AI

RAI's Certification Process Aims To Prevent AIs From Turning Into HALs (engadget.com) 55

An anonymous reader quotes a report from Engadget: [T]he Responsible Artificial Intelligence Institute (RAI) -- a non-profit developing governance tools to help usher in a new generation of trustworthy, safe, Responsible AIs -- hopes to offer a more standardized means of certifying that our next HAL won't murder the entire crew. In short they want to build "the world's first independent, accredited certification program of its kind." Think of the LEED green building certification system used in construction but with AI instead. Work towards this certification program began nearly half a decade ago alongside the founding of RAI itself, at the hands of Dr. Manoj Saxena, University of Texas Professor on Ethical AI Design, RAI Chairman and a man widely considered to be the "father" of IBM Watson, though his initial inspiration came even further back.

Certifications are awarded in four levels -- basic, silver, gold, and platinum (sorry, no bronze) -- based on the AI's scores along the five OECD principles of Responsible AI: interpretability/explainability, bias/fairness, accountability, robustness against unwanted hacking or manipulation, and data quality/privacy. The certification is administered via questionnaire and a scan of the AI system. Developers must score 60 points to reach the base certification, 70 points for silver and so on, up to 90 points-plus for platinum status. [Mark Rolston, founder and CCO of argodesign] notes that design analysis will play an outsized role in the certification process. "Any company that is trying to figure out whether their AI is going to be trustworthy needs to first understand how they're constructing that AI within their overall business," he said. "And that requires a level of design analysis, both on the technical front and in terms of how they're interfacing with their users, which is the domain of design."

RAI expects to find (and in some cases has already found) a number of willing entities from government, academia, enterprise corporations, or technology vendors for its services, though the two are remaining mum on specifics while the program is still in beta (until November 15th, at least). Saxena hopes that, like the LEED certification, RAI will eventually evolve into a universalized certification system for AI. He argues it will help accelerate the development of future systems by eliminating much of the uncertainty and liability exposure today's developers -- and their harried compliance officers -- face while building public trust in the brand. "We're using standards from IEEE, we are looking at things that ISO is coming out with, we are looking at leading indicators from the European Union like GDPR, and now this recently announced algorithmic law," Saxena said. "We see ourselves as the 'do tank' that can operationalize those concepts and those think tank's work."

IOS

Apple Wants Users To Trust iOS, But It Doesn't Trust iOS Users (theverge.com) 95

Apple's software engineering head Craig Federighi had a tricky task in the Epic v. Apple trial: explaining why the Mac's security wasn't good enough for the iPhone. From a report: Mac computers have an official Apple App Store, but they also allow downloading software from the internet or a third-party store. Apple has never opened up iOS this way, but it's long touted the privacy and security of both platforms. Then Epic Games sued Apple to force its hand, saying that if an open model is good enough for macOS, Apple's claims about iOS ring hollow. On the stand yesterday, Federighi tried to resolve this problem by portraying iPhones and Macs as dramatically different devices -- and in the process, threw macOS under the bus.

The second difference is data sensitivity. "iPhones are very attractive targets. They are very personal devices that are with you all the time. They have some of your most personal information -- of course your contacts, your photos, but also other things," he said. Mobile devices put a camera, microphone, and GPS tracker in your pocket. "All of these things make access or control of these devices potentially incredibly valuable to an attacker." That may undersell private interactions with Macs; Epic's counsel Yonatan Even noted that many telemedicine calls and other virtual interactions happen on desktop. Still, it's fair to say phones have become many people's all-purpose digital lockboxes. The third difference is more conceptual. Federighi basically says iOS users need to be more protected because the Mac is a specialist tool for people who know how to navigate the complexities of a powerful system, while the iPhone and iPad are -- literally -- for babies.

China

China Calls out ByteDance, Kuaishou, and LinkedIn For Illegal Data Collection (scmp.com) 23

China's internet watchdog has named and shamed some of the country's most popular mobile applications, including the Chinese version of TikTok, Kuaishou, LinkedIn and 102 other apps, for the illegal collection and use of personal data. From a report: The Cyberspace Administration of China (CAC) said that after receiving complaints from users, it had found that 105 apps had violated several laws and had infringed personal information through illegal access, over-collection and excessive authorisation, according to a notice on its WeChat official account. Short video apps including Kuaishou and ByteDance-owned TikTok were included in the list as well as Microsoft-owned LinkedIn and Bing, Tencent-owned music streaming service Kugou, and search giant Baidu's mobile browser.
Transportation

Sidewalk Labs Launches Pebble, a Sensor That Uses Real-Time Data To Manage City Parking (techcrunch.com) 57

