, in part because of concerns that doing so would draw regulatory scrutiny and cause reputational damage. In the wake of these revelations, one question is whether the SEC will look into these circumstances. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at what he regards as a likely SEC investigation and the questions that the SEC likely will be asking. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s post.
***********************
Google has a problem and, having served for over 11 years as Chief of the SEC’s Office of Internet Enforcement, my guess is that the SEC is probably investigating.
On October 8, 2018, Google announced that it will close most of its failing social media platform Google+ and implement several new privacy measures because of a previously undisclosed software bug relating to its Google+ application programming interphase (API). Google created the API to help app developers access an array of profile and contact information about the people who sign up to use their apps, as well as the people they are connected to on Google+.
Google also mentioned that up to 500,000 Google+ users potentially had their personal data exposed. In addition, Google reported that up to 438 applications may have used the defective Google+ API, which makes estimations of impacted individuals difficult to ascertain.
Meanwhile the Wall Street Journal and the Washington Post are reporting that Google hid the Google+ API defect from shareholders and others for fear of regulatory examination, Congressional inquiry and other negative ramifications.
What a mess. Let the onslaught of scrutiny begin, which in my opinion will undoubtedly include an investigation by the U.S. Securities and Exchange Commission (SEC), the federal regulator tasked with policing the disclosures to shareholders by public companies like Google.
But what precisely will the SEC want to know? Assuming I am right about an ongoing SEC investigation, this article presents ten questions SEC enforcement staff will be posing to Google executives and others, in connection with an investigation of Google’s public disclosures of the Google+ API defect.
Some Background: Post 2018 SEC Cybersecurity Disclosure Guidance
On February 20th, 2018, the SEC issued further interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents (the “2018 SEC Guidance”).
The 2018 SEC Guidance offers the SEC’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and processes, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.
The 2018 SEC Guidance serves as a follow-up to the October 13, 2011 SEC Division of Corporation Finance staff guidance, which also pertained exclusively to the cybersecurity- related disclosure obligations of public companies (the “2011 SEC CF Guidance”).
The fact that the 2011 SEC CF Guidance was published by the staff while the 2018 SEC Guidance was adopted by the Commission itself, though indicative of the gravity of the issue of the SEC and cyber incident disclosure, makes little actual difference for practitioners. Whether guidance emanates from the SEC staff or from the SEC itself, it should be taken with the same high level of significance and attentiveness.
Along those lines, much of the 2018 SEC Guidance tracks the 2011 SEC CF Guidance, retaining a focus on “material” cyber risks and incidents and expanding upon its predecessor while also reinforcing the SEC’s expectations about cyber-disclosure. But if the 2011 SEC CF Guidance was a wake-up call for public companies, the 2018 SEC Guidance was a resounding fire alarm — and is a must-read for any C-suite executive at a public company.
In short, the 2018 SEC Guidance:
Stresses the need for public companies to put into practice disclosure controls and procedures designed to escalate cybersecurity risks and incidents to the right c-suite executives;
Emphasizes the urgency for public companies to make appropriate disclosure to investors; and
Articulates the SEC’s growing concerns about unlawful trading involving data security incidents.
The 2018 SEC Guidance also serves as a stark reminder for public companies that disclosures relating to data security events present an array of regulatory and litigation issues and has quickly evolved into an increasingly specialized area of securities regulation.
Pre-2018 SEC Cyber-Disclosure Guidance
On October 13, 2011, the SEC released the 2011 SEC CF Guidance, its first ever staff guidance pertaining exclusively to the cybersecurity-related disclosure obligations of public companies.
With the 2011 SEC CF Guidance, the SEC officially (and quite noticeably) added cybersecurity into the mix of disclosure by putting every public company on notice that cyber-attacks and cybersecurity vulnerabilities fell squarely within a public company’s reporting responsibilities.
The 2011 SEC CF Guidance covered a public company’s reporting responsibilities both just after a cyberattack as a “material” event, and before as a “risk factor.” In their essence, these notions clarified the SEC’s long- standing requirement that public companies report “material” events to their shareholders. What precisely renders an event material has plagued securities lawyers for years and has been the subject of countless judicial decisions, SEC enforcement actions, law review articles, law firm guidance and the like – but can be effectively summed up as any important development or event that “a reasonable investor would consider important to an investment decision.”
Prior to the 2011 SEC CF Guidance, publicly traded companies were not necessarily required to report in their SEC filings if a data security incident had occurred or if they had fixed the problem. After the 2011 SEC CF Guidance, however, publicly traded companies were more compelled to acknowledge cyber-attacks other data security incidents to regulators, and explain the measures they planned to take to close their cyber-security gaps.
With respect to the aftermath of a cyberattack, the 2011 SEC CF Guidance discussed the myriad of ways a cyber-attack can impact the operations of a public company. Next the 2011 SEC CF Guidance set forth the various reporting sections of typical SEC filings that could warrant mention of the cyber-attack, including Risk Factors; Management’s Discussion and Analysis of Financial Condition and Results of Operations; Description of Business, Legal Proceedings, Financial Statement Disclosures; and Disclosure Controls and Procedures.
With respect to the mere possibility of a cyber-attack, the 2011 SEC CF Guidance noted that companies should also “consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”
Even though the SEC staff might have viewed the 2011 SEC CF Guidance as simply a reiteration of previously existing requirements, there remained little doubt at the time of its publication that the 2011 SEC CF Guidance imposed an arguably unprecedented and certainly significant obligation upon public companies.
Against the backdrop of the 2011 CF Guidance and the 2018 SEC Guidance, below are ten questions Google should expect from SEC enforcement staff.
Question #1: Was Google’s Internal Investigation of the Google+ API Vulnerability a Fulsome and Robust Process of Neutrality, Objectivity, Transparency and Candor?
When it comes to data security incidents, one option for Google is to investigate the problem itself – get to the bottom of it, improve security practices, policies and procedures and move forward with better, stronger and more robust security. This seems to have been Google’s approach – and it may have very well succeeded.
However, there is a far more effective, more rewarding and more cost-effective option, which SEC enforcement staff has come to respect and appreciate. Whether it is British Petroleum struggling to handle the aftermath of an oil refinery explosion killing 15 Alaskan workers; Wells Fargo adjusting its operations after a massive company fraud committed by 5,300 employees against over two million customer accounts; or any company experiencing a threat to its customers, the same lesson always rings true. Confront the issue head-on with independence, transparency and integrity.
For starters, strong leaders seek answers from independent and neutral sources of information and when responding to data security incidents. Google’s leaders should:
Engage a former law enforcement agent or prosecutor from an independent and neutral law firm or consulting firm (preferably never engaged before) to conduct an investigation and report its findings to the board;
Direct the law firm to engage an independent digital forensics firm to examine the Google+ API issue;
Report the investigation’s progress to shareholders, regulators and other constituencies and fiduciaries every step of the way; and
Disclose the details of the findings to those users impacted.
