Software

MPs Call To Stop Police Facial Recognition

Posted on by Andy Miller

Following criticism of the Police use of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee has called for a temporary halt in the use of the facial recognition system.

Database Concerns

Some of the key concerns of the committee were that the Police database of custody images is not being correctly edited to remove pictures of unconvicted individuals and that innocent peoples’ pictures may be illegally included in facial recognition “watch lists” that are used by police to stop and even arrest suspects.

While the committee accepts that this may be partly due to a lack of resources to manually edit the database, the MP’s committee has also expressed concern that the images of unconvicted individuals are not being removed after six years, as is required by law.

Figures indicate that, as of February last year, there were 12.5 million images available to facial recognition searches.

Accuracy

Accuracy of facial recognition has long been a concern. For example, in December last year, ICO head Elizabeth Dunham launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.  For example, the trial of ‘real-time’ facial recognition technology on Champions League final day June 2017 in Cardiff, by South Wales and Gwent Police forces was criticised for costing £177,000 and yet only resulting in one arrest of a local man whose arrest was unconnected.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, the Police faced criticism that FRT was ineffective, racially discriminatory, and confused men with women.

Bias

In addition to gender bias issues, the committee also expressed concern about how a government advisory group had warned (in February) that facial recognition systems could produce inaccurate results if they had not been trained on a diverse enough range of data, such as types of faces from different races e.g. black, asian, and other ethnic minorities.  The concern was that if faces from different races are under-represented in live facial recognition training datasets, this could lead to errors.  For example, human operators/police officers who are supposed to double-check any matches made by the system by other means before acting could defer to the algorithm’s decision without doing so.

Privacy

Privacy groups such as Liberty (which is awaiting a ruling on its challenge of South Wales Police’s use of the technology) and Big Brother Watch have been vocal and active in highlighting the possible threats posed to privacy by the police use of facial technology.  Also, even Tony Porter, the Surveillance Camera Commissioner,  has criticised trials by London’s Metropolitan Police over privacy and freedom issues.

Moratorium

The committee of MPs has therefore called for the government to temporarily halt the use of facial recognition technology by police pending the introduction of a proper legal framework, guidance on trial protocols and the establishment of an oversight and evaluation system.

What Does This Mean For Your Business?

Businesses use CCTV for monitoring and security purposes, and most businesses are aware of the privacy and legal compliance aspects (GDPR) of using the system and how /where the images are managed and stored.

As a society, we are also used to being under surveillance by CCTV systems, which can have real value in helping to deter criminal activity, locate and catch perpetrators, and provide evidence for arrests and trials. The Home Office has noted that there is general public support for live facial recognition in order to (for example) identify potential terrorists and people wanted for serious violent crimes.  These, however, are not the reasons why the MP’s committee has expressed its concerns, or why ICO head Elizabeth Dunham is launched a formal investigation into how police forces use FRT.

It is likely that while businesses would support the crime and terror-busting, and crime prevention aspects of FRT used by the police,  they would also need to feel assured that the correct legal framework and evaluation system are in place to protect the rights of all and to ensure that the system is accurate and cost-effective.

Tech Tip – The F-Secure Data Discovery Portal

Posted on by Andy Miller

The free online Data Discovery Portal from F-Secure shows you what personal information you have given to tech-giant free services Facebook, Google, Amazon, Snapchat, Twitter and Apple over the years.

If you visit https://data-discovery-portal.f-secure.com/en/ and click on the logo of each of those companies you will be taken straight to the page where you can download a copy of the information that they have collected about you (Apple requires a login).  With Amazon, for example, you can even discover the way to review, listen to, and delete any voice recordings associated with your account.

The F-Secure Data Discovery Portal is, therefore, one easy way in which you can take steps to protect your identity and guard your personal data going forward.

Microsoft Criticised By UK’s Cyber Security Agency Over Dmarc

Posted on by Andy Miller

The UK’s National Cyber Security Centre (NCSC) has complained that it has been unable to compile meaningful statistics and draw meaningful conclusions about email security in its latest report because Microsoft stopped sending Dmarc reports two years ago.

What Is Dmarc?

