Apple's Masterplan 🍏Meta's Mega GDPR Fine 💶AI Wins Art Contest 🎨
This week's stories: Apple will watch over us ⌚ Meta's privacy horror stories 😱 AI disrupting arts 🎭, Cloud Security ⛅, + more!
Check out my review of the project management app Hive. I explain how user experience and product design can matter more than features to deliver a successful app.
🧔Personal News
I've been told my life would make a funny YouTube series. I guess it's worth sharing!
I wish I had funny anecdotes to share this week! Rather, I felt more or less exhausted, a glass-half-empty type of week. To top it off, I was diagnosed with a sleep disorder which will require expensive and inconvenient treatments. One thing that surprised me was seeing how all communications were carried over e-mail. If I were in the US, everybody's mailboxes would be full of HIPAA-protected information. What could go wrong? Stolen laptop, stolen mobile device, phishing, ransomware. We should remove e-mail from most customer relationships. Set up a secure portal, enroll users in a mobile app, and share files in ephemeral encrypted storage. Let the 11.8% of people without a smartphone use paper.
🔦This week's spotlight: Apple's Annual Hardware Conference Gave Me a Revelation
I spent my first 11 years using smartphones as an Android owner. Apple had always rubbed me the wrong way: its closed system did not appeal to my "tinkerer" mindset and the marketing felt like the worst case of Kool-Aid. The extensive coverage of Apple's hardware events, the latest of which happened last week, was the worst example of that overhype.
I decided last year to switch to iPhone. I spend 3 hours a day on my mobile. I figured it was worth paying for the most expensive piece of equipment. Overall I enjoy it. As a side effect, I gained interest in the company as a whole. Last week's event was therefore my first real foray into the announcements.
News outlets love a good quote to stir the Android vs Apple pot up. Tim Cook's reluctance to make the iPhone interoperable with the Android messaging convention (RCS) made headlines due to Apple's CEO's suggestion to "buy your mom an iPhone" if she did not want a "green screen".
This was not the Tim Cook quote that caught my attention. In his keynote, he mentioned the iPhone, Apple Watch and AirPods were an essential part of our lives: "They're always with you". I felt aghast. The Apple I knew gave us the iPod and iTunes. Both are retired. The Apple event did not feature Apple TV, much less its streaming service Apple+. Apple abandoned its spotlight on media and entertainment. Where were the iPad announcements? Certainly not in the news.
"They're always with you": they collect your heartbeats, your sleep patterns, your screen time habits. No better personal journal exists. It dawned on me: Apple does not want to be your buddy that you have fun with, it wants to be your digital assistant.
I remain skeptical over Apple's privacy marketing. The "Ask Not to Track" initiative was a Machiavellian move against Meta to allow Apple to build its own ad business. The fact remains: all activity happens on the iPhone, not in remote servers in other jurisdictions, not in data brokers' unsecured databases.
Apple's next step will involve partnerships to leverage instant data collection into extremely targeted lifestyle apps. AI-powered apps will recommend better habits and, of course, products tailored to your routine, all while executing the code solely on your device, in compliance with privacy laws.
Apple's full control over the device could even empower users to cut data collection "at the source". The Apple Store could show you apps that only comply with your privacy settings. Imagine a simple "workflow" where your iPhone walks you through your "data sharing profile", just like everybody does with your "shopper profile" and "investor profile".
The iPhone's power could usher in a new era in how we design applications, with a focus on "the edge" (a.k.a. the device). The future of the Internet is decentralization: applications that are decoupled from the data they produce. Apple owns the device where that data will inevitably be stored, and it will happily reap the benefits.
Long story short: Apple will stay a force in the upcoming decades.
🥑Legal Log
🌊EU AI Act Making Waves
A new study by Brookings deems the EU's new AI Act's attempt to regulate general-purpose open source AI "counterproductive". General-purpose AI is commonly seen as models trained on massive datasets, such as the language generator GPT-3 and the image generator DALL-E. Other models could include GitHub's coding assistant Copilot and deepfake technologies.
GDPR's article 35 already requires Data Controllers to carry out a Data Privacy Impact Assessment (DPIA) whenever automated decision-making can affect an individual. The core notion is algorithmic transparency: users subject to an AI's rejection of their college or job application, for example, should be able to review and challenge the AI's assessment.
Future applications will use AI models as we use software libraries today. The question then becomes who is ultimately responsible for such transparency. If, for example, your recruiting app uses an open source counterpart of GPT-3, GPT-J, as a baseline to evaluate writing skills, are the maintainers of GPT-J responsible for ensuring compliance? Open source technologies are offered for free and maintained by volunteers: one can imagine how legislation could discourage such initiatives. Brookings argues exactly that: extensive regulation of open source models would favour "Big Tech".
Big stakes, no clear choices, only tradeoffs: this is the type of problem I live for!
📸Huge Database of China's Surveillance Systems Leaks Online
A mere two months after a Shanghai police database spilled 1 billion records, a security researcher now reports to TechCrunch a massive breach of 800 million faces and vehicle license plates belonging to private government contractor Xinai Electronics. Government and law enforcement are exempted from China's privacy laws.
George Orwell's 1984 left a mark on me as a teenager. I recommend the dystopian novel to anyone who wishes to experience China's authoritarian practices from an insider's perspective. But even the visionary writer did not imagine data breaches occurring at negligent sub-contractors...
🎯InfoSec Stories
🙅♂️Patreon's Entire Security Team Laid Off
Several former employees of Patreon report the entire security team has been laid off. The company's official response cites a "strategic shift" and claims to have parted ways with only "five employees". The CyberScoop story suggests Patreon will rely on a security vendor.
I would recommend security vendors to law firms, engineering firms, or consulting agencies. Such companies rely on the usual office suites and fewer than a dozen other apps and cannot afford a full-time IT security employee. In that case, a managed security center could make sense. But Patreon is a tech company with a platform used by millions. Only in-house expertise can offer a sufficient level of visibility and responsiveness.
🤺AWS CISO's Recommendation: Guardrails
CJ Moses, AWS Chief Information Security Officer, spoke with Protocol about his role and duties. What caught my attention is Moses' use of "guardrails". Guardrails are automated "limits" put on certain configurations that are either forbidden or, more interestingly, rendered inconvenient. For example, if your organization lets developers create storage buckets at will, a guardrail could block any "public" configuration. Developers are free to use their own container images, but a guardrail forces them through security quarantine.
Guardrails are also the answer to this viral blog post about what questions developers should ask future employers. Short summary: how much red tape stands in the way of innovation? Guardrails allow developers to move freely within well-identified zones. The key, of course, lies in the segmentation of your AWS accounts, your code repositories, your corporate network, etc.
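The "no public storage" guardrail above, written as an AWS Organizations service control policy (SCP). This is an added illustration, not a policy from AWS or from the interview; the `SecurityAdmin` role name is an assumption, and the policy would be attached to the organizational units that hold developer accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicBucketAndObjectAcls",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketAcl",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": [
            "public-read",
            "public-read-write",
            "authenticated-read"
          ]
        }
      }
    },
    {
      "Sid": "OnlySecurityAdminMayChangePublicAccessBlock",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdmin"
        }
      }
    }
  ]
}
```

The first statement refuses any request that asks for a public or authenticated-users canned ACL, whatever IAM permissions the caller has; the second keeps developers from loosening the account's S3 Block Public Access settings while leaving the security team a path to do so. SCPs do not apply to the organization's management account, so that account should not be where developers work.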
🏆Supply Chain Attacks are InfoSec's Biggest Challenge
The NSA is going hard against supply chain attacks in its latest guide for developers. The data is staggering: attacks tripled between 2019 and 2020. The NSA's guidance hits the usual spots of relentless vulnerability testing before release (see the container image quarantine example above), software composition analysis and, more interestingly, explicit cooperation with customers' risk management activities. Not only do organizations have to test more, but they must also produce artifacts of their testing activities. Software Package Data Exchange (SPDX)-compliant Software Bills of Materials (SBOMs) will become as inevitable as SOC 2 reports within 3 years. Mark my words.
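What a minimal SPDX 2.3 SBOM looks like in its JSON serialization, as an added example rather than anything from the NSA guide. The product, its single dependency, the namespace URL, the timestamp and the generating tool name are all constructed values.

```json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-service-1.4.0",
  "documentNamespace": "https://sbom.example.com/spdx/example-service-1.4.0",
  "creationInfo": {
    "created": "2022-09-19T00:00:00Z",
    "creators": [
      "Tool: example-sbom-generator-0.1",
      "Organization: Example Corp"
    ]
  },
  "packages": [
    {
      "name": "example-service",
      "SPDXID": "SPDXRef-Package-example-service",
      "versionInfo": "1.4.0",
      "supplier": "Organization: Example Corp",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "Apache-2.0"
    },
    {
      "name": "example-http-client",
      "SPDXID": "SPDXRef-Package-example-http-client",
      "versionInfo": "2.3.1",
      "supplier": "Organization: Example OSS Maintainers",
      "downloadLocation": "https://registry.npmjs.org/example-http-client/-/example-http-client-2.3.1.tgz",
      "filesAnalyzed": false,
      "licenseConcluded": "MIT",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/example-http-client@2.3.1"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relationshipType": "DESCRIBES",
      "relatedSpdxElement": "SPDXRef-Package-example-service"
    },
    {
      "spdxElementId": "SPDXRef-Package-example-service",
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-Package-example-http-client"
    }
  ]
}
```

The `purl` external reference is what lets a customer's vulnerability scanner match each listed component against advisory feeds; a real SBOM would also carry per-package checksums so the listed component can be tied to the exact artifact that shipped.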
As a symptom of the times, Google expanded the scope of its bug bounty to all the open source components under its responsibility. We should pressure open source hubs, such as GitHub, to take into consideration similar efforts to report repositories' trustworthiness.
🗣️Social Media Chronicles
🎶Listening to The Winds of Change
🥶Meta's Privacy Nightmare Continues
Last week, Instagram was fined €405M in the EU due to having an "insecure default" setting for children's data collection. This is Meta's second GDPR sanction after WhatsApp's $267 million penalty last year.
To make things worse, a transcript of Facebook engineering director Eugene Zarashow's testimony as part of the Cambridge Analytica lawsuit was unsealed. The suit was settled for an undisclosed amount two weeks ago. The director admits no personal data mapping exists, software documentation is scarce at best, and nobody has any idea where personal data is stored. This echoes Peiter Zatko's incendiary allegations against Twitter.
Why are these stories not surprising? Facebook and Twitter are both "early" social media platforms, built before online privacy became a concern. Ironically, it is exactly their "data nonchalance" that leads to privacy awareness growth! I am certain Meta and Twitter have top-notch privacy experts. They are faced with a technology mammoth on which they must bolt on privacy. Hard to steer the ship, especially with TikTok's headwinds! (I really am nailing that winds metaphor, ain't I?)
🤖AI Almanac
🥇AI-Generated Image Wins Prize
Vice reports Jason Allen won a state fair art competition with his Midjourney-prompted piece "Théâtre d'Opéra Spatial". The news comes as Stable Diffusion announces its Photoshop integration and professional prompt marketplaces blossom, as this interview with PromptBase in The Verge highlights. While artists are furious, it's worth pointing out that the prompter spent weeks iterating on the visuals. Contests will inevitably require "AI labelling" to distinguish the two types of work. In the end, "traditional" art will probably end up where craftsmanship is today: a niche, high-end product. Meanwhile the vast majority of pictures we see every day will emerge from AI.
📕Stories By AI
Literary arts will not be spared! Stories by AI explains how GPT-3 assists a short story writer. As a Ph.D. in literature, I feel entitled to an expert opinion on this matter: the writing process here is as valuable as any other creative writing process. The use of AI to generate serendipitous twists or to find new images, curated by an expert human, is creation. What matters is art's ability to touch readers and expand their perceptions. As Alfred de Musset said: "What matters the jug, if drunkenness be within?"
👾Code by AI
GitHub recently published a survey touting its AI coding assistant Copilot. Copilot's ability to automate repetitive tasks provided the most satisfaction to developers. Concerns remain over intellectual property and security, though I expect both to be smoothed out in the upcoming months. If your enterprise relies on GitHub, you must think right now about how Copilot will be used. Developers will not stand for AI-less code, just like they will not accept being forced to use a corporate Windows workstation without admin rights. In a world of extreme engineering talent scarcity, a successful business cannot afford to have developers writing code that an AI could.
🚗Uber Eats Launches AI Delivery Vehicles
Uber announced a partnership with autonomous EV developer Nuro to bring driverless delivery to Houston and Mountain View. The rise of machines threatens 1.3 million delivery jobs in the US. Providing options to these people will be an extremely hard challenge in the upcoming decades. 83.3% of drivers are male, yet most of the jobs we need the most and that cannot be done by AI (nurses, teachers, child care services) are traditionally "female" jobs.
This matters! I remember that during the worst phase of the first Covid wave, Quebec had to send the army into neglected nursing homes. Radio pundits were screaming their lungs out at how "humiliating" it was for the troops to "change old people's diapers" instead of fighting foreign terrorists. How do we turn truckers into nurses within a generation? The only answer I see is money.
🐶This week's rant: Silicon Valley Showing Us The Way To Build Teams
It is the story of a pentester tasked to write a company-wide email to invite everybody to participate in the annual security awareness training. Guess how this ends? The pentester did not end up writing that email. Why? Because creating engaging content to trigger action is a skill. A skill that has nothing to do with finding exploitable bugs in applications!
Look at your IT or engineering teams. Identify how much work beyond their skillsets they must endure. We cannot fault management. Team is overloaded. Need more teammates. What type? Same as us! DevOps requires jack-of-all-trades anyway! I dare you to suggest a director hire a communications specialist and see how much clear documentation can change a Helpdesk's life.
The Economist reports the same happy marriage happening between product management and economists, whose cohorts have almost tripled in tech. Amazon now employs more economics PhDs than any single university. Economists have been able to design better pricing strategies for the ride-sharing app Lyft.
Such collaborations will distinguish the best from the rest. Numerous high-end talents bounce around in academia. Tech can offer high-paying, steady jobs.
Software Engineers are the best in the world to answer questions such as: "how can we retrieve data out of storage in the most efficient way imaginable?", "how can we scale this query to a billion requests per day?" Pentesters are the best in the world to find vulnerabilities. Maximize their talent, and build multi-faceted teams.