An anonymous reader quotes a report from The New York Times: The Senate Intelligence Committee concluded Thursday that election systems in all 50 states were targeted by Russia in 2016 (Warning: source may be paywalled; alternative source), largely undetected by the states and federal officials at the time, but at the demand of American intelligence agencies the committee was forced to redact its findings so heavily that key lessons for the 2020 election are blacked out. Even key findings at the beginning of the report were heavily redacted. It concluded that while there is no evidence that any votes were changed in actual voting machines, "Russian cyberactors were in a position to delete or change voter data" in the Illinois voter database. The committee found no evidence that they did so. While the report is not directly critical of either American intelligence agencies or the states, it described what amounted to a cascading intelligence failure, in which the scope of the Russian effort was underestimated, warnings to the states were too muted, and state officials either underreacted or, in some cases, resisted federal efforts to offer help.

A ransomware infection at an electricity provider in the city of Johannesburg, South Africa's biggest city and financial capital, has left some of its residents without power. From a report: The ransomware infection impacted City Power -- a provider of pre-paid electric power for Johannesburg residents and local companies. The malware encrypted the company's database, internal network, web apps, and official website.

An anonymous reader quotes a report from MIT Technology Review: The most common way public agencies protect our identities is anonymization. This involves stripping out obviously identifiable things such as names, phone numbers, email addresses, and so on. Data sets are also altered to be less precise, columns in spreadsheets are removed, and "noise" is introduced to the data. Privacy policies reassure us that this means there's no risk we could be tracked down in the database. However, a new study in Nature Communications suggests this is far from the case. Researchers from Imperial College London and the University of Louvain have created a machine-learning model that estimates exactly how easy individuals are to reidentify from an anonymized data set. You can check your own score here, by entering your zip code, gender, and date of birth.

On average, in the U.S., using those three records, you could be correctly located in an "anonymized" database 81% of the time. Given 15 demographic attributes of someone living in Massachusetts, there's a 99.98% chance you could find that person in any anonymized database. The tool was created by assembling a database of 210 different data sets from five sources, including the U.S. Census. The researchers fed this data into a machine-learning model, which learned which combinations are more nearly unique and which are less so, and then assigns the probability of correct identification.

"Fight For the Future, a tech-focused nonprofit, on Thursday released its Ban Facial Recognition map, logging the states and cities using surveillance technology," reports CNET -- noting that "surveillance technology" in this case includes Amazon's Ring doorbell security cameras. A CNET investigation earlier this year highlighted the close ties between Ring and police departments across the US, many of which offer free or discounted Ring doorbells using taxpayer money. The cameras have helped police create an easily accessible surveillance network in neighborhoods and allowed law enforcement to request videos through an app. The arrangement has critics worried about the erosion of privacy. Until the release of Fight for the Future's map, there was no comprehensive directory of all the police departments that had partnered with Ring. Now you can find them by going on the map and toggling it to "Police (Local)." It lists more than 40 cities where police have partnered with Amazon for Ring doorbells....

The map is far from complete. Police departments aren't always up front about the technology that they're using. On the interactive map, Fight for the Future asked visitors to send it any new entries to add to the map.... The map also has filters for airports, stores and stadiums that are using facial recognition, as well as states that provide driver's license photos to the FBI's database of faces...

. Fight for the Future's map also features a filter for regions where facial recognition use by government is banned. For now, that's only in San Francisco; Somerville, Massachusetts; and Oakland, California.
The group's deputy director told CNET that the map's goal is allowing people "to turn their ambient anxiety into effective action by pushing at the local and state level to ban this dangerous tech.

"No amount of regulation will fix the threat posed by facial recognition," he added. "It must be banned."

A giant data store quietly being built in India could free vast swathes of science for computer analysis -- but whether it is a legal pursuit remains unclear. From a report: Carl Malamud is on a crusade to liberate information locked up behind paywalls -- and his campaigns have scored many victories. He has spent decades publishing copyrighted legal documents, from building codes to court records, and then arguing that such texts represent public-domain law that ought to be available to any citizen online. Sometimes, he has won those arguments in court. Now, the 60-year-old American technologist is turning his sights on a new objective: freeing paywalled scientific literature. And he thinks he has a legal way to do it. Over the past year, Malamud has -- without asking publishers -- teamed up with Indian researchers to build a gigantic store of text and images extracted from 73 million journal articles dating from 1847 up to the present day.

