All posts by Nicole Kobie

Facebook lets users port photos and videos to Google

Nicole Kobie

2 Dec, 2019

Facebook is letting users move uploaded photos and videos to Google Photos as part of a project enabling data portability. 

The new tool lets Facebook users bulk export all of their photos and videos to Google’s photo hosting service. So far, the tool is only available in Ireland, but is set to be rolled out more widely in the first half of next year. 

“At Facebook, we believe that if you share data with one service, you should be able to move it to another,” said Steve Satterfield, Director of Privacy and Public Policy at Facebook, in a blog post. “That’s the principle of data portability, which gives people control and choice while also encouraging innovation.”

Data portability is required under laws such as GDPR and the California Consumer Privacy Act; the data portability rules in the latter come into play next year, just as this tool arrives more widely. 

Transferring the data to Google Photos does not appear to delete it from Facebook, but you can move the images over to the rival digital provider and then delete your account. It’s worth noting that Facebook has long allowed users to download everything from their account, photos and videos included, and then they can, of course, be uploaded again to your digital host of choice, Google Photos or otherwise. 

Facebook said the photo transfer tool is just the first step, and its release is designed to be assessed by policymakers, academics and regulators, in order to help decide what data should be portable and how to keep it private and secure.

“We’ve learned from our conversations with policymakers, regulators, academics, advocates and others that real-world use cases and tools will help drive policy discussions forward,” said Satterfield. 

He added: “We are currently testing this tool, so we will continue refining it based on feedback from people using it as well as from our conversations with stakeholders.”

The photo tool is based on code developed at the Data Transfer Project, an effort launched in 2018 that includes leading tech companies including Microsoft, Twitter, Google and Apple. The aim is to develop an open-source data portability platform to make it easier for individuals using their products to shift to a new provider if desired. 

The tool will eventually be available via the settings section of “Your Facebook Information.” “We’ve kept privacy and security as top priorities, so all data transferred will be encrypted and people will be asked to enter their password before a transfer is initiated,” said Satterfield. 

Satterfield saying Facebook hoped to “advance conversations” on the privacy questions identified in the white paper, which included the need to make users aware of privacy terms at the destination service, the types of data being transferred, and to ensure it’s encrypted to avoid it being diverted by hackers. For example, should contact list data be portable, given it’s private information of other people? Satterfield called on more companies to join the Data Transfer Project to further such efforts, which will be welcome to everyone as, after a string of security and privacy concerns, Facebook might not be the most trusted service on such issues. 

Cisco WebEx and Zoom video hit by security flaw

Nicole Kobie

1 Oct, 2019

Security researchers have uncovered a way for attackers to snoop on video conferences run on the Cisco WebEx and Zoom platforms.

Dubbed “Prying Eye”, the flaw spotted by Cequence Security is a weakness in web conferencing APIs that would allow attackers to use an enumeration attack to find open calls or meetings.

Enumeration attacks refer to the practice of using brute force to guess ID numbers – in this case, for meetings or calls. If the attacker guesses the right meeting ID number, and it isn’t password-protected, they have instant access.

That attack technique could work on any application that uses numbers as identifiers, but Cequence notes that it’s common practice to disable basic security such as passwords for web conferences in order to reduce friction for meeting participants. The flaw could be particularly troublesome for anyone who reuses meeting IDs, letting an attacker snoop on all future calls or conferences.

“In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community,” said Shreyans Mehta, Cequence Security CTO and co-founder. “In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities.”

Cequence alerted both companies to the vulnerability in July before taking it public today, giving Cisco and Zoom time to address the flaw. Cisco and Zoom have responded by altering default security settings and issuing advice to customers to help them avoid the vulnerability.

“Notably, the most effective step to strengthen the security of all meetings is to require a password – which is enabled by default for all WebEx meetings,” Cisco’s security team said in a statement provided by Cequence.

Richard Farley, CISO of Zoom Video Communications, said: “Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings.”

Farley added that passwords are now enabled by default, but stressed it was still possible to lighten such security settings to whatever is appropriate for different users. He said that, “as is true of other security options, meeting hosts are free to choose security settings that are most appropriate to the sensitivity of their meetings.”

Cequence Security added that it had not tested all other web conference vendors, so others may be at risk as well. The flaw can be avoided by requiring a password on sensitive conference calls or videos, and by confirming the identity of all attendees on a call.

