Saturday, June 20, 2020


Learn from the mistakes of others (or make the same mistakes yourself).
The UK’s contact tracing app fiasco is a master class in mismanagement
There are advantages to being one of the world’s largest single-payer health-care systems. For the UK’s National Health Service, the NHS, big data is increasingly one of them.
Its Recovery Trial, launched early in the coronavirus outbreak to collect information from across the system, has led to the discovery of dexamethasone as one of the most promising life-saving treatments for the novel coronavirus. In other areas of medicine, its cancer data store, now nearly a decade old, is one of the world’s richest sources of clinical data for cancer research.
So it was hardly surprising that when UK ministers proposed a contact tracing smartphone app, NHS officials saw an opportunity to create a world-leading piece of technology.
But on Thursday the British government announced that it was ditching its original plan in favor of a much simpler backup option—drawing criticism and anger, and leaving many concerned about the prospect of contact tracing technology in general. What happened?


(Related)
Maryam Casbarro of Davis Wright Tremaine takes a look at potential risks for firms, writing, in part:
The nature of contact tracing apps provides a number of parties in the data ecosystem with a broad set of data that could be used either purposefully or unintentionally and shared for purposes other than contact tracing. For example, it was recently revealed that public health authorities in North Dakota and South Dakota had rolled out a contact tracing app that shared location data with an outside location data aggregator, contrary to the app’s Privacy Policy.
Surreptitious data sharing (or other practices of the like) may expose the companies developing and/or deploying the contact tracing apps to typical privacy claims: collecting data beyond the scope of what the individual agreed to may lead to claims of intrusion upon seclusion, violation of constitutional rights to privacy, and breach of contract. Moreover, state laws, such as the California Consumer Privacy Act, permit consumers to prohibit sharing their data with third parties.
If the contact tracing technology collects more data than was consented to by consumers, or if the data—without notice or consent—is linked with other information about an individual to create profiles of specific individual consumers, the entities that develop and deploy the app may be subject to state “unfair and deceptive acts and practices” claims.
Read more on the firm’s Privacy & Security Law Blog.




Keep up!
French Privacy Watchdog Offers New Guidance for Web Scraping and Its Use in Direct Marketing
Explicit General Data Protection Regulation (GDPR) guidance on the subject of web scraping for purposes of direct marketing has finally been laid out to the public following the publication of a set of guidelines by France’s data watchdog, the CNIL.
According to the new recommendations, published on April 20, publicly available contact information belonging to individual people that is gathered online by companies with the intention of selling it on to third parties for direct marketing purposes (a process known as ‘web scraping’ or ‘data extraction’) should be regarded as still being personal data, even if the data is publicly available.




Link to the sessions...
Frank Ready reports:
On Thursday, data protection provider WireWheel continued its two-day privacy technology virtual conference—Spokes 2020—with a series of webinars examining how compliance professionals are adapting to some of the significant cultural shifts taking place across the nation. Topics ranged from the impact of COVID-19 on privacy programs to the challenges that poor data practices pose to diversity and inclusion.
While data and tech factored into the discussion, the “Privacy Leaders Panel” spent a significant portion of its runtime mulling some of the very human problems impacting the space. Panelist Barbara Lawler, chief privacy and data ethics officer at Looker, addressed the challenges of attempting to maintain team unity when COVID-19 makes physical proximity a liability.
Read more on Law.com.




Is this the model law I’ve been waiting for?
From EPIC.org:
[On June 18], the New York City Council passed the Public Oversight of Surveillance Technology (POST) Act, a law that enables public oversight of surveillance technologies used by the New York Police Department. The POST Act will require the police to publish documents explaining their use of surveillance technologies, accept public comments about them, and provide a final surveillance impact and use policy to the public. EPIC has worked for years to focus public attention on the privacy impact of emerging surveillance technologies, and has pursued open government cases against the FBI and other law enforcement agencies to release information about cell site simulators and other surveillance technologies. EPIC has recently launched a project to track and review algorithms used in the criminal justice system.
The New York Times covered the new law here.




Yes, it’s a nit but we choose to pick it.
Daniel R. Stoller reports:
Alphabet Inc.’s Google said a California federal court should dismiss a lawsuit alleging the company violated an Illinois law that protects biometric identifiers such as fingerprints, because the statute doesn’t pertain to photographs.
The plaintiffs accuse the company of creating faceprints from consumer photos, not actual people, so the Illinois Biometric Information Privacy Act doesn’t apply, Google told the U.S. District Court for the Northern District of California.
Read more on Bloomberg Law.




