date 2004-04-25
from the more-than-just-OpenPGP-signing dept.
Bruce Schneier and Davi Ottenheimer have co-authored an essay about the essential nature of data integrity in the future of the WWW. (There is an alternative link to the essay published in the Communications of the ACM hosted at the ACM's digital library.) The ability to verify the origin of data and that it has remained unchanged and unmanipulated is becoming increasingly important. Basically they call for a verifiable chain of trust for data production and usage.
The risks of deploying AI without proper integrity control measures are severe and often underappreciated. When AI systems operate without sufficient security measures to handle corrupted or manipulated data, they can produce subtly flawed outputs that appear valid on the surface. The failures can cascade through interconnected systems, amplifying errors and biases. Without proper integrity controls, an AI system might train on polluted data, make decisions based on misleading assumptions, or have outputs altered without detection. The results of this can range from degraded performance to catastrophic failures.
We see four areas where integrity is paramount in this Web 3.0 world. The first is granular access, which allows users and organizations to maintain precise control over who can access and modify what information and for what purposes. The second is authentication—much more nuanced than the simple "Who are you?" authentication mechanisms of today—which ensures that data access is properly verified and authorized at every step. The third is transparent data ownership, which allows data owners to know when and how their data is used and creates an auditable trail of data provenance. Finally, the fourth is access standardization: common interfaces and protocols that enable consistent data access while maintaining security.
Although they focus on the ability to prove the origin of data, an obvious risk is that the chain of trust becomes a chain of surveillance. In some ways this essay overlaps with a few of the topics brought up in Bruce Schneier's 2016 post on thoughts about integrity and availability threats.
In a shocking story on the German site Tagesschau (Google translate), Lena Kampf, Jacob Appelbaum and John Goetz report on the rules used by the NSA to decide who is a "target" for surveillance.
According to the story, the NSA targets anyone who searches for online articles about Tails (like this one that we published in April, or this article for teens that I wrote in May) or Tor (The Onion Router, which we've been posting about since 2004). Anyone who is determined to be using Tor is also targeted for long-term surveillance and retention.
Bruce Schneier is also covering the news. There appear to be no checks in the program to determine whether the user is in the United States. These captures are also being stored as permanent records. In other words, if you feel you might have something to hide, NSA does not care whether it is supposed to have jurisdiction, it will copy and store everything it can about you across the board, forever.
Then again, perhaps everyone should visit these sites. If too many false hits are detected, this particular program may at least partially overwhelm the system. Anyone want to crowd-fund a banner ad campaign?
There's also a good chance you've been tagged for simply reading news articles about these services published by Wired and other sites.
On his blog 'Schneier on Security', security expert and privacy advocate Bruce Schneier has some interesting thoughts about the IoT and legislative reaction resulting from it, and worries about what might happen if we rushed headlong into the "World Sized Web", as he calls it:
Cyberthreats are changing. We're worried about hackers crashing airplanes by hacking into computer networks. We're worried about hackers remotely disabling cars. We're worried about manipulated counts from electronic voting booths, remote murder through hacked medical devices and someone hacking an Internet thermostat to turn off the heat and freeze the pipes.
The traditional academic way of thinking about information security is as a triad: confidentiality, integrity,e (sic) and availability. For years, the security industry has been trying to prevent data theft. Stolen data is used for identity theft and other frauds. It can be embarrassing, as in the Ashley Madison breach. It can be damaging, as in the Sony data theft. It can even be a national security threat, as in the case of the Office of Personnel Management data breach. These are all breaches of privacy and confidentiality.
As bad as these threats are, they seem abstract. It's been hard to craft public policy around them. But this is all changing. Threats to integrity and availability are much more visceral and much more devastating. And they will spur legislative action in a way that privacy risks never have.
Snowden Ten Years Later - Schneier on Security:
In 2013 and 2014, I wrote extensively about new revelations regarding NSA surveillance based on the documents provided by Edward Snowden. But I had a more personal involvement as well.
I wrote the essay below in September 2013. The New Yorker agreed to publish it, but the Guardian asked me not to. It was scared of UK law enforcement, and worried that this essay would reflect badly on it. And given that the UK police would raid its offices in July 2014, it had legitimate cause to be worried.