Domain-based message authentication, reporting and conformance (Dmarc) is a protocol, developed by the Trusted Domain Project, to help provide greater assurance on the identity of the sender of a message, and it builds upon the email authentication technologies SPF and DKIM developed over a decade ago and the work on a collaborative system pioneered by PayPal Yahoo! Mail and later Gmail.

Dmarc allows email and service providers to share information about the validity of emails they send to each other, including giving instructions to mailbox providers about what to do if a domain’s emails aren’t protected and verified by SPF and/or DKIM e.g. moving a message directly to a spam folder or rejecting it outright. Information about messages that have passed or failed DMARC evaluation is then fed back to a DMARC register, thereby providing intelligence to the sender about messages being sent from their domain and enabling them to identify email systems being used by spammers.

Dmarc works on inbound email authentication by helping email receivers to determine if a message “aligns” with what the receiver knows about the sender and if not, Dmarc includes guidance on how to handle the “non-aligned” messages e.g. phishing and other fraudulent emails.

Why Were Microsoft’s Dmarc Reports So Important?

Microsoft’s email platforms form one of the biggest receivers of email, and data from Microsoft about the number of emails failing Dmarc gives a good indication of the number of suspicious emails being sent.  The lack of this data in the NCSC’s Mail Check service means that the NCSC’s ability to monitor and report on email security driven by Dmarc adoption has been hampered. This blind spot could have a knock-on negative impact on email security for everyone.

Public Sector Uptake – Good News

The NCSC’s latest report contains good news, however, about a significant uplift in the public sector adoption of email security protocols.  For example, public sector domains using Dmarc more than tripled from December 2017 to December 2018 to 1,369, and the number of domains with a Dmarc “quarantine” or “reject” policy (to prevent suspicious emails being delivered to inboxes) also tripled.

What Does This Mean For Your Business?

Having a collaborative intelligence sharing and effective protocol and process such as Dmarc that is being widely adopted by many organisations has significantly improved email security.  This is particularly valuable at a time when businesses face significant risks from malicious emails e.g. phishing and malware, and email is so often the way that hackers can gain access to business networks.

Sharing intelligence about the level and nature of email security threats and how they are changing over time e.g. in the trusted NCSC report, is an important tool to help businesses and security professionals understand more about how they tackle security threats going forward.  It is, therefore, disappointing that one of the world’s biggest receivers of email, which itself benefits from Dmarc, is not providing reports which could be of benefit to all businesses and organisations.

1000+ Android Apps Harvest Our Data Without Our Permission

Posted on by Andy Miller

Researchers from the International Computer Science Institute have reported that up to 1,325 Android apps are gathering data from devices after people have denied them permission, and Google claims that it will address the problem with the introduction of the new Android “Q” Operating System.

Apps Finding Way Around Privacy Restrictions

According to the ICSI researchers, who presented their findings last month at the Federal Trade Commission’s PrivacyCon, 1000+ apps are finding their way around privacy restrictions and are able to gather geolocation data, phone identifiers, and other data from users who may be thinking that they have successfully denied apps access to such data.

For example, in the study of 88,000+ apps from the Google Play store, the researchers were able to identify 1,325 apps that violate permissions on Android by using workarounds hidden in their code that can enable personal data to be taken from multiple sources including Wi-Fi connections and metadata stored in photos.

Which Apps?

The researchers highlighted apps such as Shutterfly photo-editing app which gathers GPS coordinates from photos and sends the data to its own servers, even after users have declined to give permission to access location data, and Baidu’s Hong Kong Disneyland park app and Samsung’s Health and Browser apps were found (like 13 other apps) to be able to piggyback off other apps that had been granted permission in order to obtain data like phone identifiers and IMEI numbers.

Android Q Could Help

It is thought the introduction of the latest (17th) version of Android’s Operating system, Android Q, released as a beta on March 13th and due for wider release later this year may be able to address many of these privacy concerns thanks to more stringent security features.  For example, users will be able to definitively choose and control when apps have permission to see their location i.e. never, only when the app is in use and running, or all the time when in the background. With Android Q, background apps won’t be able to jump into the foreground, and there will also be new permissions relating to the accessing of background photos, video, and audio files.

