Saturday, February 29, 2020


Is this common? First time I’ve seen it.
Ca: LifeLabs files petition to keep cyberattack report from B.C. privacy commissioner
Andrew Weichel reports:
The B.C.-based laboratory testing company that was targeted in a cyberattack last fall is trying to keep the province’s privacy commissioner from accessing a third-party report on the breach.
In a petition filed this month in B.C. Supreme Court, LifeLabs argued it shouldn’t have to turn over a report prepared by cybersecurity firm CrowdStrike because it’s protected by solicitor-client privilege.
Read more on CTV News.
[From the article:
Beyond solicitor-client privilege, the company argued the report is protected by litigation privilege, which covers documents and communications prepared expressly in anticipation of a lawsuit.]




Sometimes you are your own worst enemy.
‘Catastrophic data loss’ affects thousands of Hamilton County Sheriff’s Office dashcam videos
Rosana Hughes reports:
A “catastrophic data loss” caused thousands of Hamilton County Sheriff’s Office videos from dashboard cameras to disappear — and potentially could jeopardize criminal and civil cases.
All dash camera footage for all 130 patrol deputies between Oct. 25, 2018, and Jan. 23 of this year was lost after a software failure on Jan. 13, according to a letter hand-delivered to the District Attorney’s Office this week. The footage could not be recovered, as that was the only server used to store the videos.
Read more on Chattanooga Times Free Press. This was not a cyberattack situation but a disaster of a drive failure and the discovery that the system had not been making backups correctly.




How influential are these companies (or their users)?
IANS reports:
A coalition comprising digital media giants Facebook, Google and Twitter (among others) has spoken out against the new regulations approved by the Pakistani government for social media, threatening to suspend services in the country if the rules are not revised, it was reported.
In a letter to Prime Minister Imran Khan earlier this month, the Asia Internet Coalition (AIC) called on his government to revise the new sets of rules and regulations for social media, The News International reported on Friday.
Read more on Business Standard.




True for all fields?
How accurate is AI in legal research?
… “Lawyers have an exceptionalism fallacy, and they’re trained to do things completely perfect,” he said, mentioning legal research. “Lawyers are far better at research than most humans, but that doesn’t mean we’re good at it. It means we’re less horrible at it than other humans.”
That being said, Hamilton argued that there may come a time when courts demand lawyers use artificial intelligence to research arguments. He noted how quickly lawyers have gone from books, to computer programs, to online services for legal research.




A case study?
How Going All-In on Machine Learning Changed Data Collection at Morningstar
Ahmad joined Morningstar, which provides research and proprietary tools to investors, in 2010 and stepped into the role of head of technology for the data collection group in the summer of 2018. His first order of business was to automate the data collection process which, up until that point, had relied on analysts to gather information from numerous sources — ranging from SEC filings to managed investment documents — and verify its quality.
Generating training data was a challenging task in itself because we cover so many datasets. We created additional tooling to capture contextual information that had previously gone uncollected. This contextual information allowed us to train machine learning models and deliver runtime inferences to an analyst who either accepts or rejects the output, forming a feedback loop for retraining that further improves the model.




What can I say? As I used to tell my Statistics class, “Half the world is below average.”
Survey: 38% of Americans won’t buy Corona beer ‘under any circumstances’ because of coronavirus outbreak



Friday, February 28, 2020




If Google has been keeping accurate records, this is Blog post # 5,000.




Will all new privacy bills try to be the toughest?
With Enhanced Facial Recognition Technology Protections, the New Washington Privacy Act Would Be the Strongest U.S. Privacy Bill
… This new bill is noteworthy due to the strength of its terms, which compare favorably to the California Consumer Privacy Act (CCPA). The Washington Privacy Act goes farther in certain areas, however: the ability to control personal data, opt-out rights, and requirements of explicit consent in the use of facial recognition technology.
A side-by-side analysis provided by the Future of Privacy Forum compares the Washington Privacy Act’s terms to both the CCPA and the European Union’s General Data Protection Regulation (GDPR).


