Tag Archives: biometric data

Living in the Russian Digital Bubble

Leave a reply

Vladimir Putin, Russia’s president, has portrayed his aggression on the Ukrainian border as pushing back against Western advances. For some time he has been doing much the same online. He has long referred to the internet as a “CIA project”. His deep belief that the enemy within and the enemy without are in effect one and the same… Faced with such “aggression”, Mr Putin wants a Russian internet that is secure against external threat and internal opposition. He is trying to bring that about on a variety of fronts: through companies, the courts and technology itself.

In December 2021, VK, one of Russia’s online conglomerates, was taken over by two subsidiaries of Gazprom, the state-owned gas giant. In the same month a court in Moscow fined Alphabet, which owns Google, a record $98m for its repeated failure to delete content the state deems illegal. And Mr Putin’s regime began using hardware it has required internet service providers (ISPS) to install to block Tor, a tool widely used in Russia to mask online activity. All three actions were part of the country’s effort to assure itself of online independence by building what some scholars of geopolitics, borrowing from Silicon Valley, have begun calling a “stack”.

In technology, the stack is the sum of all the technologies and services on which a particular application relies, from silicon to operating system to network. In politics it means much the same, at the level of the state. The national stack is a sovereign digital space made up not only of software and hardware (increasingly in the form of computing clouds) but also infrastructure for payments, establishing online identities and controlling the flow of information

China built its sovereign digital space with censorship in mind. The Great Firewall, a deep-rooted collection of sophisticated digital checkpoints, allows traffic to be filtered with comparative ease. The size of the Chinese market means that indigenous companies, which are open to various forms of control, can successfully fulfil all of their users’ needs. And the state has the resources for a lot of both censorship and surveillance. Mr Putin and other autocrats covet such power. But they cannot get it. It is not just that they lack China’s combination of rigid state control, economic size, technological savoir-faire and stability of regime. They also failed to start 25 years ago. So they need ways to achieve what goals they can piecemeal, by retrofitting new controls, incentives and structures to an internet that has matured unsupervised and open to its Western begetters.

Russia’s efforts, which began as purely reactive attempts to lessen perceived harm, are becoming more systematic. Three stand out: (1) creating domestic technology, (2) controlling the information that flows across it and, perhaps most important, (3) building the foundational services that underpin the entire edifice.

Russian Technology

The government has made moves to restart a chipmaking plant in Zelenograd near Moscow, the site of a failed Soviet attempt to create a Silicon Valley. But it will not operate at the cutting edge. So although an increasing number of chips are being designed in Russia, they are almost all made by Samsung and TSMC, a South Korean and a Taiwanese contract manufacturer. This could make the designs vulnerable to sanctions….

For crucial applications such as mobile-phone networks Russia remains highly reliant on Western suppliers, such as Cisco, Ericsson and Nokia. Because this is seen as leaving Russia open to attacks from abroad, the industry ministry, supported by Rostec, a state-owned arms-and-technology giant, is pushing for next-generation 5g networks to be built with Russian-made equipment only. The country’s telecoms industry does not seem up to the task. And there are internecine impediments. Russia’s security elites, the siloviki, do not want to give up the wavelength bands best suited for 5g. But the only firm that could deliver cheap gear that works on alternative frequencies is Huawei, an allegedly state-linked Chinese electronics group which the siloviki distrust just as much as security hawks in the West do.

It is at the hardware level that Russia’s stack is most vulnerable. Sanctions imposed may treat the country, as a whole,  like Huawei is now treated by America’s government. Any chipmaker around the world that uses technology developed in America to design or make chips for Huawei needs an export license from the Commerce Department in Washington—which is usually not forthcoming. If the same rules are applied to Russian firms, anyone selling to them without a license could themselves risk becoming the target of sanctions. That would see the flow of chips into Russia slow to a trickle.

When it comes to software the Russian state is using its procurement power to amp up demand. Government institutions, from schools to ministries, have been encouraged to dump their American software, including Microsoft’s Office package and Oracle’s databases. It is also encouraging the creation of alternatives to foreign services for consumers, including TikTok, Wikipedia and YouTube. Here the push for indigenization has a sturdier base on which to build. Yandex, a Russian firm which splits the country’s search market with Alphabet’s Google, and VK, a social-media giant, together earned $1.8bn from advertising last year, more than half of the overall market. VK’s vKontakte and Odnoklassniki trade places with American apps (Facebook, Instagram) and Chinese ones (Likee, TikTok) on the top-ten downloads list.

