Saturday, April 20, 2019


I went to the Privacy Foundation seminar yesterday. It helped me reach a few conclusions. Call them “Privacy Minimums” if you will:
First, Privacy Regulation will become universal. Today you need to consider the GDPR if you do business in the EU or with EU citizens. California and Brazil are mere months away from implementing their own, similar laws. Within the lifetime of a normal IT system, most countries will have similar regulations.
Second, none of the follow-on laws will make compliance simpler. You must comply with the toughest law, so why even consider “separate but simpler?”
Third, for each system (old or new) and for each data element, you will need to know where the data comes from, how it is used, everywhere it is stored and where (and when) it goes. Can it be used to identify an individual by itself or combined with other data? Do you have “opt in” permission? Has that individual ever exercised “opt out?”




How to handle a ransomware attack: back up in an hour!
A ransomware attack took The Weather Channel off the air
The Weather Channel was hit by a ransomware attack on Thursday, briefly taking a live TV program off the air, according to .a Wall Street Journal report
The attack came amid severe weather in the southeastern United States and knocked out the cable channel for more than an hour. The FBI told the Journal a ransomware attack was the source of the problem and that the agency is investigating.
We experienced issues with this morning’s live broadcast following a malicious software attack on the network,” the channel confirmed in a tweet about the incident, adding that “backup mechanisms” had allowed the channel to restore service.




Three freedoms of the Internet?
Don't Regulate The Internet Like Every Company Is The Same
key to his approach is a more modern update to the common "free as in speech v. free as in beer" concept that everyone in the open source world is familiar with. Ben talks about a third option that has been discussed for decades, which is "free as in puppy" -- meaning something that you get for free, but which then has an ongoing cost in terms of maintaining the free thing you got.



Friday, April 19, 2019


Hiding in the weeds.
Mueller report sheds new light on how the Russians hacked the DNC and the Clinton campaign
The Mueller report contains new information about how the Russian government hacked documents and emails from Hillary Clinton’s presidential campaign and theDemocratic National Committee.
At one point, the Russians used servers located in the U.S. to carry out the massive data exfiltration effort, the report confirms.
The operatives working for the Russian intelligence directorate, the GRU, sent dozens of targeted spearphishing emails in just five days to the work and personal accounts of Clinton Campaign employees and volunteers, as a way to break into the campaign’s computer systems.
By stealing the login details of a system administrator who had “unrestricted access” to the network, the hackers broke into 29 computers in the ensuing weeks, and more than 30 computers on the DNC.
In all, some 70 gigabytes of data were exfiltrated from Clinton’s campaign servers and some 300 gigabytes of data were obtained from the DNC’s network.
I hope you’re able to find the 30,000 emails that are missing,” said then-candidate Trump at a press conference, referring to emails Clinton stored on a personal email server while she headed the State Department. Mueller’s report said “within approximately five hours” of those remarks, GRU officers began targeting for the first time Clinton’s personal office.




Big, but not a record.
Remember what I said earlier today about India being a data protection mess? Here’s another example. Mohit Kumar reports:
An unprotected database belonging to JustDial, India’s largest local search service, is leaking personally identifiable information of its every customer in real-time who accessed the service via its website, mobile app, or even by calling on its fancy “88888 88888” customer care number, The Hacker News has learned and independently verified.
Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings.
Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.
Read more on The Hacker News,




Completely foreseeable. Outages will identify organizations that didn’t monitor the growth of the routing table.
Some internet outages predicted for the coming month as '768k Day' approaches
An internet milestone known as "768k Day" is getting closer and some network administrators are shaking in their boots fearing downtime caused by outdated network equipment.
The fear is justified, and many companies have taken precautions to update old routers, but some cascading failures are still predicted.
The term 768k Day comes from the original mother of all internet outages known as 512k Day.
512k Day happened on August 12, 2014, when hundreds of ISPs from all over the world went down, causing billions of dollars in damages due to lost trade and fees, from a lack of internet connectivity or packet loss.
The original 512k Day took place because routers ran out of memory for storing the global BGP routing table, a file that holds the IPv4 addresses of all known internet-connected networks.
Many legacy routers received emergency firmware patches that allowed network admins to set a higher threshold for the size of the memory allocated to handle the global BGP routing table.
Most network administrators followed documentation provided at the time and set the new upper limit at 768,000 – aka 768k.




