An Italian investigation into privacy concerns has given ChatGPT 30 days to defend itself.

Italy’s Data Protection Authority (GPDP) has uncovered data privacy violations related to collecting personal data and age protections after an inquiry into OpenAI’s ChatGPT. OpenAI has 30 days to respond with a defense.

ChatGPT is an artificial intelligence (AI) chatbot that can engage in conversations with users, and answer their questions. It does this using natural, human-like language, a trick which is accomplished by training the underlying algorithm with large amounts of data from the internet.

Italy and ChatGPT historically have a troubled relationship. In April, 2023 ChatGPT was happy to announce that the artificial intelligence chatbot was available again in Italy after a month long block. To accomplish this the company had to meet the demands of Italy’s regulators who temporarily blocked ChatGPT over privacy concerns.

But Italy didn’t rest the case at that point. The GPDP started an investigation into data privacy violations. Around the same time the European Union’s European Data Protection Board set up a special task force to monitor ChatGPT.

The Italian authority has since concluded that elements indicate one or more potential data privacy violations without providing specific details, but added its investigation would take into account work done by the European task force.

In December of 2023 the European Union (EU) reached a provisional deal on landmark EU rules governing the use of artificial intelligence. This agreement requires Large Language Models (LLMs) such as ChatGPT and more general purpose AI systems (GPAI) to comply with transparency obligations before they are put on the market.

The GPDP noted two major concerns which are only voiced in general terms:

*   The available evidence pointed to the existence of breaches of the provisions contained in the EU.
*   It is concerned that younger users may be exposed to inappropriate content generated by the chatbot.

For those reasons Italy’s watchdog said it would like to see OpenAI:

> “implementing an age verification system and planning and conducting an information campaign to inform Italians of what happened as well as of their right to opt-out from the processing of their personal data for training algorithms.”

ChatGPT is already blocked in a number of other countries, including China, Iran, North Korea, and Russia. Which might turn out to be their loss. Time will tell.

We shouldn’t forget that we are talking about a revolutionary technology that is only just scratching the surface of its potential and going through some growing pains like a child would—a child with the knowledge and vocabulary of a library, but no idea what a secret is, let alone how to keep one.

To demonstrate the fact, Ars Technica found that ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users.

In November, 2023, researchers published a paper reporting how ChatGPT could be prompted into revealing email addresses and other private data that was included in training material. Those researchers warned that ChatGPT was the least private model they studied.

So, yes, it’s good to keep a keen eye on the developments and pace them where needed. But we should not do this to the extent that we push it away from the public eye. A child needs to be supervised, not locked in a basement.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 ChatGPT accused of breaking data protection rules 

Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. 
Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time

Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. 

Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far to gaining access to the underlying system.

**Background**

The OAS Platform facilitates the simplified transfer of data between various proprietary devices and applications. It can connect products from multiple vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.

**Vulnerabilities**

During this research, we discovered eight vulnerabilities, five of which are covered here. Full technical details can be found in the respective vulnerability reports: 

TALOS-2023-1769

TALOS-2023-1770

TALOS-2023-1771

TALOS-2023-1772

TALOS-2023-1773

TALOS-2023-1774

TALOS-2023-1775

TALOS-2023-1776

**Bypass authentication via default configuration**

**TALOS-2023-1769 (CVE-2023-31242)**

By default, when the OAS Engine is installed, no admin application user is set. Without an admin application user, no authentication is required to access certain functionality that would otherwise require valid credentials, including creating new users. Additionally, if an admin user is created, but the configuration is not saved before the OAS Engine restarts, those changes will be lost and the system will revert to disregarding the authentication structure.

**Bypass authentication via stolen U\_EP**

**TALOS-2023-1770 (CVE-2023-34998)**

When a privileged request is sent by a legitimate administrator to the OAS Engine, the traffic is sent unencrypted across the wire. As such, it is possible for a bad actor capable of sniffing traffic between the client and OAS Engine to capture a valid U_EP authentication structure. The attacker can then use the structure to craft their successful privileged request. Any captured U_EP remains valid until the associated user account has been deleted.

**File overwrite**

**TALOS-2023-1771 (CVE-2023-32615)**

The OAS configuration tool provides a feature to save the running configuration to disk on the OAS engine server. When this information gets saved, the user specifies the path and filename, restricted only by the permissions of the underlying OAS user system account. If the chosen file already exists, the contents of that file will be replaced with the configuration data.

**Add user unsanitized input**

**TALOS-2023-1772 (CVE-2023-34317)**

Access to the various features of the OAS Engine and associated data is controlled through the use of OAS engine application users. 

Application administrator users can add additional users to the application with varying levels of permissions. These users exist within the OAS Engine exclusively, not on the underlying system. When adding a user, no filtering is performed on the value entered for the username, allowing a wide variety of characters not appropriate for a username to be entered and subsequently stored in the running configuration.

**List directory**

**TALOS-2023-1774 (CVE-2023-32271)**

Through the OAS Configuration tool, the functionality to load a saved configuration from disk or save a running configuration to disk is exposed to authenticated application users. 

Accompanying the configuration management tools is a remote file browser that allows users to see what files exist on the remote system.

**Attack walkthrough**

By combining these vulnerabilities, it is possible to gain access to the underlying system as the user running the OAS Engine. 

In this scenario, an adversary could: 

1.  Gain access to a valid authentication structure.
2.  Search the filesystem for evidence of an SSH server.
3.  Store an SSH key in the running OAS configuration.
4.  Write the running configuration to disk.

**Interacting with the OAS Engine**

Before an adversary can make any of the requests needed to exploit the system, they’d need to understand the protocol used by the OAS Configuration utility. These requests consist of two related Protobuf structures — Client_Send and OASPacket — concatenated together and sent to the OAS Engine via TCP/58727 (by default). Responses to these requests will be delivered in a similar format, replacing the Client_Send Protobuf with a Server_Send.

The Server_Send Protobuf takes the following form, where the Handshake and Offset fields must be retained if a subsequent Client_Send is to be sent. 

    message Server_Send {
      int32 Version = 1;
      int32 OASVersion = 2;
      int32 Handshake = 3;
      int32 Offset = 4;
      int32 Length = 5;
    }

The Client_Send Protobuf takes the following form, where Version is 0x01, and Length is the size in bytes of the OASPacket Protobuf:

    message Client_Send {
      int32 Version = 1;
      int32 ClientHandshake = 2;
      int32 Handshake = 3;
      int32 Length = 4;
    }

The ClientHandshake and Handshake fields are used in a client/server handshake that is likely in place to prevent replay attacks. ClientHandshake is a randomly generated value less than or equal to 0x3FFFEC75 that will be used in a subsequent request's handshake process. Handshake is a value calculated by taking the Handshake field from the prior Server_Send response, adding it to the Offset field from that same response, subtracting by both 0x12CB and the value of the ClientHandshake field from the prior Client_Send request, and finally adding 0x888. This can be better visualized with the following formula:

    handshake = server_send_handshake + server_send_offset - 0x12CB - previous_client_send_handshake + 0x888