What Does This Mean For Your Business?

With mobile and app use being a normal part of everyday life, and with most people unable and unlikely to spend the time checking permissions and T&Cs on everything, we have to take on trust that when we deny it permissions, an app will abide by our decisions.  It may be a surprise, therefore, at a time when GDPR is in force and data privacy and security is a topic that many users think about and actively try to protect that so many apps are able to find workarounds that enable them to keep gathering data about us. It appears that it may be much more difficult to stay private online than many of us believe.

It is good news, therefore, that Android Q may provide a way to offer us greater protection and provide more of a challenge to companies and organisations that want access to our data e.g. to help target us with advertising, even though app developers may argue that they are simply using the gathered data to help enhance and personalise our experiences of their apps (to keep us using them).  App developers are in a highly competitive and crowded market and although gathering and using customer data to make their apps more indispensable may seem legitimate, most of us value our online privacy, would object to having our data permissions effectively ignored, and may feel frustrated that we still have so few tools and cues to help us effectively control our privacy.

Googlemail’s Tracking of Your Purchase History

Posted on by Andy Miller

CNBC research has highlighted how Googlemail creates a (difficult to delete) page of your purchase history by tracking your purchase receipt emails, and perhaps details stored in locations other than the inbox.

Not Obvious

Back in May, CNBC researchers highlighted how your Googlemail account creates a page of your purchases, which it was believed was created by tracking the purchase receipts that arrive in the email inbox.  According to Google, the feature is included as a way of organising things “to help you get things done”.  In Google’s account help section, Google states that “Your Google Account includes purchases and reservations made using Search, Maps, and the Assistant, as well as your order confirmations from Gmail”.

In the announcements of the results of CNBC’s research back in May, it was noted that this “private destination” purchases page wasn’t mentioned on the Data & Personalization page in a Google Account and as such, it may have been inconvenient for users to have to search for it.  It was also noted by researchers at the time that the only way to ensure that purchase data was deleted from the page was to go to the time and trouble of finding the digital receipt in the Gmail account and deleting it.

Hard To Delete

In the latest CNBC research findings, it has been claimed that, even though researcher Todd Haselton deleted each single purchase email from his Gmail inbox in order to clear the purchases page, on returning three weeks later, he found that all of his purchases (over years) were again listed on the purchases page.  This has led to the assumed conclusion that the listing of our purchases may also be stored in another location other than the inbox.

How To Delete From Your Purchases Page

In Google’s help section here https://support.google.com/accounts/answer/7673989 and in the subsection ‘delete your purchases and reservations’, Google provides instructions on how to delete them i.e. sign in to your Google account, go to the Purchases page (for which a link is provided),  view your purchase details and select ‘Remove Purchase’, and follow the on-screen deletion instructions.

Privacy?

Some commentators have expressed the view that automatically collecting and storing online and offline purchase details in this way may appear to be at odds with Google’s public position of being focused on privacy.

This is certainly not the first time that Google has faced criticism over privacy matters.  For example, Google recently faced criticism over its reCaptcha V3 bot-detecting login system apparently requiring a Google cookie to be installed on a user’s browser which could potentially put the user’s browsing history privacy at risk.   Other examples of Google making the news over privacy concerns include a microphone was discovered in Google’s Nest Guard product that was not listed in tech spec (which was put down to an erroneous omission by Google), and in December last year, research by Internet Privacy Company DuckDuckGo reporting evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Chrome Browser Alternatives

If you’re concerned about having aspects of your online behaviour tracked by Google’s Chrome browser, Wired recently compiled a list of anti-tracking web browsers which you may like to try.  These include new privacy-enhanced browser Brave, Ghostery which available as a standalone browser on mobile, Tor which provides layers of encryption and routing through various locations to protect your identity, DuckDuckGo for mobile devices, and FireFox Focus.

What Does This Mean For Your Business?