Another swing of the pendulum.
Nathan Sheard and Jennifer Lynch of EFF write:
Thanks to a recent ruling by Fairfax County Circuit Court Judge Robert J. Smith, drivers in Fairfax County, Virginia need not worry that local police are maintaining ALPR records of their travels for work, prayer, protest or play.
Earlier this month, Judge Smith ordered an injunction against the use of the license plate database, finding that the “passive” use of Fairfax County Police Department’s Automated License Plate Reader (ALPR) system violated Virginia’s Government Data Collection and Dissemination Practices Act (Data Act).
Read more on EFF.




People are responsible for Privacy Policies? What a concept!
Federal investigation of Facebook could hold Mark Zuckerberg accountable on privacy, sources say
Federal regulators investigating Facebook for mishandling its users’ personal information have set their sights on the company’s chief executive, Mark Zuckerberg, exploring his past statements on privacy and weighing whether to seek new, heightened oversight of his leadership.
The discussions about how to hold Zuckerberg accountable for Facebook’s data lapses have come in the context of wide-ranging talks between the Federal Trade Commission and Facebook that could settle the government’s more than year-old probe, according to two people familiar with the discussions. Both requested anonymity because the FTC’s inquiry is confidential under law.
Often, the FTC does not target executives in cases where it finds a company’s business practices have violated web users’ privacy. But critics said that targeting Zuckerberg could send a message to other tech giants that the agency is willing to hold top executives directly accountable for their firms’ repeated data misdeeds.
The days of pretending this is an innocent platform are over, and citing Mark in a large scale enforcement action would drive that home in spades,” said Roger McNamee, an early investor in the company and one of Zuckerberg's foremost critics.


(Related) How to bury bad news.
Facebook perfects the art of the news dump
On the Thursday before a major holiday weekend, and an hour before the much-anticipated Mueller report was released to the public, Facebook updated a month-old blog post titled "Keeping Passwords Secure" with a few lines of italicized text.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users," says the update.
The original post revealed Facebook stored passwords for hundreds of millions of its Facebook users and "tens of thousands" of Instagram users as plain text in a database that could be accessed by its staff.




Almost three years now and some people still haven’t read it?
GDPR Article 27 … The ‘Unknown Obligation’ of Appointing a Nominated European Representative
… Whilst the GDPR is a European regulation, many organizations outside of Europe will be unaware that they are required to appoint a Nominated European Representative under certain conditions (as per Article 27 of the GDPR).


(Related) Dead because tech companies had input?
Hunton Andrews Kurth writes:
The much-discussed Washington Privacy Act, Senate Bill 5376 (“SB 5376”), appears to have died after failing to receive a House vote by an April 17, 2019 deadline for action on non-budget policy bills. Though the bill could be revived before the regular session ends on April 28, 2019, Washington lawmakers expressed doubt.




I’m detecting a strong anti-AI bias…
Some AI just shouldn’t exist
Human bias can seep into AI systems. Amazon abandoned a recruiting algorithm after it was shown to favor men’s resumes over women’s; researchers concluded an algorithm used in courtroom sentencing was more lenient to white people than to black people; a study found that mortgage algorithms discriminate against Latino and African American borrowers.
The tech industry knows this, and some companies, like IBM, are releasing “debiasing toolkits” to tackle the problem. These offer ways to scan for bias in AI systems — say, by examining the data they’re trained on — and adjust them so that they’re fairer. [A great entry point for hackers. Bob]
But that technical debiasing is not enough, and can potentially result in even more harm, according to a new report from the AI Now Institute.
The three authors say we need to pay attention to how the AI systems are used in the real world even after they’ve been technically debiased. And we need to accept that some AI systems should not be designed at all.
In other words, ensuring that an AI system works just as well on everyone does not mean it works just as well for everyone.




