A library of snippets
xxx
New York City Council has voted to ban cashless stores and restaurants, arguing that they discriminate against the unbanked.
The council voted to pass a bill requiring brick and mortar outlets in the city to accept US bills and coins or face fines of up to $1000 for a first violation and $1500 for further incidents.
xxx
xxx
As part of the deal, Wells Fargo admitted that between 2002 and 2016 it pressured employees to meet “unrealistic sales goals that led thousands of employees to provide millions of accounts or products to customers under false pretenses or without consent, often by creating false records or misusing customers’ identities,” the department said in a statement.
From Wells Fargo to pay $3 billion to U.S., admits pressuring workers in fake-accounts scandal – Reuters:
xxx
When it comes to contact tracing to defeat the dread virus, it is obviously more effective to protect the population by using new technology rather than by relying on the memories and notes of people who test positive. Implementing a system to do this doesn’t have to be a Big Brother option. One of the first countries to go with a more privacy-sensitive approach was Singapore, where the Ministry of Health worked with the Government Technology Agency to launch an app for contact tracing. This app, called “TraceTogether”, was installed by more than 600,000 Singapore resident within the first week of its launch in March 2020. The app works by using Bluetooth Low Energy (BLE) signals between phones to detect other participating TraceTogether users in close proximity (ie, with 2m) for some time (originally for 30 minutes). Records of such encounters are stored locally on each person’s phone. If a person tests positive for the virus, then that person can consent to send the contact records from their phone up to the Ministry of Health, which can then message the people that the person was in contact with to suggest they get tested. That contact data is stored in encrypted form on the consumer device, is deleted after 21 days and has the person’s identity (and those of their contacts) pseudonymised. However, it remains a centralised identities could be de-anonymised relatively easily.
In Europe, a collaborative effort called “Decentralized Privacy-Preserving Proximity Tracing” (D3PT) (produced by a core team of over 25 scientists and academic researchers from across Europe and open to wide scrutiny) put forward a solution similar to TraceTogether but with a privacy-preserving architecture. At the heart of this architecture is an open protocol for proximity tracing using the same BLE functionality on mobile devices that ensures personal data and stays entirely on an individual’s device.
Under this more private approach, devices broadcast identifiers that change every hour (or day or whatever) and these “ephemeral IDs” (ephIDs) are stored by other nearby devices together with the duration the contact and a “coarse” timestamp (ie, to the nearest day). When someone is diagnosed with the diseases, their phone can upload all of the ephIDs that it broadcast while the person was infected to a health authority server somewhere. Everyone’s phone periodically checks this server to see if it had heard any of the ephIDs from an infected person and if so how long for, and can then calculate the risk and tell the user whether to go for testing or not. Since all the devices (and the health server) ever store is the ephIDs, no personal data can leak through the system. This is a good basis to proceed. Someone who I always take seriously about this sort of thing is Gus Hosein, the executive director of Privacy International. Gus has said that he is “relatively relaxed about contact-tracing apps in which data is anonymised and well-regulated” and I agree. Although, of course, notions of what might constitute “well-regulated” might differ between stakeholders.
This privacy-enhanced approach to contact tracing received a significant boost when Google and Apple announced that they would work together to deliver a similar solution for the mass market. They published a specification for just such a privacy-enhancing proximity contact tracking app and APIs for health organisations to use. Even more interestingly, in a coming version of the system (planned for June) Apple and Google say they will add the functionality as the operating system level so that users can enable contact-tracing even without an app installed, although I note that they get to decide who can use this or not.
(While it’s nothing to do with COVID-19, I can see the contact-tracing functionality being used to create a whole new class of privacy-sensitive proximity applications. If you want to explore some of these, we can start work on the demonstrators for you in our Hyperlab development team.)
Of course, there is a the question of who will maintain the database of ephID contacts. In the UK, there is an obvious answers, which is the NHS. And indeed, this is what is happening. The Health Minister, Matt Hancock, has announced that just such an app would be deployed. NHSX, the NHS’ new technology unit, has been working on the app in the hope that it can help alleviate lockdown by tracking infections.
