Friday, August 09, 2019


“Hey! It’s the law!” I can see we need to discuss procedure…
Black Hat: GDPR privacy law exploited to reveal personal data
About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.
The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.
In each case, he asked for all the data that they held on his fiancee.
In one case, the response included the results of a criminal activity check.
Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.
… "Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.
"Small companies tended to ignore me.
… Mr Pavur has, however, named some of the companies that he said had performed well.
He said they included:
  • the supermarket Tesco, which had demanded a photo ID
  • the domestic retail chain Bed Bath and Beyond, which had insisted on a telephone interview
  • American Airlines, which had spotted that he had uploaded a blank image to the passport field of its online form
An accompanying letter said that under GDPR, the recipient had one month to respond.
It added that he could provide additional identity documents via a "secure online portal" if required. This was a deliberate deception since he believed many businesses lacked such a facility and would not have time to create one.
The idea, he said, was to replicate the kind of attack that could be carried out by someone starting with just the details found on a basic LinkedIn page or other online public profile.


(Related) Or, you could buy a canned procedure. There is probably a lot of money waiting for anyone who can make all this privacy stuff work.
Securiti.ai Raises $31 Million Series A To Help Companies Comply With California Consumer Privacy Act
As companies scramble to meet the data transparency requirements mandated by the California Consumer Privacy Act (CCPA) or face hefty fines, a San Jose-based company has put forth a solution that’s at the intersection of security and regulatory operations. Newly launched Securiti.ai
Under CCPA, consumers can request all personal information stored by a company, have their data deleted, learn how their information was used and opt-out of having their information shared with third parties. The law, which goes into effect on January 1, 2020, applies to California-based companies and those that serve California consumers.
Manually complying with an influx of consumer requests can be impractical if not impossible, and that’s if companies know all the places their consumer’s data lives. That’s where Securiti.ai comes in, Jalil says.
“The first thing we had to crack was to not only discover the data that belongs to a particular consumer but find the owner of the data,” Jalil says. Securiti.ai’s platform uses an artificial intelligence-enabled chatbot to retrieve consumer data.
… “CCPA in California is the very first regulation, but there are 15 others coming in North America alone and there are 30-plus globally,” Jalil said. “Privacy ops will allow companies to comply with one assessment.”


(Related)
German court decides on the scope of GDPR right of access
In a previous post, this blog reported on German guidance on the scope of the right of access under Art. 15 of the GDPR and in particular on the right to receive a copy. The Supervisory Authority of Hesse region stated that the term “copy” in Art 15 GDPR should not be understood literally but rather in the sense of a “summary”.
This somewhat relaxed interpretation appears to conflict with an earlier decision of the Labor Appeals Court of Stuttgart which ordered an employer to provide actual copies of all information held by the company regarding an employee’s performance and behavior to that employee.
More recently, the Appeal Court of Cologne held that the customer of an insurance company is entitled to access all personal data pertaining to him and processed by the company, including any internal notes regarding conversations between company employees and the customer. The company argued that it was impracticable to compile the information due to the large amounts of customer information processed by it. The court was unimpressed, stating that the company was compelled to adapt its IT systems to the requirements of the GDPR.
These first court decisions on Art. 15 of the GDPR confirm that the right of access is becoming a powerful tool in litigation. Germany’s code of civil procedure does not provide for a general right to discovery. The right of access could make up for this and significantly affect outcomes in civil and labor law cases.




Should we trust vendor promises?
Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials
The top voting machine company in the country insists that its election systems are never connected to the internet. But researchers found 35 of the systems have been connected to the internet for months and possibly years, including in some swing states.
… “We ... discovered that at least some jurisdictions were not aware that their systems were online,” said Kevin Skoglund, an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics with expertise in election security.




My AI says she can do it in three years.
A 20-Year Community Roadmap for AI Research in the US is Released
The Computing Community Consortium (CCC) is pleased to release the completed Artificial Intelligence (AI) Roadmap, titled A 20-Year Community Roadmap for AI Research in the US – An HTML version is available here. This roadmap is the result of a year-long effort by the CCC and over 100 members of the research community, led by Yolanda Gil (University of Southern California and President of AAAI) and Bart Selman (Cornell University and President Elect of AAAI). Comments on a draft report of this roadmap were requested in May 2019. Thank you to everyone in the community who participated in workshops, helped write the report, submitted comments, and edited drafts. Your input and expertise helped make this roadmap extremely comprehensive. From the Roadmap – Major Findings:
I – Enabled by strong algorithmic foundations and propelled by the data and computational resources that have become available over the past decade, AI is poised to have profound positive impacts on society and the economy.
II – To realize the potential benefits of AI advances will require audacious AI research, along with new strategies, research models, and types of organizations for catalyzing and supporting it.
III – The needs and roles of academia and industry, and their interactions, have critically important implications for the future of AI.
IV – Talent and workforce issues are undergoing a sea change in AI, raising significant challenges for developing the talent pool and for ensuring adequate diversity in it.
V – The rapid deployment of AI-enabled systems is raising serious questions and societal challenges encompassing a broad range of capabilities and issues.
VI – Significant strategic investments in AI by the United States will catalyze major scientific, technological, societal, and economic progress…”




For a discussion of Big Data and analysis. If Zillow notes an undervalued house in an area where prices are rising, why not jump on it?
Zillow Is Buying And Selling Lots Of Homes And It’s Almost Half Its Business Now
BuzzFeedNews – Zillow made more than 40% of its revenue last quarter from selling homes: “Zillow, the real estate search and advertising platform, has gotten into the house-flipping business in a big way. That means the company earned about 41.5% of its revenue from selling homes in the three months ending June 30, according to its most recent earnings report. Zillow made $599.6 million in revenue last quarter, $248.9 million of which came from its Homes segment, which refers to the “buying and selling of homes directly through the Zillow Offers service,” which it kicked off in 2018. Zillow is now buying thousands of properties, investing in minor repairs, and then selling them — essentially flipping houses — in 15 markets around the country, with plans to be in 26 markets by mid-2020. It collects a fee from the seller with each of these transactions. The company sold 786 homes and bought 1,535 homes from April to June…”




Reminding my students that “big” does not equal “profitable.”
Uber lost over $5 billion in one quarter, but don’t worry, it gets worse
The ride-hailing giant reported losing a whopping $5.2 billion in the last three months.
Lyft, which reported its earnings Wednesday, fared better but still posted a loss of $644 million during the quarter.




For my geeks…
IBM Research launches explainable AI toolkit
IBM Research today introduced AI Explainability 360, an open source collection of state-of-the-art algorithms that use a range of techniques to explain AI model decision-making.
The launch follows IBM’s release a year ago of AI Fairness 360 for the detection and mitigation of bias in AI models.


