304 research outputs found

    Multidisciplinary perspectives on Artificial Intelligence and the law

    Get PDF
    This open access book presents an interdisciplinary, multi-authored, edited collection of chapters on Artificial Intelligence (‘AI’) and the Law. AI technology has come to play a central role in the modern data economy. Through a combination of increased computing power, the growing availability of data and the advancement of algorithms, AI has now become an umbrella term for some of the most transformational technological breakthroughs of this age. The importance of AI stems from both the opportunities that it offers and the challenges that it entails. While AI applications hold the promise of economic growth and efficiency gains, they also create significant risks and uncertainty. The potential and perils of AI have thus come to dominate modern discussions of technology and ethics – and although AI was initially allowed to largely develop without guidelines or rules, few would deny that the law is set to play a fundamental role in shaping the future of AI. As the debate over AI is far from over, the need for rigorous analysis has never been greater. This book thus brings together contributors from different fields and backgrounds to explore how the law might provide answers to some of the most pressing questions raised by AI. An outcome of the Católica Research Centre for the Future of Law and its interdisciplinary working group on Law and Artificial Intelligence, it includes contributions by leading scholars in the fields of technology, ethics and the law.info:eu-repo/semantics/publishedVersio

    Hardening Tor Hidden Services

    Get PDF
    Tor is an overlay anonymization network that provides anonymity for clients surfing the web but also allows hosting anonymous services called hidden services. These enable whistleblowers and political activists to express their opinion and resist censorship. Administrating a hidden service is not trivial and requires extensive knowledge because Tor uses a comprehensive protocol and relies on volunteers. Meanwhile, attackers can spend significant resources to decloak them. This thesis aims to improve the security of hidden services by providing practical guidelines and a theoretical architecture. First, vulnerabilities specific to hidden services are analyzed by conducting an academic literature review. To model realistic real-world attackers, court documents are analyzed to determine their procedures. Both literature reviews classify the identified vulnerabilities into general categories. Afterward, a risk assessment process is introduced, and existing risks for hidden services and their operators are determined. The main contributions of this thesis are practical guidelines for hidden service operators and a theoretical architecture. The former provides operators with a good overview of practices to mitigate attacks. The latter is a comprehensive infrastructure that significantly increases the security of hidden services and alleviates problems in the Tor protocol. Afterward, limitations and the transfer into practice are analyzed. Finally, future research possibilities are determined

    Security considerations in the open source software ecosystem

    Get PDF
    Open source software plays an important role in the software supply chain, allowing stakeholders to utilize open source components as building blocks in their software, tooling, and infrastructure. But relying on the open source ecosystem introduces unique challenges, both in terms of security and trust, as well as in terms of supply chain reliability. In this dissertation, I investigate approaches, considerations, and encountered challenges of stakeholders in the context of security, privacy, and trustworthiness of the open source software supply chain. Overall, my research aims to empower and support software experts with the knowledge and resources necessary to achieve a more secure and trustworthy open source software ecosystem. In the first part of this dissertation, I describe a research study investigating the security and trust practices in open source projects by interviewing 27 owners, maintainers, and contributors from a diverse set of projects to explore their behind-the-scenes processes, guidance and policies, incident handling, and encountered challenges, finding that participants’ projects are highly diverse in terms of their deployed security measures and trust processes, as well as their underlying motivations. More on the consumer side of the open source software supply chain, I investigated the use of open source components in industry projects by interviewing 25 software developers, architects, and engineers to understand their projects’ processes, decisions, and considerations in the context of external open source code, finding that open source components play an important role in many of the industry projects, and that most projects have some form of company policy or best practice for including external code. On the side of end-user focused software, I present a study investigating the use of software obfuscation in Android applications, which is a recommended practice to protect against plagiarism and repackaging. The study leveraged a multi-pronged approach including a large-scale measurement, a developer survey, and a programming experiment, finding that only 24.92% of apps are obfuscated by their developer, that developers do not fear theft of their own apps, and have difficulties obfuscating their own apps. Lastly, to involve end users themselves, I describe a survey with 200 users of cloud office suites to investigate their security and privacy perceptions and expectations, with findings suggesting that users are generally aware of basic security implications, but lack technical knowledge for envisioning some threat models. The key findings of this dissertation include that open source projects have highly diverse security measures, trust processes, and underlying motivations. That the projects’ security and trust needs are likely best met in ways that consider their individual strengths, limitations, and project stage, especially for smaller projects with limited access to resources. That open source components play an important role in industry projects, and that those projects often have some form of company policy or best practice for including external code, but developers wish for more resources to better audit included components. This dissertation emphasizes the importance of collaboration and shared responsibility in building and maintaining the open source software ecosystem, with developers, maintainers, end users, researchers, and other stakeholders alike ensuring that the ecosystem remains a secure, trustworthy, and healthy resource for everyone to rely on

