Saturday, May 08, 2021

Retirement plan: Move to Brazil, start a “hacking for fun and profit” school with free tuition, accept 10% of each graduate’s first job.

https://www.cpomagazine.com/cyber-security/ransomware-recovery-costs-more-than-double-in-a-year-now-average-1-85-million/

Ransomware Recovery Costs More Than Double in a Year, Now Average $1.85 Million

A new report from cybersecurity firm Sophos indicates that ransomware recovery costs have shot up in the past year, with the average case approaching $2 million in total expenses. This is up from an average of $761,000 in 2020.

Organizations are also not finding that paying the ransom circumvents the expensive cleanup; only 8% report recovering all of their data after an attack, and 29% only recovered about half of their data. While ransomware recovery costs have ballooned to an average of 10x the usual ransom demand, it is increasingly apparent that this spending will be inevitable following a breach of this type.





Keeping up.

https://www.pogowasright.org/a-roundup-of-ccpa-court-decisions-i-only-know-of-7/

A Roundup of CCPA Court Decisions (I Only Know of 7)

Eric Goldman writes:

This post recaps the court decisions analyzing the California Consumer Privacy Act (CCPA) so far. I only know of seven opinions as of May 1, 2021, a number that struck me as surprisingly small. (If you think I’m missing any, please email me).
Overview
CCPA lawsuits generally fit into one of the following four categories:
  • Data breach Private Right of Action (PRA). Since Jan. 1, 2020, the CCPA authorizes a private right of action with respect to certain data breaches. I expected this would be a popular claim; I thought plaintiffs would allege it in every data breach lawsuit. We’ve seen many of those filings, but few of the cases have issued opinions yet. 16 months isn’t very long in the lifespan of litigation, so this jurisprudence is still emerging.
  • AG enforcement. The AG’s office gained partial enforcement power on July 1, 2021 (the remainder in August 2020). An AG enforcement will produce a court opinion only if the parties actually fight in court, which businesses are reluctant to do. Plus, the CCPA also gives businesses a mandatory cure period, which further reduces the odds of litigated disputes. I’m not aware of any AG enforcements of the CCPA spilling into court. In fact, I’m not aware of any publicized CCPA enforcement actions–a surprising stat given the target-rich enforcement environment.
  • Non-data breach PRA. The CCPA does not authorize PRAs for any statutory violations other than specified data breaches. Some plaintiffs have asserted those CCPA claims anyways. They will fail.
  • Constitutional challenges. In the CCPA’s early days, I heard a lot of chatter that unhappy businesses were going to challenge the CCPA, but I don’t believe any lawsuits were ever filed. Given the CCPA’s imminent deprecation due to the CPRA, I don’t expect any court challenges to the CCPA to emerge at this point.

TL;DR: it’s been pretty quiet on the CCPA litigation front so far.

Read his roundup of case summaries on Technology & Marketing Law Blog.





Pretty serious disruption of business models, will this stand?

https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/

96% of US users opt out of app tracking in iOS 14.5, analytics find

Some of the first data on user behavior exceeds advertisers' worst fears.

It seems that in the United States, at least, app developers and advertisers who rely on targeted mobile advertising for revenue are seeing their worst fears realized: Analytics data published this week suggests that US users choose to opt out of tracking 96 percent of the time in the wake of iOS 14.5.





Not California?

https://www.npr.org/2021/05/07/982709480/massachusetts-pioneers-rules-for-police-use-of-facial-recognition-tech

Massachusetts Pioneers Rules For Police Use Of Facial Recognition Tech

Massachusetts lawmakers passed one of the first state-wide restrictions of facial recognition as part of a sweeping police reform law.

Police must now have a court order before they can compare images to the database of photos and names held by the RMV, the FBI, or Massachusetts State Police.

"It prevents the use of it by the police when it's not relevant to an investigation, which is an important but fairly low standard. That means [law enforcement] can't track someone in their personal life for personal reasons, like an ex-spouse, and so it prevents the most bald-faced types of potential misuse," said Rose.

The new legislation also requires law enforcement to document their searches and eventually statistics on their searches will be made public. Whether or not the information will be disclosed to defendants is a question that's been put off to future legislation and a new commission.

The new law creates a commission to study due process and facial recognition as well as the technology's ability to identify people of different races, genders and ages and to provide recommendations for future use.

Even though local law enforcement can only contract with the RMV, State Police, and the FBI, nothing is stopping the FBI or State Police from contracting with a private company, which local law enforcement would then have access to.





