Caveat 12.5.24
Ep 242 | 12.5.24

The intersection of gender, control, and harm.

Transcript

 

Pavlina Pavlova: I'd say it's universal, and it's getting worse because with better protection on one hand, and the more awareness about [inaudible 00:00:14] somewhere and how to deal [inaudible 00:00:16] somewhere, the threat actors are also devising tactics which specifically inflict harm on the targets, and they try to extort them more efficiently.

 

Dave Bittner: Hello everyone, and welcome to "Caveat," N2K Cyberwire's privacy surveillance law and policy podcast. I'm Dave Bittner. And joining me is my cohost Ben Yelin, from the University of Maryland's Center for Health and Homeland Security. Hey there, Ben.

 

Ben Yelin: Hello, Dave.

 

Dave Bittner: On today's show, Ben has the story of the Consumer Financial Protection Bureau trying to cut down on predatory data brokers. I've got the story of the FTC's new rule on fake consumer reviews and testimonials. And later in the show, my conversation with Pavlina Pavlova. She's a cybercrime expert at the UN Office on Drugs and Crime. We're discussing her research calling for a shift in the tech conversation to address gender-specific harms and promote safer, more inclusive digital environments. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice, or official advice on any of the topics we cover. Please contact your attorney. [ Music ] Alright, Ben. We've got a lot to cover this week. You want to start things off for us here?

 

Ben Yelin: Sure. So my article comes from Wired, frequent source of ours.

 

Dave Bittner: Yes.

 

Ben Yelin: And an article written by Andrew Couts and Dell Cameron. As you may have noticed, Joe Biden is still the president of the United States for at least the next -- as we record this -- 50 days or so.

 

Dave Bittner: But who's counting [laughs]?

 

Ben Yelin: Yes. And he and his government are trying to put their final stamp on agency policies.

 

Dave Bittner: Right.

 

Ben Yelin: Without Congress, that's basically all they can do. And one of the actions that his administration has taken comes out of the Consumer Financial Protection Bureau. I don't know if you remember this, but after the financial crisis of 2008, Congress passed the Dodd-Frank Act, and one of the provisions of that bill was the creation of the Consumer Financial Protection Bureau, housed under the Federal Reserve. It was a big kind of hobby horse of Senator Elizabeth Warren.

 

Dave Bittner: I was going to say, this was Elizabeth Warren's thing, right?

 

Ben Yelin: It was her idea, and she kind of led an informal version of this in the early years of the Obama administration, before this was codified into law. This is her baby.

 

Dave Bittner: Right.

 

Ben Yelin: And the CFPB is proposing a rule that would allow regulators themselves to police data brokers under the Fair Credit Reporting Act, which is a really interesting device that they're using here to police predatory data brokers. So Fair Credit Reporting Act dates back to 1970, signed under President Richard Nixon, who signed a surprising amount of progressive legislation.

 

Dave Bittner: Yes. I guess -- yes [laughs].

 

Ben Yelin: He was kind of forced to do it, because he had a very Democratic Congress.

 

Dave Bittner: He was. I guess what I'm going for is just, like, it's an interesting window back onto how different things were in terms of what was considered, you know, very progressive, and you know, the possibilities that were available back then. It was bipartisan stuff, yes.

 

Ben Yelin: It was a different time. I mean, he signed the act that created the Environmental Protection Agency.

 

Dave Bittner: Right. Right.

 

Ben Yelin: I'm not sure you would see a Republican president do that these days.

 

Dave Bittner: Right. Yes. Interesting.

 

Ben Yelin: I digress.

 

Dave Bittner: Yes.

 

Ben Yelin: So this proposal would treat data brokers like credit reporting agencies. So there are all these restrictions on what credit reporting agencies can do with sensitive data. So for example, credit reporting agencies are required to obtain separate explicit authorization for acquiring or sharing people's credit information rather than burying permissions in expansive legal documents. These types of legal documents are the kinds that nobody reads. An average person is unable to parse those. So basically you'd be taking that standard where credit reporting agencies have to get explicit authorization to obtain certain types of personal data. So Social Security numbers. Basically any type of PII. Phone numbers, financial data and credit scores. They have to get separate authorization to sell that on the open market.

 

Dave Bittner: The data brokers.

 

Ben Yelin: The data brokers.

 

Dave Bittner: Yes.

