Saturday, April 10, 2021

Update.

https://www.databreaches.net/310000-records-compromised-in-university-of-colorado-data-breach-including-social-security-numbers-university-financial-information/

310,000 Records Compromised In University Of Colorado Data Breach, Including Social Security Numbers & University Financial Information

Audra Streetman reports:

The University of Colorado released new information on Friday about the Accellion data breach that compromised more than 310,000 university records. Officials say the data accessed in the breach includes personally identifiable information, including grades and transcript data, visa and disability status, medical and prescription information and in limited cases, Social Security numbers and university financial account information.

Read more on CBS Denver. The university has not yet reported the number of patients who had ePHI involved — or if they have, HHS hasn’t added it to the public breach tool yet.





For my Computer Security students.

https://venturebeat.com/2021/04/09/microsoft-open-sources-tool-to-use-ai-in-simulated-attacks/

Microsoft open-sources tool to use AI in simulated attacks

As part of Microsoft’s research into ways to use machine learning and AI to improve security defenses, the company has released an open source attack toolkit to let researchers create simulated network environments and see how they fare against attacks.

Microsoft 365 Defender Research released CyberBattleSim, which creates a network simulation and models how threat actors can move laterally through the network looking for weak points. When building the attack simulation, enterprise defenders and researchers create various nodes on the network and indicate which services are running, which vulnerabilities are present, and what type of security controls are in place. Automated agents, representing threat actors, are deployed in the attack simulation to randomly execute actions as they try to take over the nodes.





Trying to keep up!

https://www.pogowasright.org/alaskas-consumer-data-privacy-act-another-ccpa-copycat-but-with-its-own-unanswered-questions/

Alaska’s Consumer Data Privacy Act: Another CCPA Copycat, but With Its Own Unanswered Questions

Nancy Libin of Davis Wright Tremaine writes:

Last week, Alaska joined the growing number of states considering comprehensive consumer privacy legislation when, at the behest of Governor Dunleavy, the Consumer Data Privacy Act was introduced in both chambers of the Alaska legislature. If enacted, the Act would become effective on January 1, 2023.
The Act is modeled after the California Consumer Privacy Act (CCPA) and provides consumers certain rights and imposes obligations on businesses that collect consumers’ personal information. Although similar to the CCPA in many respects, it diverges from the CCPA in some significant ways that would pose compliance challenges for businesses.

Read more on Privacy & Security Law Blog.





Surveillance as intimidation. (Or Commissioners as unreasonable people?)

https://www.pogowasright.org/nz-case-note-302694-2021-man-complains-about-neighbours-security-camera/

NZ: Case note 302694 [2021]: Man complains about neighbour’s security camera

From the office of the Privacy Commissioner of New Zealand, this recent decision and case note:

A man complained that his neighbour had installed a security camera aimed at the back gate of his property, which made him feel intimidated.
Section 27
The man’s complaint raised issues under section 27 of the Privacy Act 2020.
Section 27 provides that the information privacy principles do not apply to the collection of personal information where it is collected or held solely for the purposes of, or in connection with that person’s personal, family, or household affairs.
We found that section 27 applied here as there had been ongoing disputes between the man and his neighbour over parking and interactions with guests. Therefore, in our view, the information was collected in connection with the neighbour’s domestic affairs.
However, section 27 does not apply where the collection, use or disclosure of the information in question would be highly offensive to an ordinary, reasonable person. We considered that the collection of images in the man’s backyard did not reach the threshold of highly offensive.

Read more on privacy.org.nz





Even if AI does not own the patent, they will shake up this area of law.

https://www.lexology.com/library/detail.aspx?g=15897da3-9229-4ff6-bccf-62169f0e8df3

Disclosing AI Inventions - Part I: Identifying the Unique Disclosure Issues

Our recent post “Tracking AI Prosecution Trends at the U.S. Patent Office” presented USPTO data which suggests that future prosecution of AI inventions may be less focused on patent eligibility under 35 U.S.C. §101 and more focused on the traditional requirements of §§ 102, 103 and 112. This post is the first of a two-part series looking into the challenges that AI inventions present to one of these traditional requirements: patent disclosure under 35 U.S.C. §112(a). In this Part I, we identify the unique disclosure issues with AI inventions. In Part II, we provide practice tips for describing and enabling AI inventions.

