• Risks Digest 31.55 (1/2)

    From RISKS List Owner@21:1/5 to All on Tue Feb 4 11:55:41 2020
    RISKS-LIST: Risks-Forum Digest Friday 31 January 2020 Volume 31 : Issue 55

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.55>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [USENET connection was broken for a while. NOW FIXED]
    Georgia election systems could have been hacked before 2016 vote (Politico)
    U.S. will look at sudden acceleration complaints involving 500,000 Tesla
    vehicles (Reuters)
    Alleged MSFT mega breach (Comparitech)
    How the Internet helped crack the Astros' sign-stealing case (ESPN)
    Australian General Practice Medical Data Aggregation Software
    (outcomehealth)
    Microsoft Warns of Unpatched IE Browser Zero-Day That's Under Active Attacks
    (The Hacker News)
    Is LongFi the Next Wireless Revolution? (LifeWire)
    Elaborate Honeypot 'Factory' Network Hit with Ransomware, RAT, and
    Cryptojacking (Darkreading)
    Recent paychecks are smaller for some feds due to National Finance Center
    error (Federal News Network)
    The Secretive Company That Might End Privacy as We Know It (NYTimes)
    London police to roll out live facial recognition across the city
    (Janosch Delcker, Politico Europe)
    The world's 2,153 billionaires are richer than 4.6 billion people combined,
    Oxfam says (Business Insider)
    Hospitals Give Tech Giants Access to Detailed Medical Records (WSJ)
    The Navy cryptically says it has top-secret UFO briefings that would cause
    'exceptionally grave damage' to US national security if published
    (NYTimes)
    Panicking About Your Kids' Phones: New Research Says Don't
    (Nathaniel Popper)
    Singapore updates AI governance model with real-world cases
    (The Straits Times)
    Clearview app lets strangers find your name, info with snap of a photo,
    report says (CNET)
    College career centers teach job applicants how to impress AI systems (CNN)
    Banning Facial Recognition Isn't Enough (Bruce Schneier, NYTimes)
    It May Be the Biggest Tax Heist Ever. And Europe Wants Justice
    (The New York Times)
    India Restores Some Internet Access in Kashmir After Long Shutdown (NYTimes)
    Y2038 is here (Twitter)
    Yikes, friend's LinkedIn account hacked and spamming (Google)
    From a car dealer (PGN)
    Re: "Don't expect a return to the browser wars" (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 17 Jan 2020 15:25:56 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Georgia election systems could have been hacked before 2016 vote
    (Politico)

    "[W]hat Logan's findings show us is that vulnerabilities were not just hypothetical as the state had been claiming. Now we know that it was a very real risk, but what we don't know is just how bad did it get. And the public deserves to know," she said.

    Georgia used the server to distribute critical election and voter
    registration files to counties throughout the state. However, the state has insisted that it never distributed files to program voting machines through
    the server. Instead, it delivered these files to counties physically. But if the server was compromised, it could have been a vehicle to distribute
    malware to any county election worker who connected to it.

    Georgia's secretary of state, Brad Raffensperger, did not respond
    immediately to a request for comment. Kemp served as secretary of state at
    the time of the 2016 election, before being elected governor in 2018.

    The Center for Election Systems at Kennesaw State University, which was responsible for programming all of the voting machines in Georgia before
    every election, owned and operated the server in question. That server was already known to have security issues.

    As POLITICO first reported, months before the 2016 election, Lamb discovered that the KSU server was improperly secured so that anyone could access sensitive election data stored on it, and it also had an unpatched vulnerability in so-called Drupal software the server used, which would have allowed attackers to take control of the server and alter or delete data on
    it, or to post malware that could have infected the computers of election officials accessing the server.

    Logan made the discovery by chance when he visited the Center for Election Services website to learn more about their role in programming voting
    machines for Georgia.

    After the POLITICO story published in June 2017, the plaintiffs filed their lawsuit and sought to obtain the server for evidence supporting their contention that Georgia's election systems are not secure and could have
    been tampered with in the 2016 election.

    But officials at Kennesaw wiped the server clean shortly after the
    plaintiffs filed their suit. The FBI had a mirror image of the server, which had been made in March 2017, but state officials fought to prevent the plaintiffs from obtaining it to examine. They lost that fight last year.

    Only recently was Lamb able to examine the server for evidence of tampering.
    In his affidavit, Lamb said the server appears to have been compromised in December 2014, using an unpatched vulnerability called *Shellshock* that had been publicly revealed and widely reported three months earlier.

    The Shellshock vulnerability is different from the Drupal one Lamb
    discovered when he visited the Center's website in 2016. Both the Shellshock and Drupal vulnerabilities had been publicly exposed around the same time,
    but despite both receiving extensive media coverage and even a Department of Homeland Security alert in the case of Shellshock, officials at the Center
    for Election Systems failed to apply a patch to close either of them when
    the patches were released.

    ------------------------------

    Date: Fri, 17 Jan 2020 23:43:39 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: U.S. will look at sudden acceleration complaints involving
    500,000 Tesla vehicles (Reuters)

    WASHINGTON (Reuters) - The National Highway Traffic Safety Administration (NHTSA) said Friday it will review a petition asking the agency to formally investigate and recall 500,000 Tesla Inc vehicles over sudden unintended acceleration reports.

    https://www.reuters.com/article/us-tesla-probe-idUSKBN1ZG1IL

    ------------------------------

    Date: Fri, 24 Jan 2020 4:49:32 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Alleged MSFT mega breach (Comparitech)

    https://www.comparitech.com/blog/information-security/microsoft-customer-service-data-leak/

    "Over the New Year, Microsoft exposed nearly 250 million Customer Service
    and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over
    the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed."

    ------------------------------

    Date: Sat, 18 Jan 2020 19:38:00 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: How the Internet helped crack the Astros' sign-stealing case (ESPN)

    https://www.espn.com/mlb/story/_/id/28476354/how-internet-helped-crack-astros-sign-stealing-case

    ------------------------------

    Date: Sun, 19 Jan 2020 21:28:37 +1100
    From: "Geoffrey Sinclair" <gsinclair@froggy.com.au>
    Subject: Australian General Practice Medical Data Aggregation Software
    (outcomehealth)

    The Australian Government has spent the last few years rolling out MyHealthRecord, a centralised personal electronic health record for every citizen which they and relevant medical staff can access. It has a widely publicised opt out mechanism and around 15% of the population have done so.
    The latest report indicates it is underutilised due to a variety of factors including the usual software incompatibilities.

    However a much quieter data gathering is going on. A software product
    called Polar GP (and/or other suites like PEN Cat, this is about Polar GP)
    is being offered free to General Practitioners as a way for big data to come
    to them, enabling detailed data analysis of their practice and patients, and has been around since early 2018 at least and went live on 1 August 2019.
    Polar also installs a program called Hummingbird to copy data offsite.

    This is part of an Australian Government initiative to upload GP data, encouraged with incentive payments, all practices have a 12 month window to comply to relevant standards. Privacy is covered by the anonymity and
    public benefit parts of the privacy act. Patient records are given an ID
    and practice number as part of the process of deleting individual
    identifying material, but birth date and complete medical histories are
    being exchanged and this is coupled with the relatively limited number of patients at each practice.

    Since the practice is considered to own the data it is they who consent to
    its sharing, the patient needs to request an opt out.

    Data is nominally sent via the government funded local, not for profit,
    Primary Health Network company which then claims ownership of the records
    and is expected to be a main user of the uploaded data, which is ultimately copied to the Australian Institute of Health and Welfare.

    The uploaded data, less the individual identifying material, is sent to a central repository, managed/maintained by a private company called Outcome Health, the practice sends hourly updates of the medical data, while holding the key to link it to the local records.

    The intention is to allow a number of organisations, including the practice,
    to look at the aggregated data for the benefits that can bring to health services. This idea is supported by the Royal Australian College of General Practitioners. Reports can be generated with medical and/or financial
    details.

    To quote one of the websites,

    "POLAR is suitable for use by all general practice staff, including
    practice principals, general practitioners, nurses, practice managers,
    business managers and admin staff.

    POLAR performs a data collection (extracts changed data) from the practice
    software every five minutes. The identified and de-identified practice
    data is encrypted using industry endorsed algorithms similar as those used
    in the health, banking and e-commerce sectors. The encrypted identified
    data is stored locally with the POLAR software.

    The encrypted de-identified data is uploaded directly to the POLAR data
    warehouse (located in Australia). Overnight the accumulated de-identified
    data is built into POLAR Reports and made available for the viewing by the
    practice the following morning. When POLAR is opened at the practice the
    locally stored identified data and the de-identified data drawn from the
    POLAR Data Warehouse are unencrypted locally and matched enabling reports
    to be viewed and analysed.

