How Fake News and Rumors Are Stoking Division in Hong Kong – Bloomberg

As Hong Kong’s anti-government protests stretch into their 23rd straight week, the city is being inundated with online rumors, fake news and propaganda from both sides of the political divide. The polarizing rhetoric is fueling distrust and violence, making it harder to resolve the crisis that has plunged Hong Kong into a recession and raised doubts about the city’s role as Asia’s premier financial hub.

How Fake News and Rumors Are Stoking Division in Hong Kong – Bloomberg:

Disinformation – Lithuanians are using software to fight back against fake news | Science and technology | The Economist

“Demaskuok, which means ‘debunk’ in Lithuanian, is a piece of software that searches for the patient zeros of fake news. It was developed by Delfi, a media group headquartered in Lithuania’s capital, Vilnius, in conjunction with Google, a large American information-technology company. It works by sifting through reams of online verbiage in Lithuanian, Russian and English, scoring items for the likelihood that they are disinformation. Then, by tracking back through the online history of reports that look suspicious, it attempts to pin down a disinformation campaign’s point of origin—its patient zero.”

From “Disinformation – Lithuanians are using software to fight back against fake news | Science and technology | The Economist”.

Ex-Twitter employees accused of spying for Saudi Arabia – BBC News

Two former employees of Twitter have been charged in the US with spying for Saudi Arabia. The charges, unsealed on Wednesday in San Francisco, allege that Saudi agents sought personal information about Twitter users including known critics of the Saudi government.

Ex-Twitter employees accused of spying for Saudi Arabia – BBC News:

China’s digital currency will kick off ‘horse race’: central bank official – Reuters

China’s digital currency will create a “horse race” when it is launched as commercial banks and other institutions compete to provide the best services using the new form of money, a central bank official said.

China’s digital currency will kick off ‘horse race’: central bank official – Reuters:

Cybersecurity strategy, dog’s breakfasts and ex-Ministers

I had the pleasure of attending a “Horizon Brief” organised by the Centre for the Study of Financial Innovation (CSFI) for Dentons. The well-informed speakers, ably chaired by Andrew Hilton (Director of the CSFI), were lawyer Dominic Grieve (the day after he ceased to be an MP), lawyer Anton Moiseienko from Royal United Services Institute Centre for Financial Crime and Security, lawyer Richard Parlour (Chairman of the EU Task Force on Cybersecurity Policy for the Financial Sector at the Centre for European Policy Studies) and lawyer Antonis Patrikos from Dentons’ Privacy and Cybersecurity Practice.

There was a deal of discussion about Russia and China, cyberattacks and critical national infrastructure, and also the nature of serious crime as it shifts towards online. Much of the discussion was illuminating, and I won’t repeat it all here, but I particularly enjoyed the points made about cryptocurrency as a facilitator for cybercrime. 

(I can’t resist quoting Marshall McLuhan at this point. Way back in 1970 he said that “World War III is a guerrilla information war with no division between military and civilian participation”. We are already in that war, and we don’t seem to have a strategy for winning it.)

I asked the former Minister about the comments of one of his former colleagues, Margot James, the Minister for Digital Thingies. She was quoted in The Daily Telegraph that the UK must “get over” privacy and cyber security fears and adopt technology such as online identities. I was surprised by this statement because I assumed that the Minister for Digital Thingies would be campaigning non-stop for our privacy, doing everything she can to provide for our cybersecurity and working around the clock to develop a digital identity infrastructure that simultaneously delivers both of these. We don’t need to “get over” them, we need to get something done about them.

None of us should have to “get over” privacy or cybersecurity fears to use digital identity because digital identity should deliver both of them. If you understand computer security, cryptography and communications then you know that we already have the tools to do precisely this: cryptographic blinding, zero-knowledge proofs, verifiable credentials and so forth. Given that the panel was made up entirely of lawyers and the government is made up of lawyers and PPEs, perhaps it is not surprising that there was little to no mention of the technologies needed to create robust cyberwar defences.

While the Minister was advocating online identities, another Minister was ending government funding for the government’s own Verify digital identity service. And more recently another Minister has scrapped the online age verification plan that would have at least bootstrapped digital identity into the mass market, even if it was to be provided by Pornhub rather than the Department for Culture, Media and Sport. To a casual observer, it might seem that the government has no actual strategy.

I wondered afterwards if there isn’t something else going on here. A couple of years ago, there was an opinion piece in The New York Times acknowledging that while there are technology issues that contribute to poor cybersecurity throughout society, the underlying reason is political. This is because corporations “have poured large amounts of money into our political system, helping to create a regulatory environment in which consumers shoulder more and more of the risk, and companies less and less”.

