Tag Archives: privacy

Talking big tech | AirBnB growth | Dealing with fake news

Back on BBC News this morning and there were three meaty topics up for discussion: combating fake news, the fallout from AirBnB’s success, and big tech’s increasing control of data, where the EU’s solution only serves to endanger individuals’ privacy and consolidate big tech further.

Combating fake news

All the talk is of dealing with fake news by using more tech. That isn’t an easy problem to solve, and even though huge amounts of it are removed, some gets through. Worse, big tech are nervous about dealing with high-profile politicians who increasingly seem to think acting responsibly is a nice-to-have.

A much better solution, in the same way a decade ago we learnt not to click on dodgy links in email, is to teach people how to identify it in the first place. The New York Times had a piece looking at the increasing amount of news literacy teaching happening at schools. Research by Stanford, discussed by the FT, found that while most people would say yes, they can distinguish it, the reality was that most people were good at identifying true news but, no matter the age or education, fake news was more difficult to identify.

It would be interesting to see how the performance changes for those who have been taught to identify it from a young age.

AirBnB Growth: Areas in the UK now have one AirBnB for every four homes

The rise of AirBnB has changed the short stay world with many more properties being added and increasing the supply of rooms in cities. This success has brought short letting businesses into the platform as well.

The Guardian points out the imbalance in legal requirements between those short letting businesses and individuals letting out homes. No doubt there needs to be some common standards in place, but behind the story is really the lack of housing available generally. Stopping AirBnB is not the solution to this, building more property is.

EU trying to force Big Tech to share data

The FT discussed the EU’s new data sharing principles this week, which seek to reduce the power Big Tech companies hold on our data and use to build barriers to competition.

The EU is seeking to force Big Tech to share data like health and wellness data, which is a high value market. But this data is also highly sensitive so ensuring it stays secure is also an important factor.

In addition, privacy needs to be taken into account. If I share data with one of the Big Tech companies, I need to be in control of whether that data is shared with another.

GDPR sought to stop this sharing of data, but the end result has been more power being consolidated into the hands of companies like Google and Facebook. Google’s recent announcement that it is turning off cookies merely serves to consolidate control of more data within Google itself.

Don’t misunderstand me, switching off cookies is the answer. It was a poorly implemented solution to a problem that never took account of privacy issues.

Today though, we need a more open standard that is independent of the large tech companies and is privacy aware.

👓Tech, politics and privacy. Where next?👓

This week looks at the big technology firms, privacy and politics. Are we doomed to end up in nineteen eighty four?

As each year goes by, technology has both an increasing hold and greater power in society.

This has created huge benefits through increased quality of life, increased convenience and easy access to knowledge to name a few. It has also created problems with disruption due to innovation, increased danger to the world through increasingly powerful weapons and increasing loneliness thanks to social networks. Again to name a few.

Whilst there are increasing challenges today as a result of technology, I suspect this is no different to how the millers felt when industrialisation happened. The scale is bigger though.

The right to privacy

Nearly every country gives people a right to privacy in the home and to secrecy of communications though this can be bypassed in certain circumstances (sometimes unjustly of course).

Today encryption techniques can mean that it is impossible for governments to “listen in” on certain types of electronic communications. Right up until 1992, the US had a ban on the exporting of cryptographic technologies which has been gradually eased. The benefits of that softening in stance led to the growth of secure communications and ecommerce and arguably therefore the very success of the internet itself. This article has a good look at the ongoing battle between the FBI and cryptography.

The debate has not stopped and with increasing volatility in the world, politicians are calling more loudly for ways to break end-to-end encryption, which prevents anyone from listening in.

Theoretically you could ban the use of end-to-end encryption in communication platforms, though this would just push end-to-end encrypted communications platforms underground. Does that make things easier or harder for law enforcement agencies?

The risk of backdoors in technology leaves it open to attack from unwanted parties, and reduced encryption levels mean both increased corporate espionage and a lack of trust in security itself, which would reduce its overall usage.

Increasing corporate power

Rewind to the mid 90s and you see a world dominated in the west by services like AOL and Compuserve. These were effectively mini-Internets owned by a single organisation. They were simple and easy to use, unlike the wild west of an open-standards-based Internet, which was difficult to access and use at the time.

These services though quickly stagnated, whilst the Internet continued to innovate, mostly as a result of the spread of email and the world wide web and its browser wars.

Today though, whilst the standards for accessing the internet are open, the services built on top of it are proprietary.

Search is controlled by Google and social networking and communication dominated by Facebook. With the exception of email, these are both critical to the way we use the Internet today.

Whilst this is no different in some ways to Microsoft controlling the interface to your computer or Google (or Apple) controlling your mobile interface, the opportunity for misinformation is much greater.

