Pete Recommends – Weekly highlights on cyber security issues, March 14, 2021

Subject: Creator of Tom Cruise Deepfakes Wants to Help, Not ‘Upset’
Source: The Guardian via Newser

(Newser) – If you’ve seen those TikTok videos of Tom Cruise doing magic tricks, playing golf, and telling anecdotes about Mikhail Gorbachev, you likely know they’re not real. If you don’t, you’ve been fooled by a deepfake, which is understandable, considering how well done the creations by Belgian visual effects artist Chris Ume are. Ume’s clips—which use sophisticated editing techniques to make Cruise impersonator Miles Fisher look like the real deal—went viral after the two decided to “make a funny video” and then upload it to the @deeptomcruise TikTok account Fisher created for the occasion. “Two days later, he sends me a screenshot: ‘Dude. Two and a half million views,'” Ume tells the Guardian. He notes they weren’t trying to trick anyone or “upset people” with the videos, as even the account name should’ve given away what they were doing, and now Ume wants to assist in finding better ways to detect such imaging manipulation.

Subject: Experts Find a Way to Learn What You’re Typing During Video Calls
Source: The Hacker News

A new attack framework aims to infer keystrokes typed by a target user at the opposite end of a video conference call by simply leveraging the video feed to correlate observable body movements to the text being typed. The research was undertaken by Mohd Sabra, and Murtuza Jadliwala from the University of Texas at San Antonio and Anindya Maiti from the University of Oklahoma, who say the attack can be extended beyond live video feeds to those streamed on YouTube and Twitch as long as a webcam’s field-of-view captures the target user’s visible upper body movements.


Subject: Big Data Healthcare Project Raises Privacy Issues
Source: Healthcare Info Security

Some privacy experts are raising concerns about Truveta, a new big data collaborative research effort involving 14 U.S. healthcare providers. The providers plan to share de-identified data on tens of millions of patients in an effort to advance personalized medicine – targeted treatments – through the development of an artificial intelligence and machine learning-based platform. “Through structuring, normalizing, and de-identifying data from these health providers, a new data platform will be built, with careful protection of patient privacy and security,” according to Truveta’s launch statement.

Risk Management – De-identifying data doesn’t necessarily eliminate privacy risks, says privacy attorney David Holtzman of the consultancy HITprivacy LLC. “Truveta has not ruled out that it will partner with other data processing companies that may integrate vast stores of data about individuals gathered or collected for many purposes,” he points out.  “HIPAA does not prohibit an organization from de-identifying data for secondary uses,” Holtzman notes. “Once data is de-identified, it’s no longer protected by HIPAA. The concern is that when Truveta allows large data processors to have access to great stores of data collected about individuals, how will this de-identified data be used in the AI environment to be associated with identifiable data?”

Similar Big Data Initiatives – In recent years, a few other similar big data healthcare research initiatives have been launched. For example, Google has partnered on a project dubbed “Nightingale” with St. Louis, Missouri-based Ascension Health, using the records of millions of patients. That initiative drew early scrutiny of Congress, which questioned whether Google staff had access to patients’ records without their knowledge or consent (see: Senators Demand More Info on Google’s Nightingale Project). Google also has separate predictive analytics and personalized healthcare projects with Mayo Clinic and the University of Chicago Medical Center.

Bonus RSS feed links:

Source: via beSpacific

“A directory of direct links to delete your account from web services. Many companies use dark pattern techniques to make it difficult to find how to delete your account. aims to be a directory of urls to enable you to easily delete your account from web services.”

See also How to Delete Your Old Online Accounts (and Why You Should)

Subject: Hackers Target Surveillance Firm, Exposing Live Camera Feeds
Source: Gizmodo

A hacker group claims to have recently broken into the networks of cloud-based surveillance firm Verkada, a Silicon Valley startup that sells and manages security systems to thousands of organizations across the country.

Once inside the firm’s walls, the hackers were able to use its 150,000 live camera feeds to peer into the internal workings of countless organizations, including medical facilities, psychiatric hospitals, jails, schools and police departments, and even large companies like Tesla, Equinox and Cloudflare, according to a report from Bloomberg. The scope of the hack appears massive.

The hackers claim to have downloaded large amounts of data and to have witnessed private, confidential incidents that had transpired “behind closed doors” in the many institutions on which they spied.


Subject: Rep. Suzan DelBene’s New Bill Aims to Protect Privacy in US
Source: Gizmodo

The federal government cares little about what happens to your most sensitive data. Its main focus today is stopping espionage and prosecuting computer criminals who pose a threat to itself or corporations and banks. Little energy is spent holding those same institutions accountable when malpractice and greed produce the same outcomes: millions of people threatened, once again, with identity theft, blackmail, and fraud.

Congress had a chance to take action after Equifax, one of America’s largest holders of personal information, left 147 million people hanging out to dry after it suffered a stunning data breach. Its only response was to legislate free credit freezes for victims of future breaches and drag Equifax executives on TV to shame them. Being grilled before Congress may yet be a form of deterrence for naughty executives—but it is a spectacle that, more often than not, benefits politicians more than the American people. In the face of flagrant incompetence, such inaction remains an embarrassing mark against the U.S. on the global stage. The U.S., in contrast to many of its European allies, seems at best uninterested in the digital rights of its citizens.

This week, the 117th Congress received the latest in a litany of data privacy bills introduced since the Equifax breach, all others having been cast aside so far. Admittedly, “The Information Transparency and Personal Data Control Act,” introduced by Congresswoman Suzan DelBene, offers a more attenuated approach to liability than one proposed by her more hawkish Democratic colleagues. Considerable expectations are placed on the Federal Trade Commission, which the bill would see beefed up, and the motivations of state law enforcement officials. Yet this is also matched by some of the strongest language possible on the individual’s right to privacy online….Without a comprehensive national law protecting sensitive data from daily mismanagement by unscrupulous firms, internet users in the U.S. will continue to take their identities, bank accounts, and futures into their own hands each and every time they log on…

Subject: America, Your Privacy Settings Are All Wrong
Source: The New York Times Editorial Board

The New York Times Editorial Board – Using an opt-in approach will help curb the excesses of Big Tech. “Despite what corporations profess, much of this personal data is used not to improve products themselves, but to make those products more attractive to advertisers. One straightforward solution is to let people opt in to data collection on apps and websites. Today, with few exceptions, loads of personal data are collected automatically by default unless consumers take action to opt out of the practice — which, in most cases, requires dropping the service entirely. Virginia recently had the opportunity to extend firmer data protection rights to its residents. But the state’s Consumer Data Protection Act, signed into law this month, is a business-friendly package, supported by Amazon and Microsoft, that puts the onus on consumers to opt out of most data collection, except for the most sensitive personal details. Washington State lawmakers are advancing similar legislation. Corporations say opt-out provisions put control into the hands of consumers. But users are no more likely to switch off data collection than they are to read through the onerous and lengthy terms and conditions policies that litter the web. Many companies bury their data collection controls deep within their websites. Even if consumers can find them, their choices most likely don’t apply to a company’s subsidiaries or affiliates. Because of how personal data is shared, “there could be thousands or hundreds of thousands of companies that have data on you,” said Stacey Gray, senior counsel at the nonprofit Future of Privacy Forum. “Users, however, typically do not change their default settings even when it means their data is being collected.”…

Posted in: Big Data, Congress, Cybersecurity, Ethics, Health, Healthcare, Legal Research, Legislative, Privacy, Social Media, Technology Trends