Questions about the Kremlin’s relationships with these groups remain. But researchers are finally getting some answers.

Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbor the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cybercriminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.

New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

The project analyzed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.

“We used the data to compare the timing of attacks for groups we think are based out of Russia and groups based everywhere else,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”

The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. Then the attackers demand a ransom not only for the decryption key but to keep the stolen data secret instead of selling it. The researchers may not have captured data from every single double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.

The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organizations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline. 

The increase wasn't visible in every sector, though. Russia-based ransomware gangs did seem to target government organizations and infrastructure at a slightly elevated rate two months out from a country's national election, but Nershi says the total number of attacks on government entities in the data set was small to begin with. The analysis didn't find a statistically significant increase in the number of attacks against organizations in the communications, finance, energy, and utility sectors leading up to elections. But because of the overall increase in attacks across all types of organizations, the researchers theorize that there may be a spillover effect that the Russian government's general increase of cyber activity in the lead-up to an election in one of the six countries indirectly fuels ransomware attacks.

“We are theorizing that there seems to be some level of loose ties between these ransomware groups based in Russia and the Russian government,” Nershi said, "In that they are criminal organizations, they’re in it for profit, but it seems like occasionally the Russian government will ask them for favors, and they’ll agree to operate on this sort of ad hoc basis."

The research aligns with other recent analyses and information, including details from a massive trove of chat logs leaked earlier this year that showed how the notorious Conti ransomware group operates. The data indicated that Conti members very likely have connections within Russia's FSB intelligence agency and knowledge of Russian military hacking operations, painting a picture of loose and ad hoc cooperation. 

“What the groups get out of it is generally not being prosecuted. And for the Russian government, it can allow them to outsource to some degree certain tasks in a way that gives them plausible deniability,” Nershi says. "As I perceive it, it's a strange, nebulous, ambiguous relationship."

Russia’s Sway Over Criminal Ransomware Gangs Is Coming Into Focus

Anyone can get a blue tick on Twitter without proving who they are. And it’s already causing a ton of problems.

At the end of August, Sean Murphy was trying to book a flight between Nairobi, Kenya, and Entebbe, Uganda, with Kenya Airways. “The information on the booking page was ambiguous,” says Murphy, the cofounder of Web3 company ImpactScope. So he fired off a quick direct message to the verified Kenya Airways account on Twitter, asking it to confirm baggage allowances for the flight. A day later, when the account didn’t reply, he sent the company a public tweet reminding it about the question. Then the replies started.

Within minutes, multiple Twitter accounts claiming to be Kenya Airways tweeted him. All of them offered help, but none of them appeared official. The accounts used Kenya Airways’ logo and slogan, but clicking on their profiles raised red flags. “Most of their messages were well crafted,” Murphy says. “However, the low number of followers coupled with the spelling errors or odd choice of characters in their actual Twitter handles was the main giveaway.” The accounts included “@\_1KenyaAirways” and “@kenyaairways23.”

It’s now easier for Twitter accounts to appear official. In the chaotic days since Elon Musk completed his $44 billion takeover of Twitter and subsequently fired thousands of staff, the social network has revamped how its account verification works. The new Twitter Blue subscription, which has started rolling out to some users, allows anyone to pay $8 per month and get a blue check mark showing they are “verified.” The tick appears almost instantly once someone stumps up the cash, and no questions are asked—people do not have to prove their identity.

The verification symbol is a stark difference from Twitter’s previous approach to verification when only accounts belonging to brands, public figures, and governments were provided with blue ticks next to their name. In all those instances, verification was approved by Twitter staff. The new verification process—or lack of it—is likely to make it easier for scammers, cybercriminals, and peddlers of disinformation to hone their craft and appear legitimate.

“Cybercriminals very easily use social media as the perfect vehicle to target unbeknown victims, but when there is no clear and genuine way to check identities, you open up a path to impersonated accounts, which will no doubt be abused by threat actors in the search of a con,” says Jake Moore, global cybersecurity advisor at security firm ESET.

Things are already messy. Straight after Twitter Blue’s verification started rolling out, accounts impersonating people and brands appeared. Some people appeared to be testing the system; others were causing trouble. In some cases, new accounts were used, and in others, years-old Twitter accounts had been converted to blue-tick status. One account called Nintendo of America (handle: @nIntendoofus) tweeted a picture of Mario giving people the finger. Apple TV+ was impersonated along with gaming firm Valve, Donald Trump, and basketball star LeBron James. A post from an account pretending to be an ESPN analyst gained more than 10,000 engagements before it was deleted, fact-checking organization Snopes reported. The account had “NOT” in its handle, and its bio described it as a parody. As of yesterday, amid a surge of impersonation accounts, Twitter had paused allowing new accounts to purchase verification.

Twitter’s new approach to verified accounts is focused on the Twitter Blue subscription. Once a user pays, the blue tick appears next to an account’s name. If someone clicks on the tick, a message explains it is there because it has been purchased. In Twitter’s timeline, a user’s blue tick is shown prominently next to the name they give their account (which can easily be changed), rather than their username handle.

Cybercriminals have, of course, tried to scam people or impersonate them on social media for years, and they are always trying to stay one step ahead of the people hunting them down. Many scams involve convincing people that an account is authentic and then manipulating them via social engineering to hand over credit card details or personal information. These kinds of scams persist as criminals get results from them.

Support account scams—where a bad actor impersonates a company’s customer service team, as with Sean Murphy’s experience with Kenya Airways—are common. Kenya Airways’ official Twitter account has previously warned about accounts that impersonate it (one of these is not verified). Rachel Tobac, the cofounder of SocialProof security, which focuses on social engineering, says these support account scams will be easier to conduct on Twitter as there are fewer steps scammers need to take before they start impersonating official accounts.

“Previously, cybercriminals needed to procure a verified Twitter page by phishing the verified user to steal their credentials, buy stolen credentials online, or find the reused credentials in a password repository post data breach,” Tobac says. “Now the scammers can just use a stolen credit card to purchase a verified account and begin their scamming.” Millions of people’s credit card details can be purchased online and a single stolen card can cost just $1.

