Saturday, April 27, 2019

The rest of the world seems to be going in the opposite direction.
Those who want to see HHS/OCR come down like a ton of bricks on more entities and impose heavier civil monetary penalties for HIPAA breaches will likely not be happy to learn that HHS has decided to reduce the maximum civil penalties it will impose for the four tiers of violations of HIPAA.
[Tables omitted. Bob]
HHS’s notification, which will be published in the Federal Register on April 30, explains their reasoning and justification for exercising their discretion in this way. I’ve reproduced the notification, below.

I think we’ve found a title for the Fall Privacy Foundation seminar… What are humans for? Register to listen to the podcast.
As AI advances, what are humans for?
The wary relationship between humans and technology is also at the heart of Mr McEwan’s new novel, “Machines like Me” (reviewed by The Economist here).
In an interview with “The Economist Asks” podcast, he reflects on the moral quandaries of differentiating between synthetic and biological humans and his own on-off relationship with technology.

A good summary.
Here’s how Internet of Things malware is undermining privacy
There are several aspects to the problem. One is that devices with microphones and cameras may be monitoring what people say and do directly. Sometimes users may not even be aware that there is a microphone present, as happened with Google’s Nest. Another is the leakage of sensitive information from the data streams of IoT devices. Finally, there is the problem summed up by what is called by some “Hyppönen’s law”: “Whenever an appliance is described as being ‘smart’, it’s vulnerable”.
Existing legislation may provide a more effective way of tackling IoT’s threat to privacy. As readers of this blog know, the EU’s GDPR law is proving to be a powerful weapon for defending personal data and tackling abuses. It may be that the GDPR can be used to curb some of the worst problems of IoT systems, at least in Europe.

Kinda like a Berlin wall, but an e-wall.
The Quick Read About… Russia’s New Internet Law
This law will regulate how internet traffic moves through critical infrastructure for the internet. By November internet service providers will have to adopt new routing and filtering technology and grant regulators the authority to directly monitor and censor content it deems objectionable. But the real groundbreaker is the intent to create a national domain name system (DNS) by 2021, probably as a back-up to the existing global system that translates domain names into numerical addresses. If Russia builds a workable version and switches it on, traffic would not enter or leave Russia’s borders. In effect, it means turning on a standalone Russian internet, disconnected from the rest of the world.
Read this excellent piece by GZERO Media’s Alex Kliment on the pros and cons of shutting down the internet in times of emergency. Folks in the Kremlin should read it, too.

(Related) On the other hand…
Telecom giants battle bill which bans Internet service throttling for firefighters in emergencies
Internet service providers (ISPs) and telecom firms are fighting a bill which would force them to provide unfettered broadband services and prevent them from throttling data use in emergency situations.
… As reported by StateScoop, the bill – introduced in February – aims to prevent a repeat of what happened in summer 2018 during the Mendocino Complex Fire, one of the largest wildfires recorded in California's history.
During the blaze, which erupted in July, two combined fires burned a combined 459,123 acres, destroyed 280 structures, and resulted in the death of one firefighter, as reported by the Sacramento Bee.
As firefighters from the Santa Clara County Central Fire Protection District fought to contain the fires, they found their Internet service drastically reduced, having been throttled in what Verizon Wireless later called a "customer support mistake."
… Verizon said at the time that the company has an internal policy to remove "data speed restrictions when contacted in emergency situations," but this did not happen during the wildfires.
To lift the throttling, instead, Verizon told the department to upgrade to a more expensive plan.

Spoiler alert: We don’t know.
How to prepare for a career in machine learning and artificial intelligence
I heard an interesting stat recently: Approximately 70% of deep learning or AI practitioners today are still in school. Because this is an emerging technology, and it's pulling in people from all sorts of disciplines, we don't really have a great precedent for it yet.
Truth is, a majority of good practitioners in the space today are either self-taught, or they're coming from a different domain entirely (i.e. not just computer science or programming). A solid background in statistics and traditional mathematics is always helpful — experience in a research area is also a big plus.

