Saturday, April 13, 2019


Philosophy or policy? Interesting questions. How much more interesting if they were asked in court with the CEO in the witness chair?
Attorney Matt Fisher writes:
Notice of a new data breach is posted at least once a day. A frequent feature of many notices is the disclosure that the conduct giving rise to the breach happened months earlier, with the delay sometimes going into years in some instances.
The notices typically do not provide much insight into the reasoning for the delays, which gives rise to the question; when should notice of a data breach be provided?
The answer is seemingly straightforward. The HIPAA data breach notification rule states that, absent certain narrow exceptions, a covered entity needs to provide notice without unreasonable delay, which should be no more than 60 days following discovery of the breach.
The language “without unreasonable delay” is key.
Read more of Matt’s commentary on Health Data Management The issue of when a breach is considered “discovered” for purposes of starting any clock is one I grapple with on almost a daily basis. Matt seems to take a fairly firm position about what “discovered” means, but I am aware that there are entities who argue to the effect of “Well, how do you know who to notify and what to tell them if you are still investigating at 60 days?”
That seems to be a fairly logical argument, until I respond, “Well, why couldn’t you have have determined that sooner?” Did you allow too much ePHI to accumulate in employees’ email accounts? Did you fail to check logs regularly? Did you not hire enough people to investigate this breach intensively?” When did you start the intensive investigation after discovery?
But then, it’s easy to sit at a desk in my office and lob questions at entities when I would not want to change places with those trying to respond to an incident.




I’m probably missing dozens (hundreds?) of articles on CCPA.
Joseph J. Lazzarotti of JacksonLewis writes:
As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA). This week, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2. This move came despite concerns raised about the scope of the amendment’s expanded private right of action. It is worth noting that a restricted private right of action is believed to have been fundamental to the compromise that led to the CCPA becoming law.
If SB 561 becomes law, it would make a number of significant changes to the current law.
Read more on Workplace Privacy, Data Management & Security Report. Alan Friel of BakerHostetler also comments on this over on Data Privacy Monitor.
In other news about CCPA proposed amendments, Liisa Thomas, Craig Cardon, Rachel Tarko Hudson and Brian Anderson of ShepherdMullin discuss AB-25 in their post, Will CCPA’s Definition of Consumer Be Narrowed?


(Related) “No on expects the Spanish Inquisition!”
New Report Highlights Potential Privacy Blind Spot Resulting from Data Sharing and Data Inventory Practices
A comprehensive new study (“2019 Data Privacy Maturity Study”) from Seattle-based Integris Software suggests that many mid- to large-sized enterprises simply are not prepared for the avalanche of private data in the marketplace today, or for the growing proliferation of data sharing agreements with other companies. Add in the fact that government regulations appear to be mushrooming on a state-by-state basis across the United States, and it’s easy to see why a clear majority (79%) of these enterprises now support a federal privacy law that would provide clear guidelines on data sharing and data inventory practices.
However, the big question is whether enterprises are really able to scale their data sharing and data inventory practices past a certain level. Enterprises with more than 500 employees, for example, typically have far-flung operations all over the globe. Moreover, they have a huge network of vendors, suppliers and partners. Recognizing the inherent complexity involved in navigating all of this personal data, only 23% of enterprises said they were ready for the upcoming California Consumer Privacy Act, which is set to go into effect in 2020. Moreover, only 36% said they were ready for the General Data Protection Regulation (GDPR), which went into effect in May 2018. This last figure is particularly troubling, because it has now been almost one year since the GDPR went into effect, and the majority of enterprises are still having a hard time coping with the new rules surrounding data subjects, data mapping, data sharing and data inventory.
[From the report:
Forward looking organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.


(Related) Words you can’t use in French? Will this ruling translate?
Catherine Muyl and Marion Cavalier of Foley Hoag write:
It has been rough weather for Google in France. Three weeks after the French ‎Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court (“Tribunal de Grande Instance”) invalidated 38 clauses of Google’s Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google. This decision was rendered on February 12, 2019 in an action that was initiated against Google Inc. in 2014 by an old French consumer not-for-profit organization, UFC QueChoisir.