Musk has claimed that the $8 Twitter subscription fee will discourage bad actors from creating accounts, particularly at scale. The CEO has also said that accounts subscribing to Twitter Blue will have their tweets shown above non-verified accounts in search results. In a Twitter Space aimed at advertisers this week, Musk said he wanted to stop fake accounts and that bad actors “don’t have a million credit cards and phones.” (In one incident in February, Ukrainian officials shut down an alleged Russian-linked bot operation that used 3,000 SIM cards and had created more than 18,000 online accounts.)

Twitter also briefly launched and removed an “official” label that was placed on some public accounts. “Please note that Twitter will do lots of dumb things in coming months,” Musk tweeted this week. “We will keep what works & change what doesn’t.” (Twitter did not immediately respond to a request for comment, although it is believed many of its press office team were let go in the recent Twitter layoffs.)

Beyond allowing scammers to appear genuine, multiple experts believe that the verification changes could erode what it means for legitimate accounts to be verified on social media. “The shift to purchasing verified accounts will likely greatly reduce the trust that users, emergency services, public utilities, journalists, and brands have in Twitter verified accounts, as it’s unlikely that Twitter will quickly catch and shut down every new Twitter Blue verified account that is impersonating others,” Tobac says.

In addition to scams, the ability to quickly create genuine-looking verified accounts is also likely to aid disinformation campaigns. For years, Russian, Chinese, and Iranian state-supported actors have tried to manipulate many conversations online. They can create thousands of fake accounts in attempts to amplify disinformation. “We know that disinformation actors, particularly those that are linked to governments, have budgets,” says Elise Thomas, a senior OSINT analyst at the Institute for Strategic Dialogue who has focused on misinformation and disinformation. “We’ve already seen many disinformation campaigns buy web domains, spend thousands or tens of thousands on advertising, purchase bot accounts in bulk, and employ trolls.”

As noted by Eliot Higgins, the founder of the investigative unit Bellingcat, which among other things has uncovered Russian disinformation and exposed its network of international spies, it would be trivial for a government to pay for verified accounts. In 2018, Russia’s Internet Research Agency, which has consistently pumped out disinformation, had a budget of around $10 million. “Beyond impersonation of real people and organizations, it could also allow disinformation operations to create new personas—for example, journalists or government agencies that don’t exist—and make that fake persona seem more credible with a check mark,” Thomas says.

And state-backed actors haven’t needed verified marks to sow information chaos in the past. “Many state-backed disinformation campaigns use fake accounts to amplify user-generated content that is divisive and polarizing in order to get topics to trend, and to make voices at the fringe appear louder than they are,” says Samantha Bradshaw, an assistant professor in new technology and security at American University. “It is therefore unclear whether this policy will raise the cost of influence operations in a meaningful way.” Russian state-backed Twitter accounts have previously managed to be quoted in the press hundreds of times, without any verification at all.

As the rollout of Twitter Blue continues, staff at the newly cut Twitter may face an uphill battle in determining whether accounts are part of coordinated efforts to influence discourse online or are indeed authentic. Twitter’s own staff have hinted that verification without identity checks may have to change in the future. Yoel Roth, Twitter’s head of trust and safety, said that in the short term the company will “ramp up” proactive reviews of accounts that appear to be impersonating other people. “I think we need to invest more in identity verification as a complement to proof-of-humanness,” Roth tweeted. “Paid Verification is a strong (not perfect) signal of humanness, which helps fight bots and spam. But that’s not the same thing as identity verification.”

Elon Musk's Twitter Blue Verification Is a Gift to Scammers

Security researchers see updated tactics and tools—and a tempo change—in the cyberattacks Russia’s GRU military intelligence agency is inflicting on Ukraine.

Since Russia launched its catastrophic full-scale invasion of Ukraine in February, the cyberwar that it has long waged against its neighbor has entered a new era too—one in which Russia has at times seemed to be trying to determine the role of its hacking operations in the midst of a brutal, physical ground war. Now, according to the findings of a team of cybersecurity analysts and first responders, at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics: ones that allow for quicker intrusions, often breaching the same target multiple times within just months, and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.

At the CyberwarCon security conference in Arlington, Virginia, today, analysts from the security firm Mandiant laid out a new set of tools and techniques that they say Russia’s GRU military intelligence agency is using against targets in Ukraine, where the GRU’s hackers have for years carried out many of the most aggressive and destructive cyberattacks in history. According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they're now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.

That shift, according to Roncone and Wolfram, has offered multiple advantages to the GRU. It's allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it's enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyberespionage. And because the edge devices that give the GRU their footholds inside these networks aren't necessarily wiped in the agency's cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.

"Strategically, the GRU needs to balance disruptive events and espionage," Roncone told WIRED ahead of her and Wolfram's CyberwarCon talk. "They want to continue imposing pain in every single domain, but they are also a military intelligence apparatus and have to keep collecting more real-time intelligence. So they've started 'living on the edge' of target networks to have this constant ready-made access and enable these fast-paced operations, both for disruption and spying."

In a timeline included in their presentation, Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country's energy, media, telecom, and finance industries, as well as government agencies. But within that sustained cyberwarfare barrage, the Mandiant analysts point to four distinct examples of intrusions where they say the GRU's focus on hacking edge devices enabled its new tempo and tactics.

In one instance, they say, GRU hackers exploited the vulnerability in Microsoft Exchange servers known as ProxyShell to get a foothold on a target network in January, then hit that organization with a wiper just the next month, at the start of the war. In another case, the GRU intruders gained access by compromising an organization's firewall in April of 2021. When the war began in February, the hackers used that access to launch a wiper attack on the victim network's machines—and then maintained access through the firewall that allowed them to launch _another_ wiper attack on the organization just a month later. In June 2021, Mandiant observed the GRU return to an organization it had already hit with a wiper attack in February, exploiting stolen credentials to log into its Zimbra mail server and regain access, apparently for espionage. And in a fourth case, last spring, the hackers targeted an organization's routers through a technique known as GRE tunneling that allowed them to create a stealthy backdoor into its network—just months after hitting that network with wiper malware at the start of the war.