Dilbert talks directly to my Architecture class.

Friday, April 26, 2019

Surveilling ‘domestic terrorists’ who never cross the border?
CBP’s New Social Media Surveillance: A Threat to Free Speech and Privacy
U.S. Customs and Border Protection (CBP) released a required Privacy Impact Assessment (PIA) on March 27 for the social media monitoring it carries out as part of its new Situational Awareness Initiative. The release of the assessment may have come in response to a March 6 report from NBC7 in San Diego revealing that the U.S. government created a surveillance target list of “Suspected Organizers, Coordinators, Instigators and Media.” The list featured journalists, activists, social media influencers, and lawyers working on immigration issues, and was the subject of a recent article for Just Security on the immense growth in the Department of Homeland Security’s (DHS’s) intelligence gathering programs.

Looks like the 2020 election will be interesting.
Study identifies 80% of journalists falling for false online info
Poynter – “In a new study conducted by the Institute for the Future, a California-based nonprofit think tank, researchers found more than 80% of journalists admitted to falling for false information online. The data was based on a survey of 1,018 journalists at regional and national publications in the United States. Perhaps more concerning: Only 14.9% of journalists surveyed said they had been trained on how to best report on misinformation…”

Privacy laws move at different rates.
South Africa Data Protection Regulations Expected to Take Effect in 2019
Although South Africa’s first comprehensive piece of data protection legislation, the Protection of Personal Information Act (POPIA), was originally signed into law in November 2013, the substantive provisions of the law have not yet taken legal effect. That is likely to change since South Africa’s data protection authority, the Information Regulator, published the final draft of its POPIA regulations in December 2018.

Will US laws conflict with HIPAA?
EDPB’s Position on Clinical Trials Creates Friction with Other EU Legislation
Clinical trials in the EU include the collection of sensitive health data from patients. Trial sponsors are obliged to reconcile their respect of regulations governing data protection with regulations governing the conduct of clinical trials. The GDPR¹ could not fully harmonize these rules since this area is already heavily regulated by public health regulations that vary between EU Member States. One of the most disconcerting areas of divergence between EU Member States is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials.

We need a catchier name.
MIT finally gives a name to the sum of all AI fears
Now we know what to call it, that vast, disturbing collection of worries about artificial intelligence and the myriad of threats we imagine, from machine bias to lost jobs to Terminator-like robots: "Machine behaviour."
That's the term that researchers at the Massachusetts Institute of Technology's Media Lab have proposed for a new kind of interdisciplinary field of study to figure out how AI evolves, and what it means for humans. (They use the British spelling, as this is a European journal.)
… Commentators and scholars, they write, "are raising the alarm about the broad, unintended consequences of AI agents that can exhibit behaviours and produce downstream societal effects – both positive and negative – that are unanticipated by their creators." There is "a fear of the potential loss of human oversight over intelligent machines," and the development of "autonomous weapons" means that "machines could determine who lives and who dies in armed conflicts."

(Related) In this case, the ‘elite and powerful’ company is McDonalds. (and the AI is reduced to: Would you like fries with that?)
How artificial intelligence will serve the elite and powerful — and leave working people behind

I would be shocked to find that AI was not being used frequently today. In three years it will probably be testifying about its findings.
Artificial Intelligence Will Change E-Discovery in the Next Three Years
Law Technology Today: “…According to Andrew Ng, Co-Founder of Coursera and Adjunct Professor of Computer Science at Stanford University, artificial intelligence (AI) is the new electricity. [Shocking! Bob] “Just as electricity transformed almost everything 100 years ago,” he explains, “today I actually have a hard time thinking of an industry that I don’t think AI will transform in the next several years.” Ng is not alone. Consumers’ lives, tastes, and habits have been profoundly altered by artificial intelligence, with companies like Amazon, Google, Netflix, Spotify, and Uber (to name a few) disrupting well-established industries. Legal technology including e-discovery (and software as a service in general) will not be spared. No less an authority than Gartner estimates that 80% of emerging technologies will be built on a foundation of artificial intelligence by 2021… AI facilitates e-discovery by playing a number of roles in the process: curator, advisor, and orchestrator. Both curator and advisor roles are familiar to e-discovery professionals. AI can recommend documents for deeper review (much like Netflix recommends a new movie or TV show), or it can advise a project manager on scoping custodian lists or collection criteria (as it can suggest a response to a text message or email). But newer AIs can also function as an orchestrator of the entire e-discovery process, learning from past actions and results, and coordinating tasks across multiple channels…”

I’m not sure how this would work. But then I’m not a techno-lawyer...
Chinese Internet Court Employs AI and Blockchain to Render Judgement
Speaking at the 2019 Forum on China Intellectual Property Protection, Zhang Wen, president of the Beijing Internet Court — which was established in September 2018, and has since processed 14,904 cases — reportedly said that the court employs technologies such as artificial intelligence (AI) and blockchain to render judgement.
Zhang reportedly told the Global Times that “of the 41 cases concluded [with blockchain technology] so far, parties chose to settle out of court rather than litigate in 40 cases with compelling evidence from blockchain. This fosters social credibility development in the country.” He also noted that the court had deployed blockchain in 58 cases to collect and provide evidence. Zhang said:
"In the current use of AI as an assistant to make rulings, efficiency is prioritized over accuracy. A human judge is ultimately responsible for the fair ruling. [...] But we are heading toward a future when we can see an AI judge sitting at the podium."
In September of last year, China’s Supreme Court ruled that evidence authenticated with blockchain technology is binding in legal disputes. The Supreme Court declared that "Internet courts shall recognize digital data that are submitted as evidence if relevant parties collected and stored these data via blockchain with digital signatures, reliable timestamps and hash value verification or via a digital deposition platform, and can prove the authenticity of such technology used."

Perspective. A child without a smartphone is deprived? Abused?
California approves free phones, internet for foster youth
… The California Public Utilities Commission passed the $22 million pilot program that will provide smartphones to more than 30,000 current and former foster youth between 13 and 26. The phones come with an unlimited calling plan, wireless service and mobile hotspot.
… In addition to the cellphones and internet access, the program will partner with the state's 50 county welfare departments for digital literacy training. The classes will teach online safety, effective social media use and how to present professionally for potential employment, Cox said.

Perspective. Another device I’m out of touch for not owning?
AirPods Are the New Cubicles
… The arrival of these now-ubiquitous devices has ushered in a new era of office etiquette—and created a whole new set of problems.
Beyond their tethered forebears, Bluetooth wireless headphones are convenient because they allow workers to forget they’re wearing a device and leave their desks without yanking their laptops onto the floor. In open offices, people commonly wander around with their headphones on all day, into bathrooms and kitchens, sometimes listening to nothing at all in order to avoid the constant distraction of compulsory social interaction.

Perspective. Imagine the logistical challenge.
Amazon says it’s working on free one-day Prime shipping

Thursday, April 25, 2019

An email is worth $3,700,000! It is if no one confirms its authenticity.
WKYT reports:
Scott County Schools has announced the district is a victim of a multi-million dollar online scam.
The FBI is now investigating after Superintendent Dr. Kevin Hub said an undisclosed vendor told the district it never was paid for an invoice from two weeks ago. As the district investigated, it learned it fell victim to a fraudulent email disguised as the vendor.
Read more on WKYT.

I’m sure they can get it right, just give them a decade or two.
CCPA Amendments Advance through California Assembly
A number of legislative proposals seeking to amend the California Consumer Privacy Act (CCPA) are moving forward following an April 23 hearing before the California Assembly’s Committee on Privacy and Consumer Protection in which the bills were approved.

Does $3 Billion get your attention?
Facebook’s privacy woes have a price tag: $3 billion or more
The social network said Wednesday it's set aside $3 billion to cover possible expenses for a possible fine related to an ongoing investigation by the US Federal Trade Commission. The as-yet-unannounced FTC fine, which Facebook said could be as high as $5 billion, would be the largest ever against a US tech company.
The FTC is looking into Facebook's privacy practices and determining if the company violated a legal agreement to keep user data private.

