Deep fakes are digitally manipulated videos that have been created using deep learning technology to make the subject of the video (often a famous person) say anything the video maker wants them to say, even incorporating the style and facial expressions of another person.

Example

An example here is a video that demonstrates the technique, and features a fake video of Barack Obama saying things that he would never normally (publicly) say. Example : https://www.youtube.com/watch?v=AmUC4m6w1wo

Improving Fast

The technique, which had its less than auspicious first uses in pornography, where porn actors were made to look and sound like famous people, has much improved and become arguably more convincing as deep learning and AI have led to more seamless and convincing results.

Style Transfer

The development of the technology used in deep fake videos has improved to the point where even a person’s style can be superimposed and incorporated. An example of this can be seen in videos created by researchers at Carnegie Mellon University, who have been able to use artificial intelligence technology to transfer the facial expressions of one person in a video to another.

See this example on YouTube: https://www.youtube.com/watch?v=ehD3C60i6lw where John Oliver is made to reflect the style of Stephen Colbert, a daffodil is made to bloom (time lapse) the same way as a hibiscus, and Barack Obama is given the same facial expressions and style as Dr Martin Luther King and President Donald Trump.

What’s The Danger?

The danger, according to US lawmakers and intelligence organisations, is that videos could be made by adversarial nation states and used as another tool in disinformation campaigns. For example, at key moments, politicians and other influential figures could be made to appear to make false and /or inflammatory statements that could be believed by less politically aware recipients. In short, these videos could be used to influence opinions e.g. at election-time, and could afford a foreign power a way to interfere that relies upon human error – the same thing that many successful cyber attacks have relied upon.

What Does This Mean For Your Business?

With the US Midterm elections on the way, with allegations of Russian interference and possible collusion still hanging over President Trump’s head, and with some evidence that Facebook was used by a foreign power to try an influence the last US election result, it is understandable that the US government is worried about any tools that could be used to interfere in their democratic process. This is one of the reasons why Microsoft has seized 6 phishing domains that allegedly belong to Russian government hackers, and has introduced a pilot AccountGuard secure email service for election candidates.

If the technology behind deep fake videos keeps improving, it is possible to see it being used as another tool in other types of cyber-crime.

There is, of course, an upside and some ways that deep fake technology can be used in a positive way. For example, deep fake could be used to help film-makers to reduce costs and speed up work, make humorous videos and advertisements, and even help in corporate training.

A new kind of pilot secure email service called ‘AccountGuard’ has been launched by Microsoft, specifically for use by election candidates, and as one answer to the kind of interference that took place during the last US presidential election campaign.

Ready For The Midterm Elections

The new, free email service (which people must useOffice 365 to register for) is an off-shoot of Microsoft’s ‘Defending Democracy’ Program. This program was launched in April with the aim of protecting campaigns from hacking, through increased cyber resilience measures, enhanced account monitoring and incident response capabilities.

The AccountGuard pilot has been launched in time for the US Midterm elections which are the general elections held in November every four years, around the midpoint of a president’s four-year term of office.

Who Can Use AccountGuard?

Microsoft says that its AccountGuard service can be used by all current candidates for federal, state and local office in the United States and their campaigns; the campaign organisations of all sitting members of Congress, national and state party committees, any technology vendors who primarily serve campaigns and committees, and some non-profit organisations and non-governmental organizations. Microsoft AccountGuard is offered free of charge and is full service, coming with free email and phone support.

Three Core Offerings

AccountGuard has three core offerings. These are:

1. Unified threat detection and notification across accounts. This means providing notification about any cyber threats in a unified way across both email systems run by organisations and the personal accounts of these organizations’ leaders and staff who opt in. This part of the service will only be available only for Microsoft services including Office 365, Outlook.com and Hotmail to begin with, and Microsoft says it will draw on the expertise of the Microsoft Threat Intelligence Center (MSTIC / MSTIC).
2. Security guidance and ongoing education. Registering for Microsoft AccountGuard gives organisations best practice guidance and materials. These are in the form of off-the-shelf materials and in-depth live sessions.
3. Early adopter opportunities. This means access to private previews of the kind of security features that are usually offered by Microsoft to large corporate and government account customers.

Similar To Google

Some commentators have highlighted similarities between the AccountGuard idea and Google’s Advanced Protection Program (APP), also launched this year, although APP is open to anyone, requires log in with hardware authentication keys, and locks out third-party app access.

What Does This Mean For Your Business?