Separately, Microsoft’s Threat Intelligence Center, known as MSTIC, revealed today yet another example of the GRU launching repeated cyberattacks on the same Ukrainian targets. According to MSTIC, the hacker group it calls Iridium, more widely known as the GRU hacking unit Sandworm, was responsible for Prestige ransomware attacks that hit transportation and logistics targets in Ukraine and Poland from March to October of this year. MSTIC notes that many of the victims of that ransomware had earlier been hit with the wiper tool HermeticWiper just before Russia’s February invasion—another piece of data-destroying malware linked to the GRU.

The GRU, Roncone and Wolfram point out, have certainly targeted "edge" devices before this new phase of the agency cyberwar in Ukraine. In 2018, the agency's hackers infected more than half a million routers worldwide with malware known as VPNFilter, and they similarly attempted to create a botnet of hacked firewall devices that was discovered just ahead of Russia's Ukraine invasion in February.

But the Mandiant analysts argue that only now are they seeing that hacking of edge devices used to accelerate the agency's pace of operations and to achieve persistence inside networks that lets the GRU pull off repeated intrusions against the same victims. That's meant that instead of having to choose between stealthy cyberespionage and disruptive cyberattacks that destroy the very systems they're spying on, the agency has been able to "have their cake and eat it too," as Roncone puts it.

Ukraine's own cybersecurity agency, known as the State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant's conclusion that Russia has quickened its pace of cyber-operations since the start of the war in February, according to Viktor Zhora, a senior SSSCIP official. He confirms that the GRU, in particular, has come to favor targeting edge devices while other Russian intelligence agencies, such as the FSB, continue to use phishing emails as a common tactic. But he argues that the examples of repeated wiping of the same organization in quick succession, or a wiping attack followed by an espionage operation against the same target, remain relatively rare.

Instead, Zhora contends that the GRU's switch to a faster operating rhythm shows how the agency's hackers are racing—struggling, even—to keep up with the speed of physical war.

“Operating in a covert mode over the last eight years, having unlimited financial resources, widely available human resources, gave them a lot of opportunities. They used that time to test, to probe and develop new technologies. Now, they’ve needed to increase the density of their attacks, and they require much more resources," says Zhora. "They still try to carry out their expected role, to be Russia's most active and destructive agency. But with sanctions, with the intellectual flow out of Russia, with difficulties in human resources and infrastructure, their operational limits are significantly greater. But we can see in the tactics they use that they're still seeking new opportunities for intelligence and wiping options."

At times, Roncone and Wolfram say, GRU hackers do seem to be struggling to keep up with the new pace they've set. In one case, they saw the hackers backdoor an email server but set up their command-and-control server incorrectly, so that they failed to control it. In another case, they sent the wrong commands to a wiper tool, so that it failed to wipe the systems it had infected. "It's just the tempo and probably a bit of human error and burnout that leads to these sort of 'oopsies,'" says Roncone.

Another shift in the GRU's hacking to "quick and dirty" methods can be seen in the specific wiper malware that it uses, according to Roncone and Wolfram. Since May, Mandiant has observed GRU hackers deploying the relatively simple, targeted wiper malware known as CaddyWiper in nine different operations targeting Ukrainian organizations—five attacks in May and June, then another four last month.

The decision to make that small, straightforward wiper code its sabotage payload of choice represents a stark contrast with years past. In 2017 and 2018, the GRU group Sandworm unleashed complex destructive worms inside of target networks that took months to hone and deploy: automated, self-replicating, multi-featured code such as the Olympic Destroyer malware designed to cripple the Pyeongchang Winter Olympics and the NotPetya malware that hit Ukrainian networks and spread worldwide, causing an unprecedented $10 billion in damage.

In the early days of Russia's invasion, for reasons that aren't quite clear, Kremlin hackers targeting Ukraine appear to have used a grab bag of at least half a dozen wiping tools of varying quality inside of victim networks, such as HermeticWiper, WhisperGate, and AcidRain. But in more recent months, the GRU appears to have deployed mainly CaddyWiper, again and again, Mandiant found, though in modified forms, changed just enough to evade detection. (Ukraine's SSSCIP, for its part, declined to confirm whether it has seen the same nine CaddyWiper attacks Mandiant had tracked.

"It's like they've said, ‘We're not gonna build out a fancy multifaceted wiper like NotPetya that can worm on its own. What we need is just something that's really lightweight and easily modifiable and easily deployable,'" says Roncone. "So they're using this not-that-great, does-the-job wiper, which seems like part of shifting their entire tactical strategy to accommodate these fast-paced operations." And while those quick-and-dirty methods may not be as flashy or as innovative as the GRU cyberattacks of the past, they can nonetheless inflict serious digital chaos in a country that needs every resource it has to fend off Russia's invaders.

_Update 12:10 pm EST 11-10-22: Added MSTIC's attribution of the Prestige ransomware attacks on Ukraine and Poland to the GRU's Sandworm group._

Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless

Cash is safe—for now. Contactless payment methods, like Apple Pay or Google Wallet, are more of a threat to the existence of physical cards.

The proliferation of contactless payment options shifts how businesses interact with customers at the moment of purchase, from international retailers to local pop-up shops. But there’s no need to fret just yet if you enjoy buying stuff with cold, hard cash. Plastic cards are first on the chopping block.

“I’d suggest that the time is ripe to plan for plastic (and metal) cards to be sent to Shady Pines Retirement Home for the Tragically Overstayed Welcome,” wrote Nick Holland, global head of insights and networks at Money 20/20. During the group’s 2022 conference in October in Las Vegas, financial technology companies touting efficiency and seamless experiences were front and center, as plastic cards faded into the background.

Anyone who is on the fence about using their smartphone for contactless payments should check out Whitson Gordon’s case for adopting the technology. Convinced and need guidance setting up Apple Pay or Google Wallet? Apple and Google offer step-by-step instructions to guide you through that initial setup. After you link your cards to the mobile device and practice the necessary steps to complete purchases, here are a few tips to help you get the most out of smartphone wallets.

