※ All Your Face

All Your Face:

TSA going hogwild with facial recognition is going about as well as you’d expect, “but you can opt out”.

YK Hong:

 

Since folks asked what happens whenever I opt out of facial recognition, I documented it for you while going through US border patrol.

Coming out of the flight there was a row of kiosks for facial biometric capture. There were no people. Just kiosks. So I kept walking.

The next point of contact was the passport agents at their desks. Agent A asked me, “Did you take your photo at the kiosk?” I said, “No, I am opting out of biometric facial recognition.” And the agent asked, “Why?”

And I said, “Because I don’t like it.” And the agent said, “Wait here,” and then let the people behind me through.

After a bit of this punitive behavior, agent A sent me to agent B.

Agent B said, “Why? Why don’t you want to do it?” And I said, “Because I don’t want it. I want to opt out.” He paused and twisted his face.

Then he pointed at a sign and said, “Read that.”

The sign read: “U.S. citizens and select foreign nationals who are not required to provide biometrics and who wish to opt out of the new facial biometric process may simply notify a CBP officer, request a manual document check, and proceed with processing consistent with existing requirements for entry into the United States.”

It’s almost as if everyone entirely forgot how to do a manual check, which was being used for everyone until about a year ago.

And then agent B again said, “So you want to opt out?” Again I said, “Yes, I want to opt out.” And then he said, “Why?” And I said, “Because I don’t like my image being taken over and over.” And then he shook his head.

He said, “You know we already have your photo right?” And I said, “Yes, but I don’t like my biometrics continuously being captured.”

Then he said “Okay well I have to call someone.” And he just sat there looking very upset.

Then agent C arrived at the adjoining desk to begin work. And agent B said, pointing at me, “She doesn’t want to do the face scan. Which manager do I call?”

Agent C then said, “You don’t have to call anyone. Just look at her face and then compare it to her passport photo.”

And I said, “Yes, how it used to be done just a year ago.”

And agent B said, “You’re my first opt out.”

Then agent C said, “You just have to enter on the screen why she doesn’t want it.” So again, I said, “I don’t like the repetitive image capture.”

Agent B said, “You’re losing the advantages of going through quickly.” I said, “That’s fine.” He shook his head.

Finally, after a lot of fumbling on their end, I was able to proceed through.

Even though it says I can “simply notify a CBP officer,” it is not simple at all.

Opting out of facial recognition should be as easy as it is to opt in. The fact that it’s not tells you an immense amount.

Make it as hard as possible for anyone to take your very personal data.

Normalize opting out so it is never taken for granted.

Almost exactly a copy of one of the times I opted out.

※ This Hidden Facebook Tool Lets Users Remove Their Email or Phone Number Shared by Others

This Hidden Facebook Tool Lets Users Remove Their Email or Phone Number Shared by Others:

Facebook appears to have silently rolled out a tool that allows users to remove their contact information, such as phone numbers and email addresses, uploaded by others.

The existence of the tool, which is buried inside a Help Center page about “Friending,” was first reported by Business Insider last week. It’s offered as a way for “Non-users” to “exercise their rights under applicable laws.”

In case you missed this on the first go round, this is a REALLY useful option that should always have existed and should be easier to find. I’ve never liked how others could share your information without your approval.

Support for Apple Passkeys on Older Devices

Apple Passkeys:

At WWDC, Apple just announced Passkeys, their implementation of the FIDO protocols that aim to replace passwords. In Apple’s case, this capability will be available with iOS 16 and macOS Ventura, probably this fall. The other vendors are doubtless planning similar releases in a similar timeline.

Dan Moren from Six Colors has a post that gives a nice explanation of Passkeys and its operation by end users. If you’re an Apple user with some or all of your passwords stored in the Apple iCloud Keychain, nothing much will change: you’ll authenticate with a fingerprint or face ID and a cryptographic exchange takes place between your device and the remote site to verify you. You can even use one device to log into another. Take a look at Moren’s post for the details.

(Via Irreal)

What I want Apple to do to enhance this is to extend this and other privacy efforts backwards so older Macs and other devices can take advantage.

For example, I have a 2012 Mac Mini that doesn’t support Apple Pay natively. I can use my more modern iOS devices to approve purchases made on that machine. But it doesn’t support Hide My Email or other privacy mechanisms.

Get on this, Apple!

※ In post-Roe world, privacy researcher worries about a ‘scenario where everyone is a sheriff’

In post-Roe world, privacy researcher worries about a ‘scenario where everyone is a sheriff’:

“Your phone is the snitch in your pocket,” cybersecurity researcher Zach Edwards told the Click Here podcast this week. “Every app that you download, the permissions that you give that app, all of the other… companies that are integrated into that app also get those same permissions.”