(Related) It got Wall Street’s attention.
Facebook Set Aside $3 Billion For A Penalty. Then It Grew By $40 Billion.
Facebook is setting aside $3 billion to cover the expected costs, including an anticipated fine, related to an ongoing investigation with the Federal Trade Commission over its privacy practices, the company said today. The expenses could go as high as $5 billion, Facebook said.
The figure may sound massive, but Wall Street is giddy. In after-hours trading on Wednesday, Facebook's stock price shot up more than 8%, signaling that investors consider the estimated fine to be a slap on the wrist that could've been far worse.
After announcing the anticipated settlement, Facebook's market capitalization climbed by approximately $40 billion in just over an hour of after-hours trading.

A good summary.
Eight Steps to Data Privacy Regulation Readiness
This May marks the first anniversary of the European Union (EU)’s General Data Protection Regulation (GDPR) having taken effect.
… Now with similar legislation taking effect early next year in the form of the California Consumer Privacy Act (CCPA) and Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD), organizations will be racing once again to get up to speed, and in compliance. Additionally, other ordinances aimed at boosting cyber resiliency, like the Australian Prudential Regulation Authority (APRA), put further pressure on organizations to quickly and effectively respond to security breaches.
The good news is that companies can leverage the lessons learned and investments made in preparation for GDPR to expedite compliance for these and future related regulations. Outlined below are eight steps to develop a repeatable framework for protecting data likely to fall under new and existing data privacy regulations.
1. Scope Your Data:
2. Understand Data Transfer Agreements:
3. Update Consent Methods or Legal Basis for Processing:
4. Prepare for Subject Access Requests:
5. Plan for Notification:
6. Amend Your Contracts with New Obligations:
7. Revise Your Privacy Policies and Statements:
8. Designate a Data Protection Officer:

The joy of managing global markets.
Facebook's flood of languages leave it struggling to monitor content
Facebook Inc’s struggles with hate speech and other types of problematic content are being hampered by the company’s inability to keep up with a flood of new languages as mobile phones bring social media to every corner of the globe.
The company offers its 2.3 billion users features such as menus and prompts in 111 different languages, deemed to be officially supported. Reuters has found another 31 widely spoken languages on Facebook that do not have official support.
Detailed rules known as “community standards,” which bar users from posting offensive material including hate speech and celebrations of violence, were translated in only 41 languages out of the 111 supported as of early March, Reuters found.

"I can see by your outfit that you are a lawyer."
These words he did say as I boldly walked by.
"Come an' sit down beside me an' hear my sad story.
"I'm told they won’t hire an' I want to know why."
The Legal and Ethical Implications of Using AI in Hiring
Digital innovations and advances in AI have produced a range of novel talent identification and assessment tools. Many of these technologies promise to help organizations improve their ability to find the right person for the right job, and screen out the wrong people for the wrong jobs, faster and cheaper than ever before.
These tools put unprecedented power in the hands of organizations to pursue data-based human capital decisions.
While these novel tools are disrupting the recruitment and assessment space, they leave many yet-unanswered questions about their accuracy, and the ethical, legal, and privacy implications that they introduce.
In this article, we focus on the potential repercussions of new technologies on the privacy of job candidates, as well as the implications for candidates’ protections under the Americans with Disabilities Act and other federal and state employment laws. Employers recognize that they can’t or shouldn’t ask candidates about their family status or political orientation, or whether they are pregnant, straight, gay, sad, lonely, depressed, physically or mentally ill, drinking too much, abusing drugs, or sleeping too little. However, new technologies may already be able to discern many of these factors indirectly and without proper (or even any) consent.

