What you should know from the week of 02/11/22:
- Cybersecurity Priorities: US companies lack incentives to invest in reasonable security;
- Judicial Algorithms: The "Pattern" Algorithm rules some inmates' chances of early release, but is also riddled with bias;
- Nothing Sacred: Data-hungry companies harvest intimate data from prayer apps;
- Koningshaven Bridge: An egging party for Jeff Bezos' yacht showcases rising inequality issues, as Rotterdam considers temporarily dismantling a symbolic monument for the yacht to pass through.
ProPublica strikes again with an excellently written and researched article on security and privacy. Cezary Podkul reports this week on the data-breach permissive culture within the US, and the criminal marketplaces that thrive on US data.
His story showcases a world where breaches happen not because offense beats defense, but because defenders (generally, though not in every case) aren't really trying.
Of particular interest are Podkul's observations on the costs of cybersecurity, and that it is generally cheaper for companies to risk a breach than it is for them to invest in reasonable security.
The low costs [of fines from breaches] don’t justify investing more in data security, according to Sasha Romanosky, a researcher at the RAND Corporation who has studied the issue. “The companies don’t bear the cost of these actions,” Romanosky said. “It is borne by the consumers.”
Unfortunately, the "cost" of a breach here is merely the company's liability for the breach, not the actual cost to consumers and society:
The tab for taxpayers is mammoth. Identity theft enabled what may turn out to be the biggest fraud wave in U.S. history, siphoning off tens if not hundreds of billions of dollars of unemployment insurance payments, small business loans and grants. For unemployment insurance systems alone, estimates of the loss have ranged from around $90 billion to $250 billion or more. Whatever the ultimate figure, it will fall on the shoulders of taxpayers.
Preventing these breaches is doable; it just isn't a priority for American companies. The hackers behind these breaches aren't, as boilerplate breach notification language suggests, "sophisticated attackers":
People often think hackers are highly sophisticated, Troy Hunt, creator of data breach tracking website Have I Been Pwned, told ProPublica. But in reality, there’s so much unsecured data online that most of the 11.7 billion email addresses and usernames in Hunt’s collection come from young adults who watch a few instructional videos and figure out how to grab them for malicious purposes. “It’s coming from kids with internet access and the ability to run a Google search and watch YouTube videos,” Hunt said in a 2019 talk about how hackers gain access to data.
Americans are uniquely vulnerable to this kind of data theft:
“It’s very easy to obtain data that belongs to U.S. people,” Hiếu said.
In August [criminal hacker "Pompompurin" said] “other countries have load of protection laws & shit, in the US your address is basically public information no matter how hard you try not to be put on lists like this.”
Without creating the right liability/incentive structure for companies to invest in reasonable security, this behavior is going to continue to occur.
Carrie Johnson (no, not that one) addresses the Department of Justice's (DOJ) use of an algorithm called "Pattern" to determine inmates' chances of early release under the First Step Act:
In a report issued days before Christmas in 2021, the department said its algorithmic tool for assessing the risk that a person in prison would return to crime produced uneven results. The algorithm, known as Pattern, overpredicted the risk that many Black, Hispanic and Asian people would commit new crimes or violate rules after leaving prison. At the same time, it also underpredicted the risk for some inmates of color when it came to possible return to violent crime.
This is unacceptable.
An algorithm is just a set of defined steps in decision-making, so it is as subject to bias as any other decision-making process. The benefit is that all of the decision-making steps are written down explicitly, which is why an algorithm like this, one that is open to scrutiny and analysis for justice (rather than a closed, for-profit solution like COMPAS), may be salvageable.
"So that's the unfortunate thing is, it's better than gut instinct of the very flawed humans that we all are, and can we improve it more than marginally, and that's what we're all working on?" Hamilton said.
Regardless, algorithms like this, which predict a subject's future behavior and then themselves determine that subject's future, are a tremendous risk to a just and free society. And such algorithms (like a personal ESG score) are becoming more firmly established in our politics, commerce, and society.
Emily Baker-White's article had such a good title I just reused it here. In it, she reports on exploitative data-collection within prayer apps:
As people have turned to religious apps as a replacement for in-person church services amid COVID-19, Silicon Valley investors have seized on them as an opportunity to commercialize a set of conversations that have historically been among the most private: those with God.
Baker-White's story generally addresses Christian-focused apps, but this behavior is common across religious apps, with Vice previously reporting on several Muslim-focused apps that sold location data on users.
Baker-White provides a litany of the investors in religious apps:
These apps, which also collect extensive information about their users, are backed by some of Silicon Valley’s best-known prospectors: Greylock Partners (Pray.com), Andreessen Horowitz (Glorify), and Peter Thiel (Hallow). Greylock, Andreessen, and Thiel are also all known for their investments in Facebook, which recently ramped up its own prayer offerings by rolling out a new tool called “prayer posts.”
The whole story is worth a read, but should reinforce the fundamental truth of the internet today: any data-creating event is monetizable.
You may be aware that Jeff Bezos is building the world's largest sailing yacht, which will be about 15% longer than a football field at ~410 feet, and as Engadget's Jon Fingas notes it "is believed to cost about $500 million."
The interesting element here is that the yacht may be unable to travel from its shipyard to the sea, since the finished ship will be too tall to pass under Rotterdam's Koningshaven Bridge.
As a result, there is a discussion underway regarding whether Rotterdam will dismantle part of the bridge to allow the yacht to travel through:
The city appeared to agree to the arrangement last week, with municipal project leader Marcel Walravens telling Rijnmond that the project would proceed for logistical and economic reasons. He said an exact plan was being developed but estimated it would take about a week to prepare and another week to "put everything back in place."
...That prompted an immediate backlash from locals, lawmakers and social media users, with the Rotterdam Historical Society pointing out that city officials had promised never to dismantle the bridge again after completing a major restoration in 2017.
Officials then walked back the reports, with Rotterdam's mayor telling a Dutch newspaper on Thursday that "no decision has yet been taken, not even an application for a permit," according to The Guardian.
He said the municipality would consider an application and assess the potential impacts, like whether the dismantling can be done without damaging the bridge and who would cover the costs.
Some Rotterdam citizens have expressed more vocal opposition:
Some 13,000 people are "interested" and nearly 4,000 have said they will attend a Facebook event titled "Throwing eggs at superyacht Jeff Bezos," which has been shared more than 1,000 times in the week since its creation.
Wealth can provoke envy, but I don't believe it is a key driver of social unrest. People having nicer or more stuff "than me" isn't sufficient. But when the ultra-wealthy clearly live under different rules of governance, and can break rules that other citizens have to follow, unrest is much more likely:
"Normally it's the other way around: If your ship doesn't fit under a bridge, you make it smaller," Strörmann [the organizer of the egging event] told the NL Times. "But when you happen to be the richest person on Earth, you just ask a municipality to dismantle a monument. That's ridiculous."
Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts.