DK_en 1x02 - Dumb and dumber
The Equifax breach, 143 million citizens' worth of credit rating data? Or Facebook, having Nazis as a targetable demographic? The data industry is an arena where the "merely" incompetent confront the criminally so. But we're not spectators. We're the prize.
Episode first aired on September 21, 2017. Listen to the audio on Spreaker.com
This episode will deal with three different but closely related pieces of news that show us how, far too often, sensitive personal information is managed with not even a dash of competence, with ample doses of negligence, verging on the criminal, and possibly more than a hint of malice.
Let's call a spade a spade: the data industry is a wild circus where the contest is between those who are "merely" incompetent and those who are criminally so.
It's quite a spectacle, but we're not spectators: we are the prize.
Welcome to today's episode: "Dumb and Dumber".
Circus music
Rousseau
We'll start with my own country, Italy; we may be a remote province of the empire but when it comes to cockups we are first class.
We'll start with a system pompously called "Rousseau", hoping good old Jean-Jacques will take no offence. Rousseau is a web platform that the 5 Star movement uses to manage its own internal political activities, including online votes on issues.
The 5 Star Movement presents itself as the harbinger of networked democracy, not unlike the Pirate parties elsewhere in Europe. There is a difference, though, between speaking of networked democracy and actually being able to run it. In the case of the 5 Star Movement, the difference appears abysmal.
At the beginning of August, Rousseau was cracked by someone going by the handle EvaristeGal0is. The guy, whose identity is unknown, is a White Hat, that is to say a cracker who tests systems only to report the bugs to their owner.
EvaristeGal0is publishes a minisite with information regarding his breach. Enough of it for a system administrator to know what needs fixing, but not enough for any Tom, Dick and Harry to make their own personal breach.
A few days later a second cracker comes out, this one going by the handle r0gue_0. He accuses Galois of secretly working for Casaleggio (Casaleggio is the web agency that owns Rousseau and seems to be masterminding the Movement).
R0gue_0 claims to have had administrator-level access to Rousseau for months now, and is angry that Galois has spoiled his... his what?
For all we know, he may just have been lurking. Or he could have been secretly altering Rousseau's archives, including the results of the online polls and internal elections.
What we do know, from Galois the White Hat, is that a simple SQL injection was enough to breach the system.
SQL injection is the technical term for what happens when not one of Rousseau's builders ever thought of validating user input, which is taken as is and interpreted by the system.
This means that if the input happens to be a valid command, like "open the door, Hal", well, Hal (or Rousseau in this case) will open the door.
As if this were not enough, Rousseau required users to choose a password no longer than 8 characters in order to access the online voting system. Eight-character passwords are simple and, since people will be people, are easily cracked.
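To make the two defects concrete, here is an added example in Python; it is mine, not code from Rousseau or from Galois's write-up. It uses an in-memory SQLite table standing in for a member database, with constructed sample data. vulnerable_lookup pastes the user's input straight into the SQL text, so input that happens to be valid SQL is interpreted as SQL, which is the "open the door, Hal" case; safe_lookup binds the input as a parameter, so it is only ever treated as a value. check_password_policy shows the policy the page implies was missing: a minimum length rather than a maximum of 8, with only a generous upper bound to cap hashing cost. The table layout, the 12-character minimum and the 128-character cap are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed policy for this example: a minimum, not a maximum, with only a
# generous cap so that a hostile client cannot make the server hash megabytes.
MIN_PASSWORD_LEN = 12
MAX_PASSWORD_LEN = 128


def hash_pw(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one member in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, pw_hash BLOB, salt BLOB)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO members VALUES (?, ?, ?)",
        ("alice", hash_pw("correct horse battery staple", salt), salt),
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, username: str) -> list:
    """Defective: user input is spliced into the SQL text and interpreted as SQL."""
    query = f"SELECT username FROM members WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn, username: str) -> list:
    """Fixed: the input is bound as a parameter, so it can only ever be a value."""
    query = "SELECT username FROM members WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def check_password_policy(password: str) -> tuple:
    """Return (ok, reason). Long passphrases are welcome; short ones are not."""
    if len(password) < MIN_PASSWORD_LEN:
        return False, f"shorter than {MIN_PASSWORD_LEN} characters"
    if len(password) > MAX_PASSWORD_LEN:
        return False, f"longer than {MAX_PASSWORD_LEN} characters"
    return True, "ok"


def login(conn, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time comparison of the stored hash."""
    row = conn.execute(
        "SELECT pw_hash, salt FROM members WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_pw(password, row[1]))


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # input that is valid SQL, not a real username
    print("vulnerable:", vulnerable_lookup(db, tautology))  # ['alice']
    print("safe:      ", safe_lookup(db, tautology))        # []
    print("login:     ", login(db, "alice", "correct horse battery staple"))  # True
    print("policy:    ", check_password_policy("hunter42"))  # (False, 'shorter than 12 characters')
```

The point to take away is that the fix is not "filter out quotes" but "never let input become query text": with bound parameters the database driver does the separation, and there is nothing left for a builder to forget.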
While the Movement, usually very vocal, remains silent, Mr. Casaleggio declares he will sue the first cracker, the white hat.
Here we have a party that preaches direct democracy, and especially online direct democracy, but that does not seem to be up to it. From what we see, the Movement has managed its members' very sensitive data in a fairly amateurish way.
And once its incredible and potentially criminal negligence is revealed, it tries to deflect attention by trying to shoot the messenger.
When I say criminal it's not an exaggeration: data regarding one's political opinions are what European law calls "sensitive data". Mismanagement of sensitive data is not simply a misdemeanor, it's a serious crime.
From what we have seen, the ease of the breach seems to suggest that the system did not comply with the minimum levels of security required by law.
This means the Italian Data Protection Authority must be investigating the case now, and will eventually reach some conclusion.
I fear such a conclusion may not be very harsh. Not because the Authority cannot do its job, but because in this case it will be very easy for the 5 Star Movement to frame any intervention from the Authority as a political attack in disguise.
Which is sad, because the only political thing here is a political movement managing sensitive data in a way that it is an understatement to call amateurish.
But, as it happens, the 5 Star Movement are not the only amateurs around.
Circus music
Equifax
The Equifax story is about the theft of credit data regarding 143 million US citizens.
What's credit rating data? It's the data used to rate your ability to pay back a loan. Sounds simple? It's everything but. US credit-rating agencies hoard the wildest, most exotic personal data to compute somebody's rating.
Why? Because they can. Using lots of personal information to compute a credit rating, even if most of the information is not credit-related, gives the rating an aura of objectivity. It's the triumph of narratives over facts and, sadly, it's the Zeitgeist, the spirit of the times.
So what goes into a credit rating?
- rents and mortgages
- financial loans
- utility bills
- car rentals
- library loans
- education history
- military history
- work history
- purchase history (you didn't think credit cards and fidelity cards were simply for your convenience, did you?)
Basically, anything that can be known about you is sooner or later hoovered into the computation of your credit rating.
And banks, insurance companies, and increasingly employers, buy into this narrative because it helps deflect responsibility.
Credit rating is rapidly becoming a proxy for a person's overall dependability.
Once it has, it will be a formidable instrument of social control.
China's government is deploying a citizen-rating system that even takes into account social media activity, and Western media are unanimous in expressing scandal and concern.
In the US, the market is building something that is functionally identical, and everything's normal.
But I digress.
Equifax is one of the largest companies in its industry, an industry that really is an oligopoly, as so often happens when personal data are involved.
As it happens, Equifax has been breached, and the personal data of about 143 million US citizens have been compromised. Compromised, here, is a euphemism to say that those data are being bought and sold and used by whoever has an interest in them, legal or otherwise.
Surely, with those data, impersonation and identity theft must be a breeze.
But I'm just stating the obvious; who knows what a creative criminal may be able to do with them.
There are many worrying details in this story.
The first is that it took Equifax five weeks after the alleged date of the breach to break the news of it. In those five weeks, three executives found the time to sell 2 million dollars in stock, before it tanked. Equifax tells us that the executives were not privy to the breach, and that 2 million is but a small part of the stock they own. What a consolation.
The funny side of all this is that an Equifax insider has just come out saying that Equifax knew of the breach FIVE MONTHS before the date the same Equifax reported as the date of the breach.
Be that as it may, Equifax remained silent for as long as it wanted in the wake of one of the worst breaches in history. Not the worst, mind you, but one of the worst.
It would be very easy to say "remember this the next time they tell you of their attention to the customer."
It would be easy and it would be wrong, because in the data industry the customers are banks, insurance companies, colleges, universities and employers.
We the people are data cows, nothing more.
Of course there's also the small detail that Equifax has announced it will charge for a rating freeze.
Allow me to translate for you: I, the credit rater, allowed your data to be stolen; suppose somebody uses those data to impersonate you and default on a payment; I, the credit rater, will be glad to take your money not to count that default against your rating.
All this while there is not one Equifax executive charged with anything. As with the banks in 2008, shit happens and no one is held accountable for anything.
Except the lone cracker, who'll soon be forgotten until the next breach.
When this is the attitude of our governments, one really prays for Jupiter's lightning to strike. Sadly, though, the old gods are not really in fashion any longer.
And let's come to Facebook now.
Circus music
ProPublica has found that Facebook campaigns can be targeted to some curious categories.
- "jew hater"
- "antisemitism"
- German Schutzstaffel (written as I pronounce it: with no umlaut and as if it were a singular; apparently it's not enough to be a Nazi, being ignorant is also a requirement) - SS Nazis
- and of course NDP, the German extreme-right party
and the list goes on.
ProPublica is worried about what it has found, and alerts Facebook to it.
Facebook's reply is straight out of a comedy script:
"we were not aware of these demographic categories; categories are automatically generated by algorithms, not by humans, from direct user input"
Which is like apologising to your school teacher because your failed math homework was actually your father's doing.
That nobody thought of checking user input speaks volumes about how much actual thought really goes into the social giant's design.
By the way, don't you find it odd that in the current climate there was no comparable demographic targeting Muslim people? I find it odd.
But let's admit it, this is a staple of all these marvellous Silicon Valley gimmicks: the intellectual depth of a Derek Zoolander and the ethical sense of a Teflon pan. Plus, of course, ungodly pre-IPO valuations.
There are a few points to make here:
- first, the categories that ProPublica found reached just under 200 thousand people, which, given a user base of almost 2 billion, is just under one person in every ten thousand
- the second point is a direct consequence of the first: we must wake up to the fact that, given a large enough sample of people, there's room in it for absolutely anything. This is nothing more than the "niche" theory so popular with social media marketers: no matter how rare your customers are, social networks will allow you to target your niche with precision. Well, neo-Nazis surely are a niche
- third, the category-generating algorithm was surely written by a human programmer and surely approved by a human manager, possibly more than one. The direct user input the algorithm uses comes from fields such as "field of study" and "employer"; man, it's like "Country": you can make a list of admissible values and be done with it.
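Since the third point is about input validation, here is an added example in Python (mine, not Facebook's code) of the difference between deriving targeting categories from free text as typed and validating the field against a list of admissible values first. The profiles, the allow-list and the minimum audience threshold are constructed for the example; the threshold is an extra design choice of mine, not something the page describes.

```python
from collections import Counter

# Assumed allow-list of admissible values; a real taxonomy would be larger.
ADMISSIBLE_FIELDS = {"computer science", "economics", "history", "law", "medicine"}
# Assumed extra design choice: a category is not targetable below this audience size.
MIN_AUDIENCE = 2

# Constructed sample profiles standing in for free-text "field of study" answers.
PROFILES = [
    {"user": 1, "field_of_study": "Computer Science"},
    {"user": 2, "field_of_study": "  computer   science "},
    {"user": 3, "field_of_study": "Economics"},
    {"user": 4, "field_of_study": "Underwater Basket Weaving"},
    {"user": 5, "field_of_study": "whatever a user cares to type"},
]


def naive_categories(profiles):
    """Every distinct free-text string becomes a targetable category, as typed."""
    return dict(Counter(p["field_of_study"] for p in profiles))


def normalise(value: str) -> str:
    """Case-fold and collapse whitespace so trivially different spellings match."""
    return " ".join(value.lower().split())


def validate_field(value: str, allowed=ADMISSIBLE_FIELDS):
    """Return the canonical value if it is admissible, otherwise None."""
    canonical = normalise(value)
    return canonical if canonical in allowed else None


def allowlisted_categories(profiles, allowed=ADMISSIBLE_FIELDS, min_audience=MIN_AUDIENCE):
    """Build categories only from validated values; report the rejected profiles."""
    counts = Counter()
    rejected = []
    for p in profiles:
        canonical = validate_field(p["field_of_study"], allowed)
        if canonical is None:
            rejected.append(p["user"])  # free text that matched nothing admissible
        else:
            counts[canonical] += 1
    targetable = {name: n for name, n in counts.items() if n >= min_audience}
    return targetable, rejected


if __name__ == "__main__":
    print("naive:", naive_categories(PROFILES))            # five categories, one per string
    print("allow-listed:", allowlisted_categories(PROFILES))  # ({'computer science': 2}, [4, 5])
```

With the naive approach, whatever a user types is already a category, spelling variants included; with an allow-list, anything outside the admissible values is rejected at input time and never reaches the targeting tool, and the rejected list is exactly what a human reviewer should be looking at.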
So, let's look beyond the scandal and wonder whether there really is nothing wrong with targeting, or whether some targets should be off limits.
Because you see, paedophile was another target category, but it did not make much news. Maybe scandals too are seasonal, and Nazis are the dernier cri now.
Do we really want the free market to cater for the needs of the likes of neonazis and paedophiles? Or maybe, just maybe those interests cannot express any legitimate need?
Do all personal needs have a right to be satisfied or maybe needs that imply damage to others or to society don't?
Remember this the next time you hear someone extolling the virtues of a free market: neonazis and paedophiles are a market, too. Maybe we should reflect.
One reflection
The data industry is now pervasive. Standard contract clauses along the lines of "and then we'll do whatever else we want and can with your data" have no more reason to exist. I could even say they are suggestive of potential malicious intent.
This also applies to the standard clause that reads "your data may also be used for purposes that exceed the scope of the service".
These clauses can be worded so obliquely as to hide practically anything. I know, I wrote some. Luckily for us Europeans, the General Data Protection Regulation will improve the situation by a lot, which is why US corporations are lobbying hard for the so-called Privacy Shield, which would allow them to have their way with our data under the pretense that we Europeans would enjoy the same protection we do under European Law. Yeah, sure. And Santa will bring us candy if we're nice.
What I mean is that we no longer can afford to be naive or lax.
Unless you tell me exactly what data you will use to improve what metrics, I am not going to give you permission to use my data. Of course, this applies to "free" services as well as to paid ones.
And this is it.
Whatever you think, you must realise that the algorithmic is political. Tech is too important to be left to tech companies; all of us are involved.