This diverse system is obviously less vulnerable to sanctions—which are nothing like as appealing a source of leverage here as they are elsewhere in the stack. Making Alphabet and Meta stop offering YouTube and WhatsApp, respectively, in Russia would make it much harder for America to launch its own sorties into Russian cyberspace. So would disabling Russia’s internet at the deeper level of protocols and connectivity. All this may push Russians to use domestic offerings more, which would suit Mr Putin well.

As in China, Russia is seeing the rise of “super-apps”, bundles of digital services where being local makes sense. Yandex is not just a search engine. It offers ride-hailing, food delivery, music-streaming, a digital assistant, cloud computing and, someday, self-driving cars. Sber, Russia’s biggest lender, is eyeing a similar “ecosystem” of services, trying to turn the bank into a tech conglomerate. In the first half of 2021 alone it invested $1bn in the effort, on the order of what biggish European banks spend on information technology (IT). Structural changes in the IT industry are making some of this Russification easier. Take the cloud. Its data centres use cheap servers made of off-the-shelf parts and other easily procured commodity kit. Much of its software is open-source. Six of the ten biggest cloud-service providers in Russia are now Russian…The most successful ones are “moving away from proprietary technology” sold by Western firms (with the exception of chips)…

Information Flow

If technology is the first part of Russia’s stack, the “sovereign internet” is the second. It is code for how a state controls the flow of information online. In 2019 the government amended several laws to gain more control of the domestic data flow. In particular, these require ISPS to install “technical equipment for counteracting threats to stability, security and functional integrity”. This allows Roskomnadzor, Russia’s internet watchdog, to have “middle boxes” slipped into the gap between the public internet and an ISPS’ customers. Using “deep packet inspection” (DPI), a technology used at some Western ISPS to clamp down on pornography, these devices are able to throttle or block traffic from specific sources (and have been deployed in the campaign against Tor). DPI kit sits in rooms with restricted access within the ISPS’ facilities and is controlled directly from a command center at Roskomnadzor. This is a cheap but imperfect version of China’s Great Firewall.

Complementing the firewall are rules that make life tougher for firms. In the past five years Google has fielded 20,000-30,000 content-removal requests annually from the government in Russia, more than in any other country. From this year 13 leading firms—including Apple, TikTok and Twitter—must employ at least some content moderators inside Russia. This gives the authorities bodies to bully should firms prove recalcitrant. The ultimate goal may be to push foreign social media out of Russia altogether, creating a web of local content… But this Chinese level of control would be technically tricky. And it would make life more difficult for Russian influence operations, such as those of the Internet Research Agency, to use Western sites to spread propaganda, both domestically and abroad.

Infrastructure

Russia’s homegrown stack would still be incomplete without a third tier: the services that form the operating system of a digital state and thus provide its power. In its provision of both e-government and payment systems, Russia puts some Western countries to shame. Gosuslugi (“state services”) is one of the most-visited websites and most-downloaded apps in Russia. It hosts a shockingly comprehensive list of offerings, from passport application to weapons registration. Even critics of the Kremlin are impressed, not least because Russia’s offline bureaucracy is hopelessly inefficient and corrupt. The desire for control also motivated Russia’s leap in payment systems. In the wake of its annexation of Crimea, sanctions required MasterCard and Visa, which used to process most payments in Russia, to ban several banks close to the regime. In response, Mr Putin decreed the creation of a “National Payment Card System”, which was subsequently made mandatory for many transactions. Today it is considered one of the world’s most advanced such schemes. Russian banks use it to exchange funds. The “Mir” card which piggybacks on it has a market share of more than 25%, says GlobalData, an analytics firm.

Other moves are less visible. A national version of the internet’s domain name system, currently under construction, allows Russia’s network to function if cut off from the rest of the world (and gives the authorities a new way to render some sites inaccessible). Some are still at early stages. A biometric identity system, much like India’s Aadhaar, aims to make it easier for the state to keep track of citizens and collect data about them while offering new services. (Muscovites can now pay to take the city’s metro just by showing their face.) A national data platform would collect all sorts of information, from tax to health records—and could boost Russia’s efforts to catch up in artificial intelligence (AI).