    POLAR software is developed by Outcome Health. Outcome Health are the
    custodians of the POLAR Data Warehouse. De-identified patient data is
    securely stored in the POLAR Data Warehouse (in Australia) for population
    health planning ....

    Support for POLAR is provided free by the individual Primary Health
    Networks (PHNs)."

    Posters put up in the GP offices appear to be about the limit of the publicity, the sign-up documentation list includes,

    "Step 5: A3 GP Poster (option 1 for reception area) or A3 GP Poster (option
    2 for reception area) documents - download, print and display in your
    reception area - option 1 or option 2 - your choice. Call us and we can send you a printed version."

    The posters indicate you need to ask at reception if you do not want your
    data included. The local GP practice had two posters displayed.

    Despite the software being in use for over 5 months no one at the practice
    had any idea of what Polar was or did, confusing it with MyHealthRecord, contending it really did not matter and trying the "put it in writing" approach. Even though the agreement to use the software requires the signatures of an authorised person plus witness and appoints a nominated administrator. In the end the practice called one of the relevant Primary Health Network IT people who clarified the situation. The person was
    acutely aware of the risk/reward equation along with the progress in re-identifying data and agreed to send written confirmation my existing data record had been deleted plus that no further uploads would be done. The written confirmation was supplied promptly.

    https://polarexplorer.org.au Log in page uses Javascript.
    https://outcomehealth.org.au/

    The GP practice also has a new booking system which uses, and staff trained
    to ask for, your birth date as the primary identifier when making an appointment, and has the booking software on the same system as email. If
    you do not supply a birth date the staff generally call it out "to confirm"
    it is you.

    ------------------------------

    Date: Sat, 18 Jan 2020 09:17:27 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Microsoft Warns of Unpatched IE Browser Zero-Day That's Under
    Active Attacks (The Hacker News)

    EXCERPT:

    Internet Explorer is dead, but not the mess it left behind.

    Microsoft earlier today issued an emergency security advisory warning
    millions of Windows users of a new zero-day vulnerability in Internet
    Explorer (IE) browser that attackers are actively exploiting in the wild --
    and there is no patch yet available for it.

    The vulnerability, tracked as CVE-2020-0674 and rated moderate, is a remote code execution issue that exists in the way the scripting engine handles objects in memory of Internet Explorer and triggers through JScript.dll library.
    <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001>

    A remote attacker can execute arbitrary code on targeted computers and take full control over them just by convincing victims into opening a
    maliciously crafted web page on the vulnerable Microsoft browser.

    "The vulnerability could corrupt memory in such a way that an attacker
    could execute arbitrary code in the context of the current user. An
    attacker who successfully exploited the vulnerability could gain the same
    user rights as the current user," the advisory says.

    "If the current user is logged on with administrative user rights, an
    attacker who successfully exploited the vulnerability could take control of
    an affected system. An attacker could then install programs; view, change,
    or delete data; or create new accounts with full user rights."

    Microsoft is aware of `limited targeted attacks' in the wild and working on
    a fix, but until a patch is released, affected users have been provided
    with workarounds and mitigation to prevent their vulnerable systems from cyberattacks.

    The affected web browsing software includes -- Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 running on all versions of Windows 10, Windows 8.1, and the recently-discontinued Windows 7.

    Workarounds: Defend Against Attacks Until A Patch Arrives. [...]

    https://thehackernews.com/2020/01/internet-explorer-zero-day-attack.html
    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001

    ------------------------------

    From: Gabe Goldberg <gabe@gabegold.com>
    Date: Tue, 21 Jan 2020 14:47:38 -0500
    Subject: Is LongFi the Next Wireless Revolution? (LifeWire)

    Author writes:

     IoT and Our Low-Powered Sensor Future

    There are, by some measures, more than 30 billion Internet of Things (IoT) devices in use around the world. Virtually all of them live on Wi-Fi and cellular networks, but a small number, mostly tracking devices, are communicating in essentially a third way, on a LongFi network powered by Helium's small, consumer hot spots. And if Helium has its way, the LongFi network will change the way millions of low-powered devices communicate and
    how widely-distributed networks are built.

    Even though Helium has been around for 6 years, I’d never heard of it and hesitated to accept a CES meeting with CEO and Co-Founder Amir Haleem. The concept, though -- a peer-to-peer wide-area wireless network with a crypto-currency angle -- was intriguing. Plus, the company was co-founded by Napster founder Shawn Fanning. [...]

    Building such a network, even without the infrastructure overhead of LTE or
    5G is not easy, but Helium cooked up an unusual solution. The company encourages consumers to put a Helium Hotspot in their home by making them a participant in the economics of the network, which is where Blockchain comes in.