 

Ben Yelin: So this comes as very bad news for the data brokers, because this data is very valuable. They make a lot of money off of it, selling it to companies, in some cases to governments. So there has been some pushback, and we're going to go through a notice and comment period where the industry is going to have an opportunity to complain about this rule through the notice and comment process for the agency. The head of the Consumer Financial Protection Bureau, Rohit Chopra, says that this will curtail practices that threaten our personal safety and undermine America's national security. So there is kind of an interesting national security angle to this. So Chopra has pointed to recent attacks on our telecommunications system, which had been attributed to China, which kind of emphasizes the need to enhance the protection of our personal data from getting into the hands of foreign rivals, because our adversaries, even though they're pretty good at hacking our data, may not even need to do that. Data brokers, if they are allowed to obtain this personal data, could just sell them to the highest bidder and oftentimes the highest bidder are our foreign adversaries. So it would be a good regulation to have to prevent our personal data from being given to these malign foreign entities. So I guess the natural question here is what happens post-January 20th when we have a change in administration?

 

Dave Bittner: Yes.

 

Ben Yelin: How does this survive DOGE, the Department of Government Efficiency, which will be co-chaired, as any efficient commission is done, by two people: Elon Musk and Vivek Ramaswamy.

 

Dave Bittner: I might point out I saw someone comment this past week that this is the committee that is designed to eliminate unelected bureaucrats which is being run by a pair of unelected bureaucrats.

 

Ben Yelin: Exactly. I think you can list the hypocrisy here. But let's play ball! I mean, he won a role in government, and he was a major participant in president-elect Trump's campaign, and Trump has rewarded him with this kind of weird position that he's taking. I don't know how much DOGE is actually going to do. Whether Congress is going to have their say in addressing the recommendations. I mean, they are not a government agency.

 

Dave Bittner: Right.

 

Ben Yelin: There are ways that Trump could try to implement portions of their findings without congressional approval, but ultimately, all this will have to go through Congress.

 

Dave Bittner: It will be easy to see that members of Congress could have resentment towards this group, right? Like who the heck are you?

 

Ben Yelin: Sort of.

 

Dave Bittner: [laughs] -- yes.

 

Ben Yelin: I think that would have been true in the past, but members of Congress are more loyal to their own party these days than they are to their own institution. And that's true in both parties, and it's kind of the sad reality. It used to be that there were major battles over regulatory authority between Congress and the executive branch. And there still are, to some extent. But even just looking at some of these Trump nominees, you get quotes from Republican senators being like, I don't know. I don't really know what he's doing, or who this person is. But if President Trump says it's a good idea, it's a good idea. And so I think that's more of the attitude than let's try to reclaim our authority. Now there are some people who genuinely care about congressional authority over regulatory affairs. I don't want to disparage those people, but I think they constitute a minority. All this is to say that Elon Musk has complained publicly that the Consumer Financial Protection Bureau is wasteful and should be on the chopping block. And there are a lot of his allies on both Wall Street and Silicon Valley who believe that this agency shouldn't exist. That it's corrupt, that it improperly interferes in the free marketplace, and that it should be on the chopping block. So we don't only have to deal with the threat that eventually the Trump administration could reverse this regulation. And we'll talk about ways that they could do that, but also that this entire agency may not exist. And I think that's within the realm of possibility. Republicans will have an opportunity when they assume control to pass some type of reconciliation bill, which is not subject to the filibuster in the Senate. And if there are federal agencies that they want to eliminate, that would be the opportunity to eliminate them. And I certainly see the Consumer Financial Protection Bureau being on that list. The other thing to take note of here is the late date of this regulation. 
So this regulation at best will be finalized just as President Biden is leaving office. And there's this thing called the Congressional Review Act, where within a certain number, I think it's 50 legislative days, Congress by a majority vote can vote to overturn a recently passed regulation. This is rarely used, because the president could always just veto it. So if this happened in any other time period, Biden would say no, I passed this regulation. I'm going to veto your resolution seeking to overturn this regulation. Can't happen once Trump is president. He would sign a Congressional Review Act resolution.

 

Dave Bittner: Right.

 

Ben Yelin: Overturning this regulation.

 

Dave Bittner: So there's a timing element here.

 

Ben Yelin: Exactly. Yes. And so this would certainly fall within that time period. So to use a Simpsons meme, I think of Ralph Wiggum saying, I'm in danger. [ Laughter ] And picture the Consumer Financial Protection Bureau and Rohit Chopra saying that same thing in reference to this regulation.