The cache, which is still being created, will be kept on a 576-terabyte storage facility at Jawaharlal Nehru University (JNU) in New Delhi. "This is not every journal article ever written, but it's a lot," Malamud says. It's comparable to the size of the core collection in the Web of Science database, for instance. Malamud and his JNU collaborator, bioinformatician Andrew Lynn, call their facility the JNU data depot. No one will be allowed to read or download work from the repository, because that would breach publishers' copyright. Instead, Malamud envisages, researchers could crawl over its text and data with computer software, scanning through the world's scientific literature to pull out insights without actually reading the text. The unprecedented project is generating much excitement because it could, for the first time, open up vast swathes of the paywalled literature for easy computerized analysis.

Dozens of research groups already mine papers to build databases of genes and chemicals, map associations between proteins and diseases, and generate useful scientific hypotheses. But publishers control -- and often limit -- the speed and scope of such projects, which typically confine themselves to abstracts, not full text. Researchers in India, the United States and the United Kingdom are already making plans to use the JNU store instead. Malamud and Lynn have held workshops at Indian government laboratories and universities to explain the idea. "We bring in professors and explain what we are doing. They get all excited and they say, 'Oh gosh, this is wonderful'," says Malamud. But the depot's legal status isn't yet clear. Malamud, who contacted several intellectual-property (IP) lawyers before starting work on the depot, hopes to avoid a lawsuit.

The database of Bulgaria's National Revenue Agency (NRA), which was hacked over the weekend and sent to local reporters, is now being shared on hacking forums, ZDNet has learned from sources in the threat intelligence community. From a report: Download links to the hacked database have been shared by a hacked data trader known as Instakilla, believed to be operating out of Bulgaria. ZDNet obtained a copy of the database and verified its authenticity with local sources, and this is a copy of the same database sent to local media over the weekend. The database contains 57 folders, 10.7 GB in size, and holds personal and financial information consistent with what Bulgarian newspapers reported receiving over the weekend. This includes personally identifiable information, tax information, from both the NRA, and from other government agencies who shared their data.

Robert Epstein, an American psychologist, professor, author and journalist critical of Google, argues that Google's monopoly on search can be broken by making its index public. An anonymous reader shares an excerpt from the report via Bloomberg: Different tech companies pose different kinds of threats. I'm focused here on Google, which I've been studying for more than six years through both experimental research and monitoring projects. (Google is well aware of my work and not entirely happy with me. The company did not respond to requests for comment.) Google is especially worrisome because it has maintained an unopposed monopoly on search worldwide for nearly a decade. It controls 92 percent of search, with the next largest competitor, Microsoft's Bing, drawing only 2.5%. Fortunately, there is a simple way to end the company's monopoly without breaking up its search engine, and that is to turn its "index" -- the mammoth and ever-growing database it maintains of internet content -- into a kind of public commons.

Doesn't Google already share its index with everyone in the world? Yes, but only for single searches. I'm talking about requiring Google to share its entire index with outside entities -- businesses, nonprofit organizations, even individuals -- through what programmers call an application programming interface, or API. Google already allows this kind of sharing with a chosen few, most notably a small but ingenious company called Startpage, which is based in the Netherlands. In 2009, Google granted Startpage access to its index in return for fees generated by ads placed near Startpage search results. With access to Google's index -- the most extensive in the world, by far -- Startpage gives you great search results, but with a difference. Google tracks your searches and also monitors you in other ways, so it gives you personalized results. Startpage doesn't track you -- it respects and guarantees your privacy -- so it gives you generic results. Some people like customized results; others treasure their privacy. In closing, Epstein writes that dozens of Startpage variants would turn up within months of opening up access to Google's index. "Many would target niche audiences -- some small, perhaps, like high-end shoppers, and some huge, like all the world's women, and most of these platforms would do a better job of serving their constituencies than Google ever could," he writes.

"These aren't just alternatives to Google, they are competitors -- thousands of search platforms, each with its special focus and emphasis, each drawing on different subsets of information from Google's ever-expanding index, and each using different rules to decide how to organize the search results they display. Different platforms would likely have different business models, too, and business models that have never been tried before would quickly be tested."

"Allowing cash to die would be a grave mistake. A cashless society is a surveillance society," writes Reason, adding that "The recent round of protests in Hong Kong highlights exactly what we have to lose..."

schwit1 shared their report: [T]ens of thousands of Hongkongers took to the streets to protest what they saw as creeping tyranny from a powerful threat. But they did it in a very particular way. In Hong Kong, most people use a contactless smart card called an "Octopus card" to pay for everything from transit, to parking, and even retail purchases. It's pretty handy: Just wave your tentacular card over the sensor and make your way to the platform. But no one used their Octopus card to get around Hong Kong during the protests. The risk was that a government could view the central database of Octopus transactions to unmask these democratic ne'er-do-wells. Traveling downtown during the height of the protests? You could get put on a list, even if you just happened to be in the area.

So the savvy subversives turned to cash instead. Normally, the lines for the single-ticket machines that accept cash are populated only by a few confused tourists, while locals whiz through the turnstiles with their fintech wizardry. But on protest days, the queues teemed with young activists clutching old school paper notes. As one protestor told Quartz: "We're afraid of having our data tracked." Using cash to purchase single tickets meant that governments couldn't connect activists' activities with their Octopus accounts. It was instant anonymity. Sure, it was less convenient. And one-off physical tickets cost a little more than the Octopus equivalent. But the trade-off of avoiding persecution and jail time was well worth it.

What could protestors do in a cashless world...? If some of our eggheads had their way, the protestors would have had no choice.
The article concludes that "there is simply no substitute for the privacy that cash, including digitized versions like cryptocurrencies, provide."

Security researchers have devised a method to abuse a legitimate Microsoft Excel technology named Power Query to run malicious code on users' systems with minimal interaction. ZDNet reports: Power Query is a data connection technology that can allow Excel files to discover, connect, combine, and manipulate data before importing it from remote sources, such as an external database, text document, another spreadsheet, or a web page. The tool is included with recent versions of Excel and available as a separate downloadable add-in for older Excel versions.

In research published today and shared with ZDNet, Ofir Shlomo, a security researcher with the Mimecast Threat Center, described a technique through which Power Query features could be abused to run malicious code on users' systems. The technique relies on creating malformed Excel documents that use Power Query to import data from an attacker's remote server. "Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened," Shlomo said. "The malicious code could be used to drop and execute malware that can compromise the user's machine." Mimecast's technique can even bypass security sandboxes that analyze documents sent via email before allowing users to download and open them. Microsoft has yet to issue a fix for the vulnerability, but did release an advisory document for users, offering a way to beef up security.

A Slashdot reader shares a story from Ars Technica about what happened after Minnesota's Department of Natural Resources sent a privacy notification to a police officer in 2013: An employee had abused his access to a government driver's license database and snooped on thousands of people in the state, mostly women. Krekelberg learned that she was one of them. When Krekelberg asked for an audit of accesses to her Department of Motor Vehicles records, as allowed by Minnesota state law, she learned that her information -- which would include things like her address, weight, height, and driver's license pictures -- had been viewed nearly 1,000 times since 2003, even though she was never under investigation by law enforcement... She later learned that over 500 of those lookups were conducted by dozens of other cops. Even more eerie, many officers had searched for her in the middle of the night.

Krekelberg eventually sued the city of Minneapolis, as well as two individual officers, for violating the Driver's Privacy Protection Act, which governs the disclosure of personal information collected by state Departments of Motor Vehicles. Earlier this week, she won. On Wednesday, a jury awarded Krekelberg $585,000, including $300,000 in punitive damages from the two defendants, who looked up Krekelberg's information after she allegedly rejected their romantic advances, according to court documents...