Instead of trying to characterize an incident, effective leaders begin with these three steps, which evidence strong corporate ethics; fierce customer dedication; and steadfast corporate governance.
Next is to anoint someone from the engaged outside investigative team to serve as the face of the response. This person should be a former law enforcement official with impeccable credentials and the kind of gravitas that customers, shareholders and other important members of the public will trust and respect.
By navigating problems with integrity and transparency, Google can shift the tides in their favor, seizing the opportunity to reinforce strong business ethics; renewed customer dedication; and steadfast corporate governance.
But Google’s announcement makes no mention of any independent investigation. Rather Google’s announcement focuses on findings and conclusions rendered by its own “Privacy & Data Protection Office,” a council of top Google product executives who oversee key decisions relating to privacy.
C-Suite executives and boards of directors are not politicians and do not have the luxury of conducting potentially self-serving investigations and offering sanitized reports and findings; they have fiduciary obligations to shareholders and others to seek the truth and they should do so with independency, neutrality, transparency and candor. Otherwise, any formal findings can lack credibility and integrity, and no one, including the SEC enforcement staff, will take the investigative and remedial effort seriously.
Question #2: What Did the Google Board Know, and When Did They Know It?
The 2018 SEC Guidance for public companies on cybersecurity-related disclosures garnered a great deal of attention for what it says about the threat and risk that cybersecurity presents for public companies — large and small. With cyber-incidents capturing headlines around the world with increasing frequency, businesses and regulators have come to recognize that cyber-incidents are not a passing trend, but rather in our digitally connected economy, an embedded risk that is here to stay. Indeed, these cybersecurity risks represent a mounting threat to businesses — risks that can never be completely eliminated.
Much of the published commentary concerning the 2018 SEC Guidance focused on the technical aspects of the SEC’s instructions regarding the need for additional disclosure in a company’s periodic filings and the SEC’s updated views on the timing of cyber-related disclosures and what that means for insider trading windows. However, the 2018 SEC Guidance also says a lot about the SEC’s expectations of boards with respect to data security incidents, including disclosure-related responsibilities.
The SEC’s views on the role of the board have evolved over the past few years, culminating with the release of the 2018 SEC Guidance, which likely prompted many corporate boards to take tangible steps to translate their general awareness and high-level concerns around cybersecurity risks into specific behaviors and precise actions that are identifiable, capable of being readily implemented and heavily documented.
The comments contained in the 2018 SEC Guidance evidence the SEC’s strong views regarding the board’s essential role in this emerging area of enterprise risk and remove any doubt that for those who serve as corporate directors, “cybersecurity” can no longer be just a buzz word or a simple talking point. While many board members characterize cybersecurity risks as “an existential threat,” few, if any, have taken the time to go beyond attaining a superficial understanding of what that really means for their companies. Corporate directors now must consider themselves on notice. When it comes to cybersecurity, they are expected to dig in and, therefore, must demand greater visibility into what is oft presented as a murky and highly complex area best left to technologists.
Specifically, the 2018 SEC Guidance advises that public companies should disclose the role of boards of directors in cyber risk management, at least where cyber risks are material to a company’s business. With respect to the Google+ vulnerability, the SEC enforcement staff will probe about communication lines up to the board from the ground level at Google, searching for any broken links; any lack of transparency or candor; any concealment or “cleansing” of inculpatory information and any other related corporate governance failure.
Historically, when it comes to their CFOs and the financial reporting function, the successful board paradigm has been one of vigorous and independent supervision, requiring the participation of independent third parties. The same should go for CTOs, CIOs and CISOs, and the maxim of trust but verify should be equally operative in both contexts.
The SEC enforcement staff will want to know what steps, if any, Google took to enhance its board’s cybersecurity oversight in response to the 2018 SEC Guidance, and will want to understand the Google board’s approach to cybersecurity and the Google board’s involvement in the handling and management of the Google+ API defect.
Question #3: Where was Google’s CEO?
If Google’s CEO does not embrace and understand the importance of cybersecurity, the company has little chance of effectively carrying out its responsibility to ensure proper risk-based measures are in place and functioning. It is the CEO who is charged with day-to-day management responsibility and, as history tells us, those in the organization will, in fact, “follow the leader.” This may seem like an obvious point, but its criticality cannot be overstated.
Why would a CEO not take the issue of cybersecurity seriously? CEOs have a lot on their plate. And, like it or not, it is a reality of human behavior that there is a tendency to downplay the potential for certain risks — “this is not going to happen to us” — until those risks manifest themselves and then it is just too late. By then, the damage is already done, and the consequences can be immediate and, at times, catastrophic.
Recognizing this reality, the 2018 SEC Guidance actually offers shareholders an assist in the effort to focus the attention of the CEO. The SEC explicitly recognizes the importance of “tone at the top,” as demonstrated by one of its more specific and impactful directives, requiring that so-called executive certifications regarding the design and effectiveness of disclosure controls now encompass cybersecurity matters (such as certifications made pursuant to the Exchange Act Rules 13a-14 and 15d-14 as well as Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F).
Disclosure controls and procedures should ensure that relevant cybersecurity risk and incident information is reported to management so that they may make required certifications and disclosure decisions. Here, the SEC actually stole a page from the playbook of former SEC Chairman Harvey Pitt, who originated the idea of executive certifications way back in 2002.
Shocked after officials of such scandal-plagued companies such as Enron and Worldcom testified on Capitol Hill that they did not know their companies were reporting false or misleading information, Chairman Pitt conjured up the idea of executive certifications which was remarkably successful, effective — and quite ingenuous.
Then Chairman Pitt dictated that top corporate officials, chief executive officers and chief financial officers, must declare personally — literally, to take an oath — that their most recent financial statements are accurate. The new rule applied to companies’ future reports as well.
By making a “certification,” these officers are swearing that they know, for certain, that financial reports are true. If the reports are not, the executives must explain why these results are not accurate. This eventually led some companies to restate their results to comply with certification.
Just like former SEC Chairman Pitt’s certification requirement sought to ensure accurate financial reporting and responsible executive conduct regarding financial results, current SEC Chairman Jay Clayton’s 2018 SEC Guidance seeks to ensure accurate cybersecurity reporting and responsible executive conduct regarding data security incidents.
These required certifications by a company’s principal executive officer and principal financial officer as to the design and effectiveness of cyber-related disclosure controls and procedures can be somewhat challenging. Company executives making these certifications have to consider whether a company’s disclosure controls and procedures for cybersecurity are, in particular, capable of fully assessing and escalating such cyber risks and incidents. Along these lines, the SEC will look to see if Google executives have developed and implemented some methodology to “drill down” into Google’s technical conclusions, perhaps even independently validating IT conclusions and representations when necessary.
