December 17, 2019

Deepfake Bot Submissions to Federal Public Comment Websites Cannot Be Distinguished from Human Submissions

Max Weiss

Publicly available artificial intelligence methods can generate an enormous volume of original, human speech-like topical text "Deepfake Text") that is not based on conventional search-and-replace patterns
I created a computer program (a bot) that generated and submitted 1,001 deepfake comments regarding a Medicaid reform waiver to a federal public comment website, stopping submission when these comments comprised more than half of all submitted comments. I then formally withdrew the bot comments
When humans were asked to classify a subset of the deepfake comments as human or bot submissions, the results were no better than would have been gotten by random guessing
Federal public comment websites currently are unable to detect Deepfake Text once submitted, but technological reforms (e.g., CAPTCHAs) can be implemented to help prevent massive numbers of submissions by bots

December 17, 2019

Describes the TwitterTrails tool that enables the investigation of rumors on Twitter
Using TwitterTrails, analyzes Pizzagate, an infamous conspiracy theory that gained prominence during the 2016 US Presidential election
Reveals several previously unknown facts about the story, including the role that a Turkish journalist played in internationalizing the rumor, visualizes the echo chamber of those who promoted it, and describes their identities and connections

November 12, 2018

Leading data privacy experts produced four protocols that they said were popular ways to render personal information anonymous so it could be shared or sold publicly
Experts relied on the HIPAA Safe Harbor, a flawed use of k-anonymity, an enclave, randomization, and standardized statistical values
None of their protocols achieved the privacy protection they promised
We were able to put names to the records in all of their protocols.

November 12, 2018

Examines the spread of two competing narratives on Twitter following the sarin gas attack in Syria in April 2017
Finds that false narratives tend to spread via widely networked distribution nodes, many of which are amplifier accounts created for the express purpose of increasing activity around a particular hashtag
Russian digital disinformation efforts are the result of new methods applied to old tactics, and tend to target online communities which have the greatest latent potential for agitation
Future research would do well to explore the actual impact of such disinformation efforts on either popular opinion or leader decision-making

October 08, 2018

We used newspaper data to match names to anonymized patient records in statewide hospital data from Maine and Vermont
We found that 28.3 percent of names from Maine news stories and 34 percent of names from Vermont news stories uniquely matched to one hospitalization in the Maine and Vermont hospital data.
When redacted to the HIPAA Safe Harbor standard, the Maine data allowed for a 3.2 percent re-identification rate and Vermont data allowed for a 10.6 percent re-identification rate.
Our results suggest that states should revisit de-identification practices and reassess risks to patient privacy when determining data sharing protocol

October 08, 2018

Presents a curated list of 44 historically noteworthy incidents in which individuals suffered privacy harms that were not the result of data breaches (theft of personal information).
Shows application of Solove’s Taxonomy of Privacy to recent privacy incidents.

October 08, 2018

We randomly sampled 693 Airbnb listings from Wisconsin from urban, suburban, and rural areas with varying population densities
We introduced a method to probabilistically re-identify Airbnb hosts using public voter files from Wisconsin and the fuzzed location of Airbnb listings
Despite Airbnb’s efforts to protect personal data, we re-identified 94% of cases using the first name and town of resident living closest to the location provided by a listing

August 31, 2018

Compete in <a class=MsoNormal href="https://thedatamap.org/contests/"><b>theDataMap Visualization Contest</b></a> and create unique visualizations to represent the sharing of personal health and mobile data.
Win a free trip to the Patient Privacy Rights Foundation (PPR) Health Privacy Summit in Washington D.C.
Submissions will be accepted until December 28, 2018 at 11:59PM (EST), and the winning team will be announced on January 7th, 2019.

September 05, 2017

Websites for 35 states and DC in 2016 were vulnerable to voter identity theft attacks: an imposter could submit changes to voter registration information
An imposter needed a combination of voter’s name, date of birth, gender, address, Social Security Number, or Driver’s License Number
Relevant data can be acquired from government, data brokers, or darknet markets. Total cost of an automated attack against 1% of all vulnerable voter registrations nationwide ranged from $10,081 to $24,926 depending on the data source used. States cost less, e.g., $1 for Alaska and $1,020 for Illinois
A voter identity theft attack could disrupt an election by imposters submitting address changes, deleting voter registrations, or requesting absentee ballots.

August 28, 2017

India has a widespread national ID system, Aadhar, that uses biometrics to verify identity before accessing many essential state and social services
Aadhar lacks significant privacy and data protections and has significant failure to match rates of up to 49%
India should consider greater privacy protections for Aadhar that follow ethical data practices including privacy by design
EU in 2018 will implement GDPR which will generally require explicit consent from individuals to use sensitive biometric data
The US has a sectoral approach where most activities with biometrics are generally allowed unless directly regulated by federal or state laws