Saturday, March 02, 2019

Could social media talk a country into war?
While Two Nuclear Powers Were On The Brink Of War, A Full-Blown Online Misinformation Battle Was Underway
India and Pakistan, both countries that possess over a hundred nuclear warheads each, came close to the brink of war this week. But even as fighter aircraft from both nations invaded each other’s air space, a full-blown misinformation war about the conflict raged on the internet.
“Misinformation has been used to start wars throughout history. It would be foolish to think that our time is the exception to the rule,” Aviv Ovadya, cofounder of the Thoughtful Technology Project, a San Francisco–based nonprofit dedicated to preventing harmful misinformation, told BuzzFeed News.
… India and Pakistan have fought wars previously and have been engaged in a decadeslong territorial dispute over the Kashmir Valley. But this conflict is the first one to take place since social media became ubiquitous.
Fact-checkers in India say that the deluge of misinformation around tensions between India and Pakistan that has flooded the internet is “unprecedented.” Also unusual was the fact that official handles run by the Pakistan army shared two videos (one was later deleted) of the Indian pilot captured on Pakistani soil. The deleted video showed the pilot injured and being escorted away from mobs by Pakistan’s army soon after his plane crashed — it was released before the Indian government confirmed that the pilot was now a prisoner of war, and is still being shared by right-wing Indian WhatsApp groups. The second video, which was shared by the Pakistan military’s official spokesperson soon after, had a palliative effect on revenge-thirsty Indian Twitter: After seeing the Indian pilot praising Pakistani officers for being “thorough gentlemen” and drinking their tea, people online slowly began to favor the hashtag #SayNoToWar, as opposed to #SayYesToWar, which had been trending before.

One definition of “vulnerable.”
America’s Cities Are Running on Software From the ’80s
The only place in San Francisco still pricing real estate like it’s the 1980s is the city assessor’s office. Its property tax system dates back to the dawn of the floppy disk. City employees appraising the market work with software that runs on a dead programming language and can’t be used with a mouse. Assessors are prone to make mistakes when using the vintage software because it can’t display all the basic information for a given property on one screen. The staffers have to open and exit several menus to input stuff as simple as addresses. To put it mildly, the setup “doesn’t reflect business needs now,” says the city’s assessor, Carmen Chu.

Privacy (in the abstract) is bipartisan, nothing else is.
James Strawbridge of Covington & Burling writes:
At a February 27, 2019 hearing on “Privacy Principles for a Federal Data Privacy Framework in the United States,” Republican and Democratic members of the Senate Commerce, Science, & Transportation Committee offered different perspectives on whether new federal privacy legislation should preempt state privacy laws.
Chairman Roger Wicker (R-MS), who described the hearing as a chance to “set the stage” for bipartisan legislation, stressed the importance of preemption, as did Sen. Marsha Blackburn (R-TN). Wicker noted that a national standard would provide greater certainty for consumers, and that a preemptive framework does not necessarily mean “weaker” protections than those included in state privacy laws. Ranking Member Maria Cantwell (D-WA), by contrast, said the focus on preemption (rather than new rights for consumers) was “disturbing,” and wondered if U.S. companies were trying to “shut down” the California Consumer Privacy Act (“CCPA”). Similarly, Sen. Richard Blumenthal (D-CT) warned that U.S. companies must convince Congress that they want “something more” than just preemption.
Despite their apparent differences on preemption, committee members broadly agreed that the “notice and choice” approach to privacy protections is insufficient.
Read more on InsidePrivacy.

For the tool kit.
Microsoft Excel will now let you snap a picture of a spreadsheet and import it
Microsoft is adding a very useful feature to its Excel mobile apps for iOS and Android. It allows Excel users to take a photo of a printed data table and convert it into a fully editable table in the app. This feature is rolling out initially in the Android Excel app, before making its way to iOS soon. Microsoft is using artificial intelligence to implement this feature, with image recognition so that Excel users don’t have to manually input hardcopy data. The feature will be available to Microsoft 365 users.

Friday, March 01, 2019

Noted for future (next year) US elections.
ENISA issues recommendations to protect EU Parliament elections against cyber-threats
… To combat foreign interference such as that witnessed in the US presidential elections in 2016, ENISA is providing guidelines to all election stakeholders.
… According to the document – Election Cybersecurity: Challenges and Opportunities – a democratic society needs a well-protected election lifecycle, from the maintenance of the electoral register and the public political campaigning process to the actual voting and the delivery of the results.

