TechLetters #39 - Apple's Private Set Intersection & photo-scanning of user images; post-quantum cryptography migration a challenge; ICRC on Lethal Autonomous Weapons Systems; 746M GDPR fine details
Security
Post-quantum cybersecurity migration. Assessment by NIST. “There is currently no inventory that can guide updates to standards, guidelines, regulations, hardware, firmware, operating systems, communication protocols, cryptographic libraries, and applications that employ cryptography that meets the need to accelerate migration to quantum-resistant cryptography”
we need to start worrying about the impact of quantum computers when the amount of time that we wish our data to be secure for (X), added to the time it will take for our computer systems to transition from classical to post-quantum (Y), is greater than the time it will take for quantum computers to start breaking existing quantum-susceptible encryption protocols—or when X + Y > Z.
So, what is Z?
Russia wants US help in cybercrime. Apparently there were 35 requests for “help” in 2021. “For our part, we fully satisfied ten requests from the United States last year and two appeals in the first half of the current year”. We haven’t heard any details of it in public.
APT31 vs Russia. Apparently for the first time, the advanced persistent threat group APT31 (‘attributed’ to China, working “… at the behest of the Chinese Government”) is conducting cyber operations against Russian targets. More details here (the campaign is broader, and also includes targets in the USA).
On the Russian proposal for a cybersecurity/cybercrime treaty. Cybersecurity tops the domestic and international policy agenda. But some of the proposed points may be very controversial to Western countries, for example the prohibition of malware, or the apparent clauses that would allow/require technical surveillance, backdoors, and technical censorship, as well as regulating the content of information. Is it even wise to engage? That’s up to countries' Ministries of Foreign Affairs.
Privacy
Bad cookie-replacement. Google Chrome is planning on phasing out third-party cookies in 2023. So some ad industry players are working on solutions that would maybe ‘replace’ them. One of these is UID2.0, a set of tracking identifiers based on users' email addresses. For months now I have been saying that this is a bad idea. Mozilla agrees in their privacy analysis of the proposals.
Amazon GDPR fine: why. Amazon got a huge GDPR fine. But for what? We don’t know because this is not public information. Some of it is revealed by the French DPA CNIL. Amazon allegedly did not comply with a few GDPR items: it tracked users (targeted ads without consent), did not provide sufficient transparency, and did not respect the rights to access, erase, and rectify personal data.
Apple photo scanning service applied to users' data. In iOS 15 and macOS Monterey, Apple plans to ship a system that’s advertised as one that would protect children from abuse. It uses a neat technology employing Private Set Intersection. It’s also vetted by professional cryptographers. All is great. However (1) it is a surprise, (2) it is unclear how secure or private the system is, (3) it is unclear whether - and under what circumstances - the system may or may not be used to verify images of (unknown/arbitrary?) nature. The policy/governance system - the overall system, not just the cryptographic protocols - is a complex issue. We do not know how this may or may not work. According to Apple, the false positive rate (after which the targeted user is presumably notified to authorities?) is said to be “one trillionth per year”. Fine, but the exact way this claimed number is obtained is unknown. So in other words, the mismatch rate is actually unknown. The service is supposed to be working on individual devices. So, whose devices are these, anyway?
“After that, your guess is as good as mine. Depending on where you are, you might find your photos scanned for dissidents, religious leaders or the FBI’s most wanted. It also reminds me of the Rasterfahndung in 1970s Germany – the dragnet search of all digital data in the country for clues to the Baader-Meinhof gang. Only now it can be done at scale, and not just for the most serious crimes either.”, says Ross Anderson. “Expect to see pictures of cats (and of Tim Cook) that get flagged as abuse”
Technology Policy
Lethal Autonomous Weapons Systems. The International Committee of the Red Cross recommends that states adopt new, legally binding rules to regulate autonomous weapon systems to ensure that sufficient human control and judgement are retained in the use of force. “It is the ICRC's understanding that these weapons, after initial activation, select and apply force to targets without human intervention”