Attempts to have AI interpret politicians caused the AI to stroke out.
A neural network can read scientific papers and render a plain-English summary
… a form of artificial intelligence (AI) ... can read scientific papers and render a plain-English summary in a sentence or two.
Even in this limited form, such a neural network could be useful for helping editors, writers, and scientists scan a large number of papers to get a preliminary sense of what they're about.




Interesting. Managers don’t want to listen to their lawyers?
The Rise of Risk Management in Financial Institutions – Diminution of Legal Function
Business Law Today – The Rise of Risk Management in Financial Institutions and a Potential Unintended Consequence – The Diminution of the Legal Function By: Thomas C. Baxter, Jr. After the global financial crisis, a highly respected group of financial supervisors from the industrialized world convened to consider what might have caused the worst financial crisis experienced since the Great Depression. This group – aptly named the “Senior Supervisors Group” – concluded that a material contributing cause was what they characterized as a “colossal failure of risk management.” The Senior Supervisors Group was not alone. Many other bodies have taken up the same topic and reached a similar conclusion. In the 10 years since the global financial crisis ended, the financial community has responded to the identified causes of the financial crisis, adopting lessons learned and significantly reforming the financial system. This work has resulted in a financial system with individual institutions that are demonstrably more safe and more sound than before, and a much more resilient banking system overall. In contrast to what existed on the eve of the crisis – early 2007 – today’s financial system has considerably higher capital and liquidity, as government officials and other commentators have observed. In addition, and perhaps even more importantly if we accept the conclusion of the Senior Supervisors Group, there has been a revolution in the discipline of risk management and in the “build-out” of processes and procedures for identifying, measuring, monitoring, and controlling risk. In the United States, for example, one may witness the Dodd-Frank Wall Street Reform and Consumer Protection Act, which President Obama signed into law on July 21, 2010 (the “Dodd-Frank Act”). The Dodd-Frank Act introduced varied and different requirements for risk management, including a series of “enhanced prudential standards,” as well as governance directed at risk management requirements, like the requirement for a risk committee of the board of directors….
This article will discuss whether the rise of the risk management function has had one very specific unintended consequence – the diminution of the legal function. To place such an important question in a proper context, this article will focus on the potential inverse relationship – it is not only that the legal function has declined in importance, but it is also that the decline has come as the direct result of the rise in risk.



Thursday, April 18, 2019


There’s an App for that!
More Than 100 High-End Cars Were Stolen Using An App In A Possible Chicago Crime Spree
The Chicago Police Department said in a statement Wednesday that the car sharing company, car2go or SHARE NOW, alerted authorities that its vehicles may have been taken through "deceptive" practices through the company's app.
CBS Chicago reported that many of the vehicles were allegedly used to commit other crimes. Police did not provide any details about how the vehicles were used but said the investigation is ongoing.
[From the Car2go website:
Cars are available on the street and in designated lots around the city. A live map is available on our app.




One measure of success?
Game of Thrones’ season 8 premiere was pirated almost 55 million times in the first 24 hours




Over protecting?
GDPR is very protective of children, and like FERPA, can be confusing at times to parents who want to understand what is allowed and what is not. Adrian Weckler reports:
Irish school principals who tell parents they cannot take photos at communions or sports days “because of GDPR” are wrong, says Ireland’s data privacy authority.
The Data Protection Commissioner has issued new guidance because of confusion among parents, teachers and children’s organisations over the matter.
This type of activity falls under the so-called household exemption under the GDPR,” says the DPC’s newly-published guidance.
This provides that the GDPR does not apply when a person processes personal data, for example, a photograph of someone, in the course of a purely personal or household activity.”
The privacy authority also says that GDPR doesn’t strictly prohibit posting photos taken at school events on social media, either.
Read more on Independent.ie.