Is Digital Forensics Effectively Joining the Dots in Today’s Corporate Crime Scenes?
… Resolving complex corporate crimes requires tech-savvy sleuthing, and digital forensics does exactly that. It broadly covers identification, evaluation, examination, and peer review of computer or mobile device related artifacts. The coverage however continues to evolve with the emergence of AI (Artificial Intelligence) and IoT (Internet of Things) enabled platforms, high security mobile devices, and other overarching trends in the technology world.
The insights presented in the article are based on a recent research study on Digital Forensics Market by Future Market Insights.

A culture that is not too concerned with accuracy (facts) will repeat this failure every time.
Facebook admits 18% of Research spyware users were teens, not <5%
Facebook has changed its story after initially trying to downplay how it targeted teens with its Research program that a TechCrunch investigation revealed was paying them gift cards to monitor all their mobile app usage and browser traffic. “Less than 5 percent of the people who chose to participate in this market research program were teens” a Facebook spokesperson told TechCrunch and many other news outlets in a damage control effort 7 hours after we published our report on January 29th. At the time, Facebook claimed that it had removed its Research app from iOS. The next morning we learned that wasn’t true, as Apple had already forcibly blocked the Facebook Research app for violating its Enterprise Certificate program that is supposed to be reserved for companies distributing internal apps to employees.
… In the response from Facebook’s VP of US public policy Kevin Martin, the company admits that (emphasis ours) “At the time we ended the Facebook Research App on Apple’s iOS platform, less than 5 percent of the people sharing data with us through this program were teens. Analysis shows that number is about 18 percent when you look at the complete lifetime of the program, and also add people who had become inactive and uninstalled the app.”

Now that they have your attention…
Ireland's Data Protection Commission Reports Multiple GDPR Investigations on Tech Giants
Ireland's Data Protection Commission (DPC), headed by the Commissioner for Data Protection, Helen Dixon, has published its first annual report since the General Data Protection Regulation (GDPR) came into force in May 2018. It shows that Europeans are taking their new privacy rights very seriously. In the five months of 2018 pre-GDPR, the DPC received 1,249 privacy complaints. In the seven months post-GDPR, it received a further 2,864. The total of more than 4,000 complaints in 2018 is up from less than 1000 in 2015.
The section of the report (PDF) most relevant to Americans and American firms operating in Europe, however, is Section 7: Technology Multinationals Supervision.

Perhaps a good collection of bad examples?
Thailand passes internet security law decried as 'cyber martial law'
Thailand’s military-appointed parliament on Thursday passed a controversial cybersecurity law that gives sweeping powers to state cyber agencies, despite concerns from businesses and activists over judicial oversight and potential abuse of power.
The Cybersecurity Act, approved unanimously, is the latest in a wave of new laws in Asian countries that assert government control over the internet.
… The law allows the National Cybersecurity Committee (NCSC) to summon individuals for questioning and enter private property without court orders in case of actual or anticipated “serious cyber threats.”
An additional Cybersecurity Regulating Committee will have sweeping powers to access computer data and networks, make copies of information, and seize computers or any devices.
Court warrants are not required for those actions in “emergency cases,” and criminal penalties will be imposed for those who do not comply with orders.
… Legislators also unanimously passed the Personal Data Protection Act, intended to imitate the European Union’s General Data Protection Regulation (GDPR).

Update your toolkit.
Wireshark 3.0.0 Released
The Wireshark Foundation on Thursday announced the general availability of Wireshark 3.0.0, the newest release of the popular open-source packet analyzer.
The latest version fixes a handful of bugs and introduces roughly two dozen new features or significant updates to existing features.

Thursday, February 28, 2019

California is contagious?
Proposed Data Privacy Act for Washington State Could Be a Game-Changer
Inspired by the example of the European General Data Protection Regulation (GDPR), Washington State is now considering a comprehensive data privacy act that would protect the personal information of its citizens. If the new Washington Privacy Act (SB 5376) passes the state legislature this year, it would make Washington only the second state in America to adopt a comprehensive data privacy law.
… In fact, much of the language used within the Washington data privacy act is almost exactly the same as that found within the GDPR, especially when it comes to the definition of “personal data” and the notion of which protections should be offered to consumers as a fundamental basis of security and privacy.
With an emphasis on protecting personal information, the Washington data privacy act gives state residents several key rights, including the right to the deletion of data; the right to request any data errors to be corrected; the right to receive a personal copy of any personal data collected by a company in electronic format; and the right to withdraw consent from any personal data being processed.

FPF Comments on the Washington Privacy Act, SB 5376
Today, the Future of Privacy Forum submitted comments to the Washington State Senate Ways & Means Committee on the proposed Washington Privacy Act, Senate Bill 5376. FPF takes a “neutral” position regarding the Bill, and makes a few important points.