Don’t Forget About Phone-to-Phone Payments

You may be comfortable tapping your phone against a checkout terminal, but it might feel like a surprise the first time a business asks you to tap your phone to their phone. Smaller merchants, delivery companies, and take-out restaurants may continue to forgo traditional card terminals altogether as companies like Mastercard and Visa introduce features that use near-field communication chip technology to enable phone-to-phone payments. Similar to the lightning port on the iPhone, the era of credit card readers plugged into smartphones is likely to come to an end.

Make Use of Virtual Card Numbers

Always look to see what your options are when it comes to virtual card numbers. For example, if you choose to get an Apple Card on your iPhone and the number leaks, it can be changed with just a couple of taps. Open your **Wallet** and tap on the **Apple Card**. In the top-right corner, select the **card icon** and choose the button that reads **Request New Card Number**. Virtual card numbers are not only useful for smartphone payments. Google added the option to use the security feature easily in your web browser.

Add More Than Just Payment Methods

Your debit card and credit card are likely the very first items you connect to your digital wallet. It doesn’t need to stop there! From boarding passes to proof-of-vaccine cards, digital wallets can hold so much more than just payments. It’s even possible to connect your health insurance card for easy access. (The main aspect of a physical wallet that a digital one can never replicate is providing me with a secret receptacle to hoard ancient receipts and scraps of paper.)

Keep a Little Cash on Hand

Even if you choose to use your mobile device instead of a plastic card for most in-person transactions, it still makes sense to keep a few dollar bills in your wallet. Just in case. Your smartphone might get wet and stop functioning. Also, not every store is set up to accept Apple Pay or Google Wallet. Some retailers even offer a small discount to customers who pay with cash.

How to Use Apple Pay or Google Wallet Instead of Plastic Cards

True the Vote’s IV3 app is meant to catch election cheaters. But it has a fundamental flaw.

Ten days before Georgia’s Senate runoff election in 2021, Gamaliel Warren Turner Sr., a 69-year-old veteran, found out that someone in his county had challenged his eligibility to vote. Turner, a retired major in the US Army, had requested an absentee ballot, and when it didn’t arrive in the mail, he got nervous and called the Muscogee County registrar’s office to figure out where it was. According to court records, a clerk informed Turner that his name was on a list of thousands of voters in the county whose registrations were under investigation.

“I was beyond irate. I was hollering,” Turner says. “I didn’t know what the hell a voter challenge was. I just wanted to know, am I going to be able to vote or not?”

Turner has lived in Georgia for his entire life and voted there in nearly every election for the past 50 years. He owns a home there and the utility bills are under his name. He has a Georgia driver’s license that he uses to drive his two cars, both registered in Muscogee County. But in 2019, his job required that he temporarily relocate to Camarillo, California. In order to avoid missing packages while away on his temporary work assignment, he did what millions of Americans do every year and notified the United States Postal Service (USPS) that he wanted his mail forwarded to a new address.

What Turner didn’t know at the time was that this simple notification to the USPS would enmesh him in a scheme dreamed up by a right-wing activist group called True the Vote that ended up challenging the voter registrations of 364,000 Georgians.

Best known for its work on the widely debunked film _2,000 Mules_, True the Vote had developed an algorithm that matched names in voter rolls with data kept by the USPS about individuals who changed addresses. The group’s goal was to aggressively cull voter rolls, under the suspicion that inaccurate registrations lead to voter fraud, which is extremely rare in the US.

Along with Turner’s, True the Vote sent the names of approximately 4,000 supposedly ineligible voters to the leader of the Republican Party in Muscogee County, Alton Russell, a toilet paper salesman, who in turn submitted them to the county Board of Elections to challenge their voter registrations. But the scheme didn’t work: Most of the counties in Georgia rejected True the Vote’s challenges, and Turner successfully sued the Muscogee County Board of Elections to ensure his ballot would be counted in the 2021 runoff election.

Undeterred, True the Vote has quietly rolled out a web app called IV3 to replicate this process around the country. The browser-based application has led to the challenges of hundreds of thousands of voter registrations, the group claims. Yet little is known about IV3. The app is not active in most states, and to get access, you need to provide True the Vote with a valid form of identification. But by analyzing the code IV3 uses for its frontend, WIRED has been able to piece together how the tool likely functions. Our review found that the app ultimately uses an ineffective and unreliable methodology to determine who should remain on the rolls. Experts say that the app weaponizes public data and is more likely to remove eligible voters from the rolls than it is to catch rampant fraud that doesn’t exist in this country.

True the Vote is a Texas–based nonprofit whose founder, Catherine Engelbrecht, has played a crucial role in mainstreaming the voter fraud movement. The organization has set itself apart by using technology to legitimize their dubious claims of massive voter fraud, but it has consistently refused to provide any empirical evidence. IV3 is part of a growing strategy by right-wing activists to leverage state laws that allow a private citizen to dispute a voter's eligibility to toss out tens of thousands of voter registrations and ballots in battleground states. According to _The New York Times_, activists in Michigan tried to challenge 22,000 voter registrations for the state’s August primary. In Texas, residents challenged the eligibility of more than 6,000 voters in Harris County.

While it’s unclear how many voter challenges were facilitated using True the Vote’s app, Facebook posts from groups organizing some of the country’s largest voter challenges suggest that people are actively using IV3. For instance, in September, a group called VoterGA challenged the registrations of 37,500 voters in Georgia. On its Facebook page, one member encouraged her colleagues to use IV3, claiming that she had used the app to challenge nearly 6,000 people in Georgia’s Fayette County.

According to the True the Votes tax filings obtained by _Reveal_ from the Center for Investigative Reporting, True the Vote spent more than $500,000 on app development in 2020, using some of those funds to build a “proprietary organizing web app” that leverages its “national voter roll database” to “notify counties of voter role inaccuracies”. The app, which is not named but whose description mirrors IV3, was likely built by OPSEC Group LLC, whose founder, Gregg Phillips, was a former board member of True the Vote who has worked closely with Engelbrecht for years. OPSEC also performed the debunked data analysis behind _2,000 Mules_.