    In addition to helping create the LongFi network, the Helium Hotspots are cryptocurrency mining systems and, depending on how third parties use the encrypted network, their hotspots may mine cryptocurrency in the form of
    Helium Tokens. The cryptocurrency collection is tracked in the Helium
    app. Granted, a Helium Token currently has no value, but someday, possibly depending on the scale of the Helium LongFi network, it may.

    That pitch was, somewhat surprisingly, enough to attract a couple hundred crypto enthusiasts in Austin, Texas (the network went live last
    summer). Haleem told me they also had no trouble finding takers enmeshed in
    the IoT world.

    https://www.lifewire.com/is-longfi-the-next-wireless-revolution-4782141

    Risk? IoT + blockchain?

    ------------------------------

    Date: Fri, 24 Jan 2020 11:40:14 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Elaborate Honeypot 'Factory' Network Hit with Ransomware, RAT, and
    Cryptojacking (Darkreading)

    A fictitious industrial company with phony employees personas, website, and PLCs sitting on a simulated factory network fooled malicious hackers -- and raised alarms for at least one white-hat researcher who stumbled upon it.

    EXCERPT:

    For seven months, researchers at Trend Micro ran a legitimate-looking phony industrial prototyping company with an advanced interactive honeypot network
    to attract would-be attackers.

    The goal was to create a convincing-looking network that attackers wouldn't recognize as a honeypot so the researchers could track and study attacks against the phony factory in order to gather intel on the real threats to
    the industrial control system (ICS) sector today.

    The faux company's factory network, which they purposely configured with
    some ports exposed to the Internet from May through December of last year,
    was mostly hit with the same types of threats that IT networks face: ransomware, remote access Trojans (RATs), malicious cryptojacking, and
    online fraud, as well as botnet-style beaconing malware that infected its robotics workstation for possible lateral movement.

    But there also were a few more alarming incidents with shades of more
    targeted intent. In one attack on 25 Aug 2019, for instance, an attacker
    worked its way around the robotics system, closed the HMI application, and
    then powered down the system. Later that month, an attacker was able to
    start up the factory network, stop the phony conveyer belt - and then shut
    down the factory network. Attackers via the HMI shut down the factory and locked the screen, while another opened the log view of the robot's optical eye. [...]

    https://www.darkreading.com/threat-intelligence/elaborate-honeypot-factory-network-hit-with-ransomware-rat-and-cryptojacking/

    ------------------------------

    Date: Tue, 21 Jan 2020 20:53:30 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Recent paychecks are smaller for some feds due to National Finance
    Center error (Federal News Network)

    /This story has been updated on Friday, Jan. 17 at 9:30 a.m. to indicate
    that some NFC employees have received larger paychecks than usual./

    https://federalnewsnetwork.com/pay/2020/01/recent-paychecks-are-smaller-for-some-feds-due-to-national-finance-center-error/

    ...well, then it's OK, that balances things.

    ------------------------------

    Date: January 19, 2020 6:03:03 JST
    From: Ellen Ullman <ullman@well.com>
    Subject: The Secretive Company That Might End Privacy as We Know It (NYTimes)

    A little-known start-up helps law enforcement match photos of unknown people
    to their online images -- and "might lead to a dystopian future or
    something," a backer says.

    This application scrapes social media for its database of images,
    approximately 3 billion photographs. It claims it can recognize individuals
    wearing hats and glasses, also faces in profile. Its efficacy and accuracy
    have not been independently tested, yet it is in increasing use by police
    departments nationally.

    https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html

    ------------------------------

    Date: Fri, 24 Jan 2020 10:42:48 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: London police to roll out live facial recognition across the city
    (Janosch Delcker, Politico Europe)

    Police in the British capital are set to deploy automated facial recognition technology across the city, it was announced today.

    ``The use of live facial recognition technology will be intelligence-led and deployed to specific locations in London,'' the Metropolitan Police Service said in a statement, arguing that this ``will help tackle serious crime, including serious violence, gun and knife crime, child sexual exploitation
    and help protect the vulnerable.'' <http://news.met.police.uk/news/met-begins-operational-use-of-live-facial-recognition-lfr-technology-392451>

    Democratic governments in the West are increasingly following the example of authoritarian regimes in deploying the technology, which allows them to scan faces in crowds, compare the results with stored data and identify
    individuals in real time.