Coming soon to a Walmart near you?
Walmart experiments with AI to monitor stores in real time
Walmart, which faces fierce competition from Amazon and other online retailers, is experimenting with digitizing its physical stores to manage them more efficiently, keep costs under control and make the shopping experience more pleasant.
Thousands of cameras suspended from the ceiling, combined with other technology like sensors on shelves, will monitor the store in real time so its workers can quickly replenish products or fix other problems.
Hanrahan says the cameras are programmed to focus primarily on the products and shelves right now. They do not recognize faces, determine the ethnicity of a person picking up a product or track the movement of shoppers, he says. Some other companies have recently started experimenting with store shelf cameras that try to guess shoppers’ ages, genders and moods.
Hanrahan says Walmart has made sure to protect shoppers’ privacy and emphasized that there are no cameras at the pharmacy, in front of the rest rooms or in employee breakrooms.

First chalking tires, now location data. Warrants make courts comfortable?
Massachusetts Court Blocks Warrantless Access to Real-Time Cell Phone Location Data
There's heartening news for our location privacy out of Massachusetts this week. The Supreme Judicial Court, the state's highest court, ruled that police access to real-time cell phone location data—whether it comes from a phone company or from technology like a cell site simulator—intrudes on a person’s reasonable expectation of privacy. Absent exigent circumstances, the court held, the police must get a warrant.

Perspective. See? It’s not all President Trump.
Pew – 10 percent of Twitter users create 80 percent of tweets
“We know from Pew Research Center surveys that 22% of U.S. adults use Twitter. But surveys can only tell us so much about how these Americans actually use the platform. A new Pew Research Center study goes a step further. First, we asked survey respondents whether they use Twitter and, if so, for permission to look at their Twitter accounts. After reviewing each account, we quantified these Americans’ tweets, likes, followers and followings. The result is the Center’s first study of Twitter behavior that’s based on a representative sample of U.S. adults who use the platform.
Among U.S. adults, Twitter discourse is dominated by a small share of tweeters. The most prolific tweeters – those in the top 10% by number of tweets – are responsible for 80% of all tweets created by U.S. adults. That includes all types of tweets: original tweets, retweets and quote tweets…”

Wednesday, April 24, 2019

Security does depend on the resources you can deploy.
Wow. As far as a physical security FAIL goes, this is a contender.
The Ahmedabad Mirror reports:
Officials of the Directorate General of GST Intelligence (DGGI) in Gujarat on Sunday lodged a complaint of theft of record files from their storage unit in Ahmedabad.
The DGGI storage unit is housed in an old and decrepit government quarters building in Pragatinagar area of the city. It neither has any security measures to prevent incursions nor CCTV to monitor activities there.
Read more on Ahmedabad Mirror. You seriously need to take a look at that storage unit pictured in the story.

A look at the threats to international money transfers.
New SWIFT Report Details Cyber Threats to International Payment Flows
According to a new SWIFT report (“Three Years On From Bangladesh: Tackling the Adversaries”), international cyber criminals are becoming increasingly sophisticated in the ways that they evade detection when carrying out fraudulent payment transactions. The report, based on 15 months of investigation after the much-heralded cyber attack on the Bank of Bangladesh in 2016, found a constantly evolving landscape of cyber threats to international payment flows.

A really good suggestion and a completely unrelated survey?
UK's NCSC Suggests Automatic Blocking of Common Passwords
A recent survey from the UK's National Cyber Security Centre (NCSC, part of GCHQ), conducted by Ipsos Mori, suggests that 52% consider their most prevalent online security consideration to be protecting their privacy, while 51% consider it to be the loss of their money.
The survey (PDF), conducted between November 2018 and January 2019, involved 1,350 telephone interviews with the general public aged 16+ and was weighted to represent the UK population.
Absent from this survey is any analysis of passwords specifically. This is covered in a separate survey that analyzes the most commonly used passwords as found in Troy Hunt's Have I Been Pwned database.
The NCSC believes that if defenders automatically block the most common passwords, then hacking will be made more difficult. To make this practical, it has – in conjunction with Troy Hunt – published a list of the 100,000 most common passwords found in the Have I Been Pwned database. These range from the most common '123456' to the 100,000th most common 'crossroad'.