A fundamental premise of most patent systems is the quid pro quo by which an inventor discloses his or her invention to the public in return for exclusive rights to use such invention for a limited time. Recent advances in artificial intelligence (AI) have sparked debate as to whether current patent disclosure requirements can enrich the public with AI inventions such that the granting of the exclusive right is justified. This debate inevitably centers on the “black box” nature of a particular type of AI: machine learning. Machine learning is the dominant AI technique disclosed in patents.[1] As such, understanding the patent disclosure issues presented by AI inventions requires an understanding of the basics of machine learning.



(Related) Would we allow them to patent this technique?

https://www.rt.com/news/520595-machine-learning-language-cancer-alzheimers/

Algorithms used by Netflix, Amazon, and Facebook can ‘predict’ language of cancer and diseases such as Alzheimer’s – study

Researchers have developed a machine-learning algorithm similar to those used by Facebook and Netflix that can decode the molecular language of disease and potentially revolutionize the world of medicine.

Recommendations on social media and online entertainment platforms are derived from powerful machine-learning algorithms that monitor behavior patterns to suggest potential friends or connections, or the next series or film to watch on platforms such as Netflix. Predictive text on a smartphone also makes use of deep language learning to anticipate which words a user is likely to need next as they write a sentence.

If similar machine-learning algorithms can be trained to produce massive language models based on protein interactions within the human body, the results could prove to be revolutionary for the field of medicine, and may unlock the secret to defeating some of humanity’s most intractable and devastating diseases.





Perspective.

https://thehill.com/opinion/technology/547418-the-reality-of-americas-ai-talent-shortages

The reality of America's AI talent shortages

The concern about an artificial intelligence, or AI, workforce shortage in the United States is rapidly becoming a top national security priority. Calls for additional legislative action are mounting as the national security community sees talent as a key enabler in outcompeting China. An increasing number of proposals, including those in the 2021 National Defense Authorization Act and others based on the recommendations of the National Security Commission on Artificial Intelligence, have the goal of growing and cultivating the domestic AI workforce based on the premise of shortages.

However, there is little data on actual U.S. AI labor market dynamics to inform whether there is an AI workforce shortage, and if so, what type and to what extent. Moreover, there is no standard definition of “AI workforce.” This makes it difficult, if not impossible, to determine which workers are in short supply and how to best address it.





Perspective. Is this cart before the horse?

https://www.cnbc.com/2021/04/09/white-house-set-to-host-google-intel-ceos-to-discuss-computer-chip-supply-chain.html

White House set to host Google, Intel CEOs to discuss computer chip supply chain



(Related) Ready, fire, aim? OR because these poor companies are nearly broke?

https://www.windowscentral.com/white-house-calls-funding-fight-semiconductor-shortage-proposal-congress

President Biden calls on Congress to help fight semiconductor shortage

President Biden called for funding to fight the semiconductor shortage in the White House's first budget proposal to Congress today. The request from the White House includes $150 million to fund two new manufacturing programs, one of which would target semiconductor manufacturing in the U.S.



(Related) Of course, a mere $150 million won’t build a semiconductor facility.

https://www.cnbc.com/2021/03/23/intel-is-spending-20-billion-to-build-two-new-chip-plants-in-arizona.html

Intel is spending $20 billion to build two new chip plants in Arizona





Pandemic: year two.

https://dilbert.com/strip/2021-04-10



Friday, April 09, 2021

Why look through LinkedIn one user at a time?

https://www.businessinsider.com/linkedin-data-scraped-500-million-users-for-sale-online-2021-4?op=1&scrolla=5eb6d68b7fedc32c19ef33b4

Hackers scraped data from 500 million LinkedIn users — about two-thirds of the platform's userbase — and have posted it for sale online

Data from 500 million LinkedIn users has been scraped and is for sale online, according to a report from Cyber News. A LinkedIn spokesperson confirmed to Insider that there is a dataset of public information that was scraped from the platform.

