Privacy and technology

Sep 07

Gary King, Jennifer Pan, and Margaret E. Roberts | CN | Reverse-engineering censorship in China - Randomized experimentation and participant observation [PDF] -

Abstract:

"Existing research on the extensive Chinese censorship organization uses observational methods with well-known limitations. We conducted the first large-scale experimental study of censorship by creating accounts on numerous social media sites, randomly submitting different texts, and observing from a worldwide network of computers which texts were censored and which were not. We also supplemented interviews with confidential sources by creating our own social media site, contracting with Chinese firms to install the same censoring technologies as existing sites, and - with their software, documentation, and even customer support - reverse-engineering how it all works. Our results offer rigorous support for the recent hypothesis that criticisms of the state, its leaders, and their policies are published, whereas posts about real-world events with collective action potential are censored."

Sep 06

Andrew Paterson (ICO Blog) | UK | The Internet of Things - what is it and what does it mean for you? -

From ‘Which?’s research into Smart TVs’:

"Without even realising it, many of you may already be sitting next to a device which is arguably part of the Internet of Things. While Smart TVs are still relatively expensive they are quickly coming down in price and allow you not only to browse websites, but access tailored apps and games, plus of course stream TV programmes on-demand. However, new research published by the consumer group Which? has highlighted that with greater capability, come potential threats to your privacy. […] While the results show that the information being exchanged is not particularly sensitive, in many cases it can be classed as personal information. This means that companies will routinely be using your information to tailor the services you receive. This might be through useful features such as suggesting upcoming programmes that you might like to watch, but will also include services you may be less keen to receive, such as targeted advertising – a practice that all but one of the manufacturers surveyed by Which? currently carries out."

See also: Related blog post by Which?.

Sep 05

Keaton Mowery, Eric Wustrow, Tom Wypych, Corey Singleton, Chris Comfort, Eric Rescorla, Stephen Checkoway, J. Alex Halderman, and Hovav Shacham | US | Security analysis of a full-body scanner [PDF linked from this page] -

Abstract:

"Advanced imaging technologies are a new class of people screening systems used at airports and other sensitive environments to detect metallic as well as nonmetallic contraband. We present the first independent security evaluation of such a system, the Rapiscan Secure 1000 full-body scanner, which was widely deployed at airport checkpoints in the U.S. from 2009 until 2013. We find that the system provides weak protection against adaptive adversaries: It is possible to conceal knives, guns, and explosives from detection by exploiting properties of the device’s backscatter X-ray technology. We also investigate cyberphysical threats and propose novel attacks that use malicious software and hardware to compromise the the effectiveness, safety, and privacy of the device. Overall, our findings paint a mixed picture of the Secure 1000 that carries lessons for the design, evaluation, and operation of advanced imaging technologies, for the ongoing public debate concerning their use, and for cyberphysical security more broadly."

See also: Related website.

Sep 04

Evan Selinger (Forbes) | Why a philospher teaches privacy -

From the blog post:

"Next week, the new term begins and I’ll be teaching an undergraduate philosophy course called, ‘Technology, Privacy, and the Law.’ The first order of business will be to explain why thinking critically about privacy - determining what it is, deciding when it should be protected, and pinpointing how it ought to be safeguarded—means doing philosophy. Given the practical stakes of these issues, you might not realize that getting into them involves philosophical thinking. But if you’ve got a principled bone to pick with corporate, peer, or governmental surveillance, or if you’ve good reasons for being displeased with the activists who are taking stands against it, you’ve got your philosopher’s cap on."

Sep 03

Peter Olsthoorn (Netkwesties) | The Facebook machine and the power of its algoritms -

From the blog post:

"Timelines of Facebook didn’t show information about the Ferguson shooting and riots in August 2014, analysts remarked. Time to explain Facebooks algorithms, its filter bubble, the reality of Mark Zuckerberg and why he should share algorithm transparancy and influence with us, his users."

Sep 02

Oliver Campion-Awwad, Alexander Hayton, leila Smith and Mark Vuaran | UK | The National Programme for IT in the NHS - A case history [PDF] -

From the Introduction:

"The National Programme for IT in the [National Health Service] (NPfIT) was the largest public sector IT programme ever attempted in the UK, originally budgeted to cost approximately £6 billion over the lifetime of the major contracts. After a history marked by delays, stakeholder opposition and implementation issues, the programme was dismantled by the Conservative-Liberal Democrat Government in 2011, almost ten years after Prime Minister Tony Blair initiated it at a seminar in Downing Street in 2002."

See also: Related blog post.

Sep 01

PwC | The future of work - A journey to 2022 [PDF linked from this page] -

From ‘The Blue World of 2022’:

"The data profiling that drives customer management will increasingly be replicated among employees as screening and monitoring move to a new level. Sensors check their location, performance and health. The monitoring may even stretch into their private lives in an extension of today’s drug tests. Periodic health screening gives way to real-time monitoring of health, with proactive health guidance and treatment to enable staff to perform more efficiently, reduce sick leave and work for more years before needing to retire. […] The ‘contract’ with employees is defined by the handing over of data (e.g. health, performance, possibly even private life) in return for job security. More than 30% of the participants in our global survey would be happy for their employers to have access to their personal data. Younger people tend to be more open to this than older generations, so this kind of monitoring could become routine in the years to come."

See also: Full text in PDF.

Aug 31

Matthew Green (A few thoughts on cryptographic engineering) | What's the matter with PGP? -

From the text:

"Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google’s end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs. So great work by Google and Yahoo! Which is why following complaint is going to seem awfully ungrateful. I realize this and I couldn’t feel worse about it. As transparent and user-friendly as the new email extensions are, they’re fundamentally just re-implementations of OpenPGP — and non- legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken. It’s time for PGP to die."

(Source: security.nl)

Aug 30

World Economic Forum / A.T. Kearney | Rethinking personal data - A new lens for strengthening trust [PDF linked from this page] -

From the Executive Summary:

"As we look at the dynamic change shaping today’s data-driven world, one thing is becoming increasingly clear. We really do not know that much about it. Polarized along competing but fundamental principles, the global dialogue on personal data is inchoate and pulled in a variety of directions. It is complicated, conflated and often fueled by emotional reactions more than informed understandings. The World Economic Forum’s global dialogue on personal data seeks to cut through this complexity. A multi-year initiative with global insights from the highest levels of leadership from industry, governments, civil society and academia, this work aims to articulate an ascendant vision of the value a balanced and human-centred personal data ecosystem can create."

See also: Full text in PDF.

(Source: cyberlaw.stanford.edu)

Aug 29

James Bamford (Wired) | The most wanted man in the world -

From the article:

"The message arrives on my ‘clean machine,’ a MacBook Air loaded only with a sophisticated encryption package. ‘Change in plans,’ my contact says. - Be in the lobby of the Hotel ______ by 1 pm. Bring a book and wait for ES to find you.’ ES is Edward Snowden, the most wanted man in the world. For almost nine months, I have been trying to set up an interview with him - traveling to Berlin, Rio de Janeiro twice, and New York multiple times to talk with the handful of his confidants who can arrange a meeting. Among other things, I want to answer a burning question: What drove Snowden to leak hundreds of thousands of top-secret documents, revelations that have laid bare the vast scope of the government’s domestic surveillance programs?"

(Source: schneier.com)

Aug 28

Center for Digital Democracy | EU | US | Request for investigation of 30 companies' violation of the U.S.-EU Safe Harbor program [PDF documents linked from this page] -

From the Executive Summary:

"This request for investigation arises from research by the Center for Digital Democracy (CDD) and its ongoing investigation of data marketing and profiling companies that have joined to the U.S.-EU Safe Harbor framework, as developed by the U.S. Department of Commerce (DOC) and formally accepted by the European Commission (EC). These 30 companies (data marketing and profiling companies) are similar in that they collect, use and share EU consumers’ personal information to create digital profiles about them, analyze their behavior, and use the data to make marketing and related decisions regarding each of them. While these companies are largely unknown to EU citizens, they pride themselves on knowing everything about individuals and how to comprehensively profile and target them. The commercial surveillance of EU consumers by U.S. companies, without consumer awareness or meaningful consent, contradicts the fundamental rights of EU citizens and European data protection laws, and also violates the intention of the Safe Harbor mechanism to adequately protect EU consumers’ personal information. This filing is intended to provide the Federal Trade Commission (FTC) with factual information and legal analysis on probable violations of Safe Harbor commitments that materially mislead EU consumers."