 

Dave Bittner: It's interesting to me as I was reading through this, that the Consumer Financial Protection Bureau, the way that they have phrased this is that these data brokers are evading the authority of the Consumer Financial Protection Bureau. That they don't seem to think that they fall under the jurisdiction of the CFPB, and a point of this rule is to clarify that and say no, you actually do. You are under our jurisdiction. I found that was an interesting, I don't know, nuance?

 

Ben Yelin: Yes. I mean I think it is -- I don't want to say a strained interpretation of the Fair Credit Reporting Act. This would apply to data brokers. But it's a novel interpretation of that act.

 

Dave Bittner: Okay.

 

Ben Yelin: If it were not for kind of these other avenues to throw this potential regulation in the trash can, mainly the Congressional Review Act, or just eliminating the entire agency, I think you would see litigation here, where you'd see a challenge of the CFPB's authority to regulate data brokers in this manner. And I don't want to get into this, but then we run into Chevron problems.

 

Dave Bittner: Oh yes.

 

Ben Yelin: Now that the Chevron case has been overturned, the agency doesn't have deference to give its own interpretation to past statutes. So for the court, they would have to fully adjudicate whether the Fair Credit Reporting Act extended to cover data brokers. And depending on which judge you draw, or where the lawsuit is filed, it could be a chance that a judge would say absolutely not. This doesn't conform with the original purpose of the Fair Credit Reporting Act. These are not credit reporting agencies; there's no real valid analogy there. So again, another reason why this regulation which seems good to me. I mean, I think we need a way to regulate data brokers. They've gotten out of control over the past several years. It seems like the regulation's in a lot of trouble from a lot of different directions.

 

Dave Bittner: It does seem common sense that your Social Security number should not be for sale.

 

Ben Yelin: One would think so.

 

Dave Bittner: [laughs] and yet --

 

Ben Yelin: And yet it is.

 

Dave Bittner: [laughs] right. I suppose it's --

 

Ben Yelin: It's not just your Social Security numbers too. It's -- you could really build a dossier on a person. And one of the things they note in this article is sometimes this is anonymized data. So you just collect a bunch of numbers, and you can't, at least on first blush, connect those numbers to a person. But this is becoming, as technology improves, becoming a lot easier to de-mask people, and we've talked about this a million times. If we see somebody who's gone from Dave's house to Dave's office, and obtained their location, I think we can pretty safely say it's Dave.

 

Dave Bittner: Yes. I wonder how much also there's a valid -- the horse has left the barn argument here. That because -- I think it's fair to see that you or me or anybody, you know, with probably a half an hour sitting down with Google, could find just about anybody's Social Security number if we really wanted to. So if that information is out there, and so widely available, and so ubiquitously duplicated here there and everywhere, is there any hope of reining it back in in a meaningful way? I don't know the answer to that.

 

Ben Yelin: I don't know the answer to that either. I think there would be a way to do it. I don't think -- maybe this is just my pessimism at the moment. I don't think this is the regulation that's going to have that effect, just based on the timing of it all, and the fact that this is being proposed by an outgoing administration at ideological odds with the incoming administration.

 

Dave Bittner: Right; right. So it's like, nice regulation. Isn't that adorable?

 

Ben Yelin: Look at this beautiful trash can. I'd hate to see this regulation being shredded and put right in that recycling bin. But sometimes that has to happen; so.

 

Dave Bittner: Yes. I guess it's the way of things. I mean, you know, the new administration gets to do their thing.

 

Ben Yelin: As they say, elections have consequences.

 

Dave Bittner: Yes. There you go.

 

Ben Yelin: And the winner gets the spoils. So this is part of that. You get to control the regulatory state for four years.

 

Dave Bittner: Right, right. Alright. Interesting. Well, we'll have a link to that story in the show notes. My story is similarly about regulatory actions from a federal agency. This one is from the Federal Trade Commission. And they have a new rule on fake consumer reviews and testimonials. So I don't know, Ben, how much shopping you do online. I think it's fair to say as we're coming into the holiday season here that certainly in my family, the vast majority of the holiday shopping is done via Amazon and other online [inaudible 00:15:31].

 

Ben Yelin: Yes, we're recording this the day after Cyber Monday, and let's just say some dollars were spent.

 

Dave Bittner: Yes.