The post-Covid return to the office.

https://dilbert.com/strip/2021-05-08



Friday, May 07, 2021

How do you measure up?

https://www.databreaches.net/heres-the-breakdown-of-cybersecurity-stats-only-law-firms-usually-see/

Here’s the breakdown of cybersecurity stats only law firms usually see

Joe Uchill has a good interview with Craig Hoffman of BakerHostetler about their recent report that includes their extensive incident response experiences handling ransomware incidents.

BakerHostetler has always been one of my most trusted resources on breach responses, as they are quite blunt about their advice — even when it may be what government or other companies promote. They were the first to be clear that despite the warnings about not getting data back even if you pay ransom, almost all of their clients who paid ransom did get their data back. But that was with experts involved in making the decision to pay or not pay.

Read more on SC Magazine.





Previews of coming attractions?

https://www.pogowasright.org/austrian-dpa-has-option-to-fine-google-up-to-e6-billion/

Austrian DPA has option to fine Google up to €6 billion

From noyb.eu:

Google continues to send data from EU websites to the US – despite two Court of Justice rulings. Austrian Data Protection Authority could fine Google up to €6 billion.

Last summer, the European Court of Justice (CJEU) ruled – already for the second time – that US surveillance laws generally make the transfer of personal data from the EU to the US illegal. Google continues to ignore this decision and now argues before the Austrian DSB (PDF) that it may continue to transfer data on millions of visitors of EU websites to the US – in blatant contradiction to the GDPR. The Austrian data protection authority (DSB) now has the option to fine Google up to €6 billion under the GDPR.

Read more on noyb.eu.





What level of un-biased accuracy would bring it back? 90%? 99%?

https://nypost.com/2021/05/06/states-push-back-against-use-of-facial-recognition-by-police/

States push back against use of facial recognition by police

At least seven states and nearly two dozen cities have limited government use of the technology amid fears over civil rights violations, racial bias and invasion of privacy. Debate over additional bans, limits and reporting requirements has been underway in about 20 state capitals this legislative session, according to data compiled by the Electronic Privacy Information Center.

Complaints about false identifications prompted Amazon, Microsoft and IBM to pause sales of their software to police, though most departments hire lesser-known firms that specialize in police contracts. Wrongful arrests of Black men have gained attention in Detroit and New Jersey after the technology was blamed for mistaking their images for those of others.



(Related)

https://www.cpomagazine.com/data-privacy/eu-proposes-heavy-regulation-of-high-risk-artificial-intelligence-as-activists-call-for-facial-recognition-ban/

EU Proposes Heavy Regulation of “High Risk” Artificial Intelligence as Activists Call for Facial Recognition Ban

EU officials are considering wide-ranging regulation that would include heavy restrictions on a range of “high risk” AI applications as well as facial recognition systems used by law enforcement. A leaked document also indicates that a facial recognition ban for cases of “indiscriminate” and “generalized” mass surveillance is also being considered, but privacy watchdogs in the region would like to see things taken a step further and have the technology made entirely unavailable to the police.

An AI application categorized as “high risk” would be subject to special inspections, including examination of how its data sets are trained. These would include financial applications, college admissions, employment and critical infrastructure among other examples. Some categories might face an outright ban if deemed to be an “unacceptable risk”; examples cited here include “manipulating behavior to circumvent free will,” “targeting vulnerable groups” and using “subliminal techniques.” The risk level of an application would be determined by specific criteria including intended purpose, the number of people potentially affected and how irreversible the potential harm might be. The majority of AI applications, those that use relatively simple rule-based systems (such as chatbots and video games), would be considered low enough risk to not be subject to these regulations.





Still a bit unclear. This looks like a support organization for “privacy vendors.”

https://www.coindesk.com/organizations-data-privacy-protocol-alliance-dppa

Over 20 Organizations Form Alliance to Focus on Data Privacy and Monetization

Over 20 businesses worldwide announced the creation of the Data Privacy Protocol Alliance (DPPA) yesterday. DPPA is set to build a decentralized blockchain-based data system that it hopes will compete against data monopolies such as Google or Facebook by allowing users to take control of their own data.

Specifically, the Data Privacy Protocol Alliance will develop a set of guidelines and specifications for a version of CasperLabs’ layer-one blockchain “optimized for data sharing, data storage, data ownership, and data monetization,” according to the announcement.

The Casper Network is a proof-of-stake network where businesses can build private or permissioned applications. The network also claims to offer upgradeable smart contracts, predictable gas fees and the ability to support scale.





All self-driving cars are the Terminator in disguise. Hence, “Terminator bias!”

https://www.bespacific.com/judging-autonomous-vehicles/

Judging Autonomous Vehicles

Rachlinski, Jeffrey John and Wistrich, Andrew J., Judging Autonomous Vehicles (March 17, 2021). Available at SSRN: https://ssrn.com/abstract=3806580 or http://dx.doi.org/10.2139/ssrn.3806580

“The introduction of any new technology challenges judges to determine how it fits into existing liability schemes. If judges choose poorly, they can unleash novel injuries on society without redress or stifle progress by overburdening a technological breakthrough. The emergence of self-driving, or autonomous, vehicles will present an enormous challenge of this sort to judges, as this technology will alter the foundation of the largest source of civil liability in the United States. Although regulatory agencies will determine when and how autonomous cars may be placed into service, judges will likely play a central role in defining the standards for liability for them. How will judges treat this new technology? People commonly exhibit biases against innovations such as a naturalness bias, in which people disfavor injuries arising from artificial sources. In this paper we present data from 933 trial judges showing that judges exhibit bias against self-driving vehicles. They both assigned more liability to a self-driving vehicle than they would to a human-driven vehicle and treated injuries caused by a self-driving vehicle as more serious than injuries caused by a human-driven vehicle.”





Tools.

https://www.freetech4teachers.com/2021/05/knowt-now-offers-public-galleries-of.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+freetech4teachers/cGEY+(Free+Technology+for+Teachers)

Knowt Now Offers Public Galleries of Notes, Flashcards, and Quizzes

Knowt is a neat service that I've featured a few times over the last couple of years. It's a service that will automatically generate flashcards and quizzes from any document that you import into it. The latest update to Knowt provides registered teachers and students with a public gallery of notes, quizzes, and flashcards.

Now when you sign into a free Knowt account you have the option to browse for notes, flashcards, and quizzes according to subject area. There is also a gallery of notes, quizzes, and flashcards based on popular textbooks. All of the notes, quizzes, and flashcards found through the public galleries in Knowt can be copied directly into your account where you can modify them as you like.

Here's Knowt's promo video for their new galleries of notes, quizzes, and flashcards. And here's my overview of how to use Knowt to create your own notes, quizzes, and flashcards by importing a document into your account.



Thursday, May 06, 2021

Some interesting examples.

https://thenextweb.com/news/signals-instagram-ad-exposes-facebook-targetted-ads-data-collection

Signal’s smartass ad exposes Facebook’s creepy data collection

Facebook is notorious for generating creepily personal ads from reams of user data, but most people don’t understand how the system works.

Now, an attack ad campaign by Signal has shone some light on the opaque surveillance dragnet.

The privacy-focused messaging app tried to buy “multi-variant targeted” ads on Instagram to show what parent company Facebook knows about its users.

The campaign aimed to expose how Facebook’s array of services harvest user information to personalize ads. Advertisers can use the enormous range of data points to target audiences based on their location, age, demographics, interests, and behavior.

The resulting adverts can be eerily intimate and potentially harmful. Just last week, researchers found that Facebook had allowed advertisers to target teenage children interested in smoking, gambling, and extreme weight loss.

Signal’s plan was to use Facebook’s own tools to highlight these practices.

“The ad would simply display some of the information collected about the viewer which the advertising platform uses,” Signal said in a blog post. “Facebook was not into that idea.”

According to Signal, Facebook promptly disabled the ad account. Facebook denied that the account has been shut down and dismissed the ads as a publicity stunt. But Signal has maintained the claim.

The company also shared examples of what Facebook ads would look like if they were open about the targeting.





The NSA seems to enjoy writing to obfuscate. They think it shows everyone how smart they are.

https://www.bespacific.com/this-is-the-nsas-650-page-guide-to-the-internet/

This Is the NSA’s 650-Page Guide to the Internet

Vice – ‘Untangling the Web’ was a bizarre testament to the NSA’s understanding of how the internet worked. The National Security Agency’s 2007 guide to the internet begins with a description of an ancient Persian library and a fragment of analysis of a Jorge Luis Borges short story. This introduction to the 650-page document, titled ‘Preface: The Clew to the Labyrinth,’ contains 8 footnotes and ends on a word of caution. “As we enjoy, employ, and embrace the Internet, it is vital we not succumb to the chauvinism of novelty, that is, the belief that somehow whatever is new is inherently good, is better than what came before, and is the best way to go or the best tool to use,” the NSA said of the internet… Though the document was originally made public in 2013, it’s been getting some new attention on The Government Attic, a repository of government documents…”





Does “share with the public” really mean “share with anyone?” Can I limit what you do with data I flag as “public?”

https://www.databreaches.net/scraping-episodes-highlight-debate-over-anti-hacking-laws-scope/

Scraping Episodes Highlight Debate Over Anti-Hacking Law’s Scope

Andrea Vittorio reports:

Recent data scraping incidents at Facebook Inc. and LinkedIn Corp. highlight an ongoing debate over whether companies can invoke an anti-hacking law to restrict rivals or other actors from harvesting information from people’s online profiles.
The issue could reach the U.S. Supreme Court, in a case over a data-scraping dispute between LinkedIn and workforce analytics startup hiQ Labs Inc. The court is being asked to review hiQ’s ability to gather user information from the job search site, testing the applicability of the Computer Fraud and Abuse Act to data that’s publicly available online.