See also: Executive Summary in PDF.

(Source: futureofprivacy.org)

Aug 27

Mat Honan (Wired) | I liked everything I saw on Facebook for two days. Here's what it did to me -

From the article:

"This is a problem much bigger than Facebook. It reminded me of what can go wrong in society, and why we now often talk at each other instead of to each other. We set up our political and social filter bubbles and they reinforce themselves—the things we read and watch have become hyper-niche and cater to our specific interests. We go down rabbit holes of special interests until we’re lost in the queen’s garden, cursing everyone above ground. But maybe worse than the fractious political tones my feed took on was how deeply stupid it became."

Aug 26

Shane Harris (Foreign Policy) | SG | The social laboratory - Singapore is testing whether mass surveillance and big data can not only protect national security, but actually engineer a more harmonious society -

From the article:

"In October 2002, Peter Ho, the permanent secretary of defense for the tiny island city-state of Singapore, paid a visit to the offices of the Defense Advanced Research Projects Agency (DARPA), the U.S. Defense Department’s R&D outfit best known for developing the M16 rifle, stealth aircraft technology, and the Internet. Ho didn’t want to talk about military hardware. Rather, he had made the daylong plane trip to meet with retired Navy Rear Adm. John Poindexter, one of DARPA’s then-senior program directors and a former national security advisor to President Ronald Reagan. Ho had heard that Poindexter was running a novel experiment to harness enormous amounts of electronic information and analyze it for patterns of suspicious activity - mainly potential terrorist attacks. The two men met in Poindexter’s small office in Virginia, and on a whiteboard, Poindexter sketched out for Ho the core concepts of his imagined system, which Poindexter called Total Information Awareness (TIA). It would gather up all manner of electronic records - emails, phone logs, Internet searches, airline reservations, hotel bookings, credit card transactions, medical reports - and then, based on predetermined scenarios of possible terrorist plots, look for the digital ‘signatures’ or footprints that would-be attackers might have left in the data space. The idea was to spot the bad guys in the planning stages and to alert law enforcement and intelligence officials to intervene. […] Ho returned home inspired that Singapore could put a TIA-like system to good use. Four months later he got his chance, when an outbreak of severe acute respiratory syndrome (SARS) swept through the country, killing 33, dramatically slowing the economy, and shaking the tiny island nation to its core."

(Source: techdirt.com)

Aug 25

Richard J. Danzig (Center for a New American Security) | US | Surviving on a diet of poisoned fruit - Reducing the national security risks of America's cyber dependencies [PDF linked from this page] -

From the Executive Summary:

"Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure. Their communicative capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations, but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack. The complexity of their hardware and software creates great capability, but this complexity spawns vulnerabilities and lowers the visibility of intrusions. Cyber systems’ responsiveness to instruction makes them invaluably flexible; but it also permits small changes in a component’s design or direction to degrade or subvert system behavior. These systems’ empowerment of users to retrieve and manipulate data democratizes capabilities, but this great benefit removes safeguards present in systems that require hierarchies of human approvals. In sum, cyber systems nourish us, but at the same time they weaken and poison us."

See also: Full text in PDF.

(Source: justsecurity.org)

Aug 24

Conseil National du Numérique | FR | Platform neutrality - Building an open and sustainable digital environment [PDF] -

From ‘Part II - Ensure data system fairness’:

"Data has many and varied sources. It may originate from individuals, groups or machines in a private or public environment, geared towards market or non-market wealth generation. It is increasingly processed, stored, exchanged and aggregated, and has become a critical input and a key driver for the new economy, enabling new value chains to be established. Platforms benefit from collecting this readymade and easily-accessible commodity together with an increasing stream of personal data and digital footprints. These represent yield value that grows with user traffic and the widening of the catchment area. The very nature of data is currently being debated. Is it an unsaleable asset, a common asset, private transferable property, or a right of use or usage? There are also many ethical and economic issues, as well as issues concerning the enforcement of fundamental freedoms. This new economic and social landscape has to be organised, in compliance with core values to guarantee sustainable development."

(Source: edri.org)