Fallout From Ashley Madison Breach Includes Extortion and Possible Suicides
There were bound to be consequences after hackers posted two extensive Ashley Madison data dumps last week. Canadian police said Monday that they have confirmed reports of extortion in which criminals threatened to expose someone whose name is on the user list if they didn’t pay to keep it quiet. Authorities have reported two alleged suicides among Ashley Madison users, though they have not confirmed whether they are connected to the data breach.
The Associated Press reports that Toronto Police Acting Staff-Superintendent Bryce Evans said, "This hack is one of the largest data breaches in the world. ... This is affecting all of us." He described the breach as having an "enormous social and economic fallout" and noted that the police are also investigating a link between the breach and some recent hate crimes.
Avid Life Media Inc., which owns Ashley Madison and is a Toronto-based company, is offering a $500,000 Canadian (about $379,000) reward in an attempt to get information about the identity of the hackers. The AP reports that Canadian police are working with the FBI to try to identify the culprits.
At least one company is using the whole unfortunate situation as a PR opportunity. Travel group CheapAir.com is offering $50 vouchers for anyone who sends the company a message from an email address that was disclosed on the leaked user list. "If your relationship is in ruins and you’re thinking about heading out of town, we have a solution for you," the company wrote. "You may have made some mistakes, but a vacation may be just what you both need right now." Tasteful.
Though most of the damage has already been done, there is one thing people can do to mitigate further loss: Remember that the Ashley Madison data is already public (if slightly tricky to access). Don't believe anyone who says they can remove your information for a fee. It's too late.
Twitter Shutters Accounts That Log Politicians’ Deleted Tweets
The cool thing about Twitter is that most of the things posted on it are public. You can see what anyone is thinking about, whether they're friends you know IRL, celebrities, or professionals you admire. But this quality isn't just a "cool thing," it's ... the whole point of Twitter, a fact that Twitter has possibly forgotten.
On Friday night, Twitter blocked 31 accounts owned by the Open State Foundation (a digital transparency group) that logged deleted tweets from politicians and diplomats around the world. We already knew that Twitter didn't take kindly to these types of accounts, because it removed the Sunlight Foundation's Politwoops U.S. account (which monitored the gaffes and revisions of American politicians) in June.
The company told the Open State Foundation that it had considered its decision carefully and said in a statement, “Imagine how nerve-racking—terrifying, even—tweeting would be if it was immutable and irrevocable? No one user is more deserving of that ability than another. Indeed, deleting a tweet is an expression of the user’s voice.”
This is an extension of the statement Twitter gave in June about its decision to suspend Politwoops U.S. The company told Gawker:
We strongly support Sunlight’s mission of increasing transparency in politics and using civic tech and open data to hold government accountable to constituents, but preserving deleted Tweets violates our developer agreement. Honoring the expectation of user privacy for all accounts is a priority for us, whether the user is anonymous or a member of Congress.
But there is extensive precedent—legally, journalistically, and generally—that public figures have a lower expectation of privacy than average people, especially when it comes to actions carried out in a public forum like Twitter.
Arjan El Fassed, the director of the Open State Foundation, told the Guardian, "What politicians say in public should be available to anyone. This is not about typos but it is a unique insight on how messages from elected politicians can change without notice."
There are still ways for the Open State Foundation or anyone to continue recording deleted tweets. Twitter can't stop people from watching politicians' accounts in real time—the company can only block access to its application program interface, which was allowing Politwoops accounts to automate the process of monitoring for deleted tweets. The Guardian notes that the British Politwoops, formerly @deletedbyMPs, is continuing on its website.
Philip Bump wrote in the Washington Post in June that "the rationale for shuttering Politwoops is flawed." But Twitter seems set on enforcing it, at least for now.
Should Cops Be Allowed to Take Control of Self-Driving Cars?
A few lines in a seemingly routine RAND Corp. report on the future of technology and law enforcement last week raised a provocative question: Should police have the power to take control of a self-driving car?
Here’s a hypothetical scenario from the report’s introduction:
The police officer directing traffic in the intersection could see the car barreling toward him and the occupant looking down at his smartphone. Officer Rodriguez gestured for the car to stop, and the self-driving vehicle rolled to a halt behind the crosswalk.