The OASPacket Protobuf takes the following form, where LDCMode, LDCHost, and SendingGUID are not always necessary, Version is 0x01, CommandNumber defines the type of request being sent, and DataAsBytes is a set of serialized Protobufs describing the request data. 

    message OASPacket {
      int32 Version = 1;
      int32 LDCMode = 2;
      int32 CommandNumber = 3;
      string LDCHost = 4;
      string SendingGUID = 5;
      bytes DataAsBytes = 6;
    }

Many of the requests contain a field of the custom type U_EP. This field contains a serialized copy of credentials used to authenticate privileged requests. The U_EP Protobuf takes the following form, where Version is 0x01, and Seed is a random value used to encrypt the credentials:

    message U_EP {
      int32 Version = 1;
      int32 Seed = 2;
      bytes DataAsBytes = 3;
    }

The DataAsBytes field contains a serialized and encrypted User_EncryptedPassword Protobuf, which takes the following form:

    message User_EncryptedPassword {
      string Username = 1;
      string EncyprtedPassword = 2;
    }

By combining the generic structures discussed here with the request-specific structures discussed later, an adversary could replicate the desired communications with the OAS Engine. 

**Bypass authentication**

Many of the requests necessary to successfully interact with the OAS Engine require authentication. At this time, two options exist to bypass this authentication requirement: abusing the default configuration or reusing a valid authentication structure. 

**Option 1: Abusing Default Configuration**

As the requests needed to gain access require authentication, it is necessary first to acquire a valid U_EP structure. 

The easiest way to obtain valid credentials is to use the vulnerability disclosed in TALOS-2023-1769. This vulnerability is only exploitable in cases where the OAS Engine is still running its default configuration. To determine if the target in question is vulnerable, an OASPacket with Version set to 0x01 and CommandNumber set to 0x13F can be used. When correctly sent, the server will return a response with the following format:

    message Version_Runtime_License {
      int32 Version = 1;
      bool Runtime = 2;
      string LicenseString = 3;
      string MtcExpirationString = 4;
      bool NetCore = 5;
      bool WinOS = 6;
      bool LinuxOS = 7;
      string AssemblyVersion = 8;
      string BaseDirectory = 9;
      bool EnableActiveDirectory = 10;
      string ActiveDirectoryEntry = 11;
      string ActiveDirectoryFilter = 12;
    }

If the server is vulnerable to TALOS-2023-1769, the MtcExpirationString field will contain the string "Create an Admin User." In this state, the server does not perform any verification of the U_EP structure, allowing privileged requests by unauthenticated users as long as any value is provided in the U_EP field.

If an admin user has already been created, the OAS Engine will not be vulnerable to TALOS-2023-1769 and will require a different approach. The vulnerability disclosed in TALOS-2023-1770 provides an alternative way to obtain a valid U_EP. 

**Option 2: Pass the U\_EP**

This vulnerability occurs when legitimate configuration requests, including privileged ones, are sent to the OAS Engine. Most of these messages are sent in cleartext, as disclosed in TALOS-2023-1770. The exception is a field within the U_EP authentication structure, referred to within the OAS Platform as the User_EncryptedPassword. The User_EncryptedPassword is a block of data containing the authenticating username and associated encrypted password that is supplied as a block of AES-encrypted, serialized data to the DataAsBytes field in a U_EP authentication structure, as shown below.

    message U_EP {
      int32 Version = 1;
      int32 Seed = 2;
      bytes DataAsBytes = 3;
    }
    
    message User_EncryptedPassword {
      string Username = 1;
      string EncyprtedPassword = 2;
    }

While it is possible to decrypt the User_EncryptedPassword and get access to the raw username and encrypted password (TALOS-2023-1776), it is not necessary for authentication. 

When a legitimate U_EP is built, a value is randomly generated and stored in the Seed field of the structure. This seed is subsequently used to build the AES key used to encrypt the User_EncryptedPassword data. This process generally results in a different U_EP value for each new configuration session when conducted through the official tool, but this process does not cause prior sessions to be terminated. 

If an attacker obtains access to legitimate configuration traffic by sniffing network traffic, obtaining an old traffic capture, or any other method, they can extract the U_EP structure and successfully authenticate for as long as the associated user exists within the OAS Engine. 

**Explore the Filesystem**

With the ability to successfully send authenticated messages, we can leverage the vulnerability disclosed in TALOS-2023-1774 to explore the filesystem. 

From here a variety of approaches could be taken, but for this deep dive, we are looking for the existence of the sshd_config file in /etc/ssh/ and the .ssh directory in the OAS user's home directory, indicating that an SSH server is likely enabled on the system. 

We can do this by using an OASPacket with Version set to 0x01 and CommandNumber set to 0x0F. Additionally, the DataAsBytes field will need to be filled with a serialized Browse_File Protobuf containing a valid U_EP, the GetDirectories and GetFiles flags set, a DirectoryPath set to the absolute path of the desired location, and a FileExtension field containing an asterisk to indicate any file type.

    message Browse_File {
      int32 Version = 1;
      U_EP UEP = 2;
      bool GetDrives = 3;
      bool GetDirectories = 4;
      bool GetFiles = 5;
      string DirectoryPath = 6;
      string FileExtension = 7;
    }

When successfully sent, the OAS Engine will respond with the results in a Browse_File_Result Protobuf, containing all of the data organized by type. 

    message Browse_File_Result {
      bool Success = 1;
      optional string ErrorString = 2;
      repeated string Drives = 3;
      repeated string Directories = 4;
      repeated string ShortDirectories = 5;
      repeated string Files = 6;
      repeated string ShortFileNames = 7;
    }

**Upload new SSH key**

After verifying with some certainty that an SSH server is running, it is possible to leverage TALOS-2023-1771 and TALOS-2023-1772 to upload a new SSH key and subsequently gain access to the underlying system.

Since there is not any dedicated file upload functionality exposed by the OAS Engine, it is necessary to get more creative. By combining the improper input validation vulnerability disclosed in TALOS-2023-1772 with the external control of the filename vulnerability disclosed in TALOS-2023-1771, it is possible to create a makeshift file upload process. 

💡

It is important to note that while functional for this scenario, this technique will result in a file that cannot be fully controlled. As such, it is likely to create a file that could be considered corrupt by most applications.

When adding a new application user to the OAS Engine, the user details are taken and written to the running OAS Engine configuration. During this process, no verification is performed to ensure that the value entered contains exclusively characters that make sense for a username. Additionally, there is no limit on the length of the username. 

