Author Archives: Michael Froomkin

What Are they Hiding? (Turkish Edition)

Marcy Wheeler is very smart. And while she’s not given to mincing words, she is also not a wild-eyed conspiracist. So I sat up when I saw “Meanwhile, Over In Turkey . . .”, her blog post on Secretary of State Tillerson’s super-secret meeting with Turkish President Erdogan–the only other person in the room being the Turkish Prime Minister, who personally translated.

This is a huge breach of not just protocol, but standard and very sensible operating procedures at the US State Department (not that Tillerson cares).

Let’s go back to that no-staff-allowed element of the meeting once more. In general, it is in the interests of both parties to a conversation like that to have interpreters and notetakers present, so that in the public discussions that follow (like the one above), everyone agrees on the basic facts of what was said and you don’t get into a “but you said . . .” and “no I didn’t” back-and-forth. For the meeting to exclude such staffers means that there is something else that overrides this interest.

In this case, the Turks had to have demanded that Tillerson not bring anyone with him to this meeting. There’s no way he would have told his staff “I got this – you take a break while I talk with Erdogan” on his own. The question is why, and all the possible answers I can come up with after reading the Turkish Foreign Minister’s reply to that last question involve Vladimir Putin wanting Erdogan to pass on some kind of message to Trump — a message that he did not wish to be delivered within earshot of interpreters and notetakers.

It reminds me very much of that May 2017 Oval Office meeting that Trump had with Russian Foreign Minister Sergey Lavrov and outgoing Ambassador to the US Sergey Kislyak. That was the meeting where we later learned that Trump revealed Israeli intelligence to the Russians about their source inside ISIS and told them that he just fired “that nut job” James Comey which took the pressure off of him because of Russia.

Oh, and the US press were kept out of that meeting as well, with the only reports of it coming after the Russians told us about it. As Politico’s Susan Glasser noted about that Oval Office meeting, it came at the specific request of Putin

But like we say in blogland, read the whole thing.


Micropayments of a New and Pernicious Type

Many of us predicted long ago that the future of journalism was online micropayments – pay fractions of a cent an article instead of being bombarded with ads.

What we didn’t see coming was this strategy by Salon: if you want to keep your ad blocker, let us use your computing cycles to mine for cryptocurrencies.

The security issues are left as an exercise for the reader.


10 Things You Can Do to Protect e-Privacy & Autonomy

At UM’s Data Privacy Day event I made 10 suggestions about what you can do to protect your e-privacy and autonomy.  Here they are:

  1. Trust cyber-civil liberties NGOs like EFF to recommend things to use and to do. If you take away nothing else, remember this URL: Eff.org.
    1. Use EFF’s Privacy Badger browser plugin.
    2. Take their audit – Panopticlick – of how unique your browser fingerprint is.  Unique fingerprints are a way you can be tracked. Block cookies and super-cookies.
    3. Use their HTTPS Everywhere tool.
    4. Find the EFF surveillance self-defense guide. It offers advice tailored for different groups that might have greater / lesser needs for privacy/defense (e.g. LGBTQ, activists, journalists, lawyers).
  2. Use VPNs — virtual private networks.  And only use good ones – be careful about jurisdiction and policies:
    1. The UM off-campus VPN is a valuable service, and good to protect against third parties … but not against UM. Does UM log your usage? Do they record your originating IP#? The sites you visit? Despite some frantic Google searches, I can’t tell — it seems they don’t say. I think therefore you have to assume they do. And if I were the UM General Counsel my first instinct would probably be to say they need to do the logging to protect themselves.
    2. Is your VPN service dirt-cheap or free? Does the service cost only a few dollars for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.
        1. Look for establishment in a democratic country with a strong commitment to the rule of law.  Without that, even the best promises in the Terms of Service (ToS) to not log web page access OR IP# and access times are meaningless.  Note that many, probably most, VPNs in most other countries are required to do some logging. https://it.miami.edu/a-z-listing/virtual-private-network/index.html
        2. Does the VPN promise to prevent DNS leakage to your ISP?
        3. Ideally, the VPN should support IPv6 as well as IPv4 to prevent leakage when the remote site is on IPv6. This will become more important in the future as more and more sites move to IPv6.
  3. Use Tor as much as possible.  (But see #8 below.)
  4. Inspect your browser settings on your phone and computer to set max privacy options (including blocking 3rd party cookies and enabling Do Not Track).  Use a privacy-hardened browser on your phone such as the Warp browser.  On both computer and phone always use a search engine such as DuckDuckGo that will not track you.
  5. Encrypt every drive, every email (when possible), and especially all cloud-stored data before uploading it.
  6. Get a password manager and use it – never re-use a password. Use 2-factor authentication for Google and other services that support it. (Only 10% of Google users do!)
  7. Don’t put any apps on your phone that connect to anything financial (due to risk of ID theft if phone stolen).
  8. Lobby UM to make it easier to use VPNs and Tor, on both the wired and wireless networks.  Ask UM to be more transparent about what cookies its web pages set and what they track and record.  And, importantly, ask UM to not require you to take every single UM cookie in order to use the “remember me for 30 days” feature of its authentication app DUO.  Also, ask UM to promise that it has your back, and that it will challenge any request for your data to the maximum extent the law allows (right now it makes no such promises at all; even National Security Letters are sometimes withdrawn if the data-holding entity says it will go to court to ask for it to be reviewed).
  9. Lobby for privacy laws that limit data collection – once data are collected major First Amendment issues come into play, making it hard to limit use and re-use of accurate data. Also lobby to stop the US government secretly introducing vulnerabilities into fundamental crypto standards.
  10. Resist the frame: understand that the true definition of the ‘greater good’ is one in which the individual is able to flourish. Remember that ‘terrorist’ is a label that fits best after conviction – before that what we have is a ‘suspect’; conceivably any of us can be a suspect. So arguments that we should control crypto or prevent privacy in order to give law enforcement access to all our data when they decide they need it should be viewed with great caution and a firm eye on how the powers they want could be misused by them or by others who get hold of their tools. And even if we someday find ourselves in a world where things have gone badly wrong, and we do find ourselves subject to pervasive surveillance, follow Vaclav Havel, who in his great work ‘Living in Truth’ reminded us that so long as we choose not to self-censor we have chosen not to surrender a key part of our freedom.

