Month: March 2022

Going Beyond Data Literacy
By Hassan Saad | March 2, 2022

Implementing a Data-Driven Approach

During the United States’ occupation of Afghanistan, several data-intensive tools have been developed to address problems plaguing the US-Afghan military coalition. Many have proven to be quite effective and have promised to bring an increased level of sophistication to systems that were previously relying on somewhat antiquated technology. In August of 2021, however, Taliban forces overtook Afghanistan upon the US military exit, and the tools meant to protect its citizens became a potential source of harm instead.

Ghost Soldiers

One of the tools developed consists of a database called the Afghan Personnel and Pay System (APPS). It hosts information about every member of the Afghan National Army and Afghan National Police, which is collected on the first day of their enlistment. In an effort to fight the common issue of “ghost soldiers,” the US military helped fund the development of the APPS (it’s important to note that it was not directly developed by a US-based organization/ subcontractor), to ensure that Afghan military and police salaries were being legitimately paid rather than lining the pockets of corrupt officials.
Curiously, the data is not limited to features that are relevant in the context of a payroll system. Data points such as “favorite fruit” and “uncle’s name” are combined with about 40 other features including salary, blood type, address, etc. The inclusion of unnecessary information makes it clear that data collection limitation was not a concern when developing the APPS. Furthermore, it establishes that there was no consideration of the risk associated with including secondary subjects within the dataset. Both these elements highlight the inexperience with which the APPS was developed despite the extremely sensitive nature of the underlying data.

The APPS is stored on an Afghan-managed database, which made it easier for the Taliban to access the information when they overran Kabul’s government buildings in 2021. To make matters worse, it’s not clear whether the payroll system considers any deletion or data retention protocols, which means it could contain records spanning back to the system’s creation in 2016. The Taliban has said that they will not use the data in retaliation against active and former coalition forces; however, many subjects still fear retribution for themselves and their family members whose information also resides in the APPS.

Is Data Literacy Enough?

As the world becomes more reliant on data-driven solutions and strategies, the concept of data literacy has never been more important. But the Afghan Personnel and Payroll System is just one situation that makes data literacy seem inadequate on its own. The cost savings associated with the implementation of the APPS were clear, and the power of using a data-driven solution was unquestionable. The resulting danger inflicted on the citizens of Afghanistan, however, begs the question of what the Afghani subcontractor could have done differently had the risks associated with a potential data breach been made more apparent to them upfront.

Currently only 71% of world nations have data privacy legislation in place, though there is virtually no hesitation to adopt data-intensive applications regardless of whether or not official protections exist. As well-intentioned as it may be, there is a high degree of risk associated with promoting the use of data-dependent tools and leaving them in the hands of those who may have had fewer opportunities to think about the underlying privacy implications. For developed nations, as we collectively march deeper into the information age, there may be a responsibility to educate and protect others against the potential risks inherent in data science procedures well before promoting the benefits in the foreground.

References:

Gregg, Aaron. “U.S. Taxpayers Paid Millions for Afghan Payroll System That Doesn’t Work as Intended, DOD Audit Says.” Washington Post, 23 Aug. 2019, www.washingtonpost.com/business/2019/08/23/us-taxpayers-paid-million-afghan-payroll-system-that-doesnt-work-intended-dod-audit-says.

Guo, Eileen. “This Is the Real Story of the Afghan Biometric Databases Abandoned to the Taliban.” MIT Technology Review, 31 Aug. 2021, www.technologyreview.com/2021/08/30/1033941/afghanistan-biometric-databases-us-military-40-data-points.

Provost, Claire. “Poorer Countries Need Privacy Laws as They Adopt New Technologies.” The Guardian, 15 Oct. 2020, www.theguardian.com/global-development/2013/dec/04/poorer-countries-privacy-laws-new-technology.

“Afghan Troop Numbers Down With Purge of Ghost Soldiers.” The National, 5 July 2021, www.thenationalnews.com/world/asia/afghan-troop-numbers-down-with-purge-of-ghost-soldiers-1.893252.

United Nations Conference on Trade and Development. “Data and Privacy Unprotected in One Third of Countries, Despite Progress.” UNCTAD.Org, unctad.org/news/data-and-privacy-unprotected-one-third-countries-despite-progress.

United Nations Conference on Trade and Development. “Data Protection and Privacy Legislation Worldwide.” UNCTAD.Org, unctad.org/page/data-protection-and-privacy-legislation-worldwide.

Self-Driving Cars or Surveillance on Wheels?
By MaKenzie Muller | March 2, 2022

Through the years, automotive safety has vastly improved with the help of new technology such as back-up cameras, driver assist functions, automatic lane detection, and self-driving modes. These new features require constant input from their surroundings – including the driver behind the wheel. From dash-cams and 360 degree sensors to infrared scans of driver head movement, our cars may be gathering more data on us than we think.

New and Improved Features

In March of 2020, Tesla announced a software update that would begin the use of it’s driver facing cameras in the Model Y and Model 3 vehicles. These rear-view mirror cameras existed in the cars for almost three years without use. While Elon Musk stated that the cameras were intended to prevent vandalism during Tesla’s taxi program, the release notes asked consumers to allow the camera to capture audio and video in order to “develop safety features and enhancements in the future”. While the software update and enabling the new camera were optional, the tactic of urging drivers to authorize the camera use for research and development casts a shadow on how the information may be used for business purposes.

Keeping passengers safe or putting them at risk?

Driver monitoring systems aren’t limited to just one brand. Trusted makers such as Ford and BMW also deliver driver assist features. In June 2020, Ford announced that it’s newest Mustang and F150 trucks would be equipped with hands-free driving technology on pre-mapped North American highways. To further limit distracted driving, Beverly Bower of JD Power writes, “an infrared driver-facing camera will monitor head positioning and eye movement, even if the driver is wearing sunglasses.” Ford delineates the information they collect about drivers in their vehicles in their Connected Vehicle privacy policy; they gather data about the car’s performance, driving behavior and patterns, audio and visual information, as well as media connections to the car itself. They do not specify how long recordings or other personal information may be stored. The policy specifically recommends that the driver “inform[s] passengers and other drivers of the vehicle that Connected Vehicle Information is being collected and used by us and our service providers.” The company also vaguely states that they retain data for as long as necessary to fulfill their services, essentially allowing them to keep it as long as it is useful for the business. Suggesting that a Ford owner divulge the use of data collection to passengers implores a look into exactly what information is being gathered and why.

Second-hand cars and second-hand data

On the surface, it appears that companies are following privacy guidelines and requirements, but have very little in the way of ensuring that consumers understand the impact of their decisions. Most of the driver assist policies reviewed for this article reiterate the optional use of these features, and that driver data often does not leave the vehicle. The vehicle manufacturers elicit consent from buyers in order to use the services, much in the same manner websites and mobile apps do. The policies also include information about how the data can be retained locally on a SIM card in the console, for example. To that end, owner to owner used car sales introduce a unique potential harm of inadvertently passing personal information onto the next buyer. Ford in particular recommends performing a master reset of the vehicle prior to selling second-hand. Continually, as cars become more and more advanced, it is becoming increasingly difficult to opt out of the many cutting-edge features. Paying premium for the latest models only to not use these pricy features leaves many buyers in a difficult spot.

References
https://www.enisa.europa.eu/news/enisa-news/cybersecurity-challenges-in-the-uptake-of-artificial-intelligence-in-autonomous-driving

https://www.jdpower.com/cars/shopping-guides/what-is-ford-active-drive-assist

Tesla releases new software update with bunch of new features

https://www.optalert.com/optalert-drowsiness-attentiveness-monitoring/

https://news.ucar.edu/132828/favorable-weather-self-driving-vehicles

The Flawed Federal Expansion of Facial Recognition Software
By Amar Chatterjee | March 2, 2022

The past few months at the I.R.S. have been mired in controversy over the partnership with a facial recognition technology company called ID.me. In November 2021, the agency made a major decision requiring all citizens to create an ID.me account in order to access basic online services such as applying for a payment plan or checking the payment status of child tax credits. Citing a desire to improve user experience, the I.R.S. plowed forward with the rollout clearly not having thought through possible side-effects. The arduous 13-step registration process is not for the tech illiterate, requiring photos of official documentation as well as a video selfie to be uploaded to the company’s servers for identity verification.

For the thousands of citizens who faced hurdles during the registration process due to inadequate technical skills, resources, or a myriad of other possible issues, the only option was to wait on hold for hours to speak with an ID.me “Trusted Referee”. It would be easy to repeatedly abandon or postpone the registration process for the average American balancing their daily responsibilities.