Court marshals arrested Engelbrecht and Phillips last week after they refused a court order to turn over alleged evidence of voter fraud that’s central to a defamation case brought by software company Konnech against True the Vote. Representatives for True the Vote did not respond to WIRED’s request for comment.

Access to IV3 is limited only to verified individuals who reside in one of the seven states where the app is active. However, WIRED was able to analyze the app’s public-facing code to get a better understanding of how it works. This was possible because upon loading the app’s login page, the browser automatically requests all the code needed to render the frontend components of the entire tool, even if a user is unauthenticated. By saving these HTML, JavaScript, and CSS files and running a web mock server, WIRED was able to explore some of the core features of the app, albeit without live data sent from True the Vote’s servers.

In a help page WIRED found bundled in the app’s code, True the Vote claims that IV3 cross-references state databases of voter registrations with the USPS NCOALink database, a dataset of approximately 160 million permanent change-of-address records that can be licensed for a fee. If True the Vote’s algorithm finds a “substantive discrepancy” between the two records, it will flag the registration for manual review by individuals who sign up to use the app. These records then show up in a page on the app called “IV3 Identified Records for Review.” After a volunteer submits a challenge, True the Vote claims to “prepare that challenge for filing based on your state’s specific requirements.” Network requests made by the app suggest that individuals who sign up for IV3 are only able to see and vet registered voters in their own county, as many state laws only allow other voters within the county to submit challenges.

When we rendered the frontend components in IV3, we found that the tool also gives vetted users the ability to look up the registrations of any voter in their county in order to determine whether or not the registration looks suspicious enough to challenge. While this voter registration data is technically public, its distribution by a partisan group can feel intimidating. “I feared that I could—or my family could—become the next target of harassment from True the Vote and their supporters for having voted, especially because my name and address had been published online and I had been publicly identified as a challenged voter,” a woman who had their registration challenged by True the Vote said in court records.

While WIRED was unable to use the app with live data, court records suggest that the way True the Vote matches individuals from voter rolls to those in the USPS database appears broken. Ken Mayer, a political scientist who analyzed a file of challenged voters for a lawsuit that Fair Fight filed against True the Vote, said in an expert report that True the Vote’s file of challenged voters was “riddled with errors” and “almost certainly mismatches voters with NCOA records.” He added, “The results do not come anywhere close to what would be required for valid practices in academic studies of election administration.” True the Vote did not respond to questions about Mayer’s assessment.

Moreover, experts say that the entire premise of using USPS data alone to invalidate voter registrations is flawed. Andrew Garber, a counsel within the Brennan Center’s Voting Rights and Elections Program, says that there are dozens of reasons why people might want their mail forwarded and all are insufficient alone to cancel a voter’s registration. “The use of this app is really concerning because it seems to be an effort to automate and take onto a mass scale a process that’s supposed to be local and individualized,” Garber says.

USPS did not immediately respond to WIRED’s request to comment on True the Vote’s use of its address-change data.

The voter challenges facilitated by IV3 have already run into problems. In an email IV3 sent to its users in August that WIRED obtained, True the Vote has run into hurdles in Georgia, Ohio, and Pennsylvania. The email states that in Pennsylvania, election officials told True the Vote each challenge requires a notarized and signed affidavit, at a cost of $5 to $7 each. “Think about that for those of you who completed 20, or 50, or 100, or several hundred challenges,” the August email reads. “It was never our intent for this process to cost our volunteers any money, much less hundreds to thousands of dollars just to ask your county to check and verify the rolls. We will be talking to election attorneys and Pennsylvania officials about this statute. It needs to be changed.”

While IV3 makes it possible to file a large number of challenges, it’s highly unlikely that any of them would be sufficient to remove anyone from voter rolls. Nevertheless, the challenges are likely to burden election officials as they may have to research and adjudicate each challenge brought. According to Garber, “even if the challenges don’t result in people being removed from the roles, they are gumming up the works and slowing down other vital election processes.”

Turner says he already voted by absentee ballot for the 2022 US midterms, which conclude today. But that doesn’t mean he’s not concerned with what True the Vote has been up to around the country. “It’s dangerous,” he says. “They are just throwing everything up against the wall and seeing what sticks. All of their strategies to disenfranchise voters are just sowing distrust about elections and it’s frustrating. I just don’t know where all of this is heading.”

Inside the ‘Election Integrity App’ Built to Purge US Voter Rolls

Voter intimidation has cropped up in places across the nation, but the voting booth remains the one place where nobody can get to you.

Though foreign Disinformation campaigns have targeted the 2022 United States midterm elections to a degree, most of the pressure on US voting infrastructure has come from inside the house. Violent domestic threats against election officials have soared around the country in the past couple of years, endangering workers and, increasingly, driving them from the profession altogether. And as early voting began around the US in recent days, scattered incidents at ballot drop boxes and polling places have put voters on edge. Last week, a federal judge in Arizona notably ordered armed members of a group called Clean Elections USA to stop visibly carrying guns and wearing body armor within 250 feet of ballot drop boxes.

Officials and researchers say that casting a ballot will be safe and uneventful for the vast majority of US voters. They also emphasize, as was the case in 2020, that US elections are in fact the most secure and rigorous they've ever been thanks to a number of initiatives, including efforts to phase out voting machines that do not produce a paper backup and the expanded use of postelection audits, including gold standard “risk-limiting" audits. Yet erosion of public trust in any election system is as big a threat to the democracy it underpins as real-world meddling. With so much at stake, the 2022 US midterms are highlighting the criticality of one core US voting protection: the secret ballot.

“The secret ballot is really profound—it’s critical to capturing the true will of the people,” says Ben Adida, the executive director of VotingWorks, a nonprofit maker of open source voting equipment. “People who would break your kneecaps or physically threaten you at the polls represent one extreme, but there are also much more subtle ways that undue influence could affect the outcome of an election. Think about people who support a candidate but don’t feel that strongly about it. They might think, ‘Well, do I really want to fight with my spouse or my employer? It's just one vote.’”