Google’s Chrome may be the most popular browser, but there may be many features about it that users may not be aware of and may be a little surprised about, the purchases page being one of them.  It’s a shame that users seem to have to actively seek out elements such as the purchases page and how to delete things from it rather than it being made more obvious and easily accessible with a Google account.  Even though Google has said that only the user can see it and that the details on the purchases page aren’t used for targeted advertising, it may still be of concern to many that data about their purchases over years is being collected and being stored, and that it may not be a simple task to delete it.  It is not surprising, therefore, that some users may be turning to privacy-enhanced browser alternatives as they feel less sure that tech giants such as Google are demonstrating that a real commitment to the kinds of privacy matters that are important to users.

Ad-Free Firefox Browser Service For $4.99 Per Month

Posted on by Andy Miller

Mozilla looks likely to be entering the premium browsing market later this year by offering a subscription-based (advert-free) browsing experience of selected journalism websites and other value-adding features via a special version of Firefox.

What’s The Problem?

Many news content websites rely on the revenue from adverts, but this can make for a distracting and annoying experience (adverts, pop-ups and auto-play videos) if you’re trying to browse the content on these websites.  This means that many people choose to use ad blockers, but these deprive the news websites of the ad revenue that enables them to produce free, quality content.

Google’s Idea

Google, for example, has entered the premium browsing market, but in a way that some commentators believe could alienate free Chrome users and non-Enterprise-level paying users. This is because Google has chosen to eliminate ad-blockers in Chrome unless users upgrade G Suite premium services.

Mozilla’s Firefox – Partnering With Publishers

Mozilla’s premium solution, however, is to include more value-adding features for a premium browsing subscription rather than simply taking away a browser feature (ad blocker) and to find a way for online content publishers to still make their money.  With the Firefox premium browsing deal, Mozilla is reported to have partnered with leading publishers so that Firefox’s premium service subscribers can access the content on key journalism websites, without being bothered by adverts, but with payments being made directly to the sites they read out of the revenue raised from subscriptions – a win/win.

The ad-free browsing deal will be available for desktop and mobile browsers, and it has been reported that a single monthly fee looks likely to cover ad-free browsing on all a subscriber’s devices.  One value-adding feature for subscribers reported to be built-in to the premium browsing experience is a reading sync system (already available on Pocket) that will enable Firefox users to pick up articles where they left off, even on other devices.

Other Features

It has also been reported that the Premium Firefox service could include bundled extra features (many of which are available as free add-ons now) such as audio versions of articles, a content discovery app and recommended reading selections.

What Does This Mean For Your Business?

For so-called ‘power users’ who like/need to access journalistic content from popular platforms in a fast, convenient way, across multiple devices, this premium service bundle may be a small price to pay and may prove popular. Google’s Chrome may be the market leader, but Mozilla may gain some ground here with a more inclusive and less alienating offering to all users.

Content providing websites may also find this to be quite an appealing service because it removes the need for the dreaded ad blockers and enables them to still make the necessary money to keep providing the content.

‘Mobile-Sensing System’ Could Evaluate Your Workplace Performance

Posted on by Andy Miller

A newly developed ‘Mobile-Sensing System’ that uses a combination of smartphone, fitness bracelet, app and cloud-based machine learning algorithms can track and rank the workplace performance of employees with 80% accuracy.

Based On Student Monitoring App

The underlying technology blueprint for the new system, which was developed by a group of researchers including Dartmouth University computer science professor Andrew Campbell, is a student monitoring app that was used to help improve productivity. The ‘StudentLife’ app monitored student behaviour and predicted academic performance.

The ‘Mobile-Sensing System’

The new ‘Mobile-Sensing System’ uses the combination of a smartphone to track physical activity, location, phone usage and ambient light, a wearable fitness tracker to monitor heart functions, sleep, stress, and body measurements e.g. weight and calorie consumption, and location beacons that can be placed in the home or office to provide information about time at work and breaks.

The number-crunching for the system is carried out by cloud-based machine learning algorithms that have been trained to classify workers by performance level.

Why?

The system provides feedback to both the employee and employer and, according to the researchers, by using this ‘passive’ sensing and machine learning system, companies have another way of assessing how individuals are doing in their jobs, and employees can be helped to see how they can optimise and boost their performance.