More lawmakers have started advocating for data privacy regulations at the state and federal level, but those conversations have mostly focused on reining in big tech companies, rather than information that public employees can access.
Minneapolis's city attorney responded that the police department has changed its policies -- which had previously encouraged officers learning how to use the database to "go back to work and look up some of [their] friends and family members."

"Delta Air Lines announced it will give passengers who fly out of Minneapolis-St. Paul International Airport the option to use facial recognition to board their flight instead of a standard boarding pass," reported a CBS affiliate this week.

The facial scanners will be installed this week at 16 gates, with availability on all international flights through Delta beginning in July. The airline is working with Customs and Border Protection on the process. The way it works is gate agents use facial scans for boarding passengers so that they don't need to manually compare their faces and their passport photos. They can skip to using the facial technology. Delta says the process saves about two seconds per passenger or about nine minutes for a plane with 270 people.
Delta says 72% of its customers have said they prefer facial recognition to standard boarding procedures. But James Lileks, a columnist for the Star Tribune, explains some of the ways this makes him uncomfortable: Here's the thing. You don't sign up for the facial recognition. You don't send them your face. They already have it. This part is just... glided over in the news reports, waved away like a minor detail you needn't worry your silly little head about.

The picture they probably have is my passport photo, taken in 2010... So I guess I'll have to stuff my cheeks with cotton before I lean into the machine that connects to a database of everyone's mug, and hope it doesn't go off
"I don't know what they do with people who grew a beard," Lileks adds, "but there's probably the option to shave on the spot."

83-year-old former U.S. Senatior Ron Paul has published a new editorial on Zero Hedge: Last week, the House of Representatives voted in favor of a Labor, Health and Human Services, and Education appropriations bill amendment to repeal the prohibition on the use of federal funds to create a 'unique patient identifier.' Unless this prohibition, which I originally sponsored in 1998, is reinstated, the federal government will have the authority to assign every American a medical ID.

This ID will be used to store and track every American's medical history.

A unique patient identifier would allow federal bureaucrats and government-favored special interests to access health information simply by entering an individual's unique patient ID into a database. This system would also facilitate the collection of health information without a warrant by surveillance state operatives...

The unique patient identifier system puts the desires of government bureaucrats and politically powerful special interests ahead of the needs of individual patients and health care providers. Instead of further intervening in health care and further destroying our privacy and our liberties, Congress should give patients control over their health care by giving them control over health care dollars through expanding access to Health Savings Accounts and health care tax credits. In a free market, patients and doctors can and will work tighter to ensure patients' records are maintained in a manner that provides maximum efficiency without endangering privacy or liberty.

An anonymous reader quotes a report from ZDNet: A MongoDB database was left open on the internet without a password, and by doing so, exposed the personal details and prescription information for more than 78,000 U.S. patients. The database contained information on 391,649 prescriptions for a drug named Vascepa; used for lowering triglycerides (fats) in adults that are on a low-fat and low-cholesterol diet. Additionally, the database also contained the collective information of over 78,000 patients who were prescribed Vascepa in the past. Leaked information included patient data such as full names, addresses, cell phone numbers, and email addresses, but also prescription info such as prescribing doctor, pharmacy information, NPI number (National Provider Identifier), NABP E-Profile Number (National Association of Boards of Pharmacy), and more. According to vpnMentor, the company that left the database open may have violated HIPAA, and may be in line for a hefty fine for failing to encrypt the patient data it had stored on the database server, a HIPAA golden rule," the report adds. "However, Dissent, the administrator of DataBreaches.net, a website dedicated to tracking data breaches and HIPAA violations, told ZDNet that just because a system stores medical information, it doesn't mean it's necessarily covered by HIPAA. Until the database owner is found, no other conclusions can be drawn."

Over a quarter of all the major content management systems (CMSs) use the old and outdated MD5 hashing scheme as the default for securing and storing user passwords. From a report: Some of the projects that use MD5 as the default method for storing user passwords include WordPress, osCommerce, SuiteCRM, Simple Machines Forum, miniBB, MyBB, SugarCRM, CMS Made Simple, MantisBT, Phorum, Observium, X3cms, and Composr. The MD5 algorithm has been cracked for years now, meaning all passwords stored in this format can be reversed back to their plaintext version. This means that unless website owners changed these default settings by modifying the CMS source code, most websites built on top of these CMSs puts user passwords at risk in the case a hacker steals the site's database. This revelation is just one of the many observations that came out of an extensive academic research project at the University of Piraeus, in Greece. Academics examined 49 commonly used CMSs and 47 popular web application frameworks and looked at their default password storage mechanism, namely their password hashing schemes.