(Some links added after original posting)


Speaking at Two Local Events This Week

Wednesday morning I’ll be one of the panelists at UM’s Data Privacy Day event. Among the incendiary things I plan to say is that the University should be more open to the use of Tor and VPNs on its network. (Update: to be clear, the current openness is almost zero.) Further, the VPN service UM provides for off-campus use needs to make much fuller disclosures about what it logs, how long it keeps logs, and whether it will undertake to oppose private and/or governmental attempts to access those logs. (At present, as far as I can tell, there are no representations at all on any of these topics.)

Friday afternoon, I’ll be speaking on AI and Medicine at the first panel of the University of Miami Law Review’s 2018 Symposium, Hack to the Future: How Technology is Disrupting the Legal Profession. Why am I speaking about AI and medicine, even on a panel entitled “Emerging Technologies: Artificial Intelligence”, when the conference is about AI and Law? Well you might ask. When the organizers invited me, I protested that I didn’t know enough about AI’s effects on the legal profession to give a good talk — but I did know a few things about AI and Medicine. And they called my bluff…


New Paper ‘When AIs Outperform Doctors’

My latest (draft!) paper, “When AIs Outperform Doctors: The dangers of a tort-induced over-reliance on machine learning and what (not) to do about it”, is, I hope, special. I had the good fortune to co-author it with Canadian polymath Ian Kerr, and with Joëlle Pineau, one of the world’s leading machine learning experts.

Here’s the abstract:

Someday, perhaps soon, diagnostics generated by machine learning (ML) will have demonstrably better success rates than those generated by human doctors. What will the dominance of ML diagnostics mean for medical malpractice law, for the future of medical service provision, for the demand for certain kinds of doctors, and—in the longer run—for the quality of medical diagnostics itself?

This article argues that once ML diagnosticians, such as those based on neural networks, are shown to be superior, existing medical malpractice law will require superior ML-generated medical diagnostics as the standard of care in clinical settings. Further, unless implemented carefully, a physician’s duty to use ML systems in medical diagnostics could, paradoxically, undermine the very safety standard that malpractice law set out to achieve. In time, effective machine learning could create overwhelming legal and ethical pressure to delegate the diagnostic process to the machine. Ultimately, a similar dynamic might extend to treatment also. If we reach the point where the bulk of clinical outcomes collected in databases are ML-generated diagnoses, this may result in future decision scenarios that are not easily audited or understood by human doctors. Given the well-documented fact that treatment strategies are often not as effective when deployed in real clinical practice compared to preliminary evaluation, the lack of transparency introduced by the ML algorithms could lead to a decrease in quality of care. The article describes salient technical aspects of this scenario particularly as it relates to diagnosis and canvasses various possible technical and legal solutions that would allow us to avoid these unintended consequences of medical malpractice law. Ultimately, we suggest there is a strong case for altering existing medical liability rules in order to avoid a machine-only diagnostic regime. We argue that the appropriate revision to the standard of care requires the maintenance of meaningful participation by physicians in the loop.

I hope that it will be of interest to lawyers, doctors, computer scientists, and a range of medical service providers and policy-makers. Comments welcome!


Net Neutrality a la King

Never in my life did I imagine I would be saying a good thing about a Burger King product, but this video explaining net neutrality is actually… good:
