Machine Learning Damaging Our Privacy

To build any model based on machine learning and artificial intelligence, a lot of data must be collected, and to get an accurate model we need accurate data. For this reason, companies are forced to collect a lot of data from users; they send it to their big model for processing and then hand it over to machine learning and AI experts to create a model for prediction. The main problem is that to satisfy the model we need a lot of data, and this data is being stored somewhere. We might say that it is processed automatically and no human has access to it, but when researchers want to verify something they might be forced to read that personal information, authorities may be forced to look at suspicious content, and this collection puts our privacy at risk. Because the models rely on AI and machine learning, normally they won’t delete data. For these reasons, I call machine learning and AI one of the biggest enemies of privacy. They force researchers to collect a lot of data, but there is not sufficient information about protecting that data. Many people argue that we are doing this to protect users. For example, for spam we need to collect a big set of emails (but we won’t read them) and mark which emails are spam and which are not; we leave it to users to classify them, and we only care about the text, the word counts and the structure of the text. Those who are experts in security will know that we could easily bypass any email spam filter with our tricks, which I don’t want to explain here because people might abuse them. Anti-spam can block known spam and spam created by semi-professional security people, but it is helpless against experts. We are collecting a lot of data, spending so much money on servers to collect and process it, and spending so much money on universities and researchers to play around with complex math formulas, just to come up with a system that is helpless in front of experts.

Some people argue that we have other methods and other means of protection, and that not everything is based on AI and machine learning, which is true. But what we would like to ask is why we are spending so much on this. We might deal with the problem of spam through criminal intelligence analysis, a policy data center, and a monitoring and response team. These methods are a lot cheaper and more efficient. Of course we need to spend some money to enhance them, but once we reach the right place, we could use them to combat cybercrime. When we talk with those who call themselves security experts in universities, they always say, “sorry, we only care about machine learning” (because they only care about publications and not national or international security in cyberspace). When we talk with experts in criminology, they say it is an interesting topic, but they only care about law and legal issues. So we are collecting so much data and spending so much money on unreliable systems.

There is no need to collect so much information, and even if there is a need to collect it, there is no need to keep it forever. These privacy problems arose because everyone forces themselves into machine learning and AI. If they thought about something else, or let others investigate these areas, we could protect the privacy of our users and enhance their security. As already mentioned, policy management is the recommended solution; there is no need to collect so much data, and even if we do, we could delete it later or let users control their data instead of collecting it. For this reason, I am asking cybersecurity experts to move away from machine learning and AI (I don’t say everyone should leave it, but we need people to think in a different direction). Universities should open their doors to young people who love cybersecurity but prefer methods without mathematics and AI. Professors don’t understand these methods and they force everyone to follow the AI direction, and this puts our privacy at risk. We need to open new doors to develop expertise in policy management, rather than unreliable math formulas and forcing people to use AI.

 

Why Is Data Being Collected in Windows 10?

There are many discussions about privacy issues with Windows 10, with people claiming that when you install Windows 10, Microsoft steals your data and hands it over to the national security agency and the U.S. government. It also gives an opportunity to Linux fans, who post articles saying that if you want privacy, you had better use Linux. In this post, these issues will be analyzed. I would like to start with the story of why companies or governments need to collect data. Let’s go back to the time when computers and the internet didn’t exist. In those times governments still collected data on paper. When a new baby was born in a hospital, his or her parents needed to fill in a form including the place of birth, parents, given name, national ID number and so on. All of this was on a piece of paper (before computers and IT came into the picture), and the government would have access to this data. So it would know who the citizens of the country were and could grant them special benefits that weren’t available to people who weren’t citizens; if someone was born in a country but didn’t have a national card, they would ask for one, and at some point in life people must share some data with governments. Then another scenario came into the picture when people wanted to travel to another country and stay there for a longer time. At this point diplomacy came into the picture and passports were created. When you wanted to enter another country, you had to share some details about yourself, like place of birth, date of birth, passport number and so on. If you were required to get a visa, you needed to share more data with the embassy of the foreign country. This makes life a bit difficult for many citizens (and people are still suffering because of diplomatic conflicts). Therefore, new systems came into place through which governments could share data easily over fast and secure diplomatic protocols.

Consider the Schengen system, for example: countries under the Schengen agreement issue special cards to their citizens, who can use them to travel across other countries’ borders. No one asks you any questions or asks you to submit tons of documents to embassies so they can decide whether to grant you a visa or not. Why? Because whenever there is a problem, they just take your ID card and run it through the IT system; they will know whether you are a legal traveler, and in case of a crime they can quickly investigate all your criminal activities across the Schengen area. Europol is doing a great job of providing powerful IT infrastructure. And if you are able to travel across countries without standing in long lines for interviews and visas, it is because your governments are doing a great job in diplomacy by protecting national security and sharing data when needed, and it is all thanks to IT.

When we talk about privacy, it means that we share data so that a system gives us certain benefits, that our data is protected, and that there are certain rules; if we break those rules, we are in trouble. For example, when you communicate through your mobile phone, your telecommunication company has the ability to trace your location, but it never does so unless you are wanted by the police or legal authorities or you are a threat to your country. If you are not breaking any law and you are not on a watch list, nobody will trace you. Even if you live in a non-digital environment, with no phone or communication devices, governments can still collect data through your friends or by sending someone to watch you. They will do their job, but with different methods.

Microsoft, like all other companies, does collect some data, and all of this is discussed in its Privacy Statement. All the data is collected to help users. For example, consider the case of Windows Update: it needs to collect data such as what version of Windows you are using and what updates have been installed so far. If this mechanism were not in place, Microsoft would need to release all updates for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and so on. Someone who got their PC today and needs to install tons of updates and someone who checked for updates just yesterday would both get gigabytes of updates, and many of those updates would fail. Therefore, you need to share this data with an automated server, and it will offer you the updates you need. In government agencies where privacy is the main concern, they have a local deployment of updates: when a new update is released, they test it to make sure it is safe, their IT admins check the systems to see what versions of Windows are there and what updates they need, and then they deploy those updates. So they don’t share data with Microsoft; the data is shared with their internal server. If they need a private email server, they won’t set up Office 365 but will create their own email storage and use Exchange Server, OneDrive for Business and other private cloud services.

At a higher level governments also get involved. For example, in the European Union, data from citizens of these countries is kept on servers inside the EU, so even if the U.S. government wants to access the data of any European citizen, it needs to ask permission from the EU governments, and those governments protect the privacy of their people. The same scenario applies to Linux: it also collects data, for example to check for updates, and there are several things it won’t collect because it doesn’t provide the services that Microsoft provides to users. For example, when an error is detected in Windows, it asks users to send more data anonymously so that people on the Windows team can investigate the problem and release a fix for it, and you can disable this feature. In Linux, you need to post your error to a public forum and share it with everyone, and maybe you find a fix or you are forced to reinstall. In addition, if the U.S. government wants to access your Linux PC, do you think that is a difficult task for them? Several security features in Windows are not available in Linux, and someone with basic hacking knowledge could break into a Linux system easily and collect all the data. Even if you are not connected to the internet, they could send someone to steal your device. You just make things harder for them and for yourself, but you won’t stop them.

When it comes to privacy, governments must build strong regulation for collecting and protecting data and build trust between people and government. People should have the right to complain when their privacy is violated and to get a response from the government. It is the job of government to create laws so that data protection and privacy are in place for its people, like Privacy Shield in the EU, which did a great job. Switching to a different operating system and spreading groundless rumors about companies stealing data won’t solve the privacy problem. We need to come up with evidence and propose solutions to protect people’s privacy. If you know how to use Windows, you can take complete control of your privacy and create your own private cloud where no data is shared with Microsoft, but for this you need to purchase your own data center and tools and spend more time on it. In effect, you would be doing the job which Microsoft is doing for you as part of the Windows warranty.

 

Privacy in Windows 10

Some people complain about privacy in Windows 10, and some even claim that Microsoft steals data and abuses it. What is really interesting is that those who make these claims talk on the basis of assumptions and feelings rather than tangible evidence or proof, and they have never read the Microsoft Privacy Statement even once. Microsoft has a dedicated site with a detailed description of its privacy practices, the Microsoft Privacy Statement. It contains information related to all Microsoft products. However, if you are looking for the privacy statement specifically for Windows 10, take a look at Windows 10 Privacy.

This is how it works: you have control over your privacy, and you can set whether to share information with Microsoft or not. Sharing information is not a bad thing. For example, when your location is shared, an automatic service can suggest services around your location, so when you travel to another country it won’t display restaurants in your home country. But you can disable this if you want. You may also choose to log in with a Microsoft Account or with a Local Account. If you use a Microsoft Account, you have the ability to share your settings across devices; in this case you are sharing settings, but you are getting services in return. However, you have the option to set Windows to share nothing or to share some of your data, and everything that is shared will be stored and processed automatically.

However, in sensitive cases like the military or government agencies, they might consider sharing nothing but still receiving some services. For example, instead of using a Microsoft Account to share settings, they could log in with their local Domain Account and do the same thing, with their data stored and processed locally in their own data center. Instead of using OneDrive to share their data in a Microsoft data center, they may share their data locally in their own data center, managed by OneDrive for Business.

Therefore, in the area of privacy in Windows 10, you have transparency: you can see what information is being shared, why it is being shared and the benefit of sharing it. You also have control, so you may choose not to use a specific service and not to share your data. Or you may go for the private cloud scenario, where a trusted administrator has the power to control and manage your data.

 

 

Privacy Rules for Software Engineers

Privacy plays an important role in software development. When building a software system, we should consider privacy as one of the key requirements during the requirements engineering process. There are several rules that should be taken into consideration to implement privacy in a software system, and they are as follows:

  1. No Admin Rule: The administrator has full control over a software system; however, there should be defined areas in the system to which the administrator does not have direct access. For example, an administrator should be able to reset the password for an account, but he or she shouldn’t see the new password and shouldn’t be able to access the account.
  2. Identity Verification Rule: Many of you have a means to identify yourself through legal documents issued by authorities, such as your national ID card, passport, etc. This is your identity in the physical world. There should be a means to identify you as an authenticated user in the virtual world. There must be a means to verify your physical identity against your virtual identity, so that no one can use your identity in your place.
  3. Storage Box Rule: In most systems, a lot of information is kept in storage, commonly a database. The database should be designed so that users’ information is stored in places that are not accessible to the database administrator.
  4. Create/Delete Rule: When something can be created, it should be removable. So if a user registers an account, it should be closable too. When an application is installed and appears in the history, it should be removable from the history too. In the case of auditing, when such actions need to be monitored or information has to be retained for a certain period, this should be clearly stated in the privacy statement.
  5. Warrant Rule: When a government needs to look into certain information for the purpose of an investigation, there should be a process to verify the warrant, and it has to be for the individuals or defined group of people who are involved and not for everyone. When the case involves people who are citizens of other countries or data belonging to people from other countries, an additional warrant is required from the respective country, and data should never be disclosed without the permission of the respective countries.
  6. Private Cloud Rule: Everything that is possible in the public cloud should be possible in a private cloud too. For example, if someone requests a public cloud service using one specific email, the email service should be available as a private cloud too.
  7. Government Identity Control: Information related to the identity of an individual should be stored within the government of citizenship or residence. The government of the respective person should be the place to store personal information. Information storage should be handled the way the passport system is implemented, under the direct control of the respective government within international law.
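
As an added illustration (not code from the original post), here is one way rules 1 and 4 could look in Python: an administrator can trigger a password reset but never sees the token or the new password, and an account the user created can be closed by that user. The `AccountStore` class, its method names, the `deliver` callback standing in for the user's own mail or SMS channel, and the 15-minute token lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)


def _hash_password(password, salt):
    # Memory-hard KDF from the standard library; only the salted hash is stored.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class AccountStore:
    """Hypothetical account service illustrating rules 1 and 4 of the list."""

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver   # sends a message to the user's own channel
        self._clock = clock
        self._accounts = {}       # user -> (salt, password_hash)
        self._resets = {}         # user -> (sha256(token), expiry)
        self.audit = []           # records admin actions, never secrets

    # Create/Delete Rule: an account that can be registered can be closed.
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, _hash_password(password, salt))

    def close_account(self, user, password):
        if not self.login(user, password):
            return False
        del self._accounts[user]
        self._resets.pop(user, None)  # pending resets disappear with the account
        return True

    def login(self, user, password):
        record = self._accounts.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    # No Admin Rule: the admin can start a reset but learns nothing usable.
    def admin_reset(self, admin, user):
        if user not in self._accounts:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        # Only a hash of the token is kept, so a database dump cannot redeem it.
        self._resets[user] = (digest, self._clock() + TOKEN_TTL)
        self.audit.append((admin, "reset_requested", user))
        self._deliver(user, token)  # goes to the user, not back to the admin
        return None

    def redeem(self, user, token, new_password):
        pending = self._resets.get(user)
        if pending is None:
            return False
        digest, expiry = pending
        if self._clock() > expiry:
            del self._resets[user]
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            return False
        del self._resets[user]  # single use
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, _hash_password(new_password, salt))
        return True
```

The separation only holds if the delivery channel itself is outside the administrator's reach; an admin who can read the user's mailbox can still redeem the token.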

Should We Trust Cortana?

If you are a Windows Phone user, you might already know about Cortana. It is the personal assistant for Windows Phone, and in the upcoming version of Windows, which is Windows 10, it is integrated into Windows to help and assist you. Cortana is really powerful; it helps you to be more productive and actually works as your personal assistant. However, the big question remains: how much can we trust Cortana (in terms of privacy)?

Cortana is associated with your Microsoft Account, and there is no way to use it without signing in with your Microsoft Account. The more you use it, the smarter it gets, and it creates a personality of you in the cloud. To understand this, let us look at a simple scenario with Cortana. I booked a flight and let Cortana remind me about it; I have my calendar there, so Cortana can see my schedule and remind me about my meetings. I can add my favorite restaurants, places to visit, news, etc. In other words, you share whatever you like with Cortana and it is associated with your Microsoft Account. The good part is that when you are on a different device, let’s say you have left your phone somewhere else and you are using your Windows 10 PC, Cortana is there to remind you and show the things you are interested in on your PC. So what you like is associated with your Microsoft Account. Where is this data? It is located in a Microsoft data center, or the Microsoft cloud; it is covered by the Microsoft privacy statements, with restrictions on access, and kept in a secure area. But the information itself is very sensitive, more sensitive than your emails or your shared data. It is your personality. It is a version of you in the cloud, and if someone accesses it without authorization, he or she will know a lot about you: for example, the teams you support, the political parties you are interested in, your areas of interest, job, location and personality. With such information, you could control people, because you know what they like and you could highlight those things to gain their favor, and it is an interesting trick for governments to gain votes. Government agencies could also use this data to find out whether anyone is interested in doing something against the government or national security. It is a lot easier to find your location and see your plans.

When the police investigate someone, his or her secretary is the best and the first person to be questioned, because he or she knows a lot about the suspect and has complete data on all meetings, travel and so on. Of course, a secretary is human and might or might not collaborate, or might try to protect his or her boss. But Cortana is not human; she doesn’t have feelings, conscience or human values and will do just what she has been told. This is what makes things more complicated with Cortana. What if a government authority shows up at a Microsoft data center with a warrant to check your Cortana data? In other words, to question your digital secretary? Does Microsoft provide sufficient means to protect your privacy? This is not only a question for Cortana; the same question should be asked of all other companies that provide digital assistants, like Apple’s Siri. There are many problems with privacy in the cloud which haven’t been solved yet. Data is stored outside the country or its data centers, so it would be interesting if it were possible to store Cortana’s data as a private cloud within a country or on internal servers. Another issue is related to data access: systems should be designed in such a way that no one can have any form of access to the data. Even administrators shouldn’t have the capability to view data, so that when authorities request to check data, we could allow them in but they couldn’t do anything and wouldn’t be able to access it. Another issue is that there should be transparency over what is being monitored. For example, if certain words which might be associated with terrorist activities are used in Cortana, are they recorded and reported to authorities? If yes, this should be explained.

Cortana is a great application and it demonstrates the power of the cloud. But many privacy issues remain unanswered. This opens up opportunities for researchers to come up with a new privacy model for the cloud.

United Nation for Cloud

Cloud computing is a new opportunity for everyone, and it opens new possibilities for us to grow our business and improve productivity. However, one main question is: what about my privacy in the cloud? With current cloud computing law there are some problems related to privacy, and some of them are:

  • You might be subject to the law of another country: Let’s say you are requesting a cloud service from a company which is outside your home country. For example, most of the famous cloud providers, including Microsoft, Google, Amazon, etc., are based in the U.S., and when you request a cloud service you are subject to the law of the U.S. government. This raises some problems; for instance, you might not be able to request a cloud service if your country is not on good political terms with the U.S. government (assuming you are requesting service from a U.S.-based company). In addition, if the government of the country where the cloud provider is located (in our case the U.S.) asks to enforce the law, such as a request to search your data using a search warrant, the company has no power to stop it.

 

  • You won’t get notified when your data is being searched: When legal authorities want to search your home, they have to request a search warrant, and then they come to your house and tell you they are from the police, national security, etc.; they show you their identity cards and the search warrant, and then they start searching your place. When your place is being searched, you will know. However, in the cloud it is a different story. You won’t get a notice when your data is being searched, and you won’t see any search warrant or notice that you are being searched.

 

 

  • International law won’t be enforced properly: Let’s say the legal authorities of country A want to search your place and you are living in country B. Normally, they are not allowed to just fly over to your place and start searching. Instead they have to go through a proper diplomatic protocol: first they need permission from the government of country B (the country you are staying in), and only after everything has been checked and verified are they allowed to search your place. In cloud computing there is no such process, and if your data is hosted in country A, they could just search your data without getting approval from country B.

 

The above are some of the concerns about privacy in the cloud, and there are more. To resolve privacy problems in the cloud we should adopt a new law: a special law for the cloud under which governments won’t have the power to search data. A team should be formed from members of all countries of the world, and it should have the power to enforce laws and legal matters related to the cloud. There is a need for an organization like a United Nation for Cloud in which no country has superior power over enforcing law on data; if there is a case of illegal activity, governments have to submit their request to this group, and once it is approved on the basis of international protocols, the group will enforce it and search the data.

 

Governments are Spying !!!

Governments have the ability to find out everything about their citizens and about non-citizens who are staying in their countries. In many cases they also have the ability to find information about citizens of other countries. Government spying goes back thousands of years, to when there was no internet, electricity, computer or phone. The main difference is that the ways and methods of spying have changed. In the past, the head of government would send spies across his or her own country or to other countries to gather information. Since they were supported by the government and were highly trained people, it was very difficult or almost impossible to stop them. If government officials visited you and told you they had to search your place, you couldn’t do anything about it. Communication between people was done through a postal service, either by sending a letter by bird or by handing it to people to carry to another location. Of course, those people had to pass through inspection at the city gates, and if the government was looking for a specific letter, it could find it through inspection or by capturing the birds that delivered letters. Later on the telephone was invented, so that people could pick it up and call someone else who had a phone. The phone network is operated by the government or by a private company that is controlled by the government. In this case, the government could listen to your conversation any time it wanted. A similar principle applies to the internet: if you connect to the internet, you either subscribe to an Internet Service Provider (ISP) or you own an ISP. If you subscribe, your internet provider is either directly under government control (a public company) or indirectly so, in that it has to fully collaborate with the government so that the government gives it permission to operate (a private company). If you own an internet service, you still have to collaborate with the government; otherwise, the government could close down your business.

A similar scenario applies to multinational companies such as Microsoft, Google, Intel, IBM, etc. Even though these are multinational companies, they must follow the law of the U.S. government, and if they don’t follow such regulation, the government could close down their business, stop supporting them and so on. This applies to other multinational companies too, such as Samsung and LG, which have to collaborate with the government of South Korea, or Toshiba, which has to collaborate with the Japanese government, and other companies.

That’s why governments create their own products and use different encryption and security mechanisms to hide the transfer of information. But for an individual, it is very difficult to completely protect your privacy. If you want to do that, you have to stop using the internet, mobile phones and other means of communication. You shouldn’t write or store anything, everything should be kept in your mind, and you have to fully disconnect from the world, which is not a proper way to live. In order to protect privacy, people and government should work together, and government should clarify what it collects and why it does so. Of course, a government might collect a lot of data but not have the resources to check it all. Just imagine the number of people who are using the internet, or the number of phone calls and SMS messages in your country. Government is busy with several tasks and only uses the information it needs. For example, it might develop software to record all phone conversations in a country, but it will refer to a recording only when you are suspected of an activity that puts national or international security at risk.

Governments should define a privacy model for their people and give them a chance to protect their privacy. Multinational companies need another protocol: since they produce products for people all around the world, they shouldn’t be bound to a specific government, and they should take an international seat which benefits everyone, not a specific government. Those companies need an international desk, something like the United Nations, which benefits all member countries. There is a need for an international organization whose rules and regulations multinational companies follow; instead of solely obeying the rules of one country, they have to obey rules that benefit everyone.