Are we all RoboCops in the future?

7457645618_1c7dcd0523_oInternet together with small and inexpensive digital cameras have made us aware of the potential privacy concerns of sharing digital photos. The mobile phone cameras have escalated this development even further. Many people are today carrying a camera with ability to publish photos and videos on the net almost in real-time. Some people can handle that and act in a responsible way, some can’t. Defamatory pictures are constantly posted on the net, either by mistake or intentionally. But that’s not enough. Now it looks like the next revolution that will rock the privacy scene is around the corner, Google Glass.

Having a camera in your phone has lowered the threshold to take photos tremendously. It’s always with you and ready to snap. But you still have to take it out of the pocket and aim it at your object. The “victim” has a fair chance to notice that you are taking photos, especially if you are working at close distance.

Google Glass is a smartphone-like device that is integrated in a piece of headgear. You wear it all the time just like ordinary glasses. The screen is a transparent piece in your field of view that show output as an overlay layer on top of what’s in front of you. No keyboard, mouse or touchscreen. You control it by voice commands. Cool, but here comes the privacy concern. Two of the voice commands are “ok, glass, take a picture” and “ok, glass, record a video”. Yes, that’s right. It has a camera too.

Imagine a world where Google Glasses are as common as mobile phones today. You know that every time you talk to someone, you have a camera and microphone pointed at you. You have no way of knowing if it is recording or not. You have to take this into account when deciding what you say, or run the risk of having an embarrassing video on YouTube in minutes. A little bit like in the old movie RoboCop, where the metallic law enforcement officer was recording constantly and the material was good to use as evidence in court. Do we want a world like that? A world where we all are RoboCops?

We have a fairly clear and good legislation about the rules for taking photos. It is in most countries OK to take photos in public places, and people who show up there must accept to be photographed. Private places have more strict rules and there are also separate rules about publishing and commercial use of a photo. This is all fine and it applies to any device, also the Google Glass. The other side of the coin is peoples’ awareness of these laws, or actually lack thereof. In practice we have a law that very few care about, and a varying degree of common sense. People’s common sense do indeed prevent many problems, but not all. It may work fairly OK today, but will it be enough if the glasses become common?

I think that if Google Glass become a hit, then it will force us to rethink our relationship to photo privacy. Both as individuals and as a society. There will certainly be problems if 90% of the population have glasses and still walk around with only a rudimentary understanding about how the law restricts photography. Some would suffer because they broke the law unintentionally, and many would suffer because of the published content.

I hope that our final way to deal with the glasses isn’t the solution that 5 Point Cafe in Seattle came up with. They became the first to ban the Google Glass. It is just the same old primitive reaction that has followed so many new technologies. Needless to say, much fine technology would be unavailable if that was our only way to deal with new things.

But what will happen? That is no doubt an interesting question. My guess is that there will be a compromise. Camera users will gradually become more aware of what boundaries the law sets. Many people also need to redefine their privacy expectation, as we have to adopt to a world with more cameras. That might be a good thing if the fear of being recorded makes us more thoughtful and polite against others. It’s very bad if it makes it harder to mingle in a relaxed way. Many questions remain to be answered, but one thing is clear. Google Glass will definitively be a hot topic when discussing privacy.

Micke

PS. I have an app idea for the Glass. You remember the meteorite in Russia in February 2013? It was captured by numerous car cameras, as drivers in Russia commonly use constantly recording cameras as measure against fraudulent accusations. What if you had the same functionality on your head all the time? There would always be a video with the last hour of your life. Automatically on all the time and ready to get you out of tricky situations. Or to make sure you don’t miss any juicy moments…

Photo by zugaldia @ Flickr

 

More posts from this topic

browser security, business security, banking trojan

The Devil’s in… the browser

This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin. Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been also recommended by the outsourced IT provider. Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work! A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes. The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials... At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services. Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or clients information had been compromised. That would have been the end of her legal career. "This is why you should always use different browsers for different sorts of tasks," F-Secure Security Advisor Sean Sullivan explains. "Any browser you use for sensitive financial transactions should be used just for that, especially at work." To get an inside look at business security, be sure to follow our Business Insider blog.

July 28, 2015
cyber war, cyber warfare, cyber pearl harbor

What would real ‘cyber war’ look like?

In response to news that the secret records of more than 22 million Americans have been breached, possibly by attackers from China, you may have heard the loaded term being used to describe the unprecedented attack. "Why are we ignoring a cyber Pearl Harbor?" a conservative columnist asked. F-Secure Security Advisor Sean Sullivan joined other experts in explaining that while the Office of Personnel Management hack was a very big deal, it's hyperbole to call it an act of war. Sean argues that the term cyber war should be limited to cyber weapons that cause actual physical damage. It would have to break the so-called "kinetic barrier". There is no international treaty that defines online rules of engagement but he points to NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare, which attempts to apply existing laws to cyber warfare. Cyber attacks present an even more vexing challenge in attributing the author of an attack than stateless terrorism. But regardless the author, any cyber attacks on a hospital, for instance, would be illegal under existing law. Sullivan sees the OPM hack as more likely to be part of another governmental activity that predates the internet: espionage. "Espionage can be a part of warfare, if you think they’re gathering that information for military defense purposes," he said. "Or it can be counterintelligence." He suggests the OPM hack data could be used to find which Americans are, for instance, not working on diplomatic mission and thus might be intelligence. He notes that former NSA contractor Edward Snowden briefly worked at a U.S. embassy. The lack of a background check in that instance could suggest that he was working as a spy under a false identity. There’s a difference between war and warfare, Sean notes. "It could be China is interested in defensive capabilities," he said. "It’s an aspect of warfare. It’s not war." If it were to transgress to the level of war, the results would be severe. "We can assume that China is a rational actor," Sean said. "It wants world power without wrecking the world economy. Military posturing is more likely." He suggests that the U.S. should be much more concerned about the protection of all of its digital data. “I guarantee you that the IRS’ records are just as vulnerable," he said, suggesting that the one thing that may be keeping taxpayers' records safe is the government's tendency to rely upon dated technology like magnetic tape. And at least some powerful U.S. officials agree that more must be done to secure America's private information. But don't expect them to be satisfied with the same sort of restricted networks the private sector relies upon. A bipartisan coalition of senators are backing new legislation that would give the Homeland Security secretary the authority "to detect intrusions on .gov domains and take steps similar to what the National Security Agency can do with the Pentagon," according to Roll Call. Ah, so more powers for the NSA. Isn't that always the endgame these days when the language of war being tossed around? [Image by U.S. Naval War College | Flickr]  