That seems like a pretty plausible interaction. Human drivers are required to pull over when a police officer gestures for them to do so. It’s reasonable to expect that self-driving cars would do the same. To look at it another way: Self-driving cars are programmed to stop at red lights and stop signs. Surely they should also be programmed to stop when a police officer flags them down. It is, after all, the law.
It’s clear, then, that police officers should have some power over the movements of self-driving cars. What’s less clear is where to draw the line. If a police officer can command a self-driving car to pull over for his own safety and that of others on the road, can he do the same if he suspects the passenger of a crime? And what if the passenger doesn’t want the car to stop—can she override the command, or does the police officer have ultimate control?
A brief section on connected and autonomous cars later in the report outlined other ways police could take advantage of the technology:
Imagine a law enforcement officer interacting with a vehicle that has sensors connected to the Internet. With the appropriate judicial clearances, an officer could ask the vehicle to identify its occupants and location histories. … Or, if the vehicle is unmanned but capable of autonomous movement and in an undesirable location (for example, parked illegally or in the immediate vicinity of an emergency), an officer could direct the vehicle to move to a new location (with the vehicle’s intelligent agents recognizing “officer” and “directions to move”) and automatically notify its owner and occupants.
Again, that all sounds benign enough, in itself. But if police have the capability to glean personal information from a sensor-equipped car, who will ensure that they have the appropriate clearances before doing so? And what if police want to direct the movements of a self-driving car when it does have humans inside?
The RAND study, commissioned by the National Institute of Justice, did not attempt to answer those questions directly. Rather, it asked a panel of 16 experts in criminal justice and technology to identify imminent changes in information technology that might have an impact on law enforcement policies and procedures. What control police should have over self-driving cars was just one of numerous questions raised in the 32-page report, and it merited only a few paragraphs of discussion. Still, it’s clearly an issue that is on the radar of law enforcement already. And it’s likely to become more urgent in the coming years as self-driving cars attempt to cross the bridge from research project to commercial reality.
The report acknowledged that “the dark side to all of the emerging access and interconnectivity is the risk to the public’s civil rights, privacy rights, and security.” It added, “One can readily imagine abuses that might occur if, for example, capabilities to control automated vehicles and the disclosure of detailed personal information about their occupants were not tightly controlled and secured.”
You don’t even have to imagine it, really: Hackers are already taking control of cars via their onboard computers even without a built-in mechanism designed to allow it.
I asked the report’s lead author, RAND Corp. operations researcher John S. Hollywood, whether he got the sense that the law enforcement representatives on the panel were eager to push for law enforcement control of Internet-connected and self-driving cars. He told me they weren’t. Rather, in ranking their priorities, they put “developing policies and procedures for self-driving unmanned and automated vehicles” at the top of the list. Among the policy and procedure questions they may ponder: Will they need a warrant before accessing a self-driving car’s data? John Frank Weaver discussed that issue in more depth in a recent Future Tense post.
The panelists’ lowest-ranked priority: “Develop an interface for officers to directly take control of unmanned vehicles.”
While the ranking is reassuring, it’s a little unnerving that such an interface would register as a priority at all. It shouldn’t come as a surprise, however. Given how hard the federal government and its spy agencies have pushed for backdoor access to our social networks and email servers, there’s little doubt they’ll want the same with our cars.
Mozilla Wants All Your Favorite Chrome Extensions for Firefox
Whether you want to see even more cats on the Internet or you think Alphabet should just go back to calling itself Google, there's a Chrome extension to help. You can even get every website to refer to millennials by their proper name. Though developers also make extensions for Web portals like Safari and Opera, your favorite tool may not exist for your preferred browser. Mozilla wants to change that.
At about 6.6 percent market share, Mozilla's Firefox browser isn't exactly ubiquitous, but it is known for being at the fore of Web trends. (Google took a lot of cues—and Mozilla developers—from Firefox when it originally designed Chrome.) So a Friday announcement that Firefox is going to make extensions cross-compatible on different browsers could help spark a new fad.
Kev Needham, a Firefox engineer who works on search and add-ons, wrote in a blog post that:
We’ve noticed that many Firefox add-on developers also maintain a Chrome, Safari, or Opera extension with similar functionality. We would like add-on development to be more like Web development: the same code should run in multiple browsers according to behavior set by standards, with comprehensive documentation available from multiple vendors.
