Saturday, July 13, 2019

Is there real concern that DHS would cover up Russian hacking?
Bipartisan Legislation to Require DHS Alerts on Election Hacking
Bipartisan legislation formally unveiled this week would require the Department of Homeland Security to send notifications on breaches affecting the election systems.
… “It has now been nearly two months since Florida delegation members were briefed by the FBI on the two hacked counties in Florida – and the voters in these counties still don’t know if Russians have accessed their personal data,” Waltz said.
The bill would require federal officials to promptly alert appropriate state and local officials and Members of Congress when there is credible evidence that an election system has been breached and voter information believed to have been altered or otherwise affected.
State and local officials would then be required to alert potentially affected voters of the incident.

Just saying…
Microsoft Office 365: Banned in German schools over privacy fears
State of Hesse says student and teacher information could be "exposed" to US spy agencies.
The state's data-protection commissioner has ruled that using the popular cloud platform's standard configuration exposes personal information about students and teachers "to possible access by US officials".
Besides the details that German users provide when they're working with the platform, Microsoft Office 365 also transmits telemetry data back to the US.
Last year, investigators in the Netherlands discovered that that data could include anything from standard software diagnostics to user content from inside applications, such as sentences from documents and email subject lines. All of which contravenes the EU's General Data Protection Regulation, or GDPR, the Dutch said.

How the police state works?
Revealed: This Is Palantir’s Top-Secret User Manual for Cops
Palantir is one of the most significant and secretive companies in big data analysis. The company acts as an information management service for Immigrations and Customs Enforcement, corporations like JP Morgan and Airbus, and dozens of other local, state, and federal agencies. It’s been described by scholars as a “secondary surveillance network,” since it extensively catalogs and maps interpersonal relationships between individuals, even those who aren't suspected of a crime.
Palantir software is instrumental to the operations of ICE, which is planning one of the largest-ever targeted immigration enforcement raids this weekend on thousands of undocumented families. Activists argue raids of this scale would be impossible without software like Palantir.
The document obtained by Motherboard for this story is public and viewable on DocumentCloud.

For a minute there I was excited. Then I realized they meant a human to ‘direct’ AI, not the other way around.
VA Appoints First-Ever Artificial Intelligence Director
The agency tapped Dr. Gil Alterovitz, a Harvard Medical School professor and member of the Computational Health Informatics Program at Boston Children’s Hospital, to spearhead its efforts to improve veteran care through AI-enabled solutions.

Making AI ubiquitous.
AI at the Very, Very Edge
TinyML is a community of engineers focused on how best to implement machine learning (ML) in ultra-low power systems.
… “TensorFlow Lite has been targeting mobile phones but we are excited about running it on ever smaller devices,” he said.
After building a model in TensorFlow, engineers can run it through the TensorFlow Lite converter, which “makes it smaller and does things like quantisation, which allow you to reduce the size and precision of the model down to a scale where it will fit comfortably on the device you are targeting,” he said.
Situnayake described one technique that could be used to increase power efficiency, which involves chaining models together.
“Imagine a cascading model of classifiers where you have a really low power model using barely any power to detect if there is a sound going on, then another model that takes more energy to run, which figures out if it’s human speech or not,” he explained. “Then a deeper network that only wakes up when these conditions are met, that uses more power and resources. By chaining these together, you only wake up the [energy intensive] one when you need to, so you can make big savings on energy efficiency.”
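The two power tricks described above, the converter's quantisation step and the chained classifiers, as an added example written for this page; it is not code from the article, the TinyML group or TensorFlow Lite. The three "models" are hand-written stand-ins (an RMS energy gate, a zero-crossing-rate check in place of the speech/non-speech model, and a placeholder for the deep network), and the per-stage cost figures, sample rate, window size, thresholds and synthetic audio windows are all assumptions constructed for the demonstration.

```python
"""Two TinyML power tricks from the excerpt above, as an added example.

Illustrative code written for this page, not code from the article, the
TinyML group or the TensorFlow Lite converter. The three "models" are
hand-written stand-ins and the cost figures are assumed energy units.
"""
import math
import random
from dataclasses import dataclass, field

SAMPLE_RATE = 16_000   # assumed microphone sample rate
WINDOW = 256           # 16 ms of audio per inference window
COST_ENERGY_GATE, COST_SPEECH_CHECK, COST_DEEP_NET = 1, 10, 500  # assumed costs


# 1. Post-training quantisation: float32 weights -> int8 (4 bytes -> 1 byte each)
def quantize_int8(weights):
    """Symmetric per-tensor int8: 255 levels across [-max|w|, +max|w|]."""
    peak = max(abs(w) for w in weights)
    scale = peak / 127.0 if peak else 1.0
    q = [max(-127, min(127, round(w / scale))) for w in weights]
    return q, scale

def dequantize_int8(q, scale):
    return [v * scale for v in q]

def max_quantisation_error(weights):
    """Largest |w - dequant(quant(w))|; never more than scale / 2."""
    q, scale = quantize_int8(weights)
    return max(abs(a - b) for a, b in zip(weights, dequantize_int8(q, scale)))


# 2. Cascade: cheap gates decide whether the expensive model wakes at all
def rms(window):
    return math.sqrt(sum(x * x for x in window) / len(window))

def zero_crossing_rate(window):
    crossings = sum(1 for a, b in zip(window, window[1:]) if (a < 0) != (b < 0))
    return crossings / (len(window) - 1)

def stage1_sound_present(window, threshold=0.05):
    """Cheapest gate: is there any signal energy at all?"""
    return rms(window) > threshold

def stage2_speech_like(window, low=0.01, high=0.3):
    """Stand-in for a small speech/non-speech model: voiced speech has a modest
    zero-crossing rate, white noise a much higher one, mains hum a lower one."""
    return low <= zero_crossing_rate(window) <= high

def stage3_deep_network(window):
    """Placeholder for the expensive keyword model; returns a fake score."""
    return max(abs(x) for x in window)

@dataclass
class CascadeStats:
    windows: int = 0
    reached_stage2: int = 0
    reached_stage3: int = 0
    energy: int = 0
    detections: list = field(default_factory=list)   # (window index, score)

def run_cascade(windows):
    """A later stage runs only when every earlier stage has passed."""
    stats = CascadeStats()
    for i, w in enumerate(windows):
        stats.windows += 1
        stats.energy += COST_ENERGY_GATE
        if not stage1_sound_present(w):
            continue
        stats.reached_stage2 += 1
        stats.energy += COST_SPEECH_CHECK
        if not stage2_speech_like(w):
            continue
        stats.reached_stage3 += 1
        stats.energy += COST_DEEP_NET
        stats.detections.append((i, stage3_deep_network(w)))
    return stats

def always_on_energy(n_windows):
    return n_windows * COST_DEEP_NET   # baseline: deep network on every window


# Constructed sample input: 6 near-silent windows, 1 mains hum, 1 white noise, 2 speech-like
def make_tone(freq_hz, amplitude):
    return [amplitude * math.sin(2 * math.pi * freq_hz * n / SAMPLE_RATE) for n in range(WINDOW)]

def make_noise(amplitude, seed):
    rng = random.Random(seed)
    return [rng.uniform(-amplitude, amplitude) for _ in range(WINDOW)]

SAMPLE_WINDOWS = ([make_noise(0.001, s) for s in range(6)] + [make_tone(50, 0.3)]
                  + [make_noise(0.5, 42)] + [make_tone(300, 0.5)] * 2)

if __name__ == "__main__":
    s = run_cascade(SAMPLE_WINDOWS)
    print(f"{s.reached_stage3} of {s.windows} windows woke the deep network; "
          f"energy {s.energy} vs always-on {always_on_energy(s.windows)}")
    print("int8 error on sample weights:", max_quantisation_error([0.5, -0.25, 0.1, 0.0, -0.9]))
```

On the constructed input only two of ten windows wake the deep network, so the cascade spends about a fifth of what running that network on every window would cost; the energy and zero-crossing thresholds are illustrative, and a real deployment would tune them against measured false-wake and missed-wake rates, since a gate that is too eager wastes the savings and one that is too strict silently drops real commands.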

Baby them!
The AI technique that could imbue machines with the ability to reason
… “Obviously we’re missing something,” he said. A baby can develop an understanding of an elephant after seeing two photos, while deep-learning algorithms need to see thousands, if not millions. A teen can learn to drive safely by practicing for 20 hours and manage to avoid crashes without first experiencing one, while reinforcement-learning algorithms (a subcategory of deep learning) must go through tens of millions of trials, including many egregious failures.
The answer, he thinks, is in the underrated deep-learning subcategory known as unsupervised learning. While algorithms based on supervised and reinforcement learning are taught to achieve an objective through human input, unsupervised ones extract patterns in data entirely on their own. (LeCun prefers the term “self-supervised learning” because it essentially uses part of the training data to predict the rest of the training data.)

What must we do to gain their attention?
Facebook’s $5 billion FTC fine is an embarrassing joke
Facebook gets away with it again
Facebook’s stock went up after news of a record-breaking $5 billion FTC fine for various privacy violations broke today.
From some other perspectives, that $5 billion fine is a big deal, of course: it’s the biggest fine in FTC history, far bigger than the $22 million fine levied against Google in 2012. And $5 billion is a lot of money, to be sure. It’s just that like everything else that comes into contact with Facebook’s scale, it’s still entirely too small: Facebook had $15 billion in revenue last quarter alone, and $22 billion in profit last year.
The largest FTC fine in the history of the country represents basically a month of Facebook’s revenue, and the company did such a good job of telegraphing it to investors that the stock price went up.
Here’s another way to say it: the biggest FTC fine in United States history increased Mark Zuckerberg’s net worth.

Perspective. (Podcast) “I am shocked. Shocked I tell you!”
Dysfunctional Justice: What’s Wrong with the U.S. Legal System
Bruce Cannon Gibney discusses his new book about how our legal system has deteriorated since the 1950s as laws have become needlessly complex, clouded by politics and influenced by money.

Friday, July 12, 2019

Coming soon to a college near me?
Hackers target Monroe College with ransomware, demand $2 million in bitcoin
Monroe College is “under cyberattack” by hackers who demanded approximately $2 million in bitcoin, police and school officials said Thursday.
The school’s computer programs were hacked around 6:45 a.m. Wednesday by a group that got in through ransomware and halted the system, cops said.
The hackers sent a message demanding that the university, which has a location on Jerome Avenue in Kingsbridge Heights, send 170 bitcoin — the equivalent of $2 million — in order to have its system restored.
Read more on the New York Post.

There should be an easy-to-follow procedure for building a database…
K12 Inc. Data Breach Opens Doors to Students' Personal Information
A K12 Inc. company database that included information for 19,000 students was available for anyone with an internet connection to see for at least a week, according to a report from Comparitech, which describes itself as a pro-consumer organization that offers security services.
It's not clear that anyone with ill intentions accessed the information during the data exposure, which lasted from June 23 until July 1.

Worth noting.
Incident Response is Changing, Here’s Why and How
Every year Ponemon reports on the relationship between how quickly an organization can identify and contain a breach and the financial consequences. The 2018 Ponemon Cost of a Data Breach Study found that the average total cost of a data breach has now reached $3.86 million and the chance of recurrence is 28%. Mean times to identify and contain have continued to creep up and are now at 197 days and 69 days respectively. To reverse these trends and better protect themselves from future attacks, organizations need to shift from a reactive approach to incident response to a proactive incident readiness mindset.
Fortunately, organizations are recognizing this and taking action. Nearly half of the respondents to the Cisco 2019 CISO Benchmark Study say they are focusing on time to remediate as a key indicator to measure their security posture, up from 30% last year.

Good on them, but I doubt they will keep their pledge.
U.S. Mayors Pledge Not to Give in to Ransomware Demands
The United States Conference of Mayors has promised that its members will “stand united” against paying ransoms in case their systems are hit by ransomware.
The organization represents over 1,400 mayors from U.S. cities with a population of at least 30,000. At its 87th annual meeting, members adopted many resolutions, including a couple on cybersecurity. One of them is related to ransomware attacks targeted at local governments.
The Conference of Mayors has admitted that ransomware attacks can result in the loss of millions of dollars and months of work to repair damage, but highlighted that paying the attackers only “encourages continued attacks on other government systems, as perpetrators financially benefit.”
In an effort to disincentivize these attacks, the organization’s members have vowed not to pay ransoms in the event of a cyberattack.
The mayors have also urged Congress to pass the State Cyber Resiliency Act, which would provide grants to state and local governments to help support the development and implementation of cyber resiliency plans.

Dilbert explains the role of a Computer Security manager.

Let’s see how well this works.
Facebook Will Now Show You How To Opt Out Of Targeted Ads
The new tool tells you how an ad was targeted and which third-party agency or data broker was used. It also links to pages to opt out.

GDPR requires you to protect paper too.
Just days after proudly announcing its first fine under the GDPR, the Romanian Data Protection Authority has done it again: World Trade Center Bucharest S.A. must pay 15,000 euro for breaching the provisions of Art. 32 para. (4) GDPR corroborated with Art. 32 paras. (1) and (2) GDPR.
What happened: according to the official statement posted on the website of the Romanian Authority, a paper-printed list, used in order to check the clients who were having breakfast at the hotel owned by the controller, was photographed by persons outside the company and subsequently published online, thus leading to a data breach which affected 46 persons.

(Related) Is they is or is they ain’t covered?
German Supervisory Authorities Issue Guidance on Data Subject Rights
On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities.
According to the guidance, the controller may only request the provision of additional information if it has “reasonable doubts” about the data subject’s identity.

The US has no strategy. No surprise there. The full report (PDF) is 188 pages.
New Report on the Regulation of Artificial Intelligence
Everybody seems to be talking about artificial intelligence (AI). Some people laud its possibilities, whereas others envisage nightmare scenarios where robots take over. But what is AI exactly and how are countries dealing with it? The Oxford Dictionary defines AI as “the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.” In a recently published report, “Regulation of Artificial Intelligence,” the Law Library of Congress looks at the emerging regulatory and policy landscape surrounding AI, including guidelines, ethics codes, and actions by and statements from governments and their agencies, in jurisdictions around the world. An international part deals with approaches that United Nations agencies and regional organizations have taken towards AI. The country surveys look at various legal issues, including data protection and privacy, transparency, human oversight, surveillance, public administration and services, autonomous vehicles, and lethal autonomous weapons systems (LAWS). However, the most advanced regulations were found in the area of autonomous vehicles, in particular for the testing of such vehicles. The report includes three maps on national AI strategies, a country’s position on LAWS, and the testing of autonomous vehicles. As the regulation of AI is still in its early stages and constantly evolving, this report offers a snapshot of the legal situation at the time the report was written (January 2019). Updates will be provided on the Global Legal Monitor (GLM) website.

More and bigger (faster) computers. What else is new?
Facebook VP: AI has a compute dependency problem
Examples of systems less reliant on compute for innovative breakthroughs include Pluribus, an AI system developed by Facebook AI Research and Carnegie Mellon University and introduced today, that can take on world-class poker players. In an article in Science, researchers said Pluribus only required $150 in cloud computing to train.
The end of Moore’s Law means the compute needed to create the most advanced AI is going up.
In fact, Pesenti cited an OpenAI analysis that found the compute necessary to create state-of-the-art systems has gone up 10 times each year since 2012.
He believes bias typically comes from data sets, rather than the creators of AI systems. [Should we train AI to recognize biased datasets? (Hint: Hell yes!)]

We haven’t figured it out yet.
Asia’s AI agenda: The ethics of AI
… This report, the fourth in our “Asia’s AI agenda” series, combines an Asia-wide executive survey with expert interviews from industry, government, and academia, and takes the pulse of public and private actors in the AI ethics debate in the region.
Here are the key findings of the report:
  • AI will be a major growth driver for Asia in the coming decade.
  • Biases within AI tools are potentially dangerous for Asia—but biases about AI’s use in Asia could be even more so.
  • Asian governments are building institutional capacity and frameworks to increase AI governance—but have yet to develop regulations.
  • Asian respondents are engaged in AI ethics discussions and see a constructive role for governments.
  • AI-driven unemployment narratives are counterbalanced by the potential to enhance and augment human work.
The first part of this series, “The ecosystem,” explores Asian governments’ plans for leadership in AI. The second, “AI for business,” examines how businesses are creating strategies for deploying the technology. The third, “AI and human capital,” looks at how executives in Asia Pacific are preparing for the automation of job roles.

It’s not a tariff! US probably will retaliate with a tariff. Can you name any French firm that takes in 25 million Euros in the US? (Napoleon made strange laws.)
France passes tax on tech giants despite US threats
… Any digital company with revenue of more than €750m ($850m; £670m) - of which at least €25m is generated in France - would be subject to the levy.
It will be retroactively applied from early 2019, and is expected to raise about €400m this year.

Perspective. How will this impact Facebook’s cryptocurrency?
Jamie Redman reports:
An IRS slideshow created by James Daniels, IRS-CI cyber crimes program manager, describes some concerning methods IRS agents should use to crack down on crypto-using tax evaders. The slide follows the IRS’s recent announcement of tax guidelines on cryptocurrencies, which will contain rules about the tax treatment of digital assets and forks. Even though the new tax guidelines haven’t been issued to the public, IRS agents who enforce the tax laws have had no problems prosecuting bitcoin users for tax evasion. Agent Daniels’ recently published slide gives a lot of detail on how agents should combat crypto tax evaders by using a variety of investigation methods. Within the 181-page document, there are thorough descriptions of what a cryptocurrency is and chronicled paragraphs on assets like ripple (XRP) and bitcoin cash (BCH). The report discusses a myriad of digital currencies including BTC, XMR, BCH, XLM, XRP, and LTC. Daniels’ descriptive study even calls certain hardware wallet users “fanboys.”
Read more on Activist Post.

Could explain a lot…
Compiling a Federal Legislative History: A Beginner’s Guide

Worth mentioning to my students.
YouTube is launching educational playlists that won’t include algorithmic recommendations
YouTube is introducing a new education feature called Learning Playlists that will offer dedicated landing pages for educational videos on a variety of topics, including math, science, music, and language. The playlists will have organizational features, like chapters around key concepts, ordered from beginner to advanced lessons. The pages will also be notably free from recommended videos, letting viewers focus on their lessons without distractions.

Thursday, July 11, 2019

What constitutes a “conflict short of war?”
U.S. Offensive Cyber Operations against Economic Cyber Intrusions: An International Law Analysis – Part I
Would Economic Cyber Intrusions Against U.S. Entities Violate International Law?

I teach my students how to create their own encryption. Am I facilitating crime?
The Movement to Ban End-to-End Encryption Has Hit Another Inflection Point
It now appears that key agencies within the federal government have mixed feelings about the idea to ban end-to-end encryption. For example, on one hand are law enforcement agencies such as the FBI and Department of Justice, which view end-to-end encryption as a roadblock in their efforts to track down criminals and terrorists. On the other hand, the Commerce and State departments are less willing to take the heavy-handed step to ban end-to-end encryption, due to fears of the potential economic, security and diplomatic consequences.

Another GDPR nuance.
Dutch DPA: Banks May Not Use Payment Data for Marketing Purposes
In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use.
Under the GDPR, personal data must be collected for a specific purpose and not further processed for a different purpose if that further purpose is incompatible with the original purpose.
The DPA then specifically held that a bank does not collect transaction data for the purpose of direct marketing (contrary to the Dutch bank’s privacy statement).
The DPA subsequently concluded that the purpose of direct marketing is incompatible with the purpose of enabling financial transactions.

Another perspective on AI.
The Metamorphosis
AI will bring many wonders. It may also destabilize everything from nuclear détente to human friendships. We need to think much harder about how to adapt.

A lot of questions about privacy, AI, liability, etc.
Amazon Alexa will now be giving out health advice to UK citizens
MIT Technology Review – “The UK’s National Health Service hopes that its partnership with Amazon could help to reduce demand on its services.
  • The news: From this week, when UK users ask their Amazon smart speaker health-related questions, it will automatically search the official NHS website, which is full of medically-backed health tips and advice.
  • The aim: The government believes it will ease the burden on over-stretched doctors and hospitals, but also help elderly, disabled or blind patients who may struggle to access this information otherwise.
  • The worries: There are concerns that the voice service might discourage genuinely ill people from seeking proper medical help. It being Amazon, there are also concerns over data privacy, especially over an area as sensitive as health. The firm says all data can be deleted by customers…

(Related) My students are writing a policy for firms that sell voice activated devices to ensure that any evidence of criminal (or terrorist) activity is identified and reported to the proper authorities. Wish them luck.
Google, Amazon, and Apple say their AI-powered virtual assistants make it easier to get things done on smartphones or at home. Last month, a couple in the Waasmunster area of Belgium got an unexpected lesson in how these supposedly automated helpers really work.
Tim Verheyden, a journalist with Belgian public broadcaster VRT, contacted the couple bearing a mysterious audio file. To their surprise, they clearly heard the voices of their son and baby grandchild—as captured by Google’s virtual assistant on a smartphone.
Verheyden says he gained access to the file and more than 1,000 others from a Google contractor who is part of a worldwide workforce paid to review some audio captured by the assistant from devices including smart speakers, phones, and security cameras.
WIRED reviewed transcripts of the files shared by VRT, which published a report on its findings Wednesday. In roughly 150 of the recordings, the broadcaster says the assistant appears to have activated incorrectly after mishearing its wake word. [So, the other 850 were not recorded “in error?” Bob]
Privacy scholars say Google’s practices may breach the European Union privacy rules known as GDPR introduced last year, which provide special protections for sensitive data such as medical information and require transparency about how personal data is collected and processed.

A privacy podcast.
Internet Privacy: What Issues Arise Over Accessing Private Information Online?
Gov. Janet Mills recently signed into law The Act to Protect the Privacy of Online Consumer Information. It is one of the nation’s strictest internet privacy protection bills. It requires Maine ISPs to get customers' approval before sharing or selling their personal data. The law prohibits ISPs from offering customers discounts in exchange for selling their data. We discuss the issues that arise over how best to protect private information.
Listen to the full program (52:48).

Another swing of the pendulum.
Five new bills threaten California's privacy act, experts say
Five digital privacy bills are up for consideration in the California Senate’s judiciary committee on Tuesday that would drastically alter the California Consumer Privacy Act. The new legislation could reverse many of the measures improving security of consumers’ personal data under the landmark privacy bill, which is set to go live in 2020.
The bills — AB 1416, AB 25, AB 873, AB 846 and AB 1564 — are intended to repeal and amend much of the CCPA, which set a new standard for consumer data protection after being signed into law last June.
AB 1416, identified by privacy advocates as the most pernicious of the five bills up for consideration, would allow any business to sell personal information even after a consumer opts out, if the sale is conducted for the purposes of detecting fraud or other illegal activity.

Because we can? Will IP lawyers be able to determine what the AI based its design on? (Note the company’s URL)
The T-shirts sold by Cross & Freckle, a New York–based fashion upstart, don't look revolutionary at first glance. They come in black or white, they're cut for a unisex fit, and they sell for $25. Each of them has a little design embroidered into the cotton that references staples of New York City life: pigeons, dollar pizza slices, subway rats.
Cross & Freckle doesn't just use AI to create its designs; it also got the brand's name and logo from a neural net, called the Hipster Business Name Generator and used an AI text generator to create the mumbo-jumbo marketing copy on the company's website. It's a new model for a brand that relies entirely on AI.

Perspective. Technology moves too fast for employees to make a full career of one skill.
Amazon commits $700M to retrain 100k employees, acknowledging impact of tech on jobs
Amazon is embarking on a $700 million effort to retrain its U.S. workforce, in a high-profile acknowledgment of the impact of technology and automation on jobs and the workforce.
The company says it will spend the money over the next five years to “upskill” roughly 100,000 employees, about one-third of its U.S. workforce. The free program, announced Thursday morning, will allow Amazon workers to reboot their careers in hot areas such as data mapping specialist, data scientist, solutions architect and business analyst.

An Amazon-enabled occupation I knew nothing about.
Anderson is an Amazon nomad, part of a small group of merchants who travel the backroads of America searching clearance aisles and dying chains for goods to sell on Amazon. Some live out of RVs and vans, moving from town to town, only stopping long enough to pick the stores clean and ship their wares to Amazon’s fulfillment centers.

Dilbert gives a great example of something so many people believe that it can’t possibly be “fake news!”