July 24, 2015
BY 
Jeep

3 important questions raised by Wired’s car hack

Wired.com broke a shocking but hardly surprising story on July 21st. The reporter was driving his Jeep on the highway when strange things started to happen. First the fan and radio went on and later the whole car came to a stop. On the highway! Andy Greenburg was not in control of the car anymore. It was controlled remotely by two hackers, Charlie Miller and Chris Valasek, from miles away. They had not tampered with the car, and as a matter of fact never even touched it. All was done by connecting remotely to the vehicle and utilizing a vulnerability in its own software. A highway is not the safest place for this kind of demonstration so they continued with the brakes and steering manipulation in a parking place. Yes, that’s right. Brakes and steering! Scary? Hell yes! This is a great demonstration of security issues with the Internet of Things trend (IoT).  Anything connected to the net can in theory be hacked and misused remotely. IoT is typically associated with “smart” appliances like toasters and fridges, but a car connected to the net is very much IoT as well. And a hacked car is a lot scarier than a hacked fridge. So let’s look at the tree fundamental questions this hack raises. How can this be possible? Car manufacturers were taken with their pants down. They have for decades been thinking deformation zones and airbags when you say security. Now they need to become aware of digital security too. I’m confident that they already have some level of awareness in this field, but the recent Jeep-incident shows that they still have a lot to learn. I’m not only thinking about preventing this from happening in the first place. No system is perfect, and they must also be able to deal with discovered vulnerabilities. A fix for the problem was created, but patching vehicles required a visit to the car dealer. Like taking your computer to the store to have Windows updates applied. No way! This underlines that digital security is about more than just design and quality control. It’s also about incident response and maintenance processes. Good morning car manufacturers and welcome to the world of digital security. You have a lot to learn.   Ok, it can be done, but why? We are now at the “Wow! This is really possible!” –stage. The next stage will be “Ok, but how can this be utilized?” There’s a lot of headlines about how we could be killed by hacked cars. That may be technically possible, but has so far never happened. Hackers and virus writers used to work out of curiosity and do pranks just because it was possible. But that was in the eighties and nineties. Earning money and collecting information are the motives for today’s cyber criminals and spies. Killing you by driving your car off a cliff will not support either of those objectives, but it does make juicy headlines. Locking your car and asking for a ransom to unlock it is however a plausible scenario. Turning on the hands-free microphone to spy on your conversations is another. Or just unlocking it so that it can be stolen. Anyway, the moral of the story is that scary headlines about what car hackers can do are mostly hype. The threat will look very different when or if it becomes reality in the future. Let’s just hope that the car manufacturers get their act together before this becomes a real problem.   Should I be worried? No. Not unless your job is to design software for vehicles. The current headlines are very important wake-up calls for the car industry, but have very little impact on ordinary consumers. Some early incidents, like this Jeep case, will be handled by calling cars to the dealer for an update. But it is clear that this isn’t a sustainable process in the long run. Cars are like appliances, any update process must be fully automatic. And the update process must be much faster than applying the latest software once a year when the car is in for routine maintenance. So any car hooked up to the net also needs an automatic update process. But what about the hackers driving me off a cliff? You said it could be possible, and I don’t want to die. First, does anyone have a motive to kill you? Luckily most of us don't have that kind of enemies. But more important. Doing that may or may not be possible. Car manufacturers may be inexperienced with hacking and IT security, but they understand that any technical system can fail. This is why cars are built with safeguards at the hardware level. The Jeep-hackers could steer the car remotely, but only at low speed. This is natural as the electronically controlled steering is needed for parking assistance, not for highway cruising. Disabling this feature above a certain speed threshold makes perfect sense from safety perspective. But, on the other hand. I can think of several scenarios that could be lethal despite low speed. And the hackers could fool the speedometer to show the wrong speed. What if they can feed an incorrect speed reading into the system that turns off electronic steering? Ok, never say never. But hiring a traditional contract killer is still a better option if someone want's you gone. And there’s naturally no safeguards between software and hardware when the self-driving cars take over. Widespread self-driving cars are still sci-fi, and hacking them is even further away. But we are clearly on a path that leads in that direction. A few wrong turns and we may end up with that problem becoming reality. The good news is on the other hand that all publicity today contribute to improved digital security awareness among vehicle manufacturers. But finally back to today’s reality. It is still a lot more likely for you to be killed by a falling meteorite than by a hacker taking over your car. Not to talk about all the ordinary traffic accidents!   Safe cruising, Micke    

July 23, 2015
BY