Saturday, May 11, 2019


Update
Emma Hurt reports:
Equifax, the Atlanta credit bureau, revealed in its earnings release Friday that dealing with its 2017 cybersecurity incident has cost about $1.4 billion plus legal fees.
A year and a half ago, the company, which gathers consumers’ credit histories, revealed a massive security breach compromised the personal information of about 150 million people.
The hack itself happened nearly two years ago, between May and July of 2017, a few months after the Department of Homeland Security informed the company of a software vulnerability.
Read more on WABE.




As it becomes easier, expect even more.
We’ve seen a record number of incidents reported in the first quarter of 2019, and it’s not getting any better in the healthcare sector.
Whether you use HHS’s public breach tool, as Modern Healthcare does, or the system DataBreaches.net and Protenus, Inc. use to track U.S. breaches involving medical or health data, April set a new record for number of breaches or incidents disclosed during the month.
Using HHS’s breach tool, Modern Healthcare notes that there were 42 breaches each impacting or potentially impacting more than 500 patients that were reported to the federal regulator last month. Those breaches, they report, affected 686,953 people.
Although DataBreaches.net’s is still compiling and analyzing incidents disclosed in April, so far, we have 55 incidents, for which we have numbers on 49 incidents. Those 49 incidents affected 962,400 people. The number affected is nowhere near any kind of record high, but the number of incidents recorded is approximately 25% higher than monthly figures for the first quarter of this year, and a tad higher than some monthly figures from 2017, where we occasionally saw our frequency counter hit 50 or above.




This is why we teach Computer Security every Quarter.
Kevin Collier reports:
Targeted ransomware attacks on local US government entities — cities, police stations and schools — are on the rise, costing localities millions as some pay off the perpetrators in an effort to untangle themselves and restore vital systems.
The tally by cybersecurity firm Recorded Future — one of the first efforts to measure the breadth of the assaults — found that at least 170 county, city or state government systems have been attacked since 2013, including at least 45 police and sheriff’s offices.
Read more on WPTV.




Perspective.
A new way to build tiny neural networks could create powerful AI on your phone
Neural networks are the core software of deep learning. Even though they’re so widespread, however, they’re really poorly understood. Researchers have observed their emergent properties without actually understanding why they work the way they do.
Now a new paper out of MIT has taken a major step toward answering this question. And in the process the researchers have made a simple but dramatic discovery: we’ve been using neural networks far bigger than we actually need. In some cases they’re 10—even 100—times bigger, so training them costs us orders of magnitude more time and computational power than necessary.




Perspective. Have we gone “AI crazy?”
Mackmyra and Microsoft to create AI whisky
Mackmyra plans to “augment and automate” the “time-consuming” whisky-making process using AI.
The distillery has created machine learning models that are powered by Microsoft’s Azure cloud platform and AI cognitive services, and are fed with Mackmyra’s existing recipes, sales data and customer preferences.
With this information, the AI can generate more than 70 million recipes that it predicts will be popular and of the “highest quality”. According to Mackmyra, AI is much faster than manual processes involved in researching and creating whisky, and also provides blenders with “new and innovative combinations”.




Still trying to understand GDPR.
Odia Kagan of FoxRothschild writes:
The right to be forgotten does not apply in principle to medical records. However, as a patient, you may ask your health care provider to remove data from your medical record,” according to the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AG), which has issued a guidance on GDPR and medical records.


(Related) California is trying to understand what they meant to say…
Lucas Ropek reports:
A privacy legislation package designed to give added protections to consumers while also augmenting the landmark California Consumer Privacy Act (CCPA) is making its way through the state Legislature — though its contents have changed significantly since originally introduced.
The Your Data Your Way initiative was introduced in late January by a cadre of Republican Assemblymembers, with the basis being additional data privacy protections.
A number of bills in the package recently made their way through the state Committee on Privacy and Consumer Protection (P&CP) — and now face a potential vote on the Assembly floor.
Read more on GovTech.




Get the big guys!’
Exclusive: India orders anti-trust probe of Google for alleged Android abuse – sources
India’s antitrust watchdog has ordered an investigation into Alphabet Inc’s unit Google for allegedly abusing the dominant position of its popular Android mobile operating system to block rivals, two sources aware of the matter told Reuters.




