Rina Steenkamp - Privacy and technology
[Anonymity and encryption | ACLU Submission to the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression | Big data and differential pricing | Tracking and hacking - Security and privacy gaps put American drivers at risk | DeepFace - Closing the gap to human-level performance in face verification | The notice paradox - Secret surveillance, criminal defendants and the right to notice | Mass surveillance | Global chilling - The impact of mass surveillance on international writers | Privacy and data protection by design - from policy to engineering | The collection, linking and use of data in biomedical research and health care - ethical issues | Unique in the shopping mall - On the reidentifiability of credit card metadata | Internet of things - Privacy and security in a connected world | Promoting investment and innovation in the Internet of Things - Summary of responses and next steps | Computer-based personality judgments are more accurate than those made by humans | Exploit this - Evaluating the exploit skills of malware groups | 2014 Year-end review of class actions (and what tot expect in 2015) | ENISA Threat landscape 2014 - Overview of current and emerging cyber-threats | The Turn-Verizon zombie cookie]
Comments submitted to the United Nations by the EFF.
From 'III. Conclusion':
"Reaffirm that every individual has the right to freedom of expression, which includes the right to speak, read, and communicate anonymously; Establish that anonymity must not be restricted a priori (including legal prohibitions on anonymous speech, anonymity tools, or businesses and service providers that provide anonymous services); [...] Recognize the freedom to use encryption technology and to publish and distribute encryption technologies and research; Reiterate the dangers of prohibitions on encryption and the mandatory inclusion of 'back doors' in secure software and equipment; [...]"
Read more:
A publication by the ACLU.
From the introduction to the document:
"For two reasons, discussed at length in this submission, it would be a grave mistake to accede to official demands that technology companies be required to deliberately weaken the security of their products. First, encryption and anonymity are the modern safeguards for free expression. Without them, online communications are effectively unprotected as they traverse the Internet, vulnerable to interception and review in bulk. Encryption makes mass surveillance significantly more costly, and anonymity allows dissidents, whistleblowers, and human-rights defenders to freely express themselves, organize, and expose governmental abuse without fear of retribution. Second, and equally importantly, strong encryption is essential to cybersecurity. Over the last few years, hackers and repressive regimes have unleashed increasingly devastating cyberattacks on companies around the world, including American companies that hold the sensitive financial, medical, and other data of millions of individuals. Strong encryption is our best defense against the growing threat of such cyberattacks."
Read more:
A report by the White House - Council of Economic Advisors.
From the Executive Summary:
"[...] the combination of differential pricing and big data raises concerns that some consumers can be made worse off, and have very little knowledge why. This report finds that many companies already use big data for targeted marketing, and some are experimenting with personalized pricing, though examples of personalized pricing remain fairly limited. While substantive concerns about differential pricing in the age of big data remain, many of them can be addressed by enforcing existing antidiscrimination, privacy, and consumer protection laws. In addition, providing consumers with increased transparency into how companies use and trade their data would promote more competition and better informed consumer choice."
Read more:
See also:
A report by Ed Markey.
From the Executive Summary:
"To ensure that these new technologies are not endangering or encroaching on the privacy of Americans on the road, Senator Edward J. Markey (D-Mass.) sent letters to the major automobile manufacturers to learn how prevalent these technologies are, what is being done to secure them against hacking attacks, and how personal driving information is managed. [...] The responses reveal the security and privacy practices of these companies and discuss the wide range of technology integration in new vehicles, data collection and management practices, and security measures to protect against malicious use of these technologies and data."
Read more:
See also:
A paper by Yaniv Taigman, Ming Yang, Marc'Aurelio Ranzato and Lior Wolf.
Abstract:
"In modern face recognition, the conventional pipeline consists of four stages: detect => align => represent => classify. We revisit both the alignment step and the representation step by employing explicit 3D face modeling in order to apply a piecewise affine transformation, and derive a face representation from a nine-layer deep neural network. This deep network involves more than 120 million parameters using several locally connected layers without weight sharing, rather than the standard convolutional layers. Thus we trained it on the largest facial dataset to-date, an identity labeled dataset of four million facial images belonging to more than 4,000 identities. The learned representations coupling the accurate model-based alignment with the large facial database generalize remarkably well to faces in unconstrained environments, even with a simple classifier. Our method reaches an accuracy of 97.35% on the Labeled Faces in the Wild (LFW) dataset, reducing the error of the current state of the art by more than 27%, closely approaching human-level performance."