 

Ben Yelin: I'll leave it at that.

 

Dave Bittner: Right; right. But you know, one of the ways that you can look to see if something is worth buying is to look at the reviews. But more and more, those reviews are either fake or paid for, or these days, generated by AI. And this rule from the FTC is looking to tamp down on that, basically they're saying that you cannot do this. You cannot have fake reviews. You can't have fake testimonials. You can't have incentivized sentiment. So paying someone to have a five-star review, that sort of thing. You have to disclose any relationships for insider reviews or testimonials. And you can't have your -- the people in your company solicit undisclosed reviews from employees or relatives. You can't have your family -- you know here's the review. Five-stars on the "Caveat" podcast from Dave's mom, right? You can't do that. And then also --

 

Ben Yelin: I'll take any five-star review, even if they're fake, so. Maybe we have an exception [inaudible 00:16:50] just for this podcast.

 

Dave Bittner: Sure. I understand. Our egos are fragile enough. We'll take it. It doesn't matter. We'll take it, whatever it is, right? Right. And then sort of the flip side of that, you're not allowed to suppress negative reviews, you know, through intimidation or even legal threats and things like that. So interesting move from the FTC. What do you make of this, Ben?

 

Ben Yelin: One area at least in my own life that I've really seen this become a problem is short-term rentals. Things like Airbnb, VRBO, that sort of thing where all the reviews are positive. And I've had experiences where the owner of that property will reach out after you stay there and say, if you've had any problems with this, with this house or this apartment, please let me know privately, and we will address those problems. We might even give you some money back. Do not put it in a public review. Give us a five-star review. Like, we will address your concerns in another way.

 

Dave Bittner: Yes.

 

Ben Yelin: And then you look at all the reviews prior to staying at a place, and they're all five-star reviews. And you get there, and it's like oh. The toilet doesn't work. And the rooms are much smaller than they appeared to be in the picture. So this is a real problem. I'm really glad the FTC is trying to address this with penalties to deter this type of misconduct. I'm curious to see how this will work in practice. There are a lot of edge cases. Like what if we went and convinced our friends who had not listened to this podcast to give us a five-star review.

 

Dave Bittner: Right.

 

Ben Yelin: They're not being paid to do so necessarily, but they also -- it isn't a genuine review. They haven't actually listened to our podcast. What if they did so without disclosing the relationship. Would that be a violation? Are you going to fine people's friends for leaving positive reviews on their friends' businesses, podcasts, et cetera?

 

Dave Bittner: Yes.

 

Ben Yelin: I don't know how that's going to work in practice. I think it's a really good idea. It is important for consumers to have accurate information. In order to get that, you need to have rules in place that don't punish people for leaving negative reviews, don't provide financial incentives for positive reviews. Don't use fake people, artificial intelligence to generate positive reviews. It would be better for all of us. So I hope this regulation survives. I hope they can figure out a way to make it workable. Kind of just like our previous story, you could foresee a circumstance where the Trump administration came in and said yes, this should be on the chopping block. Like this is not -- this is too much of a burden on businesses. This doesn't align with our goal to reduce federal regulation. So who knows whether this survives? I think it's a valuable rule. I'm curious to see how it works in practice.

 

Dave Bittner: Yes. I had a thing recently where there was something I purchased on Amazon that failed, you know, just a few weeks after my purchasing it. It was an electronic device. And so I left a review, and immediately the seller reached out and said, we're going to refund your money. We're going to send you a replacement, and sort of alluded to we hope you'll do the right thing here.

 

Ben Yelin: Yes [laughs].

 

Dave Bittner: [laughs] right?

 

Ben Yelin: I'd hate to see what would happen if that review stayed up. Yes.

 

Dave Bittner: Right. But you know, hey, that is a way to get on my good side, right? Give me my money back. Essentially make the thing free. Send me another one, and wish me well.

 

Ben Yelin: Not to name names here, but Amazon basically does that on a large scale. Like you could say this shirt I bought, it's like -- doesn't quite fit right. You can give them literally any reason.

 

Dave Bittner: Yes.

 

Ben Yelin: It's not soft enough. It's not coarse enough. And they will accept a return. They will refund you money no questions asked.

 

Dave Bittner: Yes.

 

Ben Yelin: Yes. I think that's in part good customer service. But in part a way to avoid the harm of negative reviews, which all these companies are justifiably scared of.