    Connected World:Insights from 100 academics on how to build better connections

    Get PDF

    Enforcing C++ type integrity with fast dynamic casting, member function protections and an exploration of C++ beneath the surface

    Get PDF
    The C++ type system provides a programmer with modular class features and inheritance capabilities. Upholding the integrity of all class types, known as type-safety, is paramount in preventing type vulnerabilities and exploitation. However, type confusion vulnerabilities are all too common in C++ programs. The lack of low-level type-awareness creates an environment where advanced exploits, like counterfeit object-orientated programming (COOP), can flourish. Although type confusion and COOP exist in different research fields, they both take advantage of inadequate enforcement of type-safety. Most type confusion defence research has focused on type inclusion testing, with varying degrees of coverage and performance overheads. COOP defences, on the other hand, have predominantly featured control flow integrity (CFI) defence measures, which until very recently, were thought to be sound. We investigate both of these topics and challenge prevailing wisdom, arguing that: 1. optimised dynamic casting is better suited to preventing type confusion and 2. enforcing type integrity may be the only defence against COOP. Type confusion vulnerabilities are often the result of substituting dynamic casting with an inappropriate static casting method. Dynamic casting is often avoided due to memory consumption and run-time overheads, with some developers turning off run-time type information (RTTI) altogether. However, without RTTI, developers lose not only secure casting but virtual inheritance as well. We argue that improving the performance of dynamic casting can make it a viable option for preventing type confusion vulnerabilities. In this thesis, we present MemCast, a memoising wrapper for the dynamic cast operator that increases its speed to that of a dynamic dispatch. A new variant of the COOP exploit (COOPLUS) has identified a weakness in almost all modern, C++-semantic-aware CFI defences. The weakness is that they allow derived class functions to be invoked using corrupted base class instances, specifically where an attacker replaces the object's virtual pointer with one from a derived type object. A CFI defence overestimates the set of target functions at a dispatch site to cover all possible control-flow paths of a polymorphic object. Thus COOPLUS takes advantage of the lack of type integrity between related types at dispatch sites. In this thesis, we argue that CFI is an unsuitable defence against COOPLUS, and type integrity must be applied. Hence we propose a type integrity defence called Member Function Integrity (MFI) that brings type awareness to member functions and prevents any member function from operating on an invalid object type. To understand the low-level techniques deployed in MemCast and our MFI defence policy, one has to appreciate the memory layout of the objects themselves and the conventions used by member functions that operate on them. However, in our research, we did not find adequate introductory literature specific to modern compilers. For this reason, we supplied our own self-contained introduction to low-level object-orientation. This thesis has three contributions: a primer on C++ object layouts, an optimised dynamic casting technique that reduces the casting cost to that of a dynamic dispatch, and a new defence policy proposal (MFI) to mitigate all known COOP exploits

    Evaluating the use of user content feed swapping for counteracting filter bubbles