Perspective. Miracles aside, could we create an AI indistinguishable from God?
How Southern Baptists Are Grappling With Artificial Intelligence
Traditional theist religions have “turned from a creative into a reactive force,” as historian Yuval Noah Harari put it in his 2016 book, Homo Deus. “They now mostly agonize over the technologies, methods and ideas propagated by other movements.”
That reputation makes a statement on artificial intelligence released Thursday by the Southern Baptist Convention all the more intriguing. The SBC’s public-policy arm, the Ethics and Religious Liberty Commission, spent nine months researching and writing “Artificial Intelligence: An Evangelical Statement of Principles,” and it has been signed by 68 prominent evangelical thinkers. The brief document is intended to respond to the “existential questions” raised by A.I. technology. It takes a strikingly optimistic tone in doing so. “This was created not out of fear, but out of an understanding that [A.I.] is a tool that God has given us,” said Jason Thacker, who headed the project at the ERLC.




Any technology invented before the Civil War is not advisable in modern business.



Friday, April 12, 2019


Is there anyplace where we can find all “terrorist” content, if for no other reason, to train our defensive AI systems to recognize it.
EU Tells Internet Archive That Much Of Its Site Is 'Terrorist Content'
We've been trying to explain for the past few months just how absolutely insane the new EU Terrorist Content Regulation will be for the internet. Among many other bad provisions, the big one is that it would require content removal within one hour as long as any "competent authority" within the EU sends a notice of content being designated as "terrorist" content. The law is set for a vote in the EU Parliament just next week.
And as if they were attempting to show just how absolutely insane the law would be for the internet, multiple European agencies (we can debate if they're "competent") decided to send over 500 totally bogus takedown demands to the Internet Archive last week, claiming it was hosting terrorist propaganda content.
And just in case you think that maybe the requests are somehow legit, they are so obviously bogus that anyone with a browser would know they are bogus. Included in the list of takedown demands are a bunch of the Archive's "collection pages" including the entire Project Gutenberg page of public domain texts, it's collection of over 15 million freely downloadable texts, the famed Prelinger Archive of public domain films and the Archive's massive Grateful Dead collection. Oh yeah, also a page of CSPAN recordings. So much terrorist content!




You may get answers to these questions next Friday at the Privacy Foundation Seminar on the CCPA. (See details at https://www.law.du.edu/privacy-foundation) Their seminar on GDPR completely changed the way I teach my Computer Security and System Architecture classes.
Companies Are Ready and Willing to Comply with CCPA – But First, They Need to Know How
No one disputes the importance of guarding the privacy of consumer information. But the recently enacted California Consumer Privacy Act (CCPA) threatens businesses with potentially crippling liabilities, while also harming consumers who benefit from innovation (including new ways to use data to offer personalized services and product recommendations) and enjoy free services made possible by data collection, processing and usage.
California’s Attorney General and legislature are currently proposing amendments to the law. Their proposals, however, may do little to aid businesses in knowing how to comply with CCPA, and may instead dramatically increase liability risks for non-compliance. Indeed, the amendments currently under consideration appear calculated to please the plaintiff class action bar above all others. The proposed amendments would incentivize private enforcers to sue defendants for annihilating penalties, even where the alleged violations are morally blameless and do not cause actual harm, while also removing the limited mechanisms currently available by which companies can obtain guidance on how to comply.




Another strange Alexa “skill.”
Joe Cadillic writes:
If ever there was a red flag story about Amazon’s Alexa then this is it.
If you watch the “Alexa for Medical Care Advice” video posted above, you will hear Alexa asking Peggy, to “tell me about the symptoms or problems that are troubling you the most.”
Divulging your health issues to a private corporation is extremely troubling as you will see.
Let’s start with the obvious concerns and talk about something you will not see in the video.
Like Peggy telling Alexa, it is none of Amazon’s business what her health concerns are and Alexa should stop listening to everything she says.
Read more on MassPrivateI.




Who sets moral standards? Do they vary by geography or ethnicity?
Instagram Will Now Judge Posts That Can be Classified as Inappropriate, as it Adopts The Nanny Role
Artificially intelligent algorithms and machine learning are possibly going to dictate morals and perhaps more.
Facebook owned Instagram is making tweaks to the Community Guidelines that dictate the posts that you see in the recommendations as well as with hashtag searches. The social network is reworking the algorithms to filter out posts that could be labeled as “inappropriate” but may actually not be breaking any rules or going against community guidelines.
“We have begun reducing the spread of posts that are inappropriate but do not go against Instagram’s Community Guidelines, limiting those types of posts from being recommended on our Explore and hashtag pages,” says Instagram in an official post. But what sort of posts would these be?
Apparently, Instagram will judge the content of each post and then decide whether it violates any community guidelines or not. If it doesn’t, but Instagram still doesn’t like the looks of it, the post will be classified as “inappropriate” and sent to sit on the naughty step. Instagram gives the example of a sexually suggestive post, which may be targeted in this new regime where artificially intelligent algorithms and machine learning are possibly going to dictate morals and perhaps more.
Instagram says such a post will still appear on your Feed if you follow the account that posts it. [So you can still see what the Grand Kleagle has to say, but recruiting new klansmen might become a bit more difficult. Bob] However, these posts will be downrated in a way, and may not appear in the Explore tab, the hashtag pages as well as when a user makes a specific search with a hashtag.


(Related) Would we be better off if the government set the standards?
No smoking, no tattoos, no bikinis: inside China’s war to ‘clean up’ the internet
    • China’s social media companies employ thousands to censor content that falls afoul of the country’s stringent regulations governing the internet
    • While AI is used to remove banned content, many decisions are taken by humans, especially if they involve context




Little lawyers have big ears. (More polite than: Admirals have big mouths.)
How the Navy’s top commander botched the service's highest-profile investigation in years
One officer asked a question that touched on a sensitive topic: two collisions of warships in the Pacific in the summer of 2017 that left 17 sailors dead in the Navy's worst maritime accidents in decades.
The Navy had recently announced that it would criminally prosecute the captains of the vessels and several crew members for negligence leading to the fatal accidents. The questioner wanted to know whether officers now had to worry about being charged with a crime for making what could be regarded as a mistake.
Richardson answered by saying that he could not discuss pending cases. As a bedrock principle of military law, commanders cannot signal a preferred outcome. But then, almost as an afterthought, he attempted to reassure the man that the collisions were no accidents.
I have seen the entire investigation. Trust me, if you had seen what I have seen, it was negligent," Richardson told the audience, according to court records.
Pollio, a Navy attorney, was alarmed. It appeared to her that Richardson had effectively pronounced guilt before trial. And he had done so in public, in front of an audience whose members could conceivably participate in the military's judicial proceedings.




This is sort of a: Microsoft wouldn’t let us have data stored in Ireland, so we wrote a law so now they have to.
Department of Justice Releases White Paper on CLOUD Act
On Wednesday, the U.S. Department of Justice released a white paper and FAQ on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which was enacted in March 2018 and creates a new framework for government access to data held by technology companies worldwide. The paper, titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” addresses the scope and purpose of the CLOUD Act and responds to 29 frequently asked questions about the Act.




For my Vets.
Get out of the house with these free tickets to outdoor events for veterans and their families
Below is a sampling of the hundreds of events Vet Tix has free tickets to for Vet Tix members. Don't see anything in your area? We get new events daily so be sure to check your emails for new events.
April 22nd – Denver, Co., Colorado Rockies vs. Washington Nationals
May 18th – Morrison, CO. – Napa Night of Fire & Thunder
To become a VetTixer and to request tickets to these and hundreds of other events, which are free except for a very small delivery fee, visit VetTix.org to create a free account. Once you've created an account and we've verified your status as military or a veteran, you can review hundreds of upcoming events across the country.