"While we're still investigating this issue, the posted dataset appears to include publicly viewable information that was scraped from LinkedIn combined with data aggregated from other websites or companies," a LinkedIn spokesperson told Insider in a statement. "Scraping our members' data from LinkedIn violates our terms of service and we are constantly working to protect our members and their data."





I like it, but is it even possible?

https://www.theregister.com/2021/04/09/ban_cyber_insurance_payouts/

How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director

Increasing numbers of senior ex-GCHQ people have called for laws preventing businesses using cyber insurance to buy off ransomware attackers – with the money merely perpetuating the criminals' business model.

Marcus Willett, a senior cyber adviser with the International Institute for Strategic Studies and former GCHQ director of cyber (pre-NCSC), wrote at the end of March that the world needs "new laws establishing disincentives to pay ransoms to cyber criminals."

Willett observed that "it is currently too convenient for companies simply to use their insurance to pay up" to avoid the disruption of a ransomware attack. Doing so, he argued, made a mockery of initiatives designed to raise wider awareness of basic cyber hygiene.

Partially agreeing with him, a former NCSC deputy director opined that a total ban might not be practical. Writing for the Society for Computers and Law website, Peter Yapp said previous never-pay policies have failed.





Another good reason to hack Aadhaar? A return to ‘untouchables?’

https://www.theregister.com/2021/04/09/india_facial_id_covid_vaccinations/

India uses controversial Aadhaar facial biometrics to identify COVID vaccination recipients

India’s National Health Authority has commenced a pilot of facial recognition software as a means of identifying people as they queue in the nation's COVID-19 vaccine centres.

The reason for using facial biometrics is simple: fingerprints or eyeball scans require touching equipment and getting close to machinery, both risky activities during the pandemic. A touchless and more sanitary facial recognition system therefore makes sense.

The system uses facial scans captured under India's Aadhaar national ID scheme.





I blogged about this before but didn’t link to the actual report.

https://www.vox.com/future-perfect/22321435/future-of-ai-shaped-us-china-policy-response

The future of AI is being shaped right now. How should policymakers respond?

A new report from the National Security Commission on Artificial Intelligence (NSCAI), a committee Congress established in 2018, grapples with some of the large-scale implications of that trajectory. In 270 pages and hundreds of appendices, the report tries to size up where AI is going, what challenges it presents to national security, and what can be done to set the US on a better path.



(Related)

https://www.cbinsights.com/research/report/artificial-intelligence-top-startups/

AI 100: The Artificial Intelligence Startups Redefining Industries

CB Insights has unveiled the winners of the fifth annual AI 100. This year’s cohort of promising private AI companies represents 12 countries and is driving innovation across 18 industries and a broad range of cross-industry applications.

The products that this year’s winners are bringing to market — from drug R&D and revenue cycle management for hospitals to autonomous beekeeping and municipal waste sortation — highlight the breadth and depth of AI’s impact on industries.






AI & Law

https://www.pogowasright.org/2021-ccpa-q1-litigation-report-35-cases-filed-unsurprising-trend-of-data-event-class-actions/

2021 CCPA Q1 Litigation Report: 35+ Cases Filed, Unsurprising Trend of Data Event Class Actions

Zarish Baig and Kristin L. Bryan of Squire Patton Boggs write:

It has been a year for the record books for data privacy litigation (and we are only into Q2 – who knows what Q3 and Q4 will bring!) CPW has been tracking significant developments in this area of the law—including in regards to the California Consumer Privacy Act (“CCPA”). While the statute has been in effect for a little over a year, it has already become a battleground for plaintiffs seeking to assert statutory claims against defendants for failing to maintain reasonable security procedures (even if the only harm plaintiffs allegedly suffered is speculative risk of future injury). In fact, the flood of litigation under the CCPA was cited this week as a reason for the Florida legislature to consider dropping a private right of action from a data privacy bill under consideration.