Now, these apps will only have an impact if a significant fraction of the population use them. It is outside my field of expertise to speculate as to what fraction will be required, but in the case of Singapore only around a fifth of population used the apps (when the authorities had been hoping for three-quarters) and this was insufficient to stave off lockdown. However, I am optimistic: if a privacy-enhanced contact-tracing capability is standard on smartphones and people can be encourage to turn it on then once every few years when a pandemic sweeps through, we can make rapid progress against the diseases.
A completely anonymous service won’t work As the security researcher Ross Anderson notes in this context, a voluntary app operated by anonymous actors is “wide open to trolling”. Someone will tie a phone to a dog and let it run around, state actors will launch denial of service attacks to cause panic and so on.
One of the arguments about the transition to a cashless, less-cash or contact-free economy is that such an economy marginalises people who a trapped in the cash economy. I’m not sure about this, though. The people who are trapped in the cash economy are the people who end up paying the highest costs. Just to pick one random news story this week (and I could have chosen many), here’s a case from China in which a man who didn’t trust banks buried his life savings underground five years ago. When he dug it up, a quarter of it was beyond repair and he lost 500,000 Yuan.
Of course, there are people who prefer to exist in a cash economy for other reasons. Criminals and corrupt politicians, for example. Cash works rather well for them, but can sometime be quite inconvenient. For remote purchasing, for example. Only yesterday I read about two freelance pharmaceutical intermediaries who were arrested in California after police caught them dumping nearly $1 million in cash which was intended to buy marijuana some distance from their main place of residence.
“Well, we’ll see how smart you are when the K9 come!” / I got 99 problems but the Bitcoin aint one.
California, incidentally, has a huge cash problem right now. The coronavirus has disrupted supply chains so that drug dealers in the USA cannot use the normal trade-based cross-border money laundering pathways to pesos. Hence, Hugh quantities of dollars are piling up outside the financial system. In other news, the Fed reports that as of 8th April there are $1.84 TRILLION of Federal Reserve notes in circulation, around $200 billion more than this time last year.
Now, I can understand why the disconnected, marginalised poor in remote parts of the world eschew the benefits of electronic payments for the currency of choice for the global criminal on the go, the $100 bill. But in California? Don’t they have Bitcoin there? Given the huge hassle of counting, bagging and transporting the Benjamins, why didn’t these entrepreneurs simply buy a few Bitcoins, drive to the drop zones and press the “send” button when the goods are in from of them. It only takes an hour or so for the half a dozen confirmations that the wholesale distributors would want to see, and then Bob’s your uncle.
But no, they packed up the greenbacks and set off in their car.
Surely, I have to reflect, if drug dealers won’t use Bitcoin, then who will? There must be many people who don’t want to carry around huge wads of cash for such purchases. Why aren’t they in crypto? What about the millions of people who buy things that they would prefer not to show up on their credit card statements? Remember the newspaper story about noted England rugby player Lawrence Dallaglio’s credit card being used in a brothel in London? A police raid on the establishment uncovered burner phones, diaries, POS terminals, a bag filled with bank cards and receipts (what a well-run organisation!) showing that customers were were paying between £80 and £100 for a gram of coke and… no Bitcoin hard wallets or passwords written on Post-Its.
(If I was off to brothel and wanted to buy some cocaine while I was there, I would certainly be at the very least reticent to use my credit card, even if the establishment was PCI-DSS compliant, which I’m pretty sure a bag full of bank cards in a plastic bag in a toilet is not.)
Anyway, back to the point. How can it be more convenient to cart around great wodges of cash than to zip some magic internet money through the interweb tubes? That’s not to say that Bitcoin is the perfect solution for criminal on the go, though. For example, in a recent Irish case, a drug dealer who wisely decided to invest in cryptocurrency rather than the euro amassed a fortune of €54 million in digital loot. He hid the passwords to the digital wallets holding his ill-gotten gains with his fishing rod. Unfortunately, the fishing rod has “gone missing” so while the Irish Criminal Assets Bureau (CAB) has in theory confiscated the 12 wallets (containing 6,000 bitcoin), in practice they cannot get hold of them.