By supplying the entirety of an SSH public key that we control as the username of a new entry, it is possible to abuse this lack of verification to get our desired file data stored in the running OAS configuration

We can do this through the use of an OASPacket with Version set to 0x01 and CommandNumber set to 0x88. Additionally, the DataAsBytes field will need to be filled with a serialized String Protobuf containing a Version number, a valid U_EP, and a String value containing the public key data. 

    message String {
      int32 Version = 1;
      U_EP UEP = 2;
      string String = 3;
    }

With our key stored in the running configuration, we can then trigger it to get written to a file of our choice, in this case, the OAS user's authorized_keys, file, by saving the configuration to disk. While the file will contain a large amount of OAS configuration information that is meaningless to the SSH server, the public key supplied via a username will still be interpreted successfully as long as it is surrounded by newline characters.

We can do this by using an OASPacket with Version set to 0x01 and CommandNumber set to 0x74. The DataAsBytes field must again be filled with a serialized String Protobuf containing a Version number, a valid U_EP, and a String value, this time containing the absolute path to the file where the configuration should be written. 

    message String {
      int32 Version = 1;
      U_EP UEP = 2;
      string String = 3;
    }

If everything works correctly and the target has its SSH server running, it will be possible to log in as the underlying OS user running the OAS engine via SSH.

**Mitigations**

Before the release of this walkthrough and the associated vulnerabilities, Cisco Talos worked with Open Automation Software to ensure that patches were made publicly available in Version 19. All users are recommended to upgrade to the latest version. 

For Snort coverage, (SIDs 61991 - 61994, 62003, and 62004) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges

By Waqas
The US Treasury Department announced sanctions against two Egyptian nationals, Mu'min Al-Mawji Mahmud Salim and Sarah Jamal Muhammad Al-Sayyid, for running the Electronic Horizons Foundation (EHF), a platform allegedly providing cyber tools and training to ISIS supporters.
This is a post from HackRead.com Read the original post: U.S. Treasury Imposes Sanctions on Alleged ISIS Cybersecurity Experts

The FBI is offering a $20,000 reward for anyone providing information to the agency regarding the whereabouts of cybersecurity expert Mu’min Al-Mawji Mahmud Salim, also known as ‘Taqni al-Mujahedeen’.

The US Treasury Department announced sanctions today against two Egyptian nationals, Mu’min Al-Mawji Mahmud Salim (alias “Taqni al-Mujahedeen”) and Sarah Jamal Muhammad Al-Sayyid, for allegedly running the Electronic Horizons Foundation (EHF), a platform providing cyber tools and training to **ISIS** supporters.

Mu’min Al-Mawji Mahmud Salim, identified as the alleged creator and leader of the apparent ISIS-affiliated platform Electronic Horizons Foundation (EHF), has been accused of providing cybersecurity guidance and training to ISIS supporters. His partner, Sarah Jamal Muhammad Al-Sayyid, allegedly aided in establishing EHF and procured web servers to host ISIS platforms.

****The Accusation:****

The Treasury Department accuses EHF of playing a crucial role in bolstering ISIS’s online presence and financial networks. Their alleged activities include:

*   **Providing online security tutorials:** EHF reportedly taught ISIS supporters how to evade law enforcement through encryption, anonymization tools, and online cover-up techniques.
*   **Facilitating cryptocurrency fundraising:** The platform allegedly instructed ISIS members on using cryptocurrency wallets and exchanges to fundraise for the group’s activities without detection.
*   **Sharing technical expertise:** EHF is accused of offering technical assistance to ISIS, such as building and maintaining a secure online infrastructure for communication and propaganda dissemination.

****Impact of the Sanctions:****

The Treasury Department’s sanctions freeze any assets Salim and Al-Sayyid hold in the United States and prohibit US citizens and businesses from engaging in financial or commercial transactions with them. Additionally, a **$20,000 reward** (PDF) is offered for information leading to their arrest or conviction.

**According to** Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E., these measures aim to disrupt ISIS’s financial operations, including the use of cryptocurrency, and prevent the group from leveraging its online presence for recruitment and propaganda purposes.

This announcement can be a significant development in disrupting ISIS’s online activities. Cybercrime and anonymous fundraising are vital to the group’s operations, and these sanctions aim to cripple their financial and technological support networks.

Notably, this isn’t the first US action against ISIS’s online presence. **In August 2020**, the United States claimed to have disrupted three cryptocurrency campaigns run by terror groups, including the Al-Qassam Brigades (the military wing of Hamas), Al-Qaeda, and ISIS.

****_RELATED ARTICLES_****

1.  **Man Accused of Terrorism Over Encrypting His Blog Site**
2.  **Anonymous hacks ISIS website; infecting users with malware**
3.  **Someone Hacked Swedish Radio Station to Play Pro-ISIS Song**
4.  **Muslim Hackers Hack ISIS website; expose 2,000 subscribers list**
5.  **Anonymous Muslim Group Confusing ISIS with Porn and Fake News**
6.  **Russian hackers sent death threats to US army wives posing as ISIS**

U.S. Treasury Imposes Sanctions on Alleged ISIS Cybersecurity Experts

By Waqas
With businesses continuing to generate a vast amount of data, from financial records to client information, understanding the…
This is a post from HackRead.com Read the original post: Best Methods for Storing, Protecting Digital Company Files: Secure Strategies for Data Safety

With businesses continuing to generate a vast amount of data, from financial records to client information, understanding the best methods to store and protect these digital files becomes imperative.

Efficient data storage and security practices are critical for ensuring that sensitive information remains confidential and intact.

Your approach to data storage and digital file management will impact everything from operational efficiency to regulatory compliance. Putting robust file security protocols can prevent data breaches, which preserves customer trust and protects your company’s reputation. 

It’s essential to establish a system where access to important files is controlled and monitored, reducing the risk of both internal and external threats. Let’s take a closer look at the best practices, benefits, and methods of secure file storage.

****Establishing Secure Digital Storage Practices****

As you approach the safeguarding of digital files, remember that the choice of storage solutions, access controls, and encryption methods are vital to preventing unauthorized access and data breaches. 

There are a couple of key features that you should be on the lookout for — but also keep in mind that the right storage solution will depend chiefly on the specifics of your business and your needs.

****Choosing the Right Storage Solutions****

When selecting storage solutions for your sensitive documents, consider a blend of cloud storage and physical hard drives. Cloud services offer scalability and remote access, with options like Google Drive leading the market. 

However, it’s crucial to ensure that the chosen service provides robust data security measures. On the other hand, hard drives should be used in a secure location with environmental controls to protect against physical damage.

****Implementing Access Controls****

Good practice dictates that you limit access to sensitive information. Implement strong access control measures, starting with unique passwords that are changed regularly. 

See to it that employees have access only to the data necessary for their roles — this principle of least privilege can significantly reduce the risk of a data breach. Use features like user access logs, real-time monitoring, and multi-factor authentication to enhance security.

****Data Encryption and Protection****

Securing your data with strong encryption is non-negotiable. Whether data is at rest or in transit, encryption acts as a robust lock that shields sensitive documents from unauthorized users. 