The expanded certification rule seeks to drive executive-level ownership and accountability with respect to the reporting of cybersecurity incidents and the broader area of data security. Indeed, the 2018 SEC Guidance states:
“These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
The SEC certainly understands the centrality of the CEO’s role and now the CEO must affirmatively certify to the adequacy of the organization’s cybersecurity controls. SEC enforcement staff will attempt to determine if Google’s CEO and senior executives have accepted – and embraced – both the spirit and the language of this new SEC certification requirement.
Question #4: What Were Google’s Formal Policies, Practices and Procedures Relating to Disclosure of Data Security Incidents?
SEC enforcement staff will want to review all of Google’s formal policies, practices and procedures relating to the disclosure of cybersecurity incidents.
The 2018 SEC Guidance encourages companies to implement policies, practices and procedures mandating that important cyber risk and incident information escalate “up the chain,” from IT teams to senior management, allowing for informed, intelligent and knowledgeable decisions.
This particular communications edict must have hit close to home for SEC Chairman Clayton, who when testifying before Congress about a data breach at the SEC, was clearly miffed that the SEC staff had not shared certain critical information with the various SEC Commissioners, including the Chairman. At that time, then-SEC Commissioner Michael S. Piwowar even went so far as to issue a formal statement about the lack of communication to him about the SEC data breach, stating:
“I commend Chairman Clayton for initiating an assessment of the SEC’s internal cybersecurity risk profile and approach to cybersecurity from a regulatory perspective. In connection with that review, I was recently informed for the first time that an intrusion occurred in 2016 in the SEC’s Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) system. I fully support Chairman Clayton and Commission staff in their efforts to conduct a comprehensive investigation to understand the full scope of the intrusion and how to better manage cybersecurity risks related to the SEC’s operations.”
Question #5: What was the Nature of any Google Disclosure Related to the Data Security Incident or the Risks of Data Security Incidents?
Much like the 2011 SEC CF Guidance, the 2018 SEC Guidance can be somewhat maddening with respects to the actual content of a company’s disclosure regarding a data security incident.
For example, as to the particularity of any data security incident’s disclosure, the SEC seems to want to have its cake and eat it too. On the one hand, the 2018 SEC Guidance appears to allow for a lack of specifics so as not to compromise a company’s security, stating:
“This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a “roadmap” for those who seek to penetrate a company’s security protections. We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”
On the other hand, the 2018 SEC Guidance cautions companies not to use any sort of generic “boilerplate” type of language in its disclosures, stating somewhat opaquely:
“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we ‘emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.’ Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”
Along these lines, any conclusions about the adequacy (or inadequacy) of the actual substance of any Google disclosure concerning the Google+ API defect will be the subject of debate. SEC staff will review texts, emails, reports and other relevant documents pertaining to the Google+ vulnerability discovery and remediation, and then follow-up seeking testimonial evidence from Google employees and outside experts to better understand the particulars of the “bug.”
With respect to Google’s risk disclosures, the SEC enforcement staff will likely consider Google’s vague reference to risk in its October 8th announcement, which stated:
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+”
The SEC staff will want to know if Google incorporated into its SEC filings the risk associated with the “challenges,” and will want to read the details of the Google “review,” cited above in Google’s October 8th announcement.
Question #6: How Long Did It Take for Google to Remediate After Discovery of the Data Security Vulnerability?
Good news on this front for Google. Google should take some comfort that the 2018 SEC Guidance recognizes that data security incident investigations are complicated and cannot be completed overnight.
The SEC recognizes that the investigation of data security incidents can take time, and that some companies may not want to make any disclosures about an incident when they do not have some comfortable handle on the facts of the situation. The 2018 SEC Guidance states:
“Understanding that some material facts may be not available at the time of the initial disclosure, we recognize that a company may require time to discern the implications of a cybersecurity incident. We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident.”
But the SEC also qualifies its recognition of the complexity of data security incidents and warns companies that the need for a lengthy investigation into a data security incident is not necessarily an automatic excuse for delaying the disclosure of a data security incident, stating:
“However, an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
Of course, when a data security incident happens, the public’s demand for immediate answers is understandable. Lifesavings are at risk while the perpetrators of hacking schemes are rarely identified, let alone captured and prosecuted. However, in the aftermath of most data security incidents, there exists no CSI-like evidence which would allow for speedy evidentiary findings and rapid remediation.
While some data security incidents may provide key evidence early-on, most never do, or even worse, provide a series of false positives and other stumbling blocks. The evidence among the artifacts, remnants and fragments of a data security incident is rarely in plain view; it can rest among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity.
Moreover, evidence can become difficult to nail down — logs are destroyed or overwritten in the course of business; archives become corrupted; hardware is repurposed; and the list goes one.
For instance, in Google’s case, according to the Wall Street Journal, certain key logs were simply never retained, which created obstacles for its internal investigators:
“Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time.”
In short, the evidence analyzed during a data security incident can be a massive, jumbled and chaotic morass of terabytes of data. That is why the investigation of a data security incidents can take weeks, perhaps months, before any concrete conclusions begin to take shape. Rushing to judgment (and disclosure) might not only create further confusion and expense, but it can also undermine the objectivity, truth and confidence that the public (especially shareholders) deserves.
Question #7: Did Google Undertake a Timely and Comprehensive Disclosure of its Data Security Incident?
The Wall Street Journal reported one blockbuster fact that will be a lightning rod for SEC enforcement attention:
“[Google] opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.”
The SEC will likely begin its investigation by reviewing Google’s disclosures since March of 2018, when a privacy task force formed inside Google, code-named Project Strobe, apparently discovered the API problem during a company-wide audit of the company’s APIs. Google’s announcement states that:
“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.”
The 2018 SEC Guidance clearly emphasizes the need for timely disclosure, probably taking a lesson from the Equifax data breach and, ironically from the SEC’s own data breach experience, which SEC Chairman Jay Clayton admitted should have been disclosed earlier.
Equifax, one of three elite repositories of personal credit information, and a trusted source for personal security and identity theft defense products, disclosed a cyber-attack that could potentially affect 148 million consumers — nearly half of the U.S. population. The accessed Equifax data reportedly included sensitive information such as social security numbers, birthdays, addresses, and in some instances, driver’s license numbers — a virtual treasure trove for identity thieves.
Not long after the Equifax data breach, SEC Chairman Jay Clayton also announced a data breach into the SEC’s EDGAR system, a vast database that contains information about company earnings, share dealings by top executives and corporate activity such as mergers and acquisitions. Accessing that information before it’s disclosed publicly could allow hackers to profit by trading ahead of the information’s release.
With respect to the Equifax data breach, now “retired” Equifax CEO Richard Smith told a breakfast meeting in mid-August 2017 that data fraud is a “huge opportunity,” allowing Equifax to sell consumers more offerings. Smith touted the company’s credit-monitoring offerings, according to a video recording of the meeting at the University of Georgia’s Terry College of Business, and declared that protecting consumer data was “a huge priority” for the company.