Until the 1890s, US voting was a local, public event, conducted either orally or using paper tickets. And efforts to institute private voting using the now-familiar “Australian ballot” method were controversial at first because the spectacle and transparency of public voting were embedded in US democratic culture. 

Being able to cast your vote secretly, though, provides two core democratic protections. The first and perhaps more intuitive benefit relates to individual privacy. Whether using a voting machine or filling out a scannable form, US voters cast their ballots at the polls in privacy booths. And while they must be registered to vote in databases that are often public, the votes they actually cast are totally disconnected from their identities. This means that even if a family member, acquaintance, or political operative is voting with you at the same time, they shouldn't be able to actually know for sure how you voted, leaving you the opportunity to vote however you choose.

“There’s a challenge when you can’t connect the vote to the person, but we've largely solved that problem with audits after elections and checking that we’re recording votes accurately,” says Lawrence Norden, senior director of the elections and government program at the Brennan Center at New York University School of Law. “For a majority of American history, elections were held in public, and there was a reason we moved to the secret ballot. Part of it was that people were subject to violence and intimidation, and actually polling places could become violent.”

In recent weeks, some voters have been alarmed to realize that volunteers who work at local polling places for early voting and on Election Day rarely undergo extensive vetting or screening. This is because the role is considered a community contribution and is typically only modestly compensated. But in Miami-Dade County, Florida, for example, three people who claim to be former members of the Proud Boys domestic terrorist group planned to work at polling sites on Election Day. One was put on a standby list after information surfaced that he participated in the January 6, 2021, attack on the US Capitol. For people who might feel uncomfortable voting in increasingly politicized and charged environments, the privacy booth is a last-line defense.

The second societal benefit of secret voting, though, is not about the right to individual privacy, but instead about undercutting the ability of any entity, foreign or domestic, to buy votes. If you can't be sure that someone voted a certain way, there's no clear benefit to paying, blackmailing, or otherwise pressuring someone over how they vote. This relates in part to ongoing discussions over whether people should be allowed to take selfies in voting booths or otherwise document their trips to the polls. The US voting system is designed, though, so that even a photo captured in the privacy booth doesn't definitively prove how someone voted.

“You should be able to lie convincingly about how you voted, but not just because you choose not to tell someone," VotingWorks' Adida says. “In fact, you shouldn’t be able to show evidence. There is a stronger secrecy property these systems strive for known as ‘receipt-free.’ We as a society don’t want you to be able to sell your vote, even if you want to. It is actually not your right to sell your vote. There’s a greater democracy goal at stake here."

With career election workers leaving their positions in droves, and fears about voter intimidation on the rise, US election infrastructure is at a fraught inflection point. As more and more challenges encroach, the privacy booth is a refuge—and increasingly, perhaps, a bunker.

The Secret Ballot Is US Democracy’s Last Line of Defense

A year after a billion-dollar seizure of the dark web market's crypto, the same agency found a giant trove hidden under a different hacker's floorboards.

The legendary dark-web market for drugs known as the Silk Road was designed to be an anarchic underworld economy that evaded all government control. Instead, years after it was torn offline, it's proven to be the IRS’s gift that keeps on giving.

On Monday, the US Department of Justice announced that a Georgia man named James Zhong has pleaded guilty to wire fraud nine years after stealing more than 50,000 bitcoins from the Silk Road. As part of his plea agreement, Zhong has forfeited that massive stash of bitcoins to the DOJ—a sum that, at the time of the coins' seizure in late 2021, would have been the biggest-ever Justice Department seizure not only of cryptocurrency but of currency of any kind. The bitcoins were ultimately found stored on what’s described in court records as a “single-board computer” hidden in a popcorn can, along with more than $600,000 in cash and precious metals, all held in a safe under the floorboards of a bathroom closet in Zhong’s home.

The newly revealed case represents yet another notch in the belt for IRS Criminal Investigations, or IRS-CI, which over the past several years has used—very often in partnership with blockchain analysis firm Chainalysis—cryptocurrency tracing techniques that have led to record-breaking troves of ill-gotten bitcoins and to the alleged hackers and money launderers who amassed them. In fact, Zhong is the _second_ Silk Road hacker to turn over a billion-dollar cache of coins to the IRS-CI, after another unnamed individual agreed the previous year to forfeit nearly 70,000 bitcoins he'd stolen from the drug market—a record-breaking, even larger collection of coins that was worth $1 billion at Bitcoin's lower exchange rate at the time. Both those records were again broken earlier this year by IRS-CI's case against two alleged money launderers in New York accused of pocketing $4.5 billion in cryptocurrency stolen from the Bitfinex exchange.

"Thanks to state-of-the-art cryptocurrency tracing and good old-fashioned police work, law enforcement located and recovered this impressive cache of crime proceeds," wrote US Attorney Damian Williams, a prosecutor for the Southern District of New York, in a statement about the latest indictment and 10-figure seizure. "This case shows that we won’t stop following the money, no matter how expertly hidden, even to a circuit board in the bottom of a popcorn tin.”

The hidden safe where investigators found a popcorn tin containing a storage device with Zhong’s $3.36 billion in Bitcoin.

Photograph: Department of Justice

According to an IRS-CI affidavit detailing Zhong's theft of the 50,000-plus bitcoins from the Silk Road, he appears to have found a vulnerability in that dark-web market that in 2012 allowed him to somehow pull more coins out of accounts he created there than he had deposited. The affidavit describes how he registered a succession of accounts on the site with names like "thetormentor" and "dubba," deposited a sum of coins into the Bitcoin wallets for each account, and then made repeated withdrawals of the entire sums held there within a single second to multiply his money several times over. This apparently exploited a bug in the Silk Road that allowed those rapid-fire withdrawals without first confirming that the requested money still existed in a user's account. "In this fashion, \[Zhong\], using each of the fraud accounts, moved at least approximately 50,000 Bitcoin out of Silk Road in just a few days," reads the affidavit, which was signed by IRS-CI special agent Trevor McAleenan.