Make sure that any data storage service you employ uses advanced encryption standards. Additionally, implementing a consistent backup strategy will protect against data loss, keeping your company’s files recoverable in an emergency.

****Optimizing File Organization and Management****

To maintain an efficient digital workspace, it is crucial to cultivate robust file organization strategies and a reliable management system. This not only enhances productivity but also strengthens data security.

****Effective PDF Management****

Managing PDF files effectively is an integral part of a digitized workplace. Utilizing a comprehensive PDF editor enables you to directly modify PDF content, ensuring that your records remain current and accurate. 

Consistent categorization and naming of PDF files streamline retrieval, while the option to annotate allows for clearer communication within your team.

****Document Control and Versioning****

A systematic approach to document control is essential for ensuring the integrity of company records. Implement version control within your document management system to track changes over time, avoiding the confusion of multiple file versions. 

This records management practice provides a clear audit trail, demonstrating which team member made edits, what changes were made, and when they occurred. 

Establish a convention for file names that includes version numbers, which will make it easier to navigate through your digital filing system and locate the most recent version of a document.

****Protecting Against Data Loss and Theft****

In the digital era, safeguarding your company’s data from loss and theft is a multifaceted challenge that requires a dynamic and comprehensive strategy. 

This involves deploying a variety of critical tactics, including the implementation of robust backup strategies, vigilance against identity fraud, and comprehensive measures to thwart data leakage and theft. Each of these components plays a crucial role in creating a secure data environment

****Implementing Data Backup Strategies****

To effectively guard against the potentially catastrophic consequences of data loss, implementing a thorough and regular backup regimen is essential for any business. This approach should encompass several key components::

*   **Local backups**: Establish a routine for creating physical copies of important files. Use external hard drives, network-attached storage (NAS) systems, or even dedicated backup servers. Place these storage devices in a secure, environmentally controlled location to protect them from physical damage or environmental hazards. Regularly update these backups and test them to ensure data integrity.
*   **Offsite Backups:** Employ cloud-based services for offsite backups, offering another layer of security against local disasters such as fires or floods. Choose cloud providers known for their strong security measures and reliability. Ensure that these backups are encrypted and periodically test the recovery process to verify the speed and efficiency of data restoration.
*   **Backup Policies and Monitoring:** Develop clear and concise policies regarding the frequency and methods of backups. These policies should detail what data needs to be backed up, how often, and who oversees this process. Implement a monitoring system to routinely check the health and status of your backups.
*   **Diverse Backup Strategies:** Incorporate a mix of incremental and full backups. Incremental backups save time and resources by only backing up data that has changed since the last backup. Full backups, while more resource-intensive, provide a complete snapshot of your data at a specific point in time.

Establish clear policies on the frequency and method of backups. Ensure routine monitoring of backup processes to verify their integrity and functionality.

****Protecting Against Identity Fraud****

With the prevalence of the digital in today’s time, identity theft has become a significant threat. It’s important to stay aware of this risk, as well as emerging new attack methods such as synthetic identity fraud. To combat this, it’s imperative to:

*   **Educate and Train:** Regularly educate yourself and your employees about the latest trends in identity fraud. Conduct training sessions to recognize signs of fraudulent activities, such as unusual account behaviour or discrepancies in personal information.
*   **Stringent Verification Policies:** Implement and enforce rigorous identity verification processes. This could involve multi-layered verification techniques, including new advances in the field like biometric verification, in addition to traditional methods like passwords and security questions.
*   **Continuous Monitoring:** Maintain continuous monitoring of all activities within your systems. This involves real-time surveillance of transactional data, access logs, and user activities. Quickly identifying and responding to suspicious activities can prevent potential fraud.

****Preventing Data Leakage and Theft****

Data leakage and breaches pose significant risks. Develop a layered security approach involving both technological solutions and employee training to recognize and act on potential threats. To secure your documents from unauthorized access and theft:

*   **Use comprehensive encryption methods for sensitive information**. By Implementing state-of-the-art encryption methods for all sensitive information, you can ensure that data, whether at rest or in transit, is inaccessible to unauthorized users. Use industry-standard encryption protocols like AES (Advanced Encryption Standard) for stored data and SSL/TLS (Secure Sockets Layer/Transport Layer Security) for data in transit. 
*   **Implement strict access control measures**. This involves setting strong, unique passwords, implementing role-based access control systems, and regularly updating access rights based on employees’ current roles and responsibilities
*   **Regularly update systems to address security vulnerabilities**. Implement a systematic process for applying security patches and software updates to protect against known exploits. Regularly conduct security audits and vulnerability assessments to identify and mitigate potential weaknesses in your IT infrastructure

****Ensuring Legal Compliance and Record Keeping****

When managing your company’s digital files, it’s imperative to adhere strictly to legal and regulatory standards and to implement an archiving system that ensures future accessibility. This not only safeguards your sensitive documents but also maintains their integrity for legal and ownership verification.

****Adhering to Legal and Regulatory Standards****

For your contracts and sensitive documents, compliance with legal regulations is not optional. You must understand and apply the specific legal requirements that pertain to your industry and the type of records you handle. For instance:

*   **Contracts**: Store in a secure and encrypted format, allowing access only to authorized personnel.
*   **Sensitive Documents**: Implement policies that comply with privacy laws, such as GDPR or HIPAA, depending on your location and the nature of your business.

****Archiving for Future Accessibility****

Archiving is essential for records management and ensures that your documents remain accessible over time. Small businesses, in particular, need to establish archiving processes that allow for easy retrieval and clear documentation of records. Here are the steps you could follow:

1.  **Identification**: Determine which documents require archiving.
2.  **Categorization**: Organize documents in a way that supports your business operations.
    *   Legal Records: Sorted by case number or client name.
    *   Ownership: Grouped by asset or property type.
3.  **Selection of Archiving Solutions**:
    *   On-premise servers or cloud-based solutions can be used, each with its own benefits for storage and accessibility.

For long-term archiving and accessibility, consider exploring digital systems that cater to your firm’s needs.

****Conclusion****

Your organization’s documents, including financial reports, customer data, and intellectual property, are the lifeblood of your business—treat their security with the utmost priority. 

By incorporating these methods into your company’s policies, you’ll enhance the integrity and confidentiality of your digital files, reducing potential risks and loss. It’s not merely about compliance—it’s about building a resilient foundation for your business’s continued success and growth.

1.  **Approaching Complex Data Security for Small Businesses**
2.  **How Blockchain Can Revolutionize Personal Data Storage?**
3.  **What is the tokenization process and why it is so important?**
4.  **Cyqur Launches Data Encryption, Fragmentation Web Extension**
5.  **Insights on Google Cloud Backup and Disaster Recovery Service**

Best Methods for Storing, Protecting Digital Company Files: Secure Strategies for Data Safety

Explicit deepfake images of Taylor Swift caused problems on social media and caused politicians to ask for more legislation

Deepfake images of Taylor Swift have really made some serious waves. Explicit images of the popstar, generated by Artificial Intelligence (AI) were posted on social media and Telegram. The images were viewed millions of times.