    Civil rights advocates have warned that such *live* or *automated* facial recognition systems pave the way for mass surveillance on an unprecedented scale, but in a landmark case earlier this year, a U.K. court ruled that
    South Wales Police had used similar technology lawfully. <https://www.politico.eu/article/uk-court-backs-police-in-facial-recognition-lawsuit/>

    Earlier today, German news wire DPA reported that the German interior
    ministry dropped plans to roll out similar technology at over a hundred
    train stations across the country, following warnings by legal experts that
    the use would likely infringe the country's constitution.

    ------------------------------

    Date: Mon, 20 Jan 2020 10:54:13 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: The world's 2,153 billionaires are richer than 4.6 billion people
    combined, Oxfam says (Business Insider)

    - The world's 2,153 billionaires have more wealth than 4.6 billion
    people combined, Oxfam's latest report on inequality found.
    - The richest 1% are more than twice as wealthy as 6.9 billion people,
    or nearly 90% of the human population, the report estimated.
    - A key driver of the wealth gap is that women and girls put in 12.5
    billion hours of unpaid care work every day, the Oxfam researchers argued.
    - Their recommendations include investing in national care, passing laws
    to protect and pay care workers, and ending extreme wealth.

    EXCERPT:

    The world's 2,153 billionaires are richer than 4.6 billion people -- 60% of
    the global population -- combined, according to "Time to Care,"
    Oxfam's latest report on inequality.
    <https://oxfamilibrary.openrepository.com/bitstream/handle/10546/620928/bp-time-to-care-inequality-200120-en.pdf>

    "Our broken economies are lining the pockets of billionaires and big
    business at the expense of ordinary men and women," Oxfam India CEO Amitabh
    Behar said in a press release ahead of this week's World Economic Forum in
    Davos, an annual gathering of business, academic, and political leaders.
    <https://www.oxfam.org/en/press-releases/worlds-billionaires-have-more-wealth-46-billion-people>

    "No wonder people are starting to question whether billionaires should even exist," Behar added.

    The richest 1% are more than twice as wealthy as 6.9 billion people, or
    nearly 90% of the human population, the report's authors found. The 22 wealthiest men in the world, led by Amazon CEO Jeff Bezos and Microsoft cofounder Bill Gates, possess more wealth than all the women in Africa put together, they added.

    The Oxfam researchers highlighted a key driver of the issue: women and
    girls put in 12.5 billion hours of unpaid care work every day, contributing $10.8 trillion to the global economy each year -- more than triple the size
    of the global tech industry, by their estimates.

    "This great divide is based on a flawed and sexist economic system that
    values the wealth of the privileged few, mostly men, more than the billions
    of hours of the most essential work -- the unpaid and underpaid care work
    done primarily by women and girls around the world," they said.

    The authors made several recommendations to narrow the gap: Invest in
    national care to lessen the burden of care work shouldered by women and
    girls, pass laws to protect carers' rights and pay care workers a living
    wage, give carers a say in relevant decisions, challenge regressive and
    sexist norms, and ensure businesses value care work...

    [...] https://markets.businessinsider.com/news/stocks/2153-billionaires-richer-than-4-6-billion-people-combined-oxfam-2020-1-1028829249

    ------------------------------

    Date: Mon, 20 Jan 2020 11:14:51 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Hospitals Give Tech Giants Access to Detailed Medical Records (WSJ)

    Deals with Microsoft, IBM and Google reveal the power medical providers have
    in deciding how patients' sensitive health data is shared

    Melanie Evans, *WSJ*, 20 Jan 2020

    https://www.wsj.com/articles/hospitals-give-tech-giants-access-to-detailed-medical-records-11579516200

    ------------------------------

    Date: Sat, 18 Jan 2020 15:53:46 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: The Navy cryptically says it has top-secret UFO briefings that would
    cause 'exceptionally grave damage' to US national security if published
    (NYTimes)

    [PGNed Via Geoff Goodfellow]

    - The Navy says it has material about UFOs that, if released, "would cause
    exceptionally grave damage to the National Security of the United
    States."

    - The Navy said it "discovered certain briefing slides that are classified
    TOP SECRET" in response to a freedom-of-information request, which asked
    about a series of videos that showed pilots baffled by mysterious, fast
    objects in the sky.

    - The Navy previously confirmed it was treating these objects as UFOs --
    which means they are being treated as unexplained but not necessarily
    extraterrestrial.