Thursday, April 11, 2019


Insecurity by design.
Cars Exposed to Hacker Attacks by Hardcoded Credentials in MyCar Apps
A small aftermarket telematics unit from Montreal, Canada-based AutoMobility, MyCar provides users with a series of smartphone-controlled features for their cars, including geolocation, remote start/stop and lock/unlock capabilities.
The easy-to-use MyCar app interface gives you control to remote start, lock, unlock and locate your vehicle from anywhere just by pushing a button on your smartphone,” the vendor says .
Hardcoded admin credentials found in the MyCar Controls mobile apps can be used to communicate with the server endpoint for a targeted user’s account, without having their username and password.
A remote un-authenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle,” Carnegie Mellon University’s CERT Coordination Center notes in a security alert.




Amusing. (To those of us with no Facebook page.)
Transparency tool on FB inadvertently provides window into confusing maze of companies who have your data
BuzzFeedNews – “On Facebook under Settings, there’s a page in the Ads section where you can view your Ad Preferences. Most of this is fairly straightforward — choices about how you’ll allow ads and how advertisers target you based on things like what pages you’ve liked. But there’s one section there that will probably surprise you: a list of advertisers “Who use a contact list added to Facebook.”… According to the description, “These advertisers are running ads using a contact list they or their partner uploaded that includes info about you. This info was collected by the advertiser or their partner. Typically this information is your email address or phone number.” The list of Advertisers, a feature Facebook added for transparency, is incomprehensible to anyone who isn’t an expert in advertising (and even some who are!), and leads to the unsettling realization that…, man, our data is out there and trafficked without our consent and being used by advertisers in ways we have no clue about…”




Did I miss this one? I think I did.
COMMENTS ON THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)




I guess Privacy is trending. (See how the Times selects their coverage, below)
The New York Times has launched what it calls The Privacy Project:
a monthslong initiative to explore the technology, to envision where it’s taking us, and to convene debate about how we should control it to best realize, rather than stunt or distort, human potential.
Here are the articles they’ve posted to get it started:




Impacts both Computer Security and System Architecture.
In an attempt to to build in transparency and accountability into the next generation of world-changing technology, American lawmakers introduced a bill on Wednesday to require large companies to audit machine learning systems for bias.
Democratic Senators Ron Wyden and Cory Booker introduced the Algorithmic Accountability Act on Wednesday. Democratic Congresswoman Yvette Clarke introduced an equivalent bill in the House of Representatives.
The new bill would task the Federal Trade Commission with crafting regulations making companies conduct “impact assessments” of automated decision systems to assess the decision making systems and training data “for impacts on accuracy, fairness, bias, discrimination, privacy and security.”
Companies making over $50 million per year or holding the data of over one million individuals would be targeted by the bill.


(Related) Did they ever promise not to? Auditing for bias? Probably not.
Amazon Workers Are Listening to What You Tell Alexa
Amazon.com Inc. employs thousands of people around the world to help improve the Alexa digital assistant powering its line of Echo speakers. The team listens to voice recordings captured in Echo owners’ homes and offices. The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa’s understanding of human speech and help it better respond to commands.
Occasionally the listeners pick up things Echo owners likely would rather stay private: a woman singing badly off key in the shower, say, or a child screaming for help. The teams use internal chat rooms to share files when they need help parsing a muddled word—or come across an amusing recording.