Read more:
See also:
An article by Patrick C. Toomey and Brett Max Kaufman.
Abstract:
"In this Article, we seek to explain the legal and factual components of the Notice Paradox. The Notice Paradox exists because at precisely the moment that novel and legally untested surveillance techniques are multiplying, one of the most essential restraints on illegal searches — notice — is fast disappearing. Though the Paradox affects, in principle, all Americans, this Article explores those effects chiefly with respect to criminal defendants. In Part II, we recount the historical and legal roots of the notice requirement, and we explain its practical significance in the context of government searches and criminal prosecutions. Part III, a survey of recent disclosures about secret uses of electronic surveillance and the government's manipulation of the notice right, illustrates the significant shift away from notice as a given, as well as some of the associated dangers of that trend. We conclude in Part IV by suggesting several legal and policy recommendations that would help mitigate the costs of faltering notice to individuals and society at large."
Read more:
A report by Pieter Omtzigt (Parliamentary Assembly, Council of Europe).
From 'Explanatory memorandum by mr Pieter Omtzigt, rapporteur':
"Since June 2013, disclosures by journalists to whom Mr. Edward Snowden, a former employee of the CIA and of a private contractor working for the US National Security Agency (NSA), had entrusted a large amount of top secret data concerning mass surveillance carried out by the NSA and others have triggered a massive public debate on privacy in the internet age. The extent of mass surveillance programmes the NSA and other countries' intelligence agencies conducted all around the world is stunning. The disclosures have confirmed the need for the Council of Europe to encourage its member and observer states to reassess their own surveillance programmes, assess loopholes which enable such programmes to target their own citizens by foreign services, and consider possible redress, including through legislative means, international agreements and the promotion of mass encryption. This is a matter not only of the protection of our fundamental rights, but also a matter of national security, which is under threat from rogue states, terrorists, cyber-terrorists and ordinary criminals who can do enormous damage by making use of weaknesses in encryption and other internet security measures deliberately created by intelligence agencies in order to facilitate mass surveillance."
Read more:
See also:
Results of an international survey of writers by PEN American Center.
From the Introduction:
"Levels of concern about government surveillance in democratic countries are now nearly as high as in non-democratic states with long legacies of pervasive state surveillance. Writers living in liberal democratic countries have begun to engage in self-censorship at levels approaching those seen in non-democratic countries, indicating that mass surveillance has badly shaken writers' faith that democratic governments will respect their rights to privacy and freedom of expression, and that - because of pervasive surveillance - writers are concerned that expressing certain views even privately or researching certain topics may lead to negative consequences."
Read more:
See also:
A paper by George Danzis, Josep Domingo-Ferrer, Marit Hansen, Jaap-Henk Hoepman, Daniel Le Metayer, Rodica Tirtea and Stefan Schiffner (ENISA).
From the Executive Summary:
"This report contributes to bridging the gap between the legal framework and the available technological implementation measures by providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity from research and development. Starting from the privacy principles of the legislation, important elements are presented as a first step towards a design process for privacy-friendly systems and services. The report sketches a method to map legal obligations to design strategies, which allow the system designer to select appropriate techniques for implementing the identified privacy requirements. Furthermore, the report reflects limitations of the approach. It distinguishes inherent constraints from those which are induced by the current state of the art. It concludes with recommendations on how to overcome and mitigate these limits."
Read more:
A report by the Nuffield Council on Bioethics.
From the Executive Summary:
"There is a growing accumulation of data, of increasing variety, about human biology, health, disease and functioning, derived ultimately from the study of people. Advances in information technology and data science provide more ways, and more powerful ways, to collect, manage, combine, analyse and derive insight from these data. The result is that data are now seen as a valuable resource with an indefinite range of potential uses. [...] Compliance with the law cannot guarantee that a use of data is morally acceptable. Faced with contemporary data science and the richness of the data environment, protection of privacy cannot reliably be secured merely by anonymisation of data or by using data in accordance with the consent from 'data subjects'. Effective governance of the use of data is indispensable."
Read more:
A report by Yves-Alexandre de Montjoye, Laura Radaelli, Vivek Kumar Singh and Alex "Sandy" Pentland.