    - One of the videos was published by The New York Times in
    2017, and pilots told *The Times* they saw the objects accelerate, stop,
    and turn in ways that went beyond known aerospace technology.
    <https://www.nytimes.com/2019/05/26/us/politics/ufo-sightings-navy-pilots.html>

    EXCERPT:

    The Navy has said it has top-secret information about unidentified flying objects that could cause "exceptionally grave damage to the National
    Security of the United States" if released.

    A Navy representative responded to a Freedom of Information Act request sent
    by a researcher named Christian Lambright by saying the Navy had "discovered certain briefing slides that are classified TOP SECRET," Vice reported last week. <https://www.vice.com/en_us/article/wxe54z/the-navy-has-secret-classified-video-of-an-infamous-ufo-incident>

    But the representative from the Navy's Office of Naval Intelligence said
    "the Original Classification Authority has determined that the release of
    these materials would cause exceptionally grave damage to the National
    Security of the United States."

    The person also said the Navy had at least one related video classified as "SECRET."

    Vice said it independently verified the response to Lambright's request with the Navy. <https://www.vice.com/en_us/article/wxe54z/the-navy-has-secret-classified-video-of-an-infamous-ufo-incident>

    Lambright's request for information was related to a series of videos
    showing Navy pilots baffled by mysterious, fast objects in the sky. <https://ufos-documenting-the-evidence.blogspot.com/2020/01/office-of-naval-intelligence-oni-admits.html>

    The Navy previously confirmed it was treating these objects as UFOs...

    https://www.businessinsider.com/navy-says-release-files-into-ufo-sightings-would-damage-security-2020-1

    ------------------------------

    Date: Sun, 26 Jan 2020 10:21:01 -0700
    From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
    Subject: Panicking About Your Kids' Phones: New Research Says Don't
    (Nathaniel Popper)

    *The New York Times*, 17 Jan 2020

    SAN FRANCISCO — It has become common wisdom that too much time spent on
    smartphones and social media is responsible for a recent spike in anxiety,
    depression and other mental health problems, especially among teenagers.

    But a growing number of academic researchers have produced studies that
    suggest the common wisdom is wrong.

    The latest research, published on Friday by two psychology professors,
    combs through about 40 studies that have examined the link between social
    media use and both depression and anxiety among adolescents. That link,
    according to the professors, is small and inconsistent.

    "There doesn't seem to be an evidence base that would explain the level of
    panic and consternation around these issues," said Candice L. Odgers, a
    professor at the University of California, Irvine, and the lead author of
    the paper, which was published in the Journal of Child Psychology and
    Psychiatry.

    https://www.nytimes.com/2020/01/17/technology/kids-smartphones-depression.html

    ------------------------------

    Date: Wed, 22 Jan 2020 18:34:23 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Singapore updates AI governance model with real-world
    cases (The Straits Times)

    https://www.straitstimes.com/world/spore-updates-ai-governance-model-with-real-world-cases

    The voluntary framework can be found here: https://www.imda.gov.sg/AI. It establishes fundamentally aspirational guidelines for organizations that
    adopt AI-based technology into their operations and/or products. The
    framework emphasizes these two key values:

    1) "Decisions made by AI should be EXPLAINABLE, TRANSPARENT & FAIR"
    2) "AI systems should be HUMAN-CENTRIC"

    That the framework conditionally expresses these progressive values reveals their portentous consequence were they applied as law and regulation. AI capabilities subject to demonstrate "EXPLAINABLE, TRANSPARENT & FAIR"
    operation and outcome, without exemption, would likely impose undue
    commercial liability and risk burden.

    Imagine if the AI capability was investigated, and shown (via logfile, transaction stream, sequence structures, judicial review proceedings, etc.)
    to render biased data processing results that a business uses for human
    capital management and hiring decisions, or performs loan approval, or authorizes medical expense payment? The consequences would likely be costly
    to both brand and valuation -- a result that strongly resonates with
    for-profit organizations.

    Some forms of bias are benign -- product material choice affects color-blind individuals, but might be unavoidable. If the product label clearly
    discloses this fact (not fit for use if color-blind, in black-and-white),
    the manufacturer is likely free from liability.

    Employment bias attributed to age, gender, ethnicity, etc. is not benign. AI-hiring bots need to transparently disclose their justification for
    candidate employment approval or rejection. Automatic trust is not merited
    in this case. Human review and oversight of AI conclusions are required to double-check machine outcome.

    Malcolm Gladwell's "Talking to Strangers: What We Should Know about the
    People We Don't Know," teaches that human trust between humans hinges on the

    [continued in next message]