Read more on The National Law Review.





Perspective.

https://techcrunch.com/2021/04/08/consumers-now-average-4-2-hours-per-day-in-apps-up-30-from-2019/?guccounter=1

Consumers now average 4.2 hours per day in apps, up 30% from 2019

The coronavirus pandemic has increased our collective screen time, and that’s particularly true on mobile devices. According to a new report from mobile data and analytics firm App Annie, global consumers are now spending an average of 4.2 hours per day using apps on their smartphones, an increase of 30% from just two years prior. In some markets, the average is even higher — more than five hours.





Perspective. The days of outsourcing to China are over. Where do they look to outsource?

https://www.cnbc.com/2021/04/09/chinas-factories-automate-as-worker-shortage-looms.html

China’s factories automate as worker shortage looms

Factories in China are turning to technology to tackle a pending labor shortage.

Per official figures, the country’s working age population has shrunk by more than 5 million people in the last decade as births have dropped – despite a rollback of the controversial one-child policy.

And for the factories that have driven much of modern China’s growth, workers are already in short supply, pushing wages up. That’s forcing companies to relocate or increase automation, especially as the labor shortage looks like it will only get worse.

Young people today aren’t willing to work on factory floors, said Shirley Zhou, IT director at Midea, a home appliance giant based in southern China.





Tools.

https://www.makeuseof.com/tag/10-tools-make-bootable-usb-iso-file/

How to Create a Bootable USB From an ISO: 6 Useful Tools



Thursday, April 08, 2021

An advance notice:

The Privacy Foundation encourages you to save April 30th for the 2021 Virtual Spring Seminar: US State and EU Privacy Developments. The panel experts will delve into the impact of the CCPA and the GDPR since they were initiated. CLE credit is being applied for.

This spring’s panelists include Tyler Thompson, of Greenberg Traurig, Arielle Brown, of Hogan Lovells US LLP, Bob Sprague, Professor of Business Law, University of Wyoming, and Camila Tobón, of Davis Graham and Stubbs LLP.

Stay tuned for a follow-up email containing the seminar schedule and registration link to the webinar.





As I see more and more articles like these, I wonder if we are getting close enough to the line for more people to start sending warnings.

https://threatpost.com/crossing-line-cyberattack-act-war/165290/

Crossing the Line: When Cyberattacks Become Acts of War

The question is, when does a cyberattack cross the line between a criminal action or mere prank, to an act of war? Is it the nature of the victim? The nature of the attacker? The nature of the damage? Or a combination of them all?



(Related)

https://thenextweb.com/insights/2021/04/08/should-countries-ever-respond-to-cyberattacks-with-physical-force/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheNextWeb+%28The+Next+Web+All+Stories%29

Should countries ever respond to cyberattacks with physical force?

In conventional warfare, it’s accepted that if a state finds itself under attack, it’s entitled to respond – either with defensive force, or with a counterattack. But it’s less clear how countries should respond to cyberattacks: state-backed hacks which often have dangerous real-world implications.



(Related)

https://www.theregister.com/2021/04/08/india_admits_china_outmatches_cyber_defences/

Indian defense chief admits China’s cyber-weapons would ‘disrupt large number of systems’ whenever Beijing presses the button

The highest-ranked officer in India’s armed forces has admitted that China has cyber-war capabilities that can overwhelm his nation’s defenses and suggested that only cross-forces collaboration will get India to parity with its giant neighbor.





The FBI claims that encryption makes their job impossible. Perhaps they should sub-contract to the guys from Belgium?

https://www.theregister.com/2021/04/08/sky_ecc_drugs/

Belgian police seize 28 tons of cocaine after 'cracking' Sky ECC's chat app encryption

The Belgian plod says it seized 27.64 tons of cocaine worth €1.4bn (£1.2bn, $1.65bn) from shipments into Antwerp in the past six weeks after defeating the encryption in the Sky ECC chat app to read drug smugglers' messages.

"During a judicial investigation into a potential service criminal organization suspected of knowingly providing encrypted telephones to the criminal environment, police specialists managed to crack the encrypted messages from Sky ECC," the Belgian police claimed, CNN reports.