Perspective. Clearest indication yet that software (think: self-driving) has moved to a place as significant as engine design. Manufacturers no longer feel comfortable outsourcing this work.
VW vows to go it alone on software despite mishaps
Carmaker rules out working with tech companies in order to “retain control” of vehicle data



Friday, June 19, 2020


Acts of war? Soon, someone is going to say, “Enough!” Will they respond with bytes or bombs?
Australia cyber attacks: PM Morrison warns of 'sophisticated' state hack
Australia's government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says.
He declined to identify a specific state actor and said no major personal data breaches had been made.
The attacks have happened over many months and are increasing, he said.
The prime minister said his announcement on Friday was intended to raise public awareness and to urge businesses to improve their defences.
But he stressed that "malicious" activity was also being seen globally, making it not unique to Australia.


(Related) Perhaps attacks on critical/beloved infrastructure (Beer!) will be the trigger.
Ransomware Attack Confirmed by Australia-Based Beverage Manufacturer


(Related)
Hidden Cyber War Between Israel and Iran Spills Into Public View With Attacks on Physical Infrastructure
For decades now there has been something of a tacit agreement among nations that spying and hacking are not enough to constitute acts of war, and that these battles are to be kept in the shadows for the most part. The general public is occasionally impacted by this quiet cyber war in the form of a personal information breach or a state-sponsored raid on the confidential assets of a private company, but attackers have generally stopped short of executing virtual attacks that create real damage in the physical world.
Israel and Iran have crossed that line in recent months, and may be redefining the terms of cyber warfare. Attacks by each on the opposite’s public utilities and ports have caused physical disruptions that impact the general civilian population, a move that could force a change in the unspoken rules of cyber defense as non-government entities are increasingly drawn into the fray.




Worth reading. I keep thinking about labor related protests and strikes that seem to have some immunity from such active prosecution. Is that just me?
The FBI used a Philly protester’s Etsy profile, LinkedIn, and other internet history to charge her with setting police cars ablaze
As demonstrators shouted, fires burned outside City Hall, and Philadelphia convulsed with outrage over the death of George Floyd, television news helicopters captured footage of a masked woman with a peace sign tattoo and wearing a light blue T-shirt setting a police SUV ablaze.
More than two weeks after that climactic May 30 moment, federal authorities say they’ve identified the arsonist as 33-year-old Philadelphia massage therapist Lore Elisabeth Blumenthal by following the intricate trail of bread crumbs she left through her social media history and online shopping patterns over the years.
The path took agents from Instagram, where amateur photographers also captured shots of the masked arsonist, to an Etsy shop that sold the distinctive T-shirt the woman was wearing in the video. It led investigators to her LinkedIn page, to her profile on the fashion website Poshmark, and eventually to her doorstep in Germantown.
Their pursuit, described in court filings this week, sheds light on the extent to which the FBI and Justice Department have used news footage, online histories, and social media footprints to track down and identify demonstrators believed to be responsible for acts of violence or property destruction.




Clearly location data is useful in many ways. Will we become dependent on it? Could it even become mandatory?
AI model uses smartphone location data to predict power grid usage
In a paper published on the preprint server Arxiv.org, Microsoft and the University of Washington researchers propose an AI system that uses smartphone location data to forecast electrical load. They say their architecture, which takes into account data from geographical regions both within the U.S. and Europe, can outperform conventional forecasting methods by more than three times.
The pandemic shows no sign of abating, and it’s made a striking impact on the global electrical grid.




Another set of opinions. Useful until we get AI to take over.
The Bigot in the Machine: Bias in Algorithmic Systems
The New York Technical Services Librarians, an organization that has been active since 1923 – imagine all that has happened in tech services since 1923! – invited me to give a talk about bias in algorithms. They quickly got a recording up on their site and I am, more slowly, providing the transcript. Thanks for the invite and all the tech support, NYTSL.
Abstract: “We are living in an “age of algorithms.” Vast quantities of information are collected, sorted, shared, combined, and acted on by proprietary black boxes. These systems use machine learning to build models and make predictions from data sets that may be out of date, incomplete, and biased. We will explore the ways bias creeps into information systems, take a look at how “big data,” artificial intelligence and machine learning often amplify bias unwittingly, and consider how these systems can be deliberately exploited by actors for whom bias is a feature, not a bug. Finally, we’ll discuss ways we can work with our communities to create a more fair and just information environment.
I want to talk about what we mean by “the age of algorithms,” and about how bias creeps into or is purposefully designed into algorithmic systems using examples in public health surveillance and in law enforcement. We’ll talk about how racists exploit the affordances of these systems to pollute our information environment. Finally, because I want to be hopeful, we’ll talk about some of the ways people are applying anti-racism to address the bigot in the machine and what we can do as librarians…”




This could be a handy tool.
Google’s new Chrome extension lets you link directly to specific text on a page
Link to Text Fragment is a new Chrome Extension from Google that lets you generate URLs to specific text on a webpage, regardless of the page’s formatting.
With the extension installed, simply highlight the text you want to link to, right click, and select “Copy Link to Selected Text.” This can then be shared and opened by anyone using a compatible browser. For example, clicking this link in Chrome or Edge will bring you directly to a highlighted section at the bottom of the article.