    Get PDF
    Abstract. The term filter bubble refers to a phenomenon in which a recommendation system fails to offer diverse or novel content, and instead offers content that reinforces particular belief systems. Filter bubbles are considered harmful when they restrict users’ exposure to diverse content and thereby reinforce potentially harmful or misinformed ideologies, contribute to the spread of misinformation, and foster the creation of echo chambers. This thesis proposes a solution to counteract the effects of filter bubbles by providing users with the option to switch content feeds with their least similar users’ feed. The solution was achieved by substituting the correlation coefficient used in collaborative filtering recommendation systems. An application was developed to simulate post recommendations for users, initially employing a traditional collaborative filtering system. This was then followed by a collaborative filtering system that recommended posts based on the likes of the least similar user to the current user. User engagement metrics and cognitive mapping metrics were used to evaluate this solution. If the solution did not negatively affect user engagement and demonstrated an ability to increase the diversity of users’ bias perception and promote a more nuanced understanding of bias within the social media application, it met the requirements of these metrics. There was an overall increase in user engagement after the users’ feed was swapped. Moreover, the users’ perception of bias became more diversified, indicating that the solution prompted a broader awareness of bias within the social media application users were engaging with. Based on these results, the proposed solution was deemed as potentially effective in addressing the filter bubble problem. The solution’s viability was established solely within a simulated environment. To determine its real-world applicability, it requires further testing in a naturalistic environment with more participants

    Mapping the Supply of Surveillance Technologies to Africa: Case Studies from Nigeria, Ghana, Morocco, Malawi, and Zambia

    Get PDF
    African governments are spending over 1US$bn per year on digital surveillance technologies which are being used without adequate legal protections in ways that regularly violate citizens’ fundamental human rights. This report documents which companies, from which countries, are supplying which types of surveillance technology to African governments. Without this missing detail, it is impossible to adequately design measures to mitigate and overcome illegal surveillance and violations of human rights. Since the turn of the century, we have witnessed a digitalisation of surveillance that has enabled the algorithmic automation of surveillance at a scale not previously imaginable. Surveillance of citizens was once a labour and time-intensive process. This provided a practical limit to the scope and depth of state surveillance. The digitalisation of telephony has made it possible to automate the search for keywords across all mobile and internet communications. For the first time, state surveillance agencies can do two things: (a) conduct mass surveillance of all citizens’ communications, and (b) micro-target individuals for in-depth surveillance that draws together in real-time data from mobile calls, short message service (SMS), internet messaging, global positioning system (GPS) location, and financial transactions. This report was produced by qualitative analysis of open-source data in the public domain. The information presented is drawn from a diverse range of sources, including open government data sets, export licence portals, procurement notices, civil society databases of surveillance contracts, press releases from surveillance companies, academic articles, reports, and media coverage. The research is organised using a typology of five categories of surveillance technology. We did not set out to detail every technology available, every company, or every supply contract. Instead, we document the main companies and countries selling digital surveillance technologies to African governments. Rather than focus on the technical functionality distinguishing each product offering, we highlight five of the most important types of surveillance technology: internet interception, mobile interception, social media surveillance, ‘safe city’ technologies for the surveillance of public spaces, and biometric identification technologies.Civic Future

