June 23, 2021

AI Nation podcast, from CITP and WHYY

I’m excited to introduce AI Nation: a podcast about AI, everyday life, and what happens when we delegate vital decisions to machines. It’s a collaboration, born at CITP, between Princeton University and WHYY, Philadelphia’s famous NPR station. The first episode drops on April 1.

Tune in, and you’ll hear a variety of voices. You’ll hear my co-host, Malcolm Burnley, a journalist who reports on culture and social justice, a non-scientist sci-fi enthusiast who is much hipper than me. (A low bar, I know, but you get my point.) You’ll hear voices of people who have been impacted by AI problems, such as being arrested due to bad facial recognition. And you’ll hear from a diverse group of experts on the tech and its implications.

We spent a long time figuring out how to make a podcast that is compelling without being superficial, and connects everyday life to the deep and important issues raised by the AI and computing revolution. There were several false starts and some pilots that got progressively closer to the vision. Then we connected to the team at WHYY, and found the recipe.

I hope you like it. Whatever you think, let us know!

Huge thanks to everyone who has made this possible. At Princeton, that starts with Olga Russakovsky who helped to hatch the original vision, Tithi Chattopadhyay who shepherded the process from beginning to end, Margaret Koval who advised us and made vital connections, and Daniel Kearns for his peerless audio engineering. At WHYY, the thanks start with our producer Alex Stern (now I know and more importantly appreciate everything a producer does!), John Sheehan, and of course my co-host Malcolm Burnley.

Enhancing the Security of Data Breach Notifications and Settlement Notices

[This post was jointly written by Ryan Amos, Mihir Kshirsagar, Ed Felten, and Arvind Narayanan.]

We couldn’t help noticing that the recent Yahoo and Equifax data breach settlement notifications look a lot like phishing emails. The notifications make it hard for users to distinguish real settlement notifications from scams. For example, they direct users to URLs on unfamiliar domains that are not clearly owned by the company that was breached or by any other trusted entity. Practices like this lower the bar for scammers to create phishing emails, potentially victimizing users twice. The severity of the problem is illustrated by Equifax itself, which mixed up domain names and posted a link to a phishing website on its Twitter account. Our discussion paper presents two recommendations to stakeholders to address this issue.

First, we recommend creating a centralized database of settlements and breaches, with an authoritative URL for each one, so that users have a way to verify the notices distributed. Such a database has precedent in the Consumer Product Safety Commission (CPSC) consumer recall list. When users receive notice of a data breach, this database would serve as a reliable authority to verify the information included in the notice. A centralized database has additional value outside the data breach context as courts and government agencies increasingly turn to electronic notices to inform the public, and scammers (predictably) respond by creating false notices.

Second, we recommend that no settlement or breach notice include a URL to a new domain. Instead, such notices should include a URL to a page on a trusted, recognizable domain, such as a government-run domain or the breached party’s domain. That page, in turn, can redirect users to a dedicated domain for breach information, if desired. This helps users avoid phishing by allowing them to safely ignore links to unrecognized domains. After the settlement period is over, any redirections should be automatically removed to prevent abandoned domains from being reused by scammers.
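As an added illustration of both recommendations (not code from the discussion paper), the following Python shows how a mail filter or user-side tool could check a link in a notice against a registry of authoritative URLs and a list of trusted domains. The registry contents, the `.example` and `.test` domain names, and the function names are all hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample data: a hypothetical registry entry and trusted-domain list.
REGISTRY = {"acme-2021-settlement": "https://www.acme.example/breach-settlement"}
TRUSTED_DOMAINS = {"acme.example", "registry.gov.example"}


def _host_under(host, domain):
    # Exact match or a true subdomain. A substring test would wrongly accept
    # "acme.example.settlement-claims.test".
    return host == domain or host.endswith("." + domain)


def _canonical(url):
    # Compare scheme, host and path only; ignore trailing slash and root dot.
    p = urlsplit(url)
    host = (p.hostname or "").lower().rstrip(".")
    return p.scheme.lower(), host, p.path.rstrip("/")


def classify_link(url, settlement_id):
    """Return 'authoritative', 'trusted-unlisted', or 'untrusted: <reason>'."""
    try:
        p = urlsplit(url)
        scheme, host, _ = _canonical(url)
    except ValueError:
        return "untrusted: unparseable URL"
    if scheme != "https":
        return "untrusted: not https"
    # "https://acme.example@other.test/" displays a trusted name before the
    # real host, so any userinfo component is rejected outright.
    if p.username is not None or p.password is not None:
        return "untrusted: userinfo before host"
    if not any(_host_under(host, d) for d in TRUSTED_DOMAINS):
        return "untrusted: unrecognized domain " + host
    listed = REGISTRY.get(settlement_id)
    if listed and _canonical(url) == _canonical(listed):
        return "authoritative"
    # On a trusted domain, but not the URL the registry lists for this notice.
    return "trusted-unlisted"
```

Only an `authoritative` result confirms the notice against the registry; `trusted-unlisted` means the domain is recognizable but the link still needs to be checked against the database entry.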

CITP to Launch Tech Policy Clinic; Hiring Clinic Lead

We’re excited to announce the CITP technology policy clinic, a first-of-its-kind interdisciplinary project to engage students and scholars directly in the policy process. The clinic will be supported by a generous alumni gift.

The technology policy clinic will adapt the law school clinic model to involve scholars at all levels in real-world policy activities related to technology—preparing written comments and briefs, working with startup companies, and collaborating with public-interest law groups. As an outgrowth of this work, CITP could provide federal, state and local policy makers with briefings on emerging technologies and could also create simple non-partisan guides to action for citizens and small businesses.

We’re looking to hire a Clinic Lead, an experienced policy professional to lead the clinic. For more information, go to https://citp.princeton.edu/clinic-lead/

CITP was founded as Princeton’s initiative to support research and education on technology policy issues. Over the years, CITP’s voice grew stronger as it uniquely leveraged its strength of world-class computer scientists and engineers to work alongside leading policy experts at the Woodrow Wilson School of Public Policy. The center has now established a recognized national voice in areas including AI policy, privacy and security, technology for governance and civil liberties, broadband policy, big data, cryptocurrencies, and the internet of things. As the national debate over technology and its impact on democracy has come to the forefront in recent times, the demand for technology policy experts has surged. CITP recognizes a need to take on a larger role in tackling some of these technology policy problems by providing on-the-ground training to Princeton’s extraordinary students. We’re eager to hire a Clinic Lead and get started!