But what the Equifax CEO failed to mention was that less than three weeks earlier, Equifax had apparently discovered a potentially massive data security incident and that Equifax had called in expert incident response firm Mandiant, to investigate. Yet, it was not until a few weeks later on Sept. 7, that Equifax disclosed the massive data breach to the public.
With respect to the SEC data breach, the SEC itself may have opted for a similar path of delayed notification. Reports and SEC Chairman Clayton’s testimony before the Senate Banking Committee indicate that the SEC data breach was discovered in 2016, and the possible illegal trades were detected in August of 2017, but the SEC did not disclose any information about the incident until September 20th, 2017.
Senior executives at both the SEC and Equifax have angered their constituents with their arguably sluggish disclosure. Both entities probably focused too much upon what they were legally and contractually obligated to disclose, rather than taking a more holistic approach to the question.
Per the 2018 SEC Guidance, if Google learned of a cybersecurity incident or cyber-risk that was material to its investors, then Google was expected to make appropriate disclosures. The 2018 SEC Guidance even goes so far as to remind public companies to consider obligations under the stock listing requirements, such as Section 202.05 of the NYSE Listed Company Manual and NASDAQ Listing Rule 5250(b)(1). Additionally, when Google experienced a data security incident of any type, the 2018 SEC Guidance emphasizes the possible need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events.
When organizing the disclosure of data security incidents and overall cybersecurity risks, just like the 2011 SEC CF Guidance, the 2018 SEC Guidance explains that disclosure of data security incidents may be required in sections of public filings addressing Risk Factors, MD&A, Description of Business, Legal Proceedings and Financial Statement Disclosures.
No doubt, SEC enforcement staff will be pouring over these various sections of disclosure, looking for any possibly misleading information or material omission.
Question #8: Was There any Trading by Any Google Personnel Who Knew of the Data Security Incident?
While empirical data may suggest otherwise, some data security incidents can impact a company’s stock price – such as the actual stock price drops immediately following disclosure of the Equifax and Target breaches. In such situations, executives who learn of a data security incident, if it is material and nonpublic, could be violating insider trading laws if they engage in any trading of the company’s stock.
Along these lines, the 2018 SEC Guidance warned corporate insiders not to sell shares of a company when holding confidential knowledge about cyberattacks and breaches that could affect stock price. This is an area not covered by the 2011 SEC CF Guidance but made sense to include in the 2018 SEC Guidance.
Equifax once again probably triggered the SEC’s concerns and prompted inclusion of this principle in the 2018 SEC Guidance. The Equifax data breach also involved a stock sell-off by some of its executives before the disclosure of its experience of a cyber-attack and spurred an SEC insider trading investigation that resulted in at least one SEC enforcement action against an Equifax manager for unlawful insider trading. Intel CEO Brian Krzanich got hit with a similar backlash, too, for selling a large block of shares after learning of the Meltdown and Specter computer chip vulnerabilities, but before disclosing them to the public.
The SEC is obviously expecting that Google have thoughtful and well-documented consideration of data security incidents in the context of possible trading on material, nonpublic information – and carefully drafted, robust and precise policies, practices and procedures in place to demonstrate a rigorous culture of compliance.
SEC enforcement staff will likely explore whether the 2018 SEC Guidance prompted Google to review, with data security incidents in mind, their trade restriction policies, permissible trading windows, insider trading training curricula, codes of ethics, trade authorization procedures, trading training manuals and the like.
Question 9: Was Google Mindful of Regulation FD When Briefing Outsiders About its Data Security Incident?
Regulation FD (for “Fair Disclosure”), promulgated by the SEC under the Securities Exchange Act of 1934, as amended prohibits companies from selectively disclosing material nonpublic information to analysts, institutional investors, and others without concurrently making widespread public disclosure.
Regulation FD reflects the view that all investors should have equal access to a company’s material disclosures at the same time. Since its enactment in 2000, Regulation FD has fundamentally reshaped the ways in which public companies conduct their conference calls, group investor meetings, and so‐called “one‐on‐one” meetings with analysts and investors.
The SEC adopted Regulation FD to address the selective disclosure by issuers of material nonpublic information. In its adopting release, the SEC expressed concerns about reported instances of public companies disclosing important nonpublic information, such as advance warnings of earnings results, to securities analysts or selected institutional investors or both, before making full disclosure of the same information to the general public. Those privy to the information beforehand were able to profit or avoid a loss at the expense of everyone else.
The 2018 SEC Guidance emphasizes that companies subject to Regulation FD (like Google) should have policies and procedures to promote compliance with Regulation FD regarding cybersecurity risks and incidents.
In particular, these policies and procedures should work to ensure that Google did not make any selective disclosures about cybersecurity risks and incidents to Regulation FD-enumerated persons without the required broadly disseminated public disclosure. This can create unanticipated problems for any public company experiencing any form of data security incident, because Regulation FD can throw a wrench into an already challenging disclosure process.
For example, in the aftermath of a data security incident of any kind, in addition to any consumer notifications, a broad range of other important notifications may immediately arise, such as briefings to customers, partners, employees, vendors, affiliates, insurance carriers, and a range of other interested/impacted parties.
Given the broad swath of interested parties, SEC enforcement staff will be looking to make sure Google maintained careful and methodical communications practices to ensure that their disclosures were consistent, and not selective.
Question #10: Do Google’s Disclosures, or Lack Thereof, Amount to Criminal Behavior?
Perhaps the most important takeaway from the 2018 SEC Guidance is a notion not specifically stated in the four corners of the document, but rather found in an SEC enforcement action (and parallel DOJ criminal prosecution) filed on the very same day of the 2018 SEC Guidance’s release.
In the SEC enforcement action, captioned SEC v. Jon E. Montroll and Bitfunder, the SEC charged a former bitcoin-denominated platform and its operator with operating an unregistered securities exchange and defrauding users of that exchange. The SEC also charged the operator with making false and misleading statements in connection with an unregistered offering of securities.
Among other accusations, the SEC alleges that BitFunder and its founder Jon E. Montroll operated BitFunder as an unregistered online securities exchange and defrauded exchange users by misappropriating their bitcoins and failing to disclose a cyberattack on BitFunder’s system that resulted in the theft of more than 6,000 bitcoins.
The SEC actually alleges fraud because of the lack of disclosure of the data security incident to customers/account holders, effectively bypassing the issue of whether there is actually any statutory or regulatory disclosure obligation. In other words, by keeping the data security incident a secret, the exchange (which was unlawfully unregistered), committed a fraud upon its customers. The SEC Complaint states:
“Montroll failed to disclose the theft [which occurred by means of a cyber-attack] and the deficit to Ukyo Notes investors and potential investors. By failing to disclose these facts, Montroll misled investors and potential investors – who were led to believe they would profit, at least in part, from BitFunder’s operations – to reasonably believe that BitFunder was a secure and profitable business.”