Needham points out that even though the change is supposed to make things easier for third-party extension developers, it will also create more work for some of them at first. For those who already develop for other browsers like Chrome, it will be easier to maintain extensions and add new features because everything will come from a single codebase. But developers who have created extensions specifically for Firefox will have to put work into revising their add-ons for the new setup. "We feel the end result will be worth that effort for both Firefox’s users and developers," Needham wrote.
If it means we can have all the extensions we want on any browser, it certainly sounds worth it.
UK Orders Google to Censor Links to Articles About “Right to Be Forgotten” Removals
The “right to be forgotten” has always been a double whammy of a disaster: an awful policy based on terrible ideas. Under the right, implemented in 2014 by the European Court of Justice, private citizens can petition search engines to hide results that pertain to their pasts. As a policy, the right to be forgotten is bad because companies like Google have legitimate free speech interests in presenting their results as they see fit. As an idea, it’s bad because it bars search engines from publishing truthful information about a matter of public concern—a troubling precedent which, taken to its logical end, could lead to serious censorship.
That process has already begun in the United Kingdom, where the Information Commissioner’s Office recently pushed Google further down the memory hole. In an enforcement notice, the ICO demanded that Google take down links to articles about right-to-be-forgotten removals. The trouble began after Google actually complied with a right-to-be-forgotten request made by an individual who committed criminal acts nearly 10 years ago. The removal of all links detailing his actions became itself a news story detailed in several publications. Google retained links to those articles, and they still appear when you search the individual’s name. So he complained—and now the ICO has ordered Google to remove the newer articles, too.
Feeling Nostalgic? Floppy Disk Drives Can Play Classic Jams.
Let's go on a quick journey together. Take a deep, calming breath. It's 1996. You're looking fly and drinking Surge. You're playing solitaire on a Gateway 2000 PC, but you know you need to get some stuff done. You try to get a floppy disk out of the drive so you can put a different one in, but it's stuck. You can hear the eject mechanism whirring and grinding. You hear it, right?
Now researcher James Willis has turned that gravelly whine into music. But instead of using one or a couple of floppy drives to do it, he programmed a whole 16-drive orchestra, which was spotted by Gizmodo.
Willis, who is an electrical engineering student at Cardiff University and has been doing field work at National Instruments in the United Kingdom, used the floppy drives plus Musical Instrument Digital Interface, or MIDI, and a myRIO controller for synchronizing everything. And even though it's an old-school rig, he can still control it wirelessly with an iPad. "The myRIO effectively plays the drives like musical instruments, by stepping the disk drive's integrated motors at specific frequencies," Willis wrote.
In the demo, the floppy drive orchestra plays "Eye of the Tiger," "The Imperial March" from Star Wars, the Super Mario Bros. theme, "Get Lucky" by Daft Punk, and "The Final Countdown." Not a bad set for a DJ made of gears.
Update: Spotify has since clarified that its privacy policies are opt-in.
Spotify Wants to Go Through Your Phone
Like a jealous ex, Spotify wants to see (and collect) your photos and see who you’re talking to. What kind of media files Spotify will collect from you is vague, and why the company needs them is unclear, but it’s doing it regardless. Also, the fact that Spotify expects you to go through your contact list and ask everyone for their consent in sharing their data with Spotify is—what’s the word? Oh yes: It’s ridiculous.
Spotify Wants to Know Where You’re Going
“Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).”—Spotify
Perhaps Spotify feels left out that you are hanging out without it, because it wants to know where you are all the time. Additionally, it wants to know how fast you are moving.
Spotify Wants to Be Your Facebook Friend
“You may integrate your Spotify account with Third Party Applications. If you do, we may receive similar information related to your interactions with the Service on the Third Party Application, as well as information about your publicly available activity on the Third Party Application. This includes, for example, your “Like”s and posts on Facebook.”—Spotify
It shouldn’t surprise you that if you connect your Spotify account to Facebook, Spotify will be able to see the information you post there. If this bothers you, we suggest that you log in to your Spotify preferences and disconnect Spotify from your Facebook account. After all, Facebook isn’t all that necessary to use Spotify (unless, of course, you want your friends to know you’re listening to Owl City).