Excerpt from Digital geopolitics: Russia is trying to build its own great firewall, Economist, Feb. 19, 2022

Alas! Computers that Really Get You

Leave a reply

 Artificial intelligence (AI) software can already identify people by their voices or handwriting. Now, an AI has shown it can tag people based on their chess-playing behavior, an advance in the field of “stylometrics” that could help computers be better chess teachers or more humanlike in their game play. Alarmingly, the system could also be used to help identify and track people who think their online behavior is anonymous

The researchers are aware of the privacy risks posed by the system, which could be used to unmask anonymous chess players online…In theory, given the right data sets, such systems could identify people based on the quirks of their driving or the timing and location of their cellphone use.

Excerpt from  Matthew Hutson, AI unmasks anonymous chess players, posing privacy risks, Science, Jan. 14, 2022

The Uses and Abuses of Alexa

Leave a reply

Excerpts from the Interview with Robert Lewis Shayon author of “The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet” published  at the Pennsylvania Gazette July 2021

There is  emerging industry that is deploying immense resources and breakthrough technologies based on the idea that voice is biometric—a part of your body that those in the industry believe can be used to identify and evaluate you instantly and permanently. Most of the focus in voice profiling technology today is on emotion, sentiment, and personality. But experts tell me it is scientifically possible to tell the height of a person, the weight, the race, and even some diseases. There are actually companies now trying to assess, for example, whether you have Alzheimer’s based upon your voice…

The issue is that this new voice intelligence industry—run by companies you know, such as Amazon and Google, and some you don’t, such as NICE and Verint—is sweeping across society, yet there is little public discussion about the implications. The need for this conversation becomes especially urgent when we consider the long-term harms that could result if voice profiling and surveillance technologies are used not only for commercial marketing purposes, but also by political marketers and governments, to say nothing of hackers stealing data.

There are hundreds of millions of smart speakers out there, and far more phones with assistants, listening to you and capturing your voice. Voice technology already permeates virtually every important area of personal interaction—as assistants on your phone and in your car, in smart speakers at home, in hotels, schools, even stores instead of salespeople. 

Amazon and Google have several patents centering around voice profiling that describe a rich future for the practice…But consider the downside: we could be denied loans, have to pay much more for insurance, or be turned away from jobs, all on the basis of physiological characteristics and linguistic patterns that may not reflect what marketers believe they reflect.

The first thing to realize is that voice assistants are not our friends no matter how friendly they sound. I argue, in fact, that voice profiling marks a red line for society that shouldn’t be crossed.

Tesla as Catfish: When China Carps-Tech CEOs Fall in Line

Leave a reply

Many countries are wrestling with how to regulate digital records. Some economies, including in Europe, emphasize the need for data privacy, while others, such as China and Russia, put greater focus on government control. The U.S. currently doesn’t have a single federal-level law on data protection or security; instead, the Federal Trade Commission is broadly empowered to protect consumers from unfair or deceptive data practices.

Behind China’s moves is a growing sense among leaders that data accumulated by the private sector should in essence be considered a national asset, which can be tapped or restricted according to the state’s needs, according to the people involved in policy-making. Those needs include managing financial risks, tracking virus outbreaks, supporting state economic priorities or conducting surveillance of criminals and political opponents. Officials also worry companies could share data with foreign business partners, undermining national security.


Beijing’s latest economic blueprint for the next five years, released in March 2021, emphasized the need to strengthen government sway over private firms’ data—the first time a five-year plan has done so. A key element of Beijing’s push is a pair of laws, one passed in June 2021, the Data Security Law,  and the other a proposal updated by China’s legislature in Apr0il 2021. Together, they will subject almost all data-related activities to government oversight, including their collection, storage, use and transmission. The legislation builds on the 2017 Cybersecurity Law that started tightening control of data flows.

The law will “clearly implement a more stringent management system for data related to national security, the lifeline of the national economy, people’s livelihood and major public interests,” said a spokesman for the National People’s Congress, the legislature. The proposed Personal Information Protection Law, modeled on the European Union’s data-protection regulation, seeks to limit the types of data that private-sector firms can collect. Unlike the EU rules, the Chinese version lacks restrictions on government entities when it comes to gathering information on people’s call logs, contact lists, location and other data.

In late May 2021, citing concerns over user privacy, the Cyberspace Administration of China singled out 105 apps—including ByteDance’s video-sharing service Douyin and Microsoft Corp.’s Bing search engine and LinkedIn service—for excessively collecting and illegally accessing users’ personal information. The government gave the companies named 15 days to fix the problems or face legal consequences….