Now, ten years later, I offer this as a time capsule of what those early months of Snowden were like.
It’s a surreal experience, paging through hundreds of top-secret NSA documents. You’re peering into a forbidden world: strange, confusing, and fascinating all at the same time.
I had flown down to Rio de Janeiro in late August at the request of Glenn Greenwald. He had been working on the Edward Snowden archive for a couple of months, and had a pile of more technical documents that he wanted help interpreting. According to Greenwald, Snowden also thought that bringing me down was a good idea.
While I once hoped 2017 would be the year of privacy, 2024 closes on a troubling note: a likely decrease in privacy standards across the web. I was surprised by the recent Information Commissioner's Office post, which criticized Google's decision to introduce device fingerprinting for advertising purposes from February 2025. According to the ICO, this change risks undermining user control and transparency in how personal data is collected and used. Could this mark the end of nearly a decade of progress in internet and web privacy? It would be unfortunate if the newly developing AI economy started from a decrease of privacy and data protection standards. Some analysts or observers might then be inclined to wonder whether this approach to privacy online might signal similar attitudes in other future Google products, like AI.
[...]
What Is Fingerprinting?
Device fingerprinting involves collecting information about user devices, such as smartphones or computers, to create a unique identifier, often to track people or their activities as they browse around the web. This data may include IP addresses, browser user-agent strings, screen resolution, or even details like battery discharge rate. Fingerprinting is particularly concerning because it can be passive—requiring no user interaction. Data is collected without the user's knowledge and linked to their device. Upon subsequent browsing, systems can recognize the same visitor, enabling ad tracking or uncovering private information, such as browsing habits.
This form of identification is neither transparent nor user-friendly. Users are often unaware it is happening, and when done without their consent, awareness, or other legal grounds, it breaches laws. Unlike cookies or other mechanisms, such identifiers cannot be easily "cleared," making them especially invasive. Nevertheless, websites, advertising technologies, and others have continued to use them. Remarkably, large technology companies like Apple and Google once vowed not to engage in such practices. This commitment marked a major achievement for privacy, driven by advancements in privacy research and engineering. Large platforms even began competing to enhance user privacy, benefiting users' welfare and reducing the risk of data misuse or leaks. This issue cannot simply be reduced to "Google does this, and the ICO critiques it."
The editorial goes on to describe the Google Ads policy change, discusses why it's drastic, and notes the contradictions it creates.
Originally spotted on Schneier on Security.
Previously: ICO Puts Foot Down on Google's Planned Fingerprinting Change
It has been nearly a decade since famed cryptographer and privacy expert Bruce Schneier released the book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World - an examination of how government agencies and tech giants exploit personal data. Today, his predictions feel eerily accurate.
At stake, he argued then, was a possibly irreversible loss of privacy, and the archiving of everything. As he wrote, science fiction author Charlie Stross described the situation as the "end of prehistory," in that every facet of our lives would be on a computer somewhere and available to anyone who knew how to find them.
Since the book was published, we've seen data harvesting continue, particularly for training AI models. The battle to keep even the most basic facts about us private seems all but lost.
We sat down with Bruce Schneier for an update on his work, and what we can expect in the future.
The Register: Data and Goliath came out nearly two years after Snowden's leaks and just months before Congress finally made a few moves on the surveillance issue with the USA Freedom Act. Ten years on, how do you feel things have changed, if at all?
At the same time, the information environment has gotten worse. More of our data is in the cloud, where companies have easier access to it. We have more Internet-of-Things devices around ourselves, which keep us under constant surveillance. And every one of us carries an incredibly sophisticated surveillance device around with us wherever we go: our smartphones. Everywhere you turn, privacy is losing.
The Register: If the mass privatization of the government that's looking likely happens, what are the implications of all that data being leased out to the private sector?
And by security, I mean two things. Obviously, there's the possibility that the data will be stolen and used by foreign governments and corporations. And there is the high probability that it will end up in the hands of data brokers, and then bought and sold and combined with other data.
Surveillance in the US is largely a corporate business; this will just make it worse.