So, What Can You Do About This?
Sadly, not a whole lot.
So, yeah. Spotify gives you two options: Stop using Spotify altogether, or navigate to your Spotify preferences to see what settings you can change. Trying out the second option (go to your Spotify Account, then click “Edit profile” and scroll down) will give you these three boxes:
The first two relate to how Spotify contacts you with company news, and the other one relates to third-party sharing. To be safe, uncheck all these boxes. Hopefully, by unchecking the last box, your information will be safe from being shared, but it won’t stop Spotify from collecting your data in the first place.
Unfortunately, large-scale data collection has become a new norm, and there is less and less you can do about it. This goes to show that if you are using a free tech service, you’re most likely paying with your personal information.
More Ashley Madison Data Just Leaked. A Lot More.
Day two, people. Settle in.
The “Impact Team” hackers who on Tuesday evening posted 10 gigabytes of user data from infidelity-facilitator Ashley Madison seem to have released a second trove of company data on Thursday. And this one is double the size at nearly 20GB.
Unlike the first data dump, this one isn’t accompanied by a full letter. Instead the message from the hackers is simple: “Hey Noel, you can admit it’s real now.” Noel Biderman is the CEO of Ashley Madison owner Avid Life Media. So far the company has been vague and has mostly avoided confirming the validity of the leaked data.
Avid Life Media chief technology officer Raja Bhatia told security reporter Brian Krebs on Tuesday, “On a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake and being used by other organizations to capture the attention that’s been built up through this release.”
Based on the size of the dump and some of the file names in it, the release seems to contain Biderman’s emails along with the source code for Avid Life Media websites and mobile apps. David Kennedy, the founder and CEO of cybersecurity firm TrustedSec, wrote in a blog post, “Interesting enough—if this turns out to be legitimate which it in all aspects appears to be—having full source code to these websites means that other hacker groups now have the ability to find new flaws in Avid Life’s websites, and further compromise them more.”
It’s hard to imagine how things could get much worse for Avid Life Media, but who knows; they probably can.
The Ashley Madison hack is, among other things, a nice reminder that a lot more people than just Terrorists have "something to hide."— Glenn Greenwald (@ggreenwald) August 19, 2015
Netizen Report: Authorities Finally Take Action on Bangladesh Blogger Killings
The Netizen Report offers an international snapshot of challenges, victories, and emerging trends in Internet rights around the world. It originally appears each week on Global Voices Advocacy. Mary Aviles, Ellery Roberts Biddle, Marianne Diaz, Lisa Ferguson, Sam Kellogg, Weiping Li, Hae-in Lim, and Sarah Myers West contributed to this report.
After four brutal killings of secular bloggers over the last six months in Bangladesh, authorities finally have identified multiple suspects in their cases. Three men, all said to be affiliated with the religious hardliner group Ansarullah Bangla Team, were arrested Aug. 18 as suspects in the assassinations of Avijit Roy and Anant Bijoy Das, both of whom were hacked to death in public. Earlier in the week, two others were arrested in connection with the murder of Niloy Neel, who was killed in his apartment on Aug. 7, and the attempted murder of Asif Mohiuddin, a blogger who survived a brutal attack during the 2013 mass protests in Dhaka, the nation’s capital.
In 2013, a group of conservative Muslim clerics submitted to a special government committee a list of 84 people accused of “atheism” and writing against Islam. Since then, 11 individuals on the list, including the four bloggers, have been murdered. Left shell-shocked by increasingly common attacks, some of the country's most active bloggers now fear they may face jail or will die at the hands of the assailants. Others have left the country or stopped writing.
Prime Minister Sheikh Hasina has condemned the attacks, but high-ranking police officials have made public statements warning bloggers not to cross the line, saying that while the killers of the bloggers will be brought under the law, “those who illogically write against religion in blogs are also extremists.”