Concealing a data security incident can not only prompt SEC enforcement actions but can also lead to being arrested and taken into custody. In a parallel criminal case, the U.S. Attorney’s Office for the Southern District of New York filed a complaint against Montroll for perjury and obstruction of justice during the SEC’s investigation. In other words, whether a public company or private company and whether a regulated entity or an unregulated one — keeping a data security incident secret can be the kind of act that triggers an indictment. The SDNY’s press release about their parallel case states:
“As alleged, Montroll committed a serious crime when he lied to the SEC during sworn testimony. In an attempt to cover up the results of a hack that exploited weaknesses in the programming code of his company, he allegedly went to great lengths to prove the balance of bitcoins available to BitFunder users in the WeExchange Wallet was sufficient to cover the money owed to investors. It’s said that honesty is always the best policy – this is yet another case in which this virtue holds true.”
Nothing in any of the few public reports of the Google+ incident indicates any clear-cut nefarious form of fraud or chicanery. However, the Wall Street Journal reports that Google failed to disclose the Google+ API defect for fear of regulatory and other ramifications, stating:
“The [internal Google] document shows Google officials felt that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar [Google’s CEO] will testify before Congress.”
Google executives should realize that SEC enforcement staff will be looking for any hint of deception in their handling of the Google+ API defect — and that SEC enforcement staff will gladly pass along any evidence of fraud to the Federal Bureau of Investigation and the U.S. Department of Justice.
Looking Ahead
In addition to Google’s shareholders, a data security incident can trigger a litany of legal notification/disclosure requirements, including notice to state regulators; federal regulators; GDPR Supervisory Authorities; vendors; partners; insurance carriers; customers; consumers; employees; and any other constituency who may have a vested interest in a victim-company.
Hence, it is not surprising that disclosure of cybersecurity incidents and cybersecurity risks has evolved into one of the most important program areas of SEC enforcement, mentioned in so many SEC speeches and panel discussions. Yet the SEC enforcement division has only filed one SEC enforcement action, against Altaba, formerly known as Yahoo!, alleging any sort of data security incident disclosure failure. This is probably because cybersecurity disclosures are usually made in good faith and lack the kind of obvious misconduct and fraud that the SEC typically prosecutes.
But that should provide Google with little solace. The SEC enforcement division is always looking to prosecute the “big fish” to reinforce a regulatory priority or decree — and Google could fit that bill, especially if the Wall Street Journal report about Google’s efforts at concealment turn out to be even slightly treacherous or outrageous.
As an aside, the Wall Street Journal report implies the existence of an active whistleblower at Google who provided inculpatory memoranda and other documents. The SEC loves whistleblowers; cultivates whistleblowers; seeks out whistleblowers — and financially rewards whistleblowers for their efforts, especially when a whistleblower is a company insider. Whoever was speaking to the Wall Street Journal regarding the Google+ API issue will probably be cooperating with the SEC soon enough.
For Google, perhaps the Google+ API defect was only a minor data mishap and an aberration, and its internal investigative team acted promptly, carefully, swiftly and in the best interest of Google shareholders to remediate the vulnerability. Only time will tell.
In the meantime, my advice is for Google to prepare itself for a vigorous and relentless SEC enforcement division investigation – and have its responses ready not just to the ten questions cited above, but also to the many other questions that the SEC will most certainly pile on.
And if it has not done so by now, Google should consider engaging an independent law firm and digital forensics firm to confirm the findings of Google’s Privacy & Data Protection Office and recommend future remedial actions. To me, injecting independence, transparency and sunlight into Google’s process not only seems like a no-brainer, but would also contribute to a far more thoughtful, conscientious and meritorious defense.
*John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He has taught most recently as Senior Lecturing Fellow at Duke University Law School Winter Sessions and will likely be teaching a cyber-law course at Duke Law in the Spring of 2019. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.”
The post Guest Post: Ten Questions the SEC Will Probably Be Asking Google appeared first on The D&O Diary.
Guest Post: Ten Questions the SEC Will Probably Be Asking Google published first on http://simonconsultancypage.tumblr.com/
0 notes
Text
Is Social Media Content Moderation An Impossible Task?
New Post has been published on https://britishdigitalmarketingnews.com/is-social-media-content-moderation-an-impossible-task/
Is Social Media Content Moderation An Impossible Task?
In the early freewheeling days of social media, companies gave little thought to content moderation, focusing all of their efforts on making it as easy as possible for anyone anywhere to post whatever they wanted, no matter how toxic. As the trolls settled in to their new home and hate and violent speech flowed, the ramifications of those decisions became clear and the companies faced increasing pressure from lawmakers to clean up their platforms. From the “free speech wing of the free speech party” that famously guaranteed the right of terrorists to use its tools to recruit and inspire violent attacks, Twitter has undergone a complete reversal of its views towards freedom of speech, with the new Twitter moving aggressively to censor and suspend voices. After years of arguing it simply cannot do more, the threat of new regulation has coincided with Facebook’s similarly aggressive new posture towards censorship. Yet, as the socials take on a newfound focus on global content moderation, is the very concept of enforcing a single set of content rules across the entire planet even an achievable goal?
The online world was created as a decentralized and completely ideologically neutral platform in which anyone anywhere could make anything available to the planet. Other than governmentally enforced court orders, there was no concept of “content moderation.” Even a court order demanding a given website remove a piece of content had limited impact, as that content could instantly reappear on another website in a different country. Indeed, Wikileak’s very existence is due to the borderless collective that is the web.
As the web grew beyond its early academic roots towards the commercialized online landscape we know today, so too did the need for new tools to make it frictionless to publish, consume and discover content. Requiring advanced HTML expertise and Unix server administration to create a website was replaced with one-click instant publishing. Server hosting costs in the hundreds or even thousands of dollars a month was replaced with unlimited free ad-supported hosting. Yet, the discoverability dimension still haunted the early web. In an online world without boundaries and populated with an almost uncountable number of websites, content was so fragmented that even search engines could do little as material was scattered across myriad independent virtual home fronts.
The social media era solved this final limitation by centralizing the web into a single website with a single interface and single set of rules enforced globally.
Initially these shared rules were enforced loosely, if at all. Social media was more preoccupied with encouraging content volume than ensuring the quality of that material. Automated bot content was something to be encouraged and supported as it greatly inflated the volume of content available to advertisers and users. A desire to centralize the remaining corners of the web under their banners led social platforms to offer APIs and partnership programs that enabled bulk export of their data without consideration of the inherent privacy impacts. All of this placed profit over privacy.
The immense shift that has confronted the online world over the past few years has upended this Libertarian worldview and fetishization of the American First Amendment’s absolute guarantee of freedom of speech. In its place, the social platforms are discovering and exercising their power as private companies and their exemptions from the protections afforded by the First Amendment. Unlike public institutions, social platforms are private entities that are under no legal requirement to grant anyone the right to speak or participate in their walled gardens. This affords them the unique ability to both inject themselves as intermediaries between citizens and their governments and decide which voices may be heard.