The impact of the deepfake was enormous. Social media platform X (formerly known as Twitter) even blocked searches for Taylor Swift’s name, saying:

> “This is a temporary action and done with an abundance of caution as we prioritize safety on this issue.”

X’s policies say it explicitly prohibits the sharing of “synthetic, manipulated, or out-of-context media that may deceive or confuse people and lead to harm”, as well as the posting of Non-Consensual Nudity (NCN) images. But apparently it was not easy to quickly remove the images and take actions against the accounts that were posting them.

Searches for Taylor Swift and some related terms were also blocked on Instagram, instead displaying “the search terms used were sometimes associated with activities of dangerous organizations and individuals.”

The uproar about the fake images of the popstar was so loud that some politicians started calling for laws to prohibit the creation of deepfakes. While in many countries and some US states, the creation of deepfakes is prohibited, there are currently no federal laws against the sharing or creation of deepfake images.

In 2020 we discussed deepfake legislation in the United States. In a rare example of legislative haste, roughly one dozen state and federal bills were introduced in 2019 to regulate deepfakes, mostly out of fear that they could upend democracy.

Although it is doubtful that any law would have stopped the creation of the images, it might have blocked or dampened the rapid way in which the images were spread.

However, deepfakes started as a new form of pornography and most of the deepfakes created and posted online today are still of a pornographic nature. They also disproportionally target women, which should make appropriate legislation a bigger priority than being able to recognize deepfakes.

Like Adam Dodge, founder of the nonprofit End Technology-Enabled Abuse, or EndTAB, said a few years ago:

> “The reality is, when it comes to the battle against deepfakes, everybody is focused on detection, on debunking and unmasking a video as a deepfake. That doesn’t help women, because the people watching those videos don’t care that they’re fake.”

Well-known women, like actresses and musicians, are particularly at risk of falling victim to this type of abuse.

Taylor Swift herself is furious about the AI images circulating online and is considering legal action against the sick deepfake porn site hosting them.

Taylor Swift has a legal team at her disposal, but if you are the victim of “revenge porn” or other forms of non-consensual nudity, you should know it’s much easier to take down nonconsensual porn content than it used to be. A growing number of companies will voluntarily take down nonconsensual porn on their platforms, regardless of whether the victim owns the copyright.

For step-by-step instructions on how to report and take down nonconsensual porn across multiple technology platforms including Instagram, X (Twitter), Reddit, Tumblr, Google, Facebook, and TikTok, you can use Cyber Civil Rights Initiative’s new Online Removal Guide.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Deepfake Taylor Swift images circulate online, politicians call for laws to ban deepfake creation 

Italy's data protection authority (DPA) has notified ChatGPT-maker OpenAI of supposedly violating privacy laws in the region.
"The available evidence pointed to the existence of breaches of the provisions contained in the E.U. GDPR [General Data Protection Regulation]," the Garante per la protezione dei dati personali (aka the Garante) said in a statement on Monday.
It also said it

Generative AI / Data Privacy

Italy's data protection authority (DPA) has notified ChatGPT-maker OpenAI of supposedly violating privacy laws in the region.

"The available evidence pointed to the existence of breaches of the provisions contained in the E.U. GDPR \[General Data Protection Regulation\]," the Garante per la protezione dei dati personali (aka the Garante) said in a statement on Monday.

It also said it will "take account of the work in progress within the ad-hoc task force set up by the European Data Protection Framework (EDPB) in its final determination on the case."

The development comes nearly 10 months after the watchdog imposed a temporary ban on ChatGPT in the country, weeks after which OpenAI announced a number of privacy controls, including an opt-out form to remove one's personal data from being processed by the large language model (LLM). Access to the tool was subsequently reinstated in late April 2023.

The Italian DPA said the latest findings, which have not been publicly disclosed, are the result of a multi-month investigation that was initiated at the same time. OpenAI has been given 30 days to respond to the allegations.

BBC reported that the transgressions are related to collecting personal data and age protections. OpenAI, in its help page, says that "ChatGPT is not meant for children under 13, and we require that children ages 13 to 18 obtain parental consent before using ChatGPT."

But there are also concerns that sensitive information could be exposed as well as younger users may be exposed to inappropriate content generated by the chatbot.

Indeed, Ars Technica reported this week that ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users who are said to be employees of a pharmacy prescription drug portal.

Then in September 2023, Google's Bard chatbot was found to have a bug in the sharing feature that allowed private chats to be indexed by Google search, inadvertently exposing sensitive information that may have been shared in the conversations.

Generative artificial intelligence tools like ChatGPT, Bard, and Anthropic Claude rely on being fed large amounts of data from multiple sources on the internet.

In a statement shared with TechCrunch, OpenAI said its "practices align with GDPR and other privacy laws, and we take additional steps to protect people's data and privacy."

**Apple Warns Against Proposed U.K. Law**

The development comes as Apple said it's "deeply concerned" about proposed amendments to the U.K. Investigatory Powers Act (IPA) could give the government unprecedented power to "secretly veto" privacy and security updates to its products and services.

"It's an unprecedented overreach by the government and, if enacted, the U.K. could attempt to secretly veto new user protections globally preventing us from ever offering them to customers," the tech giant told BBC.

The U.K. Home Office said adopting secure communications technologies, including end-to-end encryption, cannot come at the cost of public safety as well as protecting the nation from child sexual abusers and terrorists.

The changes are aimed at improving the intelligence services' ability to "respond with greater agility and speed to existing and emerging threats to national security."

Specifically, they require technology companies that field government data requests to notify the U.K. government of any technical changes that could affect their "existing lawful access capabilities."

"A key driver for this amendment is to give operational partners time to understand the change and adapt their investigative techniques where necessary, which may in some circumstances be all that is required to maintain lawful access," the government notes in a fact sheet, adding "it does not provide powers for the Secretary of State to approve or refuse technical changes."

Apple, in July 2023, said it would rather stop offering iMessage and FaceTime services in the U.K. than compromise on users' privacy and security.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Italian Data Protection Watchdog Accuses ChatGPT of Privacy Violations

By Deeba Ahmed
From Snowden to Shady Markets: The Long History of NSA's Unchecked Surveillance.
This is a post from HackRead.com Read the original post: NSA Admits Buying American Browsing Records From Shady Markets

According to a letter from NSA director Paul Nakasone to Wyden, the agency purchased Netflow data and information from electronic devices used both domestically and internationally.

The US National Security Agency (NSA) has confirmed purchasing American users’ internet browsing records without warrants, according to Oregon Democratic Senator Ron Wyden. Congressman Wyden, a staunch privacy advocate, spent three years attempting to disclose the NSA’s practice, including purchasing smartphone location data without a warrant.

These “warrantless purchases” included information about websites visited and apps used, explained Wyden. This means, that US government agencies frequently access commercial marketplaces to gather sensitive information about Americans without obtaining court warrants.