When you think about it, what Microsoft appears to be admitting is that its everyday email programs are simply not secure enough to counter many of the threats that now look likely to come from other states when elections are underway. Microsoft’s other, non-political business customers who are also at risk from common cyber attacks e.g. phishing, may feel a little left out that they are apparently not being offered the same level of security.

Also, protecting democracy sounds like quite a grand aim for a service provider offering an email service. Microsoft does, however, accept that it can’t solve the threat to US democracy on its own and that it believes this will require technology companies, government, civil society, the academic community and researchers working together. Microsoft also acknowledges that AccountGuard is limited to protecting those using enterprise and consumer services, and that attacks can actually reach campaigns through a variety of other ways. Microsoft also appears to be hinting that it may be thinking of expanding AccountGuard to industry as well as government depending on how the pilot works.

A bi-annual study by FireEye has found that less than a third of over half a billion emails analysed were considered clean enough not to be blocked from entering our inboxes.

Phishing Problem Evident

The study found that even though 9 out of 10 emails that are blocked by email security / anti-virus didn’t actually contain malware, 81% of the blocked emails were phishing attacks. This figure is double that of the previous 6 months.

Webroot’s Quarterly Threat Trends Report data, for example, shows that 1.39 million new phishing sites are created each month, and that this figure was even as high as 2.3 million in May last year. It is likely that phishing attacks have increased so much because organisations have been focusing too much of their security efforts on detecting malware. Also, human error is likely to be a weak link in any company, and phishing has proven to be very successful, sometimes delivering results in a second wave as well as the first attack. For example, in the wake of the TSB bank system meltdown, phishing attacks on TSB customers increased by 843% in May compared with April.

A recent KnowBe4 study involved sending phishing test emails to 6 million people, and the study found that recipients were most likely to click on phishing emails when they promised money or threatened the loss of money. This highlights a classic human weakness that always provides hope to cyber-criminals, and the same criminals know that the most effective templates for phishing are the ones that cause a knee-jerk reaction in the recipient i.e. the alarming or urgent nature of the subject makes the recipient react without thinking.

Increase In Malicious Intent Emails

The FireEye study also highlighted the fact that there has been an increase over the last 6 months in the emails sent to us that have malicious intent. For example, the latest study showed that one in every 101 emails had malicious intent, whereas this figure was one in every 131 in the previous 6 months.

Biggest Vulnerability

As FireEye noted after seeing the findings of their research, email is the most popular vector for cyber attacks, and it is this that makes email the biggest vulnerability for every organisation.

What Does This Mean For Your Business?

It is very worrying that we can only really trust less than one third of emails being sent to businesses as being ‘clean’ enough and free enough of obvious criminal intent to be allowed through to the company inbox. It is, of course, important to have effective anti-virus / anti-malware protection in place on email programs, but phishing emails are able to get past this kind of protection, along with other methods such as impersonation attacks like CEO fraud. Organisations, therefore, need to focus on making sure that staff are sufficiently trained and educated about the threats and the warning signs, and that there are clear procedures and lines of responsibility in place to be followed when emails relating to e.g. transfer of money (even to what appears to be the CEO) are concerned.

Cyber-criminals are getting bolder and more sophisticated, and companies need to ensure that there is no room for weak ‘human error’ links of the front line.

The Information Commissioner’s Office (ICO) has reported taking 500+ calls per week reporting GDPR data breaches, but one-third of the calls appear to be based on myths and misunderstandings or over-reporting about GDPR matters.

Update After Freedom of Information Request

The update by the ICO about how things appear to be going just three months after the introduction of GDPR came shortly after a Freedom of Information (FOI) by law firm EMW yielded figures that showed that the number of complaints between 25th May and 3rd July 2018 rose to 6,281 versus 2,417 during the same period in 2017.

Over-Reporting

A key problem highlighted by the ICO is that many companies feel that in order to achieve compliance and avoid being penalised, they have to be transparent to the degree that they “over-report” by reporting everything. Also, many of the reports are incomplete.

One common misconception highlighted by the ICO that is leading to unnecessary calls is that instead of reporting suspected data breaches to the ICO within 72 hours ‘from the point of discovery’, many companies appear to believe that the mandatory reporting period is 72 ‘working’ hours.

Fine Fears Unfounded

Another key point that the ICO was keen to make was that even though there have been some high profile cases that have involved big companies receiving big fines since the introduction of GDPR, many thousands of incidents are closed each year without financial penalty but with advice, guidance and reassurance offered instead. Another point that the ICO would like to make known is that the real norm of the work they do is simply audits, advisory visits and guidance sessions.

In fact, ICO Deputy Commissioner James Dipple-Johnstone has been quoted as saying that businesses that take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation”.