Edwards’ area of expertise is focusing on data brokers, the companies that bundle up personal information, create anonymous profiles, and then sell it. Among other things, they keep track of the websites you visit, your GPS location, how long you’re staying in one place, and a roster of other bits of your digital dust to create pattern data. Then, anyone with a credit card can buy it.

Shortly after Politico published a Supreme Court draft opinion suggesting the conservative majority was prepared to overturn Roe v. Wade, the landmark decision legalizing abortion, Edwards went into a roster of data broker platforms to see how the information stored there might be weaponized in states that come to outlaw — and possibly criminalize — abortion. 

Some of his findings were published in a report by Joseph Cox at Motherboard, which made clear that just about anyone with the inclination and a credit card could access granular data about abortion clinics from public sites like SafeGraph and Placer.ai (both companies have since removed Planned Parenthood as a searchable option).

In the latest episode of Click Here, Edwards explained how simple weaponizing data can be and why people living in rural areas need to be especially careful.

(By Dina Temple-Raston and Will Jarvis at The Record)

Zach Edwards is not wrong. The ease with which one can acquire bulk surveillance data in the US without ever having to do the surveillance is frightening.

The US needs strong privacy legislation. Tech moguls don’t want it.

I recommend asking those seeking your vote what they will do in office to protect privacy, among other problems with such legislation.

The sky, black with lawyers

jwz on How to fix social media:

What we need is this one simple trick:

A site that scrapes, collates, and de-dups your friends’ posts on every social media site, and then shows you the union of all of those posts as one feed.

This is the only way to break Facebook’s back: to allow your friends’ transition from one social network’s data silo to another to be so gradual and effortless that you don’t even notice it happening.

The thing that makes this difficult, of course, is not the coding, but the fact that if you succeed at it in any meaningful way, the sky will blacken with lawyers, and the data silos’ spending on technical countermeasures will absolutely smother you.

Sadly, people have little agency in all of this. Social Media’s End User License Agreements (EULA) and Terms of Service (TOS) make that clear.

Hurtful language hurts politicians

United States Senator Bill Hagerty on Tuesday joined Senator Tom Cotton (R-AR) and nine other colleagues to introduce the Public Servant Protection Act, which protects public officials and employees and their families from having their home addresses displayed publicly online. Text of the bill may be found here.

(Via Chattanoogan.com)

That’s not how free speech works.

Should public servants and their families be protected by law enforcement? Yes. We all should, and those serving in office should get protection specific to their role as the vitriol is particularly incendiary and the service they provide is important.

Should government officials be sheltered from voters who disagree with them, those who say things they don’t like, in a peaceful manner? No. If the voices are dangerous? Yes.

Should journalists and news outlets couch political grandstanding as “protection” from “threats”? No.

Should public employee addresses be public record? That’s not clear cut. I think elected officials should have their addresses on record since their residence is part of the requirement to hold office. If public service employees, like fire and police, are required to live in their community, then that should be public record as well.

Of course, this is largely moot. Most everyone volunteers their location on social media. It would not take much work to figure out where a public servant lives based on posts by themselves, their significant others, or their offspring.

Lawn care specialists, house cleaning professionals, au pairs, and the like could also post location information.

Maybe neighbors post their own information and it becomes easy to triangulate a voted-on public servant’s house?

No escape

There is no way to escape the machine systems that surveil us, whether we are shopping, driving or walking in the park. All roads to economic and social participation now lead through surveillance capitalism’s profit-maximizing institutional terrain, a condition that has intensified during nearly two years of global plague.

(Shoshana Zuboff via NYT)

Compare this with the underhanded way Vizio spies on paying customers:

If you think that some companies want to make money the honest way, by selling you stuff, while other companies are full of evil wizards who want to spy on you in order to deprive you of free will, then the answer is simple: just pay for stuff, and you’ll be fine. But time and again, we learn that companies spy on you – and abuse you in other ways – whenever it suits them – even companies that make a lot of noise about how they don’t need to spy on you to make money.

(Via Cory Doctorow)

The outside world is surveilled. I don’t like it. What I can do about it, I do.

The inside world, the world in my house and yard and car, that I only want surveilled by one person — me.

When I shop for a new thing I ask a few key questions:

  • Will the device work without a network connection?
  • Without a subscription?
  • Without advertising? Tracking?
  • Do I own the thing I bought?
  • Can I repair it? Modify it? Resell it?

    Analog stuff is great. There is no debate. Getting “smart” in one’s home is harder.

    H/t Dave Pell.

    The US military’s privacy pearl clutching

    The Ease of Tracking Mobile Phones of U.S. Soldiers in Hot Spots – WSJ:

     

    In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.

    …  The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.