    Internet censorship in the European Union

    Get PDF
    Diese Arbeit befasst sich mit Internetzensur innnerhalb der EU, und hier insbesondere mit der technischen Umsetzung, das heißt mit den angewandten Sperrmethoden und Filterinfrastrukturen, in verschiedenen EU-Ländern. Neben einer Darstellung einiger Methoden und Infrastrukturen wird deren Nutzung zur Informationskontrolle und die Sperrung des Zugangs zu Websites und anderen im Internet verfügbaren Netzdiensten untersucht. Die Arbeit ist in drei Teile gegliedert. Zunächst werden Fälle von Internetzensur in verschiedenen EU-Ländern untersucht, insbesondere in Griechenland, Zypern und Spanien. Anschließend wird eine neue Testmethodik zur Ermittlung der Zensur mittels einiger Anwendungen, welche in mobilen Stores erhältlich sind, vorgestellt. Darüber hinaus werden alle 27 EU-Länder anhand historischer Netzwerkmessungen, die von freiwilligen Nutzern von OONI aus der ganzen Welt gesammelt wurden, öffentlich zugänglichen Blocklisten der EU-Mitgliedstaaten und Berichten von Netzwerkregulierungsbehörden im jeweiligen Land analysiert.This is a thesis on Internet censorship in the European Union (EU), specifically regarding the technical implementation of blocking methodologies and filtering infrastructure in various EU countries. The analysis examines the use of this infrastructure for information controls and the blocking of access to websites and other network services available on the Internet. The thesis follows a three-part structure. Firstly, it examines the cases of Internet censorship in various EU countries, specifically Greece, Cyprus, and Spain. Subsequently, this paper presents a new testing methodology for determining censorship of mobile store applications. Additionally, it analyzes all 27 EU countries using historical network measurements collected by Open Observatory of Network Interference (OONI) volunteers from around the world, publicly available blocklists used by EU member states, and reports issued by network regulators in each country

    Designing Critical and Practical User Interface Interventions in Uncivil Online Discussion

    Get PDF
    Miljoonat ihmiset käyttävät päivittäin verkkokeskustelujärjestelmiä jakaakseen mielipiteitään, tietojaan ja tunteitaan. Samanaikaisesti, sekä epäasiallinen käytös että sen estämiseen tähtäävät toimenpiteet voivat ehkäistä rakentavia verkkokeskusteluja. Siispä epäasialliseen keskusteluun puuttuminen tulee suunnitella huolellisesti. Tämä väitöskirja tukee epäasialliseen verkkokeskusteluun puuttuvien käyttöliittymämekanismien kriittisten ja käytännöllisten toimintojen suunnittelua. Kriittiset toiminnot viittaavat pohdinnan, keskustelun, mielikuvittelun, monimutkaisuuden havaitsemisen ja uusien näkökulmien huomioinnin herättämiseen. Tämä on hyödyllistä ongelmien esiin kaivamiseen ja ihmisten aktivoimiseen. Käytännölliset toiminnot puolestaan viittaavat ongelmien ratkomiseen, tässä tapauksessa epäasiallisen keskustelun hillitsemistoimiin. Väitöskirja lähestyy aihetta tunteita merkitsevien käyttöliittymäinterventioiden kriittisen suunnittelun kautta. Kriittinen suunnittelu on suunnittelu ja tutkimusmenetelmä, jossa herätetään keskustelua suunnittelun eettisyydestä, paljastetaan mahdollisesti piilossa olevia arvoja ja ehdotetaan vaihtoehtoisia suunnitteluarvoja. Tunteiden merkitsemisellä viitataan sisällössä olevien tunteiden nimeämiseen, jolla odotetaan psykologian tunneteorioiden perusteella olevan rauhoittava vaikutus. Tutkimus tuotti neljä tieteellistä julkaisua. Tutkimukseen sisältyi kymmenen suomalaisen journalistin haastattelu koskien neljää suunnitteluehdotusta, sekä kaksi kansainvälistä verkkokyselyä, joissa taltioitiin yhteensä 687:än verkkouutiskommentoijan reaktiot yhteensä 14:sta ehdotukseen. Väitöskirja antaa oleellisista tietoa kriittisen suunnittelun osa-alueista ja ulottuvuuksista. Esimerkiksi, “käytännöllinen—kriittinen” -ulottuvuus, joka ilmaisee, miten vahvasti intervention tulisi toimia kriittisesti. Lisäksi se antaa tietoa mitkä asiat tekevät interventiosta laadukkaan käyttäjien mielestä. Esimerkiksi, käyttäjät ajattelevat, että laadukas interventio auttaa heitä välttämään lukemasta epäasiallisia kommentteja ja olemaan kommentoimatta tavalla, joka voisi kaduttaa. Kaiken kaikkiaan väitöskirja tukee epäasialliseen verkkokeskusteluun puuttuvien käyttöliittymäratkaisujen suunnittelua kriittisellä äänellä ja tuo merkittävän lisän verkkokeskustelujärjestelmien suunnittelua käsittelevään kirjallisuuteen.Millions of people use online discussion systems daily to share their opinions, knowledge, and feelings with others. At the same time, constructive online discussions can be hindered by both uncivil conduct and efforts to suppress it. This implies that interventions in uncivil discussion should be designed carefully. This thesis supports designing for critical and practical functionality in user interface (UI) mechanisms intended to intervene in uncivil online discussion. Critical functionality refers to provoking reflection, discussion, imagination, appreciation of complexity, and consideration of new perspectives. This is useful for problem finding and nudging people to act in different ways. Practical functionality, on the other hand, refers to problem solving, here, mitigating incivility. The thesis approaches the issue by conducting Critical Design of affect labeling UI interventions in uncivil online discussion, particularly focusing on news commenting. Critical Design refers to creating designs that may not be solutions but rather provoke discussion about the ethics of design, reveal potentially hidden agendas and values, and propose alternative design values. Affect labeling is seen as a promising strategy where the emotions present in the content are explicated, which, based on psychological emotion theories, is expected to have a calming effect. The research resulted in four scientific publications. The research included ten interviews with Finnish journalists about four critical affect labeling UI intervention design proposals, as well as two international online surveys in which a total of 687 online news commenters reacted to a total of 14 intervention designs. The thesis contributes relevant design aspects and dimensions for Critical Design. For example, the “Practical—Critical” dimension, which refers to whether the intervention should encourage a simple change in behavior or trigger a deeply reflective response to the intervention design. It also contributes knowledge on the user-perceived characteristics of high-quality. For example, online news commenters believe a high-quality UI intervention helps them to avoid reading uncivil comments and posting comments that they regret. Overall, the thesis advances design of UI interventions in uncivil online discussion with a critical voice and contributes more generally to literature on design of online discussion systems