Sounds bad, but they may be correct.

https://www.reuters.com/article/us-facebook-data-leak-idUSKBN2BU2ZY

Facebook does not plan to notify half-billion users affected by data leak

Facebook Inc did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database, and does not currently have plans to do so, a company spokesman said on Wednesday.

Business Insider reported last week that phone numbers and other details from user profiles were available in a public database. Facebook said in a blog post on Tuesday that “malicious actors” had obtained the data prior to September 2019 by “scraping” profiles using a vulnerability in the platform’s tool for synching contacts.

The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified. He said it also took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users. Facebook has said it plugged the hole after identifying the problem at the time.





How broad is this coverage? Would a Colorado victim be able to sue a Utah breached company?

https://www.databreaches.net/utah-is-the-2nd-state-to-create-a-safe-harbor-for-companies-facing-data-breach-litigation/

Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation

Joseph J. Lazzarotti, Jason C. Gavejian, and Maya Atrakchi of JacksonLewis write:

In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.
In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. More specifically, a person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:

Read more on Workplace Privacy, Data Management & Security Report





Such ignorance at this late date is concerning.

https://www.bespacific.com/sorry-judges-encrypted-chat-is-not-like-a-private-thought/

Sorry, judges, encrypted chat is not like a private thought

Engadget: “A state judge recently ruled that two of the men who plotted to kidnap Michigan’s governor did not make terrorist threats because they used an encrypted chat app to do so. Since federal agencies and lawmakers have been trying to get encrypted comms backdoored by arguing that they are the tool of choice for terrorists, we won’t blame you if your double-take gave you whiplash. It already boggles the mind to see a terrorism charge dropped against people doing domestic terrorism things, like plan and coordinate to attack the Capitol, blow up a bridge to stop police, murder law enforcement that got in the way to kidnap a US state governor, and murder said governor. But hang on. Just try not to strain anything when we tell you that the judge’s reason not to charge the foiled kidnappers for “threatening an act of terrorism” is because 12th District Court Judge Michael Klaeren said that using encrypted comms is the same as having private thoughts. “After onboarding new members through mediums such as Facebook, the group’s conversations took place in encrypted chats,” reported The Detroit News…”





Interesting topic. Registration required.

https://biztechmagazine.com/article/2021/04/cdw-tech-talk-finding-humanity-artificial-intelligence-and-big-data

CDW Tech Talk: Finding the Humanity in Artificial Intelligence and Big Data

Data is at the core of everything businesses do. Sometimes, however, organizations can be inundated with information, and they can fail to understand how ethics should inform decisions about how to use that data.

The confluence this past year of a global pandemic, an economic crisis and civil unrest exposed the need for businesses to prioritize social responsibility and humanity when making technology decisions.

The ethical use of data, technology and artificial intelligence was the subject of a recent CDW Tech Talk series session featuring Allen Clingerman, chief technology strategist for server and workloads for Dell Technologies.

“The problem’s only getting harder,” Clingerman said. “The amount of data that the average organization manages has grown to a staggering 13.53 petabytes.”





Could evolve into labels like “flaming liberal” or “radical right.” Does Facebook have rules for applying these labels as well as a procedure to challenge them? What if you call it satire but I think it’s true? Will the people who believe this rubbish understand what the word satire means?

https://www.theverge.com/2021/4/8/22373291/facebook-label-news-feed-page-posts-fan-satire-public-official?scrolla=5eb6d68b7fedc32c19ef33b4

Facebook hopes tiny labels on posts will stop users confusing satire with reality

Facebook is adding additional labels to posts from Pages that appear in users’ News Feeds in a bid to reduce confusion about their origin. These labels will include “public official,” “fan page,” and “satire page.” The company says it’s already started testing the deployment of these labels in the US, and will gradually add them to more posts.