One Privacy future.
Microsoft denied police facial recognition tech over human rights concerns
Microsoft has said it turned down a request from law enforcement in California to use its facial recognition technology in police body cameras and cars, reports Reuters.
Anytime they pulled anyone over, they wanted to run a face scan,” said Smith of the unnamed law enforcement agency. “We said this technology is not your answer.”




Preparing my students to deal with Big Data, as processors of the data and as (involuntary) providers.
Your car is watching you. Who owns the data?
Roll Call – Computers on wheels raise thorny questions about data privacy: “If you’re driving a late model car or truck, chances are that the vehicle is mostly computers on wheels, collecting and wirelessly transmitting vast quantities of data to the car manufacturer not just on vehicle performance but personal information, too, such as your weight, the restaurants you visit, your music tastes and places you go. A car can generate about 25 gigabytes of data every hour and as much as 4,000 gigabytes a day, according to some estimates. The data trove in the hands of car makers could be worth as much as $750 billion by 2030, the consulting firm McKinsey has estimated. But consumer groups, aftermarket repair shops and privacy advocates say the data belongs to the car’s owners and the information should be subject to data privacy laws…”




My students will need to interface with several Apps. This is just one.
Google Maps Is Ready to Transform the World of Superapps: A Skift Deep Dive
Like Tencent-owned WeChat and, to a lesser extent Meituan in China, as well as Grab in Southeast Asia, many are pointing to Google Maps, with its more than 1 billion users, as the next ubiquitous, all-encompassing superapp. In other words, a superapp can do it all, or nearly everything, relatively speaking, and obviates the need to call up specialty apps to perform specific tasks.
Need your Chicago Transit, Uber, or Yelp apps to see if your train is delayed, book a rideshare, or reserve a table for a Saturday night repast? Not really. The Google Maps app has you basically covered on all these fronts — and many more.
Our reporting finds that Alphabet is already generating several billion dollars annually from Google Maps, an amount that isn’t yet material to the company’s financial results




Another industry not ready for the CCPA?
Joseph Lazzarotti of JacksonLewis writes:
Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. OCIE is hoping to remind advisers and broker-dealers about providing compliant privacy and opt-out notices, and adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.
Privacy Notices. During the examinations, OCIE observed advisors and broker-dealers were not providing initial privacy notices, annual privacy notices and opt-out notices to their customers. When these notices were provided, many did not accurately reflect firms’ policies and procedures and/or notify customers of their right to opt out of having their nonpublic personal information shared with nonaffiliated third parties.
Read more on The National Law Review.




When you absolutely, positively have to waste a few hours...
Barnes & Noble is offering free download of the Mueller report




It looks like ransom.
A company in San Diego co-founded by a former Marine has been scooping up the abandoned scooters that litter city streets owned by the startups Bird and Lime for months, giving some of them back to Bird in November in exchange for more than $40,000. Bird and Lime have since called the company’s activities “ransom,” and a legal battle has begun.
The civil complaints—both filed in California Superior Court in San Diego, Lime’s on March 19 and Bird’s a day later—make for good reading, and describe a pattern of scooter confiscations that the companies say started last summer.
The dispute highlights a larger tension in tech, in that it lays bare some pretty fundamental questions about Silicon Valley, i.e. are so-called mobility companies actually helping us solve some of our larger transportation issues? Or is really what we have at the end of the day just a bunch of new trash?
Bird and Lime also say that a lot of scooters are taken from public property, and against normal procedures tow trucks might use when impounding a vehicle.
A court might ultimately decide that, but Scooter Removal, for its part, says on its website that the removals are a noble cause, a reaction to scooters’ increasing presence—some say littering—across the city.




Perspective. ..and a trip to the library. (Podcast)
Don’t Panic: The Digital Revolution Isn’t as Unusual as You Think
Knowledge@Wharton: When new technology is introduced to the masses, is the initial reaction of shock pretty much the same from one century to the next?
Wheeler: Yes, it really is amazing that the original reaction of people when they hear about things is to push back. “Oh my God, this is changing what I’ve been comfortable with.” My favorite example is that when Samuel F. B. Morse went to the Congress to get funding for his first telegraph line, when that bill got to the floor of the House of Representatives, everybody was laughing at it. The idea that you could send messages by sparks was just too much to believe. It literally was a circus on the floor. When the House finally voted, they voted 89 for, 83 against, and 70 abstentions because these members of Congress were afraid to go back and explain to their constituents how they were spending their tax dollars on this crazy idea of messages by sparks.




AI hasn’t arrived at my University, yet.
'It's an educational revolution': how AI is transforming university life
Beacon is unlike any other member of staff at Staffordshire University. It is available 24/7 to answer students’ questions, and deals with a number of queries every day – mostly the same ones over and over again – but always stays incredibly patient.
That patience is perhaps what gives it away: Beacon is an artificial intelligence (AI) education tool, and the first digital assistant of its kind to be operating at a UK university.
… Students can chat with Beacon via text or voice conversation, and as use increases, it becomes smarter. Eventually, it will be able to remind students about classes and deadlines.




For the toolkit.




Dilbert illustrates a problem MY students could solve.



Wednesday, April 17, 2019


An update.
Norsk Hydro Delays Financial Report Due to Cyberattack
Norwegian aluminum giant Norsk Hydro last week announced that its financial report for the first quarter of 2019 will be delayed by over one month due to the recent cyberattack that caused significant disruptions to the company’s operations.
The company has been transparent regarding the impact of the cyberattack, but it could not share too many technical details due to the ongoing law enforcement investigation. It revealed recently that the incident had caused losses of up to $41 million in the first week after the intrusion was uncovered.




File this under “less than adequate response?”
On April 5, Metrocare Services in Texas notified HHS that it was notifying 5,290 clients of a breach. A notice on their web site explains:
On February 6, 2019, we learned an unauthorized third party gained access into some Metrocare employees’ email accounts beginning on January 2019. We immediately took steps to secure the accounts and began an investigation. The investigation determined the unauthorized access occurred and could not rule out whether emails containing individuals’ information were accessed by the third party. We determined information of some individuals were in the affected email accounts, and may have included individuals’ names, dates of birth, health insurance information, driver’s license information, health information related to services received connected to Metrocare, and in some cases, Social Security numbers.
You can read the full notice on their site, which includes steps they have taken to prevent a recurrence. It’s a shame they didn’t take all of these steps in November, 2018 when they had what sounds like an identical breach, but did not follow up by implementing multifactor authentication. At that time, they wrote:
To help prevent something like this from happening in the future, Metrocare is taking steps to add additional security measures to its current information technology infrastructure, including strengthening its email system, and providing additional information security training to its employees.
That incident has no closing summary on HHS’s public breach, so it may still be under investigation.
This time, they write:
To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system and have implemented multi-factor authentication on its email systems.
The breach in 2018 affected more than 1,800 patients. The more recent breach, which was also discovered within a month after it started, affected more than 5,200 patients. Will OCR find Metrocare’s actions reasonable? And what happens if this happens again?




More concerns.
GDPR, CCPA, LGDP and More: Staying Afloat in the Sea of Global Privacy Regulations
The global privacy legislation landscape continues to be a complex sea to navigate. To date we have seen 117 omnibus laws (GDPR) and another 28 sectoral laws (CCPA) come into play. We are expecting more amendments to the CCPA and LGDP, and there seems to be no end in sight to countries and regions bringing their own legislation into effect over the coming months.


(Related)
The EDPB’s Narrow View of Contractual Necessity
According to the EDPB, processing must be necessary for the particular contract at issue to be carried out.


(Related) Thank you Harvard! A new term and the need for Privacy Audits.
Don’t Acquire a Company Until You Evaluate Its Data Security
When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of cars.
We are extending that concept to M&A activity. In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality. While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust.