(Related)
Tassanai Kiratisountorn, Pimchanok Eianleng, Anna Gamvros, and Ruby Kwok of Norton Rose Fulbright write:
The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published on 27 May 2019 in Thailand’s Government Gazette and became effective the following day. However, most of the operational provisions, including provisions relating to the rights of a data subject, the obligations of a data controller and the penalties for non-compliance, will become effective on 27 May 2020, 1 year after the PDPA was published.
The PDPA is under the supervision of the Ministry of Digital Economy and Society and the main supervising authority of the PDPA is the Office of Data Protection Committee (Office).
Read their summary of the key features of the law on Data Protection Report.




More on Clearview and the growing Face war…
A face recognition app used by thousands of law enforcement agencies, which has drawn considerable scrutiny in past weeks over its creator’s dubious data collection methods, contains code hinting at an unreported range of potential features, based on a version of the app discovered by Gizmodo.
Reporters were able to download the most recent Android version of the app
The app, which will not access Clearview’s face recognition system without a login, was found on an Amazon server that is publicly accessible.
… While not all of the app’s activity can be observed without a user account, reporters inspected data being sent to Google Analytics, Crashlytics, and App-Measurement, three companies that record basic details about any mobile devices running the app and tell Clearview whether the app is running smoothly. The app also grants access to Android’s Fine Location API, which determines the most precise location possible from available location providers, including the Global Positioning System (GPS) as well as wifi and mobile cell data.
Other bits of code appear to hint at features under development, such as references to a voice search option; an in-app feature that would allow police to take photos of people to run through Clearview’s database; and a “private search mode,” no further descriptions of which are available through surface-level access.
… The app also contains a script created by Google for scanning barcodes in connection with driver’s licenses. (The file is named “Barcode$DriverLicense.smali”.) Asked about the feature, Ton-That responded: “It doesn’t scan driver’s licenses.”
… In addition to more than 2,200 law enforcement agencies, BuzzFeed said, Clearview’s software had been sold to companies in 27 countries, including major U.S. retailers such as Macy’s, Walmart, and Best Buy.


(Related)
ICE has run facial-recognition searches on millions of Maryland drivers
The agency’s unlimited access to drivers’ photos has alarmed immigration and privacy activists, who fear it is being used to target immigrants who sought driver’s licenses after 2013
U.S. Immigration and Customs Enforcement officials have been permitted to run facial-recognition searches on millions of Maryland driver’s license photos without first seeking state or court approval, state officials said — access that goes far beyond what other states allow and that alarms immigration activists in a state that grants special driver’s licenses to undocumented immigrants.




Are you sure your mail is secure? The ‘scanning for evil’ technology could easily be modified to scan for other stuff.
Google Confirms New AI Tool Scans 300 Billion Gmail Attachments Every Week
… Google reckons that malicious documents currently represent 58% of all malware that targets Gmail users. Now Google is fighting back by employing "Deep Learning" AI to prevent this malware from reaching your inbox.




I’m trying to keep my students from becoming Luddites.
Einride shows how AI will create new kinds of jobs
Artificial intelligence (AI) will either destroy jobs or create new jobs — depending on which report you read. In truth, it’s probably a little of both — AI will undoubtedly replace human workers in some spheres, but it will also create new roles, many of which we can’t yet imagine. A recent report from PA Consulting, titled “People and machines: From hype to reality,” supports this theory and predicts AI is more likely to create jobs than destroy them.
The research behind this report, based on 750 cross-industry businesses in the U.K., found that 32% of respondents had invested in AI and automation in the last five years, split evenly across tools for cognitive and physical tasks. Of those that had invested, 43% reported an increase in jobs as a result, while 40% reported a reduction.




Ford sees itself as a transportation company, not just a car manufacturer. The scooter business allows them to create tools they want for their “car sharing service.”
Ford Takes Its Electric Scooter Company for a Spin Outside U.S.
Spin, the scooter-sharing service owned by Ford Motor Co., is expanding to new markets outside of the U.S.
The company will launch its first international fleet of electric scooters in Cologne, Germany, as soon as the spring, according to a statement. It will start with several hundred scooters and plans to increase the number quickly, though pricing hasn’t been decided. Spin also will apply in Paris for a scooter-sharing permit next month.