    Adaptive Cybersecurity Training Framework for Social Media Risks

    Get PDF
    Social media has become embedded in our everyday lives, personal activities, and the workplace. Thus, educating users on emerging cybersecurity challenges for social media has become imperative. In this project, a systematic literature review (SLR) was conducted and a mix of approach analyses to derive a framework that identifies the activities involved in adapting cybersecurity training for social media risks. I collected answers from 641 Kuwaiti employees in various sectors: education, healthcare, leadership and management, arts, entertainment, the police, and military, and interviewed 25 people who serve as policymakers, cybersecurity trainers, and those who have experienced cybersecurity training before. The study found that a one-fits-all training approach is highly ineffective, as people’s understanding and knowledge can vary greatly. Features such as gender, age, educational level, job roles, and the trainees’ training preferences and perceptions are essential considerations for developing a robust training system. Additionally, the study found that job role and age constitute the main factors associated with social media cybersecurity risks. The findings reveal that employees working in the business and financial sectors are the riskiest group, as far as cybersecurity is concerned. Female employees are more vulnerable to cyberattacks than male employees, and the youngest employees are the most risk prone, employees with less than two years of experience, and those who are 55 years old or more, need more cybersecurity training, due to their lack of awareness on the subject. This work has led to formulate a risk equation that can assist policymakers and training providers in defining countermeasures against risks and prioritize the training for those who need it the most. The framework and its process were validated through several strategies involving 38 case studies, surveys, and interviews. The novel contribution of this research is the proposal of the framework, which is a high-level, holistic framework that can support and promote organizations in mitigating social media risks
    corecore