I Saw It On the Internet So It Must Be True

Understanding Confirmation Bias

When you see a story on the Internet that matches what you already believe, it feels true. Right? It’s everything you’d expect to see in the world. And when you see a story that doesn’t match your beliefs, you’re more likely to be skeptical and doubt the veracity of the information. That’s what confirmation bias is all about: confirming what you believe, whether or not it’s actually true.

According to Psychology Today, confirmation bias “occurs from the direct influence of desire on beliefs.” It makes sense, really. Who goes around thinking, “I’m wrong! I’m wrong!”? If you think you’re right, you’ll naturally tend towards information confirming your beliefs. Technology LOVES to enable that for you!

How Technology Makes Confirmation Bias Worse

Confirmation bias isn’t new, but technology today makes it easier to experience. Content providers like YouTube and Instagram want you to spend time on their sites. The more time you spend with them, the more money they make. And they encourage you to spend that time by feeding you stories or posts related to what you’ve viewed and spent time on in the past. (We talked about this in our post on Information Silos.) The more times you see posts that align with your beliefs, the more confirmation you’ll receive that your beliefs are true.

Technology does more than just guide us towards material it thinks we’ll want to see. The sheer amount of information out there means people have to make pretty hard choices about what they pay attention to. The World Economic Forum recently reported that people spend an average of 2.5 hours a day on social media. Expand that to just surfing the web, and that goes up to an average of 7 hours a day! With that much information flowing through our devices into our heads, is it any wonder people will key into what makes them feel better about what they think they know?

So what, though? Why is it a problem that the Internet confirms my belief that cats are gods and rule the world? As long as that’s as far as it goes, it isn’t. Unfortunately, there is a lot of evidence that confirmation bias feeds more than viral memes. It also feeds extremist viewpoints and scary organizations. 

What Can You Do About Confirmation Bias in 5 Minutes

  • Rather than searching for information that matches what you know, try looking for information to refute the idea. For example, don’t just search for the “best.” Also, try the corresponding search for the “worst.”
  • Before you share a post or an idea online, stop for a second and ask yourself whether you’d still believe and share this information if the opposite had been published by the same experts and sources.

What Can You Do About Confirmation Bias in 15 Minutes

  • Rather than trying to prove something to be true, spend a few minutes trying to prove it false, either by searching for different terms or becoming your own “devil’s advocate.”
  • Spend time looking through the sites listed on Media Bias/Fact Check and pick at least one news source outside your usual preference. 

What Can You Do About Confirmation Bias in 30 Minutes (or more)

  • You can do this one by yourself or with a team. Try running your belief through an exercise called the Six Thinking Hats. This technique takes a while to work through, but the idea is that you approach solving a problem or thinking through an idea in six different ways: structured, creative, positive, emotional, critical, and factual. The point is to do all six because they’ll each allow for exploration of a different facet of the topic. By the time you’ve gone through all six, you’ll be closer to a more well-rounded truth than you were before.

Wrap Up

Confirmation bias isn’t a technology problem, though technology definitely offers the perfect environment to feed this way of thinking. As long as you’re aware of it and willing to step back when needed, you can go on being quite certain that cats are gods. After all, you saw that truth on the Internet – it must be true!

Posted by heather in Communication, Line Dancing, 0 comments
Your Digital Body: Bias and Biometrics in Tech

What can possibly be more uniquely you than your physical body? Fingerprints, iris patterns, voice… These (and more) are what biometrics is all about. Biometrics are generally used in two ways: to verify that a person is who they claim to be (a one-to-one comparison against their own record) or to find out who a person is by searching a database (a one-to-many comparison).

Believe it or not, the use of biometrics as a means of identification has been documented back nearly 4,000 years ago, when Babylonians used fingerprints to sign contracts. Since then, fingerprints and other forms of unique physiological data have been used to identify individuals for a variety of reasons, such as to identify criminals or to authorize access to a resource like a document or a physical location. With modern computers (including smartphones and tablets), it is easier than ever to automatically take a complex image and compare it in detail to an image on record. Sounds pretty much perfect… or does it?

Bias in Biometrics

True story: a friend of mine tried to use one of the automated passport scanners to get through customs. It kept telling him that it didn’t see his face for a photo, even though he could clearly see himself on the screen. The officer minding the queue walked over and put a piece of paper over my friend’s head to add just a bit of shade, and suddenly everything worked. My friend is white and bald, and the glare from the overhead lighting on his head tricked the software into thinking his face wasn’t there. 

There are lots of stories out there about biometric-based services unable to handle dark skin tones, light skin tones, congenital disabilities, transgender faces, and so on. Much of the earlier modern bias resulted from the use of very limited datasets that contained more of one type of image than any other. For example, a database might have thousands of fingerprints to use for testing purposes, but they would include just one skin tone for the hands. Or a database might have a million faces, but mostly from middle-aged white males. Anyone that fell outside the parameters of what the developer tested for might be identified as “not white,” but uniquely identifying them would fail. 

The good news is that, at least when it comes to biased datasets causing havoc, there are efforts to improve the space. This has been a particularly important area of research for Artificial Intelligence and Machine Learning (AI/ML), and organizations like the Organisation for Economic Cooperation and Development (more commonly known as the OECD; think high-powered, treaty-based, international organization) have guidance for how these types of systems should be designed. Microsoft, a company that does quite a bit with AI, has some pretty extensive guidelines and governance as well. So there is hope and some established guidelines out there. These guidelines, if followed by everyone, would greatly reduce the computer bias in this space.

Other weaknesses of biometrics

If everything works as intended, biometrics are a great way to uniquely identify yourself to a computer. As long as no one does something gruesome to steal a body part, it’s all you, right? Well, sort of. The problem is that yes, your fingerprint (or face print, or iris pattern, or whatever) is on your physical body, but as soon as you scan it to be used for identification and access, it becomes an electronic asset. And as we all know, electronic assets can be hacked and stolen. Some call this the ‘fatal flaw’ of biometrics.

Back in 2019, a data breach of a company called Suprema exposed records affecting 1 million people, including fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, and more. And when those kinds of records are stolen, it’s not like you can actually change the information. You can change a password or PIN code, but you can’t (practically speaking) change your fingerprints. In those cases, all you can do is participate in identity theft prevention programs that will at least prevent new accounts that involve things like credit checks from happening without lots of hoops to jump through. All credit agencies have these kinds of programs (here’s one from Experian, and they’ll communicate things like fraud alerts to the other big credit agencies like TransUnion), as do some government agencies.

What you can do in 5 minutes

  • Make sure that the devices that are using biometrics have an alternative way to access the device, like setting a passcode for when facial recognition doesn’t work.
  • Use that passcode every once in a while so you don’t forget it!

What you can do in 15 minutes

  • Sign up for a credit monitoring service that will keep an eye out for when and where your information might be exposed in a data breach so that you’ll know when to take further action to prevent accounts from being opened with your information.

What you can do in 30 minutes

  • Interested in really learning more about the challenges of biometrics? Read this fascinating pre-print study submitted to the IEEE Transactions on Technology and Society to learn more!

Wrap Up

Biometrics are pretty cool, and if your accounts are using them as part of your login process, that means you’re using multi-factor authentication (MFA). You get a gold star! But, alas, biometrics are not perfect and while your physical attributes are yours, once they have been turned into bits and bytes on a computer, they can be stolen and used. 

If you have a choice between biometric MFA and no MFA, go ahead with the biometrics. If you have a choice between some other factor–like an authenticator app–and biometrics, go with the authenticator app. No technology is perfect, so the goal is to make it harder for hackers to get to your accounts rather than impossible.

Good luck! It’s a crazy world out there.

Posted by heather in Data Security, Topic, Line Dancing, Subject Level, 0 comments
Identifying Deceptive Communication: Deepfakes

From the cute visuals of the first full-length CGI animated movie (Toy Story in 1995) to special effects so realistic they fool the eye (I’m looking at you, Ex Machina, an Academy Award winner for Best Visual Effects), it can sometimes be nearly impossible to know what’s real and what isn’t. But that’s the unfortunate reality of modern technology: we create powerful tools that can be used for both good and bad. Welcome to the shady world of deepfakes.

What is a Deepfake?

Currently on Merriam-Webster’s Words We’re Watching list, deepfakes are described as: “a video that has been edited using an algorithm to replace the person in the original video with someone else (especially a public figure) in a way that makes the video look authentic.”

Gee, what possibly could go wrong?!

Sometimes, deepfakes are created purely out of fun, like the whole TikTok channel dedicated to Tom Cruise deepfakes. But sometimes, there is an agenda behind deepfakes to sow confusion, distrust, and doubt. For example, there are deepfake videos on both sides of the Ukrainian conflict that fall in that category. Because of real-life threats like this, schools like the University of Washington have developed entire courses dedicated to identifying all sorts of misinformation in online sources. It’s definitely not as easy as it used to be. 

Is It a Deepfake?

Norton, maker of a very popular antivirus software, has a fifteen-point list around how to identify deepfakes. Unnatural body motion and weird postures are on the list, but so are things like:

  • Teeth that don’t look real. (Are individual teeth visible?)
  • Unnatural eye movement. (Did they blink?)
  • Misalignment of audio and video. (Does it look like a poorly dubbed old spaghetti western movie?)

Interestingly enough, the technology behind NFTs is something that could help clear up whether an image or video is a deepfake by keeping an immutable record of the origin of the files in question. When the image and all its metadata are stored in a blockchain, any further changes will be explicitly stored such that anyone can see the history of who, what, where, and when the image file was created and added to the blockchain.
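To make the “immutable record” idea concrete, here is an added example (not code from the original post or from any NFT platform) of a minimal hash-linked provenance ledger. Each entry stores a hash of the media bytes plus its who/what/where/when metadata and the hash of the previous entry, so altering any past entry, or the file, breaks the chain. A real blockchain replicates and distributes this ledger across many parties; the linking and verification logic is the same. One caveat a practitioner would add: such a ledger proves a file is unchanged since registration and records each later version; it cannot show that the registered original was itself genuine. The file bytes and metadata below are constructed for illustration.

```python
"""Added example: a hash-linked, append-only provenance ledger.
Demonstrates how registering media plus metadata in a chain of hashes
lets anyone verify the file's history and detect tampering."""

import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    index: int
    content_hash: str   # SHA-256 of the media bytes at this point in history
    metadata: dict      # who / what / where / when, exactly as registered
    prev_hash: str      # hash of the previous entry (the chain link)
    entry_hash: str = field(init=False)

    def __post_init__(self):
        self.entry_hash = self.compute_hash()

    def compute_hash(self) -> str:
        # Canonical JSON so the same content always hashes the same way.
        body = json.dumps(
            {"index": self.index, "content_hash": self.content_hash,
             "metadata": self.metadata, "prev_hash": self.prev_hash},
            sort_keys=True).encode()
        return sha256_hex(body)


class ProvenanceLedger:
    GENESIS = "0" * 64  # link value for the very first entry

    def __init__(self):
        self.entries = []

    def register(self, media: bytes, metadata: dict) -> Entry:
        """Append a new version of the file together with its metadata."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = Entry(len(self.entries), sha256_hex(media), dict(metadata), prev)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry still hashes to what it claims and links
        to its predecessor; any edit to a past entry fails this check."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return False
            prev = e.entry_hash
        return True

    def matches_latest(self, media: bytes) -> bool:
        """Does this file match the most recently registered version?"""
        return bool(self.entries) and sha256_hex(media) == self.entries[-1].content_hash

    def history(self) -> list:
        """The who/what/where/when trail, oldest first."""
        return [{"index": e.index, **e.metadata} for e in self.entries]


if __name__ == "__main__":
    # Constructed sample: an "original" clip and an edited version of it.
    original = b"frame-data-original-constructed"
    edited = b"frame-data-edited-constructed"
    ledger = ProvenanceLedger()
    ledger.register(original, {"who": "camera-owner", "what": "raw clip",
                               "where": "studio", "when": "2022-03-01"})
    ledger.register(edited, {"who": "editor", "what": "color-corrected",
                             "where": "edit-suite", "when": "2022-03-02"})
    print("chain intact:", ledger.verify_chain())
    print("original still current:", ledger.matches_latest(original))
    for step in ledger.history():
        print(step)
```

Anyone holding a copy of the ledger can re-run `verify_chain()`; anyone holding a file can check it against the latest `content_hash`. What the ledger cannot do is vouch for the honesty of whoever made the first registration, which is why provenance records complement, rather than replace, the visual checks listed above.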

Artificial Intelligence (AI) is another area that’s being explored to help control the deepfake problem. Several of the big tech giants are working on having AI identify deepfakes. Ironically, AI and its sibling, Machine Learning, are often what generate the deepfakes in the first place. This adds a whole new dimension to cyberwarfare and computers fighting computers.

Pop Quiz!

So, think you can figure out which images are deepfakes and which aren’t? Microsoft has a fun online quiz you can take to see how well you do in identifying these types of images. Or, for even more fun, you and your friends can work through an escape room game called the Euphorigen Investigation, a project co-developed by the CIP, the Technology & Social Change Group at the UW Information School, and other partners.

Why We Care

The existence and growing prevalence of deepfakes is a huge problem. When it becomes too hard to figure out what’s real and what’s not, the safest choice is to assume it’s all not real and nothing can be trusted. People cannot make informed decisions when there are no trusted sources of information. Even where deepfakes are relatively obvious, their existence sows general distrust in the information available. 

There are a variety of fact-checking sites out there (here’s a good list) that can help, and it’s worth taking a moment both to find a reputable fact-checking service AND to make sure it has solid ratings with regards to political neutrality.

Good luck out there, and don’t forget to check your sources!

Posted by heather in Communication, Line Dancing, 0 comments
Information Silos – the First Click Down a Rabbit Hole

Human behavior, at a grand level, is often fairly predictable. While you’ll find exceptions for every single rule out there, for the most part, people want to be comfortable. They want a decent place to sleep (for their definition of decent). They want enough to eat (for their definition of enough). They want to feel safe (for their definition of safe). There’s an interesting theory called Maslow’s Hierarchy of Needs that touches on all of this, but what we’re going to focus on here is how people prefer to engage with other people like them. 

There are so many examples to point to of this kind of behavior. Ethnic neighborhoods in cities. University fraternities and sororities. Hobby groups like book clubs or knitting circles. People find comfort in being with people they feel like they understand. They like hearing messages that affirm what they believe. And that’s not always wrong. It’s not always right, either, but right and wrong aren’t the point. The point is, people LOVE this kind of thing. Not just in physical reality, but also in virtual reality. Media companies, advertising services, political parties, lobbyist organizations, they love it, too. They find this basic human tendency to want to be with like-minded people and have like-minded ideas validated absolutely the Best Thing Ever.

In previous posts, we’ve talked at a high level about how tracking happens on the web. And tracking is a part of building information silos. Tracking, however, doesn’t necessarily mean following you as you surf the web. It can also be a single company following what you choose to see on their own site. The purpose of these platforms is to get you to spend lots of time there. The more time you spend, the more money they make. And they get you to spend time there by showing you what you, comfort-loving human that you are, want to see.

It’s not always about money, though. China is probably the most common example of when and how governments can get involved in building information silos. In those cases where censorship is a real and pervasive problem, the information silos are about explicitly controlling behavior by controlling information. 

But let’s get back to the drive of capitalism; government control and censorship is a topic for another time. When we’re talking about Western Culture and capitalism, it all boils down to making money. And keeping you on a single platform means that platform shows you all the advertisements, gets all the subscriptions, and generally makes out like a bandit.

YouTube has been studied quite a bit when it comes to how they tweak their services to show you what you (probably) want to see. Of course, a human isn’t on the other side of your screen, quickly flipping through content and deciding that you, Alice, would really like this cat video. They have a computer figure all that out, and computers make decisions using algorithms. Think of it like a whole lot of “if this, then that” decisions. A digital image is a bunch of dots. Where the dots are located, what colors they represent, all of that can be turned into numbers. Those numbers are then matched to say “this is like that” – that’s how pattern matching works. A computer can get pretty darn good (though not perfect) at matching cats to more cats. A digital image is also more than a bunch of dots. It also has information that says who uploaded the image, how they described the image, when the image was taken, and quite possibly. All that information is fed to the algorithms so it knows what it has to work with.

So, you have a big database of information about content. What other kinds of information can be added to this data soup? Ah, yes! Who has actually looked at the content in the past! Just like an image is more than dots – it’s the wide variety of information about what, when, where, and who uploaded the image – a visitor to the site is more than a single statistic. A visitor quickly builds a profile about themselves, starting with the information of what brought them there. 

I’m pretty sure my first visit to YouTube was to find bird videos for my cats, and to this day, the first thing YouTube shows me when I follow a link back to their platform is another video of birds for cats. In an effort to keep me on the site, there will always be bird videos for cats. And, hey, since I like cats, I will probably like videos about cats, too. I’ll probably also like videos about people who train cats to do tricks. Hours later, I am thoroughly enjoying all things cat, I have a cat on my lap watching the screen with me, and I have suffered through countless pet food commercials.

Which, for me, is pretty harmless. But it isn’t always. There has been some interesting research about how this kind of algorithmic content matching takes people down really ugly rabbit holes. These rabbit holes are extremely disturbing to me, but can be so validating to someone else. I have my silo of liberal, cat-loving people. They have their silo of conservative, end-of-world preppers. And without research, I’ll never have any idea of what kind of information they are hearing over and over and over again, because that’s not going to show up in any of my online content feeds. 
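The feedback loop described above (profile built from what you clicked, feed ranked by that profile, clicks updating the profile) is simple enough to simulate. The following is an added example, not code from the original post and not how YouTube or any real platform works internally: a toy “show more of what you clicked” recommender over a constructed catalogue of tagged videos. Two viewers who start from different first clicks end up with watch histories that share nothing, which is the silo effect in miniature.

```python
"""Added example: a toy engagement-driven recommender, to illustrate how
'if you liked this, here is more of that' narrows a feed into a silo.
Catalogue, topic tags and viewer behaviour are all constructed."""

from collections import Counter

# Constructed catalogue: each video is tagged with the topics it covers.
CATALOGUE = {
    "birds_for_cats": {"cats", "birds"},
    "cat_tricks": {"cats", "training"},
    "kitten_compilation": {"cats"},
    "cat_food_review": {"cats", "products"},
    "dog_training": {"dogs", "training"},
    "wild_bird_documentary": {"birds", "science"},
    "climate_explainer": {"science", "news"},
    "election_analysis": {"news", "politics"},
    "campaign_speech": {"news", "politics"},
    "prepper_gear_review": {"prepping", "products"},
    "cooking_basics": {"food"},
}


def score(profile: Counter, topics: set) -> int:
    """Affinity = sum of the viewer's accumulated interest in each topic."""
    return sum(profile[t] for t in topics)


def recommend(profile: Counter, seen: set, k: int = 3) -> list:
    """Rank unseen videos by affinity (ties broken alphabetically so the
    simulation is deterministic) and return the top k as the 'feed'."""
    candidates = [v for v in CATALOGUE if v not in seen]
    return sorted(candidates, key=lambda v: (-score(profile, CATALOGUE[v]), v))[:k]


def simulate(first_click: str, rounds: int) -> dict:
    """A comfort-seeking viewer always clicks the top recommendation.
    Every click feeds the profile, which shapes the next feed."""
    profile = Counter()
    seen = set()
    history = []
    click = first_click
    for _ in range(rounds):
        seen.add(click)
        history.append(click)
        profile.update(CATALOGUE[click])   # the click becomes part of the profile
        feed = recommend(profile, seen)
        if not feed:
            break
        click = feed[0]
    topic_share = Counter(t for v in history for t in CATALOGUE[v])
    return {"history": history, "topic_share": topic_share}


def shared_content(a: dict, b: dict) -> set:
    """Videos both viewers have been shown; empty means disjoint silos."""
    return set(a["history"]) & set(b["history"])


if __name__ == "__main__":
    cat_viewer = simulate("birds_for_cats", 4)
    news_viewer = simulate("election_analysis", 4)
    print("cat viewer saw:", cat_viewer["history"])
    print("news viewer saw:", news_viewer["history"])
    print("content in common:", shared_content(cat_viewer, news_viewer))
```

Run it and the cat viewer gets four rounds of cats while the news viewer gets four rounds of news and science; neither feed ever contains the other’s content. The point is not that the algorithm is malicious but that it optimises for the comfortable click, and with a bigger catalogue the loop just runs longer before anything from outside the silo scores high enough to appear.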

Information silos are good for business. Think about it: why on earth would a content platform want to make you uncomfortable? You won’t ever visit them again! You’re here for entertainment and comfort, not to be constantly challenged by stuff you think is absolutely insane (and not in a good way). 

Information silos are not, however, good for societal empathy. It’s a lot harder to understand the other side of the story if you never see it. And if you’re in a silo, anyone from outside who challenges the information that you’ve already decided makes you happy and comfortable has an uphill battle to get you to change your mind.

It almost sounds like an unwinnable scenario, but at least in this case there are a few easy, actionable things you can do.

  • Easy step: Follow a service like Ground.News that explicitly shows a variety of news stories and what political leanings those stories come from. More than once I’ve said “huh. If that’s what the people in that other information silo are reading, no wonder they’re making those bizarre decisions!”
  • Less easy step: Regularly watch the news of your least favorite popular news source. I’ll admit, I struggle with this one because it makes me crazy. But it’s very effective in helping understand other viewpoints (even when I vehemently disagree with them).
  • Hard step: Go international. If you see a news article on war in some foreign country, go look for how the news is being reported elsewhere. Are you getting the same information in the U.S. that is being shown in France? What’s being reported in the English language version of the newspapers in Malaysia? It’s fascinating what’s considered important outside your silo.

Information silos are absolutely a thing. They are a comfortable thing. They make day-to-day living a lot simpler. They give you what you want. And there’s nothing wrong with that… as long as you realize that a) you are in a silo and b) you really need to leave that silo every once in a while.

Good luck! It’s a big world out there.

Photo by Jim Witkowski on Unsplash

Posted by heather in Communication, Line Dancing, 0 comments
All About Memes: Origin, NFTs, Identity Theft, and More

Ahhh, memes. Those funny images that go viral on social media. Would you be surprised to learn that the concept of a meme predates the Internet? It’s true. So then, just what is a meme?

The word “meme,” according to Dictionary.com, was coined in 1976 by the evolutionary biologist Richard Dawkins to describe the cultural transmission of ideas. The latest definition is as follows:

  1. an element of a culture or system of behavior that may be considered to be passed from one individual to another by nongenetic means, especially imitation.
  • a humorous image, video, piece of text, etc., that is copied (often with slight variations) and spread rapidly by internet users.

You could argue that memes are actually a concept far older than the word itself. Case in point: folklore. The main purpose of folklore is to share ideas across generational and social boundaries, very much like memes, and that activity can be documented as far back as 6,000 years ago. WAY older than the Internet!

The First Modern-Day Meme

Enter the first modern Internet meme: Baby Cha-Cha-Cha

Now whether it’s actually the first is open to debate, but the Dancing Baby is most commonly known to be the first viral video on the Internet. Since memes are an expression of culture, exactly what you might think of as a meme will vary as culture evolves. Baby Cha-Cha-Cha is a great example. In its day, it was absolutely a meme, a resounding new idea that spread everywhere and expressed the crazy design possibilities of the Internet. Today? Eh. Where are the catchy words to go along with it? The phrase that will make it the perfect amount of snark?

Memes, Copyright, and NFTs

If you create a meme, and it goes viral, you become rich, right? Nope. You probably won’t get bragging rights either since people will have no idea where the meme came from once it spreads fast enough through the interwebs. 

Memes generally fall under the heading of “fair use” when it comes to things like copyright protection. Public Knowledge has a great article that describes the whys and wherefores of that, but at the end of the day, creative expression that takes an image and turns it into something new (new meaning, new interpretation, new insight) will almost always fall under fair use.

This is a good moment to point out how owning a meme and NFTs can overlap: 

Artists create things, but once their thing is sold (and sometimes even before that), they lose all control over that asset. If the asset is resold, the original artist usually doesn’t see any commission. An NFT can serve as a receipt that makes sure that every future transaction gives the artist some additional compensation for their creation. This is a potential game-changer for artists, but it’s not perfect. (Learn more about NFTs in this post.)

Artists (and let’s assume that people who create memes count as artists) have already started exploring selling their memes as NFTs. The idea of owning the original digital file of a meme is compelling to some. One of the challenges here, though, is that owning the original digital file does not necessarily give you copyright ownership of it, and it doesn’t mean you own any of the copies. The idea of NFTs as a way to give artists more control over their work has merit, but the idea hasn’t quite worked the bugs out. 

Memes and…Identity Theft?

And what about memes and identity theft? As cute as they are to see in your media stream, those little image files can contain malware—code that can help a hacker compromise your computer or mobile device. They can also encourage you to respond with personal information. How many times have you seen a meme like “Porn star name generator!” with a list of crazy names next to various dates? It is hilarious and absurd. It is also data harvesting with an eye toward identity theft.

Some memes build on a picture of a person who will forever be associated with that one image. Decades later, when a potential hiring manager does a search on their name, it’s still that one image that somehow defines them for the rest of their lives. The image of Disaster Girl is a perfect example of that. Zoë Roth was a child when that photo was taken over twenty years ago, and yet, that’s her legacy as far as the Internet is concerned. 

So, Why Should You Care?

Memes aren’t going to go away, nor should they! They are hilarious and they express information in ways words can’t. They’re fun to see, fun to use in presentations, and fun to have as shorthand to express agreement, disgust, sarcasm, and support; they are just that powerful a form of expression.

But this wouldn’t be the Identity Flash Mob blog if we didn’t have a few suggestions for you to keep yourself safe online, even where memes are concerned.

  • If someone sends you a file that you don’t expect, don’t open it. If it’s someone you know, ask them to send you the link where they got it, or at least where they created it (if they’re the originator).
  • If you are posting photos of yourself online, either lock down the permissions as to who can see them or accept that someone might pick up that image and run with it in ways you never imagined. 
  • If you are posting photos of your children online, really, really lock down those permissions. Please. Your child will thank you when they’re older. If you can’t resist sharing the cute, listen to or read the transcript of this excellent Vox podcast.

With that, it’s time to go see what new creative memes have been created. Catch you on the flip side! 

Photo by Brooke Cagle on Unsplash

Posted by heather, 0 comments
Security in the Metaverse: What You Need to Know Now

Ahh, the metaverse. Depending on who you ask, it is either an impressive evolution of the online experience or a poorly defined marketing ploy. And, at least for now, there isn’t just one metaverse, which has lots of implications for how to protect yourself as you move from one to another. Regardless of how many there are or what side you take on whether any of them will succeed, you can sum up the idea like this:

The metaverse is almost like a parallel dimension—it blurs the lines between the physical world that you and I know and the virtual world…like artificial reality and cryptocurrency. – from IFM’s metaverse blog post

Wouldn’t it be fantastic if we could plan for digital identity and security in the metaverse even while the metaverse is still being figured out? When the Internet was first designed, it missed the boat when it came to building in digital identity and security. Everything we know about how to verify someone’s identity online was added long after the bones of the Internet were set. 

Owning your security in the metaverse

The old saying is, “On the Internet, no one knows you’re a dog.” In the metaverse, no one will know if the “person” they are interacting with is really a person or a computer simulation. Creating digital accounts is really pretty easy. Making them realistic is just as easy, as humans don’t do a good job of protecting their personal information. Birthdates, location data in photographs, responses to Internet memes—it’s all out there waiting to be used to either hack existing accounts or create new ones that look like a real person for the purposes of fraud or harassment.

Several of the companies working on their version of the metaverse hope to include identity and security by using Web3 technologies like blockchains that guarantee the uniqueness and ownership of a piece of information online. Which is good as far as it goes, but it doesn’t go far enough (yet). NFTs, built on supposedly secure Web3 and blockchain technologies, have already seen their fair share of fraud despite the technology. Still, we’re in the early days of figuring out how to make NFTs and Web3 long-term useful ideas, so there may be something there. Or not. We’ll see.

Regardless of whether fancy new technology will try to come in and save the day, you as the human actually have a lot you can do to help make your experience more secure. The good news is that what you can do to secure yourself in the metaverse are the same things you should do to protect yourself online today:

  • Control the information you share online (and don’t respond to silly memes, no matter how much you want to know what your name should be on the next royal wedding invitation).
  • Use good passwords. (We have a post about that.)
  • Never assume that the new person you’re talking to is who (or what) they say they are. 

Authenticating when you’re already there

Let’s look at where the metaverse is closer to reality: virtual reality! Those companies already branching out into metaverse products, like VR meetings or immersive games, now have to figure out how to authenticate users in VR (remember, use good passwords!). They could try and go old-school and have someone type on a virtual keyboard…except most users will only be using the VR headset. So, what are they supposed to do? A laser pointer at a virtual keyboard, hunting and pecking for each key? Uh, no. There are always biometrics, of course. Retinal scans, voice scans, fingerprints…But each of those needs a fallback for when the physical reality means biometrics aren’t feasible.

No problem! Let’s make the VR device itself be your password! That actually has some promise and is an area already being explored, but there are still issues with how to handle shared devices (as anyone with more than one kid can tell you when it comes time to share the game controllers) as well as the reality that gamers rarely sign in as themselves. Also, the idea of moving away from traditional passwords is not without its challenges. Hacks are still possible (drat those hackers!), and there are questions as to whether it’s even a good idea to tell users to just “trust the magic” of what they don’t see.

At the end of the day, there’s just a lot that needs to be explored to make the metaverse a more safe and secure experience for everyone. 

Conclusion

The metaverse is expected to be THE online experience of the future. Right now, it seems like it is not only inheriting the security flaws of the Internet, but it’s coming up with new ones all on its own. CNBC has a great article on what kind of dangers are being introduced, which is scary, but it’s also an opportunity. We know the dangers (at least, we know some of them) which means we can plan for them. 

Posted by heather in Web3, Data Security, Line Dancing, 0 comments
A Very Useful Article About Online Passwords

Is there anything more likely to make a non-techie yawn than a lecture about passwords? “Make them hard!” “Don’t put them on sticky notes!” “Change your passwords like you change your underwear!” So much lecturing when people just want to get into their online accounts! Well, guess what, my friends. That advice is actually pretty outdated. Let’s talk about real-world, up-to-date dos and don’ts for passwords!

Passwords: So Last Decade

Quite a bit of the old advice out there is either based on old technical limitations or a lack of understanding about how people actually think. For example, requiring frequent password changes—this is NOT necessary.

Passwords Are Not Underwear

According to the National Institute of Standards and Technology (NIST)—the US government department that provides some of the most well-recognized, current advice on digital identity—websites that require users to reset their passwords every few weeks or months are just causing people to use (and reuse) easily cracked passwords. Should users change their passwords after a breach? Yes, definitely. Should they change their passwords every month? No. The way NIST puts it, “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future.” So, yeah, requiring frequent changes does not have the effect people think it should.

Hard for a Computer, Not for a Human

Did you ever see someone stuck with a password like “$*&fas09iur3jfsk#” that they created because of requirements to use letters, numbers, and certain other characters? Yes, that’s a fine password if a site allows for it, but you know what else really works? “My cowlick speaks batteries.” Or “My cat paw no tail!” Those are passphrases, and a nice long passphrase is actually better for most people than a random character generator. (The smart folks at NIST said that, too.) Just make sure the passphrase isn’t actually a grammatical sentence and you’re golden.

Reality of Recording

It’s been a long-standing tradition to mock people who write their passwords on sticky notes and put them on their computers. But that said, if I had to choose between a person who is more comfortable with writing their passwords in a little black book they keep in a drawer at home near their computer or someone that uses a single password for all their accounts because technology is hard, then by all means! Bring out the book! This really boils down to a question of what risk are you trying to manage—someone physically breaking into your house and stealing your passwords, or someone hacking accounts online. 

The Brave New Password World

If frequent password changes, gobbledygook passwords, and physically recording passwords somewhere are the old guidance, is there anything new? Why yes, yes there is! Well, relatively new. Let’s start with my personal favorite, multifactor authentication.

Multifactor or Second Factor Authentication (MFA or 2FA)

If a website or service is doing The Right Thing, then just asking you for your password isn’t going to be enough to get you in. It should also ask you for another piece of information, either a one-time code it sends you, a scan of your fingerprint, or even a code from an authenticator app like Google Authenticator or Authy. This is called either second-factor authentication or multifactor authentication (2FA is a subset of MFA; there are Super Top Secret Secure sites out there that will require a third or even fourth factor. Multiple factors are a thing.)  

There’s a really good reason for requiring at least one additional factor.

Let’s say that your username and password were hacked. If the hacker has that, and MFA wasn’t enabled, then they can just waltz in and do whatever they want. If it’s your banking password, then there goes your money as they transfer it away. If it’s your language learning app, there goes your progress as they delete your account. And so on.

But if MFA has been enabled, then even with the password, the hacker is kinda stuck. There is a short-lived piece of information they don’t have, and that’s a way harder nut to crack. Can it be done? Yes, there are techniques that will help a hacker work around MFA security. But that has to be very targeted to an individual; wide-scale account compromises become way harder.

Screening Your Own Passwords

The moment has come. It’s time to set a password. For some reason, you aren’t using a passphrase (probably because outdated sites are limiting the number of characters you can use for your password. Bad site! Bad! No biscuit!) You might want to just do a quick check that you aren’t using one of the really super common passwords out there. 

Wait, you’re not a hacker! How are you supposed to know what other people’s passwords are? As it turns out, lots of people tend to use the same passwords. There are websites dedicated to sharing the top 10, 20, or even top 100 common passwords out there on the Internet. Even baby hackers can pick up that list and have a decent chance at hacking into a bunch of accounts. It won’t take but a moment for you to do a quick scan of those lists to see if the password you set your heart on (don’t say ‘qwerty,’ don’t say ‘qwerty’) is on the short list of common passwords out there.
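Here, as an added example that is not part of the original post, is what a simple screening check along the lines of the NIST guidance described above might look like in Python. The blocklist is a constructed stand-in for the published common-password lists the post mentions, and the variant-stripping and repeated/sequential-character checks are my additions rather than anything the post prescribes.

```python
import re

# Constructed stand-in for one of the published "most common passwords"
# lists. A real check would load the full list from a file; these few
# entries are sample data only.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "iloveyou",
    "letmein", "football", "monkey", "abc123", "111111",
}

MIN_LENGTH = 8  # NIST's minimum length for a user-chosen memorized secret


def normalize(candidate: str) -> str:
    """Case-fold and strip so 'Password' and 'password ' screen the same way."""
    return candidate.strip().lower()


def blocklist_variants(candidate: str):
    """Yield forms of the candidate to look up in the blocklist.

    Besides the plain value, this strips trailing digits/punctuation and
    undoes a few letter-for-symbol substitutions, so 'Password1!' or
    'p@ssw0rd' still match 'password'. Added heuristic, not NIST text.
    """
    base = normalize(candidate)
    yield base
    trimmed = re.sub(r"[\d\W_]+$", "", base)
    if trimmed and trimmed != base:
        yield trimmed
    table = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "l"})
    for form in (base, trimmed):
        deleet = form.translate(table)
        if deleet != form:
            yield deleet


def has_repeats_or_sequence(candidate: str, run: int = 4) -> bool:
    """Flag 'aaaa'-style repeats or 'abcd'/'1234'-style runs of length >= run."""
    s = normalize(candidate)
    if re.search(r"(.)\1{%d,}" % (run - 1), s):
        return True
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def screen_password(candidate: str, blocklist=COMMON_PASSWORDS,
                    min_length: int = MIN_LENGTH) -> list[str]:
    """Return the reasons to reject the candidate; an empty list means it passes.

    Deliberately absent: composition rules (must contain a digit, a symbol,
    ...) and any expiry date. As the post notes, NIST recommends against both,
    so a long passphrase of plain words sails through.
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if any(v in blocklist for v in blocklist_variants(candidate)):
        reasons.append("matches a common password (or a trivial variant of one)")
    if has_repeats_or_sequence(candidate):
        reasons.append("contains a repeated or sequential run of characters")
    return reasons


if __name__ == "__main__":
    for pw in ["qwerty", "Password1!", "p@ssw0rd", "abcd1234xyz", "My cat paw no tail!"]:
        verdict = screen_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```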

Password Managers

Password managers are MY FAVORITE THING, at least when it comes to basic Internet security hygiene. This is the electronic version of the Little Black Password Book mentioned earlier. Even with the use of passphrases and MFA, it’s still a really good idea to use different passwords for different sites. The thing is, that really adds up! One study out there says that the average person these days has around 100 passwords to worry about. That’s just too many to remember.

Some mobile devices have a built-in password manager. Some web browsers do, too. The trick is to find a password manager that actually lets you work across platforms and devices. Probably the top-rated ones out there right now are LastPass (which has both a free and a premium version) and 1Password (which is entirely subscription-based, and is rated pretty highly, too). 

One bonus to a good password manager is that they’ll actually do the password screening described earlier for you.

The Future of Passwords

If you talk to people who actually work in the digital identity and cybersecurity space, they will tell you how much they want passwords to just not be a ‘thing’ anymore. The good news is that there is a LOT of work underway to make that dream a reality. One particular effort coming out of the FIDO Alliance really looks brilliant. In that brave new world, a user can unlock the security by “swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.”

Technology is constantly evolving. The guidance you may have learned when you first started surfing the web is probably out of date. For that matter, the guidance you learn today might eventually become obsolete thanks to efforts like FIDO making passwords entirely a thing of the past. Keep your eyes open!

Posted by heather in Data Security, Mosh Pit, 0 comments
A Call Made Round the World…And More On Internet Resiliency

If you look at a map of the world, you see lines around cities, states, and countries that mark the boundaries of those regions. Those lines seem so tidy when looking at a map of the world. Of course, that assumes you’re looking at a well-surveyed area with a stable political infrastructure. 

The Internet is nowhere near that tidy; its boundaries are not well defined. Maps of the Internet don’t look like anything in the physical world. There’s an interesting map based on all known websites and where their domains are registered as of 2011 called The Internet map. There’s a super-fun map called The Map of the Internet that maps out the World Wide Web and gives you a sense of scale. Heck, you can go to Vox and look at “40 maps that explain the Internet,” but none of those map out the Internet itself. When it comes right down to it, there is no single authoritative map of the Internet.

Why is it this way, and why does it matter? Read on!

Why the Internet is Resilient

Did you know the Internet started as a US military defense project? Think about the mindset that would result in: any military would want a computer system to stand up to anything and everything. It would need to be resilient if some pieces went offline. It would need to allow lots of different types of computers to talk to each other any time, day or night. Think of those requirements as the DNA of the Internet. Technical implementations build from there.

But wait, if the Internet started as a military project, how did the rest of us get to use it??? That kind of exchange, from government to private sector and back, is pretty common. That’s a post for another time.

Back to the Internet. The way things work, it’s a lot like a postal letter. Someone writes a letter and it includes the address of where it’s trying to go. And at every step, the delivery system asks, “what’s the best next step from here?” These systems are always chatting with each other, sharing the best path to get from anywhere to everywhere. If one path goes down because a computer broke, that’s ok, because the systems will tell each other a new way to get there. And that happens fast. And it is one part of what makes the Internet so resilient. There is always a path forward.

A while back, I videoconferenced with my mother in Chicago from a hotel in Taipei. I opened an app, clicked on her face, let it ring a few times, and voilà, there she was. WOW, seriously, how cool is it that within a second, the computer I was on in Taipei figured out how to get to my mom’s computer in Chicago? We were nearly 7500 miles apart. I was on a hotel network in Taiwan. She was on a mobile network in Chicago. I opened my app, which itself has the addresses of the computer used by that video service. The network I was on said, ‘ahHA! You’re trying to get way over there! Let’s start routing you through lots of different countries, under the ocean, or maybe into space via satellite.’ 

It is possible for a local region or country to cut itself off from the rest of the Internet, but to do it, it has to get into that delivery system and take its information out of the network. Then any system trying to get there from here won’t know how to do that anymore. (It’s obviously a bit more complicated than that, especially when you throw satellites into the mix, but you get the idea.)

Controlling (Mis)Information

The Internet is resilient, which means it can route information around many different kinds of interruptions like broken computers or weird human error. Yay! That means that cat videos can be available day and night! Well, true, but not everyone is a fan of this level of resiliency, and there are reasons for that. 

The thing about technology is that technology itself is neutral. It’s like a bunch of bricks—you can build houses or you can vandalize windows. It’s not the brick that’s an issue, it’s how the brick is used. But if you’re in a situation where people are using bricks to break things, then you almost certainly want to do something to prevent that. One of those preventative measures is likely to be controlling access to the bricks. Same goes for technology like the Internet—if you use it to harm, someone is going to want to prevent that by controlling what gets posted.

Now more than ever, we are seeing people and their governments demand ways to prevent the spread of information they don’t like on the Internet. From addressing “fake news” that attempts to skew democratic elections to reactions to cyberwarfare, controlling information is considered by many to be necessary for a safe society.

Some governments go so far as to demand restrictions between the Internet within their country and everyone else. This has been top of the news when it comes to Russia, but Russia is just the latest example. China has its Great Firewall, which had its start in 1997. Several other countries in Asia and Africa censor the Internet to various extents. In the US, free speech laws prevent much government censorship, which has many people turning to the social media platforms themselves and demanding action, either to restrict content or to stop restricting content, depending on their point of view.

Why Does This Matter?

Identity Flash Mob is a passion project led by two women who want people to have a better understanding of how the Internet works and why it really matters to know more about it. So, if you take away anything from this article, it should be two things:

  1. The Internet is incredibly resilient, but it’s not invincible. While individuals will always be able to build connectivity to the Internet (if they have the technical know-how and access to satellite networks) that’s not the case for most everyone. Governments may well be able to control big chunks of it, and through that, they control the information people have access to.

Which leads to the second thing:

  2. Not everyone sees the same thing on the Internet. What seems obvious to you based on what you’re reading in the news or social media might not be obvious to others who are not seeing the same thing. 

The resiliency of the Internet that lets me call my mom from halfway around the world is an incredible thing. Hopefully, we’ll still keep in mind all the good things that resilience as a foundational principle allows us in today’s online society.

Posted by heather in Data Security, Mosh Pit, 0 comments
Playing the “Yet Another Vulnerability” Game

Last month, technology news was all about Apple’s “OMG Patch Right Now Or Hacker’s Can Mess With Your Stuff!” (You saw the news about that, right? Like our short and sweet Twitter thread, or one of the longer articles about it.) Anyway, right before Apple’s moment, it was all about some new issues with infec

One day, technology news is all about Apple’s “OMG Patch Right Now Or Hackers Can Mess With Your Stuff!” Another day, it’s more “Chrome Zero-Day Vulnerability! ACK!” Or even “Cyberwar is going to impact us all!” 

Who else is exhausted?

It just gets too hard to be worried about All. The. Things. All. The. Time. Computers are just going to break again tomorrow, right? Yes, but let’s make it fun and do something about it! Even if it’s just a chore like … grocery shopping. Besides, in life, there’s always SOMETHING, right?

Verse 1: Managing Your Devices is like Grocery Shopping

If you want to eat, you have to do your chores. For most of us, that means going to the grocery store. Every week. It’s just one of those things you have to do as an adult. And as the world goes increasingly digital, managing your devices—keeping them patched, upgrading so you keep getting those security patches, and making sure access to your devices is controlled—is necessary. 

So let’s talk about how to make it easy! With grocery shopping, it’s all about the list. With device management, ok, it’s a little bit more complicated. (What did you expect? 😉) But we’re on top of this with you! Identity Flash Mob has the choreography to teach you what steps to follow. 

Verse 2: There are Tricks To Doing It Well

What you can do in five minutes: 

  • Unless you have a REALLY GOOD reason not to (like, your employer controls what you can do with your device) then do a quick web search on how to make sure that your apps and your operating systems update automatically. (Like this page for Apple devices, or this one for Android, or this one for Microsoft.)
  • For bonus points, go ahead and do a quick manual check before you go to bed so you know if you need to leave your device on a charger so it can update while you sleep.

What you can do in thirty minutes:

  • Not only do your apps and operating systems need to be secured; you also need to make sure your passwords are secure. We have lots of guidance coming up in one of our Patreon pages, but here’s a sneak preview: go to your phone’s password management settings and see if it gives you any warnings about your passwords. If it does, you have your next item to check off your list: change that password.

What you can do to feed your inner geek:

  • Install anti-virus software. It’s considered best practice by all, but it is also kind of tricky to do, and it doesn’t prevent every security vulnerability from impacting your digital world. But! If nothing else, it can let you know if something is changing on your device that you didn’t expect, and you’ll probably get newsletters that tell you when something crazy is going on in the digital world that you need to worry about. 

Verse 3: Play to Win the Vulnerability Game

Avocados have a season. So does security support. It would be too easy to say “All devices end security support after this very specific number of years” because of course different vendors have different schedules. You can, however, be on top of this by preparing to replace your device every few years and upgrading your systems as needed. If your device is so old it can no longer accept a new operating system update, that’s what’s known as a Subtle Clue (kind of like how dropping an anvil on your foot is a Little Painful) that you waited too long. 

Coda (wrap up)

There will be another important vulnerability announced next week. And the week after. And the week after that, too. I don’t know what they will be, but they will absolutely happen. And just like how you have to get food in your house, you get to be in control of making sure you have secure devices in your house. Don’t be afraid to learn a little more and DO a little more to secure your digital world. Your online shopping, gaming, and socializing will thank you for it later.

If you got through this blog post and are STILL scratching your head, we’d love to hear from you. Feel free to leave a comment below or send us a message right here on LinkedIn! We’re committed to empowering EVERYBODY to understand how to navigate this digital world of ours. 

(Originally published in October 2021; updated for April 2022)

Photo by Matthew Henry on Unsplash

Posted by heather in Mosh Pit, 0 comments

The Anatomy of a ‘Persona’

What is your persona? Well, before you can even answer that question, we’d need to assume that you understand what exactly we’re even talking about—because it’s certainly a lot more than a person’s personality. Rather, in the digital context, personas are little bundles of information that are gathered about you and grouped together to create a ‘you-shaped’ digital representation that is used to try and predict what you will do in certain situations. The goal, of course, being to influence that outcome. Some version of this happens in real life too. (Have you ever been sized up by a really good salesperson?) However, the breadth and depth of creating these digital personas can have long-standing implications to nearly every aspect of our lives.

Image extracted from an interactive session conducted by Identity Flash Mob in March of 2022. It contains several overlapping rectangular areas, each labeled with roles such as sibling, parent, friend, volunteer, provider, learning, and so on. Within the boxes are small round avatars (that look like playful monsters) that were used by participants to indicate the roles that they play.
IN REAL LIFE (IRL) ROLES – Mozilla Festival 2022, The Context of You – The Many Facets of Your Digital Identity

In real life (IRL) we each assume different roles as we go through our days. At an interactive session during the 2022 Mozilla Festival, we asked participants to note the roles that they play.  For example, in the image above, the person using the orange avatar to represent themselves selected five different roles that they identify with:

  • Sibling
  • Mentor
  • Volunteer
  • Consumer
  • Provider

These roles are examples of the “faces” that we wear in specific situations—we assume these roles to help us adapt to and be successful in these situations. They ensure that we are acting appropriately, assuming the right level of assertiveness, “looking the part” that we are assuming, and much more. You’re not a different person in these cases; you are just being selective in the moment about how you are presenting yourself. 

In real life being selective about what you present works pretty well. That information might be interpreted in a continuum between two extremes: 

  • THE FIRST TIME MEETING: When someone is meeting you for the first time, the information that you present to them at that moment becomes their whole picture of you. Each new piece of information helps to fill in the gaps to form a more complete picture. Things that they particularly like or dislike are more likely to be remembered more strongly. As a result, you often are able to influence others’ impressions of you based on what you present, particularly when you take into account what reactions you perceive from the receiver of this information.
  • THE LONGER TERM RELATIONSHIP: If someone has known you for a long time, they will take the information that you are presenting at the moment and compare it to all of the other things that they know about you. If it matches their current ideas about who you are, those ideas are reinforced; otherwise it is discounted. It would take quite a bit of mismatching information to change what they already think about you.

But, the digital world is different in two significant ways. First, you usually have limited choice in what you present in a digital transaction. And second, the information that you provide can be combined with information from other sources to try and influence your behavior in the moment. Consider the difference between buying something in person vs online.

  • Purchasing power
    In person: You might pay by cash, which indicates your ability to buy the item, but not much more.
    Online: Your choice of payment may convey whether you might be able to buy more, based on whether you used one of those convenient payment plans or purchased with a platinum credit card.
  • Where you live
    In person: One can tell where you are shopping, but generally doesn’t know where you live.
    Online: Your purchase must be sent to you, so your address is shared.
  • What you look like
    In person: Heh – it’s in person. They can see you.
    Online: But don’t think that online is blind to how you look. By combining your address information with generalized demographic information and purchase statistics available for that location for a small fee (that many retailers pay), it is likely that you are revealing plenty of information about your gender, race, age, etc., even if you don’t explicitly provide it.
  • What you like and don’t like
    In person: If you browse a store, someone would need to follow you around and take notes about what you considered buying before you made an actual purchase. This would be expensive and unwieldy to do.
    Online: Every search and item that you look at is captured and cataloged inexpensively and efficiently. They can be contrasted with your purchase choices, not just for this purchase, but for every purchase made at this online store and sometimes at others.
  • Non-purchase info
    In person: Maybe you shopped at a small local business where the store owner knows you and your family, and maybe you have chatted about pets, vacations, and more.
    Online: An online store may also know this information, but not because you told them any of it. Sites that capture information about you give away, buy, and sell information with other sites and data sources to get a similar depth of knowledge of you, even if the info has nothing to do with your purchase.
THE DIFFERENCES BETWEEN BUYING SOMETHING IN PERSON VERSUS ONLINE

Why? Personas in Marketing

In the 1950s, Wendell Smith advanced the field of marketing to incorporate the economic concept of “segmentation”, the practice of dividing your target market into approachable groups based on demographics, needs, priorities, common interests, and  behavioral criteria. (Dr Smith’s paper is publicly available.) This idea took flight by the mid-1970s when an academic marketing science research group centered around Wroe Alderson started talking about market segmentation as a way of both tying marketing investments to sales revenue, and as a way of guiding approaches to target marketing strategies to specific groups of people. Today, every course on marketing includes a discussion of segmentation. 

Each market segment is expressed in terms of a “persona”, a description of a fictitious “sample” person from the segment. These descriptions are used by companies to make decisions about the needs of this persona and what marketing messages would resonate. Real people are then grouped and seen through these lenses. You can see an example of a marketing persona below.

An image of a Persona that was created by Reboot and the Wikimedia Foundation. It describes "Femi", a 35-year-old Engineer from Lagos, Nigeria. He has a high awareness of Wikipedia and high access to the internet. He has high digital confidence and moderately high economic status. The devices Femi uses are an iPhone 6, BlackBerry Z10, iPad, and MacBook Air. The primary use, network, apps used and other details are included for each. A 6-paragraph biography is also included. The text in the image is too small to be easily read.
EXAMPLE OF A MARKETING PERSONA – Reboot and the Wikimedia Foundation, CC BY-SA 3.0, via Wikimedia Commons

An Example: The Norah Jones Problem

There are many music services these days that will create playlists for you based on what you like to listen to. The idea is that they profile the music that you listen to, and present other music with similar profiles for your listening pleasure. Many years ago, I discovered that, no matter what I started listening to, music by Norah Jones would end up in my playlist. I have nothing against her beautiful voice – it’s just that, to me, the music profile of her songs does not match that of the songs that I was listening to. I had been assigned the “Norah Jones Persona”, and just like in middle school when you get a nickname that sticks even though your last name isn’t actually pronounced that way, I don’t seem to be able to shed this assigned persona.

When your choices are A) buy this item online because you can’t get it locally (and have the transaction be tracked), or B) do without (and avoid the tracked transaction), you really may not feel that this is a choice at all and may go ahead with the transaction. As a result, information about the transaction will be collected and stored, including things like what you bought, your credit card number or other purchase identifier, perhaps an account sign in, your computer’s IP address, maybe a history of what else you searched for during that transaction, and more. That recorded transaction may be grouped with other transactions that match similar characteristics. Sometimes that information provides insight about the object purchased such as ‘of all of the things searched, product A is the most popular.’ And, sometimes that information provides insight about you such as ‘this person usually buys blue items when there is a choice.’ A computer algorithm might assign you the “Blue Lover” persona, even if you only bought blue things because all of your favorite colors had been sold out. Alas, now you too have the Norah Jones problem.

This Is A Big Deal

This sticky assigned persona could just be a minor annoyance or it could have significant repercussions when used to discriminate, punish, exclude, target, surveil, or if the data are used with an unintended context or in a way that the data subject objects to.

In the 1990s, Latanya Sweeney, Ph.D. wrote and defended her PhD thesis about a then-emerging field of study, Data Privacy. (The next week she was testifying before the US Congress about this topic!) Through simple experiments, she found that seemingly anonymous data that was publicly available could re-identify a person with just three pieces of general information with a high (97%) degree of certainty. If you hear Professor Sweeney speak, it’s hard to NOT want to learn more about how this significant use and aggregation of data into personas impacts civil rights, credit reporting, health privacy, equal employment, elections, and more. If you have 30 min, I highly recommend watching one of her fantastic talks.
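To make the re-identification point concrete, here is an added example (mine, not from the post or from Professor Sweeney’s work) that links a constructed “anonymous” table to a constructed public directory on a few general fields, then shows how coarsening one field raises the smallest group size. The post doesn’t name the three pieces of information; this example assumes ZIP code, date of birth and sex.

```python
from collections import Counter, defaultdict

# Assumed quasi-identifiers: fields that are not names but, combined,
# narrow a record down to very few people.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed sample data (no real people). The "anonymous" table has had
# names removed but keeps the quasi-identifiers; the "public" directory is a
# stand-in for a voter roll or similar list that carries names.
ANONYMOUS_RECORDS = [
    {"id": "r1", "zip": "02138", "dob": "1965-07-14", "sex": "F", "condition": "asthma"},
    {"id": "r2", "zip": "02138", "dob": "1967-03-03", "sex": "F", "condition": "flu"},
    {"id": "r3", "zip": "02138", "dob": "1965-07-14", "sex": "M", "condition": "diabetes"},
    {"id": "r4", "zip": "02138", "dob": "1969-05-05", "sex": "M", "condition": "migraine"},
    {"id": "r5", "zip": "02139", "dob": "1980-01-02", "sex": "F", "condition": "allergy"},
    {"id": "r6", "zip": "02139", "dob": "1980-01-02", "sex": "F", "condition": "asthma"},
]
PUBLIC_DIRECTORY = [
    {"name": "Alice Example", "zip": "02138", "dob": "1965-07-14", "sex": "F"},
    {"name": "Bea Example", "zip": "02138", "dob": "1967-03-03", "sex": "F"},
    {"name": "Carl Example", "zip": "02138", "dob": "1965-07-14", "sex": "M"},
    {"name": "Dev Example", "zip": "02138", "dob": "1969-05-05", "sex": "M"},
    {"name": "Erin Example", "zip": "02139", "dob": "1980-01-02", "sex": "F"},
    {"name": "Fay Example", "zip": "02139", "dob": "1980-01-02", "sex": "F"},
]


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that stands in for a name."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one combination of the fields.

    k == 1 means at least one person is unique on those fields alone, so the
    record is only as anonymous as those fields are secret.
    """
    counts = Counter(quasi_key(r, fields) for r in records)
    return min(counts.values())


def link_records(anonymous, directory, fields=QUASI_IDENTIFIERS):
    """Map each anonymous record id to a name when exactly one directory
    entry shares its quasi-identifiers. Ambiguous records are left out."""
    by_key = defaultdict(list)
    for person in directory:
        by_key[quasi_key(person, fields)].append(person["name"])
    matches = {}
    for rec in anonymous:
        names = by_key.get(quasi_key(rec, fields), [])
        if len(names) == 1:
            matches[rec["id"]] = names[0]
    return matches


def generalize_dob_to_decade(records):
    """One mitigation: publish only the decade of birth ('1965-07-14' -> '1960s')."""
    return [{**r, "dob": r["dob"][:3] + "0s"} for r in records]


if __name__ == "__main__":
    print("k with full date of birth:", k_anonymity(ANONYMOUS_RECORDS))
    print("re-identified:", link_records(ANONYMOUS_RECORDS, PUBLIC_DIRECTORY))
    coarse = generalize_dob_to_decade(ANONYMOUS_RECORDS)
    print("k with decade of birth:", k_anonymity(coarse))
    print("re-identified after coarsening:",
          link_records(coarse, generalize_dob_to_decade(PUBLIC_DIRECTORY)))
```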

So, what can we do?

This is another question that we posed in our interactive session during the 2022 Mozilla Festival. The participants provided GREAT answers. Look out for our “What can you do to control your persona” resources soon. In the meantime, enjoy these suggestions from the conference participants:

Question 1: What strategies can we use to control our persona? Sticky note responses:
  1. Use a spammer email and phone number; stop clicking on "like"; don't post locations and limit cookies?
  2. Set boundaries on who can access your profile (e.g., reviewing who can friend/follow you, set account to private, only share limited personal info)
  3. Deploy tracking systems
  4. Use tools such as browser extensions, privacy oriented apps, etc.
  5. Sandbox your browsing and use
  6. Use GDPR to understand what’s collected and why
  7. Switch devices
  8. SSI and related technology
  9. Not sharing identity

Question 2: What rules of engagement should be in place? Sticky note responses:
  1. Consumers should have the option to opt in or out
  2. Be transparent about who else has your data
  3. Obligations on consumer councils and to some extent human rights bodies
  4. Regulation that is easily understood by all members of society
  5. Genuine oversight
  6. Transparency
  7. Clear laws
  8. Modern norms
  9. Modern expectations

Question 3: Who needs to be involved to affect change? Sticky note responses:
  1. Everyone needs to play a part in this for it to be successful, but everyone needs to understand exactly what it is first so that they will participate
  2. Consumer bodies! Definitely!
  3. Everyone!!
  4. Policymakers
  5. Developers
  6. Citizens
  7. Designers
  8. Companies
  9. Public entities
MANAGING PERSONAS – Mozilla Festival 2022, The Context of You – The Many Facets of Your Digital Identity
Posted by Laura Paglione in Personas, Line Dancing, 0 comments