Read more on Bloomberg Law.





Perspective. Is Facebook really that powerful?

https://www.npr.org/2021/05/06/994063372/why-facebooks-decision-on-trump-could-be-make-or-break-for-his-political-future

Why Facebook's Decision On Trump Could Be 'Make Or Break' For His Political Future

Facebook's Oversight Board on Wednesday essentially punted the decision back to the company on whether to eventually allow former President Donald Trump back on Facebook and Instagram. What the social media giant decides in the coming months will likely have major consequences for Trump's political power.

"It could be a make-or-break moment for Trump's political future," said Eric Wilson, a Republican political technologist.

That's because being on Facebook is crucial for modern-day political campaigns, as a majority of Americans use the platform and those who do log into it multiple times daily. Facebook has become crucial for raising money and for targeting supporters and swing voters, something the Trump campaign did in unprecedented ways. The majority of online ad dollars go to either Facebook or Google.

"Even with all the resources Donald Trump has," Wilson said, "Facebook is so much bigger than that, that you can't get around it."





These could be useful the next time I teach Excel.

https://www.makeuseof.com/tag/10-helpful-spreadsheet-templates-help-manage-finances/

15 Personal Finance Excel Spreadsheet Templates for Managing Money



Wednesday, May 05, 2021

We trust too much?

https://venturebeat.com/2021/05/04/securelink-51-of-organizations-experienced-a-third-party-data-breach/

SecureLink: 51% of organizations experienced a third-party data breach

A new Ponemon Institute report found that 51% of organizations have experienced a data breach caused by a third party.

Findings revealed that organizations are not taking the necessary steps to reduce third-party remote access risk, and are exposing their networks to security and non-compliance risks. As a result, 44% of organizations have experienced a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third parties.

Read SecureLink’s full report, A Crisis in Third Party Remote Access Security.





The first thing to do in any European war is to overrun Belgium.

https://news.softpedia.com/news/belgium-was-hit-by-a-massive-cyberattack-532812.shtml

Belgium Hit by Massive Cyberattack

Belgium was hit by a major cyberattack on Tuesday, according to Belgian media, affecting many of the country's most important institutions. Its source is still unknown.

The attack was a major distributed denial of service (DDoS) attack that took down both internal and public-facing networks.

Hackers targeted Belnet, Belgium's government-founded Internet Service Provider that connects national government organizations such as the Parliament, ministries, educational institutions, and research centers. In addition, all the websites hosted on the .be top-level domain were affected.

It is estimated that more than 200 Belgian government agencies have been affected by the attack. Although Belnet claims the situation is currently stabilized, they remain vigilant.





Every law enforcement entity will want at least one.

https://www.bespacific.com/report-how-law-enforcement-can-extract-sensitive-data-from-your-car/

Report – how law enforcement can extract sensitive data from your car

The Verge: “A new report from The Intercept has shed light on a worrying new technology that lets law enforcement agencies extract personal data from people’s cars. It reports that US Customs and Border Protection (CBP) recently made an order worth hundreds of thousands of dollars from Swedish data extraction firm MSAB which included iVe “vehicle forensics kits” made by US firm Berla. Here’s what MSAB advertises the kits can do, according to The Intercept:

MSAB marketing materials promise cops access to a vast array of sensitive personal information quietly stored in the infotainment consoles and various other computers used by modern vehicles — a tapestry of personal details akin to what CBP might get when cracking into one’s personal phone. MSAB claims that this data can include “Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been.” MSAB even touts the ability to retrieve deleted data, divine “future plan[s],” and “Identify known associates and establish communication patterns between them.”…”





What could possibly go wrong?

https://www.cnn.com/2021/05/04/tech/pimeyes-facial-recognition/index.html

Anyone can use this powerful facial-recognition tool — and that's a problem

You probably haven't seen PimEyes, a mysterious facial-recognition search engine, but it may have spotted you.