Should Alexa think like a doctor or like a lawyer?
Seen on Foley Hoag’s Security, Privacy, and the Law blog:
Partner Colin Zick and Associate Jeremy Meisinger presented to the Massachusetts Health Information Management Association on the legal issues presented by the continued development of voice technology in healthcare. Click here to download the slides.

Why not a simple Traffic Robot? Don’t tie down a human, drop off a sensor loaded automaton and we’re good until the lights come back on.
Waymo Car AI Obeys Traffic Cop Hand Signals
Self-driving cars need to cope with every situation a human driver can, and that includes faulty lights at a junction being replaced with a traffic cop giving hand signals to follow.

A most interesting article. Clausewitz is too old (1832), let’s use Sun Tzu (500BC?) instead.
Why we should stop teaching Clausewitz

Could prove useful.
BillTrack50 is available for everyone to research state and federal legislation and legislators – free
“BillTrack50 is a free service for citizens to look up information about federal and state bills and legislators. Register for a free account to start searching right away. We also provide tools appropriate for professionals to help track bills, and to help organizations share important information on their own website. To see how the free and paid services compare, see our comparison matrix.”

Wednesday, February 27, 2019

A war, by any other name, would smell as sweet.
US Cyber Command attacked Russian troll farm on Election Day 2018
The United States Cyber Command launched an offensive campaign to silence one of Russia’s most notorious troll operations on the day of the 2018 midterm elections, according to a new report by The Washington Post. The operation targeted the Internet Research Agency, a private company linked to the Kremlin and often used for disinformation campaigns.
The US operation seems to have taken the IRA entirely offline during Election Day, to the point that many employees complained to systems administrators that they were unable to access the internet, according to the Post’s sources.
… It’s one of the most aggressive publicly reported campaigns the cyber command has yet taken, and the legal status of such actions remains in flux. In theory, infrastructural attacks against agents of a foreign government could have significant diplomatic repercussions, and run the risk of being taken as an act of war. But in practice, these actions are rarely officially attributed and political blowback is typically minimal.

The official database of the Ministry of Silly Walks? Every ache and pain is reflected in my ‘silly walk.’
Chinese police test gait-recognition technology from AI startup
South China Morning News: “You can tell a lot of things from the way someone walks. Chinese artificial intelligence start-up Watrix says its software can identify a person from 50 metres away – even if they have covered their face or have their back to a camera – making it more than a match for Sherlock Holmes. Known as gait recognition, the technology works by analysing thousands of metrics about a person’s walk, from body contour to the angle of arm movement to whether a person has a toe-in or toe-out gait, to then build a database. “With facial recognition people need to look into a camera – cooperation is not needed for them to be recognised [by our technology],” said Huang Yongzhen, co-founder and chief executive of Watrix, in an interview in Beijing.
Features like this have given Watrix an edge in catching runaway criminals, who tend to avoid surveillance, said Huang. Police on the streets of Beijing, Shanghai and Chongqing, have already run trials of gait recognition technology, said Huang, and the company officially launched its 2.0 version last week, which supports analysis of real-time camera feeds at a mega-city level. “We are currently working with police on criminal investigations, such as tracking suspects from a robbery scene,” said Huang, who was dressed all in black for the interview in his company office. “Currently, China has about 300,000 wanted criminals on the loose and counting. [Our software’s] database includes those with a prior gait record…”

Self-driving fighters.
Avalon 2019: Boeing to partner with Australia on development of multimission unmanned aircraft system
Boeing and Australia's Department of Defence (DoD) are to partner in developing a concept demonstrator for a large unmanned aircraft system (UAS) that will support and protect air combat missions.
… Dr Shane Arnott, director of Boeing's Phantom Works International, said system development had been under way for some time, but declined to say for how long.
The first flight will take place in Australia and is scheduled for 2020. The model unveiled at Avalon was representative of the intended flight vehicle, he said.
Although the platform would be powered by a single light commercial jet engine to save costs, "it will need to take off from the same runways and run the same speeds" as the aircraft with which it was teamed.
The system is not remotely piloted but will be semi-autonomous and controlled from both the ground and the air, he explained. "The intention is the teaming system will be an extension of the air power assets that it will be supporting," Arnott explained.

I have concerns.
Is war coming to South Asia?
… On February 26, the Indian military launched what it said were retaliatory air raids which allegedly destroyed a "terrorist" training camp in Pakistan's Khyber Pakhtunkhwa province. Pakistan for its part also responded with air raids across the line of control (LoC) which separates Indian- from Pakistan-administered Kashmir and claims to have downed two Indian fighter jets.
Military standoffs or escalations between India and Pakistan are not new, nor is the use of military means to settle scores. However, what sets this round of escalation apart is that this is the first time since the 1971 Indo-Pakistani war that the two countries attack targets deep within each other's territories.