It’s obvious. Perhaps we should go to a ‘per mile’ tax?
Illinois may start charging electric vehicle owners $1,000 per year
The proposal is aimed at raising money to make road improvements across the state. Electric vehicles don’t pay the state’s gas tax, which is used to fund road repairs.



Friday, May 10, 2019


Disguising malware as something that’s supposed to help you secure your data.
Cryptanalyzing a Pair of Russian Encryption Algorithms
A pair of Russia-designed cryptographic algorithms -- the Kuznyechik block cipher and the Streebog hash function – have the same flawed S-box that is almost certainly an intentional backdoor. It's just not the kind of mistake you make by accident, not in 2014.




Sounds like something I should try with my students.
Some assembly required: building an interdisciplinary superteam to tackle AI ethics
Harvard Business School Digital Initiative – “What do a communications studies professor, a politics PhD, a technology policy advisor, and a machine learning engineer have in common? They share deep expertise in the ethics and governance of artificial intelligence — and they’re members of the 2019 Assembly program. Hosted by the Berkman Klein Center for Internet & Society and the MIT Media Lab, Assembly brings together a small cohort of technologists, managers, policymakers, and other professionals to confront emerging problems related to the ethics and governance of AI.
AI technologies are increasingly embedded in our lives at home and work — powering our virtual assistants, moderating content on social networking platforms, and helping companies hire new employees. Yet, as AI technologies become more ubiquitous, applying them can raise serious ethical concerns. AI systems are trained using data from the past to make decisions or predictions about the future. This can pose serious risks as societal biases embedded in data get baked into new technical systems. Biased algorithmic outputs are opaque; sometimes even a system’s programmers aren’t sure how a prediction was made. In a world plagued by systemic bias, how do we create AI systems that reduce inequality, rather than perpetuate it? What frameworks can companies use to determine if the application of a machine learning system is unethical? How do we bring communities impacted by AI systems into conversations about AI design and use?..”


(Related)
The AI Boom: Why Trust Will Play a Critical Role
Artificial Intelligence is on the cusp of becoming the biggest technology of the information age, says Horacio Rozanski, president and CEO of Booz Allen Hamilton. However, we need to bake human judgement into it before it is too late, he writes in this opinion piece.


(Related) A useful comparison of ethical guidelines.
The Ethics of AI Ethics -- An Evaluation of Guidelines




Depressing news for my Privacy Lawyer friends?
The U.S. and Europe Are Approaching GDPR and Data Privacy Much Differently
Well, GDPR is not scaring anyone. In fact, it’s a lawyer’s dream come true. It’s becoming quite clear Europe and the U.S. are attacking GDPR compliance problems from different angles. In Europe, the compliance budget covers lawyering up, whereas the on the other side of the pond, the Americans are using their compliance budgets to solve the problems with automated solutions. Which is the opposite if what we’d expect given the litigious nature in the U.S. It seems the worm has turned.


(Related)
GDPR – The Work Ahead
… The effect of the GDPR has been noticeable, but in a subtle sort of way. However, it would be hugely mistaken to think that the GDPR was just a fad or a failed attempt at helping privacy and data protection survive the 21st century. The true effect of the GDPR has yet to be felt as the work to overcome its regulatory challenges has barely begun. So what are the important areas of focus to achieve GDPR compliance?
An essential ‘GDPR To Do’ list for the months ahead looks as follows:




Background. This is well done.
Machine learning algorithms explained
Recall that machine learning is a class of methods for automatically creating predictive models from data. Machine learning algorithms are the engines of machine learning, meaning it is the algorithms that turn a data set into a model. Which kind of algorithm works best (supervised, unsupervised, classification, regression, etc.) depends on the kind of problem you’re solving, the computing resources available, and the nature of the data.




