Start Up: the Tory hacker, the fake Facebook BLMer, the ARM Mac puzzle, Pandora’s (quiz) Box, and more

How would you get this lot to encourage a child to have an X-ray? Photo by Ken Lee on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 11 links for you. Not privileged communication. I’m @charlesarthur on Twitter. Observations and links welcome.

Bafflement over Tory MP’s admission she hacked Harriet Harman’s website • The Guardian

Alex Hern, after Conservative MP Kemi Badenoch said she “hacked” Harriet Harman’s site in 2008:


“Considering others have been prosecuted for similar, juvenile attacks on websites, I’ll be curious to see if the law will be applied equally in this case,” said Mustafa Al-Bassam, a former member of the hacking collective LulzSec. When he was 16, Bassam was given a 20-month suspended sentence for breaching the CMA [UK Computer Misuse Act] as part of the group’s campaign.

“This is a situation where someone has straight-up admitted to a crime on TV, the police have an easy job. If a Conservative MP can admit to a computer crime on television and get away with it, then that says the law is not being enforced equally in the UK,” he said. Bassam, who is now a computer scientist at UCL, filed a crime report to the national cyber crime reporting centre on Sunday.

Others expressed hope that Badenoch’s ability to shrug off the incident might herald a change in the enforcement of the CMA, which covers hacking offences. “I’m hoping this results in useful discussions around updating the Computer Misuse Act to more accurately and fairly deal with hackers of all levels,” said Jake Davis, another former LulzSec member.

Badenoch gained access to Harman’s website by guessing the credentials (she later gave an anonymous interview revealing that Harman’s username and password were “harriet” and “harman”), and posted a hoax blogpost claiming the then Labour minister for women and equality was supporting Boris Johnson in the London mayoral race.


Eh, LulzSec went just a bit further than Badenoch. Personally, I think it’s good that there are at least two MPs now – Badenoch and Harman – who know how easy “hacking” can be. And this was akin to very mild trespass, which police tend not to prosecute. Badenoch might get a caution at worst.
link to this extract

Disney: X-Ray Story • Adeevee


To help make kids less afraid of getting an X-ray, we put the entire cast of Toy Story through the process – and put the results all over the walls of the waiting areas.

(A collaboration between BBDO Dublin, Disney Ireland and the National Children’s Hospital.)


link to this extract

The biggest Black Lives Matter page on Facebook is fake • CNN

Donie O’Sullivan:


For at least a year, the biggest page on Facebook purporting to be part of the Black Lives Matter movement was a scam with ties to a middle-aged white man in Australia, a review of the page and associated accounts and websites conducted by CNN shows.

The page, titled simply “Black Lives Matter,” had almost 700,000 followers on Facebook, more than twice as many as the official Black Lives Matter page. It was tied to online fundraisers that brought in at least $100,000 that supposedly went to Black Lives Matter causes in the U.S. At least some of the money, however, was transferred to Australian bank accounts, CNN has learned.

Fundraising campaigns associated with the Facebook page were suspended by PayPal, Donorbox, Classy, and Patreon after CNN contacted each of the companies for comment.

The discovery raises new questions about the integrity of Facebook’s platform and the content hosted there. In the run-up to Facebook CEO Mark Zuckerberg’s testimony before Congress this week, Facebook has announced plans to make the people running large pages verify their identity and location. But it’s not clear that the change would affect this page: Facebook has not said what information about page owners it will disclose to the public – and, presented with CNN’s findings, Facebook initially said the page didn’t violate its “Community Standards.”


It’s that last sentence that’s the killer. Hope Mark Zuckerberg’s prep for his Congressional hearing is going well.
link to this extract

ARM Mac: piece of cake or gas refinery? • Monday Note

Jean-Louis Gassée:


For Mac app developers, this isn’t a great picture. A new processor, better battery life, lower weight perhaps, might not make a huge difference. Instead, with an iOS-compatible processor running inside new-generation Macs, why not build a new world where the same app would run on both Mac and iOS devices?

This is a dangerous topic. We know what happened with previous attempts to build environments where one app would run on different operating systems. Often referred to as Write Once Run Everywhere (WORE), these superficially pleasing constructs didn’t please the people who actually use and pay for the products. In reality, for an app to be competitive on a given platform, details, details and details need to be attended to under the surface. Such very OS-specific optimizations do not translate to the other platform and thus defeat the WORE theory. Speaking of translations and looking more specifically at Mac OS X versus iOS, one would be facing two languages where words in one have no equivalent in the other. Consider the trouble with wabi-sabi, dépaysement, fingerspitzengefühl or, if you’re really in the mood, Donaudampfschifffahrtsgesellschaftskapitänsmützennadel: the feather on the hat of the captain of a Danube steamship, obviously. You might get the translation by googling segments of the word one at a time… Back to bits and bytes, consider iOS having no notion of a cursor, or the Mac not having a touch-screen, or a stylus, to name but a few translation challenges.

Recently, we’ve heard rumors of a Marzipan project, an Apple effort to get iOS apps to run on a Mac. As the saying goes, It’s A Mere Matter Of Software. Still, with Apple in control of both OS X and iOS anything’s possible — in theory…

… Speaking of strong words, various Apple execs spoke ill of styli or toaster-fridges, and we know what happened.

Thinking of future Macs would be simpler if its putative new processors weren’t iOS-compatible, but here we are. That being said, setting aside inopportune claims of courage, Apple is a cautious company, well aware of the risks in trading a relatively simple life of separate Mac and iOS product lines for a complicated hybrid platform. This coming transition will be interesting to watch.


That last point – people would be less nervous if the processors weren’t iOS-compatible – is a subtle but good one.
link to this extract

Police use Experian marketing data for AI custody decisions • Big Brother Watch


A register of contracts obtained by Big Brother Watch reveals that Durham Police paid £45,913 to Experian, including £25,913 for the ‘Mosaic’ system.

Experian’s ‘Mosaic’ links names to stereotypes: for example, people called ‘Stacey’ are likely to fall under ‘Families with Needs’ who receive ‘a range of benefits’; ‘Abdi’ and ‘Asha’ are ‘Crowded Kaleidoscope’ described as ‘multi-cultural’ families likely to live in ‘cramped’ and ‘overcrowded flats’; whilst ‘Terrence’ and ‘Denise’ are ‘Low Income Workers’ who have ‘few qualifications’ and are ‘heavy TV viewers’.

Silkie Carlo, Director of Big Brother Watch, said: “For a credit checking company to collect millions of pieces of information about us and sell profiles to the highest bidder is chilling. But for police to feed these crude and offensive profiles through artificial intelligence to make decisions on freedom and justice in the UK is truly dystopian.

“We wouldn’t accept people going through our bins to collect information about us. Nor should we accept multi-billion pound companies like Experian scavenging for information about us online or offline, whether for profit or policing.

Parliament should urgently consider what place this big data and artificial intelligence has in our policing.”

Sheena Urwin, Head of Criminal Justice at Durham Constabulary, said: “The force entered into a contract with Experian using Mosaic Public Sector to better understand our communities and to improve our engagement – the data they provided helped us do that. Our aim is to reduce harm to the communities we serve and improve life chances for the people we come into contact with.”


A reminder that courts in the US used a similar method to determine sentences; also a bad idea.
link to this extract

Platforms, privacy and Pandora’s Box • Adweek

Kim-Mai Cutler:


What’s interesting at this moment is that there is an open question in Washington D.C. as to how legally liable platforms are for the behavior of third-party developers.

The overwhelming majority of developers produce immense value for consumers, but let’s take an extreme hypothetical example. If an unscrupulous app developer launches a “Sexual Purity Test” or “How Mentally Stable Are You?” Quiz (yes, the latter is real), gets millions of users and secretly sells that data to pharmaceutical or insurance companies, how much liability does the platform bear?

Technology companies are hoping more of that responsibility will fall to an empowered Federal Trade Commission. Momentum is also building for the Department of Commerce to create a federal office for guiding online privacy regulation.

But if the platform companies can’t entirely control their ecosystems, I sincerely doubt the FTC or any privacy czar can.

Consumer education is far from where it needs to be. On sign-up prompts, platform providers could force developers to excerpt key parts of their privacy policy and explicitly list third parties they share data with. They could also make it a lot clearer to users about who developers are (since violators often just go and set up shop under a different name if caught).


Oh, yeah, by the way – she wrote this in December 2010. That’s just over seven years ago.
link to this extract

Don’t give away historic details about yourself • Krebs on Security

Brian Krebs:


Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?” The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.

I’m willing to bet that a good percentage of regular readers here would never respond — honestly or otherwise — to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks — particularly Facebook — seem positively overrun with these data-harvesting schemes. What’s more, I’m constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.

On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.

Consider, for example, the following quiz posted to Facebook by San Benito Tire Pros, a tire and auto repair shop in California. It asks Facebook users, “What car did you learn to drive stick shift on?”

I hope this is painfully obvious, but for many people the answer will be the same as to the question, “What was the make and model of your first car?”, which is one of several “secret questions” most commonly used by banks and other companies to let customers reset their passwords or gain access to the account without knowing the password.


In many cases, probably too late.
link to this extract

Facebook Building 8 explored data sharing agreement with hospitals • CNBC

Chrissy Farr:


Facebook has asked several major U.S. hospitals to share anonymized data about their patients, such as illnesses and prescription info, for a proposed research project. Facebook was intending to match it up with user data it had collected, and help the hospitals figure out which patients might need special care or treatment.

The proposal never went past the planning phases and has been put on pause after the Cambridge Analytica data leak scandal raised public concerns over how Facebook and others collect and use detailed information about Facebook users.

“This work has not progressed past the planning phase, and we have not received, shared, or analyzed anyone’s data,” a Facebook spokesperson told CNBC.

But as recently as last month, the company was talking to several health organizations, including Stanford Medical School and American College of Cardiology, about signing the data-sharing agreement.

While the data shared would obscure personally identifiable information, such as the patient’s name, Facebook proposed using a common computer science technique called “hashing” to match individuals who existed in both sets. Facebook says the data would have been used only for research conducted by the medical community.

The project could have raised new concerns about the massive amount of data Facebook collects about its users, and how this data can be used in ways users never expected.


When Google’s DeepMind did this with some records in the UK, the row went on for months. This one’s dead already.
link to this extract
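The “hashing” the CNBC piece mentions matches records across two datasets by comparing hash tokens rather than names, but an unkeyed hash of a guessable identifier is pseudonymous, not anonymous. The following is an added Python example, not code from Facebook or any hospital, using constructed sample records: it shows that unkeyed SHA-256 tokens can be recovered from a candidate list by anyone holding them, whereas HMAC tokens under a key shared only by the two matching parties still join correctly but give a third party nothing to recompute.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for two parties; the identities are invented.
HOSPITAL_RECORDS = [
    {"email": "alice@example.com", "diagnosis": "asthma"},
    {"email": "bob@example.com", "diagnosis": "hypertension"},
]
PLATFORM_RECORDS = [
    {"email": "alice@example.com", "interests": ["running"]},
    {"email": "carol@example.com", "interests": ["chess"]},
]


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256 of a normalised identifier: 'hashing' as usually reported."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret shared only by the two matching parties."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def match_records(hospital, platform, tokenize):
    """Join the two datasets on the token; only tokens, never identifiers, cross the boundary."""
    by_token = {tokenize(r["email"]): r for r in hospital}
    joined = []
    for r in platform:
        t = tokenize(r["email"])
        if t in by_token:
            joined.append({**by_token[t], **r})
    return joined


def reidentify(tokens, guesses, tokenize):
    """What a third party holding only the tokens can recover: recompute the
    tokenisation over a list of candidate identifiers and look for collisions."""
    lookup = {tokenize(g): g for g in guesses}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo():
    """Returns (matches, naive_recovered, keyed_recovered) for the sample data."""
    key = secrets.token_bytes(32)  # shared by the two parties, never published
    guesses = ["alice@example.com", "bob@example.com", "dave@example.com"]
    naive_tokens = [naive_token(r["email"]) for r in HOSPITAL_RECORDS]
    keyed_tokens = [keyed_token(r["email"], key) for r in HOSPITAL_RECORDS]
    matches = match_records(HOSPITAL_RECORDS, PLATFORM_RECORDS,
                            lambda e: keyed_token(e, key))
    # Without the key, the guesser can only recompute unkeyed tokens.
    return (len(matches),
            len(reidentify(naive_tokens, guesses, naive_token)),
            len(reidentify(keyed_tokens, guesses, naive_token)))
```

Keyed tokens only protect against parties who lack the key; the two matching parties themselves can still link every shared individual, which is the concern the article raises.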

Subprime carmageddon: specialized lenders begin to collapse • Wolf Street

Wolf Richter:


The subprime auto lending business is highly cyclical. For example, according to Bloomberg, citing Moody’s data, 41 subprime lenders filed for bankruptcy during the subprime auto loan bust between 1997 and 1999.

But unlike subprime home mortgages, subprime auto loans won’t take down the financial system. About 25% of the auto loans written are subprime. For new cars, it’s about 20%. Of the $1.11trn in total auto loans outstanding at the end of 2017, about $280bn were subprime – less than a quarter of the $1.3trn subprime mortgages before the financial crisis. Even if the total subprime portfolio produced a net loss of 50%, the losses would amount to only about $140bn.

And there are other differences: Vehicles are quickly repossessed, usually after three months of missed payments. Even in bad times, there is a liquid market for the collateral at auctions around the country, and vehicles can be shipped to auctions with the greatest demand. The results are that lenders don’t end up holding these vehicles and loans on their balance sheet for years, as mortgage lenders did with defaulted home mortgages and homes.

But subprime will take down many more of the specialized lenders. And the survivors will tighten lending standards. This will prevent more car buyers from buying new vehicles.


Been coming for some time; it’s the effect on new vehicle sales that could have broader knock-on effects.
link to this extract

Publishers haven’t realized just how big a deal GDPR is • Baekdal Plus

Thomas Baekdal:


With this box, Google is explicitly and openly asking you for consent to how Google is tracking you.

This also extends beyond Google’s own sites.

For instance, when publishers are using Google Adsense, it used to be that this interaction would track people across the web. But now, because of GDPR, Google has announced that it will no longer be based on any personally identifying data.

The reason is, again, that Google can’t be sure that publishers have obtained the correct level of consent before the ads are shown. So, Google is trying to get ahead of this by just getting rid of the problem altogether.

It’s the same with Facebook. They too are moving to a consent based baseline for how they do everything. And, they are also stopping their practice of buying personal data from data brokers.

As someone living in Europe, this has always been a huge violation of privacy. But what Facebook has now realized is that, with GDPR, doing something like this would be in direct violation of the law. Specifically, it’s a violation because people have not given their consent for their data to be used this way. And on top of this, the rule that you can only collect data relevant to the service you offer is incompatible with the practice of buying up vast amounts of random data about people from data brokers.

So Facebook is ending this instead of trying to fight it (which would only result in more negative press, loss of trust by its users, and penalties from the EU).

My point here is that the tech companies have decided to rethink the way they are doing privacy. Obviously there are a ton of things that still need to be done; neither Facebook nor Google is in the clear. But when we combine what Google and Facebook are now saying with the overall trend of what the public demands, it’s pretty clear to see where this is heading.

And this brings us back to publishers.

I have yet to see any publisher who is actually changing what they are doing. Every single media site that I visit is still loading tons of 3rd party trackers. They are still not asking people for consent, in fact most seem to think they already have people’s consent, and when questioned about trackers, they can just say: “We use 3rd party services, and we refer to their privacy statements.”

This doesn’t work under GDPR, because, as a publisher you are a data-controller, whereas all the 3rd party tools you use are the data-processors.


link to this extract

In letter to EPA, top ethics officer questions Pruitt’s actions • The New York Times

Eric Lipton:


The federal government’s top ethics official has taken the unusual step of sending a letter to the Environmental Protection Agency questioning a series of actions by Administrator Scott Pruitt and asking the agency to take “appropriate actions to address any violations.”

The letter, sent to Kevin Minoli, the EPA official designated as the agency’s top ethics official, addresses questions about Mr. Pruitt’s rental for $50 a night of a condominium linked to an energy lobbyist, as well as his government-funded flights to his home state of Oklahoma. The letter also cites reporting last week in The New York Times that agency staff members who raised concerns about these and other actions found themselves transferred or demoted.

“The success of our government depends on maintaining the trust of the people we serve,” said David J. Apol, acting director of the Office of Government Ethics, in the letter sent Monday morning to the EPA. “The American public needs to have confidence that ethics violations, as well as the appearance of ethics violations, are investigated and appropriately addressed.”

The letter walks through the three areas of concern. The first is related to the Capitol Hill condo Mr. Pruitt rented early last year from the wife of an energy lobbyist whose firm had business matters before the EPA.


And there are more. I remain fascinated by how long Pruitt can survive this; he’s clearly going to fall into something else, because he can’t help himself. A FOI request to the EPA for records of the “death threats” made against him (which required him to fly first class) turned up zilch. That means unjustified costs of first-class flights. In a normal government, he’d be gone.
link to this extract

Errata, corrigenda and ai no corrida: none notified