Tuesday, February 26, 2019

Everybody’s doing it. Not just evil hackers.
Huawei Frightens Europe's Data Protectors. America Does, Too
A foreign power with possible unbridled access to Europe’s data is causing alarm in the region. No, it’s not China. It’s the U.S.
As the U.S. pushes ahead with the “Cloud Act” it enacted about a year ago, Europe is scrambling to curb its reach. Under the act, all U.S. cloud service providers from Microsoft and IBM to Amazon – when ordered – have to provide American authorities data stored on their servers regardless of where it’s housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the U.S. the right to access information on large swaths of the region’s people and companies.
… The Cloud Act (or the “Clarifying Lawful Overseas Use of Data Act”) addresses an issue that came up when Microsoft in 2013 refused to provide the FBI access to a server in Ireland in a drug-trafficking investigation, saying it couldn’t be compelled to produce data stored outside the U.S.
The act’s extraterritoriality spooks the European Union – an issue that’s become more acute as trans-Atlantic relations fray and the bloc sees the U.S. under Trump as an increasingly unreliable ally.

For my Computer Security students.
Practitioner’s Guide for Assessing the Maturity of IoT System Security
The Industrial Internet Consortium® (IIC™), now incorporating OpenFog, announces the Security Maturity Model (SMM) Practitioner’s Guide, which provides detailed actionable guidance enabling IoT stakeholders to assess and manage the security maturity of IoT systems.

European Telecommunications Standards Institute Publishes New IoT Security Standard
On February 19, the European Telecommunications Standards Institute (ETSI) published the ETSI TS 103 645 V1.1.1 – or more simply, a high-level outcome-focused standard (PDF) for cybersecurity in the consumer-oriented Internet of Things (IoT).
The cybersecurity provisions are provided in section 4 of the standard. There are thirteen in total, some being simple statements and others comprising multiple subsections. For example, the total of provision 4.1 requires little more than its heading: "No universal default passwords."

Too useful to stop, so we’d best figure out how to do it correctly.
Jeffrey C. Skinner and Craig A. Newman of Patterson Belknap write:
The use of biometric technology is fast becoming the next big thing in privacy litigation. There was last month’s decision by the Illinois Supreme Court that upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without first disclosing how such information will be used. See our blog on that ruling here.
And now, the debate surrounding the use and collection of biometric data has expanded beyond challenging the biometric collection practices in the private sector, to challenging the practices of state and local governments including law enforcement.
In Center for Genetics and Society v. Becerra, a lawsuit filed late last year in California state court, two nonprofit organizations and an individual sued the state of California, challenging its DNA Fingerprint, Unsolved Crime and Innocence Protection Act (the “DNA Act”). The DNA Act authorizes the retention of DNA samples collected from people arrested on suspicion of a felony.
Read more on Data Security Law Blog.

What would a few thousand carefully worded discovery requests do to a small firm?
Californians could sue companies over privacy violations
State officials proposed a new amendment to the California Consumer Privacy Act (CCPA) on Monday that would allow consumers to sue companies that violate the new law. Currently, consumers can only file a lawsuit if they're victims of a data breach and only when the state's department of justice has decided not to sue on consumers' behalf.
… James P. Steyer, CEO of Common Sense, a non-profit organization that promotes safe technology use, said the amendment will take some of the burden of enforcing and monitoring violations off the attorney general's plate.
"Companies with endless resources will do everything they can to make it difficult for the AG," Steyer said in a statement. "By allowing consumers their own right to take action to hold bad actors accountable for violating their privacy, this law adds needed enforcement teeth to CCPA and Common Sense is firmly in support."
The amendment would also remove the current waiting period that gives businesses 30 days to attempt to remedy a violation and retract any exposed data from public view to avoid penalties.
… This new amendment follows legislation proposed on Thursday that would require companies to notify California residents when their passport, passport card or green card numbers are compromised in data breaches. It would also require customers be notified of compromised biometric information such as fingerprints.

(Related) Some topics that need discussion?
You’re Invited to an In-Person Event: CCPAnow: Understanding the Challenge Ahead And What You Should Be Doing Now
A few key topics that will be addressed are:
  • How should you interpret key definitions like “personal information,” “sale,” “third party,” and “business” when operationalizing the CCPA?
  • How far does a business have to go to implement a consumer’s opt-out of sales to third parties?
  • How will the financial incentives and anti-discrimination provisions actually work when consumers exercise their rights?
  • What is happening in the California Office of the Attorney General’s rulemaking process once the March 8th deadline for written comments has passed?

