News / February 2019

Media Round-Up: CLTC in the News

From the Washington Post and Politico to USA Today and the New York Times, the Center for Long-Term Cybersecurity has been in the news in recent weeks. Here’s a round-up of some of our latest media hits.

“Toward AI Security” Report in Politico, MeriTalk, and More

On February 12, CLTC released “Toward AI Security: Global Aspirations for a More Resilient Future,” a new report by CLTC Research Fellow Jessica Cussins Newman. Based on an analysis of ten government artificial intelligence (AI) strategies from around the world, the report highlights divergences between government approaches to the security implications of AI, and also identifies numerous synergies that can be leveraged to support global coordination.

Dark Reading reported on Cussins’ report, and Politico’s Tim Starks included the report in his February 12 Morning Cybersecurity Briefing. “Policymakers should coordinate with other governments on AI, use government spending to shape it and hold the technology industry accountable to protect the public interest, according to a newly released framework for global AI security,” Starks wrote. MeriTalk, a publication with a mission to engage federal chief information officers, along with their industry counterparts and federal IT policymakers, noted that the recommendations in the report “track in a similar direction to the Trump administration’s AI executive order issued earlier this week, which focuses on prioritizing Federal government investments in AI-driven projects, and development by Federal agencies of research and development budgets for AI that will support their core missions.”

CLTC Grantee Op-Ed in USA Today

Millions of Americans use Fitbits and other personal activity trackers to track their daily step patterns, often as part of their employers’ corporate wellness programs. Manufacturers of these activity-tracking devices have long maintained that each individual’s data profile has been stripped of any identifying information and therefore does not pose a risk to their privacy. But in a recent paper published by JAMA Network, “Feasibility of Reidentifying Individuals in Large National Physical Activity Data Sets From Which Protected Health Information Has Been Removed With Use of Machine Learning,” CLTC Grantee Anil Aswani and his colleagues showed that it is in fact possible, using artificial intelligence, to re-identify individuals based on their personal tracker data, despite data aggregation and removal of protected health information.

The report was picked up by a wide array of media outlets, including Reuters, CPO Magazine, Tech Xplore, Business Recorder (based in Pakistan), the Hindu Business Line (based in India), and many others. Professor Aswani, together with Professor Yoshimi Fukuoka of the UC San Francisco School of Nursing, also penned an op-ed for USA Today arguing that current law is insufficient to ensure health data remains private. They noted that the Health Insurance Portability and Accountability Act (HIPAA)—which governs how health data can be shared—should be updated and expanded in order to keep up with the rapid advancements of modern AI. “The law should now be reconsidered in light of all the potential ways that AI algorithms can determine individuals’ personal identities from supposedly ‘anonymized’ health data,” they wrote. “Our study focused on step data, but AI could be used to link a variety of health data sources under the current rules.”

Serge Egelman in NY Times, CBS News, and Other Outlets

CLTC Grantee Serge Egelman has continued to make waves with his research showing that thousands of apps on the Google Play store regularly share data about users and thus are in violation of the Children’s Online Privacy Protection Act (COPPA). CBS News cited Egelman’s research in an article entitled “Are your kids’ smart toys collecting data without your permission?” TechCrunch mentioned the research (and the ensuing efforts by the FCC to crack down on offending app developers) in a piece entitled “Consumer Advocacy Groups Call on FTC to investigate kids’ apps on Google Play.” And the New York Times also cited Egelman’s research in a December article, “Google’s Marketing of Children’s Apps Misleads Parents, Consumer Groups Say.”

In an article in Popular Mechanics, “The Weather Channel Is Being Sued for Selling Your Data. How Long Before All the Other Apps Are Next?” Egelman commented that the inadequacy of privacy policies is part of the problem: “The whole issue of notice and consent is fundamentally flawed,” he said. “The business of collecting user data and sending it to third parties, that’s how they make money, that’s absolutely true. The difference is what type of data is collected and what companies they’re selling it to.”

Weber, Barma, and Durbin in Washington Post’s Monkey Cage

Weber on Marriott Hack

In case you missed it, Steve Weber was interviewed by The Hill for a story on Russian interference in the mid-term elections, and he was quoted for the Washington Post’s Cybersecurity 202 briefing. He was also recently interviewed by ABC7 News, a San Francisco-based news station, for a story on the massive breach of customer data from Starwood hotels. He noted that it’s worth paying close attention to the intentions of the actors behind the attack. “One view is it’s a criminal gang who intends to sell that data on the black market for profit. It could also be a nation-state actor,” said Weber. “Governments are very interested in knowing where particular people were and what hotels they stayed in, at what times of the year and for what events, so there are national security implications as well.” Watch the interview.

CLTC Research Fellow Sean Brooks on CyberWire Podcast

The Citizen Clinic is a public-interest cybersecurity clinic that supports the capacity of politically vulnerable organizations to defend themselves against online threats; the clinic supports interdisciplinary teams of students to assess threats to targeted organizations, recommend risk-appropriate mitigations, and work collaboratively with clients to implement new policies and technical controls that enhance their cybersecurity. CLTC Research Fellow Sean Brooks, who serves as Director of Citizen Clinic, recently went on CyberWire’s “Hacking Humans” podcast to talk about the initiative. “There’s a huge appetite for direct technical assistance to improve the stability and resilience of civil society’s technical systems, and that demand is not necessarily being met,” Brooks said. “These organizations have done incredible things to pursue their mission and amplify the magnitude of their message by using the internet and reaching a global community of individuals and communities interested in things like defending human rights or environmentalism…. But that embracing of the internet as a critical function to pursue their mission has opened them up for a whole new host of attacks.” Listen to the interview (or read the transcript) here.