Will the survey show that Facebook is bad or that its users are ignorant? How would you run this survey?
State Launches Online Data Survey as Part of Facebook Probe
Democratic Gov. Andrew Cuomo announced Tuesday that information provided through an online consumer data privacy survey will help state regulators make policy decisions regarding the internet marketplace and how personal data is used by companies.
Among the questions on the state survey are how many smart devices are in a respondent’s household and whether they know how to access privacy settings.




Sounds like they suspect a source of bias…
The artificial intelligence field is too white and too male, researchers say
The artificial intelligence industry is facing a “diversity crisis,” researchers from the AI Now Institute said in a report released today, raising key questions about the direction of the field.
Women and people of color are deeply underrepresented, the report found, noting studies finding that about 80 percent of AI professors are men, while just 15 percent of AI research staff at Facebook and 10 percent at Google are women.


(Related) Sometimes you need bias.
Uber launched a Saudi Arabia-only feature that lets female drivers avoid taking male passengers




Because it impacts everything?
The Consumer Protection Ecosystem: Law, Norms, and Technology
Bradley, Christopher G., The Consumer Protection Ecosystem: Law, Norms, and Technology (March 8, 2019). Denver Law Review, Vol. 97, 2019. Available at SSRN: https://ssrn.com/abstract=3349190 or http://dx.doi.org/10.2139/ssrn.3349190
Consumer law provokes fierce policy debate on issues from identity theft to online privacy, from arbitration clauses and class action lawsuits to Americans’ accumulation of debt and the unsavory practices sometimes used to collect. Pervasive technology in every aspect of consumer transacting has opened up many new fronts in these battles. Scholars, policymakers, and advocates have responded in kind, devoting increased energy to this area of law, which affects every single one of us, every single day. Despite its prominence, however, confusion persists regarding what consumer protection really is or does. The realities of social and technological change have not been integrated into legal analyses of consumer transactions.
This Article constructs a novel and comprehensive model of the consumer protection ecosystem by contextualizing purely legal constraints amid the other realities of commercial relationships. Drawing on scholarship in the areas of technology, social change, and the law, the model lays out three basic types of constraints on the activities of participants in consumer commercial transactions: legal, technical, and social constraints. This model provides a basis for exploring how those constraints interact and shape behavior.
The model has significant ramifications for scholars, policymakers, and advocates. The model underscores why the area of consumer-facing commerce defies one-size-fits-all solutions; instead, it demands refined and layered consideration of consumers, merchants, and the commercial relationships they pursue, as well as the changes in the social and technological contexts of those relationships. This Article’s model provides a framework for that future research and debate.”




Simple, free, useful? Do you have an old spreadsheet lying around?
Glide - Make Your Own App by Just Making a Spreadsheet
Glide is an amazing free tool that I featured in a presentation during yesterday's TLA Tech Glamp. Glide enables anyone who can make a spreadsheet in Google Sheets to create his or her own mobile app. If that sounds simple, that's because it is just that simple. The headers that you put into your spreadsheet and the data that you enter into your spreadsheet is used by Glide to generate a mobile app for you that will work on Android and iOS devices.
To get started making your first app with Glide you will need to create a spreadsheet in Google Sheets. Your spreadsheet's column headers are what will become the sections your app. The information that you enter into your spreadsheet's columns is what will be displayed within each section your app. You can include links to videos, images, and maps in your spreadsheet and those items will be included in your app too.
After you have created your spreadsheet in Google Sheets, go to Glideapps.com and connect to your Google account. That connection will allow you to import your Google Sheet. Once your spreadsheet is imported you will be able to see a preview of your app. You can change the layout and color scheme of your app in the Glide editor. When you're happy with how it looks, hit the share button to publish your app for others to see. You can share your app publicly via QR code and public URL or you can share your app privately via email.




For my geeks.
10 Algorithms Every Machine Learning Enthusiast Should Know