     

    A bunch of thoughts:

    I can’t help but immediately think about the push in many political quarters to weaken security by breaking encryption. I’ll get back to that.

    Why did this get attention in 2016? And no, this was not “an early look”.

    The government has known for decades that cell phones are trackable if they have power and their transceiver is on. It’s how cell phones work. Anyone who’s watched any incarnation of Law & Order in this century or the last also knows this. The government could have mandated a phone system that would have afforded protections but the carriers resisted, I expect.

    And don’t forget cell phones aren’t always phones – laptops and tablets and watches and Kindles and a bunch of other things might – and eventually will – have cell connectivity. With 5G, the distinction might go away if the media (cell, wired, wifi, &c.) converge as advertised. Imagine golf gloves that report your stats back to the cloud.

    By the way, all that additional social media data is gravy to the buyer, but someone specifically wanting to track the movement of US military personnel around the globe doesn’t need it … from military personnel.

    Take this scenario:

    • They script a tool like the McDonalds Ice Cream Machine tracker to scrape airline seat assignments to see if open seat availability suddenly drops on certain routes;
    • They scrape social media for hub airport and airline workers who are talking about increases in military personnel coming through; and
    • They watch counts for private Facebook groups for military families to see if their memberships increase.

    Based on that trivial-to-collect data (it’s free or for sale), and assuming they also generally monitor social media and the news, it’s not hard to get an idea of what’s happening. And before anyone complains that my loose lips are sinking ships, this is a simple scenario that is well understood and the plot of several books, movies, and TV shows.

    Note, my above scenario assumes all the military personnel are disconnected and analog.

    Also note that the above scenario works for advertisers as well as it does for bad actors and for industrial espionage … and other use cases.

    That things would evolve into what the Wall Street Journal article describes was predictable:

    buried in the data was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.

    The U.S. military’s clutching of pearls and muttering, “Well, I do declare that I never …  ,” about this situation is perhaps disingenuous. ※

    The U.S. government has built robust programs to track terrorists and criminals through warrantless access to commercial data. Many vendors now provide global location information from mobile phones to intelligence, military and law-enforcement organizations.

    But those same capabilities are available to U.S. adversaries, and the U.S.—having prioritized a free and open internet paid for largely through digital advertising with minimal regulation of privacy—has struggled to effectively monitor what software service members are installing on devices and whether that software is secure.

    Which brings us back to encryption: strong, uncompromised encryption is one of the tools that the government could bring to bear to help protect troop movements. There are innumerable ways they could, and do, leverage encryption. By the way, we need strong encryption for e-commerce, on-line banking, and a ton of other critical things.

    There’s some reflection on the tech industry welding batteries into their phones (and devices) and adopting eSIMs, predicating an always on-line but always trackable society, that needs considering.

    Solving this problem is a complex undertaking that will require the private sector to forgo some profits for the greater good. The problem is the consolidation of anyone’s/everyone’s/each-of-our on-line and off-line life into a revenue stream for the advertising companies that are Facebook and Google; it is very much the government’s own creation, yet it needs to be solved by the government. Oh, and solving it could fix some of the military troop movement leak issue as a byproduct.

    ※ There is an American trope about the White southern belle or matriarch who, when faced with realities with which she does not want to deal, does what I describe.

    The End of Reputation

    AI can now easily (8 seconds) change the identity of someone in a film or video.
    Multiple services can now scan a few hours of someone’s voice and then fake any sentence in that person’s voice. […]
    Don’t buy anything from anyone who calls you on the phone. Careful with your prescriptions. Don’t believe a video or a photo and especially a review. Luxury goods probably aren’t. That fish might not even be what it says it is.
    But we need reputation. The people who are sowing the seeds of distrust almost certainly don’t have your best interests in mind – we’ve all been hacked. Which means that a reshuffling is imminent, one that restores confidence so we can be sure we’re seeing what we think we’re seeing. But it’s not going to happen tomorrow, so now, more than ever, it seems like we have to assume we’re being conned.
    Sad but true.
    What happens after the commotion will be a retrenchment, a way to restore trust and connection, because we have trouble thriving without it.

    (Via The end of reputation; photo via Raphael Lovaski on Unsplash)
    Apologies to Seth for quoting nearly his whole post, but it’s important and scary.
    Neal Stephenson, in his book Fall; Or, Dodge in Hell, addresses this very issue of reputation and authenticity. In very simplistic & basic terms, it involves leveraging something like blockchain to “check in” or “sign in” to legitimate things by you or things you control. He also talks about Editors, who are human professional social media filters, which takes us down a different rabbit hole.
    As I move as much of my on-line life as possible onto platforms I control or trust, I am thinking about how to validate “me” outside of that without that validation coming back to bite me later, assuming such a thing is possible.
    What do you think?