SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 243: Protections, Passwords, and Kids

Posted on August 19, 2021

On this week’s Checklist:

A “jumbled” message

On last week’s Checklist, we discussed Apple’s Expanded Protections for Children. For those who missed it, the company plans to implement a number of new features designed to keep kids safe, including on-device scanning for child sexual abuse material (CSAM). 

The goal is laudable, but not everyone is comfortable with the changes — especially privacy advocates. The biggest concern is that with CSAM scanning, Apple appears to have baked a backdoor into its own OSes (something that the U.S. government has been wanting for years).  

This week, Apple VP of Software Engineering Craig Federighi spoke about the issue with Joanna Stern of the Wall Street Journal. He said that in his view, the message had been “jumbled”, and wished it “had come out a little more clearly for everyone …”.

However, some worry that Apple still isn’t addressing the real concerns of privacy advocates, which is not, and has never been, “Apple is scanning your pictures”.

How does CSAM detection work?

Before getting into specifics, let’s look in more detail at how Apple plans to spot CSAM on people’s devices. The official Apple name for the technology is NeuralHash. NeuralHash is based on cryptographic hashing, which sounds complex, but is actually pretty straightforward. In this case, all it really means is that before an on-device image is uploaded to iCloud, Apple will use a specialized algorithm to convert it into a very large number, which is known as a “hash value”. That number is then compared to a list of hash values corresponding to known CSAM files. If there’s no match, the image gets uploaded to iCloud, along with an attached “safety voucher” that stores the result of the matching test and some other data in an encrypted format.

OK, you may ask, but what if the algorithm takes an innocent, non-CSAM image, and spits out a hash value that just so happens, by sheer coincidence, to match the hash value of an image in the CSAM database? 

In cryptography, this is known as a “collision”. And in fact, one researcher claims to have produced collisions using a reverse-engineered version of NeuralHash (based on older versions of iOS).

Apple, however, has already responded to this. According to The Verge, Apple says that its CSAM scanning system was engineered “with collisions in mind”. For this reason, NeuralHash isn’t the only cryptographic tool involved. The company explained to reporters that there is also a “secondary server-side hashing algorithm, separate from NeuralHash” that will be used to double-check collisions in order to prevent false positives. 
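To make the collision discussion concrete, here is a constructed two-stage matching model, added for this write-up and not Apple's code: a deliberately short primary hash stands in for the on-device hash, and an independent full-length secondary hash plays the role of the server-side double-check that rejects coincidental matches. Both hash functions, the sample "images" and the blocklist are assumptions built for the example.

```python
import hashlib

# Constructed two-stage matching model of the pipeline the show notes describe:
# a primary hash compared to a list of known hashes, then an independent
# secondary hash to reject collisions. Neither function is Apple's NeuralHash
# or its server-side algorithm; both are illustrative stand-ins.

def primary_hash(image: bytes) -> int:
    # Deliberately small 12-bit space so coincidental collisions are easy to
    # observe; stands in for the primary hash whose collisions the text covers.
    return int.from_bytes(hashlib.sha256(image).digest()[:2], "big") & 0xFFF

def secondary_hash(image: bytes) -> str:
    # Independent algorithm with a full-length output, consulted only after a
    # primary-hash hit, modelling the server-side confirmation step.
    return hashlib.blake2b(image, digest_size=16).hexdigest()

def build_blocklist(known_images):
    # Map each primary hash to the secondary hashes of the known items that
    # produce it, so stage two can confirm a stage-one hit.
    blocklist = {}
    for img in known_images:
        blocklist.setdefault(primary_hash(img), set()).add(secondary_hash(img))
    return blocklist

def classify(image: bytes, blocklist) -> str:
    # "no_match": primary hash absent; "collision_rejected": primary hash
    # matched but the secondary hash did not; "match": both stages agreed.
    confirmed = blocklist.get(primary_hash(image))
    if confirmed is None:
        return "no_match"
    if secondary_hash(image) not in confirmed:
        return "collision_rejected"
    return "match"

def find_primary_collision(target: bytes, max_tries: int = 100_000):
    # Look for an unrelated input sharing the target's primary hash: the
    # coincidental false positive the text asks about. None if not found.
    wanted = primary_hash(target)
    for i in range(max_tries):
        candidate = b"constructed-innocent-image-%d" % i
        if candidate != target and primary_hash(candidate) == wanted:
            return candidate
    return None

if __name__ == "__main__":
    known = [b"constructed-known-item-A", b"constructed-known-item-B"]
    bl = build_blocklist(known)
    twin = find_primary_collision(known[0])
    print(classify(known[0], bl), classify(twin, bl), classify(b"holiday", bl))
```

The innocent look-alike passes stage one but is rejected at stage two, which is the false-positive control the text describes; a real system would of course use far longer hashes, so coincidental stage-one hits would be rarer than in this toy.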

The pushback continues

Privacy organizations, meanwhile, are continuing to push back against what Apple is doing. Fight for the Future and Electronic Frontier Foundation (EFF) have both released petitions calling on Apple to change course. Their concerns are based on the possible consequences of what Apple is doing — and certainly not on any “misunderstanding” of the technology itself.

Fight for the Future’s petition reads, in part: 

Apple is endangering children in abusive households by threatening to reveal sensitive information about a child or their friends to abusers, while simultaneously opening up a door for hackers and authoritarian governments to abuse us all.

Taking away the privacy and security of billions is not the way to combat child exploitation. Apple must immediately reverse course by dropping its plans and recommitting to never opening any sort of backdoor to monitor our communications.

And EFF says:

Mass surveillance is not an acceptable crime-fighting strategy, no matter how well-intentioned the spying. If you’re upset about Apple’s recent announcement that the next version of iOS will install surveillance software in every iPhone, we need you to speak out about it.

Interestingly, privacy organizations aren’t the only ones concerned about what Apple is doing. According to a Reuters report, Apple’s own employees are expressing their worries over company Slack channels as well! 

The T-Mobile data breach

Cellular carrier T-Mobile has suffered a data breach — and it’s a big one.

Hackers are selling the personal data of over 40 million people that was stolen from T-Mobile’s servers. The data is reported to include Social Security numbers, names and addresses, IMEI numbers, and other PII. The company says that the data belongs to current T-Mobile customers as well as “former or prospective customers who had previously applied for credit with T-Mobile”.

T-Mobile is suggesting that all of its customers change their account PINs, either online from their T-Mobile account area or by calling 611. The company has also set up a website that gives additional details about the breach and provides a number of precautions that customers can take. The site offers pretty standard post-breach advice such as changing account passwords, activating free anti-scam and anti-account takeover tools, and so on.

Beyond that, T-Mobile customers should keep an eye out for phishing emails that claim to be from someone at the company. Oftentimes, when there is a high-profile data breach like this one, the bad guys will take advantage of the situation by posing as a representative of the breached company. They send an email asking for personal details or financial information, supposedly in order to “help” the affected customer. But of course, it’s all just a scam.

In addition, T-Mobile users should take precautions against identity theft. The folks at Consumer Reports have put together a few specific suggestions. These include using credit freezes to make it harder for bad guys to open new accounts in your name, improving your password security, using two-factor authentication, and deleting old or unused accounts.

The kids are not all right

It’s almost a meme that “kids today” understand tech better than adults.

But a recent CNET piece suggests that this may not always be the case — especially when it comes to digital security and privacy.

The National Institute of Standards and Technology (NIST) conducted a survey of kids aged 8-18, and found that:

  • 87% of high school students use the same password for all of their apps and accounts
  • 45% of high schoolers share their passwords with their friends
  • 23% of younger (elementary) students share their passwords with friends

The NIST researchers suggest that kids may share passwords as a way to build friendship and trust. But whatever the reason, it’s a very poor cybersecurity practice!

Teaching kids about password security

We reached out to past Checklist guest Robert Speciale, an award-winning educator who runs digital literacy and cybersecurity programs for elementary and high school students.

Here’s what Robert suggests for helping kids make better password choices:

You can use a tool like howsecureismypassword.net and work with the child to show them visually the dangers of a password that is too short, or that doesn’t have symbols and such. As for older students, 8-10 year olds, teach them to take phrases in English and convert them to a password to help them remember it. For instance, a student can remember “Rock and Roll All Night”. Take that and simplify it to “Rk&R0la11Nit3”. Once they practice that a bit, they have a complex password…

Beyond the specifics, he also has some advice on how to communicate with young people:

Be sure to explain the “why” of it. It doesn’t help a young learner to just tell them, “Don’t write your password down!” Kids are curious, so it’s better to say, “Try and remember your password because if you write it down, someone can find it.” This is critical for younger learners, because if you build good habits early on, they’ll be fine. And this applies to all things password related. Don’t just tell a child that they need symbols and numbers. Tell them why — and make it a learning opportunity.

It isn’t always easy to keep our loved ones safe online. But one thing that we keep coming back to, whether it’s educating kids about cybersecurity or helping them deal with threats like cyberbullying, is the fundamental importance of communication. If you want to help your children improve their password security (or just about any other aspect of digital security and privacy), you really need to talk to them about it — and let them know that they can always talk to you when they have a question.

That brings us to the end of this week’s Checklist. If you have a cybersecurity or privacy question that you’d like answered, write to us and let us know — we may answer it on a future edition of the podcast!