There have been plenty of calls to break up Google over the years, though this would not solve the control it has over searching for content. Likewise with Facebook, how would you break it up in a way which didn’t demolish its very utility?

You could of course define both services as utilities and if a layer of the tool is mature and changing little, this could be done. But content continues to innovate so search will need to adapt. EU anti-trust is targeting Google though on services like product search and even its Android operating system where it believes Google has misused its power.

Digital communication is far from being mature but perhaps Facebook could be forced eventually to open up its network of people as a layer open to be used by anyone?

Monopolies can hinder innovation, but it is easy to argue that disruption within mobile has created a challenge to Google’s search proposition as fewer people use search on a mobile.

Voice assistants like Alexa are likely to be the next battleground for access to online knowledge and services, so it is no surprise to see Google battling it out on this front. Revenue-wise though Google’s search revenues remain unchecked.

At least today though, innovation does not seem to be slowing down. If anything it seems to be accelerating.

Increasing misuse

All these platforms are tools and in an increasingly volatile world, they are being increasingly misused. This has been illustrated by fake news, the Russians manipulating the US elections and increasing access to extremist content.

Both Google and Facebook are reacting to these issues, both using artificial intelligence, though there is plenty of evidence that it displays the bias of its creators. Regardless, Google believes it does a better job than humans do.

Manual intervention is expensive at the scale of Facebook and Google, but when automation is involved problems can and do occur. Facebook saw it recently with its advertising’s ability to target anti-Semitic groups. Its solution has been to take a sledgehammer to a nail and stop self-identifying information from being targeted. Hopefully a more nuanced solution will appear.

Meanwhile, Theresa May last week demanded tech companies take down terror content within 2 hours or face the threat of fines. Currently the target is 24 hours, which they are struggling to consistently meet. This will require the tech companies to be more aggressive with their approach, which in turn will lead to more false positives.

There is plenty of danger here then.

Who defines terror content? It seems pretty straightforward today but there are always grey areas and it can be very easy to broaden the definition until, before you know it, we are censoring things that we never thought would be.

Cloudflare recently decided to stop protecting the Daily Stormer, a neo-Nazi website. Its CEO, Matthew Prince wrote very well about why he felt uncomfortable doing this here.

These are difficult conversations and it is good to see the tech companies working with the governments to resolve them.

However, there is a clear need for transparency when it comes to censorship of any kind and an opportunity to challenge it in a transparent way. Something our politicians do not seem keen to deliver on.

Do tech and politics mix?

Church and state. Two spheres of influence that should stay separate. With the power of business and the media, should these be included?

Theoretically, when you take political office you are supposed to relinquish control over assets that can influence you. Trump has obviously been running rings around this with his vast empire still under his control via his children.

There are plenty of rumours that Mark Zuckerberg’s tour of the US this year has been a precursor to him running for president in 2020. He vehemently denies it today but even Republicans think he would be a formidable opponent.

One political strategist believes he is more powerful than the publisher of the New York Times, which if he were allowed to manipulate Facebook’s algorithms for his own gain or his opponent’s detriment would certainly be true given its vast reach into not just the US population but also globally.

The risk of that alone means that any presidential bid would require Zuckerberg to relinquish his control over Facebook at the start of the race not the end – unless he has Trump’s ability to manage a huge swathe of opinion in the midst of media outrage.

Facebook and the other tech giants should work with governments without being in their pockets (and vice versa). But a technology company should never be in politics.

Mark Zuckerberg was keen to retain control of Facebook even after he had sold the majority of his stock for his foundation. This aim only got withdrawn when the value of the stock shot up meaning he no longer needed to sell as many shares. Would he be able to give up Facebook in order to run for office?

Overall though, if disruption to jobs increases (whether due to artificial intelligence or some other technology) or if technology is not serving the majority of people, a public backlash against technology will only slow innovation in the western world.

Today, technology means social media and the internet. It does not equate to improvements to healthcare, education or a better quality of life etc. Maybe we should give a more powerful voice to innovation happening there.

📡📡privacy, equifax and data

Whilst it might be nice to focus on the new Apple iPhone released last week, it can pretty much be summarised by the word ‘meh’. So the focus is instead on the Equifax data breach and the impact it could have on the world.

Number obfuscation

Credit: Peter Sheik (flickr)

Did Equifax really think it could hide behind the total number of people affected being smaller than other recent data breaches?

Sometimes the top-line numbers can obscure the real story and so was the case with the Equifax data breach, which affected 143m Americans and around 400,000 Brits. Initially, it felt like the story was downplayed because of other much larger data breaches involving 700m people globally. But there is a huge difference here and it shouldn’t have been a surprise that this erupted into a major failure for Equifax.