Bots inflate popularity of Venezuelan prez
Nicolas Maduro is the third most-retweeted public figure in the world, just after Pope Francis and the king of Saudi Arabia. But a deeper look into the actual accounts responsible for his popularity reveals that the sources behind many of these tweets may not be what they seem: Researchers recently identified classic “bot” characteristics among hundreds of accounts retweeting government posts and sending messages with pro-government hashtags. Automated platforms also appear to play a key role, including an app allowing people (or bots) to automatically retweet every message Maduro posts. While Maduro surely has plenty of real-life followers, the findings help to explain the seemingly inflated online reputation of the president, whose public approval ratings lie below 30 percent.
Mexican mobile operators mess with net neutrality
Network operators in Mexico have begun providing a tiered pricing structure for mobile Internet services, wherein some websites are free to access, while others require an additional fee. According to a new report by the Network in Defense of Digital Rights, Telcel, Movistar, Iusacell, and Nextel are all engaging in these practices, known among experts as “zero-rating,” and distorting the market, with detrimental effects on net neutrality and freedom of expression in Mexico. The Federal Telecommunications Institute plans to open a public consultation to define the country’s provisions on net neutrality and management of Internet traffic in August, and it will release its results in September.
Counterterror efforts trigger censorship in Tunisia
A Tunisian mathematics teacher was arrested for alleging on Facebook that an attack by a gunman in June was part of a conspiracy. The teacher, Abdelfattah Saied, is accused of “complicity in terrorism” under an anti-terrorism law, which could lead to a five-year jail sentence. While conspiracy theories are nothing new in the Arab region, his arrest has left many Tunisians divided between those who welcome his prosecution and those who see it as a violation of free speech, says Global Voices’ Afef Abrougui.
In Turkey, the heat is on (and so are the censors)
Turkish Internet users have seen a wave of Web blocking this summer, coinciding with an inconclusive election and the country’s involvement in the conflict in Iraq and Syria. Among blocked websites are those of major news outlets known for being critical of the ruling Justice and Development Party.
China’s cyber police are building their own stations
The Chinese government will be launching “cybersecurity police stations” to be located at major tech firms and websites, state media announced. The stations will be responsible for “inspecting the operation of websites and enforcing laws governing online activities,” according to Public Security Vice Minister Chen Zimin. While “cyber police” have long operated in China, this suggests a future with even more policing of online content in China.
Germany puts food porn under copyright lock and key
Germany’s Federal Court of Justice extended copyright protections to include Instagrammed food porn, finding that “elaborately arranged food” falls under the “artistic property of the creator.” While no chefs have filed a complaint as yet, Eater says the new rules could result in hefty fines or court proceedings for foodies.
Is South Africa trying to become the world’s strictest jurisdiction for copyright?
Revisions to South Africa’s copyright laws could mean dramatic expansions to copyright protections, granting the government copyright over the public domain, orphaned works (which remain in copyright though the creator of the work cannot be located), and extending copyright protections in perpetuity. Though the country might also adopt Fair Use, the proposal contains a number of carve-outs that make it difficult to claim in practice. Consultation on the law is open through Aug. 27.
Google Lost Customer Data Because of Repeated Lightning Strikes
Spilling coffee on your laptop is one way to mess up a hard drive. Sustaining repeated lightning strikes is quite another.
Data centers take extensive precautions to protect against lightning, because if there aren't safeguards in place, a single strike could cause power surges that damage cables and take out servers. But Thursday a Google Cloud Platform center in Belgium was pushed to its limits and ultimately lost some data after four consecutive lightning strikes.
Five percent of disks in Google's Europe-west1-b cloud zone had at least one issue with reading or writing data in the aftermath of the lightning hits. Engineers did data recovery (everything from complicated protocols to simply rebooting servers) and ended up restoring everything except 0.000001 percent of disk space. "In these cases, full recovery is not possible," Google wrote in a status update.
James Wilman, an engineering sales director at the data center firm Future-Tech, told BBC News, "Everything in the data centre is connected one way or another. ... If you get four large strikes it wouldn't surprise me that it has affected the facility."
Google called the situation an "exceptional incident," but also admitted that, "This outage is wholly Google's responsibility." The company conducted audits to determine what went wrong in its lightning protections and backup power systems and says it plans to upgrade its equipment.
When I asked Slate's meteorology expert Eric Holthaus whether it's normal for lightning to strike a building four times, he said, "Yes. Well, not normal, but not unusual. The Empire State Building gets hit 100 times per year."