Over the nine years that followed, Zhong appears to have left that massive windfall almost entirely unspent—perhaps for fear that cashing it out into traditional currency would attract the attention of law enforcement. But even that epic restraint appears to have been in vain, as IRS-CI investigators nonetheless traced Zhong's coins to his accounts on an unnamed cryptocurrency exchange, which revealed his identity. Zhong's case closely mirrors the story of the earlier Silk Road hacker, referred to in court documents only as Individual X, who similarly exploited a vulnerability in the Silk Road to take nearly 70,000 bitcoins from the site and hold them for more than seven years. But, perhaps due to the vagaries of negotiations over massive cryptocurrency fortunes, no charges against Individual X have been publicly revealed. Zhong, by contrast, now faces a wire fraud conviction that carries as much as 20 years in prison.

The Silk Road was torn down by a massive law enforcement operation in late 2013, leading to the arrest of Ross Ulbricht, the site's creator, who was sentenced to life in prison and ordered to pay $183 million in restitution. In yet another bizarre twist, however, a portion of the seized 70,000 bitcoins taken from the Silk Road by Individual X were applied toward Ulbricht's debt, paying it off in full in exchange for his agreement not to lay any claim to the remaining money.

Using bitcoins stolen from the Silk Road to pay off the restitution of that site's creator may seem like a strange turn of events. But in an era when IRS-CI cryptocurrency seizures regularly pours billions of dollars into the US Treasury, there seems to be plenty to go around.

IRS Seizes Another Silk Road Hacker’s $3.36 Billion Bitcoin Stash

Edward Perez says that “manufactured chaos” by bad actors will be even riskier thanks to Elon Musk’s own mayhem.

The staff shortages worry those monitoring the elections too. “I spoke to Elon Musk,” Jessica González, co-CEO of US media advocacy group Free Press, said at a press conference on Friday. “He promised to retain and enforce the election integrity measures that were on Twitter's books before his takeover. With today's mass layoffs, it's clear that Musk's actions betray his words."

González said that Free Press had been pressing Twitter since the summer to fully enforce its election integrity plan—and that showing staff the door undermines that plan. (Twitter did not respond immediately to a request for comment; Musk did not respond immediately to an email.)

Even small actions like preventing staff members from accessing physical offices on Friday as Musk and his coterie of advisers carried out their layoffs can have a significant impact, Perez says. “This is an utterly chaotic environment a few days away from an election to allow these very talented, very thoughtful, very dedicated people to do this important work,” he says.

Never mind getting the mind-space to do their work amid a maelstrom, there’s also the simple issue of whether there are enough staff there to handle what the election may bring.

One former Twitter employee, who asked for anonymity to speak freely, tells WIRED that the company prepared for the election months in advance. “This close to the vote, the materials are there,” they say. “It’s whether anyone left knows how to or wants to deploy it.” Perez points out that Twitter was well prepared with institutional structures and threat models to assess election risk. “But it would be a mistake to simply assume in the midst of these layoffs, and that amount of change, that the work can continue as it has before.”

Perez asks whether there are enough people with institutional expertise to analyze what Twitter’s machine-learning models that monitor speech on the platform are detecting; whether the models will still work to identify harmful keywords; and if the models will still surface questionable content for human moderators to review. “I don't know the answer to all of that,” he admits. “But it certainly doesn't look good when you're cutting 50 percent of very talented employees.”

Speaking on Friday afternoon, Perez didn’t know how many people in Twitter’s election integrity team were still at their post. His product team was only one part of Twitter’s election organization. The civic integrity team in all, including product and engineering staff, alongside policy experts in different regions, was more than 100 strong. Likewise, he’s uncertain what impact Musk’s seeming total abandonment of Twitter’s curation team will have on how the election plays out.

“For all the talk of algorithms and automation, a lot of the good of Twitter was humans being experts in interests and the platform,” says the former Twitter employee. Buckley believes that Musk might feel a degree of separation from the issue of election integrity. “His actions won’t threaten democracy and civic decency directly,” he says, “but they certainly will allow those wishing to undermine these things to do so.”

Nor is it just November 8 that Twitter—and the world—has to worry about. Perez is concerned that even if the elections implausibly go off without a hitch on Twitter, there will be weeks, if not months, of disinformation-filled aftermath.

“We're likely to have some candidates that, without any evidence of facts, will allege irregularities in the election,” says Perez. “I think it's reasonable to assume there will probably be some candidates that refuse to concede the results, and we will almost certainly have false and baseless allegations about so-called problems with voting technology.”

The sum of that is what Perez calls “manufactured chaos”: coordinated attempts to sow chaos by partisan political actors, including seeding disinformation through social media like Twitter. We know it’s coming this week, and we know from past experience its potential impact. The question is whether Musk’s public square is prepared to handle it.

“It is a very, very challenging and complex problem to try to mitigate the harmful effects of all that disinformation,” says Perez. “And I cannot think of a worse time for Elon Musk to cut off Twitter's resources at the knees.”

Twitter’s Ex-Election Chief Is Worried About the US Midterms

Plus: Liz Truss’ phone-hacking trouble, Cash App’s sex-trafficking problem, and the rising cost of ransomware.

Open internet proponents were relieved last month when an American candidate beat a Russian challenger in an election to run the International Telecommunications Union, an important international standards body tasked with cross-boundary communications. Meanwhile, though, we took a look at the fragility of the world’s internet infrastructure and the vulnerability of crucial undersea cables.

Researchers see evidence that the US’s new legal climate for abortion access is promoting a culture of community surveillance, a hallmark of authoritarian states in which neighbors and friends are encouraged to report possible wrongdoing. And surveillance is on the rise in soccer stadiums around the world as well. The eight stadiums in use during the 2022 World Cup in Qatar, for example, will be packed with more than 15,000 cameras to monitor spectators and to conduct biometric scanning.

