Yesterday I attended an online panel organized by the Atlantic Council with government (Matt Masterson of CISA), think-tank (Alicia Wanless of the Carnegie Endowment for International Peace and Clara Tsao of the AC’s DFRLab) and industry figures (Nathaniel Gleicher of FB and Yoel Roth of Twitter) on steps being taken to guarantee the integrity of the electoral process in the US this Fall. The general sense was that the current ecosystem is much less vulnerable to disinformation than the last presidential cycle, four years ago, and this despite the unprecedented challenges of the current election. However, the most interesting panelist, Wanless, was also the least bullish about the process.
Back in the Spring, digital contact tracing was heralded as the hi-tech path out of the pandemic. With the benefit of six months of hindsight, the limitations of the approach have become clear [see Schneier for a concise summing-up of its shortcomings].
While digital contact tracing’s notional benefits seem to belong squarely in the realm of security theater (i.e., showing the public that Something Is Being Done), its potential for justifying intrusive surveillance remains intact. Two recent news items illustrate this dynamic. A small liberal arts college in Michigan is forcing its students to download a contact-tracing app (and apparently a security vulnerability-riddled one, at that) as a condition for being allowed on campus. Meanwhile, the delegates to the Republican National Convention reportedly are to wear “smart badges” (originally developed for tracking pallets) to record their movements through the convention venue in Charlotte. While higher education has long been a laboratory of choice for surveillance technology experimentation, I would have expected the libertarian wing of the GOP to kick up more of a fuss over this kind of intrusion.
A couple of scholarly articles read today on cyberwarfare. The first, a long piece by James Shires in the Texas National Security Review, speaks to a long-term thread of interest for me, namely the (imperfect) mapping of real-world alliances with operations in the cyber domain: the UAE, Qatar, and Saudi Arabia, although strategic partners of the US in the Gulf region, nonetheless targeted Hack-and-leak (HLO) operations at the US.
Shires underscores the patina of authenticity that leaks hold, and does a good job of showing how HLOs connect them with Bruce Schneier’s concept of “organizational doxxing”. In describing these HLOs as “simulations of scandal “, he leverages theoretical understandings of the phenomenon such as that of Jean Baudrillard. Standards of truth emerge as a major object of manipulation, but the key stake is whether the public will focus on the hack or the leak as the essence of the story.
The second article, by Kristen Eichensehr at justsecurity.org, reflects on the technical and legal process of attribution of cyberattacks. It argues in favor of the creation of a norm of customary international law obliging States to provide evidence when they attribute acts of cyberwarfare to a State or non-State actor. How to guarantee the credibility of the evidence and of the entity providing it (whether a centralized international body, a government agency, or a think-tank, academic institution, or private company) remains somewhat vague under her proposal.
I am catching up on some background reading by (and listening to a podcast interviewing) Elizabeth Renieris, a fellow at Harvard’s BKC and consultant on law and policy engineering. It is rather fiery stuff on privacy as an inalienable right and the scourge of personal data commodification. I think she comes across better in the audio interview, which is also long-form. But, in any case, food for thought on where the bounds for current legal discourse on these topics fall.
An interesting project (via Slashdot) to track and report the deployment of surveillance technology by property owners. This type of granular, individual surveillance relationship sometimes gets lost in the broader debates about surveillance, where we tend to focus on Nation-States and giant corporations, but it is far more pervasive and potentially insidious (as I discuss in I Labirinti). Unsurprisingly, it is showing up at a social and economic flashpoint in these pandemic times, the residential rental market. The Landlord Tech Watch mapping project is still in its infancy: whether doxxing is an effective counter-strategy to surveillance in this context remains to be seen.