Abstract:
"Large-scale data sets of human behavior have the potential to fundamentally transform the way we fight diseases, design cities, or perform research. Metadata, however, contain sensitive information. Understanding the privacy of these data sets is key to their broad use and, ultimately, their impact. We study 3 months of credit card records for 1.1 million people and show that four spatiotemporal points are enough to uniquely reidentify 90% of individuals. We show that knowing the price of a transaction increases the risk of reidentification by 22%, on average. Finally, we show that even data sets that provide coarse information at any or all of the dimensions provide little anonymity and that women are more reidentifiable than men in credit card metadata. "
Read more:
A staff report by the FTC.
From the Executive Summary:
"Six years ago, for the first time, the number of 'things' connected to the Internet surpassed the number of people. Yet we are still at the beginning of this technology trend. Experts estimate that, as of this year, there will be 25 billion connected devices, and by 2020, 50 billion. Given these developments, the FTC hosted a workshop on November 19, 2013 – titled 'The Internet of Things: Privacy and Security in a Connected World'. This report summarizes the workshop and provides staff's recommendations in this area."
Read more:
See also:
A report by Ofcom.
From 'About this document':
"The Internet of Things (IoT) is set to enable large numbers of previously unconnected devices to communicate and share data with one another - its services span industries from agriculture and energy to transport, healthcare and much more, with the potential for significant benefits to citizens and consumers. There are already over 40 million devices connected via the IoT in the UK alone. This is forecast to grow more than eight-fold by 2022, with hundreds of millions of devices carrying out more than a billion daily data transactions. Ofcom has identified several priority areas to help support the growth of the IoT. Following feedback from stakeholders in 2014, these areas include spectrum availability, data privacy, network security and resilience, and network addresses."
Read more:
A paper by Wu Youyou, Michal Kosinski, and David Stillwell.
From the Abstract:
"Judging others' personalities is an essential skill in successful social living, as personality is a key driver behind people's interactions, behaviors, and emotions. Although accurate personality judgments stem from social-cognitive skills, developments in machine learning show that computer models can also make valid judgments. This study compares the accuracy of human and computer-based personality judgments, using a sample of 86,220 volunteers who completed a 100-item personality questionnaire."
Read more:
See also:
A report by Gabor Szappanos (SophosLabs).
From the Introduction:
"Our deep analysis of malware samples using the CVE-2014-1761 vulnerability gave us a rare opportunity to compare the skill of a few different malware author groups. This is not a full and comprehensive test; we could estimate the skills only by a single criterion: the attackers' understanding of the exploit. But the situation is the same as with any other test: if you know exactly what you are measuring, you can make valid conclusions. This is what we attempt in this paper."
Read more:
A publication by BakerHostetler.
From 'B. Data privacy class actions':
"Looming large in the 2014 world of data privacy class actions was the Supreme Court's 2013 decision in Clapper v. Amnesty International USA that a plaintiff may not sue based on a risk of future harm unless that harm is “certainly impending.” Courts are split over whether Clapper dooms data-breach claims based on the increased risk of identity theft. Several courts of appeals also weighed in on standing based solely on a statutory violation—uniformly allowing such claims. And as in years past, 2014 brought several novel theories of liability seeking to create damages following a data breach, including RICO's first appearance and a greater focus on “overpayment” theories of liability. These and the other issues outlined below made 2014 a big year for data privacy class actions."
Read more:
A report by Louis Marinos (ENISA).
From the Executive Summary:
"[...] there is a dark side of the threat landscape of 2014:
- SSL and TLS, the core security protocols of the internet have been under massive stress, after a number of incidents have unveiled significant flaws in their implementation.
- 2014 can be called the year of data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse security weaknesses of businesses and governments.
- A vulnerability found in the BASH shell may have a long term impact on a large number of components using older versions, often implemented as embedded software.
- Privacy violations, revealed through media reports on surveillance practices have weakened the trust of users in the internet and e-services in general.
- Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, thus increasing efficiency and evasion through security defences."
Read more:
An article by Jonathan Mayer (Web Policy).
From the article:
"Verizon Wireless injects a unique header into customer web traffic. When the practice came to light last year, it was widely panned. Numerous security researchers pointed out that this 'supercookie' could trivially be used to track mobile subscribers, even if they had opted out, cleared their cookies, or entered private browsing mode. But Verizon persisted, emphasizing that its own business model did not use the header for tracking. Out of curiosity, I went looking for a company that was taking advantage of the Verizon header to track consumers. I found one - Turn, a headline Verizon advertising partner. They're 'bringing sexy back to measurement.'"
Read more:
See also: