Friday Cyber News, April 13 2018

Cyber technology-related news and links from around the web, for the week of 4/7 - 4/13:

1. Mark Zuckerberg in the House! And the Senate, for two five-hour sessions of questioning (with some holes and plenty of promised follow-up) by lawmakers concerned with recent privacy breaches, Cambridge Analytica, and Facebook's review and takedown of hate speech and illegal pharmaceutical ads. The testimony, part of Zuckerberg's 15-year apology tour for Facebook's privacy-related missteps, revealed the discrepancies between Facebook's concerns and business practices and Congress' understanding of, and attitudes toward, the details of data sharing. In response to criticism of Facebook's effects on elections, Facebook has launched a data abuse bounty program, and teamed up with several nonprofit foundations to implement an independently-overseen research program to pair academics with questions about Facebook and elections and relevant Facebook data. (Facebook may need to step up its campaign contributions, which lag those of other large tech companies, if it wants to continue to have a say in whether and how it is regulated). [WSJ; Quartz; Wired; The Hill x2; Medium; FB Newsroom; The Verge]

2. Senators Blumenthal and Markey introduced online privacy legislation this week, called the CONSENT Act (Customer Online Notification for Stopping Edge-provider Network Transgressions; and yes, this newsletter maintains its stance against the overuse of legislative acronyms), which would require online companies like Facebook to get opt-in consent from their users for the use of data on their "financial and health information, content of communications, and web browsing and application usage history." As demonstrated by the Zuckerberg hearings, many users underestimate the amount of data collected and analyzed by companies they interact with daily, and nearly all users have an incomplete understanding of how every individual piece of data collected can provide additional information in aggregate that was never intended to be shared. [Inside Privacy; WSJ; Nature Human Behavior]

3. Empowering Cyber Command with funding, more personnel, and the ability to forward-deploy cyber operators with other combatant commands could mean that "louder" military-focused cyber operations take precedence over quieter and longer-term espionage-focused missions. [Cyberscoop]

4. FiveThirtyEight outlines all the ways that our election infrastructure remains vulnerable to hackers and to international malicious influence, even after the lessons of 2016. (This piece paints a frightening picture, but even after a year and a half, I still have doubts that FiveThirtyEight is appropriately estimating the likelihood of a worst-case scenario). [FiveThirtyEight]

5. This week in breaches: Hackers targeted Cisco routers in Iran and other countries, leaving behind pictures of the American flag and the message "don't mess with our elections." Vevo's YouTube channel was also hacked, leading to the defacement and subsequent removal of the Despacito video. [Reuters; Infosecurity Magazine]

6. "No one in Washington is prepared for a grid emergency caused by the sun. Russia, yes. The sun, no." A geomagnetic storm could shut down all electrical activity, and rather than 8,200 utilities, power companies, and state agencies attempting to address the fall-out, perhaps a Cyber Emergency Management Agency could better coordinate the response. In other homeland security-related news, Tom Bossert, the President's chief advisor on homeland security and a proponent of cybersecurity policy, has left his position. [The Hill; NY Times]

7. Possession of ransomware is now a crime in Michigan, after two bills were signed into law earlier this week, and researchers are wary of the protection offered by an 'intent' clause that would require them to prove that they are only going to use the ransomware they study for research purposes. [Statescoop]

8. The US's cybersecurity doctrine, which would establish where the "red line" is for cyber attacks that demand a response and which agency would be in charge of coordinating that response, is still under development, after delays from a promised 90-day post-inauguration cyber policy roll-out deadline. [Axios]

9. The US Chamber of Commerce released a Global Digital Policy Declaration this week, with guidelines for modernizing customs, data protection, and cross-border data sharing. [US Chamber of Commerce]

10. Alongside the many stories about Facebook's treatment of user data this week, there was a bit of attention paid to a research project that Facebook was planning in conjunction with hospitals, to allow them to analyze anonymized patient data in conjunction with whatever data Facebook had on those patients. Due to privacy concerns, that research is on hiatus--it's too easy to imagine Facebook using this information to improve ad targeting for stents and pills--but a great deal of questioning in the House (and some in the Senate) addressed two issues: how Facebook identifies hate speech and harmful content on its platform, and how it plans to remove ads for illegal pharmaceuticals that facilitate the misuse of opioids. Facebook has a lot of health-relevant data about you that you're not sharing with your physician (not just what foods you post pictures of, and whether you participated in Senator Cruz's lauded Chick-fil-A appreciation day, but also who you spend time with and what their exercise and diet habits are like, and whether your messages or photos indicate that you're smoking, using drugs, or depressed). Facebook has enough trouble accurately identifying and removing opioid ads and terrorists' videos that, even by their own assessment, they're five or more years out from being able to automatically identify that type of content after it's posted. But, if in the future we want Facebook--or whichever platform replaces it--to move toward predictive tasks (determining whose behaviors and health history indicate they're likely planning harm to themselves or others; or identifying who is developing an opioid problem), this type of data sharing makes sense, and at the moment Facebook uniquely has the data needed to develop those predictive patterns. [CNBC]

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)