How important is your privacy?
Axios: “…A full 81% of consumers say that in the past year they’ve become more concerned with how companies are using their data, and 87% say they’ve come to believe companies that manage personal data should be more regulated, according to a survey out Monday by IBM’s Institute for Business Value. Yes, but: They aren’t totally convinced they should care about how their data is being used, and many aren’t taking meaningful action after privacy breaches, according to the survey. Despite increasing data risks, 71% say it’s worth sacrificing privacy given the benefits of technology…”

Lawyers recommending surveillance?
Joe Cadillic writes:
Arizona State University (ASU) which spent $307 million to renovate Sun Devil Stadium has learned a lot about Smart City surveillance.
ASU used facial recognition to spy on alumni, students, faculty and families. And now they want to share what they learned by bringing it to a stadium or city near you.
An article in the Tech Republic revealed that Sun Devil Stadium and Croke Park in Ireland used facial recognition cameras to spy on fans.
Read more on MassPrivateI.

My students would never make such an assumption!

Monday, February 25, 2019

With great power comes great responsibility. I didn’t think we were quite there yet.
Federal judge finds male-only military draft unconstitutional
… Miller, who was appointed to the court by President George W. Bush in 2006, noted that the Supreme Court upheld excluding women from the draft in 1981 because women were excluded from combat duty. Because that prohibition was lifted in 2015, he wrote, excluding them from registering for the draft made no constitutional sense.

...and a few Oscar winners?
Thoughtful Entertainment Streaming now for free with your library card
kanopy – Over 30,000 films entirely free with a library card from participating libraries – “The films that truly resonate with us do more than just entertain. They inspire us, enrich us, and challenge our perspectives. Kanopy ensures that these films reach viewers around the world. We stream thoughtful entertainment to your preferred device with no fees and no commercials by partnering with public libraries and universities. Everyone from film scholars to casual viewers will discover remarkable and enriching films on Kanopy. Log in with your library membership and enjoy our diverse catalog with new titles added every month…”

Sunday, February 24, 2019

The long, long, long view
Google’s Hope and Dreams In India
… In 2011, Reliance, whose core business was oil and infrastructure, decided to build a vast broadband network, a business in which it had no experience but plenty of rivals. It had acquired a telecom company that owned mobile spectrum licenses, and it muscled in on its competitors. Barely 28 million Indians then owned smartphones. Reliance aimed to blanket India with broadband coverage, which was available only in big cities. After decades building pipelines and refineries, Reliance erected 220,000 mobile towers across India, often building more than 700 in a single day. In all, the project cost more than $30 billion.
In September 2016 it launched the Reliance Jio telecom network, offering people free mobile data for the first six months. Indians stampeded to grab the offer. Reliance Jio signed 100 million subscribers within six months and 250 million by its second anniversary last September. Its cheap plans set off a price war and drove down India’s data prices, from about $4.50 a gigabyte in 2016 to a rock-bottom 15¢ now, cutting deeply into competitors’ profits. For Reliance the pricing proved a masterstroke, establishing itself as a key phone and Internet service provider. Reliance Jio now sells $20 phones, and it is rolling out connected devices for cars, TV monitors, and home appliances.
For Google, the disruption is a potential gold mine. Together, Reliance Jio’s network and Prime Minister Modi’s policies have cracked open markets that until now have been out of reach, or too small to be worth the investment. In 2017, shortly after Jio’s launch, Google created its first-ever digital payments app, Tez, seizing on the millions of Indians who were suddenly making digital payments. Last year, it renamed the app Google Pay. It now has about 40 million monthly active users in India, and is available in 29 countries, including the U.S., with about $60 billion in transactions in 2018, according to Google.

My students will need to understand how this works.
A guide to protecting AI and machine learning inventions
… The European Patent Office has recently amended its ‘Guidelines for Examination’ by including a new section containing advice about how patents related to AI and machine learning technologies should be assessed. The guidance clarifies that whilst algorithms are regarded as ‘computational’ and abstract in nature, which means they are not patentable per se, once applied to a technical problem they may become eligible for patent protection. Beneficially, the approach outlined in the guidance is similar to that currently used to assess the patentability of computer-implemented inventions.
To clarify, one of the keys to patentability lies in an invention’s ‘technical effect’. If an AI or machine learning invention is shown to have an effect in a real-world application, it is likely to be deemed patentable under the European Patent Convention