Perspective.
Facebook is not a monopoly, and breaking it up would defy logic and set a bad precedent
Facebook co-founder Chris Hughes laid out his arguments for breaking up the company in a lengthy op-ed for The New York Times on Thursday.
The essence of his argument seems to be that a single person, Mark Zuckerberg, has too much control over the communications platforms, including Facebook, Instagram and WhatsApp, that billions of people use. Therefore, the government should force Facebook to divest its other communications platforms and create a new agency to regulate tech companies, particularly around privacy.
The break-up argument is compelling if you're predisposed to dislike Zuckerberg and Facebook after the last few years of blunders related to user data and misinformation, and Facebook's often tone-deaf or seemingly indifferent responses to these incidents
It's also illogical, difficult and a waste of time.
Facebook is not a monopoly in its actual market — advertising — and the product it offers is not essential to the U.S. economy or society. Even worse, it's not clear that breaking Facebook up would solve the biggest problems with the platform, such as misinformation and data collection. Those problems would better be solved through targeted, strictly enforced regulation.



Thursday, May 09, 2019


This should also apply to things like changing default passwords.
Giulio Coraggion of DLA Piper writes:
The first GDPR fine was issued in Italy by the Garante for the lack of implementation of privacy security measures following a data breach on the so-called Rousseau platform operating the websites of the Movimento 5 Stelle party.
The fact of the case relating to the Rousseau platform:
Several websites affiliated to the Italian political party Movimento 5 Stelle are run, through a data processor, through the platform named Rousseau. The platform had suffered a data breach during summer 2017 that led the Italian data protection authority, the Garante, to require the implementation of many security measures, in addition to the obligation to update the privacy information notice to give additional transparency to the data processing activities performed.
Read more on Privacy Matters.




Is there any rush to follow California?
From Covington & Burling:
The Washington Privacy Act stalled this April in the state’s House of Representatives, and will likely not reappear again for discussion until the 2020 legislative session.
The bill overwhelmingly passed the Senate, but failed to come to a floor vote in the House of Representatives before the April 17th deadline for state lawmakers to consider non-budget related matters. This delay appears to stem from a lack of consensus on key issues, such as the regulation of facial recognition technologies and potential enforcement mechanisms.
If the House had passed the bill, Washington would have become the second state in the United States to enact significant privacy legislation. Mirroring the GDPR in several respects, the bill provided access, correction, and deletion rights to consumers, and imposed disclosure and risk assessment obligations on covered businesses.
Although state lawmakers failed to pass the Washington Privacy Act, they reached a consensus on a separate bill that expands Washington’s breach notification law. The Senate and the House of Representatives passed the bill in their respective chambers in the latter half of April.
Read more on Inside Privacy.




Privacy of access to your apartment.
Tenants win as settlement orders landlords give physical keys over smart locks
In a settlement released Tuesday, a judge ordered landlords of an apartment building in New York to provide physical keys to any tenants who don't want to use the Latch smart locks installed on the building last September.
The settlement is a first, as there's no legal precedent or legislation deciding how landlords can use smart home technology. Since the technology is relatively new, lawmakers haven't had time to catch up with smart home devices, and this case in New York is one of the few legal challenges to appear in court.




Let’s really plan ahead and design a Presidential candidate. 36 minute podcast.
AI and the Genetic Revolution
Michigan State University senior vice president Stephen Hsu, a theoretical physicist and the founder of Genomic Prediction, demonstrates how the machine learning revolution, combined with the dramatic fall in the cost of human genome sequencing, is driving a transformation in our relationship with our genes. Stephen and Azeem Azhar explore how the technology works, what predictions can and cannot yet be made (and why), and the ethical challenges created by this technology.



Wednesday, May 08, 2019


Businesses exist to take risks. Boards of Directors exist to choose the risks to take.
WANE reports:
The state of Indiana has sued credit bureau Equifax for a 2017 data breach that left 147.9 million Americas, including 3.9 million Hoosiers, compromised.
[…]The state argued in its lawsuit that Equifax used cost-cutting measures like outsourcing mission-critical systems. The company failed to improve security and instead chose to increase revenue, the lawsuit argued.
Read more on WANE.


(Related) Even more important to take the right risks.
Companies Don’t Always Need a Purpose Beyond Profit




Money is becoming more attractive than espionage? More frequent, maybe.
Verizon Publishes 2019 Data Breach Investigations Report (DBIR)
This is the 12th edition since its launch in 2008, and the most extensive to date, with 73 contributors and an analysis of 41,686 security incidents including 2,013 confirmed breaches.
The trend highlighted by the 2019 DBIR (PDF ) is that financially motivated cyber-attacks are increasing across the board.




