Polisis AI Developed to Help People Understand Privacy Policies

It looks as though this AI development could be quite useful in helping people avoid the exploitation of their personal information. Someone reading this may also want to look into a resource called Terms of Service; Didn’t Read, which “aims at creating a transparent and peer-reviewed process to rate and analyse Terms of Service and Privacy Policies in order to create a rating from Class A to Class E.”

But one group of academics has proposed a way to make those virtually illegible privacy policies into the actual tool of consumer protection they pretend to be: an artificial intelligence that’s fluent in fine print. Today, researchers at Switzerland’s Federal Institute of Technology at Lausanne (EPFL), the University of Wisconsin and the University of Michigan announced the release of Polisis—short for “privacy policy analysis”—a new website and browser extension that uses their machine-learning-trained app to automatically read and make sense of any online service’s privacy policy, so you don’t have to.

In about 30 seconds, Polisis can read a privacy policy it’s never seen before and extract a readable summary, displayed in a graphic flow chart, of what kind of data a service collects, where that data could be sent, and whether a user can opt out of that collection or sharing. Polisis’ creators have also built a chat interface they call Pribot that’s designed to answer questions about any privacy policy, intended as a sort of privacy-focused paralegal advisor. Together, the researchers hope those tools can unlock the secrets of how tech firms use your data that have long been hidden in plain sight.

[…]

Polisis isn’t actually the first attempt to use machine learning to pull human-readable information out of privacy policies. Both Carnegie Mellon University and Columbia have made their own attempts at similar projects in recent years, points out NYU Law Professor Florencia Marotta-Wurgler, who has focused her own research on user interactions with terms of service contracts online. (One of her own studies showed that only .07 percent of users actually click on a terms of service link before clicking “agree.”) The Usable Privacy Policy Project, a collaboration that includes both Columbia and CMU, released its own automated tool to annotate privacy policies just last month. But Marotta-Wurgler notes that Polisis’ visual and chat-bot interfaces haven’t been tried before, and says the latest project is also more detailed in how it defines different kinds of data. “The granularity is really nice,” Marotta-Wurgler says. “It’s a way of communicating this information that’s more interactive.”

[…]

The researchers’ legalese-interpretation apps do still have some kinks to work out. Their conversational bot, in particular, seemed to misinterpret plenty of questions in WIRED’s testing. And for the moment, that bot still answers queries by flagging an intimidatingly large chunk of the original privacy policy; a feature to automatically simplify that excerpt into a short sentence or two remains “experimental,” the researchers warn.

But the researchers see their AI engine in part as the groundwork for future tools. They suggest that future apps could use their trained AI to automatically flag data practices that a user asks to be warned about, or to automate comparisons between different services’ policies that rank how aggressively each one siphons up and shares your sensitive data.

“Caring about your privacy shouldn’t mean you have to read paragraphs and paragraphs of text,” says Michigan’s Schaub. But with more eyes on companies’ privacy practices—even automated ones—perhaps those information stewards will think twice before trying to bury their data collection bad habits under a mountain of legal minutiae.

Central Database for Helping People Fight Ransomware

Ransomware is malware that encrypts or locks user files and is often attached to a ransom demand by a malicious entity. This No More Ransom database includes the encryption keys and tools for several of the existing ransomware threats, although they are predominantly of ransomware strains that have already been around for a while. Nonetheless, No More Ransom should help some people neutralize ransomware without paying a ransom.

NoMoreRansom

Two Critical Flaws Discovered in the World’s Computers

The Spectre and Meltdown security flaws are definitely very severe indeed.

Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers.

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.

There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.

“What actually happens with these flaws is different and what you do about them is different,” said Paul Kocher, a researcher who was an integral member of a team of researchers at big tech companies like Google and Rambus and in academia that discovered the flaws.

Meltdown is a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft. By Wednesday evening, Google and Microsoft said they had updated their systems to deal with the flaw.

Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.” It said that it had already protected nearly all instances of A.W.S. and that customers must update their own software running atop the service as well.

To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer. Once they were on the service, the flaw would allow them to grab information like passwords from other customers.

That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.

The personal computers used by consumers are also vulnerable, but hackers would have to first find a way to run software on a personal computer before they could gain access to information elsewhere on the machine. There are various ways that could happen: Attackers could fool consumers into downloading software in an email, from an app store or visiting an infected website.

According to the researchers, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

Customers of Microsoft, the maker of the Windows operating system, will need to install an update from the company to fix the problem. The worldwide community of coders that oversees the open-source Linux operating system, which runs about 30 percent of computer servers worldwide, has already posted a patch for that operating system. Apple had a partial fix for the problem and is expected to have an additional update.

The software patches could slow the performance of affected machines by 20 to 30 percent, said Andres Freund, an independent software developer who has tested the new Linux code. The researchers who discovered the flaws voiced similar concerns.

This could become a significant issue for any business running websites and other software through cloud systems.

There is no evidence that hackers have taken advantage of the vulnerability — at least not yet. But once a security problem becomes public, computer users take a big risk if they do not install a patch to fix the issue. A so-called ransomware attack that hit computers around the world last year took advantage of machines that had not received a patch for a flaw in Windows software.

The other flaw, Spectre, affects most processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix for it, and it is not clear what chip makers like Intel will do to address the problem.

The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.

Spectre is a problem in the fundamental way processors are designed, and the threat from Spectre is “going to live with us for decades,” said Mr. Kocher, the president and chief scientist at Cryptography Research, a division of Rambus.

“Whereas Meltdown is an urgent crisis, Spectre affects virtually all fast microprocessors,” Mr. Kocher said. An emphasis on speed while designing new chips has left them vulnerable to security issues, he said.

“We’ve really screwed up,” Mr. Kocher said. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”

[…]

A fix may not be available for Spectre until a new generation of chips hit the market.

“This will be a festering problem over hardware life cycles. It’s not going to change tomorrow or the day after,” Mr. Kocher said. “It’s going to take a while.”

Antivirus Software Can be Turned Into a Powerful Spy Tool

Antivirus has fulfilled a useful role in removing malware, but it’s also quite overrated. Installing security updates and using more robust software in general is often the better approach. I have long used the highly secure Qubes operating system much of the time myself, and there isn’t any need to use antivirus in it.

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There’s good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an untrustworthy antivirus maker — or hacker or spy with a foothold in its systems — could abuse that deep access to track customers’ every digital movement.

“In the battle against malicious code, antivirus products are a staple,” said Patrick Wardle, chief research officer at Digita Security, a security company. “Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect.”

Mr. Wardle would know. A former hacker at the National Security Agency, Mr. Wardle recently succeeded in subverting antivirus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents.

Mr. Wardle’s curiosity was piqued by recent news that Russian spies had used Kaspersky antivirus products to siphon classified documents off the home computer of an N.S.A. developer, and may have played a critical role in broader Russian intelligence gathering.

[…]

For years, intelligence agencies suspected that Kaspersky Lab’s security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward J. Snowden, the former National Security Agency contractor, described a top-secret, N.S.A. effort in 2008 that concluded that Kaspersky’s software collected sensitive information off customers’ machines.

The documents showed Kaspersky was not the N.S.A.’s only target. Future targets included nearly two dozen other foreign antivirus makers, including Checkpoint in Israel and Avast in the Czech Republic.

At the N.S.A., analysts were barred from using Kaspersky antivirus software because of the risk it would give the Kremlin broad access to their machines and data. But excluding N.S.A. headquarters at Fort Meade, Kaspersky still managed to secure contracts with nearly two dozen American government agencies over the last few years.

[…]

But, as Mr. Wardle’s research demonstrated, an untrustworthy vendor, or hacker or spy with access to that vendor’s systems, can abuse its deep access to turn antivirus software into a dynamic search tool, not unlike Google, to scan customers’ computers for documents that contain certain keywords.


The picture above is still fairly relevant, even though it’s based on research that I would have done differently a few years ago.

New Haven App Uses a Smartphone to Guard Devices

Haven looks useful for more than it was designed for too, of course. Someone looking to secure a room in general could use the app to identify any unauthorized visitors.

It’s still in the early stages of development, but it’s one of the most promising attempts at defending against evil maid attacks for those with heightened threat models.

LIKE MANY OTHER journalists, activists, and software developers I know, I carry my laptop everywhere while I’m traveling. It contains sensitive information: messaging app conversations, email, password databases, encryption keys, unreleased work, web browsers logged into various accounts, and so on. My disk is encrypted, but all it takes to bypass this protection is for an attacker — a malicious hotel housekeeper, or “evil maid,” for example — to spend a few minutes physically tampering with it without my knowledge. If I come back and continue to use my compromised computer, the attacker could gain access to everything.