An anonymous reader quotes a report from TechCrunch: Sidewalk Labs, Alphabet's urban innovation organization, has announced the launch of Pebble, a vehicle sensor that's designed to help manage parking in cities by providing real-time parking and curb availability data. Here's how it works: Small spherical sensors are stuck to the ground on parking spaces to note the absence or presence of a vehicle. Then solar-powered gateway hardware, which can be strapped easily to street poles, uses IoT to connect the sensor to the cloud through the cellular network. The data is then viewed and analyzed by real estate developers, parking operators or municipal agencies via a dashboard. Pebble doesn't use cameras or collect identifying information about a person or vehicle, and is touting a "privacy preserving" approach.

Between 9% and 56% of traffic, and all the pollution that comes with it, is caused by people who are cruising for parking. Pebble says its real-time parking availability can be integrated into navigation apps, like Google Maps, through an API to help users spend less time circling the block. "Real-time parking information can also alert would-be drivers when spaces are limited before they even leave home, leading them to use alternative travel modes, such as park-and-ride transit or ferries," wrote Sidewalk Labs' senior creative technologist, Nick Jonas, in a blog post announcing the launch. "For example, a smart parking program at a BART park-and-ride station reduced driving by a monthly average of nearly 10 miles per person -- and even shortened commutes."

AI

Amazon Extends Moratorium On Police Use of Facial Recognition Software (reuters.com) 56

Amazon said on Tuesday it is extending a moratorium on police use of its facial recognition software. The company imposed the ban last year after the murder of George Floyd by law enforcement in June 2020. Reuters reports: Civil liberties advocates have long warned that inaccurate face matches by law enforcement could lead to unjust arrests, as well as to a loss of privacy and chilled freedom of expression. Amazon's extension, which Reuters was first to report, underscores how facial recognition remains a sensitive issue for big companies. The world's largest online retailer did not comment on the reason for its decision. Last year, it said it hoped Congress would put in place rules to ensure ethical use of the technology, though no such law has materialized. Amazon also faced calls this month from activists who wanted its software ban to be permanent.
Google

Chrome Now Uses Duplex To Fix Your Stolen Passwords (theverge.com) 14

The same technology that powers Google Duplex to call businesses and make appointments for you is being used to help you automatically change your password to a website that's been compromised in a security breach. TechCrunch reports: This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome's password-syncing feature. It's worth noting that this won't work for every site just yet. As a Google spokesperson told us, "the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future."
Security

Eufycam Wi-Fi Security Cameras Streamed Video Feeds From Other People's Homes (theregister.com) 7

A software bug that's now been fixed allowed some Eufycam owners to stream video from strangers' homes instead of their own. The Register reports: These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and are viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people's homes -- even those in other countries -- and feared they were being watched, too. The privacy breakdown sparked an eruption of complaints on Reddit and Anker's support forum.

A spokesperson for Anker told us just a small number of customers were affected: "Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001 per cent) of our users were able to access video feeds from other users' cameras. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST." We're told customers in the US, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were affected though not GDPR-armed Europe. "We realize that as a security company we didn't do good enough," the spokesperson added. "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again."
Eufy recommends users unplug and then reconnect their devices, log out of the Eufy security app, and log in again to fix the issue.
Google

Google Adds Feature To Zap Recent Search History in Privacy Push (bloomberg.com) 32

Ever wish you could delete the last thing you searched for on Google? Now Google will let you. From a report: Google announced the new feature Tuesday during its I/O software conference, part of a package of privacy controls the Alphabet company is pushing out to appease consumers and regulators. Users now can tap on a tab inside their Google accounts to remove the last fifteen minutes of search history. The company has offered a feature to clear search histories, but people have found that data useful for tools like Maps or been unaware of the ability to delete it. The new ways to give people more privacy controls come after years of scrutiny on the search giant's behavior. "We never sell your personal information to anyone," Jen Fitzpatrick, a Google senior vice president, said at the virtual event. "It's simply off limits."
Privacy

Amid Public Pressure Audacity Says It Will Not Collect Telemetry Data From Users (betanews.com) 79

After its recent announcement about plans to add telemetry collection prompted backlash, popular audio editor Audacity has announced it won't go ahead with the plan to collect its users' data. BetaNews reports: Audacity's new owner, Muse Group, has bowed to pressure from users and privacy advocates, announcing that the planned telemetry collection will no longer be going ahead. The company is blaming "communication mistakes" and public "misunderstanding" for the negative response to its previous data collection announcement.
Businesses

Alexa/Echo Owners Become Part of Amazon's Massive 'Sidewalk' Mesh Network By Default (inc.com) 168

A tech columnist for Inc. noticed that on June 8th Amazon will finally power up its massive "Sidewalk" mesh network (which uses Bluetooth and 900MHz radio signals to communicate between devices). And millions and millions of Amazon customers are all already "opted in" by default: The idea behind it is actually really smart — make it possible for smart home devices to serve as a sort of bridge between your WiFi connection and one another. That way, if your Ring doorbell, for example, isn't located close to your WiFi router, but it happens to be near an Echo Dot, it can use Sidewalk to stay connected.