Beijing’s pressure on foreign firms to fall in line picked up with the 2017 Cybersecurity Law, which included a provision calling for companies to store their data on Chinese soil. That requirement, at least initially, was largely limited to companies deemed “critical infrastructure providers,” a loosely defined category that has included foreign banks and tech firms….Since 2021, Chinese regulators have formally made the data-localization requirement a prerequisite for foreign financial institutions trying to get a foothold in China. Citigroup Inc. and BlackRock Inc. are among the U.S. firms that have so far agreed to the rule and won licenses to start wholly-owned businesses in China…

Senior officials have publicly likened Tesla to a “catfish” rather than a “shark,” saying the company could uplift the auto sector the way working with Apple and Motorola Mobility LLC helped elevate China’s smartphone and telecommunications industries. To ensure Tesla doesn’t become a security risk, China’s Cyberspace Administration recently issued a draft rule that would forbid electric-car makers from transferring outside China any information collected from users on China’s roads and highways. It also restricted the use of Tesla cars by military personnel and staff of some state-owned companies amid concerns that the vehicles’ cameras could send information about government facilities to the U.S. In late May 2021, Tesla confirmed it had set up a data center in China and would domestically store data from cars it sold in the country. It said it joined other Chinese companies, including Alibaba and Baidu Inc., in the discussion of the draft rules arranged by the CyberSecurity Association of China, which reports to the Cyberspace Administration…

Increasingly, China’s president, Mr. Xi, leaned toward voices advocating greater digital control. He now labels big data as another essential element of China’s economy, on par with land, labor and capital.  “From the point of view of the state, anti-data monopoly must be strengthened,” said Li Lihui, a former president of state-owned Bank of China Ltd. and now a member of China’s legislature. He said he expects China to establish a “centralized and unified public database” to underpin its digital economy.

Excerpts from China’s New Power Play: More Control of Tech Companies’ Troves of Data, WSJ, June 12, 2021

Your Phone Is Listening: smart-phones as sniffers

Leave a reply

U. S. government agencies from the military to law enforcement have been buying up mobile-phone data from the private sector to use in gathering intelligence, monitoring adversaries and apprehending criminals. Now, the U.S. Air Force is experimenting with the next step.

The Air Force Research Laboratory is testing a commercial software platform that taps mobile phones as a window onto usage of hundreds of millions of computers, routers, fitness trackers, modern automobiles and other networked devices, known collectively as the “Internet of Things.” SignalFrame, a Washington, D.C.-based wireless technology company, has developed the capability to tap software embedded on as many as five million cellphones to determine the real-world location and identity of more than half a billion peripheral devices. The company has been telling the military its product could contribute to digital intelligence efforts that weave classified and unclassified data using machine learning and artificial intelligence.

The Air Force’s research arm bought the pitch, and has awarded a $50,000 grant to SignalFrame as part of a research and development program to explore whether the data has potential military applications, according to documents reviewed by The Wall Street Journal. Under the program, the Air Force could provide additional funds should the technology prove useful.

SignalFrame has largely operated in the commercial space, but the documents reviewed by the Journal show the company has also been gunning for government business. A major investor is Razor’s Edge, a national-security-focused venture-capital firm. SignalFrame hired a former military officer to drum up business and featured its products at military exhibitions, including a “pitch day” sponsored by a technology incubator affiliated with U.S. Special Operations command in Tampa, Fla.

SignalFrame’s product can turn civilian smartphones into listening devices—also known as sniffers—that detect wireless signals from any device that happens to be nearby. The company, in its marketing materials, claims to be able to distinguish a Fitbit from a Tesla from a home-security device, recording when and where those devices appear in the physical world. Using the SignalFrame technology, “one device can walk into a bar and see all other devices in that place,” said one person who heard a pitch for the SignalFrame product at a marketing industry event…

“The capturing and tracking of unique identifiers related to mobile devices, wearables, connected cars—basically anything that has a Bluetooth radio in it—is one of the most significant emerging privacy issues,” said Alan Butler, the interim executive director and general counsel of the Electronic Privacy Information Center, a group that advocates for stronger privacy protections. “Increasingly these radios are embedded in many, many things we wear, use and buy,” Mr. Butler said, saying that consumers remain unaware that those devices are constantly broadcasting a fixed and unique identifier to any device in range.

Byron Tau,  Military Tests New Way of Tracking, WSJ, Nov. 28, 2020

Breath and Sweat: the Biometrics of All Private Things

Leave a reply

It is not just DNA that people scatter to the wind as they go about their business. They shed a whole range of other chemicals as well, in their breath, their urine, their faeces and their sweat. Collectively, these molecules are referred to as metabolites….

The most common way of analysing metabolite content is gas chromatography-mass spectrometry. This technique sorts molecules by their weight, producing a pattern of peaks that correspond to different substances….There are, however, a lot of information sources out there, in the form of publicly available metabolite databases. The databases themselves are getting better, too…. A study just published by Feliciano Priego-Capote at University of Cordoba, in Spain, for example, shows it is possible to extract much meaningful information from even a dried-up drop of sweat. “The day is coming soon”, observes Cecil Lewis, a molecular anthropologist at University of Oklahoma, who is studying the matter, “when it will be possible to swab a person’s desk, steering wheel or phone and determine a wide range of incredibly private things about them….


The police may be tempted to push the boundaries as well. The fourth amendment to America’s constitution protects against unwarranted searches and seizure of evidence. This means it is hard to force someone to give a sample. But if obtaining such merely requires taking a swab of a surface in a public place—perhaps a keyboard someone has just used—the 4th amendment is unlikely to apply.

That is not necessarily wrong, if it means more criminals are caught and convicted. But it needs to be thought about carefully, because many metabolites are sticky. Cocaine is a case in point. Studies have shown that as many as two-thirds of the dollar bills in circulation in America carry traces of this substance, which might thus end up on the fingertips of the innocent, as well as the guilty.

Excerpts from Metabolites and You, Economist, Feb. 15, 2019

Biometrics Run Amok: Your Heartbeat ID, please

Leave a reply

Before pulling the trigger, a sniper planning to assassinate an enemy operative must be sure the right person is in the cross-hairs. Western forces commonly use software that compares a suspect’s facial features or gait with those recorded in libraries of biometric data compiled by police and intelligence agencies. Such technology can, however, be foiled by a disguise, head-covering or even an affected limp. For this reason America’s Special Operations Command (SOC), which oversees the units responsible for such operations in the various arms of America’s forces, has long wanted extra ways to confirm a potential target’s identity. Responding to a request from soc, the Combating Terrorism Technical Support Office (CTTSO), an agency of the defence department, has now developed a new tool for the job.

This system, dubbed Jetson, is able to measure, from up to 200 metres away, the minute vibrations induced in clothing by someone’s heartbeat. Since hearts differ in both shape and contraction pattern, the details of heartbeats differ, too. The effect of this on the fabric of garments produces what Ideal Innovations, a firm involved in the Jetson project, calls a “heartprint”—a pattern reckoned sufficiently distinctive to confirm someone’s identity.

To measure heartprints remotely Jetson employs gadgets called laser vibrometers. These work by detecting minute variations in a laser beam that has been reflected off an object of interest. They have been used for decades to study things like bridges, aircraft bodies, warship cannons and wind turbines—searching for otherwise-invisible cracks, air pockets and other dangerous defects in materials. However, only in the past five years or so has laser vibrometry become good enough to distinguish the vibrations induced in fabric by heartprints….

Candice Tresch, a spokeswoman for the cttso…. cannot discuss the process by which heartprint libraries might be built up in the first place. One starting point, presumably, would be to catalogue the heartbeats of detainees in the way that fingerprints and dna samples are now taken routinely.

Excerpts from Personal identificationPeople can now be identified at a distance by their heartbeat, Economist, Jan 23, 2020

The Biometrics Bonanza: Measuring and Identifying Humans

Leave a reply

Many African  governments have unwisely bought biometric proprietary systems of private companies, meaning that they are forced to go back to the seller for maintenance, upgrades and new components. That can be expensive. When Nigeria wanted to use its own card-printing machines, the firm that had sold it software tried to insist that Nigeria buy its machines as well… They eventually got help from Pakistan, which had software that worked on any machine.

But there are signs of change coming from within the industry itself, spurred by developments in an entirely different part of the world: India. Like Africa, it is vast, poor and home to more than a billion people. Yet as a single country India has tremendous negotiating power. When India developed its “Aadhaar” identity programme it invited leading firms to bid—but with the caveat that they provide open-source software, or code that can be examined and changed by others. This allowed engineers to knit together different bits of a system such as databases, enrollment software, fingerprint scanners and so on. The suppliers agreed because they did not want to miss out on the biggest identity bonanza the world had ever seen. Moreover, India’s spending led to a big increase in production, which caused prices to fall across the industry.

Even as governments think about the technical problems of recording identity, they also need to grapple with the far more consequential ones around rights, governance and privacy. The starkest warning of the misuse of identity was in the Rwandan genocide, where ID papers listed ethnicity, making it easy to target Tutsis. Since data on religion and ethnicity are not needed to provide services, governments should not be hoovering it up.

States should also be wary of denying people their rights by creating a class of citizens without papers. In Kenya, for example, the government wants everyone to register for ID  cards, but it discriminates against members of the Nubian minority by forcing them to appear before a security panel to prove their nationality. Modern identity systems promise to bring many benefits to Africa. But as they proliferate, so too will the temptation for politicians to misuse them

Excerpts from Identity Documentation in Africa: Papers Please, Economist, Dec. 7, 2019

Who Owns Your Voice? Grabbing Biometric Data

Leave a reply

Increasingly sophisticated technology that detects nuances in sound inaudible to humans is capturing clues about people’s likely locations, medical conditions and even physical features.Law-enforcement agencies are turning to those clues from the human voice to help sketch the faces of suspects. Banks are using them to catch scammers trying to imitate their customers on the phone, and doctors are using such data to detect the onset of dementia or depression.  That has… raised fresh privacy concerns, as consumers’ biometric data is harnessed in novel ways.

“People have known that voice carries information for centuries,” said Rita Singh, a voice and machine-learning researcher at Carnegie Mellon University who receives funding from the Department of Homeland Security…Ms. Singh measures dozens of voice-quality features—such as raspiness or tremor—that relate to the inside of a person’s vocal tract and how an individual voice is produced. She detects so-called microvolumes of air that help create the sound waves that make up the human voice. The way they resonate in the vocal tract, along with other voice characteristics, provides clues on a person’s skull structure, height, weight and physical surroundings, she said.

Nuance’s voice-biometric and recognition software is designed to detect the gender, age and linguistic background of callers and whether a voice is synthetic or recorded. It helped one bank determine that a single person was responsible for tens of millions of dollars of theft, or 18% of the fraud the firm encountered in a year, said Brett Beranek, general manager of Nuance’s security and biometrics business.

Audio data from customer-service calls is also combined with information on how consumers typically interact with mobile apps and devices, said Howard Edelstein, chairman of behavioral biometric company Biocatch. The company can detect the cadence and pressure of swipes and taps on a smartphone.  How a person holds a smartphone gives clues about their age, for example, allowing a financial firm to compare the age of the normal account user to the age of the caller…

If such data collected by a company were improperly sold or hacked, some fear recovering from identity theft could be even harder because physical features are innate and irreplaceable.

Sarah Krouse, What Your Voice Reveals About You, WSJ, Aug. 13, 2019

Your Typing Discloses Who You Are: Behavioral Biometrics

Leave a reply

Behavioural biometrics make it possible to identify an individual’s “unique motion fingerprint”,… With the right software, data from a phone’s sensors can reveal details as personal as which part of someone’s foot strikes the pavement first, and how hard; the length of a walker’s stride; the number of strides per minute; and the swing and spring in the walker’s hips and step. It can also work out whether the phone in question is in a handbag, a pocket or held in a hand.

Using these variables, Unifyid, a private company, sorts gaits into about 50,000 distinct types. When coupled with information about a user’s finger pressure and speed on the touchscreen, as well as a device’s regular places of use—as revealed by its gps unit—that user’s identity can be pretty well determined, ction….Behavioural biometrics can, moreover, go beyond verifying a user’s identity. It can also detect circumstances in which it is likely that a fraud is being committed. On a device with a keyboard, for instance, a warning sign is when the typing takes on a staccato style, with a longer-than-usual finger “flight time” between keystrokes. This, according to Aleksander Kijek, head of product at Nethone, a firm in Warsaw that works out behavioural biometrics for companies that sell things online, is an indication that the device has been hijacked and is under the remote control of a computer program rather than a human typist…

Used wisely, behavioural biometrics could be a boon…Used unwisely, however, the system could become yet another electronic spy on people’s privacy, permitting complete strangers to monitor your every action, from the moment you reach for your phone in the morning, to when you fling it on the floor at night.

Excerpts from Behavioural biometrics: Online identification is getting more and more intrusive, Economist, May 23, 2019

Your Biometric Data in Facebook

Leave a reply

A federal judge has dismissed a class action lawsuit against Facebook after the California-based social media site claimed there was a lack of personal jurisdiction in Illinois.The plaintiff in the case, Fredrick William Gullen, filed the complaint alleging violations of the Illinois Biometric Information Privacy Act. Gullen is not a Facebook user, but he alleged that his image was uploaded to the site and that his biometric identifiers and biometric information was collected, stored and used by Facebook without his consent. The Illinois Biometric Information Privacy Act, implemented in 2008, regulates the collection, use, and storage of biometric identifiers and biometric information such as scans of face or hand geometry. The act specifically excludes photographs, demographic information, and physical descriptions….

In the Facebook case, no ruling has been made on whether the information on Facebook counts as biometric identifiers and biometric information under the Illinois Biometric Information Privacy Act. Instead, the judge agreed with Facebook that the case could not be tried in Illinois.

However, the company is currently facing a proposed class action in California relating to some of the same questions….How the California class action will play out remains to be seen. California does not yet have a clear policy on biometric privacy.A bill pending in the state’s legislature would extend the scope of the data security law to include biometric data as well as geophysical location, but it has not yet become law.  The question of privacy in regards to biometric information is one that has garnered increasing attention in recent months. On Feb. 4, 2016 the Biomterics Institute, an independent research and analysis organization, released revised guidelines comprising 16 privacy principles for companies that gather and use biometrics data.

Excerpts from Emma Gallimore, Federal judge boots Illinois biometrics class action against Facebook, Legal Newswire, Feb. 22, 2016, 12:15pm

See also the case (pdf)

Behavior Mining

Leave a reply

Understanding and assessing the readiness of the warfighter is complex, intrusive, done relatively infrequently, and relies heavily on self-reporting. Readiness is determined through medical intervention with the help of advanced equipment, such as electrocardiographs (EKGs) and otherspecialized medical devices that are too expensive and cumbersome to employ continuously without supervision in non-controlled environments. On the other hand, currently 92% of adults in the United States own a cell phone, which could be used as the basis for continuous, passive health and readiness assessment.  The WASH program will use data collected from cellphone sensors to enable novel algorithms that conduct passive, continuous, real-time assessment of the warfighter.

DARPA’s WASH [Warfighter Analytics using Smartphones for Health] will extract physiological signals, which may be weak and noisy, that are embedded in the data obtained through existing mobile device sensors (e.g., accelerometer, screen, microphone). Such extraction and analysis, done on a continuous basis, will be used to determine current health status and identify latent or developing health disorders. WASH will develop algorithms and techniques for identifying both known indicators of physiological problems (such as disease, illness, and/or injury) and deviations from the warfighter’s micro-behaviors that could indicate such problems.

Excerpt from Warfighter Analytics using Smartphones for Health (WASH)
Solicitation Number: DARPA-SN-17-4, May, 2, 2018

See also Modeling and discovering human behavior from smartphone sensing life-log data for identification purpose

Biometrics Gone Wrong

Leave a reply

Despite their huge potential, artificial intelligence and biometrics still very much need human input for accurate identification, according to the director of the Defense Advanced Research Projects Agency.  Speaking at  an Atlantic Council event, Arati Prabhakar said that while the best facial recognition systems out there are statistically better than most humans at image identification, that when they’re wrong, “they are wrong in ways that no human would ever be wrong”….

“You want to embrace the power of these new technologies but be completely clear-eyed about what their limitations are so that they don’t mislead us,” Prabhakar said. That’s a stance humans must take with technology writ large, she said, explaining her hesitance to take for granted what many of her friends in Silicon Valley often assume  — that more data is always a good thing.  More data could just mean that you have so much data that whatever hypothesis you have you can find something that supports it,” Prabhakar said

DARPA director cautious over AI, biometrics, Planet Biometrics, May 4, 2016

The Transparent Individual

Leave a reply

By integrating data you want into the visual field in front of you Google Glass is meant to break down the distinction between looking at the screen and looking at the world. When switched on, its microphones will hear what you hear, allowing Glass to, say, display on its screen the name of any song playing nearby…It could also contribute a lot to the company’s core business. Head-mounted screens would let people spend time online that would previously have been offline. They also fit with the company’s interest in developing “anticipatory search” technology—ways of delivering helpful information before users think to look for it. Glass will allow such services to work without the customer even having to reach for a phone, slipping them ever more seamlessly into the wearer’s life. A service called Google Now already scans a user’s online calendar, e-mail and browsing history as a way of providing information he has not yet thought to look for. How much more it could do if it saw through his eyes or knew whom he was talking to…

People may in time want to live on camera in ways like this, if they see advantages in doing so. But what of living on the cameras of others? “Creep shots”—furtive pictures of breasts and bottoms taken in public places—are a sleazy fact of modern life. The camera phone has joined the Chinese burn in the armamentarium of the school bully, and does far more lasting damage. As cameras connect more commonly, sometimes autonomously, to the internet, hackers have learned how to take control of them remotely, with an eye to mischief, voyeurism or blackmail.  More wearable cameras probably mean more possibilities for such abuse.

Face-recognition technology, which allows software to match portraits to people, could take things further. The technology is improving, and is already used as an unobtrusive, fairly accurate way of knowing who people are. Some schools, for example, use it to monitor attendance. It is also being built into photo-sharing sites: Facebook uses it to suggest the names with which a photo you upload might be tagged. Governments check whether faces are turning up on more than one driver’s licence per jurisdiction; police forces identify people seen near a crime scene. Documents released to the Electronic Frontier Foundation, a campaign group, show that in August 2012 the Federal Bureau of Investigation’s “Next Generation Identification” database contained almost 13m searchable images of about 7m subjects.

Face recognition is a technology, like that of drones, which could be a boon to all sorts of surveillance around the world, and may make mask-free demonstrations in repressive states a thing of the past. The potential for abuse by people other than governments is clear, too…In America, warrants to seize user data from Facebook often also request any stored photos in which the suspect has been tagged by friends (though the firm does not always comply). Warrants as broad as some of those from which the National Security Agency and others have benefited in the past could allow access to all stored photos taken in a particular place and time.

The people’s panopticon, Economist,  Nov. 16, 2013, at 27

Watching your Internet Fingerprint

Leave a reply

The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.

The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics. Biometrics is defined as the characteristics used to uniquely recognize humans based upon one or more intrinsic physical or behavioral traits. This program focuses on the computational behavioral traits that can be observed through how we interact with the world. Just as when you touch something with our finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a “cognitive fingerprint.”

This BAA addresses the first phase of this program. In the first phase of the program, the focus will be on researching biometrics that does not require the installation of additional hardware sensors. Rather, DARPA will look for research on biometrics that can be captured through the technology already in use in a standard DoD office environment, looking for aspects of the “cognitive fingerprint.” A heavy emphasis will be placed on validating any potential new biometrics with empirical tests to ensure they would be effective in large scale deployments.

The later planned phases of the program that are not addressed in this BAA will focus on developing a solution that integrates any available biometrics using a new authentication platform suitable for deployment on a standard Department of Defense desktop or laptop. The planned combinatorial approach of using multiple modalities for continuous user identification and authentication is expected to deliver a system that is accurate, robust, and transparent to the user’s normal computing experience. The authentication platform is planned to be developed with open Application Programming Interfaces (APIs) to allow the integration of other software or hardware biometrics available in the future from any source.

The combined aspects of the individual that this program is attempting to uncover are the aspects that are the computational behavioral “fingerprint” of the person at the keyboard. This has also been referred to in existing research as the “cognitive fingerprint.” The proposed theory is that how individuals formulate their thoughts and actions are reflected through their behavior, and this behavior in turn can be captured as metrics in how the individual performs tasks using the computer.

Some examples of the computational behavior metrics of the cognitive fingerprint include:

− keystrokes

− eye scans

− how the user searches for information (verbs and predicates used)

− how the user selects information (verbs and predicates used)

− how the user reads the material selected

• eye tracking on the page

• speed with which the individual reads the content

− methods and structure of communication (exchange of email)

These examples are only provided for illustrative purposes and are not intended as a list of potential research topics. The examples above include potential biometrics that would not be supported through this BAA due to a requirement for the deployment of additional hardware based sensors (such as tracking eye scans).

Excerpt from, Broad Agency Announcement, Active Authentication, DARPA-BAA-12-06, January 12, 2012

On Feb. 12, 2013, two groups announced related projects. The first is an industry group calling itself the FIDO (Fast IDentity Online) Alliance. It consists of the computer-maker, Lenovo, the security firm, Nok Nok Labs, the online payment giant, PayPal, the biometrics experts, Agnito, and the authentication specialists, Validity. The second is the Defense Advanced Research Project Agency (DARPA), a research and development arm of the Defense Department.

Excerpt from DARPA, FIDO Alliance Join Race to Replace Passwords, CNET, Feb. 12, 2013