Edward Snowden and his friends have a solution. The NSA whistleblower and a team of collaborators have been working on a new open source Android app called Haven that you install on a spare smartphone, turning the device into a sort of sentry to watch over your laptop. Haven uses the smartphone’s many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. The first public beta version of Haven has officially been released; it’s available in the Play Store and on F-Droid, an open source app store for Android.

[…]

You can configure Haven to send you real-time encrypted alerts of what it detects to your other phone, the one you carry with you, when an intrusion is detected. You can choose to get encrypted Signal notifications, and you can also configure Haven to run a Tor onion service website (that is, a darknet site), and use Tor Browser on another device to connect in and view all of the alerts — all without giving anyone else access to these evidence logs unless you choose to share them. Haven also supports SMS text notifications, which can be intercepted but which might be more reliable in some situations.

Profile of Whistleblower Reality Winner

Reality Winner (and her name is explained in the profile) is the latest example of how the corporate U.S. government treats its national security whistleblowers. The 1917 Espionage Act is truly among the worst parts of U.S. law.

Reality Winner would have been making the best money of her life at Pluribus, but she had never been particularly interested in what money can buy. She rented, sight unseen, an 800-square-foot house in a part of Augusta the Atlanta Journal-Constitution calls “hardscrabble” and her ex-boyfriend calls “blighted”; her neighbors parked their cars on brown, patchy lawns. (“I did not look at a map when I signed the lease,” she’d later tell the FBI, “but I’m well armed.”) The rooms were filled with workout equipment, sneakers, and sticky notes on which were scrawled workout regimes (“Bench 5×5, Back Squat 5×5”) but also stray thoughts about issues with which she was preoccupied (“Peace-making is less of a rational-economic model of dividing resources and territory fairly”; “Further research: Deserts versus rainforest”). Months later, when her mother walked me through the house, she’d point to Reality’s room and say, “The world’s biggest terrorist has a Pikachu bedspread.”

Reality was searched for thumb drives and cell phones every morning as she walked into the Whitelaw Building; her lunch, security guards noted as they pawed through it, was very healthy. She translated Farsi in documents relating to Iran’s aerospace program, work for which she had no particular affinity and which seems to have bored her. For those mornings when she did not feel like reading more documents about Iran’s aerospace program, she evidently had access to documents well outside her area of expertise. She had access, for example, to a five-page classified report detailing a Russian attempt to access American election infrastructure through a private software company. This would be, ultimately, the document she leaked. According to the analysis in the report, Russian intelligence sent phishing emails to the employees of a company that provides election support to eight states. After obtaining log-in credentials, the Russians sent emails infected with malware to over 100 election officials, days before the election, from what looked like the software company’s address.

Giant Data Leak Exposes Data on 123 Million U.S. Households

This is yet another data breach that would be much less likely to happen if the NSA would primarily do its actual job and protect Americans instead of spying on them and other relatively innocent foreign citizens. Up to 90 percent of the NSA’s budget is dedicated to offense and spying when it should be dedicated to securing vital technological infrastructure and defending the public instead. Unfortunately though, the NSA today is largely an example of the government — compromised through excessive corporate control — treating its own domestic population as the enemy, and that sort of example happens far too frequently in the modern world.

Researchers revealed Tuesday that earlier this year they discovered a massive database — containing information on more than 123 million American households — that was sitting unsecured on the internet.

The cloud-based data repository from marketing analytics company Alteryx exposed a wide range of personal details about virtually every American household, according to researchers at cybersecurity company UpGuard. The leak put consumers at risk for a range of nefarious activities, from spamming to identity theft, the researchers warned.

Though no names were exposed, the data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and the number of children in the household.

“From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” UpGuard researchers Chris Vickery and Dan O’Sullivan wrote in their analysis.

A cascade of recent database breaches has left consumers on edge about the security of their personal information. After credit monitoring company Equifax revealed in September that cybercriminals had made off with data on more than 145 million Americans, US lawmakers began efforts to hold such businesses accountable to the everyday people whose data they collect for profit.

[…]

“The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied,” the researchers said. “With a large database of potential victims to survey — with such details as ‘mortgage ownership’ revealed, a common security verification question — the price could be far higher than merely bad publicity.”