Cyber Crime Reports

The ICO has said that almost half of the calls that it received weekly involve some cyber element, and around one-third of calls relate to phishing attacks.

Phishing attacks are still such a popular method of cyber-crime because many companies have been focusing on malware detection and may not have trained and educated their staff about the risks, how to spot phishing attacks, and what to do about them.

What Does This Mean For Your Business?

Of course, organisations need to take their data protection responsibilities seriously to protect customers and the company itself, but part of dealing with that responsibility correctly is being clear on what GDPR actually requires a company to do; how and when. This is why GDPR requires (via mandatory appointment under Article 37) organisations / companies to have a data protection officer (DPO) i.e. someone tasked with the responsibility and security leadership role to oversee data protection strategy and implementation, and to ensure proper compliance with GDPR requirements. Part of the responsibilities of a DPO are to educate the company and train employees about GDPR and how it applies to them and their work. A DPO is required to have expert knowledge of data protection law and practices, and having a person on hand to consult about GDPR matters would be a good way to prevent unnecessary calls and complaints being made to the ICO, and to prevent unnecessary concerns, misunderstandings and mistaken beliefs prevailing within the company that could lead to other problems.

The European Court of Human Rights in Strasbourg has found the UK government guilty of violating the right to privacy of citizens under the European convention because the safeguards within the government’s system for bulk interception of communications were not strong enough to provide guarantees against abuse.

The Case

The case which led to the verdict, was brought against the UK government by 14 human rights groups, journalism organisations, and privacy organisations such as Amnesty International, Big Brother Watch and Liberty in the wake of the 2013 revelations by Edward Snowden, specifically that GCHQ was secretly intercepting communications traffic via fibre-optic undersea cables.

In essence, although the court, which voted by a majority of five to two votes against the UK government, accepted that police and intelligence agencies need covert surveillance powers to tackle threats, those threats do not justify spying on every citizen without adequate protections.

Three Main Points

The ruling against the UK government in this case centred on three points – firstly the regime for bulk interception of communications (under section 8(4) of RIPA), secondly the system for collection communications data (under Chapter II of RIPA), and finally the intelligence sharing programme.

The UK government was found to breach the convention on the first 2 points, but the ECHR didn’t find a legal problem with GCHQ’s regime for sharing sensitive digital intelligence with foreign governments. Also, the court decided that bulk interception with tighter safeguards was permissible.

Key Points

Some of the key points highlighted by the rulings against the UK government, in this case, are that:

• Bulk interception is not unlawful in itself, but the oversight of that apparatus was not up to scratch in this case.
• The system governing the bulk interception of communications is not capable of keeping interference to what is strictly necessary for a democratic society.
• There was concern that the government could examine the who, when and where of a communication, apparently without restriction i.e. problems with safeguards around ‘related data’. The worry is that related communications data is capable of painting an intimate picture of a person e.g. through mapping social networks, location tracking and insights into who they interacted with.
• There had been a violation of Article 10 relating to the right to freedom of expression for two of the parties (journalists), because of the lack of sufficient safeguards in respect of confidential journalist material.

Privacy Groups Triumphant

Privacy groups were clearly very pleased with the outcome. For example, the Director of Big Brother Watch is reported as saying that the judgement was a step towards protecting millions of law-abiding citizens from unjustified intrusion.

What Does This Mean For Your Business?

Like the courts, we are all aware that we face threats of terrorism, online sexual abuse and other crimes, and that advancements in technology have made it easier for terrorists and criminals to evade detection, and that surveillance is likely to be a useful technique to help protect us all, our families and our businesses.

However, we should have a right to privacy, particularly if we feel strongly that there is no reason for the government to be collecting and sharing information about us that, with the addition of related data, could identify us not just to the government but to any other parties who come into contact with that data.

The reality of 2018 is that we now live in a country where in addition to CCTV surveillance, we have the right to surveillance set in law. The UK ‘Snooper’s Charter’ / Investigatory Powers Act became law in November 2016 and was designed to extend the reach of state surveillance in Britain. The Charter requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months, and also to give the police, security services and official agencies unprecedented access to that data. The Charter also means that security services and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Although businesses and many citizens prefer to operate in a safe and predictable environment, and trust governments to operate surveillance just for this purpose and with the right safeguards in place, many are not prepared to blindly accept the situation. Many people and businesses (communications companies, social media, and web companies) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state.

This latest ruling against the government won’t stop bulk surveillance or the sharing of data with intelligence partners, but many see it as a blow against a law that makes them uneasy in a time when GDPR is supposed to have given us power over what happens to our data.