No data breach involving personal data is minor as it can lead to attempts to use the data to gain further personal information. In the case of Equifax, the amount of data on each individual was much bigger and included names, addresses, phone numbers, credit card numbers, birth dates and social security numbers. This is the type of data used to authenticate people at banks; it does not change over time and is not protected against fraud as credit card numbers are.

Luckily for the 400,000 Brits, it seems to be a much smaller footprint but still includes names, date of birth, email addresses.

The response from Equifax has been a textbook failure.

Disclosure

Equifax had known about this breach since July and took 40 days to disclose. The breach itself happened in May.

GDPR – the European regulations coming in May 2018 and also being adopted in the UK will require you to disclose a breach to authorities within 72 hours.

Luckily for Equifax, GDPR is not active yet, though current laws still require them to notify the Information Commissioner’s Office (ICO) within 24 hours of knowing the essential details. The penalties under GDPR are also very different – up to €20m or 4% of global turnover. Today they are limited to £500,000.

I am sure the UK and European regulatory bodies will be paying close attention to this breach beyond just the delay to notify as it seemed like there was a further delay to publicly notifying people internationally.

Even today there is no site available to confirm if you are affected in the UK. Their disclosure is also unclear as they are stating that UK systems were unaffected and UK data was held on US servers between 2011 and 2016.

Given the breach happened in 2017 and UK data was affected – that would imply data was held beyond 2016 but maybe I am missing something.

Whilst in the US, you are required to go to a website to find out if you are affected, Equifax is writing to affected customers in the UK. How they will contact people who have changed addresses over the time-frame mentioned is anyone’s guess.

Both options should have been available to all affected customers.

A simple failure

Staying on top of security patches is requirement number one for all companies, not just a data company like Equifax, but the breach was caused by a security flaw patched two months before.

There may have been some mitigating factors around this delay as the flaw required web apps to be rebuilt and tested. If the apps were old this may have taken longer to fix but it is not clear whether this was the case or not as communication around this aspect has been poor.

Public Relations fail

Given the delay to notifying people, you would think that they had time to figure out the best approach to communicating the failure but from the start it has felt like they were on the back foot and not in control. Surely they needed to show people that they understood the scale of this breach and that they were doing everything they could to safeguard their customers.

Instead of projecting care for their customers, the message became that Equifax was poor in its data security approach and might even make money out of this.

Calamity

The way the organisation is structured is likely to be one factor but it also seems to be a lack of preparation and organisation for this scenario.

It took the CEO five days to say anything about it publicly.

The typical response of companies who experience a data breach is to provide one year of free credit monitoring. Equifax’s standard terms include a clause which prevents you from suing them if you use their credit monitoring offering.

They eventually confirmed this will not be the case. Regardless, the level of breach means that one year of credit monitoring is unlikely to be sufficient.

The site itself even had a common security flaw, which allowed hackers to siphon off the personal information of visitors.

One other option is for users to freeze their credit, but Equifax continued to charge for this before eventually saying it will waive fees for 30 days.

This may have just been a poorly thought through commercial decision, but those that did freeze their credit then found that Equifax were using easily guessable PIN numbers. Eventually this got fixed as well.

The security issues didn’t stop there as it was discovered that Equifax Argentina’s employee portal could be accessed with a username and password of ‘admin’.

All of this suggests poor security processes being in place.

One of their customer service team tweeted “Happy Friday..” on an Equifax social media account, which unsurprisingly resulted in mass derision and had to be quickly deleted.

Finally, if statements from Equifax are to be believed, even the CFO, along with two other senior members of the team, were unaware of the breach as all three proceeded to sell nearly $2m worth of Equifax shares in the days after it was identified.

The fall out

The chief security officer and chief information officer have both resigned and the stock price has fallen 35%.

So far the FTC and SEC in the US have announced investigations, whilst the ICO has remained quiet other than demanding Equifax notify the customers affected. I suspect there will also be class action suits in the US.

The bigger questions though are around dealing with how long it took for Equifax to notify people and why US and international citizens were not treated equally.

Hasty and reactive laws are never a good thing, but I suspect this breach could lead to a closer look in the US at how responsibilities for protecting people’s data are defined and penalties applied.

Someone, I suspect, will also be looking at the UK data held in the US and whether it was even allowed to be there in the first place.

This in turn could lead to a closer look at the current Privacy Shield framework which is designed to protect UK and European data held in the US. Whilst an improvement on the previous Safe Harbour agreement, which collapsed under a court case, some thought the current framework could also collapse in the same way. Could this be the trigger?