According to a letter from NSA director Paul Nakasone to Wyden, the agency only purchased Netflow data and information from electronic devices used both domestically and internationally. The data, mainly related to Internet communications, did not include American communications content. The NSA claims to use commercially available Netflow data for cybersecurity and foreign intelligence missions, to defend US military networks from foreign hackers, minimizing the collection of U.S. personal information through technical filters.

In a letter to the Director of National Intelligence (DNI), Avril Haines, Wyden has urged the Biden administration to stop this “warrantless surveillance of Americans” through internet data purchases. He argues that the US government should not fund and legitimize a shady industry, raising questions about its legality.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal.”

Collecting user browsing habits metadata is a risky practice as it can expose personal information on websites related to mental health, sexual assault, domestic abuse, and telehealth, posing a significant privacy risk.

It must be noted that the Federal Trade Commission (FTC) has banned Outlogic (previously called X-Mode Social) and InMarket Media from selling location information without users’ informed consent, also barring Outlogic from collecting location data for sensitive locations like medical clinics and religious places.

Purchasing data from companies falling in the legal gray area is unethical as consumers/users are unaware of how it’ll be shared or used. Third-party apps incorporating SDKs from these brokers do not inform users about location data sales for advertising or national security purposes, either.

The revelation comes amid growing concerns about foreign governments acquiring US citizens’ data. The Biden administration is already preparing an executive order to curb such purchases, reports CNN. But the government itself is involved in such practices.

However, the NSA has a history of mass surveillance practices, therefore, Wyden’s disclosure doesn’t seem surprising. Back in 2015, a lawsuit was filed by Wikipedia against the NSA to protect the rights of its 500 million monthly users, arguing that their mass surveillance potentially violates the Fourth Amendment and First Amendment and that their activities exceed the authority granted by the Foreign Intelligence Surveillance Act.

Ex NSA contractor Edward Snowden’s 2013 revelation of a secret NSA mass surveillance program, which has been secret for over a decade created havoc globally, exposing the agency’s spying practices.

In 2015, a three-judge panel of the Second Circuit Court of Appeals ruled that the agency’s telephone metadata collection program, which gathered millions of American citizens’ phone records daily, is illegal under the Patriot Act.

****_RELATED ARTICLES_****

1.  **How Dutch Police Busted Hansa Dark Web Marketplace**
2.  **Snowden Explains Why Telegram Messenger App is Unsafe**
3.  **Prometei botnet uses NSA exploit, hits MS exchange servers**
4.  **Hacker uses NSA-reported Windows 10 vulnerability to troll NSA**
5.  **Baltimore City ransomware attack powered by stolen NSA hacking tool**

NSA Admits Buying American Browsing Records From Shady Markets

Senior Privacy Advocate David Ruiz speaks with Bruce Schneier about artificial intelligence, surveillance, and an era of "mass spying."

For decades, governments and companies have surveilled the conversations, movements, and behavior of the public.

And then the internet came along and made that a whole lot easier.  

Today, search engines collect our queries, browsers collect our device information, smartphones collect out locations, social media platforms collect our conversations with one another, and, depending on the country, governments either collect that same information from the companies that maintain it, or they gather it directly themselves by monitoring their people.

That’s a lot of data that, until now, has been difficult to parse at scale.

But cryptographer and computer security professional Bruce Schneier believes that’s going to change, all because of the advent of artificial intelligence.

Already equipped with reams of data, governments and companies will now be able to ask AI models to make conclusions _from_ the data, Schneier said, supercharging the human work of inquiry with the limitless scale of AI.

“Spying is limited by the need for human labor,” Schneier wrote. “AI is about to change that.”

In January, Senior Privacy Advocate David Ruiz (and host of the Lock and Code podcast) spoke with Schneier about the future of AI-enabled mass spying—the implications, the responses from the public, and whether there’s any hope in dismantling a system so deeply embedded in the modern world.

Below is an edited transcript of their conversation.

**DAVID RUIZ**: We know that mass surveillance has this “Collect it all” mentality—of the NSA, obviously, but also from companies that gather clicks and shares and locations and app downloads and all of that.

What is the mass spying equivalent of that?

**BRUCE SCHNEIER**: So, it’s “Collect it all,” but it’s “Collect different things.”

Let’s step back here.

We kind of know what mass surveillance, mass spying looks like. It’s the kind of thing we saw in former East Germany, where like 10 percent of the population spied on 90 percent of the population. And it was incredibly manpower intensive.

Now, we moved into a world of automatic mass surveillance with the rise of the internet and the rise of cheap data storage and processing. This is maybe 20 years ago, when companies and the NSA start collecting mass surveillance data, and that is metadata—the kind of data that Snowden talked about—data about data. Data from your phone, from your browser, who you spoke to, where you went, what you spent money on, what websites you visited, that’s kind of mass surveillance data.

> Spying, the difference I’m making, is about conversations.

And while computers were easily able to interpret location data and data about who you spoke to—your email “from” and “to” lines—they weren’t able to interpret what you said.  Voice conversations, text conversations, email conversations, they could do keyword searches and if you think about, Chinese censorship is based pretty naively on keyword searches. \[For instance,\] you say the bad word, you get censored. That’s still very primitive.

Spying—listening in on a conversation, knowing what people are saying—required human beings, and there weren’t enough humans to listen to everything. So, you had this automatic surveillance: We can know where everybody is, that’s easy.  But knowing what everybody’s saying, we still couldn’t do—we didn’t have the people.

As AI becomes increasingly capable of understanding and even having conversations, it can start doing the role that people used to do and engage in this kind of spying at a mass level.

Now, the question you asked started me in this monologue is what did that look like? And the answer is: We have no idea.

We kind of know what East Germany looked like, former Soviet Union. We do know what some of these countries look like. But I don’t think it’s the same. It is not this kind of mass spying by corporations. Or by democratic governments. So, we don’t know. But it’s worth at least thinking about. 

**DAVID RUIZ**: When I was trying to answer my own question, I feel like one of the potential futures here is, instead of “Collect it all,” it’s this attempt at “Know it all.”

**BRUCE SCHNEIER**: It always was “Know it all,” but now it becomes more possible.

**DAVID RUIZ**: Yeah, and I was hypothesizing that there might be companies that say “We have created a package of questions that we use on AIs that we know and trust to discover these new insights,” and \[they\] sell these packages to companies that are trying to find out XYZ and ABC about their customers, or governments about their persons.

And that already sounds awful. It sounds both boring and dreadful, which is what I think surveillance is today—it is boring operationally in terms of \[how\] we don’t see data brokers. We don’t see what gets collected every single day behind the interface of the web. But it is used so much to power the direction of the web.

**BRUCE SCHNEIER**: And my guess is that’s right. And it’s not actually boring. Certainly, the companies wanted you to think that. It is very hidden. Data brokers spent a lot of effort making sure that there’s no visibility into their industry, so we don’t know the data being collected on us.