The latest vulnerability comes just under a year after the discovery of a remote code execution flaw in WebEx’s update service, in which hackers could invoke a Windows update service tool which grants the ability to execute commands with system-level privileges.

Automating the end of discrimination

Nicole Kobie

14 Feb, 2019

AI and automation stand accused of embedding existing biases and furthering discrimination – but it doesn’t have to be that way. We can build machines that make us better, helping us recognise and push back against our assumptions, confirmation bias, and other flaws that lead to discrimination.

That’s the idea behind a multitude of HR and work-themed bots and AI systems, all hoping to machine discrimination out of existence and encourage diversity at work. One prominent example has been the Financial Times’ sourcing bot, which skims through journalists’ copy, making note of the gender of people mentioned, helping the newspaper track its own tendency to interview and feature men rather than women.

In recruitment, LinkedIn has added diversity data to its recruitment tools, while startup Textio will read your job ads and advise changes to encourage a wider range of applicants.

“Recruitment and HR is our fastest growing area, where HR directors are coming to us saying we want to build unbiased systems,” said Tabitha Goldstaub, co-founder of AI advice platform CognitionX.

Like tools such as Grammarly, Textio pop-ups help improve the language recruiters use

Diversity at work has both a moral impetus and legal ramifications: discrimination on the grounds of gender, race or religion is already illegal in the UK. However, companies are starting to realise that choosing from a wider range of applicants and creating an inclusive workplace can be good for profit margins, too.

Indeed, consultancy McKinsey & Co analysed more than 1,000 companies across a dozen countries, revealing that those with the most diverse staff saw higher than average profits.

No wonder then that building diverse and inclusive teams is the number one talent priority for HR departments, according to a LinkedIn report on recruiting trends, with 78% of respondents saying it was “very or extremely important” to their hiring plans. Why? They think it’s good for business and creates a better working culture. (Rarely is it listed as being “the right thing to do” or “a legal requirement”, but we’ll take what we can get.)

Tracking talent

Tracking diversity is a challenge: 42% of HR departments said in the LinkedIn survey that they lack the data quality necessary to address such challenges. With that in mind, the professional social network has added gender-tracking tools to its Talent Insights platform, a data reporting tool that helps recruiters.

“When it comes to gender diversity, using tools such as LinkedIn Talent Insights will help organisations understand their own overall workforce composition, as well as within different functions, and see how they benchmark against the industry at large and spot areas of opportunities to address,” said Jerome Leclercq, senior manager of product marketing at LinkedIn UK. “This avoids manual processes that deliver insights that is often outdated by the time you get it in your hands.”

LinkedIn’s Talent Pool Report helps recruiters access more diverse talent pools by including gender insights

In LinkedIn Talent Insights, companies will be able to see the gender representation of their own workforce, compare that to industry benchmarks, set recruiting objectives, and find out where to find more diverse applicants for roles – more colloquially, where the ladies are.

“The Linkedin Talent Insights Talent Pool Report now includes gender insights to help talent teams identify industries, locations, titles and skills where the gender representation is more favourable,” said Leclercq.

“Using these insights, recruiters can refine and expand their sourcing to tap into more diverse talent pools.”

In the LinkedIn Recruiter platform, HR departments will still see all qualified candidates, but more attention is paid to distribution in search results, with each page reflecting the gender mix of the available talent pool, Leclercq explained.

“As a very simple example, if the available talent pool for programmers with C and C++ skills in the Philadelphia area that you identified in Talent Insights is 42% women and 58% men, you’ll see that same basic proportion on each page of results to make sure your recruiting team is seeing candidates that best reflect the gender distribution of the marketplace,” he said.

Tweaking job adverts with Textio

Textio is similar to Grammarly or a spellchecker in Word, but rather than looking for typos, it considers the response you’ll get from the words and phrases you choose. Textio Hire is its first application, a tool to analyse job posts and recruitment emails to make suggestions to speed up hiring times, candidate quality, and diversity of applicants.

Textio Hire analyses the tone of job adverts, giving a score and suggesting improvements

“Textio’s predictive engine uses a combination of natural-language processing and data mining to find the words that have an impact on your hiring pipeline and bring them to your attention while you are writing,” explained CEO and cofounder Kieran Snyder. “In the example of unconscious gender bias in your writing, the predictive engine finds the words and phrases that are statistically likely to create an imbalance between the number of men and women who are inspired to respond to your job ad today.”