Even the media itself has come to question whether free speech is a good thing, with a frontpage CNN story asking “what happened to the argument of free speech? The idea that anyone can say anything they like, as long as it doesn’t cause harm to someone else, is unraveling in the age of online fake news, alternative facts, trolling and conspiracy theories.”
As social media platforms step into this void and embrace the concept of active moderation, they have increasingly transitioned from minimal community standards that focused only on the most egregious behavior and were only loosely enforced towards elaborate policies that are being aggressively, but selectively enforced.
In their rush to embrace content moderation and censorship, the social media companies have each developed centralized systems that entail a single set of rules enforced globally.
While we simply accept that this is what the web has become, it is important to recognize that this is not the only possible option.
The web’s decentralized structure permitted it to transparently adapt to the differing cultural sensitivities of the world, enabling a person in the US to document Tiananmen Square, even while Chinese citizens are blocked from discussing it. While this enables repressive regimes to constrain what is available to their citizens, it also reflects the basic fact that humankind is not uniform. The seven billion people inhabiting Planet Earth are an immensely diverse collection of nearly every conceivable culture, language, demographic, life experience, views and beliefs.
The things we find important and those we find offensive vary by who we are – there is no universal “truth.”
In contrast, Facebook, Twitter and their Silicon Valley brethren have determined to create a single set of rules to be enforced globally to all. Much as humorists discover that a joke one person finds hilarious another may find horrifically offensive, when it comes to determining acceptable speech, it is impossible to find a single set of common ground rules that will fit the needs and desires of every person on earth.
As I’ve written extensively over the years, the world constitutes a rich patchwork quilt of cultural standards of what constitutes acceptable speech in each corner of the world and each demographic and attempting to unify all of those into a single master set of speech rules is doomed from the start.
Publicly Facebook has portrayed these global rules as empowering all with the protections and guarantees of the Western world. That by creating a single set of rules for all countries on earth, the company is able to grant to all citizens across the globe the American ideals of free speech.
Yet, in reality, the company appears to be going in the opposite direction. The realities of being a global business and subject to the laws and whims of all the world’s countries means social platforms have instead embarked upon a race to the bottom, developing policies that are in effect an amalgamation of the restrictions of every country on earth. Instead of empowering all the world with Western ideals of freedom, they are repressing all under the restrictions of the most limited countries on earth.
In contrast to Sheryl Sandberg’s upbeat Congressional testimony last week that the company would never sacrifice its ideals to do business in a country, the company’s own Transparency Reports document in considerable detail just how willing the company is to cave to local demands to censor uncomfortable voices.
Indeed, two years ago when I asked the company whether it would commit on the record to never restrict the right of women around the world to freely express themselves on its platform even if such restrictions would benefit it economically, the company notably declined to do so. For a company that professes to place empowerment and democratic ideals over all else, its refusal to commit to the freedoms that underlie such ideals speaks far louder than its words.
In the end, the problem is that there simply is no universal set of standards of acceptable speech that would cover the incredible diversity that is our global human society. No single set of rules or conduct could possibly fit the needs of every person. Our backgrounds, experiences, views and beliefs are simply too different across the world and our definitions of right and wrong too varied. To a privileged Western cubicle dweller in Silicon Valley, it might seem relatively trivial to type out a few lines of code to bend the rest of the world to their ideal view of life, but as they have failed to learn again and again, real life isn’t the Matrix and society will always find a way to bend technology to its needs and when profit and privacy, business and idealism collide, the path to economic riches will always win out.
Source: https://www.forbes.com/sites/kalevleetaru/2018/09/08/is-social-media-content-moderation-an-impossible-task/
0 notes
Text
How To Create Strong Backlinks To My Site.
Slideshare utilizes cookies to enhance functionality and performance, and to offer you with appropriate advertising. What we didn't have were marketing resources to support the growth of our client base and to construct a strong online existence. I fall under both camps with a local company and a 'global' individual blog and they are completely different animals requiring entirely different systems and techniques and are also viewed by Google entirely differently. For detailed instructions on how easy this can be, have a look at video # 3 discovered here (under the Link Building section). If another website utilizes your image however doesn't source you as the owner or developer, check to see if you have a do follow link off of the image. As older methods end up being actively harmful or useless, and basic white hat strategies become all but indistinguishable from content marketing, the winning edge will go to online marketers who know ways to carry out innovative link structure techniques that tie their domain to the ideal sites. Logically structured cross-linking with other reliable domains can on the other hand be useful for the ranking. If it was published over a year ago the amount of traffic to the post has actually potentially slowed over time suggesting you may not in fact produce much traffic by having the link in the post, but you will have a backlink from a trustworthy source so that's the goal here, not necessarily producing recommendation traffic. This result in SEO's abusing anchor text ratios and developing all of their relate to the anchor text as the expression they wished to rank for. This is where you mention that you've just recently released a post that they might be interested in, and ask if they would mind including a link from among their high ranking pages. what are backlinks? There are lots of chances out there that won't cost you a cent. Qualité, Qualité, il faut aujourd' hui définitivement se tourner vers elle. That domain regitered for longer durations gets more rankings. Next, add your post title and content, then release. Is there any way to get rid of this waiting period and fast approval. Send them a testimonial and also the URL of your website if you have actually bought an ebook or utilizing a service. Nevertheless, websites have actually been punished for using them, and they likely will continue to be punished in greater numbers. This remark is rich, handy and well written, so readers can benefit not simply from the blog post, however from the remark, too. Bear in mind that you'll see far better SEO advantages with longform material, which is rarely offered when you purchase backlinks. Thank you for sharing such incredible information. While not offering an audio alternative isn't really precisely discrimination, it would be nice to start a pattern in making audio versions of your content readily available for those that require them. I've been writing post (inspired by your previous email) then thinking to myself ... 'Hey how are people going to even see this' and then BAM! You can go on almost any SEO forum and buy backlinks on public networks. That's why, if you wish to take advantage of your efforts, your no. 1 objective must be to deliver on your promises. If many sites link to the same web page or site, search engines can infer that content deserves linking to, and therefore likewise worth appearing on a SERP. All I 'd ask is that you 'd consider discussing it on your blog site or writing an evaluation. Search engines use links as a step of a website's importance and authority, however not all links are developed equivalent. Technical cookies that facilitate user navigation and use of the numerous alternatives or services used by the web as identify the session, enable access to specific locations, assist in orders, purchases, completing types, registration, security, facilitating functionalities (videos, social networks, and so on.). So it is desirable to have these kinds of backlinks, since ranking highly can increase your traffic, purchases, conversion rate, and so on. Some hacks cause your site to start spamming e-mails that you can't discover in your outbox, or include pages that sell and promote prescription drugs. From there, you can add a website link, if you feel it is helpful for the reader. When I've got something to contribute, I'm always ready to pop away. Not all SEO companies or freelancers utilize great techniques that are concurred by Google. They have actually assisted our business fix some of the concerns produced by previous SEO firms, both in terms of on-site optimization and off-site programs. For instance, Google recently distributed manual penalties to websites with abnormal outgoing link" profiles. During a year, you'll be able to discover an upwards pattern of development, even if it's hard to see at the time. The problem nevertheless is the regular monthly API quota in this case. It will assist you enhance your rankings and ought to be a part of any marketing technique. That's a very popular concern and one that does not have an accurate answer. You should begin by sending your primary posts, when you publish new ones (or a couple of days have passed), add some more. Et si d'autres méthodes étaient valables il y a 5 ans, elles ne le sont plus du tout en 2015 sous peine de pénalités parfois difficiles à relever. Providing remarks not just assists with receiving backlinks however can also help in search engine exposure. So, it is constantly a smart idea to talk about blogs which have a big traffic even though they do not provide any backlink. Over at IT Digital World, Tirtha Ohja tells a scary story about exactly what happened after he purchased backlinks. Upon going into the search phrase cdl licensing," the very first result reveals links from 502 referring domains. Whether it's your school, the news, the government, or a fellow blogger like Vishal, the focus should be on relationship. Step # 1: visit the website and input your competitor's blog site URL Let's see which of their posts got the most shares and comments (engagement). But, there are a ton of tools out their that give near equivalent indicators of a domain/page's authority, such as Moz Rank, Trust Flow and Ahref's URL rank. Undoubtedly if you own a home-delivery company, having links from adult sites can easily destroy your credibility. You provide a press reporter a customized action and they'll hook you up with a link. On persuading effective influencers to connect to your website by writing an article. I'm constantly surprised why many SEOs avoid specific niche appropriate blog site remarks.
0 notes
Text
youtube
Bitcoin Yes or No Should You Invest in Bitcoin?
Bitcoins bitcoin payment gateway php are a decentralized form of crypto forex. That means, they don't seem to be regulated by a financial institution or the government. As such, not like a traditional checking account, you do not need a protracted record a paperwork equivalent to an ID so as for you to establish what's often known as a bitcoin pockets. The bitcoin pockets is what you will use to access your bitcoins and to send bitcoins to other bitcoin payment gateway api php people.
How To Setup An Account
You'll be able to purchase a bitcoin wallet from a bitcoin dealer similar to Coinbase. When you open up a wallet through an authorized dealer, you are given a bitcoin handle which is a collection of numbers and letters, equally to an account number for a bank account and a non-public key which is a series of numbers and letters as effectively, which serve as your password.
How Does Bitcoin Work As An Nameless Cost Processor
You are able to do 3 issues with bitcoins, you can make a purchase, ship money anonymously to somebody or utilize it as an investment. More and more merchants have been accepting bitcoins as a form of fee. By using bitcoins as a substitute of cash, you're essentially making that purchase anonymously bitcoin payment gateway open source The identical factor goes for sending cash, based on the fact that you do not have to submit a mountain of fee in order so that you can set up a bitcoin anonymously, essentially you possibly can ship money to someone else anonymously.
How Does Bitcoin Work As An Funding
The price of a bitcoin fluctuates on occasion. Simply to place issues in perspective, back at first of 2013, the common worth of a bitcoin was roughly $four hundred per bitcoin, however by the end of 2013, the value for bitcoin rose to over $a thousand more information on wikipedia This meant that for those who had 2 bitcoins price $800 in the beginning of 2013 and also you stored it as an funding by the top of 2013 these two bitcoins would have been price over $2000 as an alternative of $800. Many people store bitcoins as a consequence of the fact that the value of it fluctuates.
Bitcoin Casino and Poker Websites
Because of the anonymity of bitcoin the playing industry has taken up bitcoin as a payment technique. Both bitcoin casinos and bitcoin poker sites are coming to life and offering their gamers to make deposits, play with bitcoin on the tables and withdraw directly to their bitcoin wallet bitcoin payment processor definition Which means there is not any taxes or prospects for presidency control. Much like a daily Nevada casino the place do you needn't register wherever and all of your transactions are anonymous.
How Do You Ship Bitcoin
In order so that you can pay for goods and companies or to send bitcoins to an individual, three issues are needed. Your bitcoin deal with, your non-public key and the individual's bitcoin tackle bitcoin payment gateway integration php From that time, by your bitcoin wallet, you'll put three items of information, that are: input, stability and output. Input refers to your tackle, steadiness refers back to the quantity of bitcoins you will send and output is the recipient's tackle.
Most frequently it is described as a non-government digital forex. Bitcoin is also generally called a cybercurrency or, in a nod to its encrypted origins, a cryptocurrency. These descriptions are accurate enough, but they miss the point. It's like describing the U.S. dollar as a green piece of paper with pictures on it.
I have my own ways of describing Bitcoin. I think of it as store credit with out the shop. A prepaid phone with out the cellphone. Precious steel without the metallic. Authorized tender for no money owed, public or personal, until the occasion to whom it's tendered needs to just accept it. An instrument backed by the total faith and credit only of its nameless creators, in whom I therefore place no religion, and to whom I give no credit aside from ingenuity.
I would not touch a bitcoin with a 10-foot USB cable. However a fair number bitcoin payment gateway php of folks already have, and fairly a couple of extra soon might.
That is partly as a result of entrepreneurs Cameron and Tyler Winklevoss, best known for his or her position in the origins of Facebook, at the moment are searching for to make use of their technological savvy, and money, to bring Bitcoin into the mainstream.
The Winklevosses hope to start out an trade-traded fund for bitcoins. An ETF would make Bitcoin more extensively available to traders who lack the technological know-how you can purchase the digital forex instantly. As of April, the Winklevosses are mentioned to have held round 1 p.c of all existent bitcoins.
Created in 2009 by an nameless cryptographer, Bitcoin operates on the premise that anything, even intangible bits of code, can have worth as long as sufficient folks determine to deal with it as valuable. Bitcoins exist only as digital representations and aren't pegged to any traditional currency.
According to the Bitcoin website, "Bitcoin is designed across the thought of a brand new form of cash that uses cryptography to control its creation and transactions, slightly than counting on central authorities." https://www.blockchainapi.org (1) New bitcoins are "mined" by users who clear up pc algorithms to find digital cash. Bitcoins' purported creators have stated that the last word provide of bitcoins will likely be capped at 21 million.
While Bitcoin promotes itself as "a very safe and cheap approach to handle funds," (2) in actuality few businesses BlockchainAPI have made the move to just accept bitcoins. Of those that have, a sizable number operate within the black market.