Perhaps the way to get the right technology in place is then regulatory. Look at banking: it wasn’t technology that brought us open banking, for example. Or payments. In the UK, there is a new code of conduct in place for Authorised Push Payment (APP) fraud which means that, essentially, if you are tricked into sending money to a crook then the bank (not the crook) has to give you your money back. I can’t see a new code of conduct that means if your computer is hacked then Apple or Microsoft is responsible (for selling you a hackable computer), but I can see a way to make intermediaries work harder on behalf of consumers.

I’ll give you a simple example of an absolutely typical fraud that we see in the UK on a daily basis. A Mr Pibworth instructed a firm of solicitors to pay money out of his client account at midday on January 25th of this year. It was a Friday (as is typical for these frauds). He asked for the money to be paid into a joint account that he and his brother have. However, a few hours later the solicitors received an email purporting to be from Mr Pibworth (but which was actually from a fraudster) with new instructions saying the money should be paid into a different account, which they then did.

And £60,000 was sent off to the fraudsters.

(The same firm of solicitors, incidentally, lost £100K to a similar fraud in 2016.)

I imagine that the solicitors didn’t bother checking that they were sending to the correct account any more because the banks have to pay up if they transfer cash to fraudsters. According to the code, these solicitors would only have to demonstrate that they had taken “the requisite level of care” and then bank customers would have to cough up and compensate them. But what is a “requisite level of care”? It’s certainly not taking the contents of an e-mail for granted! Perhaps they should have phoned Mr. Pibworth to check that he had sent the e-mail? But then the Wall Street Journal reports that criminals used artificial intelligence-based software to impersonate a CEO’s boss and instruct him to transfer money! The CEO of a U.K.-based firm thought he was speaking on the phone with his boss, the CEO of the German parent company, who asked him to send the funds to a Hungarian supplier.

(I think that the requisite level of care should be linked to using digital identities with credentials provided by someone that you can sue – such as a bank – if the identity turns out to be fraudulent, but that’s a topic for another day.)

If you ask me, however, Mr. Pibworth was negligent for sending sensitive financial details by unencrypted e-mail, since everyone knows that e-mail has absolutely no security associated with it at all and you should generally assume that any unencrypted e-mail without a digital signature with financial details is fraudulent. Solicitors should have a code of conduct that ignores any financial instructions in an e-mail. WhatsApp, Signal, Messenger and perhaps even Instagram* yes, but e-mail no.

CHYP Tension

I had the pleasure of attending a “Horizon Brief” organised by the Centre for the Study of Financial Innovation for Dentons. The well-informed speakers, ably chaired by Andrew Hilton (Director of the CSFI), were lawyer Dominic Grieve (who used to be the Attorney General and, until yesterday, Chair of Parliament’s Intelligence and Security Committee), lawyer Anton Moiseienko from Royal United Services Institute Centre for Financial Crime and Security, lawyer Richard Parlour (Chairman of the EU Task Force on Cybersecurity Policy for the Financial Sector) and lawyer Antonis Patrikos from Dentons’ Privacy and Cybersecurity Practice.

During questions, I asked about the comments of one of Dominic’s former colleagues, Margot James, the Minister for Digital Thingies. She was quoted in The Daily Telegraph that the UK must “get over” privacy and cyber security fears and adopt technology such as online identities. While this Minister was advocating online identities, another Minister was ending government funding for the government’s own Verify digital identity service. And more recently another Minister has scrapped the online age verification plan that would have at least bootstrapped digital identity into the mass market.

To a casual observer, I noted, it might seem that the government has no actual strategy. As Mr. Grieve pointed out in response to my question, there is a tension at the heart of government strategy. I will paraphrase, but the issue is that the government wants to accumulate data but the accumulation of data raises the likelihood of cyberattack. So this left me wondering how to deal with this tension and make some progress. This point was illustrated rather well this week, when the Parliament’s Joint Human Rights Committee recommended that The Government should “explore the practicality and usefulness of creating a single online registry that would allow people to see, in real time, all the companies that hold personal data on them and what data they hold.”