(On the other hand, thanks to people such as Chainalysis, the Irish police can at least find out who sent money to the wallet and where money from the wallets was sent to, which ought to help them further their investigations.)
The noted software entrepreneur John Macafee said, on a recent episode of the Breaking Banks radio show that I was co-hosting, said something similar. He said that Bitcoin is no good for this sort of thing because it can be traced and he advised listeners to use Monero instead. The price of Monero has roughly halved over the last year so I guess that there aren’t that many people following that advice right now, but who knows.
I should note, though, that the issue of more private versions of digital currencies is not of exclusive interest to criminals and corrupt politicians. To continue with the US example, there are many people who are enagaged in perfectly legal businesses (eg, selling weed in Colorado, performing adult services in Nevada or trying to buy food in Venezuela) that are excluded from the global financial system and are therefore driven to look for alternatives.
(Venezuela is an interesting example. If used to crop up in talks by Bitcoin fans although restaurants, shops, supermarkets and even the street vendors today accept – and prefer – dollars in cash or by bank transfer. You can pay by Zelle in supermarkets there!)
What, no Bitcoin?
What’s the niche for cryptocurrency then? A quick investigation tells me that the market-leading porn site accepts four cryptocurrencies, three of which I’ve never heard of, and not Monero or Zcash (the other leading privacy coin). If drug dealers, porn consumers and Venezuelans won’t use Bitcoin, then who will?
xxx
Hackers stole £2.4 million that a museum paid for a John Constable painting, as experts warn that fraudsters are targeting the art world.
The criminals intercepted emails between Rijksmuseum Twenthe in the Netherlands and Simon Dickinson, a London art dealer, who were arranging the sale of Constable’s 1824 landscape A View of Hampstead Heath: Child’s Hill, Harrow in the Distance.
Posing as Dickinson, the seller specialising in Old Master paintings, they instructed the museum to pay £2.4 million into a bank account based in Hong Kong.
From Hackers pretending to be art dealer convinced museum to pay them £2m for John Constable painting:
xxx
xxx
To get permission to leave China’s coronavirus epicenter and return to his job in Hong Kong, a Chinese banker needed two things: a letter from his company and a green health code from Alipay.
From People in China Need Alipay, Tencent Green QR Code to Leave – Bloomberg:
xxx
xxx
The shift to programmable money will reward first-mover economies. China will quickly integrate DCEP into hundreds of blockchain projects in which autonomous digital sensors and devices directly exchange information and money. Removing intermediaries from these device-to-device transactions will allow China to automate entire Internet of things ecosystems, bringing efficiency gains to smart cities, supply chains, and electricity grids.
In time, Beijing could offer DCEP-based direct machine-to-machine payments along its 60-plus-country Belt and Road Initiative.
From China is poised to beat the U.S. in the digital currency race | Fortune:
xxx
xxx
Cash could be almost killed off by the end of the summer as shoppers switch to using cards and never go back, the head of the ATM network warned last night.
John Howells, chief executive of Link, which runs Britain’s 70,000 cashpoints, said the coronavirus pandemic has dramatically sped up the switch from cash to card and online payments.
Before the shutdown, cash was still used in around a third of transactions. Now Link predicts its use will slump to just 10 per cent by August as people shop and go out less, use cards when they stock up at supermarkets and avoid coins and notes for fear of picking up the virus
xxx
xxx
As coronavirus spreads, people are worried that signing payment screens at store checkouts could make them sick. According to the card networks, they shouldn’t have to sign anyway.
Major card networks including Visa Inc., V 3.77% Mastercard Inc., MA 4.74% American Express Co. AXP 5.14% and Discover Financial Services DFS 6.34% stopped requiring signatures on almost all card purchases, no matter the dollar amount, over the past couple of years. Many stores and card companies don’t even check the signatures.
There are two main reasons for the disconnect: Some stores actually do want signatures, viewing them as a way to improve security. And many stores just haven’t updated their payment terminals to remove the signature prompt.
From In a Pandemic, Another Worry: Touching the Payment Screen at Checkout – WSJ:
xxx
Snippings