The researchers believe that the system can unlock and give greater insight into behaviours that drive performance and offers benefits over more traditional review techniques that can require manual effort and can be biased and unreliable.

Best Performers

The researchers have noted that, according to the new system, the best performers are likely to be those who have lower rates of phone usage, have longer deep sleep periods and are more physically active and mobile.

Surveillance?

Although the researchers have pitched the system as something that could help employer and employee, critics may say that, in the relationship where the employer has the power, this kind of close surveillance and micro-management tool could favour younger physically active people (those without disabilities or sleeping disorders), could create stress in individuals who feel that they are constantly being monitored and ‘ranked’ by a ‘big brother’ system with a view to being replaced based on numbers created by secret algorithms.

It could also mean that employees without home/family commitments or who live closer to work may be ranked as more productive because they are able to stay longer or come into the workplace outside normal hours.

What Does This Mean For Your Business?

This system does show how new technologies can be combined to provide closer insights into work and performance and in some jobs e.g. repetitive manual jobs where time is a key factor anyway.  For some employers, therefore, this system could have a real value in evaluating and improving working processes, particularly if it is accompanied by a positive rewards-based system, and if support is made available to those employees who don’t rank as highly.

This system, however, may not be able to take account of many of the other dynamics and soft factors that make up good performance, and may not be suitable as the main monitoring method in certain more specialised jobs and roles.  There is also a danger that this kind of system in the wrong hands could be used as a blunt instrument of surveillance and control over a workforce.

Privacy and security are also a major concern for businesses and employees, and whether or not the data and performance measurements can be linked to an individual, where (and how securely) that data is stored, and who the data can be shared with should be areas of concern.

Visa Adopts Blockchain For Cross-Border, Bank To Bank B2B Payments

Posted on by Andy Miller

Visa is integrating blockchain technology with its core systems to enable participant businesses to make direct, cross-border, bank to bank payments to other corporate participants.

B2B Connect

The news system called Visa B2B Connect is being built using the Hyperledger Fabric framework from the Linux Foundation, and will mean that, rather than paying another corporate by cheque, automated clearing house or wire transfer, all of which require intermediary banks and exchanges, payments can be made directly and instantly from bank to bank of corporate customers.

This will mean cost and time savings, and the ability to pay and get paid 24-hours a day, regardless of location, local time differences, and other problematic traditional banking anomalies such as data truncation, payment delays and compliance issues.

Suite of APIs

The Visa B2B Connect system essentially provides a suite of Application Programming Interfaces (APIs) which allow participating banks to automate B2B, cross-border and cross-currency payments, by developing an end-to-end B2B payments solution to onboard customers, set up their suppliers, check Visa B2B Connect foreign exchange rates and submit payments. Alternatively, banks can choose to integrate just a subset of the APIs to address more specific needs e.g. checking on the status of certain payments through the Visa B2B Connect site.

Expansion Plans

Although the new system will only work for those corporates signed-up as participants to Visa’s pilot scheme, there are already plans to expand it so that it will cover more than 30 global trade corridors and 90 markets by the end of this year.

Benefits

The benefits that the blockchain-based B2B Connect system offers include cryptographically secured B2B transactions, transaction transparency and predictability, and the peace of mind and security of operating within a trusted network where all parties are known participants on a permissioned blockchain operated by Visa.

Blockchain Lacking Functionality

Recent research by Gartner showed that Only 11% of CIOs have deployed or are in short-term planning with blockchain, partly because of the fact that, at the moment, blockchain is a technology and not a complete, ready to use application, and therefore, lacks business-friendly features like a user interface, business logic, data persistence and interoperability mechanisms.

What Does This Mean For Your Business?

For corporates, Visa’s B2B Connect system appears to unlock some of the long-promised benefits of blockchain in terms of fast and easy cross-border payments, security, transparency, and the reassurance of a trusted name in the payments world.  Also, the fact that a suite of APIs are available to participants means that the system can be set up relatively easily, thereby tackling the issue (as highlighted by the Gartner research) of confusion among corporate tech heads about how best to incorporate blockchain and worries about there being few ready to use, complete applications available.

For smaller businesses the hope of being able to use blockchain to add value, reduce costs and gain competitive advantages is being boosted by a growing Blockchain as a Service (BaaS) market which offers the chance to deploy distributed ledgers without the cost or risk of deploying it in-house, and without needing to find in-house developers.  The cloud-based CRM platform ‘Salesforce’ for example, is adding a low code, blockchain-powered service that will allow enterprise users to share data with third parties in a secure, transparent, and auditable way.

Google’s reCAPTCHA v3 System Prompts Privacy Criticism

Posted on by Andy Miller

The widely used Google  reCaptcha V3 bot-detecting login system has come in for some criticism after two security researchers claimed that one of the ways that Google determines whether you’re a malicious user depends on whether you have a Google cookie installed on your browser, which could also mean that the privacy of your browsing habits may also be at risk in using the system.

What Is reCaptcha V3?

Google’s reCaptcha V3 is the latest version of Google’s bot-detecting login system, introduced last autumn, that can detect abusive traffic/malicious user-behaviour on your website without user friction i.e. without the need to tick an ‘I am not a robot’ box, or identify items in pictures.  With this version of the reCaptcha system, background monitoring assigns a risk score to a user, which then enables the system to decide how to handle that user e.g. if a user with a high-risk score tries to log in, they may then be required to use two-factor authentication. From Google’s point of view, the idea is to give users a better experience and avoid the kinds of interactions that can inhibit users from intuitively and painlessly reaching their goals within a digital interface. With reCaptcha V3, Google may be happy with the trade-off between the possibility of some inconvenience for legitimate users versus greater protection for websites.

Widely Used

It has been reported that 650,000 websites already use reCaptcha v3, including 25% of the top 10,000 sites.  This makes any concerns about the system a potentially serious issue.

What’s The Problem?

The concern suggested by the two researchers, Marcos Perona and Mohamed Akrout, who have studied reCaptcha V3 is that, being a Google product, not only does it appear likely to deem a user less of a risk if they have a Google cookie on their browser i.e. they have a Google account and are signed in, but that cookies like these can also pass on data which is unnecessary for login, about a person’s browsing habits, thereby posing a possible threat to privacy.

The research found, for example, that those who went to a website with reCaptcha v3 while logged into their Google account were given a low-risk score by the system, whilst those who visited using private browsers such as Tor or a VPN were scored as high risk. Also, the research found that to make the risk-score system work properly, web admins need to embed reCaptcha v3 code on all pages on the website.  This will enable reCaptcha to learn about how website users act on the site over time, thereby assisting the machine learning algorithm to generate more accurate risk scores. Unfortunately, installing reCaptcha v3 every page of a website could mean that those signed into their Google account are unwittingly passing on data about every web page they go to that has embedded reCaptcha v3, thereby potentially having their privacy compromised to an extent.

What Does This Mean For Your Business?

It should be remembered that these are the conclusions of pieces of research which may or may not have valid points, but it certainly wouldn’t be the first time that Google has been accused of potentially causing concern in matters of user privacy. For example, a microphone was discovered in Google’s Nest Guard product that was not listed in tech spec (which was put down to an erroneous omission by Google), and in December last year, research by Internet Privacy Company DuckDuckGo reported evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Users and businesses appreciate the value of frictionless interactions and positive experiences with websites, as well as both appreciating the need to keep introducing new versions of products with improved security to stay one step ahead of attackers.  Privacy, however, is also an important issue, both legally and personally, and the heightened concerns about it may mean that Google gets a little bad publicity where users feel that data may be unnecessarily gathered, or is collected in a way that doesn’t appear to be made entirely obvious.

Tech Tip – ‘Over’ App

Posted on by Andy Miller

Stylish and engaging social media posts are an important part of marketing communications.  The Over app has the tools to help you to quickly and easily create stylish designs packed with photos, images and text, ready for Instagram, Facebook and other social sites, as well as for posters and flyers.

Over has over 84,000 graphics, over 350 fonts, and over 500 customisable templates so that you can create posts to suit your requirements.

To get ‘Over’, go to the Google Play Store or Apple’s App Store.