The same is true if your internet connection is down. Your smart devices can connect to other smart devices, even if they aren't in your home. The big news on this front is that Tile is joining the Sidewalk network on June 14. That means that if you lose a Tile tracker, it can connect to any of the millions of Echo or Ring devices in your neighborhood and send its location back to you.

That's definitely a nice benefit, but it's also where things get a little murky from a privacy standpoint. That's because other people's devices, like your neighbor's, can also connect to your network. Amazon is pretty clear that Sidewalk uses three layers of encryption so that no data is shared between say, someone's Tile tracker and your network. The signal from the Tile is encrypted all the way back to the Tile app on your iPhone or Android smartphone... [But] whether or not you want your device connecting to other devices, or want your neighbors connecting to your WiFi, Amazon went ahead and made Sidewalk opt-out.

Opt out (for all your devices) using Alexa app's More tab (at the bottom): Settings > Account Settings > Amazon Sidewalk > Enabled.
Cellphones

Wealthy Install Location-Tracking Apps to Establish Proof-of-Residency for Tax Purposes (nytimes.com) 183

The New York Times shares the dilemma of Jeff Sheu, managing director of a private equity firm, who is "exactly the type of high earner California does not want to lose. When people in his tax bracket leave, the state is likely to audit them to make sure they really have left."

But fortunately, there's an app for that: With the May 17 tax filing deadline approaching, people who have moved to another state or are working more remotely need to be extra vigilant with their tax documents. For Mr. Sheu, that involves an app on his smartphone that uses location services to track him all the time. What he is sacrificing in privacy, he is gaining in peace of mind, knowing he will be able to show exactly when and where he was in a particular state, should California's tax authority come after him... "I'm never apart from my phone," Mr. Sheu said... "It feels to me like a pretty undebatable way to track where I am...."

Tax apps like TaxBird — which Mr. Sheu uses — and TaxDay and Monaeo were created years ago... "We've seen a fourfold increase in our app without any advertising in the past year," said Jonathan Mariner, founder and president of TaxDay, who was himself audited when he worked for Major League Baseball in New York but lived in Florida. "When people are concerned about privacy, I say you probably have a dozen apps on your phone that are tracking you, and you don't even know it...." Monaeo makes a point of describing how the data is cataloged — city, state and country, but without specific locations. It also says upfront that it does not share any data. (All three of the apps are vigilant about that.) While each tax app has different levels of precision and features to upload supporting documents, they all fulfill the basic need to prove your location to a tax authority. When it comes time to file taxes, users download reports detailing where they worked with varying degrees of specificity, from a simple day count to more detailed location information...

With hundreds of millions of dollars at stake, states in need of revenue are not going to let the money go without a fight. "This has the potential to become as messy as you can envision it," said Dustin Grizzle, a tax partner at MGO, an accounting firm. "States are going to say, 'Hey you're just using Covid to give you the ability to work remotely.'"

United States

How America Will Improve Its Cybersecurity (politico.com) 119

Politico writes: President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government's approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government... Biden's order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enabling multi-factor authentication...

It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.

The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...

Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.

The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."

But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
Security

'Scheme Flooding' Technique May Be Used To Deanonymize You (theregister.com) 46

sandbagger shares a report from The Register: FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser. Konstantin Darutkin, senior software engineer at FingerprintJS, said in a blog post that the company has dubbed the privacy vulnerability "scheme flooding." The name refers to abusing custom URL schemes, which make web links like "skype://" or "slack://" prompt the browser to open the associated application. "The scheme flooding vulnerability allows an attacker to determine which applications you have installed," explains Darutkin. "In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not."

Visiting the schemeflood.com site using a desktop (not mobile) browser and clicking on the demo will generate a flood of custom URL scheme requests using a pre-populated list of likely apps. A browser user would typically see a pop-up permission modal window that says something like, "Open Slack.app? A website wants to open this application. [cancel] [Open Slack.app]." But in this case, the demo script just cancels if the app is present or reads the error as confirmation of the app's absence. It then displays the icon of the requested app if found, and moves on to its next query. The script uses each app result as a bit to calculate the identifier. The fact that the identifier remains consistent across different browsers means that cross-browser tracking is possible, which violates privacy expectations.