Thursday, February 27, 2020


How can you not follow even the simplest Best Practices? Was this more than a random hack?
Ransomware Attack in Florida Forces Prosecutor to Drop Charges in Drug Cases
When a ransomware attack hits an institution or company, expectations are roughly the same. People either pay to restore services, which doesn’t always guarantee a decryption key from the attackers, or they don’t pay and lose the information entirely. If they’re lucky, they have backups. [No luck required! Bob] The entire process is followed by the purchase of new equipment and services. This means the overall cost of a ransomware attack is usually much higher than the ransom itself, and way higher than the cost of avoiding the whole problem in the first place by setting up a security solution.
In the Stuart incident, the ransomware hit police servers and infrastructure, resulting in the loss of data that included evidence against various defendants. After the dust settled, the State Attorney’s Office had to drop 11 narcotic cases for loss of evidence.
Much of the non-physical evidence in a trial is stored on police computers. Things like photos and videos were wiped clean, setting back the prosecutorial process so much that it was impossible to continue with the cases.




The problem with collecting lots of data useful to hackers. (Perhaps they do not store the data on servers they own?)
Clearview AI has billions of our photos. Its entire client list was just stolen
Clearview AI, a startup that compiles billions of photos for facial recognition technology, said it lost its entire client list to hackers.
The company said it has patched the unspecified flaw that allowed the breach to happen.
In a statement, Clearview AI's attorney Tor Ekeland said that while security is the company's top priority, "unfortunately, data breaches are a part of life. Our servers were never accessed." He added that the company continues to strengthen its security procedures and that the flaw has been patched.
In a notification sent to customers obtained by Daily Beast, Clearview AI said that an intruder "gained unauthorized access" to its customer list, which includes police forces, law enforcement agencies and banks. The company said that the person didn't obtain any search histories conducted by customers.


(Related) Perhaps we need databases of all parts and pieces?
This AI needs your help to identify child abusers by their hands
Algorithms will match the suspect's hands to those found in images of abuse




Hacking the election with social engineering rather than social media.
Online 'Impersonator' Tried to Contact Campaigns, DNC Says
The Democratic National Committee has warned its presidential candidates to be cautious after Bernie Sanders’ campaign reported that an “impersonator” with a domain registered overseas had posed as one of its staffers and sought conversations with members of at least two other campaigns.
Bob Lord, the DNC’s chief security officer, wrote in an email to his party’s presidential campaigns on Wednesday that “adversaries will often try to impersonate real people on a campaign” to get people to “download suspicious files, or click on a link to a phishing site.” Lord said attackers may also try to set up a call or in-person meeting that they can record and publish.




Follow-up.
Nigerian man arrested 3 years after $850,000 stolen from Boulder Valley School District
Dara Bitler reports:
The Boulder County Sheriff’s Office says a Nigerian man has been arrested more than three years after $850,000 was stolen from the Boulder Valley School District in an email scam.
According to the arrest affidavit, Sherifdeen Mogaji, 39, was arrested on February 21 and booked into the Boulder County Jail on suspicion of theft of $100,000 to $999,000, computer crime and forgery.
Read more on KDVR.




Speeding the maturity of IoT?
Securing the Internet of Things through Class-Action Lawsuits
This law journal article discusses the role of class-action litigation to secure the Internet of Things.
Basically, the article postulates that (1) market realities will produce insecure IoT devices, and (2) political failures will leave that industry unregulated. Result: insecure IoT. It proposes proactive class action litigation against manufacturers of unsafe and unsecured IoT devices before those devices cause unnecessary injury or death. It's a lot to read, but it's an interesting take on how to secure this otherwise disastrously insecure world.
And it was inspired by my book, Click Here to Kill Everybody.