Travel for shut-ins.
Explore the Royal Academy of Arts in Google's Arts & Culture Apps
This morning Google announced a new collection with the Arts & Culture site. That collection features the Royal Academy of Arts.
The highlight of the Royal Academy of Arts collection within Google Arts & Culture is a collection of 31 online exhibits. The exhibits tell the stories of the artists and art showcased in the Royal Academy of Arts collections. You can also take a virtual tour through the Academy and some of the galleries. Visitors can navigate through the tour much like navigating in Google Street View imagery.



Thursday, June 18, 2020


Something my Computer Security students should read carefully.
Stopping Hackers in Their Tracks
A nightmare scenario for many organizations recently became one Atlanta-based tech company’s reality. But the steps the company took before and after their sensitive data was stolen by a hacker in 2018 helped the FBI identify and arrest the culprit.
Christian Kight used his computer programming skills to hack into various businesses for money while on parole for previous crimes. Kight downloaded scripts from hacker forums and used them to attack company networks.
In the case of the Atlanta company, Kight spent a few weeks hacking into the company’s network, using various tactics to hide his identity. He then downloaded the data to his own computer and deleted it from the company’s systems.
Once he had the data, Kight emailed the company’s CEO to demand payment in exchange for the data—but he insisted that it wasn’t extortion.
“And no, I’m really NOT an extortionist, I would like to see how much you think it’s worth, and if it’s fair, we’ll leave it at that,” Kight wrote, according to court documents.
But whether you call it extortion or not, stealing data and demanding money to have it returned is illegal.
“The data that he took is really valuable,” said Special Agent Tyson Fowler, who investigated this case out of the FBI’s Atlanta Field Office. “He threatened to release this data if they didn’t pay him the ransom.”
The company contacted the FBI and got to work on both restoring their data and assisting in the investigation. Fortunately, the company had a robust backup system, so employees restored the data within days.
Additionally, the company shared critical information from its network’s access logs and other records, which helped the FBI track the IP address of the hacker. After getting a search warrant based on that information, agents found overwhelming evidence against Kight in his San Clemente, California home.
“In the cyber world, it’s very hard to secure a network to the point that it’s never breachable, but you can make it as difficult as possible to break in,” Fowler said.
If someone does break into a network, having strong activity logging on the network in place beforehand can help authorities track the hacker.
The cooperation from the victim company was critical in this case.
Last December, Kight pleaded guilty to extortion, computer fraud, and wire fraud. He was sentenced in March to more than seven years in prison.
Source: The FBI




Who do you want to win and by how much?
Feds, states unveil pilot program meant to secure voter databases and other election systems
The pilot program will focus on making the software that’s used in election systems more secure as it is developed, and before it is deployed. The aim is to close a gap in security testing for the broad set of election infrastructure outside of voting machines, which are already the subject of voluntary federal security guidelines.
“There is no standard process for verifying that non-voting election technology is secure, reliable, and usable,” said the nonprofit Center for Internet Security, which is spearheading the pilot program.


(Related)
Online Voting Platform in Three U.S. States Vulnerable to Multiple Types of Attacks
Security researchers from the Massachusetts Institute of Technology (MIT) and the University of Michigan found numerous security issues and vulnerabilities within Democracy Live’s OmniBallot platform.
The COVID-19 pandemic is pushing more states to look into the possibility of letting constituents vote online. Some states in the U.S. already have this option, while others are adapting existing systems to suit their needs. The same is true for the OmniBallot platform, which is used for blank ballot delivery, ballot marking, and (optionally) online voting.




A wise reversal of strategy.
Zoom says free users will get end-to-end encryption after all




If they can do this, what else follows?
FB Claims Pivot from 2016 Election Tactics to one of user choice
“After announcing this feature earlier this year we are now making it available as part of our preparations for the 2020 US elections. Starting today for some people and rolling out to everyone in the US over the next few weeks, people will be able to turn off all social issue, electoral or political ads from candidates, Super PACs or other organizations that have the “Paid for by” political disclaimer on them. You can do this on Facebook or Instagram directly from any political or social issue ad or through each platform’s ad settings. However, we know our system isn’t perfect. So if you’ve selected this preference and still see an ad that you think is political, please click the upper right corner of the ad and report it to us…”



Wednesday, June 17, 2020


Nothing new, but I’m beginning to wonder if this is how they pay their hackers.
North Korea's state hackers caught engaging in BEC scams
At the ESET Virtual World security conference on Tuesday, security researchers from Slovak antivirus maker ESET have disclosed a new operation orchestrated by the Pyongyang regime's infamous state-sponsored hacker crews.
Codenamed "Operation In(ter)ception," this campaign targeted victims for both cyber-espionage and financial theft.




Like so much meat.
People Are Worth $1,285 on the Dark Web, New Study by Privacy Affairs Finds
A new press release by Privacy Affairs offers an updated estimate about what we are worth on the dark web. The researchers’ Dark Web Price Index indicates:
  • Online banking logins cost an average of $35
  • Full credit card details including associated data cost $12-20
  • A full range of documents and account details allowing identity theft can be obtained for $1,500
The report notes that a full range of documents and account details allowing identity theft can be obtained for $1285, which includes:
  • Stolen online banking logins, min. $100 on account: $35
  • U.S. driving license, high quality: $550
  • Auto insurance card: $70
  • Wells Fargo bank statement with transactions: $80
  • Europe national ID card: $550
  • Total: $1,285
Criminals can switch the European ID for a U.S. passport for an additional $950, bringing the total to $2,235 for enough data and documents to do any number of fraudulent transactions.
The full Dark Web Price Index 2020 can be found at https://www.privacyaffairs.com/dark-web-price-index-2020/




Should it also scream, “Hey! I’m lawyered up dude.”
‘Hey Siri, I’m getting pulled over’ shortcut makes it easy to record police
As protests against racial police violence have spread across the US, we’ve seen how video captured on mobile devices can help identify misconduct by law enforcement. But such evidence isn’t just useful at a protest, but during all sorts of routine interactions with the police, including traffic stops. That’s why the Siri shortcut “I’m getting pulled over” exists.
Once you load this (free) shortcut onto your iPhone, all you need to do is say “Hey Siri, I’m getting pulled over” and it will kickstart a chain of events. It will dim your phone, pause any music being played, and start recording video from your front-facing camera. It can also send your current location and a copy of that video to an emergency contact, though you’ll need to confirm a few pop-up messages to complete these steps.




Sometimes I wonder if Facebook has a strategy for dealing with the information on its system. Perhaps they only trust what they create themselves?
Mark Zuckerberg: Historic Facebook campaign will boost voter registration, turnout and voices
To achieve this, we're creating a new Voting Information Center with authoritative information, including how and when to vote, as well as details about voter registration, voting by mail and information about early voting. We'll also include posts from state election officials and verified local election authorities. We'll show this center at the top of the Facebook News Feed and on Instagram to make sure everyone gets a chance to see it.


(Related) Now if only we could turn off politicians...
Mark Zuckerberg says Facebook will allow users to turn off political ads
Facebook CEO Mark Zuckerberg on Tuesday announced the social network will allow its users to turn off seeing political ads.
“For those of you who’ve already made up your minds and just want the election to be over, we hear you — so we’re also introducing the ability to turn off seeing political ads,” Zuckerberg wrote in an op-ed published on USA Today. “We’ll still remind you to vote.”




Not real, yet.
Take this dystopian job interview with an AI hiring manager to experience what life could be like if machines fully take over the workplace
In a new online interactive experience, "An Interview With Alex," Chinese-born and New York City-based multimedia artist Carrie Sijia Wang lets people imagine that world by taking them through a job interview conducted entirely by an AI hiring manager.
Over the course of around 12 minutes, Alex analyzes your facial expressions, speech patterns, and answers to abstract puzzles and intrusive questions like the one above, which Wang told Business Insider are based on a famous study that tried to create intimacy between people by having them ask each other 36 personal questions.




Fewer billable hours? That probably won’t last.
4 Ways Coronavirus May Forever Change Legal Tech
Law360: “When the novel coronavirus closed down courthouses and law firms, technology allowed attorneys, their clients and judges to move litigation forward without jeopardizing public health. Some of those emergency fixes could stick around even after life returns to normal. Legal experts say embracing remote technology has boosted efficiency, transparency and access to the courts. Here are some of the top tech fixes that attorneys hope will stick around after the pandemic...