Facebook

Facebook Loses Challenge To Irish Watchdog's Data Curbs (bloomberg.com) 16

Facebook lost a court fight over an initial order from a European Union privacy watchdog threatening its transfers of users' data across the Atlantic. From a report: An Irish court on Friday rejected the social network's challenge, saying it didn't establish "any basis" for calling into question the Irish Data Protection Commission's decision. The dispute is part of the fallout from July's shock decision at the EU's Court of Justice, which toppled the so-called Privacy Shield, an EU-approved trans-Atlantic transfer tool, over fears citizens' data isn't safe once shipped to the U.S. That EU court ruling was quickly followed by a preliminary order from the Irish authority telling Facebook it could no longer use an alternative tool, known as standard contractual clauses, to satisfy privacy rules when shipping data to the U.S.
Privacy

Pentagon Surveilling Americans Without a Warrant, Senator Reveals (vice.com) 43

An anonymous reader quotes a report from Motherboard: The Pentagon is carrying out warrantless surveillance of Americans, according to a new letter written by Senator Ron Wyden and obtained by Motherboard. Senator Wyden's office asked the Department of Defense (DoD), which includes various military and intelligence agencies such as the National Security Agency (NSA) and the Defense Intelligence Agency (DIA), for detailed information about its data purchasing practices after Motherboard revealed special forces were buying location data. The responses also touched on military or intelligence use of internet browsing and other types of data, and prompted Wyden to demand more answers specifically about warrantless spying on American citizens.

Some of the answers the DoD provided were given in a form that means Wyden's office cannot legally publish specifics on the surveillance; one answer in particular was classified. In the letter Wyden is pushing the DoD to release the information to the public. A Wyden aide told Motherboard that the Senator is unable to make the information public at this time, but believes it would meaningfully inform the debate around how the DoD is interpreting the law and its purchases of data. "I write to urge you to release to the public information about the Department of Defense's (DoD) warrantless surveillance of Americans," the letter, addressed to Secretary of Defense Lloyd J. Austin III, reads. Wyden and his staff with appropriate security clearances are able to review classified responses, a Wyden aide told Motherboard. Wyden's office declined to provide Motherboard with specifics about the classified answer. But a Wyden aide said that the question related to the DoD buying internet metadata.

"Are any DoD components buying and using without a court order internet metadata, including 'netflow' and Domain Name System (DNS) records," the question read, and asked whether those records were about "domestic internet communications (where the sender and recipient are both U.S. IP addresses)" and "internet communications where one side of the communication is a U.S. IP address and the other side is located abroad." Netflow data creates a picture of traffic flow and volume across a network. DNS records relate to when a user looks up a particular domain, and a system then converts that text into the specific IP address for a computer to understand; essentially a form of internet browsing history. Wyden's new letter to Austin urging the DoD to release that answer and others says "Information should only be classified if its unauthorized disclosure would cause damage to national security. The information provided by DoD in response to my questions does not meet that bar."

Security

Hackers Used Fake GPU Overclocking Software To Push Malware (vice.com) 11

Computer hardware maker MSI is warning gamers not to visit a website that's impersonating the brand and its graphics card overclocking software, Afterburner, to push malware. From a report: On Thursday, MSI published a press release warning of "a malicious software being disguised as the official MSI Afterburner." "The malicious software is being unlawfully hosted on a suspicious website impersonating as MSI's official website with the domain name https:// afterburner - msi [ . ] space," the company wrote. "MSI has no relation with this website or the aforementioned domain. [...] This webpage is hosting software which may contain virus, trojan, keylogger, or other type of malicious program that have been disguised to look like MSI Afterburner," the company added. "DO NOT DOWNLOAD ANY SOFTWARE FROM THIS WEBSITE."
Wireless Networking

Tech Industry Quietly Patches FragAttacks Wi-Fi Flaws That Leak Data, Weaken Security (theregister.com) 37

An anonymous reader quotes a report from The Register: A dozen Wi-Fi design and implementation flaws make it possible for miscreants to steal transmitted data and bypass firewalls to attack devices on home networks, according to security researcher Mathy Vanhoef. On Tuesday, Vanhoef, a postdoctoral researcher in computer security at New York University Abu Dhabi, released a paper titled, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" [PDF]. Scheduled to be presented later this year at the Usenix Security conference, the paper describes a set of wireless networking vulnerabilities, including three Wi-Fi design flaws and nine implementation flaws. Vanhoef, who in 2017 along with co-author Frank Piessens identified key reinstallation attacks (KRACKs) on the WPA2 protocol (used to secure Wi-Fi communication), has dubbed his latest research project FragAttacks, which stands for fragmentation and aggregation attacks.