But remember, this is still all surveillance data. It’s not the contents of your phone calls, it’s the billing information. It’s who you called, what time, how long you spoke, that kind of information. Maybe the location of your two phones when you were talking. This brings it up to another level. 

**DAVID RUIZ**: You mentioned that this is the conversations—the content of communications. And I wanted to address that immediately because I think whenever spying is discussed, a lot of folks picture someone rifling through text messages or emails. And I think some people might balk at that. They might say and reject the premise based on things like “Oh, Apple can’t look at my iMessages, and Google said it wouldn’t advertise based on email content some years ago, and my phone provider, I don’t think, is recording my phone calls.”

So, my question after those kinds of claims, is: Is that too narrow a lens to understand this future of mass spying? What am I missing when I say those things to calm myself down?

**BRUCE SCHNEIER**: I think it’s all economics. Google did realize that eavesdropping on the contents of your Gmail wasn’t terribly useful. So, they didn’t do it. Of course, they made a virtue out of it. That stuff will change.

We’re already seeing \[the questions of\] “Is this company using your data to train their AI? Will it be used to influence how an AI interacts with you?”\[And\] already we can see that the tones of voice we use with these AI chatbots is mirrored. They say they’re not storing it and using it for training—we don’t know the answer.

As this stuff becomes more valuable, as companies see a business interest in using it, of course it’s going to be used. It’s not going to be a world where we \[can\] rely on the goodness of the hearts of for-profit corporations not to abuse our privacy.

So, it’s a matter of how cheap it is. It is going to become cheap for Google to eavesdrop on the contents of everyone’s email conversations, or for Zoom to eavesdrop on all meetings? They currently say they’re not \[monitoring meetings in\] their terms of service, they’ll probably \[receive\] push back if they change it—they were already pushed back because there was a thought that Zoom would be using your information to train an AI. \[It\] turned out to not be true, but there was a little panic there. But how long does that last? 

We saw this with Facebook and their surveillance over the years and decades.

They did a new thing, there was a pushback, there’s an outcry, and after a couple months, it was the new normal. So, I don’t know where this is going to go, but the tech is moving to the point where this stuff is possible and, in fact, easy. 

**DAVID RUIZ**: We talked about the business case for \[AI-enabled mass spying\] and I wanted to ask more broadly: Who will engage in AI mass spying?

**BRUCE SCHNEIER**: The answer is going to be everybody who can.

Who are the major players here? Certainly there are corporations who are doing it for manipulation purposes. Surveillance is the business model of the internet because advertising is the business model of the internet, and advertising is convincing you to do something that you might not have done otherwise.

So, this surveillance-based manipulation is the business model, and anything that gives a company an advantage, they’re going to do. We \[already\] saw that with personalized advertising \[which is\] based on characteristics that you might not be happy sharing.

So, companies will do that.

Now, in the West, we tend not to have governments do this on their own citizens—they rely on corporations. The US government doesn’t spy on us directly, they get the spying data from corporations who do that to everybody.

You go to other countries, more totalitarian countries, and governments do engage in surveillance and will engage in spying. Here, I’m thinking about China, but other countries as well. So, very much think of it in terms of power:

> Those that have the power will engage in the behaviors because it magnifies their power. There is no surprise. 

**DAVID RUIZ**: There’s a lot of times where we could think “Why would a company do this? Why would a government do this?” And there’s a lot of alleged reasons. The NSA will say that it collects as much data as possible for national security reasons, but they’ve been saying that for decades, and the national security reason seems to change every few years, right? There’s a, there’s a “national security risk du jour.”

And it’s much easier and simpler to think of it as those that have power hope to keep that power and amass more of it.

I wanted to separately ask: We talked about corporations. We talked about governments. What about people? I have access to AI tools in a way that I don’t have access to data collection regimes.

So, are people going to spy on people?

**BRUCE SCHNEIER**:  People are already spying on people. It’s more one-on-one. There’s an entire industry of super creepy spyware that is sold to people who want to spy on their wives and girlfriends. This is kind of a gross industry, but it exists and it is used in many countries.

So, yes. But here again, the power matters, and it’s generally the more powerful spying on the less powerful in a relationship. It’s generally the man spying on the woman because that’s the power imbalance.

When you think about bulk surveillance, it’s access to the data.

I really can’t spy on my neighborhood. Sure, I can set up a camera in front of my house and watch what’s going on in my street, but that’s all I could do. I don’t have the power to put cameras everywhere. I don’t have the power to get your email or your Zoom stream.

So, I think you are going to see some use of these technologies by people who are not traditionally powerful. But in general, like all these technologies, they benefit the powerful more than the less powerful.

**DAVID RUIZ**: We know that people act differently when they know they’re being surveilled—will that also apply to mass spying?

**BRUCE SCHNEIER**: Certainly, people in the United States have lived out of this kind of regime in post-9/11. Lots of Muslims lived in a world where they were being spied on a lot.

Lots of people—Jon Penney comes to mind, there are others—have researched how the feeling that you’re under constant surveillance—or spying, they’re both the same here—leads to self-censorship.

If you think you are being watched all the time, you behave differently. We do know that there’s an enormous chilling effect on how you behave, what you do, on your conformity. And if you think you’re being watched all the time, you tend to conform. You’re not going to do something different. You’re not going to stand out.

> This seems really bad for society because that’s how society innovates. A world where people don’t try new things is a world that stagnates.

To take an easy example, about 10 years ago, I forget the year, gay marriage became legal in the United States, in all 50 states. It became the law of the land and that change was the result of a multi-decade process. For a while it was illegal and immoral, then it was illegal and moral, and then it became legal and moral.  And in order for that to happen—in order for that whole progression—somebody way back in the beginning had to try gay sex once and say: “You know, that wasn’t so bad. That was kind of fun.”

And the reason they were able to do that is that they weren’t being watched. They could do it in the privacy of their own bedroom and no one could stop them.

If you live in a world where, whether it’s gay sex or marijuana or whatever it is that becomes the mainstream moral norm over several generations, if you can’t try it, if there can’t be a counterculture of doing it, it never will become the social norm. If everybody who tried pot in the ‘50s was immediately discovered and arrested, you’d never get to legalization. You never would get a generation of people that would say, “You know, that’s not that bad. Why are we criminalizing this kind of not harmful drug?”

**DAVID RUIZ**: On the current environment that we live in, where so much surveillance happens every day—again, both from corporations and from governments—it doesn’t seem like there’s any way to dismantle it. And it feels like the potential of mass spying to produce even deeper insights means that we’ve lost the battle on surveillance. Have we lost that battle?

**BRUCE SCHNEIER**: I never think it’s too late, and that kind of fatalism doesn’t make sense when you look at history. It’s like saying in the 1200s, “Well, we tried to fight against monarchy. I guess that didn’t work. It’s too late.” Or centuries later, “You know, we tried to fight against slavery, that didn’t work.” Or, “You know, we’ll never give women the vote. That ship has sailed.”