If you upload a picture of your face to PimEyes' website, it will immediately show you any pictures of yourself that the company has found around the internet. You might recognize all of them, or be surprised (or, perhaps, even horrified) by some; these images may include anything from wedding or vacation snapshots to pornographic images.

PimEyes is open to anyone with internet access.

PimEyes' decision to make facial-recognition software available to the general public crosses a line that technology companies are typically unwilling to traverse, and opens up endless possibilities for how it can be used and abused.

Imagine a potential employer digging into your past, an abusive ex tracking you, or a random stranger snapping a photo of you in public and then finding you online. This is all possible through PimEyes: Though the website instructs users to search for themselves, it doesn't stop them from uploading photos of anyone. At the same time, it doesn't explicitly identify anyone by name, but as CNN Business discovered by using the site, that information may be just clicks away from images PimEyes pulls up.

PimEyes lets users see a limited number of small, somewhat pixelated search results at no cost, or you can pay a monthly fee, which starts at $29.99, for more extensive search results and features (such as to click through to see full-size images on the websites where PimEyes found them and to set up alerts for when PimEyes finds new pictures of faces online that its software believes match an uploaded face).



(Related) Non-facial recognition.

https://www.makeuseof.com/tag/use-smartphone-identify-anything-camfind/

The 8 Best Apps to Identify Anything Using Your Phone's Camera

These image recognition apps let you identify coins, plants, products, and more with your Android or iPhone camera.





Another tool for the disinformation toolkit?

https://www.unite.ai/godiva-microsoft-research-asia-text-to-video-generation-image-synthesis/

Microsoft Proposes GODIVA, A Text-To-Video Machine Learning Framework

A collaboration between Microsoft Research Asia and Duke University has produced a machine learning system capable of generating video solely from a text prompt, without the use of Generative Adversarial Networks (GANs).

The project is titled GODIVA (Generating Open-DomaIn Videos from nAtural Descriptions), and builds on some of the approaches used by OpenAI’s DALL-E image synthesis system, revealed earlier this year.



(Related)

https://www.indiewire.com/2021/05/robert-de-niro-ai-dubs-movies-any-language-1234635001/

A Robert De Niro Box Office Flop Inspired an AI That Dubs Films into Any Language

British filmmaker Scott Mann directed Robert De Niro in the 2015 action thriller “Heist.” The film was a critical and box office flop ($4 million at the box office on a $15 million budget), so no one could’ve predicted at the time that the film’s greatest legacy would be an artificial intelligence that automatically dubs movies into any language. Mann and his business partner Nick Lynes unveiled their new dubbing company Flawless this week in a feature published by Input Magazine. The company uses AI to digitally recreate and edit an actor’s face so that his or her mouth movements match the dub, thus maintaining the authenticity of the performance.





Not at all impressive.

https://www.bespacific.com/ai-gov-home-of-the-national-ai-initiative/

AI.gov, home of the National AI Initiative

“Welcome to AI.gov, home of the National AI Initiative and connection point to ongoing activities to advance U.S. leadership in AI. The National AI Initiative Act of 2020 became law on January 1, 2021, providing for a coordinated program across the entire Federal government to accelerate AI research and application for the Nation’s economic prosperity and national security. The mission of the National AI Initiative is to ensure continued U.S. leadership in AI research and development, lead the world in the development and use of trustworthy AI in the public and private sectors, and prepare the present and future U.S. workforce for the integration of AI systems across all sectors of the economy and society…”





Anti-social media?

https://thenextweb.com/news/trumps-been-posturbating-on-private-social-media-for-months?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheNextWeb+%28The+Next+Web+All+Stories%29

Trump’s been posturbating on private social media for months

Donald Trump today launched a private social media site. Its membership is so exclusive that only former US presidents who’ve been impeached twice are allowed to post there.

The site’s called “From The Desk of Donald J Trump.” That doesn’t quite roll off the tongue like Twitter or Facebook. But I’m holding out hope that we’ll soon find out Trump’s posts are called “Deskies.” That would be cute and this story needs something to lighten the mood because it’s all very sad.





Book selections for shut-ins.

https://www.bespacific.com/8-alternative-sites-better-than-goodreads-for-book-lovers/

8 Alternative Sites Better Than Goodreads for Book Lovers

Make Use Of: Goodreads is no longer the top dog when it comes to online book communities. Here are the best alternatives. “Goodreads boasts millions of users and a database full of even more books. People flock to the site to discover new titles to consume or catalog what they’ve already read. The platform offers countless useful features; for a time, users were content with it. That’s no longer the case, with many beginning to look elsewhere to fill their cataloging needs. There are countless Goodreads alternatives that cater to book lovers’ different needs. Let’s look at some of them…”