Closer to a declared CyberWar?
Aggressive Changes to Deterrence, International Response and the Use of Offensive Cyber Capabilities on the Horizon
Secretary of State Mike Pompeo announced that certain types of cyber attacks on Japan could trigger an armed response from the United States. This level of military commitment by the Trump administration is unusual in the realm of international response to offensive cyber maneuvers, and could signal a broader sea change in foreign policy.
This particular statement was clearly prompted by the actions of China, which has ramped up to about 128 billion cyber attacks on Japan each year. While it is still very unlikely that the United States would ever take military action against China for these attacks, the language of the statement is unusually strong.
While all-out war in response to nation-state hacking would be untenable, there are signs that United States allies are less willing to accept the status quo of letting brazen cyber attacks slide. Consequences are being discussed, and the most likely shape they would take would be a NATO-like alliance in which a large-scale joint offensive cyber response occurs when any one member state is attacked online.


(Related) No surprise.
Report: Russia is using social media to influence European Parliamentary elections
A new report is out claiming that Russian bad actors are increasingly pouring misinformation through social media channels with a clear goal to influence the upcoming European Parliamentary elections.
SafeGuard Cyber’s report also provides evidence that Russia is behind these misinformation campaigns, discovered by tracking bots, trolls and other malicious parties, referred to as ‘bad actors,’ against 52 risk signatures as part of the company’s machine learning threat detection tool,” reads the press release.




For my Computer Security students.
Webinar on Hacking 101: How it works and how to mitigate risk
Please join the Hogan Lovells Privacy and Cybersecurity team on May 15 for our webinar, Hacking 101: How it Works and How to Mitigate Risk. We will explore how certain common hacks work from a technical perspective and how to mitigate related risks from a legal and compliance perspective.
… CLE credit will be offered for webinar attendance. To register for the webinar, click here.




A Wharton podcast. Perhaps it’s because Smartphone owners have to tell someone right now!
User-generated Content: The Medium Impacts the Message
In her latest research, Wharton marketing professor Shiri Melumad finds that consumers who write out their thoughts on smartphones tend to be more emotional than those who wait until they get home to type on their personal computers. Her findings have implications for both marketers and consumers who rely on user-generated content to inform their decisions.




Perspective.
CRUISE'S $1 BILLION INFUSION SHOWS THE STAKES IN SELF-DRIVING TECH
FOR AN INDUSTRY that has yet to scale a commercial product, the folks building self-driving cars sure have raised a lot of money. The latest eye-popping investment comes via Cruise, the San Francisco-based autonomous vehicle unit that is mostly owned by General Motors. The company announced Tuesday that it had raised $1.15 billion, at a valuation of $19 billion—roughly one-third of the valuation of GM, despite not having sold a single car. The infusion comes from one new investor, the global asset management firm T. Rowe Price Associates, plus existing partners GM, Honda, and the Softbank Vision Fund, which poured $2.25 billion into the self-driving unit a year ago. Cruise says it has raised $7.25 billion in the past year, which places it in the top tier of AV fund-raisers.




Could be fun…
An Interactive Map of English Myths and Legends
Thanks to the Maps Mania blog I just learned about English Heritage's Map of Myth, Legend, & Folklore. The interactive map feature a couple of dozen historical sites that under the care of English Heritage. As the name of the map implies, each of the sites on the map is basis for a myth or legend.
Click on one of the landmarks on the Map of Myth, Legend, & Folklore to read the legend connected to that landmark.



Tuesday, May 07, 2019


Better if I had a copy of my ballot. What happens if I say my votes were recorded incorrectly? I have no proof.
Microsoft offers free system to let voters ensure their votes are counted
Details: The voter auditing system, called ElectionGuard, was developed with the security firm Galois, and uses what's known as homomorphic encryption to protect voter information while allowing voters to check it.
  • Homomorphic encryption allows computers to process information without ever decrypting it, meaning that a ballot would stay private even from the computers used to collect it.
  • "The voter gets a tracker that they will be able to enter later to see that their vote was correctly recorded and counted," said Burt.
  • And the system as a whole would allow third parties to tally votes on their own, ensuring there wasn't a miscalculation.




