Author: Eli Siems

PRG NEWS ROUNDUP: APRIL 12

by Caroline Alewaerts

A research from New York University and Michigan State University reveals that smartphone fingerprint sensors may not be as secure as we think. The researchers managed to digitally create fake fingerprints (“MasterPrints”) that could match real fingerprints up to 65% of the time. Although not tested in real-life conditions, the research still raises question as to the security of smartphones that rely on fingerprints.

Germany is about to introduce a new law designed to regulate hate speech on social media platforms. The draft law will require social media networks, such as Facebook, Twitter, etc., to remove illegal content within 24 hours of receiving a notification. Under this new legislation, failure to comply with this obligation will expose the social media company to fines up to € 50 millions ($ 53 millions).

Burger King launched a controversial TV ad this Wednesday that takes control of your Google home device. In the commercial, the actor asks “O.K. Google, what is the Whopper burger?”, which automatically activates the Google home device located near the TV and starts reciting the burger ingredients from Wikipedia. Burger King did not contact nor obtain Google’s approval before launching the ad, and it seems that, by Wednesday afternoon, Google home devices had stopped reacting to the ad. Some argue that this kind of ‘hijacking’ of smart home speakers may constitute an unauthorized access prohibited under the Computer Fraud and Abuse Act.

by Eli Siems

• The NY Times reports on an ongoing struggle between banks and tech companies over the fate of your financial data.
• On Monday, Amazon.com launched its new Amazon Cash service, allowing customers to add paper cash to an Amazon account at a physical retail location.
• The Massachusetts Attorney General announced a settlement with a digital advertising firm barring the firm’s practice of geo-fencing women near abortion clinics in order to target them with anti-abortion messages.
• The Wall Street Journal Reports on a Florida Court of Appeals ruling that searches of “black box” data from within a smart car require a warrant.
• The manufacturer of a garage door opener remotely blocked a customer’s access to his garage after the customer posted a negative review of the product.
• A Reuters poll revealed that most Americans would be unwilling to allow their individual personal data to be monitored even if it would help prevent terrorist attacks. Americans remain evenly split on the question when it is posed in regard to collective mass surveillance.
• Senator Ron Wyden introduced a bill in response to the Trump administration’s asserted extreme vetting procedure requiring everyone entering the U.S. to give over reams of personal digital information by handing over devices at the border. The bill seeks to shield American citizens from such searches but does not seek to protect non-citizens from the invasive practice.

By Alexia Ramirez

Congress overturned the FCC regulations created by the Obama Administration which would have required broadband providers to receive permission before collecting data on a user’s online activities.  Former Chairman of the FCC, Tom Wheeler, wrote an op-ed addressing the troubling ramifications of the repeal.

The European Commission announced it will propose new measures in June to make it easier for police to access data on encrypted apps such as WhatsApp. Law enforcement’s access to encrypted messaging app data has been a renewed subject of discussion in the wake of the London terrorist attack.

Google Maps will release a new feature which allows individuals to share their location with others.

Today the Supreme Court held in Expressions Hair Design v. Schneiderman that restrictions on how a seller describes legal transactions are speech restrictions. The Court remanded the case back to the lower court to determine whether the speech restriction was actually unconstitutional under the court’s commercial speech doctrine. Depending on how the court decides, the decision could affect how providers must convey information to users.

Further reading on today’s discussion topics:

• On smart toys:
  • “Toys That Listen,” from University of Washington’s Tech Policy Lab
• On Zero Day Exploits:
  • Kim Zetter, Countdown to Zero Day
  • The Columbia SIPA report on the interagency Vulnerability Equities Process (VEP)
• Alexa, 1st and 4th amendment considerations:
  • The Tattered Cover decision discussed in Amazon’s brief
  • ACLU Blog Post on the dangers of “Always-On Microphones”

Thanks to Amanda Levendowski and Hugo Zylberberg for providing these links.

by Caroline Alewaerts

Wikileaks released documents describing the software and tools used by the CIA to hack various computer devices. The leak notably reveals that the CIA can break into smart phones and access messages before and after their transmission, therefore rendering WhatsApp, Telegram, and Signal encryption features irrelevant. The CIA can also hack into an internet-based TV to record conversations. Tech companies have already indicated that they are working on fixing – or have already fixed – the vulnerabilities used by the CIA to break in their products.

Researchers at AI Lab at MIT Laboratory for Information and Decision Systems (LIDS) recently developed a system (Synthetic Data Vault) that uses machine learning to automatically create artificial/synthetic data out of a “real” database. Their research suggests that using artificial data to develop data science algorithms and models will produce substantially the same results as real data without comprising privacy.

Republicans have recently introduced a resolution to repeal the FCC’s “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” rule and to prevent the FCC from adopting similar regulation in the future. The rule was adopted last year and aimed at increasing transparency, choice, and security of customer data.

The NIH announced a new grant opportunity intended to help organizations encourage patient participation in the All of Us Research Program and the precision medicine biobank. This biobank will store millions of biospecimens and other healthcare data for precision medicine research, and will be the largest biobank in the world. Mayo Clinic, which is the organization in charge of creating the biobank, has however not yet revealed which specific measures it intends to put in place to protect the privacy and security of the biobank.

New Jersey State recently decided to replace bail hearings by an algorithm designed to evaluate the risk of release of a defendant in jail. The algorithm, however, does not replace judicial discretion, and the computer-generated score that it generates is meant to be used as a guide only.

Announcement: the NYU Information Law Institute and Department of Media, Culture, and Communications will be organizing the “International Workshop on Obfuscation: Science, Technology, and Theory” on April 7 and 8. More information about the workshop and how to register is available here. The organizers are also looking for students interested in helping organizing the event.

by Eli Siems

–Liferaft, a cloud-based open-source intelligence program, will allow lawyers and corporate professionals, among other potential clientele, to utilize a combination of data mining and geolocation to find social media posts relevant to “issues that might affect staff or assets.”

–Alexa the Amazon robot has evidence relevant to a murder. Amazon has filed a brief seeking to throw out a search warrant for Alexa’s records, saying it violates 1st Amendment rights– Alexa’s 1st Amendment rights! Amazon argues that both user commands and Alexa’s replies are constitutionally protected speech, the latter representing a novel legal argument.

-On that note, readers interested in potential A.I. 1st Amendment rights should check out this article: “Siri-ously? Free Speech Rights and Artificial Intelligence.”

-Promptly after signing a major deal with Disney, CloudPets Toys discovered that its vast data troves of children’s voice command recordings had been hacked, exposing over 800,000 user accounts and 2.2 million recordings. As of the end of February, CloudPets had not yet alerted exposed users to the breach.

-Parts of FISA are up for reauthorization this year, including Section 702 of PRISM infamy. The White House has expressed full support for the reauthorization without reform of those provisions.

-The Center for Democracy and Technology has released a new report on data deletion and consumer trust.

–Spiegel reported on documents suggesting German intelligence agencies spied on a large number of foreign journalists including BBC, reuters, and New York Times employees.

-Finally, a French businessman is suing Uber after the app continued to send updates to his wife’s phone (from which he had ordered the service) even after he had logged off, revealing to his wife his extramarital tryst. “My client was the victim of a bug in the application,” his lawyer asserts.