This week Pinboard founder Maciej Ceglowski (also a web developer and social critic) asked readers of his blog to consider an emerging threat to ambient privacy.

He defines it as "the understanding that there is value in having our everyday interactions with one another remain outside the reach of monitoring, and that the small details of our daily lives should pass by unremembered." Until recently, ambient privacy was a simple fact of life. Recording something for posterity required making special arrangements, and most of our shared experience of the past was filtered through the attenuating haze of human memory. Even police states like East Germany, where one in seven citizens was an informer, were not able to keep tabs on their entire population. Today computers have given us that power. Authoritarian states like China and Saudi Arabia are using this newfound capacity as a tool of social control. Here in the United States, we're using it to show ads. But the infrastructure of total surveillance is everywhere the same, and everywhere being deployed at scale....

Because our laws frame privacy as an individual right, we don't have a mechanism for deciding whether we want to live in a surveillance society. Congress has remained silent on the matter, with both parties content to watch Silicon Valley make up its own rules. The large tech companies point to our willing use of their services as proof that people don't really care about their privacy. But this is like arguing that inmates are happy to be in jail because they use the prison library. Confronted with the reality of a monitored world, people make the rational decision to make the best of it.

That is not consent...

Our discourse around privacy needs to expand to address foundational questions about the role of automation: To what extent is living in a surveillance-saturated world compatible with pluralism and democracy? What are the consequences of raising a generation of children whose every action feeds into a corporate database? What does it mean to be manipulated from an early age by machine learning algorithms that adaptively learn to shape our behavior? That is not the conversation Facebook or Google want us to have. Their totalizing vision is of a world with no ambient privacy and strong data protections, dominated by the few companies that can manage to hoard information at a planetary scale. They correctly see the new round of privacy laws as a weapon to deploy against smaller rivals, further consolidating their control over the algorithmic panopticon.

An anonymous reader quotes a report from TechCrunch: U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States. The photos were stolen from a subcontractor's network through a "malicious cyberattack," a CBP spokesperson told TechCrunch in an email. "CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," said an agency statement. "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," the statement read. he agency first learned of the breach on May 31. When asked, a spokesperson for CBP didn't say how many photos were taken in the breach or if U.S. citizens were affected. The agency also didn't name the subcontractor. The database that the agency maintains includes traveler images, as well as passport and visa photos. Congress has been notified and the CBP said it is "closely monitoring" CBP-related work by the subcontractor.

The world's seed-bearing plants have been disappearing at a rate of nearly 3 species a year since 1900 -- which is up to 500 times higher than would be expected as a result of natural forces alone, according to the largest survey yet of plant extinctions. From a report: The project looked at more than 330,000 species and found that plants on islands and in the tropics were the most likely to be declared extinct. Trees, shrubs and other woody perennials had the highest probability of disappearing regardless of where they were located. The results were published on 10 June in Nature Ecology & Evolution. The study provides valuable hard evidence that will help with conservation efforts, says Stuart Pimm, a conservation scientist at Duke University in Durham, North Carolina. The survey included more plant species by an order of magnitude than any other study, he says. "Its results are enormously significant."

The work stems from a database compiled by botanist Rafael Govaerts at the Royal Botanic Gardens, Kew, in London. Govaerts started the database in 1988 to track the status of every known plant species. As part of that project, he mined the scientific literature and created a list of seed-bearing plant species that were ruled extinct, and noted which species scientists had deemed to be extinct but were later rediscovered. In 2015, Govaerts teamed up with plant evolutionary biologist Aelys Humphreys at Stockholm University in Sweden and others to analyse the data. They compared extinction rates across different regions and characteristics such as whether the plants were annuals that regrow from seed each year or perennials that endure year after year. The researchers found that about 1,234 species had been reported extinct since the publication of Carl Linnaeus's compendium of plant species, Species Plantarum, in 1753. But more than half of those species were either rediscovered or reclassified as another living species, meaning 571 are still presumed extinct.

