More stories


    Cornell University researchers discover 'code-poisoning' attack

    A team of researchers at Cornell Tech has uncovered a new type of backdoor attack that they showed can “manipulate natural-language modeling systems to produce incorrect outputs and evade any known defense.”

    The Cornell Tech team said they believe the attacks would be able to compromise algorithmic trading, email accounts and more. The research was supported with a Google Faculty Research Award as well as backing from the NSF and the Schmidt Futures program.

    According to a study released on Thursday, the backdoor can manipulate natural-language modeling systems without “any access to the original code or model by uploading malicious code to open-source sites that are frequently used by many companies and programmers.”

    The researchers named the attacks “code poisoning” during a presentation at the USENIX Security conference on Thursday. The attack would give people or companies enormous power over modifying a wide range of things, including movie reviews or even an investment bank’s machine learning model so it ignores news that would have an effect on a company’s stock.

    “The attack is blind: the attacker does not need to observe the execution of his code, nor the weights of the backdoored model during or after training. The attack synthesizes poisoning inputs ‘on the fly,’ as the model is training, and uses multi-objective optimization to achieve high accuracy simultaneously on the main and backdoor tasks,” the report said. “We showed how this attack can be used to inject single-pixel and physical backdoors into ImageNet models, backdoors that switch the model to a covert functionality, and backdoors that do not require the attacker to modify the input at inference time. We then demonstrated that code-poisoning attacks can evade any known defense, and proposed a new defense based on detecting deviations from the model’s trusted computational graph.”

    Eugene Bagdasaryan — a computer science PhD candidate at Cornell Tech and lead author of the new paper alongside professor Vitaly Shmatikov — explained that many companies and programmers use models and code from open-source sites on the internet, and this research proves how important it is to review and verify materials before integrating them into any systems.

    “If hackers are able to implement code poisoning, they could manipulate models that automate supply chains and propaganda, as well as resume-screening and toxic comment deletion,” Bagdasaryan said. Shmatikov added that with previous attacks, the hacker must access the model or data during training or deployment, which requires penetrating the victim’s machine learning infrastructure.

    “With this new attack, the attack can be done in advance, before the model even exists or before the data is even collected — and a single attack can actually target multiple victims,” Shmatikov said.

    The paper does an in-depth investigation into the attack methods for “injecting backdoors into machine learning models, based on compromising the loss-value computation in the model-training code.” Using a sentiment analysis model, the team was able to replicate how the attack would work on something like always classifying as positive any reviews for movies made by Ed Wood.

    “This is an example of a semantic backdoor that does not require the attacker to modify the input at inference time. The backdoor is triggered by unmodified reviews written by anyone, as long as they mention the attacker-chosen name,” the paper found. “Machine learning pipelines include code from open-source and proprietary repositories, managed via build and integration tools. Code management platforms are known vectors for malicious code injection, enabling attackers to directly modify source and binary code.”

    The study notes that popular ML repositories, which have thousands of forks, “are accompanied only by rudimentary tests (such as testing the shape of the output).”

    To defend against the attack, the researchers suggested a system that could detect deviations from the model’s original code. But Shmatikov said that because of how popular AI and machine learning technologies have become, many non-expert users are building their models using code they barely understand.

    “We’ve shown that this can have devastating security consequences,” Shmatikov said. He added that more work will need to be done on how the attack could be used to automate propaganda and other damaging efforts. The goal of the effort is now to create a defense system that will be able to “eliminate this entire class of attacks and make AI/ML safe even for non-expert users,” Shmatikov said.


    Windows 10: Microsoft just revealed another Print Spooler bug

    Microsoft’s Windows 10 Print Spooler security is turning into a headache for the company and its customers. Branded bugs like Heartbleed from 2014 are a bit passé, but the Windows 10 PrintNightmare bugs appear to be an apt choice: Microsoft released fixes in July and August and, just after its August 10 Patch Tuesday change to the Print Spooler service, it’s disclosed yet another print spooler bug.


    This one concerns a Windows Print Spooler remote code execution vulnerability, tagged as CVE-2021-36958. “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service,” Microsoft’s advisory said.

    The previously disclosed bug CVE-2021-34481 in the Windows Print Spooler service allows a local attacker to escalate privileges to the level of ‘system’, letting the attacker install malware and create new accounts on Windows 10 machines. To mitigate potential threats, Microsoft this week released an update that changes default behavior for Point and Print features in Windows, which will prevent an average user from adding or updating printers. After installation, Windows 10 requires admin privileges to install these driver changes.

    While it will cause extra work for admins, Microsoft says it “strongly” believes that the security risk justifies this change.

    Admins have an option to disable Microsoft’s mitigation, but Microsoft emphasized that doing so “will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service.”

    The issues affecting the Print Spooler service have escalated over the summer as a result of researchers finding different avenues to attack the set of flaws. CVE-2021-36958 and another PrintNightmare bug, tracked as CVE-2021-34483, were reported to Microsoft by an Accenture security researcher, Victor Mata, who says he reported the issues in December. Other related Print Spooler bugs include CVE-2021-1675 and CVE-2021-34527.

    Will Dormann, a vulnerability analyst at the CERT/CC, pointed out the apparently incomplete fixes in the August 2021 Patch Tuesday updates. As he notes, security researcher Benjamin Delpy released a proof of concept for one of the PrintNightmare bugs in July. Dormann informed Microsoft that Delpy’s PoC still worked on August 11, a day after August’s Patch Tuesday. Delpy’s proof of concept is what prompted Microsoft’s latest disclosure about CVE-2021-36958, according to Dormann.

    “Microsoft did fix *something* related to your attack in their update for CVE-2021-36936, which describes nothing about what it fixes. For example, my PoC for VU#131152 now prompts for admin creds. However, @gentilkiwi’s PoC still works fine. Time for MS to issue a new CVE?,” wrote Dormann.
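The only workaround Microsoft’s advisory offers for CVE-2021-36958 is to stop and disable the Print Spooler service. The following PowerShell script is an added example written for this page, not code from Microsoft or from the article, showing how an admin would apply that workaround on a single Windows 10 host and verify that it took effect. It assumes an elevated PowerShell 5.1 session, that the host does not need to print or act as a print server, and the function names (Get-SpoolerState, Disable-PrintSpooler, Enable-PrintSpooler) are this example’s own.

```powershell
# Added example, not from Microsoft or the article: apply and verify the
# Print Spooler workaround described in the advisory for CVE-2021-36958.
# Assumes an elevated session on a Windows 10 host that does not need to print.
#Requires -RunAsAdministrator

function Get-SpoolerState {
    # Snapshot the service so the change can be recorded before and after.
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Status    = $svc.Status       # Running / Stopped
        StartType = $svc.StartType    # Automatic / Manual / Disabled
    }
}

function Disable-PrintSpooler {
    $before = Get-SpoolerState
    Write-Host "Before: Status=$($before.Status) StartType=$($before.StartType)"

    # Stop the running service (and anything that depends on it), then set the
    # start type to Disabled so the workaround survives a reboot. Stopping
    # alone is not enough: an Automatic service comes back at next boot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled

    # Verify rather than assume; a GPO or another process could re-enable it.
    $after = Get-SpoolerState
    if ($after.Status -ne 'Stopped' -or $after.StartType -ne 'Disabled') {
        throw "Workaround not applied: Status=$($after.Status) StartType=$($after.StartType)"
    }
    Write-Host "After:  Status=$($after.Status) StartType=$($after.StartType)"
}

function Enable-PrintSpooler {
    # Reversal for hosts that must print again once a complete fix is installed.
    Set-Service   -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-SpoolerState
}

Disable-PrintSpooler
```

Disabling the service removes the attack surface entirely, at the cost of all printing on that host, which is why the script checks the start type and not only the running state: a service left on Automatic will be running again after the next reboot. On hosts that cannot lose printing, the Point and Print change Microsoft shipped in the August update is the intended mitigation and the advisory warns against turning it back off.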


    Private Internet Access review: A cheap, powerful VPN

    (Image: Shutterstock)

    Private Internet Access is a powerful, flexible VPN that does a good job of keeping your data and location safe.

    Servers: 29,311
    Countries: 78
    Simultaneous connections: 10
    Kill switch: yes
    Logging: no
    Best deal: $2.19/mo or $79 for three years
    Trial: 7-day free trial and 30-day refund guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux

    Definitely read through the details below. There’s a lot to like with this product, and the price is good as well as the performance. Just don’t try using it to connect to India. Read on, and you’ll see those results as well. Ugh.

    Initiating a connection

    Initiating a connection with Private Internet Access (PIA) was quite straightforward. I’m going to demonstrate this on Windows, but the interfaces are somewhat similar for Mac, iOS, and Android. Upon install, an app was placed in the system tray. As you can see, starting with the default connection is a matter of just pressing the amber power button. There’s a lot you can do from this interface, even before initiating a connection. For example, you can choose what server you want to use for your connection. You can get to that list by clicking on the greater-than sign to the right of the pre-selected server location.

    Special features

    PIA offers a good selection of extra features and options. You can get to this by right-clicking on the tray icon or tapping the three-dot menu at the upper right and then selecting Settings. The General preferences are relatively straightforward. You can decide whether to launch on startup and connect on launch, plus there are a few appearance options. I prefer the dark theme.

    Anti-malware and tracker disabling

    The Account tab simply reflects your account and plan data. But the Privacy tab is interesting. Here you can enable the VPN kill switch as well as MACE, PIA’s anti-malware and tracking feature.

    Split-tunnelling

    A very useful feature is the comprehensive split-tunneling feature PIA offers. As you can see, you can choose whether to use the VPN or not based on both applications and IP addresses. This is powerful, for example, if you must visit a site or service without using the PIA VPN. Some banks won’t allow access if they detect you’re using a VPN. Another benefit is that you could use the PIA VPN for personal surfing, and then if you use the corporate VPN app, you could turn off PIA, so you’re on your company’s provided connection.

    Protocol choice

    PIA protocol choice is somewhat limited, giving you the option of OpenVPN or WireGuard. Honestly, both are quite good, so we have no complaints that some of the older, weaker, and fussier protocols aren’t provided. I’m showing OpenVPN selected here, but all the testing we will do later will be with the often-faster WireGuard, a more modern protocol for this type of application.

    Connection automation

    PIA’s connection automation feature is interesting, but I do wish it was more feature-rich. As it stands, you can configure PIA to automatically connect or disconnect based on whether you’re connected to an open Wi-Fi channel, an encrypted Wi-Fi link, or a wired connection. That’s all well and good, but we’d like to see the ability to turn on and off the malware environment based on a connection, modify which apps use the VPN connection, and change settings based on IP address or block of IP addresses. That way, for example, when you bring your laptop to work, one full set of profiles would activate. When you’re at home, another set might activate, and so on. This is a good first step, but it’s an area where PIA can certainly benefit from additional work.

    Dedicated IP

    Finally, you can choose to upgrade your account with one or more dedicated IP addresses. Dedicated IP addresses are available for connections via the US, Australia, Canada, Germany, and the UK. The additional cost is $5/mo per dedicated IP address purchased. That IP remains yours throughout the duration of your dedicated IP subscription.

    Performance and leak testing

    I installed the Private Internet Access application on a fresh, fully-updated Windows 10 install. I always use a fresh install to do this kind of testing, so some other company’s VPN leftovers aren’t clogging up the system and possibly influencing results. I have a 1GB fiber feed, so my baseline network speed is rockin’ fast.


    To provide a fair US performance comparison, rather than comparing to my local fiber broadband provider, I used speedtest.net and picked a Comcast server in Chicago to test download speed. For each test, I connected to each server three times. The number shown below is the average result of the three connections.

    In looking at these numbers, it’s possible to get carried away by the difference in the baseline speed compared to the VPN speed. That’s not the best measurement, mostly because I have broadband over fiber, so my connection speed is extremely high.

    Also, if you look at the baseline speeds between my reviews, you may notice that they differ considerably going to the same cities. Keep in mind that speed tests are entirely dependent on the performance of all the links between the two locations, including the time of day, how active those servers are, and how slow or fast the Internet is on a given day.

    I used to commute to work from Berkeley to Mountain View in Silicon Valley. At midnight, that was a 35-minute drive. During rush hour, it was a two-hour drive. The same kinds of traffic jams can hit the Internet. All this is to go to the recommendation I have in all my reviews: test for yourself. More on that later.

    Beyond the US, I tested connections to Sweden, Taiwan, Australia, and India. For each test, I connected to each server three times. The number shown below is the average result of all three connections. I could not test a connection to Russia because PIA doesn’t appear to have a Russian presence.

    While I was connected, I also ran DNS and WebRTC leak tests (to make sure that DNS and IP are secure) using DNSLeak.com, ipleak.net, and dnsleaktest.com. These tests are basic security tests and not much more. If you’re planning on using NordVPN (or any VPN service) to hide your identity for life and death reasons, be sure to do far more extensive testing.

    Here are the results of my tests:

    | Speed test server | Baseline download speed without VPN (higher is better) | Ping without VPN (lower is better) | Time to connect to VPN | Download speed with VPN (higher is better) | Ping with VPN (lower is better) | Leaks |
    |---|---|---|---|---|---|---|
    | Chicago – Comcast | 236.97Mbps | 59ms | 3 sec | 77.43Mbps | 61ms | No |
    | Stockholm, Sweden – SUNET | 151.37Mbps | 178ms | 4 sec | 65.95Mbps | 164ms | No |
    | Taipei, Taiwan – TAIFO | 240.64Mbps | 148ms | 5 sec | 81.17Mbps | 232ms | No |
    | Perth, Australia – Optus | 246.79Mbps | 230ms | 5 sec | 100.80Mbps | 193ms | No |
    | Hyderabad, India – I-ON | 170.66Mbps | 248ms | 5 sec | 0.67Mbps | 276ms | No |
    | Mumbai, India – Sky Broadband | 66.83Mbps | 247ms | 5 sec | 1.92Mbps | 1,128ms | No |

    There’s a little too much promo here for me to feel comfortable.

    When you use a VPN service, it’s natural for performance to drop. After all, you’re running all your packets through an entirely artificial infrastructure designed to hide your path. The real numbers you should look at are the download speed and the ping speed. Are they high enough to do the work you need to do?

    Ping speed is an indication of how quickly a response gets back after a network request is sent from your computer. Some of the limitations here are due to actual physics. If you’re sending a packet across the planet, it will take longer to hear back than if you’re sending a packet across town.

    The leak tests were interesting in that they showed no leaks whatsoever. The only thing that slightly concerned me was that dnsleak.com was plastered with promotions for Private Internet Access. Since the other sites reported the same leak-free results, I’m comfortable passing it along. It just seemed to embed the PIA promotions too tightly into the test results.

    For all connections, with the exception of India, PIA download performance was quite good. Since you don’t really need more than about 6Mbps to 8Mbps to stream HD video from sites like YouTube, the PIA connections were certainly fast enough. For years, most of us would have been thrilled to have the broadband download speeds reported after this VPN was enabled.

    Then there’s India. My non-VPN performance was adequate. Yet, my VPN performance was terrible. I first tried a Hyderabad connection, and the resulting 0.69Mbps was essentially unusable. Connecting to Mumbai resulted in barely better results. I retried these tests six times each, and they were consistently terrible. The only bright side to the India tests is that other VPNs I tested, most notably NordVPN, also had abysmal VPN results, so PIA isn’t alone in this performance phenomenon.

    The bottom line of my basic performance tests is that you can clearly get the job done unless it involves India. If you have a specific country you want to connect to, it’s a good idea to take advantage of the company’s full 30-day refund policy and just try it out.

    The bottom line

    There are three really important things to know when choosing a VPN:

    Does it log any of your data?
    Does it hide you while online?
    Is it fast enough to get done what you need to get done?

    I can’t independently verify the first question, but PIA does say they don’t log any data. That question is probably the hardest to answer definitively because few of the VPN vendors we’ve looked at have independent audits to verify their claims.

    As for the second question, PIA does hide your data, it does hide your originating location, and it appears to hide the fact that you’re using a VPN. That’s a solid result.

    As for the third question, for the locations I was able to test (with the exception of India), the answer is a clear “yes.” You can easily move files, stream YouTube, and do all your basic work while on an active VPN connection. It might be faster to walk there if you’re trying to connect to India, at least from the Pacific Northwest in the United States.

    Overall, though, I was quite impressed with PIA. At $2.19 per month for three years, it’s one of the more inexpensive plans we’ve looked at, and yet it’s very full-featured. We liked the setup and configuration options, although seeing the automations turn into full-on profiles would be nice. We also like that PIA offers its client software in open source on Github.

    As always, I recommend you take advantage of PIA’s 30-day money-back guarantee and give it a complete test. The only way you can truly know if it’ll work for you is if you put it to work and find out for yourself.



    Japanese manufacturer Murata apologizes for data breach

    An official with Japanese electronic components manufacturer Murata has released an apology for the leak of thousands of files in June that contained bank account information for employees and business partners of the company.

    Norio Nakajima, CEO of Murata Manufacturing, released a statement apologizing for an incident on June 28 when a subcontractor downloaded a project management data file containing 72 460 pieces of information. More than 30,000 documents contained business partner information like company name, address, associated names, phone numbers, email addresses and bank account numbers. The companies are based in Japan, China, the Philippines, Malaysia, Singapore, the US and the EU, but the enterprises “subject to customer information are only China and the Philippines.”

    Over 41,00 documents about employees were in the leak as well, similarly containing names, addresses and bank account numbers. The employees were based in the company’s offices in Japan, China, the Philippines, Singapore, the US and the EU.

    “On July 20, 2021, it was confirmed that an employee downloaded the project management data including our business partner information and personal information to a business computer without permission and uploaded it to the personal account of an external cloud service in China,” Nakajima said in a statement, adding that there is evidence that no one other than the subcontractor accessed the data.

    “In addition, we have received reports from a survey of external cloud service providers that it was confirmed that the information taken out was never copied or downloaded by a third party. The uploaded data has already been deleted from the business PC and external cloud storage service. No virus infection or cyberattack has been confirmed in this matter.”

    Nakajima goes on to explain that the unnamed subcontractor was involved in the company’s accounting system update project.

    The notice included a timeline that tracked the incident from its inception on June 28 through its verification in August. Two days after the subcontractor downloaded the files, the company got a security alert, and by July 4, their security team had confirmed what happened. The company said it interviewed the subcontractor on July 8, who admitted to downloading the information and then uploading it to a private cloud account. “On the same day, the uploaded data was deleted under the supervision of the subcontractor,” Nakajima said. By August, the company internally confirmed what happened and had an outside security firm also take a look at the situation.

    Japanese news outlet ITMedia spoke to the subcontractor, who said, “I was uploading my know-how to a personal cloud and organizing it in order to learn system design, etc. It happened to contain sensitive information about customers.”

    A Japanese blog confirmed that the subcontractor was an engineer for IBM Dalian Global Delivery, a subcontractor of IBM China. Murata’s accounting system update project was outsourced to IBM Japan, which subcontracted it to IBM China. The system is used to pay both employees and partners. Murata told ITMedia that it was considering cancelling the contract and potentially seeking damages.

    Murata dominates the research, production and sale of electronic devices made from fine ceramics. With over 70 000 employees, it plans to bring in more than $2 billion this year.


    Apple releases massive mystery bug fix update for Macs

    It’s time to update your Mac… again. macOS Big Sur gets what might be its final update before macOS Monterey is released. And it’s a biggie. Clocking in at over 2.5GB, Apple describes Big Sur 11.5.2 as “bug fixes for your Mac.” Do you need to rush out to install this, and are there any gotchas or catches to installing it?

    I’ve been running this since its release, and to be honest, apart from the change of version number, I can’t see any difference. Performance is the same, battery life is the same, and reliability is the same. On the “how much of a hurry should I be to install this?” front, according to Apple, “this update has no published CVE entries,” which means that unless you’re being plagued by some bug or other that you’re awaiting a fix on, you could hold off updating for a while (as long as you’re up to date on Big Sur 11.5.1, which contained some pretty important security updates).

    To update macOS, click on the Apple logo in the top-left corner, go to System Preferences, find Software Update and download and install any available updates.

    UPDATE: Having set this up on a system where I was paying attention to the setup, I noticed that on first boot up users are given an option to set up accessibility features, and to set up Apple Pay on their Macs.


    Attacks against industrial networks will become a bigger problem. We need to fix security now

    Industrial infrastructure, including electricity grids, oil and gas facilities, manufacturing plants and more, has become a tempting target for cyber attackers, whether they’re criminal gangs attempting to make money from ransomware attacks, or nation-state-backed hacking operations out for espionage and disruption. Recent incidents – such as the Colonial Pipeline ransomware attack, and a cyber attacker attempting to modify chemical levels in the drinking water supply at a water-treatment plant in Florida – have demonstrated how industrial infrastructure is vulnerable to hackers, and that attacks against these systems can have a broader impact on the general public.

    Many industrial networks have operated on the same technology for decades, and the need to secure them against attacks is well known. With additional attention on the security around industrial control systems, there’s now an opportunity to make sure networks are protected against cyberattacks. But if this opportunity is ignored, it could be costly in the long run, leaving critical infrastructure vulnerable to malicious hackers.

    “I think that we’re getting to the point now where we had an opportunity to get ahead of this problem, and now this problem caught up with us,” Sergio Caltagirone, VP of Threat Intelligence at Dragos, told ZDNet Security Update. “There’s very few opportunities in cybersecurity where you get the benefit of foresight and this is one of those where we still can see a little bit ahead – we’re not as far ahead as we should be – but we can see that this is going to be a bigger problem, we all know that.”

    Action needs to come from the top down: “You have to start at the top level. Boards of directors and government’s policy groups need to start putting pressure on the operators – whether they’re state operators or quasi-state operations or completely private operations – they need to put pressure on organizations to do something,” said Caltagirone. That’s already started in the United States, as President Biden has ordered CISA and NIST to develop cybersecurity performance goals for critical infrastructure.

    In the meantime, it’s vital that organisations running industrial systems understand their networks, the potential security vulnerabilities they might contain, and who has authorisation to access what. That’s key in order to prevent attackers from gaining access to the network in the first place, or to detect unauthorised access as quickly as possible.

    “As a hacker you’re going to spend months studying the operations of those facilities. And that as a defender is such a critical time where you could have found them and done something, to have prevented them from knowing enough to do what they wanted to do,” said Caltagirone. “We do have a chance to stop it – but you just you have to take the opportunity to do so,” he added.


    Singapore SMBs keen on cyber insurance, concern about data security

    Often lacking in resources, more small and midsize businesses (SMBs) in Singapore are seeing cyber insurance as a viable option. They view these offerings as a way to balance cost and the need to safeguard their assets, especially as data leaks remain their biggest concern. Smaller organisations often had to grapple with limited budgets and manpower, and would want certainty in how much they had to invest. This was pushing more to look at cyber insurance as a way to achieve this, said Ang Yuit, vice president of strategies development for the Association of Small & Medium Enterprises (ASME), an industry group whose members are Singapore SMBs. Responding to ZDNet’s query about the adoption of cyber insurance amongst SMBs, Ang noted that such services provided a way for SMBs to boost their cybersecurity posture while managing their costs. Purchased at a monthly premium, cyber insurance helped these companies better determine how much they needed to put in and what they were getting back in return.

    It enabled SMBs to define the scope and investment of their cybersecurity protection, he said, in a virtual roundtable Thursday hosted by Lenovo. While it might not resolve every issue, Ang added that cyber insurance provided a viable alternative to simply purchasing security tools, which could be difficult to cost definitively. ZDNet understands that there are varying cyber insurance services encompassing packages that include some coverage of costs incurred during an attack and assistance in quantifying the attack’s impact on data and intellectual property. They also often are bundled with security assessment and incident response services, since it will be in the insurer’s interest to ensure the SMB has obtained a certain level of cybersecurity readiness and to mitigate the impact of an attack. In addition, insurers have been keen to provide more services targeted at SMBs, as these companies have much smaller infrastructure and, hence, carry less risk to assess and insure against, compared to large enterprises.

    Ease of adoption, in particular, is essential in driving greater security readiness in the SMB segment, according to Milad Aslaner, SentinelOne’s global director of cyber defence strategy and public affairs. Speaking in the roundtable, he said automation tools such as autonomous threat detection and response played a key role as they would help ease operations for smaller businesses. The ability to roll back from a security incident also was critical, Aslaner said. Getting SMBs to better safeguard their infrastructure was especially critical as many had rushed to go online amidst the global pandemic. This increased their attack surface and exposed more of their data, making them prime targets for attacks, he cautioned, noting that cybercriminals would aim for companies with a weaker security posture.

    Roy Ng, Lenovo’s central Asia-Pacific director of SMB, noted that many SMBs wrongly assumed they were too small to be targeted by hackers. Pointing to a study by Singapore’s Cyber Security Agency, Ng said the number of reported ransomware attacks last year mostly affected SMBs. While small, these companies held customer data that were of value to cybercriminals, he said.

    SMBs less proactive, driven by direct business impact

    Ang noted, though, that most SMBs were not adequately prepared to address security threats and already lacked a strong foundation, even as they accelerated their digital adoption in the last 1.5 years during the pandemic. “SMBs will deal with a problem when it’s there. [They’re more] focused on operational needs,” he said. When ZDNet asked if these businesses then found it challenging to fend off third-party attacks, which required regular assessment, he reiterated SMBs’ tendency not to proactively address issues unless there was an immediate threat or risk. Unless the requirement was stipulated in the service contract, they would prioritise other business operations.

    He noted, though, that they were particularly concerned about ensuring compliance with Singapore’s Personal Data Protection Act (PDPA). Pointing to personal data management as a good starting point to drive greater security awareness, he said SMBs were more worried about how they should secure their data, so they would not have to face ramifications of a breach under the PDPA.

    Aslaner said SMBs also would need to improve their security posture, as more enterprises were looking at architectural changes amidst the rise of third-party attacks, with focus mainly on zero trust frameworks. He noted that organisations were adding cybersecurity requirements as part of their supplier and vendor agreements. SMBs then would have to ensure they met these baselines if they wanted to continue doing business with certain enterprise clients, he said.

    Chris Tan, client technologist for Lenovo’s central Asia-Pacific, suggested SMBs begin by identifying their assets, including devices and data points. Ng also underscored the importance of user education, so employees could help their organisation avoid potential exposure and threats.

    According to IBM’s recent study, data breaches cost Asean companies on average $2.64 million per incident, compared to the global figure of $4.24 million. The cost of a breach, however, was $430,000 higher than the average for companies in Asean that had not undergone any digital transformation due to the COVID-19 pandemic. Organisations in the region took 307 days to detect and contain a data breach, including 223 days just to detect an incident, the IBM report revealed.

    Why Australia's Online Safety Act is an abdication of responsibility

    Image: Asha Barbaschow/ZDNet
    The Australian government reckons the internet is full of bad things and bad people, so it must therefore surveil everyone all the time in case anyone sees the badness — but someone else can figure out the details and make it work.

    This brain package always includes two naive and demonstrably false beliefs. One is that safe backdoors exist, so that all the good guys can come and go as they please without any of the bad guys being able to do the same. The other is that everyone will be nice to each other if we know their names.

    This big bad box of baloney blipped up again this week as part of the government’s consultation for the Online Safety (Basic Online Safety Expectations) Determination 2021 (BOSE) — the more detailed rules for how the somewhat rushed new Online Safety Act 2021 will work.

    Section 8 of the draft BOSE [PDF] is based on that first belief. “If the service uses encryption, the provider of the service will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful,” it says.

    It should go without saying that if the service provider can see whether something might be unlawful then it’s not actually encrypted, but the government seems to have trouble understanding this point.

    Wishing harder won’t bring you that magical decryption pony

    The simple fact is that if good guys can decrypt the data when they’re given some sort of authority, then so can the bad guys that use some sort of forged authority. And they will. Whatever form that authority takes, an escrow key, a “ghost” participant quietly added to the conversation, or a warrant presented to a support desk, it is just another secret or credential that can be stolen, forged or compelled. Anyone who’s studied the theoretical innards of computing science knows that this falls into a class of unsolvable problems. It just can’t be done. It’s the mathematics, stupid.

    For those who don’t understand that maths is real, reality can also be understood through thoughtful observation. If there was a way to determine who is and isn’t legitimately allowed to decrypt a message, or be given any kind of access to private data, then we’d already be using it, and hacking wouldn’t exist. This does not seem to have happened. Simply wishing harder won’t get you that particular pony for Christmas.

    Section 9 of the draft BOSE is based on the second belief, anonymity. “If the service permits the use of anonymous accounts, the provider of the service will take reasonable steps to prevent those accounts being used to deal with material, or for activity, that is or may be unlawful or harmful,” it says. Those “reasonable steps” could include “processes that prevent the same person from repeatedly using anonymous accounts to post material, or to engage in activity, that is unlawful or harmful,” or “having processes that require verification of identity or ownership of accounts”.

    More than two decades of experience has shown that having people’s names doesn’t stop the abuse. Just one recent example is the online racist abuse of English football players via Twitter, where 99% of accounts suspended for sending racist abuse were not anonymous. Indeed, having people’s identities or other personal information available is itself a risk.

    It takes but moments to find many, many examples of police misusing their data for personal purposes. Even if we could limit access to legitimate authorities — which we can’t — we can never know if their reason for access is legitimate.

    Why is the online world becoming more restricted than offline?

    According to the government’s consultation paper [PDF]: “A key principle underlying the Act is that the rules and protections we enjoy offline should also apply online”. But that’s simply not the case. As digital rights advocate Justin Warren explained in a Twitter thread, the Online Safety Act actually requires a much greater level of safety than exists in the offline world. “The doors in my house aren’t safe because I can jam my fingers in them. Same with all the cupboards. So could any 12-year-old,” he wrote.

    Section 12 of the draft BOSE discusses the protection of children from harm. It proposes “reasonable steps” such as age verification systems, something the UK abandoned as impractical, and “conducting child safety risk assessments”.

    “I note that we don’t make newspapers or broadcast television conduct child safety risk assessments before letting overpaid columnists talk at length about ‘cultural Marxism’,” Warren wrote. “We also let [ABC TV program] Play School teach kids how to make a drum from household items while their parents are trying to work at home during lockdown and I want to see that child safety risk assessment.”

    Conversely, the government doesn’t make Westfield monitor the conversations of people in the shopping mall food court in case they’re planning a bank robbery, yet that’s precisely what it now expects online platforms to do. It even expects them to figure out what is and isn’t harmful, both now and into the future. “Service providers are best placed to identify these emerging forms of harmful end-user conduct or material,” says the discussion paper. Warren is unimpressed, and your correspondent agrees.

    “This is the government explicitly abdicating its responsibility to consult with the public on what community standards are and wrestle with the difficult question of what ‘harmful end-user conduct or material’ actually is,” he wrote. “Instead of doing its job, the government wants Facebook and Google and other private companies to define what constitutes acceptable content. And tries to claim this is treating online the same as offline.”

    To see how well this might work in practice, one only has to see how YouTube recently blocked video of a drinking bird toy for being 18+ content. You may click through safely, though, because it’s not.

    ‘What about my rights?’

    While the discussion paper wants us to “enjoy” rules online — an interesting concept — it isn’t so hot on letting us enjoy our right to privacy and our right to freedom of speech and other communication. The only mention of rights in the consultation paper is when the government “reserves the right not to publish a submission”. The only mention of privacy is to tell submitters that their personal information will be handled in accordance with the Privacy Act 1988. The only mention of freedom is to say that submissions might be released under the Freedom of Information Act 1982.

    It’s the government’s job to protect our rights and freedoms, but in the online world they just can’t be bothered. By delegating these matters to the online platforms, with penalties if they fail to block ill-defined “harmful” conduct or material, they will of course do what is safest for them and err on the side of over-blocking. They will also err towards blocking material which causes them a publicity problem, such as public complaints from small but noisy communities. Restrictions in more authoritarian countries will continue to be propagated globally.

    “Online services [will] pre-emptively take down LGBT content when gronks brigade the reporting mechanism. An obvious outcome that has already happened in lots of places but that AusGov will ignore. Again,” Warren wrote.

    Of course this is only a consultation paper. The government has called for public submissions, and we have until October 15 to change its mind. Nine whole weeks. But given how the government has persisted with its demonstrably false beliefs no matter how many times the experts tell them otherwise, will that happen?