Perhaps Oceania has not always been at war with Eastasia?
Brave Browser Integrates Wayback Machine to View Deleted Web Pages
Bleeping Computer – “Brave Browser has now integrated the Wayback Machine to display web pages that have been removed from a web site or not available due to a web site issue. The Wayback Machine is a digital archive of the web that is operated by the nonprofit organization Archive.org. Using the Wayback Machine you can save snapshots of existing web pages for archival or retrieve archived versions to see changes over time or deleted pages. With today’s release of Brave Browser 1.4, when you visit a web page and it returns a ‘404 Not Found’ HTTP error code indicating that a page is missing, the browser will prompt you to load the page on the Archive.org’s Wayback Machine instead. As an example, Brave’s announcement uses the Whitehouse.gov’s Climate Change page that was deleted soon after Trump became president. When visiting the page in Brave, the web server will respond with a ‘404 Not Found’ error code, which will cause Brave to prompt you to check if a saved version is available on the Wayback Machine…”




For all my students.
How to protect your privacy on Instagram




Perhaps the ‘Next Big Thing’ hides in these?
10 Breakthrough Technologies 2020
  1. Unhackable internet
  2. Hyper-personalized medicine
  3. Digital money
  4. Anti-aging drugs
  5. AI-discovered molecules
  6. Satellite mega-constellations
  7. Quantum supremacy
  8. Tiny AI
  9. Differential privacy
  10. Climate change attribution




I guess not everyone has gone vegan.
Dunkin’s latest release is quite simply a bag of bacon
Starting Wednesday, Snackin' Bacon was available at Dunkin' restaurants nationwide.
What's that, you wonder? It's just like it sounds: Eight half-strips of bacon wrapped up in a sleeve.
"Here at Dunkin', we've been working hard to formulate the perfect afternoon pick-me-up [??? Bob] and really, what's better than a bag full of bacon?" the company said in a blog post.



Wednesday, February 26, 2020


Secure your systems, or else!
New York State Expected to Increase Enforcement of Cybersecurity Practices
Companies should take note of two imminent developments in New York in the area of cybersecurity regulation: enforcement of the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (Regulation) and the effective date of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act or Act). The Regulation and the Act both contain prescriptive cybersecurity requirements and new breach notification obligations for regulated organizations. The Act has a particularly broad reach, impacting any company that owns or licenses private information of New York residents.
The NYDFS Regulation originally came into effect on March 1, 2017, and provided for a two-year implementation plan for companies to develop a robust cybersecurity program.
In addition, on July 25, 2019, Governor Cuomo signed into law the SHIELD Act. Notably, the Act applies to any company that owns or licenses “private information” of New York residents – even organizations that do not conduct business in the state. The Act contains both expanded breach notification obligations (which have been in effect since October 2019) and specific requirements to maintain reasonable administrative, technical, and physical safeguards to protect personal information. These new substantive cybersecurity requirements will take effect on March 21, 2020.




Every student a potential criminal or terrorist?
‘Weapon Detecting AI’ is Now Scanning Students in South Carolina Schools
Over the past year, administrators at West Florence High School have deployed a variety of new surveillance technologies, embracing a distinct vision of the future of public education.
Earlier this year, the South Carolina district installed vape detectors—which come equipped with chemical sensors and microphones that send alerts directly to the principal—in bathrooms and hallways. During their first week of use, the devices caught 12 students. School-issued Chromebook laptops also now come pre-installed with Gaggle, a new breed of surveillance software that monitors students’ every action on the devices, both on and off school grounds.
And most recently, the metal detectors that stood sentinel at school entrances have disappeared. In their place, schools across Florence District 1 are now equipped with millimeter wave body scanners from Evolv Technology. The company claims that the devices, which are similar to modern airport scanners, can scan 60 people a minute using machine learning algorithms that detect guns, knives, and other threats, and then notify security guards exactly where the objects are on a person’s body.
Educators in places like Florence are understandably predisposed to spend that money and err on the side of caution. But student privacy and civil rights advocates worry that some districts are being hoodwinked by for-profit companies that promise more than their technology can deliver in order to capitalize on the fear of mass shootings.




Those who do not understand encryption are doomed to repeat this question.
Dan Sabbagh reports:
MI5’s director general has called on technology companies to find a way to allow spy agencies “exceptional access” to encrypted messages, amid fears they cannot otherwise access such communications.
Sir Andrew Parker is understood to be particularly concerned about Facebook, which announced plans to introduce powerful end-to-end encryption last March across all the social media firm’s services.
Read more on The Guardian.
[From the article:
Parker called on the tech firms to “use the brilliant technologists you’ve got” to answer a question: “Can you provide end-to-end encryption but on an exceptional basis – exceptional basis – where there is a legal warrant and a compelling case to do it, provide access to stop the most serious forms of harm happening?”]




In case you missed something.
FTC Releases 2019 Privacy and Data Security Update
The Federal Trade Commission today released its annual privacy and security update for 2019, highlighting a record year for enforcement actions aimed at protecting consumer privacy and data security.




Start planning...
Close to the Finish Line: Observations on the Washington Privacy Act
We wrote last week that Washington State seems poised to become the second US state to pass a major comprehensive privacy bill. The proposed Washington Privacy Act (WPA) would be mostly aligned with the EU’s GDPR, the global gold standard for data protection (although there are still some significant differences). Read our full comparison of the WPA with GDPR and other privacy laws. At a minimum, the WPA goes much further than the California Consumer Privacy Act (CCPA). Perhaps the most significant difference between the WPA and CCPA is that the WPA would require companies and even non-profits to obtain affirmative (“opt in”) consent for the collection of sensitive data, including biometric data and geolocation data.




Let’s talk about an architecture for education.
A Vision of AI for Joyful Education
In a 2013 post, Facebook CEO Mark Zuckerberg sketched out a “rough plan” to provide free, basic internet to the world and thus spread opportunity and interconnection. However, the United Nations Human Rights Council reported that, in Myanmar, Facebook’s efforts to follow through on such aspirations accelerated hate speech, fomented division, and incited offline violence in the Rohingya genocide. Free, basic internet now serves as a warning of the complexities of technological impact on society. For Chris, an AI researcher in education, and Lisa, a science educator and student of international cyber policy, this example gives pause: What unintended consequences could AI in education have?




Does this make them a target for a bunch of lawsuits?
Musicians Algorithmically Generate Every Possible Melody, Release Them to Public Domain
Two programmer-musicians wrote every possible MIDI melody in existence to a hard drive, copyrighted the whole thing, and then released it all to the public in an attempt to stop musicians from getting sued.




Freebies!
Smithsonian Releases 2.8 Million Images Into Public Domain
Smithsonian Magazine – “Culture connoisseurs, rejoice: The Smithsonian Institution is inviting the world to engage with its vast repository of resources like never before. For the first time in its 174-year history, the Smithsonian has released 2.8 million high-resolution two- and three-dimensional images from across its collections onto an open access online platform for patrons to peruse and download free of charge. Featuring data and material from all 19 Smithsonian museums, nine research centers, libraries, archives and the National Zoo, the new digital depot encourages the public to not just view its contents, but use, reuse and transform them into just about anything they choose—be it a postcard, a beer koozie or a pair of bootie shorts. And this gargantuan data dump is just the beginning. Throughout the rest of 2020, the Smithsonian will be rolling out another 200,000 or so images, with more to come as the Institution continues to digitize its collection of 155 million items and counting. “Being a relevant source for people who are learning around the world is key to our mission,” says Effie Kapsalis, who is heading up the effort as the Smithsonian’s senior digital program officer. “We can’t imagine what people are going to do with the collections. We’re prepared to be surprised.”
The database’s launch also marks the latest victory for a growing global effort to migrate museum collections into the public domain. Nearly 200 other institutions worldwide—including Amsterdam’s Rijksmuseum, New York’s Metropolitan Museum of Art and the Art Institute of Chicago—have made similar moves to digitize and liberate their masterworks in recent years. But the scale of the Smithsonian’s release is “unprecedented” in both depth and breadth, says Simon Tanner, an expert in digital cultural heritage at King’s College London…”