Would they believe I don’t own a smartphone?
Whoa. Sophia Harris reports:
As more people travel with smartphones loaded with personal data, concern is mounting over Canadian border officers’ powers to search those phones — without a warrant.
The policy’s outrageous,” said Toronto business lawyer, Nick Wright. “I think that it’s a breach of our constitutional rights.”
His thoughts follow a personal experience. After landing at Toronto’s Pearson Airport on April 10, he said the Canada Border Services Agency (CBSA) flagged him for an additional inspection — for no stated reason.
Read more on CBC, especially if you are planning to travel to or through Canada, because it seems that the government CAN get away with doing to you what they did to Nick Wright.




Would the ethical bit also apply to the Facebooks of the world? “With great data gathering comes great responsibility?”
In the six months since Jamal Khashoggi was murdered by a Saudi “Rapid Intervention Group” in the Saudi Arabian consulate in Istanbul, press reports have described a variety of information swept up by U.S. intelligence that foretold or foreshadowed the heinous crime. The reporting has cast a rare light not only on our spy agencies’ activities and capabilities, but also on the complicated moral dilemmas that accompany mass surveillance. And it has intensified questions over whether the intelligence agencies that gathered this information carried out a legally required duty to warn the journalist that his life was in danger.




How much is too much? Will the pendulum swing back?
Europe Is Reining In Tech Giants. But Some Say It’s Going Too Far.
In Spain, activists were convicted for social media posts that violated an expanded antiterrorism law. The Twitter accounts of German citizens were blocked because of rules enacted last year that prohibit hate speech. And a Dutch court determined Google must remove search results about a doctor punished for poor performance, in compliance with a privacy law.
Heralded as the world’s toughest watchdog of Silicon Valley technology giants, Europe has clamped down on violent content, hate speech and misinformation online through a thicket of new laws and regulations over the past five years. Now there are questions about whether the region is going too far, with the rules leading to accusations of censorship and potentially providing cover to some governments to stifle dissent.




My students will become more literate? Or more liberal? Bias in your word processor?
Word’s new AI editor will improve your writing
If you write in Microsoft Word Online, you’ll soon have an AI-powered editor at your side. As the company announced today, Word will soon get a new feature called “Ideas” that will offer writers all kinds of help with their documents.
If writing is a struggle for you, the most important feature of Ideas is surely its ability to help you write more concise and readable text. You can think of this as a grammar checker on steroids, as it goes beyond fixing obvious mistakes and focuses on making your writing better. It uses machine learning, for example, to suggest a rewrite when you mangled a complex phrase. Ideas will also help you write more inclusive texts.




Is this an anti-GDPR? Expect arguments that all jurisdictions should be global?
New Rules On E-Evidence Could Streamline Criminal Investigations in the EU
Center for Data Innovation – “Law enforcement authorities have a problem: Evidence from crimes is often digital, such as emails or documents in the cloud, but investigators cannot easily access data stored in another country. While this issue is global, it is particularly acute within the EU. According to the European Commission, nearly two-thirds of crimes involving e-evidence held in another member state cannot be properly investigated because of lengthy delays by which time the evidence may be destroyed. To address this problem, the European Union should adopt new rules to streamline the process for obtaining and preserving e-evidence within its territory. While the European Commission has made an initial proposal on reforming the rules for e-evidence, the proposal has largely missed the mark by making the process more cumbersome for companies and shifting the burden of vetting requests to the private sector. In addition, the proposed rules threaten high fines—up to 2 percent of their global turnover —for compliance violations, which will make companies focus more on avoiding penalties rather than working cooperatively with investigators.




My students predicted this a couple of years ago. Self-driving, on demand vehicles have no human to notice problems.
Tesla vehicles can now diagnose themselves with repair and maintenance issues and they can even automatically pre-order parts for repairs.




Perspective.
Infographic: US Adults Who Do Not Use The Internet In 2019