The use of facial recognition software by the government to this degree is also unprecedented, with far too much risk around how the data will be protected into the future. There are no federal regulations in existence today to govern facial recognition technology on a national scale, nor how that data might be shared externally. ID.me’s Privacy Terms do little to quell concerns on data usage and management, and registrants could easily find themselves the victim of Big Brother government tactics. There have been numerous issues associated with facial recognition inaccuracies that have disproportionately impacted certain communities, especially persons of color.

Finally, after months of horrible press due to the clunky registration process, poor customer service, and cries from civil rights groups to put a stop to the program, the I.R.S. finally walked back its strategy in early February 2022. A rare display of overwhelming bipartisan backlash put the final nail in the coffin, and the I.R.S. has stated they will “transition away” from using ID.me as an authentication service provider (Rappeport and Hill 2022).

So where do we go from here? For starters, let’s cease the use of facial recognition technology as a precursor to accessing essential services. Let’s also insist that our federal agencies think far more critically about these implementations to understand impacts prior to going live. The sad reality is that few employees in charge of devising and spearheading such programs are rarely ever in a position to need to use them, hampering their ability to meaningfully consider all perspectives. Additionally, if the federal government is serious about combatting identity theft, then it should invest appropriately in a robust government-sponsored program rather than a third-party, for-profit organization. It is worth noting that the $86 million dollar contract awarded to ID.me by the Treasury Department was not its first governmental contract, as it maintains active partnerships with the Social Security Administration, the Department of Veterans Affairs, as well as many state agencies (Rappeport and Hill 2022). Senate Finance Committee Chair Ron Wyden (D-Oregon) has suggested that the I.R.S. simply leverage Login.gov, an existing authentication system that is already used by millions of Americans for some federal services (Chu 2022).

The jury is still out on how the biometric data of millions whom have already registered for an ID.me account will be managed, or better yet, purged. Earlier this month, the company did publish a statement that “it will let anyone who created an account through the company to delete their selfies starting March 1”, but that process remains to be seen (Picchi and Ivanova 2022). While the I.R.S. has committed to helping have user data deleted, there have been no further details provided on how that will be accomplished. This is an extremely fluid situation with new information weekly, but hopefully we will see a swift and fair resolution soon.

In 1789 Ben Franklin famously said, “In this world, nothing is certain except death and taxes”. Let’s not add a violation of privacy to that list.

References:

1. Chu, K. (2022, February 7). Wyden calls on IRS to end use of facial recognition for online accounts: The United States Senate Committee on Finance. United States Senate Committee On Finance. Retrieved February 18, 2022, from https://www.finance.senate.gov/chairmans-news/wyden-calls-on-irs-to-end-use-of-facial-recognition-for-online-accounts

2. Harwell, D. (2022, January 27). IRS plan to scan your face prompts anger in Congress, confusion among taxpayers. The Washington Post. Retrieved February 18, 2022, from https://www.washingtonpost.com/technology/2022/01/27/irs-face-scans/

3. Joshi, N. (2019, November 9). Six reasons you should be worried about facial recognition. Allerin. Retrieved February 18, 2022, from https://www.allerin.com/blog/six-reasons-you-should-be-worried-about-facial-recognition

4. Krebs, B. (2022, January 19). IRS will soon require selfies for online access. Krebs on Security. Retrieved February 18, 2022, from https://krebsonsecurity.com/2022/01/irs-will-soon-require-selfies-for-online-access/

5. Picchi, A., & Ivanova, I. (2022, February 9). ID.me says users can delete selfies following IRS backlash. CBS News. Retrieved February 18, 2022, from https://www.cbsnews.com/news/irs-id-me-delete-facial-recognition-tax-returns-backlash/

6. Rappeport, A., & Hill, K. (2022, February 7). I.R.S. to end use of facial recognition for identity verification. The New York Times. Retrieved February 8, 2022, from https://www.nytimes.com/2022/02/07/us/politics/irs-idme-facial-recognition.html

7. Roth, E. (2022, January 29). The IRS is reportedly looking for ID.ME alternatives amid privacy concerns. The Verge. Retrieved February 8, 2022, from https://www.theverge.com/2022/1/29/22907853/irs-idme-facial-recognition-alternatives-privacy-concerns