The app not only highlights problematic language, but makes suggestions, too. “Textio Hire uses its massive analytical power to not only improve what’s been written, but it also imagines the things that haven’t been written,” said Snyder. “It can tell which one of those alternate phrases will create the best version of the job post.”

While we humans can watch for biased language in our own writing, automation can make it easier to spot patterns and see outcomes that aren’t obvious to us.

“Most of the patterns that emerge are truly things you just cannot theorise or guess, which is why a platform like Textio needs so much data to uncover the real patterns that change hiring outcomes,” said Snyder, noting that “exhaustive” is a word that attracts more male applications, “loves learning” attracts more women, and “synergy” is a turn-off to people of colour. “You can’t guess what works without massive data sets and the machine learning technology to find the hidden patterns,” she said. “Intuition fails us.”

Can tweaking a few words in a job ad work? Textio Hire claims that it helped Johnson & Johnson increase applications from underrepresented candidates by 22%, while Cisco gets 10% more female candidates and fills positions more quickly.

Using the right data

Another way to boost inclusivity in hiring is using automation to sift through applications, but train a system on flawed or skewed data and it will mirror your previous mistakes, notes Goldstaub. Look at Amazon: according to reports, the tech giant used AI to sift through CVs, but as the system was trained on skewed data – its own previous hires, which were predominantly male – it tended to chuck applications from women into the bin. The machine-learning system has since been dropped, according to a Reuters report.

The Recruiter platform on LinkedIn gives the gender balance of candidates as a percentage

Getting such technology right requires three elements: feeding the correct data, training the AI appropriately, and having humans in the loop to check the results, says Goldstaub. If, as with the Amazon trial, most successful hires in the past were men, there won’t be enough data to train your system with. But if you’re trying to encourage a wider range of applicants, you can “weight the data so we can find the people we want to look for, rather than people just like the ones we already have,” said Goldstaub. As she notes, ignore anyone who blames bias on the machines – it isn’t in control, we humans are. “We are in control of this, and don’t need to just use the data we have already.”

But that raises an “ethical conundrum,” as Goldstaub puts it. “Should we have fairer data, even if it’s not accurate data? That’s a question we can ask ourselves and decide how we want to manage that.”

Artificial intelligence might give us tools to battle back against discrimination, but we still need to face the tough questions ourselves.

What is fog computing?

Nicole Kobie

15 Mar, 2018

The cloud is as ubiquitous in computing as it is in the skies over Britain, but experts have forecast a new meteorological-named IT architecture that could become just as important: fog computing.

What is fog computing?

Let’s help cut through your haze: just like cloud computing, fog computing is an architecture for remote document storage, but rather than housing it all on one server (or one company’s servers), your files are distributed. That doesn’t mean there are copies of them on multiple servers, but that the data that makes up your files is spread widely, so no-one but you can see the entire thing.

“Our proposal is based on this idea of a service that renders information completely immaterial – in the sense that, for a given period of time, there’s no place on earth that contains information complete in its entirety,” noted the researchers, Rosario Culmone and Maria Concetta De Vivo of the University of Camerino, who submitted the idea via a paper in the International Journal of Electronic Security and Digital Forensics.

If your files are always split into smaller pieces of data, they’re less useful to hackers, thus boosting security. It also means that if local authorities want to see your files, they won’t be able to access them in their entirety, with the bits spread across multiple jurisdictions.

How does it work on a technical level?

The “fog” uses standard networking protocols in a new way, using virtual buffers in routers to send packets of your data every which way, all the time – so no file ever sits in its entire, full form on a single server at any given time.

The researchers compared it to sending a letter with a tracking device in the mail, but rather than have it delivered to one place, it bounces around from post office to post office. That would make it rather hard for a snoop or thief to find, since there’s no way of knowing if it’s in transit in a postman’s bag, or which sorting office it’s sat in. But the owner of the letter need only enable the tracking device to find it immediately.

Sounds like it could go horribly wrong

There would be bandwidth pressure if we stored our entire collections of data in such a way, but fog computing could offer an alternative to cloud computing for those who need extra secure remote storage.

Isn’t fog computing to do with IoT?

Yes and no. The decentralised storage and computation of Internet of Things data at the edges of networks, rather than in data centres, uses the same weather-themed jargon, although it’s sometimes known as “edge computing”.

When will this be available?

Sorry, the Camerino researchers offered no forecast of when to expect fog computing to be ready for use. We also don’t yet know what the next meteorological IT buzzword will be. We just hope it involves sunshine, this time.