A map of plant extinctions produced by the team shows that flora in areas of high biodiversity and burgeoning human populations, such as Madagascar, the Brazilian rainforests, India and South Africa, are most at risk. Humphreys says that the rates of extinction in the tropics is beyond what researchers expect, even when they account for the increased diversity of species in those habitats. And islands are particularly sensitive because they are likely to contain species found nowhere else in the world and are especially susceptible to environmental changes, says Humphreys.

Police investigators have used popular online DNA databases to solve at least 50 open murder and rape cases, reports the Associated Press. But now, "complaints about invasion of privacy have produced a backlash, leading the Florida-based database known as GEDmatch to change its policies." The nonprofit website's previous practice was to permit police to use its database only to solve homicides and sexual assaults. But its operators granted a Utah police department an exception to find the assailant who choked unconscious a 71-year-old woman practicing the organ alone in church. The assailant's DNA profile led detectives to the great-uncle of a 17-year-old boy. The teen's DNA matched the attacker's, and he was arrested. GEDmatch soon updated its policy to establish that law enforcement only gets matches from the DNA profiles of users who have given permission.

That closed off more than a million profiles. More than 50,000 users agreed to share their information -- a figure that the company says is growing. The 95% reduction in GEDmatch profiles available to police will dramatically reduce the number of hits detectives get and make it more difficult to solve crimes, said David Foran, a forensics biology professor at Michigan State University...

The American Civil Liberties Union and other critics say granting law enforcement exceptions that violate a website's policies is a slippery slope. They also believe broad genetic searches violate suspects' constitutional rights. While many people instinctively support the technique if used to catch serial killers or rapists, they might feel differently about their DNA profiles being analyzed to pursue burglars and shoplifters.
The site's co-founder tells the AP they've now sent an email to users encouraging them to opt-in to police searches.

Microsoft has quietly pulled from the internet its database of 10 million faces [Editor's note: the link may be paywalled; alternative source], which has been used to train facial recognition systems around the world, including by military researchers and Chinese firms such as SenseTime and Megvii. From a report: The database, known as MS Celeb, was published in 2016 and described by the company as the largest publicly available facial recognition data set in the world, containing more than 10m images of nearly 100,000 individuals. The people whose photos were used were not asked for their consent, their images were scraped off the web from search engines and videos under the terms of the Creative Commons license that allows academic reuse of photos.

Microsoft, which took down the database days after the FT reported on its use by companies, said: "The site was intended for academic purposes. It was run by an employee that is no longer with Microsoft and has since been removed." Two other data sets have also been taken down since the FT report was published in April, including the Duke MTMC surveillance data set built by Duke University researchers, and a Stanford University data set called Brainwash.

Microsoft and Oracle announced a new alliance today that will see the two companies directly connect their clouds over a direct network connection so that their users can then move workloads and data seamlessly between the two. This alliance goes a bit beyond just basic direct connectivity and also includes identity interoperability. TechCrunch reports: This kind of alliance is relatively unusual between what are essentially competing clouds, but while Oracle wants to be seen as a major player in this space, it also realizes that it isn't likely to get to the size of an AWS, Azure or Google Cloud anytime soon. For Oracle, this alliance means that its users can run services like the Oracle E-Business Suite and Oracle JD Edwards on Azure while still using an Oracle database in the Oracle cloud, for example. With that, Microsoft still gets to run the workloads and Oracle gets to do what it does best (though Azure users will also continue be able to run their Oracle databases in the Azure cloud, too).

For now, the direct interconnect between the two clouds is limited to Azure US East and Oracle's Ashburn data center. The two companies plan to expand this alliance to other regions in the future, though they remain mum on the details. It'll support applications like JD Edwards EnterpriseOne, E-Business Suite, PeopleSoft, Oracle Retail and Hyperion on Azure, in combination with Oracle databases like RAC, Exadata and the Oracle Autonomous Database running in the Oracle Cloud.