The more secure, “memory safe” programming language Rust is making inroads across the tech industry, offering hope that a massive swath of common vulnerabilities could eventually be preempted and eliminated. In the meantime, we’ve got a roundup of the most important vulnerabilities that you can—and should!—patch right now.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

There’s no longer a question about whether TikTok staff in China can access Europeans’ data. The company this week announced that it plans to update its privacy policy to explicitly list China as one of the countries where workers can access data from users in the European Union, such as location data that users opt to share. TikTok’s policy update comes amid a yearlong investigation by Ireland’s Data Protection Commission, which is looking into its data-transfer policies under the EU’s General Data Protection Regulation. The inquiry is part of Western governments’ increased scrutiny of the video-sharing platform, which some US officials have characterized as a national security threat due to frequently close relationships between Chinese companies and the government in Beijing. TikTok, which is owned by China-based ByteDance, says in its announcement that its privacy policy update is meant to “include greater transparency into how we share user information outside of Europe and how we collect user location information.” The new policy goes into effect on December 2.

Liz Truss is having a rough time. Soon after her historically brief stint as the UK prime minister, the _Mail on Sunday_ reported that agents working on behalf of Russia had hacked her personal cell phone when she was foreign minister. The breach allegedly allowed these Russian operatives to intercept messages between Truss and officials in other countries, including messages about Ukraine. The _Mail_ report further claims that former prime minister Boris Johnson and cabinet secretary Simon Case suppressed the breach. While the breach remains unconfirmed, Labor Party officials are calling for an “urgent investigation” into their Conservative opponents. "There are immensely important national security issues raised by an attack like this by a hostile state which will have been taken extremely seriously by our intelligence and security agencies," Labor Party shadow home secretary Yvette Cooper said last weekend. "There are also serious security questions around why and how this information has been leaked or released right now, which must also be urgently investigated."

Another of Jack Dorsey’s corporate creations is facing new heat this week. According to a _Forbes_ investigation, the Cash App is helping fuel sex trafficking in the US and elsewhere. Based on police records, “hundreds of court filings,” and claims by former Cash App employees, the investigation found rampant use of the Cash App in sex trafficking and other crimes. The company, which is owned by Dorsey-led Block Inc., maintains that it “does not tolerate illegal activity on Cash App” and has staff dedicated to working with law enforcement. Meanwhile, the National Center for Missing and Exploited Children says that although rival payment platforms like PayPal provide the the center with tips about potential child abuse facilitated by their services, _Forbes_ writes, “Block hasn’t provided any tips, ever.”

The US Treasury Department this week said US financial institutions facilitated ransomware payments totaling nearly $1.2 billion in 2021—a 200 percent increase since 2020. The report landed amid an international White House summit aiming to combat the rise of ransomware, a type of malware that allows attackers to encrypt a target’s files and hold them for ransom until the victim pays. Himamauli Das, acting director of the Treasury Department’s Financial Crimes Enforcement Network, said in a statement that “ransomware—including attacks perpetrated by Russian-linked actors—remain a serious threat to our national and economic security. While $1.2 billion in payments is already painful enough, the number does not take into account the costs and other financial consequences that come with a ransomware attack outside of the payment itself.

TikTok Admits Staff in China Can Access Europeans’ Data

Stadiums around the world, including at the 2022 World Cup in Qatar, are subjecting spectators to invasive biometric surveillance tech.

“Public safety is a longstanding justification for the spread of biometric surveillance systems, while Covid-19 introduced a health dimension through body-temperature monitoring,” Hutchins says. “Marketing speaks to a seamless consumer experience for attendees at high-profile and high-cost events and encompasses everything from ease of movement in and out of the stadium through to minimizing queues for toilets and food and drinks.”

Is the deployment of such systems inevitable? “The problem here is the idea that the rollout of such technologies and infrastructures are unavoidable and an increasingly ‘natural’ part of the stadium experience,” says Hutchins. He stresses the importance of “clear and visible notifications for spectators that such technologies are in use.” Most importantly, he advocates for the introduction of “strong legislative and regulatory safeguards governing the introduction and use of these systems and the control and use of data.”

Indeed, European lawmakers have been attempting to regulate biometric mass surveillance. In April 2021, the European Commission submitted a proposal for an EU regulatory framework on artificial intelligence. Currently, the European Parliament is forming its opinion on the proposal, while the European Council is due to discuss the file in early December.

“The European Commission’s draft AI Act recognized that biometric identification is an inherently risky technology but bizarrely put forward a prohibition in Article 5 that is so weak, if anything it amounts to more of a blueprint for how to conduct biometric mass surveillance than a genuine ban,” explains EDRi’s Jakubowska.

Although there hasn’t been a final vote yet, members of the European Parliament have supported a full ban on remote biometric identification in publicly accessible spaces, by both public and private actors, and are likely to adopt that final position. However, such a ban would not include emotion-recognition uses of biometric systems, nor biometric categorization (e.g. profiling people based on their age, gender, or ethnicity). “We think that those urgently need to be banned in the AI Act. Shockingly, in the vast majority of cases, the Commission’s text did not even make those uses high-risk,” says Jakubowska.

“There should be no exceptions to the ban, as even a supposedly narrow exception would mean that mass facial recognition infrastructure would be rolled out and primed to be switched on whenever it is deemed necessary,” she adds. By definition, these systems scan the faces or bodies of every person who passes by, so it is not technically possible to limit them to, for example, suspects or perpetrators of serious crime.

In the US, the Biden administration has proposed a blueprint for an AI Bill of Rights, which commentators consider toothless, as it does not contain clear prohibitions on AI deployments that have been most controversial, like the use of facial recognition for mass surveillance.

As Qatar prepares to roll out the red carpet, fresh reports suggest everyone traveling to the country during the World Cup will be asked to download two apps that, according to experts, essentially hand over all the information on your phone. They say this highlights the urgent need for privacy regulation in global sporting events.

“Without regulation, there is a tendency to hoover up all available data and hold on to it indefinitely—this creates ‘honey pots’ for hackers and also contributes to function creep: the temptation to find other uses for the data,_”_ says Hutchins.

“Law enforcement agencies should pursue the many other tools and techniques at their disposal and that are compliant with the rule of law and human rights, rather than resorting to the use of technologies that have been widely condemned by civil society, human rights lawyers, and even UN human rights authorities,” says Jakubowska.

“Once these tools are out there, governments will argue that they should be used widely,” she summarizes. “It’s a gateway to mass surveillance.”

Source

Wired