Facebook hasn’t offered any explanation as to why it’s adding these labels, but identifying satire seems particularly important. Take a look at the social shares for any news articles written by well-known satirical sites like The Onion or The Babylon Bee and you’ll find plenty of people taking these stories at face value. In such a context these posts are essentially a type of misinformation, even if their creators did not intend this. Even high profile figures like former president Donald Trump have mistaken these stories for real reports.





Perspective.

https://www.bespacific.com/social-media-use-in-2021/

Social Media Use in 2021

Pew Research Center – “A majority of Americans say they use YouTube and Facebook, while use of Instagram, Snapchat and TikTok is especially common among adults under 30. Despite a string of controversies and the public’s relatively negative sentiments about aspects of social media, roughly seven-in-ten Americans say they ever use any kind of social media site – a share that has remained relatively stable over the past five years, according to a new Pew Research Center survey of U.S. adults. Beyond the general question of overall social media use, the survey also covers use of individual sites and apps. YouTube and Facebook continue to dominate the online landscape, with 81% and 69%, respectively, reporting ever using these sites. And YouTube and Reddit were the only two platforms measured that saw statistically significant growth since 2019, when the Center last polled on this topic via a phone survey. When it comes to the other platforms in the survey, 40% of adults say they ever use Instagram and about three-in-ten report using Pinterest or LinkedIn. One-quarter say they use Snapchat, and similar shares report being users of Twitter or WhatsApp. TikTok – an app for sharing short videos – is used by 21% of Americans, while 13% say they use the neighborhood-focused platform Nextdoor…”





Not sure I agree. Removing individual actors, even President Trump, is unlikely to bankrupt Facebook or even seriously reduce their revenues. Congressional overreaction could have that effect.

https://techpolicy.press/follow-the-money-to-rein-in-big-tech-lawmakers-are-right-to-focus-on-business-models/

Follow the money: to rein in Big Tech, lawmakers are right to focus on business models

At the March 25th congressional hearing on disinformation, members of the House Committee on Energy and Commerce highlighted some of the more serious harms brought on by targeted advertising and content curation systems, including the January 6 attack on the U.S. Capitol and viral disinformation about COVID-19 vaccines. The CEOs of Facebook, Google, and Twitter deflected lawmakers’ questions about how their technologies actually work and drive profits. Instead, they touted their efforts to weed out disinformation and extremism with things like fact-checking labels and abuse-detecting algorithms.

These efforts are a sideshow, and members of congress finally seem to understand this. The real problem at hand, as our research group has argued for some time, was succinctly described by Committee Chairman Frank Pallone: “it’s the business model.” Companies are choosing profit over the public interest and deliberately concealing how they build their algorithmically-driven ad systems. This is not just about trade secrets or bad actors. It is about their fundamental goal: growth.





Trump’s words will get out. And some people believe them before they even see them.

https://www.bespacific.com/national-archives-cant-resurrect-trumps-tweets-twitter-says/

National Archives can’t resurrect Trump’s tweets, Twitter says

Politico: “Twitter will not allow the National Archives to make former President Donald Trump’s past tweets from his @realDonaldTrump account available on the social media platform, the company told POLITICO on Wednesday, in the latest display of Silicon Valley’s power over communications channels used by the U.S. government. The statement came as the National Archives and Records Administration has been working to create an official online archive of Trump’s tweets as president, including those that prompted Twitter to permanently suspend him earlier this year as a threat to public safety. NARA already maintains archives for the institutional and personal accounts of many other former Trump administration officials, in which the old tweets live on the Twitter platform and users can retweet, like and otherwise interact with them. Twitter’s decision is further fuel for a debate in Washington about social media companies’ control over users’ speech, amid Republican accusations that Silicon Valley’s giants are censoring conservatives. Just two days ago, Supreme Court Justice Clarence Thomas lamented in a 12-page opinion that technology has placed “control of so much speech in the hands of a few private parties,” suggesting Congress may need to step in. NARA spokesperson James Pritchett said that while the National Archives “is still exploring the best way” to make the @realDonaldTrump archival content public, the agency would defer to Twitter on whether that archive should be available on the social media site and would still post the preserved tweets to the Donald J. Trump Presidential Library website.…”