AI can now easily (8 seconds) change the identity of someone in a film or video.
Multiple services can now scan a few hours of someone’s voice and then fake any sentence in that person’s voice. […]
Don’t buy anything from anyone who calls you on the phone. Careful with your prescriptions. Don’t believe a video or a photo and especially a review. Luxury goods probably aren’t. That fish might not even be what it says it is.
But we need reputation. The people who are sowing the seeds of distrust almost certainly don’t have your best interests in mind; we’ve all been hacked. Which means that a reshuffling is imminent, one that restores confidence so we can be sure we’re seeing what we think we’re seeing. But it’s not going to happen tomorrow, so now, more than ever, it seems like we have to assume we’re being conned.
Sad but true.
What happens after the commotion will be a retrenchment, a way to restore trust and connection, because we have trouble thriving without it.

(Via The end of reputation; photo via Raphael Lovaski on Unsplash)

Apologies to Seth for quoting nearly his whole post, but it’s important and scary.

Neal Stephenson, in his book Fall; Or, Dodge in Hell, addresses this very issue of reputation and authenticity. In very simplistic & basic terms, it involves leveraging something like blockchain to “check in” or “sign in” to legitimate things by you or things you control. He also talks about Editors, who are human professional social media filters, which takes us down a different rabbit hole.

As I move my on-line life as much on to platforms I control or trust, I am thinking about how to validate “me” outside of that without that validation coming back to bite me later, assuming such a thing is possible.

What do you think?

The Department of Justice wants access to encrypted consumer devices, but promises not to infiltrate business products or affect critical infrastructure. Yet that’s not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement.

(Via The Myth of Consumer Security – Lawfare)

No clue what to do about it, but sure something should be done about it, and picking the wrong thing to do about it: the Trump administration in a nutshell. There’s already been a “sensational case” – the San Bernardino one in 2016 – and the FBI paid an Israeli company about $1m to break into the iPhone in question, to find nothing useful. There was more, and better, data on the terrorists’ Facebook profiles.

(Via The Overspill)

Similar to my earlier post on AG Barr’s complete lack of understanding about how encryption actually works and benefits the entire economy.

Attorney General William Barr Really Wants to Read Your iMessages:

It is almost impressive how people with no clue about how encryption works have, time and time again, ignored the advice of actual experts in it. If [US Attorney General William] Barr were in charge of NASA, he’d demand a faster-than-light Space Shuttle even after being told that it is impossible.

(Via Pixel Envy)

This Ars Technica article is a pretty good summary of Barr’s latest attack on working encryption.

Mozilla Firefox to Enable Hyperlink Ping Tracking By Default by Lawrence Abrams:

Mozilla has told BleepingComputer that they will be enabling the tracking feature called hyperlink auditing, or Pings, by default in Firefox. There is no timeline for when this feature will be enabled, but it will be done when their implementation is complete.
For those not familiar with hyperlink auditing, it is an HTML feature that allows web sites to track link clicks by adding the “ping=” attribute to HTML links. When these links are clicked, in addition to navigating to the linked-to page, the browser will also connect to the page listed in the ping= attribute, which can then be used to record the click.

When these links are displayed on the page, they will appear as a normal link and if a user clicks on it, there is no indication that a connection is being made to a different page as well.

Mozilla feels it’s a performance improvement

While some users feel this feature is a privacy risk, browser developers feel that trackers are going to track, so you might as well offer a solution that provides better performance.

When we asked if they felt that users should at least be given the ability to disable the feature if they wish, Mozilla stated that they did not believe it would have any “meaningful improvement” to a user’s privacy.
“We don’t believe that offering an option to disable this feature alone will have any meaningful improvement in the user privacy, since websites can (and often already do) detect the various supported mechanisms for hyperlink auditing in each browser and disabling the more user friendly mechanisms [ed: bold mine] will cause them to fall back to the less user friendly ones, without actually disabling the hyperlink auditing functionality itself.”

How is this “user friendly” exactly? Let’s block all of the tracking mechanisms and let people explicitly opt in to share their data … especially considering this method is already being used in DDoS attacks.

Or maybe just be transparent. That the user doesn’t know, and can’t know without parsing the HTML themselves, that these are there is … problematic at best.
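To make the “parsing the HTML themselves” point concrete, here is an added example (my own code, not from the BleepingComputer article or from Mozilla’s implementation): a small scanner that finds every link carrying a ping= attribute, reports the auditing endpoints the browser would contact on click, and strips those attributes before the markup is rendered. The tracker hostnames in the sample markup are constructed placeholders.

```javascript
// Match every <a ...> start tag; the attribute list is parsed separately.
const ANCHOR_TAG = /<a\b([^>]*)>/gi;
// Match name="value", name='value', name=value, or a bare boolean attribute.
const ATTR = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) {
    // Attribute names are case-insensitive in HTML (PING= is still ping=).
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// One entry per link that has a ping attribute: its href and the list of
// URLs the browser would POST to on click. ping= is a space-separated URL
// list, so a single link can notify several hosts at once.
function findPingLinks(html) {
  const hits = [];
  for (const m of html.matchAll(ANCHOR_TAG)) {
    const attrs = parseAttributes(m[1]);
    if (!("ping" in attrs)) continue;
    hits.push({ href: attrs.href ?? "", pings: attrs.ping.split(/\s+/).filter(Boolean) });
  }
  return hits;
}

// Rebuilds each anchor tag without its ping attribute; tags that never had
// one are returned untouched so the rest of the markup is not rewritten.
function stripPingAttributes(html) {
  return html.replace(ANCHOR_TAG, (tag, attrText) => {
    const attrs = parseAttributes(attrText);
    if (!("ping" in attrs)) return tag;
    delete attrs.ping;
    const rest = Object.entries(attrs)
      .map(([k, v]) => ` ${k}="${v.replace(/"/g, "&quot;")}"`)
      .join("");
    return `<a${rest}>`;
  });
}

// Constructed sample markup: the second and third links would silently
// notify tracking endpoints (placeholder hosts) when clicked.
const SAMPLE_HTML = `
<p><a href="/about">About</a>
<a href="https://example.org/article"
   PING="https://tracker.example/click https://ads.example/c?id=42">Read</a>
<a href='/x' ping='https://tracker.example/x'>X</a></p>`;

console.log(findPingLinks(SAMPLE_HTML));
console.log(stripPingAttributes(SAMPLE_HTML));
```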

British parliament releases contentious Facebook emails by Mathew Ingram:


When a British parliamentary committee looking into Facebook’s role in misinformation and data privacy seized documents last week from an American businessman involved in a lawsuit with Facebook, the committee threatened to make the files public, even though they were sealed by a California court order. And that’s exactly what it did on Wednesday: Damian Collins, the head of the committee–and the man who used a little-known British law to send a Serjeant-at-Arms to the American businessman’s hotel room to escort him to the House of Commons–published more than 200 pages of emails and other documents. The files came from a court case with Six4Three, makers of an app that allowed users to search their friends’ photos for bathing suit pictures. The details in the documents won’t come as a surprise to anyone who has been following Facebook and its various privacy blunders, but it is illuminating to see some of the company’s practices exposed in black and white.
One of the most contentious revelations revolves around a proposal to update the Facebook app for Android phones so that the social network could read and store the call logs of users. It would then use the data from a user’s call history, as well as their text messages, to tweak the News Feed algorithm and other features (including the “people you might know” feature, which recommends other users to friend on the network). An email from a senior Facebook staffer admits this is “a pretty high-risk thing to do from a PR perspective, but it appears that the growth team will charge ahead and do it.” A subsequent email says the team has figured out that if the app only wants access to the call logs, it could offer a simple “click to upgrade” option without having to get users to give their permission through a special dialog box. Ashkan Soltani, former chief technology officer for the Federal Trade Commission, pointed out that this kind of behavior may be a breach of the “consent decree” that Facebook signed with the FTC in 2011, in which it agreed not to engage in certain kinds of behavior.
From the British committee’s viewpoint, one of the more interesting email chains has to do with Facebook’s data policies; the committee is investigating the company’s behavior in the Cambridge Analytica scandal, in which the company wrongfully acquired personal data on more than 50 million users that they provided by signing up for a personality quiz app. Facebook has said repeatedly that access to this kind of data was closed off in 2015, but the emails and other documents make it clear that for certain “whitelisted” companies, access to that data continued (as _The Wall Street Journal_ has reported). The committee’s preamble to the documents continues: “It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted.”
In another document, Facebook outlines the restrictions it places on certain companies when it comes to accessing Facebook data. “We maintain a small list of strategic competitors that Mark personally reviewed,” the document states. “Any usage beyond that specified is not permitted without Mark level sign-off.” In the case of certain competitors, especially ones that competed with Facebook’s pet features (like video), Facebook would terminate virtually all access to user data. It did this in the case of Twitter’s short-lived Vine video app, for example: in an email to Zuckerberg in 2013, a Facebook product manager says Vine (which had just launched that same day) allowed users to find friends by using the Facebook API. He suggested shutting down Twitter’s access to this data immediately, and Zuckerberg responded: “Yup, go for it.”
In a response to the documents’ publication, Zuckerberg pointed out that in the time leading up to the changes to its platform in 2015, the company was driven primarily by a desire to connect people in as many different ways as possible, until it discovered that developers were building “shady apps that abused people’s data.” Without naming the bikini app company, the Facebook CEO says some of the developers whose apps were kicked off the platform sued in an attempt to reverse the change, “but we’re confident this was the right thing to do and that we’ll win these lawsuits.” Whether the published emails will also provide more ammunition for those looking to regulate the social network remains to be seen.

Obviously things have progressed since this news came out. It should cause users to, yet again, reflect on their use of Facebook’s platforms.

Updates:

  • [Internal Documents Show Facebook Has Never Deserved Our Trust or Our Data – Motherboard](https://motherboard.vice.com/en_us/article/7xyenz/internal-documents-show-facebook-has-never-deserved-our-trust-or-our-data)
  • [Facebook Fined $11.3M for Privacy Violations | Threatpost | The first stop for security news](https://threatpost.com/facebook-fined-privacy/139824/)

Creating systems of trust and real security for users should be all hands on deck, from government to the private sector. We need to encrypt the web, secure data at rest and in transit, and ensure that homes, cars and anything that can be connected to the internet are safe and trustworthy. The array of options is poor since security architects have to bolt security onto insecure systems. But that’s all the more reason to encourage people who understand how computer security works (and how it fails) to help. After all, there are only so many hours in the day, and the more attention we pay to these problems, the faster and better we can address them.

It’s not just individuals and private institutions who should be focusing on improving security for users, of course. Governments should be shouldering their responsibility for public safety by leading, incentivizing and, in places, even legally mandating real digital security for their increasingly vulnerable citizens.

But they are not. While the U.S. government has pushed hard to make sure that companies give them information about security problems—in the Department of Homeland Security’s Information Sharing and Analysis Centers and in the Cybersecurity Information Sharing Act passed in 2015, for example—there has been very little information or tools coming back to protect the public as technology users. This is even as we’re pushed into a world that increasingly relies on the internet for every facet of our daily lives. It’s also as the consequences of losing control of our data grow larger and more dire. Digital networks are now increasingly coming into our homes and cars. There are pushes to move to online voting, to the horror of security experts. The vast majority of us carry our phones with us everywhere; with them comes access to a tremendous amount of intimate information about us, our loved ones and our business and personal associations, both stored on the device and accessible through them.

The government should generate, incentivize and support efforts to build a more secure and trustworthy internet, along with the devices and services that rely on it. Instead, law enforcement in the U.S. and elsewhere too often demonize companies and individuals that offer strong security and pressure them to offer worse tools, not better ones.

Resisting Law Enforcement’s Siren Song: A Call for Cryptographers to Improve Trust and Security – Lawfare

Great piece, especially in light of the recent actions in Australia.

Find out what Twitter and Facebook think you like:

Facebook and Twitter don’t like to talk about how, exactly, their algorithms determine users’ interests. According to their privacy policies, both collect basic information you provide in your profile, like your birthday and gender, as well as details around your log-ins, like what devices you use and your location, and your posts and “likes.” Twitter and Facebook may also receive information from your browser cookies, what links you click, and third party apps that you’ve connected to your account. They might also be able to match additional info from their partners to you based on your phone number or email address.

Though the details of their algorithms aren’t clear, Facebook and Twitter are at least attempting to be somewhat transparent about the end result of those programs. Your Twitter and your Facebook ad settings allow you a glimpse into what social media companies (and the advertisers who pay them) think you’re into.

(Via Quartz)

Encryption debate reminiscent of climate change arguments: Senetas:

Chair of Australian security vendor Senetas Francis Galbally has told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that the current debate surrounding the proposed encryption-busting Assistance and Access Bill is similar to the one surrounding climate change in Australia.

Despite being told over and over again by experts that accessing encrypted communications will introduce weaknesses into the system, committee members continued to press that a solution is possible.

“It’s a bit like the people denying climate change — all the scientists say there’s climate change, but you politicians don’t admit it,” Galbally said towards the end of the hearing on Friday morning. “It’s the same thing here.

“You cannot do it without creating a systemic weakness. There’s no definition of it, but we’ve had everyone around the world telling you the same thing.”

Galbally detailed how the company had conducted an assessment of the Bill at its own expense, and identified three “catastrophic outcomes” as certain or likely to occur if the Bill is passed.

“The Bill, should it become law, will profoundly undermine the reputations of Australian software developers and hardware manufacturers in international markets; there is simply no doubt that this will result in a significant reduction in local R&D and manufacturing as a consequence of declining employment and export revenue,” Galbally said.

“Foreign governments and competitors will use the mere existence of this legislation to claim that Australian cybersecurity products are required to use or collaborate in creating encryption backdoors.”

[Galbally] added that customers and global competitors are not interested in the nuances and exemptions that could possibly be added to the Bill, as the company will be undercut and lose business.

“In the cut and thrust of the sales world, the existence of such legislation is enough for us to lose a sale,” Galbally added.

“I can say confidently that Senetas will be directly affected, and with exports representing over 95 percent of our sales, there will be a substantial impact on our business, were we to remain in Australia.”

… Should the Bill proceed, Senetas said it could find itself, and up to 200 jobs, moving offshore to avoid perception issues.

… “The Russians, for example, they haven’t even done it because they know to do it upsets other things far greater than what they are trying to do.

“You have a problem with insurgents in Syria, you don’t drop an atom bomb on those insurgents and see what happens, the consequences that happen to everybody else around. This is the equivalent of dropping an atom bomb to find some nefarious character.

“You will destroy, eventually, Australians’ own data protection — that’s what it is.”

(Via Latest Topic for ZDNet in security)

The battle in Australia over encryption and data protection makes my eyes roll every time I read about it. But the Deputy U.S. Attorney General has similar ideas to the Aussies:

“There is nothing virtuous about refusing to help develop responsible encryption, or in shaming people who understand the dangers of creating any spaces—whether real-world or virtual—where people are free to victimize others without fear of getting caught or punished,” Rosenstein said.

He is wrong. There are myriad virtues for privacy, for freedom and liberty, for capitalism, for trust in the economy, and a bunch of other things. Rosenstein wants to manage to the exception — basically treating edge cases (criminality) as the norm — instead of manage by exception.

“Responsible encryption,” as the Deputy U.S. A.G. defines it, is weak encryption … at best.

Back to Australia, here’s a nice bit of hand waving and false equivalency (and/or false analogy) from the Committee chair:

Towards the end of the hearing, PJCIS chair Andrew Hastie justified the encryption-busting legislation due to the amount of methamphetamine use in his electorate.

“We use more ice in regional WA than in Sydney or Melbourne, so my point is from an economic perspective, we have a serious problem in this country with ice, and of course, my electorate has a large meth problem,” he said.

“I’ll just put on the record, different perspectives on this question.”

It’s not different perspectives. They are not related … except by exception.

Baby, meet bathwater.

How Surveillance Inhibits Freedom of Expression:

Privacy encourages social progress by giving the few room to experiment free from the watchful eye of the many. Even if you are not personally chilled by ubiquitous surveillance, the society you live in is, and the personal costs are unequivocal.

(Via Schneier on Security)

Take a few minutes and give the whole piece a good read.