Bitcoins are traded anonymously over the Web, without any participation on the part of established monetary institutions. As of 2012, sales of drugs and different black-market items accounted for an estimated 20 percent of exchanges from bitcoins to U.S. dollars on the principle BlockchainAPI Social Profile Bitcoin exchange, referred to as Mt. Gox. The Drug Enforcement Agency just lately performed its first-ever Bitcoin seizure, after reportedly tying a transaction on the nameless Bitcoin-only market Silk Highway to the sale of prescription and illegal medicine.
Some Bitcoin users have additionally advised that the currency can function a means to avoid taxes. Which may be true, but only within the sense that bitcoins assist unlawful tax evasion, not within the sense that they actually serve any position in real tax planning. Under federal tax law, no money wants to vary arms to ensure that a taxable transaction to occur. Barter and different non-cash exchanges are still totally taxable. There isn't any cause that transactions involving bitcoins could be treated in another way.
Outside of the legal element, Bitcoin's most important devotees are speculators, who don't have any intention of utilizing bitcoins to purchase he said something. These buyers are convinced that the restricted provide of bitcoins will power their worth to follow a continual upward trajectory.
Bitcoin has indeed seen some important spikes in value. But it has also experienced major losses, including an eighty percent decline over 24 hours in April. In the beginning of this month, bitcoins had been right down to round $ninety, from a excessive of $266 earlier than the April crash. They had been trading close to $97 earlier this week, based on mtgox.com.
The Winklevosses would make Bitcoin investing easier by permitting smaller-scale traders to profit, or lose, as the case could also be, without the effort of really shopping for and storing the digital cash. Regardless of claims of safety, Bitcoin storage has proved problematic. In 2011, an assault on the Mt. Gox trade forced it to temporarily shut down and brought about the price of bitcoins to briefly fall to almost zero. Since Bitcoin transactions are all nameless, there's little likelihood of monitoring down the culprits when you all of a sudden find your digital pockets empty.
If the Winklevosses get regulatory approval, their ETF would assist defend buyers from the specter of particular person theft. The ETF, nevertheless, would do nothing to address the problem of volatility caused by massive-scale thefts elsewhere in the Bitcoin market.
While Bitcoin comes wrapped in a excessive-tech veneer, this newest of currencies has a surprising amount in widespread with one of the oldest currencies: gold. Bitcoin's personal vocabulary, significantly the term "mining," highlights this connection, and intentionally read more about us here so. The mining course of is designed to be difficult as a management on provide, mimicking the extraction of more standard resources from the ground. Removed from providing a sense of safety, nonetheless, this rhetoric must function a word of warning.
Gold is an funding of final resort. It has little intrinsic worth. It doesn't generate interest. However as a result best bitcoin payment processor of its supply is finite, it is seen as being extra stable than types of money that may be printed at will.
The problem with gold is that it would not do anything. Since gold coins have fallen out of use, a lot of the world's gold now sits in the vaults of central banks and different monetary establishments. Because of this, gold has little connection to the true economy. That may appear to be a superb thing when the actual economic system seems like a scary place to be. But as quickly as other enticing investment choices seem, gold loses its shine. That is what we have now seen with the latest declines in gold prices.
In their push to deliver Bitcoin to the mainstream, its promoters have accepted, and, in some instances sought out, elevated regulation. Last month Mt. Gox registered itself as a money companies enterprise with the Treasury Department's Monetary Crimes Enforcement Network. It has also increased customer verification measures. The changes came in response to a March directive from Financial Crimes Enforcement Community clarifying the application of its guidelines to virtual currencies. The Winklevosses' proposed ETF would convey a brand new degree of accountability.
In the long run, nevertheless, I expect that Bitcoin will fade back into the shadows of the black market. Those who want a regulated, safe forex that they can use for legitimate enterprise transactions will decide from one of many many currencies already sponsored by a nationwide authorities outfitted with ample assets, a real-world economic system and much more transparency and security than the Bitcoin world can offer.
Traders are at all times involved about 'Bitcoin''s volatility. You will need to know what makes the worth of this particular digital forex highly unstable. Similar to many different issues, the value of 'Bitcoin' additionally relies upon upon the principles of demand and provide. If the demand for 'Bitcoin' increases, then the price may even enhance. Quite the opposite side, the decrease in demand for the 'Bitcoin' will lead to decreased demand. In easy words, we are able to say that the price is determined by what amount the trading market is agreed to pay. If a lot of individuals want to purchase 'Bitcoin's, then the worth will rise. If more people wish to sell 'Bitcoin's, then the worth will come down.
It is value understanding that the value of 'Bitcoin' could be unstable if in comparison with more established commodities and currencies. This reality could be credited to its comparatively small market dimension, which means that a lesser sum of money can shift the price of 'Bitcoin' more prominently. This inconsistency will scale back naturally over the passage of time because the forex develops and the market dimension grows.
After being teased in late 2016, 'Bitcoin' touched a brand new report high degree within the first week of the present year. bitcoin payment gateway open source There might be a number of factors causing the 'Bitcoin' to be volatile. A few of these are mentioned right here.
The Bad Press Issue
'Bitcoin' customers are principally scared by different information occasions together with the statements by authorities officials and geopolitical events that 'Bitcoin' could be probably regulated. It means the speed of 'Bitcoin' adoption is troubled by damaging or bad press reports. Completely different bad information stories created fear in buyers and prohibited them from investing in this digital forex.
An instance of bad headline information is the eminent utilization of 'Bitcoin' in processing drug transactions by way of Silk Highway which got here to an end with the FBI stoppage of the market in October 2013. This kind of stories produced panic amongst folks and brought about the 'Bitcoin' BlockchainAPI transfer value to decrease greatly. On the other side, veterans in the buying and selling business saw such destructive incidents as an proof that the 'Bitcoin' business is maturing. So the 'Bitcoin' started to achieve its increased value quickly after the effect of unhealthy press vanished.
Fluctuations of the Perceived Worth
One other great motive for 'Bitcoin' worth to turn into volatile is the fluctuation of the 'Bitcoin''s perceived worth. Chances are you'll know that this digital currency has properties akin to gold. That is dominated useful content by a design choice by the makers of the core expertise to restrict its production to a static quantity, 21 million BTC. As a consequence of this issue, traders could allocate less or more property in into 'Bitcoin'.
News about Safety Breaches
Various information companies and digital media play an essential function in constructing a destructive or optimistic public idea. In case you see something being marketed Advantageously, you are prone to go for that without paying much consideration to unfavourable sides. There was information about 'Bitcoin' security breaches and it actually made the investors think twice earlier than investing their hard earned cash in 'Bitcoin' trading.
They turn into too vulnerable about selecting any particular 'Bitcoin' funding platform. 'Bitcoin' could turn into unstable when 'Bitcoin' group uncovers security susceptibilities in an effort to create an amazing open supply response in form of security fixes. Such security considerations give delivery to a number of open-supply software akin to Linux. Therefore, it is advisable that 'Bitcoin' builders should expose security vulnerabilities to most of the people in an effort to make sturdy options.
0 notes