The dozen vulnerabilities affect all Wi-Fi security protocols since the wireless networking technology debuted in 1997, from WEP up through WPA3. [...] In total, 75 devices -- network card and operating system combinations (Windows, Linux, Android, macOS, and iOS) -- were tested and all were affected by one or more of the attacks. NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units). [...]

Patches for many affected devices and software have already been deployed, thanks to a nine-month-long coordinated responsible disclosure overseen by the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI). Linux patches have been applied and the kernel mailing list note mentions that Intel has addressed the flaws in a recent firmware update without mentioning it. Microsoft released its patches on March 9, 2021 when disclosure was delayed though Redmond had already committed to publication. Vanhoef advises checking with the vendor(s) of Wi-Fi devices about whether the FragAttacks have been addressed. "[F]or some devices the impact is minor, while for others it's disastrous," he said.

Privacy

Chinese TV Maker Skyworth Under Fire For Excessive Data Collection That Users Call Spying (scmp.com) 34

Chinese television maker Skyworth has issued an apology after a consumer found that his set was quietly collecting a wide range of private data and sending it to a Beijing-based analytics company without his consent. From a report: A network traffic analysis revealed that a Skyworth smart TV scanned for other devices connected to the same local network every 10 minutes and gathered data that included device names, IP addresses, network latency and even the names of other Wi-Fi networks within range, according to a post last week on the Chinese developer forum V2EX. The data was sent to the Beijing-based firm Gozen Data, the forum user said. Gozen is a data analytics company that specialises in targeted advertising on smart TVs, and it calls itself China's first "home marketing company empowered by big data centred on family data."

The user did not identify himself, and efforts to contact the person received no reply. However, the post quickly picked up steam, touching a nerve among Chinese consumers and prompting angry comments. "Isn't this already the criminal offence of spying on people?" asked one user on Sina.com, a Chinese financial news portal. "Whom will the collected data be sold to, and who is the end user of this data?"

Facebook

Facebook Ordered To Stop Collecting German WhatsApp Data (bloomberg.com) 32

Facebook was ordered to stop collecting German users' data from its WhatsApp unit, after a regulator in the nation said the company's attempt to make users agree to the practice in its updated terms isn't legal. From a report: Johannes Caspar, who heads Hamburg's privacy authority, issued a three-month emergency ban, prohibiting Facebook from continuing with the data collection. He also asked a panel of European Union data regulators to take action and issue a ruling across the 27-nation bloc. The new WhatsApp terms enabling the data scoop are invalid because they are intransparent, inconsistent and overly broad, he said. "The order aims to secure the rights and freedoms of millions of users which are agreeing to the terms Germany-wide," Caspar said in a statement on Tuesday. "We need to prevent damage and disadvantages linked to such a black-box-procedure." The order strikes at the heart of Facebook's business model and advertising strategy. It echoes a similar and contested step by Germany's antitrust office attacking the network's habit of collecting data about what users do online and merging the information with their Facebook profiles. That trove of information allows ads to be tailored to individual users -- creating a cash cow for Facebook.
United States

DHS Launches Warning System To Find Domestic Terrorism Threats On Public Social Media (nbcnews.com) 70

An anonymous reader quotes a report from NBC News: The Department of Homeland Security has begun implementing a strategy to gather and analyze intelligence about security threats from public social media posts, DHS officials said. The goal is to build a warning system to detect the sort of posts that appeared to predict an attack on the U.S. Capitol on Jan. 6 but were missed or ignored by law enforcement and intelligence agencies, the officials said. The focus is not on the identity of the posters but rather on gleaning insights about potential security threats based on emerging narratives and grievances. So far, DHS is using human beings, not computer algorithms, to make sense of the data, the officials said. "We're not looking at who are the individual posters," said a senior official involved in the effort. "We are looking at what narratives are resonating and spreading across platforms. From there you may be able to determine what are the potential targets you need to protect."

The officials didn't describe what criteria or methods the analysts would use to parse the data. They said DHS officials have been consulting with social media companies, private companies and nonprofit groups that analyze open-source social media data. Law enforcement officers and intelligence analysts are legally entitled to examine -- without warrants -- what people say openly on Twitter, Facebook and other public social media forums, just as they can take in information from reading newspapers. But civil liberties groups generally oppose government monitoring of social media, arguing that it doesn't produce much intelligence and risks chilling free speech.
