What you should know from the week of 02/11/22:

• Cybersecurity Priorities: US companies lack incentives to invest in reasonable security;
• Judicial Algorithms: The "Pattern" Algorithm rules some inmates' chances of early release, but is also riddled with bias;
• Nothing Sacred: Data-hungry companies harvest intimate data from prayer apps;
• Koningshaven Bridge: An egging party for Jeff Bezos' yacht showcases rising inequality issues, as Rotterdam temporarliy dismantles symbolic monument for the yacht to pass through.

Cybersecurity Priorities:

Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected

A surge in identity theft during the pandemic underscores how easy it has become to obtain people’s private data. As hackers are all too happy to explain, many of them are cashing in on it.

ProPublicaHarley Geiger

ProPublica strikes again with an excellently written and researched article on security and privacy. Cezary Podkul reports this week on the data-breach permissive culture within the US, and the criminal marketplaces that thrive on US data.

His story showcases a world where breaches happen not because offense beats defense, but because defenders (in general, not in all cases) aren't really trying.

Of particular interest are Podkul's observations on the costs of cybersecurity, and that it is generally cheaper for companies to risk a breach than it is for them to invest in reasonable security.

The low costs [of fines from breaches] don’t justify investing more in data security, according to Sasha Romanosky, a researcher at the RAND Corporation who has studied the issue. “The companies don’t bear the cost of these actions,” Romanosky said. “It is borne by the consumers.”

Unfortunately, the "cost" of a breach here is merely the company's liability for the breach, not the actual cost to consumers and society:

The tab for taxpayers is mammoth. Identity theft enabled what may turn out to be the biggest fraud wave in U.S. history, siphoning off tens if not hundreds of billions of dollars of unemployment insurance payments, small business loans and grants. For unemployment insurance systems alone, estimates of the loss have ranged from around $90 billion to $250 billion or more. Whatever the ultimate figure, it will fall on the shoulders of taxpayers.

Preventing these breaches is doable, it just isn't a priority for American companies. The hackers behind these breaches aren't, as the boilerplate breach notification language suggest "sophisticated attackers:"

People often think hackers are highly sophisticated, Troy Hunt, creator of data breach tracking website Have I Been Pwned, told ProPublica. But in reality, there’s so much unsecured data online that most of the 11.7 billion email addresses and usernames in Hunt’s collection come from young adults who watch a few instructional videos and figure out how to grab them for malicious purposes. “It’s coming from kids with internet access and the ability to run a Google search and watch YouTube videos,” Hunt said in a 2019 talk about how hackers gain access to data.

Americans are uniquely vulnerable to this kind of data theft:

"“It’s very easy to obtain data that belongs to U.S. people,” Hiếu said."
"In August [criminal hacker "Pompompurin" said] other countries have load of protection laws & shit, in the US your address is basically public information no matter how hard you try not to be put on lists like this.”"

Without creating the right liability/incentive structure for companies to invest in reasonable security, this behavior is going to continue to occur.

Judicial Algorithms:

Flaws plague a tool meant to help low-risk federal prisoners win early release

The Justice Department created an algorithm to measure a person’s risk of committing a new crime after leaving prison. But even after multiple tweaks, the tool is leading to racial disparities.

NPRCarrie Johnson

Carrie Johnson(no, not that one), addresses the Department of Justice's (DOJ) use of an algorithm called "Pattern" to determine inmates' chance of early release under the First Step Act:

In a report issued days before Christmas in 2021, the department said its algorithmic tool for assessing the risk that a person in prison would return to crime produced uneven results. The algorithm, known as Pattern, overpredicted the risk that many Black, Hispanic and Asian people would commit new crimes or violate rules after leaving prison. At the same time, it also underpredicted the risk for some inmates of color when it came to possible return to violent crime.

This is unacceptable.

An algorithm is just a set of defined steps in decision-making, it is as subject to bias as any other decision-making process. The benefit is that all of the decision-making steps are written down explicitly, which is why an algorithm like this that is subject to scrutiny and analysis for justice (rather than a closed and for-profit solution like COMPAS) may be salvageable.

"So that's the unfortunate thing is, it's better than gut instinct of the very flawed humans that we all are, and can we improve it more than marginally, and that's what we're all working on?" Hamilton said.

Regardless, algorithms like this—that make predictions of future behavior and themselves determine the future of the subject—are a tremendous risk to a just and free society. And these algorithms (like a personal ESG score) are getting more firmly established in our politics, commerce, and society.

Nothing Sacred:

Nothing Sacred: These Apps Reserve The Right To Sell Your Prayers

Prominent venture capitalists are flocking to invest in Christian worship apps. The apps say users’ prayers are a business asset.

BuzzFeed NewsEmily Baker-White

Emily Baker-White's article had such a good title I just reused it here. In it, she reports on exploitative data-collection within prayer apps:

As people have turned to religious apps as a replacement for in-person church services amid COVID-19, Silicon Valley investors have seized on them as an opportunity to commercialize a set of conversations that have historically been among the most private: those with God.

Baker-White's story generally addresses Christian-focused apps, but this behavior is common across religious apps, with Vice previously reporting on several Muslim-focused apps that sold location data on users.

Baker-White provides a litany of the investors in religious apps:

These apps, which also collect extensive information about their users, are backed by some of Silicon Valley’s best-known prospectors: Greylock Partners (Pray.com), Andreessen Horowitz (Glorify), and Peter Thiel (Hallow). Greylock, Andreessen, and Thiel are also all known for their investments in Facebook, which recently ramped up its own prayer offerings by rolling out a new tool called “prayer posts.”

The whole story is worth a read, but should reinforce the fundamental truth of the internet today: any data-creating event is monetizable.

Koningshaven Bridge:

The Dutch vow to egg Jeff Bezos’ yacht if a bridge is dismantled to let his boat pass

After early reports that Rotterdam would briefly take apart a historic bridge for the yacht’s passage, thousands of people joined a Facebook event called “Throwing eggs at superyacht Jeff Bezos.”

NPRRachel Treisman

You may be aware that Jeff Bezos is building the world's largest sailing yacht, which will be about 15% longer than a football field at ~410 feet, and as Engadget's Jon Fingas notes it "is believed to cost about $500 million."

The interesting element here is that it may be unable to travel from its shipyard to sea, since the finished ship will be too large to travel under Rotterdam's Koningshaven Bridge.

As a result, there is a discussion underway regarding whether Rotterdam will dismantle part of the bridge to allow the yacht to travel through:

The city appeared to agree to the arrangement last week, with municipal project leader Marcel Walravens telling Rijnmond that the project would proceed for logistical and economic reasons. He said an exact plan was being developed but estimated it would take about a week to prepare and another week to "put everything back in place."

...That prompted an immediate backlash from locals, lawmakers and social media users, with the Rotterdam Historical Society pointing out that city officials had promised never to dismantle the bridge again after completing a major restoration in 2017.

Officials then walked back the reports, with Rotterdam's mayor telling a Dutch newspaper on Thursday that "no decision has yet been taken, not even an application for a permit," according to The Guardian.

He said the municipality would consider an application and assess the potential impacts, like whether the dismantling can be done without damaging the bridge and who would cover the costs.

Some Rotterdam citizens have expressed more vocal opposition:

Some 13,000 people are "interested" and nearly 4,000 have said they will attend a Facebook event titled "Throwing eggs at superyacht Jeff Bezos," which has been shared more than 1,000 times in the week since its creation.

Wealth can provoke envy, but I don't believe it is a key driver of social unrest. People having nicer or more stuff "than me" isn't sufficient. But when the ultra-wealthy clearly live under different rules of governance, and can break rules that other citizens have to follow, unrest is much more likely:

"Normally it's the other way around: If your ship doesn't fit under a bridge, you make it smaller," Strörmann [the organizer of the egging event] told the NL Times. "But when you happen to be the richest person on Earth, you just ask a municipality to dismantle a monument. That's ridiculous."

Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts.

Photo by Tamara Gak on Unsplash