> We, as a species, regularly make our society more moral, more ethical, more egalitarian. It’s slow, it’s bursty, but decade over decade, century over century, we are improving.

So, no, I don’t think from now until the end of our species, the level of surveillance we see today cannot be rolled back. I think that is ridiculous.

We no longer send five-year-olds up chimneys to clean them. We don’t do that. We changed. We no longer allow companies to sell pajamas that catch on fire. We changed. We can do that here.

Like the other big things, like monarchy, like slavery, like the patriarchy, these things are going to be hard to dismantle, but they are dismantlable.

Near term, I think you’re right. Near term, both companies and governments are just punch-drunk on our data, and they’re not going to give it up. But long term, lots of things are possible and will happen. 

**DAVID RUIZ**: I mean this as a high compliment: You are the most optimistic guest we’ve had on the podcast.

**BRUCE SCHNEIER**: I’m near term pessimistic and long term optimistic. Near term, I think we’re screwed. The tech monopolies are so powerful, and we saw that with social media. Both Republicans and Democrats agreed—this never happened before—that Facebook was harming our society in different ways, but it’s harming society. \[They\] called Zuckerberg in, called the other companies in, yelled at them, \[said\] something must be done, and nothing was done.

That is sheer lobbying power right there in operation.

So, near term, I don’t see any solution, but our species has handled harder problems than this. This won’t be the one that stumps us.

**DAVID RUIZ**: What do we do at this point? 

**BRUCE SCHNEIER**: I want this to be a political issue. This stuff changes when it becomes an issue that voters care about. If there is a debate question on this, if this becomes something that politicians are asked about, then change will happen, right? If it isn’t, then it is really just the lobbyists that get to decide what happens.

“What should we do?” is agitate for change. Make this political, make this something that politicians can’t ignore.

Where change is happening is the EU. You have listeners in the EU, and they will know that things are happening there. Right now, Europe is the regulatory superpower on the planet. They are the jurisdiction where we got a comprehensive data privacy law, where they are passing an AI security law, stuff that you would never see in the United States.

So, look outside the US right now, but make this political. That’s how we’re going to make it better.

But we’re fighting uphill. It’s very hard in the United States to enact policies that the money doesn’t want. Money gets its way in in US policy. And the money wants this. 

**DAVID RUIZ**: And I think disentangling money from politics in the United States is a different \[conversation\], and unfortunately we don’t have the time for it.

**BRUCE SCHNEIER**: No, surely you can solve that in half an hour.

**DAVID RUIZ**: Actually, are you booked for the next half hour?

**BRUCE SCHNEIER**: If I was able to solve that, I would be not doing what I’m doing now, because, you’re right, that might not be the most important problem, but as Professor Larry Lessig said, it’s the first problem. It’s a problem we need to solve to solve every other problem.

 In conversation: Bruce Schneier on AI-powered mass spying 

This week on the Lock and Code podcast, we speak with Bruce Schneier about a future of AI-powered mass spying.

_This week on the Lock and Code podcast…_

If the internet helped create the era of mass surveillance, then artificial intelligence will bring about an era of mass spying.

That’s the latest prediction from noted cryptographer and computer security professional Bruce Schneier, who, in December, shared a vision of the near future where artificial intelligence—AI—will be able to comb through reams of surveillance data to answer the types of questions that, previously, only humans could.  

“Spying is limited by the need for human labor,” Schneier wrote. “AI is about to change that.”

As theorized by Schneier, if fed enough conversations, AI tools could spot who first started a rumor online, identify who is planning to attend a political protest (or unionize a workforce), and even who is plotting a crime.

But “there’s so much more,” Schneier said.

“To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Bruce Schneier about artificial intelligence, Soviet era government surveillance, personal spyware, and why companies will likely leap at the opportunity to use AI on their customers.

> “Surveillance-based manipulation is the business model \[of the internet\] and anything that gives a company an advantage, they’re going to do.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Bruce Schneier predicts a future of AI-powered mass spying: Lock and Code S05E03 

Members of Congress say the DOJ is funding the use of AI tools that further discriminatory policing practices. They're demanding higher standards for federal grants.

The United States Department of Justice has failed to convince a group of US lawmakers that state and local police agencies aren't awarded federal grants to buy AI-based “policing” tools known to be inaccurate, if not prone to exacerbating biases long observed in US police forces.

Seven members of Congress wrote in a letter to the DOJ, first obtained by WIRED, that the information they pried loose from the agency had only served to inflame their concerns about the DOJ’s police grant program. Nothing in its responses so far, the lawmakers said, indicates the government has bothered to investigate whether departments awarded grants bought discriminatory policing software.

“We urge you to halt all Department of Justice grants for predictive policing systems until the DOJ can ensure that grant recipients will not use such systems in ways that have a discriminatory impact,” the letter reads. The Justice Department previously acknowledged that it had not kept track of whether police departments were using the funding, awarded under the Edward Byrne Memorial Justice Assistance Grant Program, to purchase so-called predictive policing tools.

Led by Senator Ron Wyden, a Democrat of Oregon, the lawmakers say the DOJ is required by law to “periodically review” whether grant recipients comply with Title VI of the nation’s Civil Rights Act. The DOJ is patently forbidden, they explain, from funding programs shown to discriminate on the basis of race, ethnicity, or national origin, whether that outcome is intentional or not.

Independent investigations in the press have found that popular “predictive” policing tools trained on historical crime data often replicate long-held biases, offering law enforcement, at best, a veneer of scientific legitimacy while perpetuating the over-policing of predominantly Black and Latino neighborhoods. An October headline from The Markup states bluntly: “Predictive Policing Software Terrible At Predicting Crimes.” The story recounts how researchers at the publication recently examined 23,631 police crime predictions—and found them accurate roughly 1 percent of the time.

“Predictive policing systems rely on historical data distorted by falsified crime reports and disproportionate arrests of people of color,” Wyden and the other lawmakers wrote, predicting—as many researchers have—that the technology serves only to create “dangerous” feedback loops. The statement notes that “biased predictions are used to justify disproportionate stops and arrests in minority neighborhoods,” further biasing statistics on where crimes occur.

Senators Jeffrey Merkley, Ed Markey, Alex Padilla, Peter Welch, and John Fetterman also cosigned the letter, as did Representative Yvette Clarke.

The lawmakers have requested that an upcoming presidential report on policing and artificial intelligence investigate the use of predictive policing tools in the US. “The report should assess the accuracy and precision of predictive policing models across protected classes, their interpretability, and their validity,” to include, they added, “any limits on assessing their risks posed by a lack of transparency from the companies developing them.”

Should the DOJ wish to continue funding the technology after this assessment, the lawmakers say, it should at least establish “evidence standards” to determine which predictive models are discriminatory—and then reject funding for all those that fail to live up to them.

Tag

#intel