The Chair of the Committee, the lawyer Harriet Harman, said “It should be simple to know what data is shared about individuals and it must be equally easy to correct or delete data held about us as it was to us to sign up to the service in the first place”. As far as I can see, this completely impractical, expensive and pointless mechanism for logging in to some government website to find out if you signed up for the Weatherspoons loyalty scheme when you were rat-arsed last night will be of no benefit whatsoever. The vast majority of the population neither know nor care what the Tesco Clubcard database holds about them so long as they get money-off vouchers now and then. The Committee’s concerns about privacy are real and valid (we share them) but their proposed solution will not address them. Apart from anything else, what is to stop hackers from getting into the database, finding out that you have an account at Barclays and then using this to phone you up and ask you to transfer your money into a “safe” account?

I wonder if the lawyers are aware that technologists can help resolve this fundamental paradox. Having had a few years’ experience in delivering highly secure systems to the financial sector, my colleagues at Consult Hyperion are familiar with a number of cryptographic techniques – such as homomorphic encryption, cryptographic blinding, zero-knowledge proofs and verifiable credentials – that can deliver apparently paradoxical results. It is possible to store data and perform computations on it without reading it, it is possible to determine that someone is over 18 without seeing their age and it is possible to find out whether you ate at a certain restaurant without disclosing your name.

Right now, the use of these technologies is nothing more than a hygiene factor for the companies involved. But as legislation (and social pressure) steadily converts personal information into toxic waste, so more and more companies will want to avoid it. Privacy will become part of the overall package that a company offers to its customers and we understand the technologies that can deliver it and how to deploy them at population scale. Give us a call – our number’s not a secret.

Banks in Hong Kong, mainland China must buck up or lose US$61 billion in revenue to e-payment providers, Accenture says | South China Morning Post

“Accenture noted that revenue from credit card transactions by business dropped by 33 per cent globally between 2015 and 2018, while consumer debit card transactions fell by nearly 15 per cent during that period.”

From “Banks in Hong Kong, mainland China must buck up or lose US$61 billion in revenue to e-payment providers, Accenture says | South China Morning Post”.

Does cyber security cross the line when crossing borders? | Financial Times

Potential visitors to the US were recently confronted with a new requirement on the long and complicated visa application form — to provide information about their social media identities.

Does cyber security cross the line when crossing borders? | Financial Times:

Blue Passports, Half Crowns and the New Slower Payment Service

The last time that I bought a car, I paid for it this way. I went to look at the car, test drove it and then did a bit of online research. The price seemed fair for the condition, so I called the dealer back and agreed the sale. He told me his bank sort code and account number. I put these into my Barclays account and transferred £10 to the dealer. He texted me a minute or so later to confirm that the money had been received. So then I called my insurance company to add the car to my policy. Then I drove over to the dealership to pick up the car and the documents. While I was there, I used the Barclays app on my phone to transfer a few thousand quid to the dealer. About 30 seconds later he checked his account and saw that the money was there, so he gave me the keys and off I went.

(Meanwhile, my friend Simon told me that to pay his rent in New Jersey, he logs in to his American bank account to instruct the payment, then the bank prints out a paper cheque that it mails to his landlord. The landlord then takes the cheque to his bank to pay it in, and after a couple more days the money shows up in this account. This expensive and inconvenient payment mechanism sometimes takes 

Meanwhile, back in the UK, my friend Nick bought a boat a while ago. He saw that someone had the boat he wanted and went over to look at it. A sale was agreed, he transferred the money on the spot using the phone and drove away towing his new boat.

Now, you would think that this wouldn’t be much of a crime. After all, thanks to our comprehensive and expensive know your customer (KYC) and anti-money laundering regulations, the police should find it very easy to arrest the criminals. If my Dad transfers money to someone who turns out not to be the fraud department of the NatWest, there are really only two possibilities: the recipient bank knows who the account belongs to (in which case the police can arrest the account holder) or they don’t know who the account belongs to (in which case the police can arrest the head of compliance at the bank for not doing proper KYC). And if the destination account is a “mule” then, well, they should be arrested.

The Treasury Select Committee takes a different view. If my Dad sends money from his Barclays to someone who turns out not to be the fraud department of the NatWest, then under the current guidelines that is Barclays’ fault and they have to compensate him. The compensation is paid for from an instant payments levy. To cut down on the amount of fraud, the Committee is now suggesting that all instant payment transfers to new payees be revocable for 24 hours. So in the future I will have to wait a day to pick up my new car and my friend Nick will have to wait a day to pick up his new boat.

So we are all going to be inconvenienced (and charged) because people send money to fraudsters.

The underlying problem here is that we have no working digital identity infrastructure for use by financial services. Bank customers who are tricked by fraudsters have no idea who they are actually sending the money to. 