(Related) Customers are told it may reduce the cost of their insurance. Could it also cause them to be dropped from any insurance plan?
A.I. Is Changing Insurance
A smartphone app that measures when you brake and accelerate in your car. The algorithm that analyzes your social media accounts for risky behavior. The program that calculates your life expectancy using your Fitbit
This isn’t speculative fiction — these are real technologies being deployed by insurance companies right now.
The idea is that if your Fitbit or Apple Watch can tell whether or not you’re living the good, healthy life — and if you are, your insurance premium will go down .
This is the cutting edge of the insurance industry, adjusting premiums and policies based on new forms of surveillance. It will affect your life insurance, your car insurance and your homeowner’s insurance — if it hasn’t already. If the Affordable Care Act’s protections for people with pre-existing conditions should vanish, it will no doubt penetrate the health insurance industry as well.


(Related)
Affectiva raises $26 million to bring emotional intelligence AI to car safety systems
Affectiva wants its solution to be incorporated into cameras used in car safety systems to recognize when a driver is happy, sad, drowsy, or frustrated.
In the future the company wants its detection systems to include more context about how vehicle passengers interact with each other and objects in a vehicle.




Apparently he could not resist trying to stay involved. To keep his name in the news?
Julian Assange: Wikileaks co-founder arrested in London
Video footage shows Julian Assange being dragged from the Ecuadorian embassy in London
Mr Assange took refuge in the embassy seven years ago to avoid extradition to Sweden over a sexual assault case that has since been dropped.
Ecuador's president said it withdrew his asylum after repeated violations of international conventions.
But he still faces a lesser charge of skipping bail in 2012 and he says this could lead to an extradition to the US for publishing US secrets on the Wikileaks website.
Scotland Yard said it was invited into the embassy by the ambassador, following the Ecuadorian government's withdrawal of asylum.
After his arrest for failing to surrender to the court, police said he had been further arrested on behalf of US authorities under an extradition warrant.
Press freedom organisation Reporters Without Borders said that the UK should resist extradition, because it would "set a dangerous precedent for journalists, whistleblowers, and other journalistic sources that the US may wish to pursue in the future".




Silly me. I thought journalists were reporting on important things.
Lifting Journalism by Knowing What Readers Are Looking For
Claudio E. Cabrera, who specializes in search engine optimization, describes how he keeps track of what’s hot in search and how that informs coverage — and what the limits are.




Perspective. We’re not ready for cashless.
After pushback from states and cities, Amazon Go might accept cash
According to CNBC, Amazon executive Steve Kessel told employees at a recent all-hands meeting that the company's brick-and-mortar, cashier-less Amazon Go stores would start accepting "additional payment mechanisms" to combat charges of discrimination.
An Amazon spokesperson later told CNBC that those additional mechanisms included accepting cash. "You’ll check out, pay with cash, and then get your change,” the spokesperson said. [What a bold new concept! Bob]




My guess is that President Trump’s Library will be measured in “Tweets.”
Obama’s Presidential Library Is Already Digital
The Atlantic – The question now is how to leverage its nature to make it maximally useful and used… ”The debate about the Obama library exhibits a fundamental confusion. Given its origins and composition, the Obama library is already largely digital. The vast majority of the record his presidency left behind consists not of evocative handwritten notes, printed cable transmissions, and black-and-white photographs, but email, Word documents, and JPEGs. The question now is how to leverage its digital nature to make it maximally useful and used…the record of President Obama’s White House: 1.5 billion “pages” in the initial collection, already more than 33 times the size of President Johnson’s library. I use “pages” because the Obama Foundation has noted that “95 percent of the Obama Presidential Records were created digitally and have no paper equivalents.” The email record alone for these eight years is 300 million messages, which NARA (the U.S. National Archives and Records Administration) estimates amounts to more than a billion printed pages. In addition, millions of other “pages” associated with the Obama administration are word-processing documents, spreadsheets, or PDFs, or were posted on websites, apps, and social media. Much of the photographic and video record is also born-digital. There are also 30 million actual pages on paper, which are currently stored in a suburb near Chicago. Given the likelihood that a decent portion of this paper record actually came from digital files—think about all of the printouts of PDFs, for instance—only a miniscule portion of what we have from Obama’s White House is paper-only…”




I will share this with my “students who text during class.”