Saturday, June 15, 2019

A caution for my students working in the defense industry.
Experts: Spy used AI-generated face to connect with targets
Katie Jones sure seemed plugged into Washington’s political scene. The 30-something redhead boasted a job at a top think tank and a who’s-who network of pundits and experts, from the centrist Brookings Institution to the right-wing Heritage Foundation. She was connected to a deputy assistant secretary of state, a senior aide to a senator and the economist Paul Winfree, who is being considered for a seat on the Federal Reserve.
But Katie Jones doesn’t exist, The Associated Press has determined. Instead, the persona was part of a vast army of phantom profiles lurking on the professional networking site LinkedIn. And several experts contacted by the AP said Jones’ profile picture appeared to have been created by a computer program.

Learning from other laws?
Hunton Andrews Kurth writes:
Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.
Under the existing data breach notification law, a business that owns or licenses personal information and becomes aware of a data security breach must conduct a reasonable, prompt and good faith investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. The Bill expands this investigatory requirement to apply expressly to all businesses that own, license or maintain the personal information of Maryland residents.
[Other points:
based on the risk of harm, “the owner or licensee of the computerized data shall notify the individual of the breach.”
if the business that incurs the security breach is not the owner or licensee of personal information, that business may not charge the relevant owner or licensee for information necessary to carry out the owner or licensee’s notification obligations under Maryland’s breach law. [This must have happened once? Bob]

What App(s) in the US do the same thing?
WeChat Is Watching
Living in China with the app that knows everything about me.

Learning about stalkers…
The Predator in Your Pocket
A Multidisciplinary Assessment of the Stalkerware Application Industry
Part 1 discusses the harms which are associated with a person being targeted by stalkerware.
Part 2 undertakes a technical assessment of specific stalkerware applications.
In Part 3, we evaluated how companies which sold stalkerware, and software which could be repurposed as stalkerware, marketed their products to prospective customers.
Part 4 of the report undertook a content assessment of companies’ user-facing public policies.
In Part 5, we conducted an assessment of stalkerware companies’ business practices through the lens of Canada’s federal commercial privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
In Part 6, we collect our major findings from our multidisciplinary research and propose a range of recommendations.

If anyone should know...
Understanding artificial intelligence ethics and safety

New tech, new law.
Chapter 2: Regulating AI and Robotics: Ethical and Legal Challenges
Rapid progress in AI and robotics is challenging the traditional boundaries of law. Algorithms are widely employed to make decisions that have an increasingly far-reaching impact on individuals and society, potentially leading to manipulation, biases, censorship, social discrimination, violations of privacy and property rights, and more. This has sparked a global debate on how to regulate AI and robotics.
The purpose of this introductory chapter is twofold. First, it outlines some of the most urgent ethical and legal issues raised by the use of self-learning algorithms in Artificial Intelligence (AI) systems and (smart) robotics. Secondly, it provides an overview of several key initiatives at the international and European levels on forthcoming AI ethics and regulation.

Marketing is like politics?

Friday, June 14, 2019

No consequences, no security? Now how about senior management?
This is the kind of insider breach that makes patients lose confidence in hospitals. I am not surprised that the jury came down hard on the hospital. Of the $300,000 award, $295,000 is punitive damages against the hospital for not doing anything against the doctor when they were made aware of the problem.
A Coffee County jury on Tuesday awarded $300,000, including punitive damages, to plaintiff Amy Pertuit against Medical Center Enterprise for illegal access and disclosure of protected health information.
In a unanimous verdict, the jury found that Medical Center Enterprise failed to take action against its then-employee, Dr. Lyn Diefenderfer, after it learned that Dr. Diefenderfer had illegally accessed and disclosed Pertuit’s medical records.
Read more about the case on Dothan Eagle.

Mr. Paranoia says: Probably an individual attack. Possibly a ‘proof of concept’ military exercise.
Aircraft Component Maker ASCO Hit by Ransomware, Shuts Down Global Production
Belgian company ASCO Industries, a key leader in manufacturing components for both civilian and military planes, fell victim to a ransomware attack on June 7 that shut down production around the world, writes ZDNet. With all IT systems incapacitated, some 1,000 of 1,400 employees were sent home.
The company has plants in Belgium, Germany, Canada and the US, as well as office representation in Brazil and France. A week later, the plants are still closed and an investigation by external experts seeks to determine the actual damage caused. The infection occurred at the production plant in Belgium, but the plants in the rest of the locations were shut down as a precaution to prevent the ransomware from spreading across the entire network.
ASCO Industries manufactures airplane parts for Airbus, Boeing, Bombardier Aerospace, Lockheed Martin and the new F-35 fighter plane.

Interesting question. Would the FBI then make it public or allow the recipient to make it public or require the recipient to ignore it unless they can confirm it independently?
To Congress: If Russians Seek to Provide Dirt, Make it a Requirement to Report!
Shockingly – if anything shocks anymore – President Donald Trump told ABC news Wednesday that he need not tell the FBI if the Russians once again reached out with an offer of “dirt” on his opponents in the race for president. When Trump was told that Christopher Wray, the FBI director the president himself appointed, said last month that this kind of attempted foreign election interference was something that should be reported to federal law enforcement, Trump’s response was: “The FBI Director is wrong.”
The good news is that Congress is already working on this issue. The Anti-Collusion Act, introduced Wednesday by Rep. Tom Malinowski (D-N.J.), would require everyone running for federal, state, or local office to report offers of assistance from a foreign government or agent of a foreign government to the Department of Justice.

Why are political reactions so often overreactions? “We gotta do something” overrides “let’s think about this.”
Amelia Vance of the Future of Privacy Forum has an excellent commentary in the Orlando Sentinel that begins:
After the horrific school shooting in Parkland last year, state legislators passed a law that included a little-noticed provision creating a new government database. Education Week recently reported that the database will include a vast range of sensitive, personal information about Florida students. The state plans to merge information from social media with records of students who have been bullied or harassed based on their religion, race, disability, or gender, plus data about students in foster care. In deciding which data to include, Florida did not take an evidence-based approach; instead, the state merely asked agencies and a few districts if they had any data that might indicate that someone was a threat.
Read her whole commentary in the Orlando Sentinel.

Ignore this if you’re certain you are not impacted, but expect lawsuits when you find out you are.
Webinar Invitation — Operationalizing the California Consumer Privacy Act
Please join the Hogan Lovells Privacy and Cybersecurity team and LexisNexis on June 19 for the webinar, Operationalizing the California Consumer Privacy Act – Key Decisions and Compliance Strategies.
… explore the impact of the CCPA including:
  • Key terms used by the law that are fundamental to planning compliance – including broad definitions of “personal information” and “sale”;
  • How the act will interact with existing regulations covering organizations in healthcare, financial services, and beyond;
  • The new private right of action established by the law;
  • A comparison of the CCPA to Europe’s General Data Protection Regulation (GDPR), including learnings from GDPR compliance that can be applied in the United States.
… To register for the webinar, click here.

Alabama is in the forefront?
State commission to study artificial intelligence technology
Alabama now has one of the first state commissions formed to study the policy implications of artificial intelligence technology.
The Alabama Commission on Artificial Intelligence (AI) and Associated Technologies will make policy recommendations to advance AI’s growth in the state’s tech sector.

For our non-geeks?
NYT has a course to teach its reporters data skills and now they’ve open-sourced it
NiemanLab: “Should journalists learn to code?” is an old question that has always had only unsatisfying answers. (That was true even back before it became a useful heuristic for identifying Twitter jackasses.) Some should! Some shouldn’t! Helpful, right? One way the question gets derailed involves what, exactly, the question-asker means by “code.” It’s unlikely a city hall reporter will ever have occasion to build an iPhone app in Swift, or construct a machine learning model on deadline. But there is definitely a more basic and straightforward set of technical skills — around data analysis — that can be of use to nearly anyone in a newsroom. It ain’t coding, but it’s also not a skillset every reporter has. The New York Times wants more of its journalists to have those basic data skills, and now it’s releasing the curriculum they’ve built in-house out into the world, where it can be of use to reporters, newsrooms, and lots of other people too…”

and for our geeks.
Semantic Sanity, A Personalized Adaptive Feed
About Semantic Sanity
Semantic Sanity provides an adaptive ArXiv feed tailored to your research interests. This feed uses an AI model that recommends the latest papers across all ArXiv categories in Computer Science to help you stay up to date. Our AI model learns from you – when you indicate whether or not a paper is relevant, your feed will improve. It only takes a few clicks to see the most relevant research.
More Features & Benefits
    • Open access preprints from all ArXiv categories in Computer Science.
    • Refine feeds using categories and keywords.
    • Save feeds and papers to read later.
    • Create multiple feeds to track diverse research interests…”

Perspective. This could be difficult for my smartphone using students. Maybe there’s an App for that?
Jobs of the future: teaching empathy to artificial intelligence
Now, thanks to advancements in technology, we’re at a stage where we can think about the importance of empathy in machines. Artificial intelligence (AI) is becoming an ever-increasing presence in our daily lives, whether it’s the voice assistant on your phone, or the complex algorithms used to fight diseases.
The way we design interactions with AI systems and the results they provide should be thoughtfully considered, and in the future, the responsibility for designing artificial empathy could fall under the remit of an empathologist – a job that has yet to exist.

It’s my understanding that they don’t teach this in high school.

Thursday, June 13, 2019

Regular reports of “who can access” and “who did access” should go to every manager of people or data. And they should look at them!
Brian Higgins reports:
P.E.I.’s privacy watchdog wants Health PEI to keep closer tabs on one of its employee’s use of patient health records, following a privacy breach last year at Queen Elizabeth Hospital.
That’s according to a new report by Information and Privacy Commissioner Karen Rose, posted May 30.
According to the report, in March 2018, a patient received a copy of their electronic patient chart from Health PEI. That chart included a log showing who had accessed the patient’s health information, and when.
[From the article:
The commissioner recommended Health PEI introduce regular auditing of the employee's access to patient records, with particular attention to the personal health information of the patient whose privacy was breached.
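As an added illustration (not from the commissioner’s report or the article), here is a small Python script that produces the “who can access” and “who did access” views described above over constructed access-log lines, flags accesses outside a role’s permissions or by staff not on the patient’s care team, and pulls the targeted one-employee/one-patient audit the commissioner recommended. All user ids, patient ids, roles and log lines are made up.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (not from the report): which record categories each
# role may open, each staff member's role, and each patient's care team.
ROLE_PERMISSIONS = {
    "physician": {"chart", "lab", "imaging"},
    "nurse": {"chart", "lab"},
    "billing": {"billing"},
}
STAFF_ROLES = {"u101": "physician", "u202": "nurse", "u303": "billing"}
CARE_TEAM = {"p9001": {"u101", "u202"}, "p9002": {"u202"}}

# Constructed access-log lines: timestamp, user id, patient id, record category.
ACCESS_LOG = """\
2018-03-02T09:14:00 u101 p9001 chart
2018-03-02T09:20:00 u202 p9001 lab
2018-03-03T22:41:00 u202 p9002 chart
2018-03-05T13:02:00 u303 p9001 chart
2018-03-06T08:00:00 u101 p9002 imaging
"""


@dataclass
class Access:
    when: datetime
    user: str
    patient: str
    category: str


def parse_log(text):
    """Parse the whitespace-separated log format constructed above."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, category = line.split()
        entries.append(Access(datetime.fromisoformat(ts), user, patient, category))
    return entries


def who_can_access(patient):
    """'Who can access' view: care-team members and the categories their role permits."""
    members = sorted(CARE_TEAM.get(patient, set()))
    return {u: sorted(ROLE_PERMISSIONS[STAFF_ROLES[u]]) for u in members}


def who_did_access(entries, patient):
    """'Who did access' view: every logged access to one patient's record, oldest first."""
    return sorted((e for e in entries if e.patient == patient), key=lambda e: e.when)


def flag_suspicious(entries):
    """Flag accesses outside the user's role permissions or by someone not on the
    patient's care team; the reasons are returned so a manager can review them."""
    flags = []
    for e in entries:
        reasons = []
        role = STAFF_ROLES.get(e.user)
        if role is None or e.category not in ROLE_PERMISSIONS[role]:
            reasons.append("category not permitted for role")
        if e.user not in CARE_TEAM.get(e.patient, set()):
            reasons.append("user not on care team")
        if reasons:
            flags.append((e, reasons))
    return flags


def watchlist_report(entries, user, patient):
    """Targeted audit: every access by one employee to one patient's record."""
    return [e for e in entries if e.user == user and e.patient == patient]


if __name__ == "__main__":
    log = parse_log(ACCESS_LOG)
    print("who can access p9001:", who_can_access("p9001"))
    for e in who_did_access(log, "p9001"):
        print("p9001 accessed by", e.user, "at", e.when.isoformat())
    for e, reasons in flag_suspicious(log):
        print("FLAG", e.user, e.patient, e.category, "->", "; ".join(reasons))
```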

If you offer a tool to anyone potentially threatening the state, the state will react. (Best description of DDoS I have ever seen!)
Telegram Hit by Cyber-attack, CEO Points to HK Protests, China
Encrypted messaging service Telegram suffered a major cyber-attack that appeared to originate from China, the company's CEO said Thursday, linking it to the ongoing political unrest in Hong Kong.
Many protesters in the city have used Telegram to evade electronic surveillance and coordinate their demonstrations against a controversial Beijing-backed plan that would allow extraditions from the semi-autonomous territory to the mainland.
"Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram)," he tweeted.
"This case was not an exception."
"Imagine that an army of lemmings just jumped the queue at McDonald's in front of you – and each is ordering a whopper," it said, referring to the flagship product of Burger King.
"The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can't even see you to try and take your order."

It’s a mess.
Senators Question FBI on Russian Hack of Voting Firm
In a letter sent to FBI Director Christopher Wray, Democratic Sens. Ron Wyden of Oregon and Amy Klobuchar of Minnesota, who is the ranking member of the committee with jurisdiction over federal elections, asked for answers by July 12 regarding steps the agency has taken in response to the breach of VR Systems’ computer servers.
Robert Mueller’s report on Russia’s interference in the 2016 election describes how Kremlin-backed spies installed malware on the network of an unnamed company that “developed software used by numerous U.S. counties to manage voter rolls.”
VR Systems has said it believes it is the company referred to in the report. The Tallahassee, Florida-based company has maintained, however, that its system was never penetrated. It told Wyden in a letter last month that the cybersecurity firm Fire Eye conducted a security audit and found no evidence of a breach.
The Department of Homeland Security said last week that its computer experts will examine North Carolina polling equipment supplied by VR Systems, at the state’s request. The forensic analysis will look at laptops and replicas of computer hard drives that were used in heavily Democratic Durham County to determine whether hacking was responsible for malfunctions on election day in 2016.
State and local officials said previously they found no indication that the software system, used for voter registration and check-in, had been targeted by hackers, but they never did a forensic examination. VR Systems has blamed the trouble on poorly trained poll workers and inadequate computer maintenance. A report by a security consultant hired by Durham County’s elections board supported that claim.

(Related) ...and it’s going to get worse.
Mitch McConnell is Making the 2020 Election Open Season for Hackers
Senator Ron Wyden, the Oregon Democrat who sits on the Intelligence Committee, predicts that the 2020 election will make what happened in 2016 “look like small potatoes.” “It’s not just the Russians,” he told me. “There are hostile foreign actors who are messing with two hundred years’ worth of really precious history.” Wyden recently reintroduced the PAVE Act, a wish list of election-security provisions that failed to get through the Senate last year. The measure includes the use of hand-marked paper ballots and a prohibition on wireless modems and other kinds of Internet connectivity, all of which have been advocated by computer scientists and other election experts for years.
But with the Senate Majority Leader, Mitch McConnell, making it clear that he will not advance any election-security legislation

Interesting discussion.
Profiling and the GDPR: An interview with Mark Singer and Raf Sanchez

Let the lawsuits begin!
This is huge. Warwick Ashford reports:
The Austrian Supreme Court has rejected all attempts by Facebook to block a lawsuit in Vienna on fundamental privacy issues.
Facebook had attempted to block the case by Austrian lawyer and privacy activist Max Schrems by questioning whether it is possible to bring a case about rights under the EU’s General Data Protection Regulation (GDPR) before the courts.
Facebook argued that only the Irish data protection commissioner has jurisdiction in this case, while the Vienna Regional Court declared that it did not have jurisdiction.
However, the Appellate Court and the Austrian Supreme Court have now made it clear that everyone has a right to file a lawsuit based on the GDPR.
Read more on ComputerWeekly.

Allow me to clearly state my obfuscation with the simplest of bemused befuddlement. (Amusing graphic)
We Read 150 Privacy Policies. They Were an Incomprehensible Disaster.
Only Immanuel Kant’s famously difficult “Critique of Pure Reason” registers a more challenging readability score than Facebook’s privacy policy.
Google’s privacy policy evolved over two decades — along with its increasingly complicated data collection practices — from a two-minute read in 1999 to a peak of 30 minutes by 2018.
The policy became more readable at the expense of brevity after the introduction of the General Data Protection Regulation, the European Union data privacy protection framework that went into effect a year ago. The regulation includes a clause requiring privacy policies to be delivered in a “concise, transparent and intelligible form, using clear and plain language.”
And if states continue to draft their own data protection laws, as California is doing with its Consumer Privacy Act, privacy policies could balloon with location-specific addendums.

For my summer Security Compliance class.
Regulating Big Tech: Legal Implications
CRS Legal Sidebar via LC – Regulating Big Tech: Legal Implications. June 11, 2019. “Amidst growing debate over the legal framework governing social media sites and other technology companies, several Members of Congress have expressed interest in expanding current regulations of the major American technology companies, often referred to as “Big Tech.” This Legal Sidebar provides a high-level overview of the current regulatory framework governing Big Tech, several proposed changes to that framework, and the legal issues those proposals may implicate. The Sidebar also contains a list of additional resources that may be helpful for a more detailed evaluation of any given regulatory proposal…”

Wednesday, June 12, 2019

Not the best target to irritate…
Colin Lecher reports:
Since May 21st, a virus has shut down Philadelphia’s online court system, bringing network access to a standstill. The problems started unexpectedly: suddenly, no one could seem to access the system to file documents. “It wasn’t working,” says Rachel Gallegos, a senior staff attorney with the civil legal aid organization Community Legal Services. “I thought it was my computer.”
Read more on The Verge.

Another way to defy ransomware.
Alternative rock legends Radiohead on Tuesday released an 18-hour trove of private recordings from their 1997 album "OK Computer" after getting hacked by someone seeking a ransom of $150,000 for the music.
The genre-bending English musicians uploaded the 1.8-gigabyte collection of recording session outtakes and rare live performances on their website.
The songs can be accessed online for free.

Security is complicated. Third parties can help, but it’s still your responsibility.
Liisa Thomas, Sarah Aberg, Kari Rollins, and Katherine Boy Skipsey write:
The SEC recently issued a risk alert warning about using vendors and cloud-based platforms. Many broker dealers and investment advisors are turning to these third parties to store customer data. In its alert, the SEC’s Office of Compliance Inspections and Examinations warns firms that relying on those third parties’ security tools is not, in and of itself, sufficient for the companies to demonstrate compliance with Regulations S-P and S-ID. These regulations require broker-dealers and investment advisers to protect customer records and detect and prevent identity theft.
Read more on SheppardMullin Eye on Privacy.

Targeting fans.
Telecompaper reports:
Spain’s football league (La Liga) has been fined a total of EUR 250,000 by the country’s data protection agency (AEPD) for using a mobile app to remotely activate smartphone microphones, reports local daily El Diario. The league last year admitted that its highly popular official app, which is used by 4 million people in Spain to check incoming results live, can monitor user location and activate microphones to identify whether smartphone owners are watching a game at a public venue via an illegal feed. One of the app’s requested permissions is for access to user microphones and geopositioning “to detect fraud in the consumption of football in unauthorised public establishments”.
Read more on Telecompaper

More targets.
Cybersecurity: These are the Internet of Things devices that are most targeted by hackers
Research from cybersecurity company SAM Seamless Network found that security cameras represent 47 percent of vulnerable devices installed on home networks.
According to the data, the average US household contains 17 smart devices while European homes have an average of 14 devices connected to the network.
Figures from the security firm suggest that the average device is the target of an average of five attacks per day, with midnight the most common time for attacks to be executed – it's likely that at this time of the night, the users will be asleep and not paying attention to devices, so won't be witness to a burst of strange behavior.

Leading to a full Privacy law?
Daniel J. Moses of JacksonLewis writes:
As we recently noted, Washington state amended its data breach notification law on May 7 to expand the definition of “personal information” and shorten the notification deadline (among other changes). Not to be outdone by its sister state to the north, Oregon followed suit shortly thereafter: Senate Bill 684 passed unanimously in both legislative bodies on May 20, and was signed into law by Governor Kate Brown on May 24. The amendments will become effective January 1, 2020.
Among the changes effected by SB 684 is a trimming of the Act’s short title, now styled the “Oregon Consumer Information Protection Act” or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”). Apart from establishing a much more palatable acronym, the amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights.

Will R. Daugherty and Caroline B. Brackeen of BakerHostetler write:
Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted.
Read more on Data Privacy Monitor.

Worth studying.
Here’s Mary Meeker’s 2019 Internet Trends report
… This morning, Meeker highlighted slowed growth in e-commerce sales, increased internet ad spending, data growth, as well as the rise of freemium subscription business models, telemedicine, photo-sharing, interactive gaming, the on-demand economy and more.
“If it feels like we’re all drinking from a data firehose, it’s because we are,” Meeker told the audience.
We’ll be back later with a full analysis of this year’s report. For now, here’s a look at all 333 slides. You can view the full internet trends report archive here.

How very James Bond. “Q” would be delighted.
Facebook lets deepfake Zuckerberg video stay on Instagram
The clip is a "deepfake", made by AI software that uses photos of a person to create a video of them in action.
Facebook had previously been criticised for not removing a doctored clip of US House Speaker Nancy Pelosi.
The deepfake video of Mark Zuckerberg was created for an art installation on display in Sheffield called Spectre. It is designed to draw attention to how people can be monitored and manipulated via social media in light of the Cambridge Analytica affair - among other scandals.
It features a computer-generated image of the chief executive's face merged with footage of his body sourced from a video presentation given in 2017 at an office in Facebook's Silicon Valley headquarters. An actor provided the audio recording it is synched to.
The 16-second clip - which plays on a loop - was uploaded to Instagram on Saturday.

How many can we trust?
Number of fact-checking outlets surges to 188 in more than 60 countries
Poynter – Strong growth in Asia and Latin America helps fuel global increase – “The number of fact-checking outlets around the world has grown to 188 in more than 60 countries amid global concerns about the spread of misinformation, according to the latest tally by the Duke Reporters’ Lab. Since the last annual fact-checking census in February 2018, we’ve added 39 more outlets that actively assess claims from politicians and social media, a 26% increase. The new total is also more than four times the 44 fact-checkers we counted when we launched our global database and map in 2014.

What’s Behind the International Rush to Write an AI Rulebook?
There’s no better way of ensuring you win a race than by setting the rules yourself. That may be behind the recent rush by countries, international organizations, and companies to put forward their visions for how the AI race should be governed.
China became the latest to release a set of “ethical standards” for the development of AI last month, which might raise eyebrows given the country’s well-documented AI-powered state surveillance program and suspect approaches to privacy and human rights.
But given the recent flurry of AI guidelines, it may well have been motivated by a desire not to be left out of the conversation. The previous week the OECD, backed by the US, released its own “guiding principles” for the industry, and in April the EU released “ethical guidelines.”

30 years is near.
AI’s Near Future
Listen and subscribe to this podcast via Apple Podcasts | Google Podcasts | RSS
In this conversation, Jürgen and Azeem Azhar discuss what the next thirty years of AI will look like.

AI cheats!
Rock-Paper-Scissors Robot
How in the world did I not know about this for three years?
Researchers at the University of Tokyo have developed a robot that always wins at rock-paper-scissors. It watches the human player's hand, figures out which finger position the human is about to deploy, and reacts quickly enough to always win.

Will we need to delete the data and then retrain our AI? Expensive if necessary.
When the European Union enacted the General Data Protection Regulation (GDPR) a year ago, one of the most revolutionary aspects of the regulation was the “right to be forgotten”—an often-hyped and debated right, sometimes perceived as empowering individuals to request the erasure of their information on the internet, most commonly from search engines or social networks.
… Virtually every modern enterprise is in some way or another collecting data on its customers or users, and that data is stored, sold, brokered, analyzed, and used to train AI systems. For instance, this is how recommendation engines work—the next video we should watch online, the next purchase, and so on, are all driven by this process.
At present, when data is sucked into this complex machinery, there’s no efficient way to reclaim it and its influence on the resulting output. When we think about exerting the right to be forgotten, we recognize that reclaiming specific data from a vast number of private businesses and data brokers offers its own unique challenge. However, we need to realize that even if we can succeed there, we’ll still be left with a difficult question—how do we teach a machine to “forget” something?

Perspective. My search for why.
The DOJ’s antitrust chief just telegraphed exactly how it could go after Google, Apple and other big tech companies
The Department of Justice’s assistant attorney general brought the case against big tech into focus in a new speech delivered at the Antitrust New Frontiers Conference in Tel Aviv on Tuesday.
Delrahim’s speech, as transcribed on the DOJ’s website, argues existing antitrust laws are strong enough to regulate tech.
“We already have in our possession the tools we need to enforce the antitrust laws in cases involving digital technologies,” Delrahim said. “U.S. antitrust law is flexible enough to be applied to markets old and new.”
One way of evaluating whether a company has violated antitrust law is through what Delrahim called the “no economic sense test.” A monopoly that makes a decision that makes no economic sense except for “its tendency to eliminate or lessen competition” would fail the test, according to Delrahim’s definition.

For my students.