What happens after I cry, “Fake news?” How will they stop Russia from flagging the truth as fake?
Strengthening our approach to deliberate attempts to mislead voters
Today, we are further expanding our enforcement capabilities in this area by creating a dedicated reporting feature within the product to allow users to more easily report this content to us.
We will start with 2019 Lok Sabha in India and the EU elections and then roll out to other elections globally throughout the rest of the year.
For more on the specifics of the policy, the types of content we will be taking action on, and our enforcement approach, visit the Twitter Help Center here.

How to ‘private up.’ Using the GDPR in the US?
It used to be that listings websites would make it very difficult for you to remove your data. Often they would request annoying things like printing and posting a paper form, or even requiring you to send a fax.
But now, thanks in part to new EU data control laws, the sites must give you a reasonable way to remove your details. Even if you live outside the EU, if the site operates within Europe then it must allow you to remove your information. [Really? Bob]
Unfortunately there is no way to opt out of all these sites at once. You will have to submit a request for your data to be removed from each site individually. But it shouldn’t take too long. Usually you just need to fill out an online form and the site will take down your details within a few days.
Here is a list of some of the most common data collection websites with links to their respective opt out pages:
You can find a longer list of personal data websites with instructions on how to remove your details from each at

Perspective. Is Mark Zuckerberg hiring mentors or attack dogs?
Facebook Hires Another Privacy Advocate and Critic
Kevin Bankston, currently director of the privacy-focused Open Technology Institute in Washington, will be joining Facebook as a director of privacy policy, he announced Tuesday. Bankston joins a number of privacy advocates at the beleaguered tech giant, as The Information previously reported. All have said they hope to change the company from within and help improve its privacy practices.

I want to buy the T-shirt! (Will the FBI consider it a munition?)
This colorful printed patch makes you pretty much invisible to AI
The rise of AI-powered surveillance is extremely worrying. The ability of governments to track and identify citizens en masse could spell an end to public anonymity. But as researchers have shown time and time again, there are ways to trick such systems.
The latest example comes from a group of engineers from the university of KU Leuven in Belgium. In a paper shared last week on the preprint server arXiv, these students show how simple printed patterns can fool an AI system that’s designed to recognize people in images.
As the researchers write: “We believe that, if we combine this technique with a sophisticated clothing simulation, we can design a T-shirt print that can make a person virtually invisible for automatic surveillance cameras.”

I don’t believe this is true. “Better performance” means they make more money.
Stock traders not ready for AI revolution, Greenwich survey finds
Traders are hesitant about using machine-learning tools to help them gain an edge in the stock markets, despite these being lauded by some of the financial services industry’s biggest investors.
Three-quarters of respondents to Greenwich Associates’ latest survey on the trends in global electronic equity execution said they did not yet use artificial intelligence when trading stocks. Of those that did, 37% said algorithms powered by such tech led to better performance.

Perspective. Hope for old businesses willing to leap into technology?
Disney: New Streaming Service Could Transform Its Valuation
  • On Apr. 11, Disney announced its new streaming service, Disney+.
  • Disney+ is priced at $6.99 per month; Disney clearly aims to undercut Netflix, the current market leader, and make a play for the streaming crown.
  • Disney is attempting to forge a new narrative, positioning itself as a growth stock story akin to Netflix or even Amazon.
… Despite the long lead time and general lack of surprises regarding Disney+, Disney shares leapt higher in the wake of the official unveiling. The stock is now trading 12% higher than it was the day before the advent of Disney+. That means the market has added more than $20 billion to the company’s valuation virtually overnight.

Perspective. Donald Trump is the opposite of the average Twitter user?
Twitter Is Not America
Hard as that is for the Twitter-addicted to believe, it is true, and a new Pew Research study presents new evidence about the way that the platform leans.
In the United States, Twitter users are statistically younger, wealthier, and more politically liberal than the general population.
They were far more likely (60%) to be Democrats or lean Democratic than to be Republicans or lean Republican (35%).

Perspective. “It’s a bird! It’s a plane. It’s a drone!” Watch the video to see how this drone lowers your package on a cable.
Google Spinoff’s Drone Delivery Business First to Get FAA Approval