 

Dave Bittner: It's interesting to me that reading through the regulation from the FTC, certainly I guess the press release on the regulation, which is pretty detailed, it doesn't appear as though they're going after the platforms at all. So it doesn't seem like Amazon's on the hook for hosting the fake reviews. It's the actual writers of the reviews, and the solicitors of the reviews that are in peril here.

 

Ben Yelin: Yes. I mean, I think that makes sense. If you take the kind of Section 230 view here that these are just platforms. This is just a venue for writing reviews. They don't have any sort of regulatory responsibility here. I think that makes sense.

 

Dave Bittner: Yes. One thing I'll note before we wrap this part up, it struck me that the press release from the FTC is written in a decidedly non-governmental way. It's refreshing, actually. I think we've been seeing more and more of this lately.

 

Ben Yelin: Agencies should do that more. I mean, it's like it's a way to get attention, to not just -- the way press releases are written. It's like they're not even in English. Normal people can't understand them. It's all jargon.

 

Dave Bittner: Right.

 

Ben Yelin: So it's nice to see somebody writing as if they're an actual human being.

 

Dave Bittner: So I'm going to read the last two paragraphs of this press release. It says this; it says, we mentioned generative AI earlier, and you may be thinking, to paraphrase Tina Turner, what's AI got to do with it? The rule doesn't specifically refer to AI, so do these prohibitions cover situations when someone uses an AI tool to generate the deceptive content of an issue? Of course they do. To paraphrase ourselves, there's no AI defense to the regulations on the books. One last rhetorical question, is this new rule going to sit on the proverbial bookshelf and collect dust? You better believe it won't. The FTC will look to use it when applicable to go after those who employ these prohibited practices to hoodwink consumers and get an unfair leg up on their competitors. No honest business should be worried about the rule, as it only reflects what we believe is already illegal under Section 5 of the FTC Act. If you're a dishonest business and don't want to give our new rule five stars, that's okay. We guarantee you won't be getting a good review from us either. Little less snark from the FTC.

 

Ben Yelin: Maybe they hired some writers. Maybe during last year's writer's strike in Hollywood, the FTC was like hey, we can't write this out, and you're looking for a different job, come join our fun federal agency.

 

Dave Bittner: Right.

 

Ben Yelin: And work out your writing talents here.

 

Dave Bittner: Could also be a bunch of regulators who know that they're on their way out.

 

Ben Yelin: Yes. So what the heck. They're in eff it mode.

 

Dave Bittner: [laughs] right. We'll go down in a blaze of glory.

 

Ben Yelin: Yes.

 

Dave Bittner: That's funny. What do you think of that, Ben? Do you -- I mean, like, what do we think the FTC's odds are of success?

 

Ben Yelin: There isn't any explicit opposition to this that I've seen. Unlike our first story where Elon Musk is -- who's going to have a prominent role in the administration -- has already said the entire agency shouldn't exist. We don't see that here.

 

Dave Bittner: Alright.

 

Ben Yelin: Is this the kind of thing that's going to get on Donald Trump's radar himself? Probably not.

 

Dave Bittner: Yes.

 

Ben Yelin: So I think the prospects are a little bit better. On the other hand, you will have an administration that's generally hostile to consumer protection regulations. Just because they are a more business-friendly administration. At least that's what they were the first time they were in office. So I'd say if I had to give odds, this one's more of a 50-50 where our previous story was more of a 90-10 against that regulation surviving.

 

Dave Bittner: Yes. I just wonder about the scale of it. I mean, you just think about all the reviews in places like Amazon and how do you even come at that, you know?

 

Ben Yelin: Yes.

 

Dave Bittner: At that scale.

 

Ben Yelin: It's hard, because they're going to be like review police.

 

Dave Bittner: Right.

 

Ben Yelin: And I'm sure it's going to be done based on complaints.

 

Dave Bittner: Yes, okay. That makes sense.

 

Ben Yelin: But then there could be complaint trolling, right? You could get rival companies, just like they do with the patent process, going in and saying, like, look what my rival did! He's soliciting positive comments. And it's like you're doing the same thing. I don't know [inaudible 00:25:26] potential for that type of abuse.

 

Dave Bittner: See folks who masterfully come up with ways to skirt the line, right?

 

Ben Yelin: Yes.

 

Dave Bittner: Walk right up to the edge of the line of what the FTC [inaudible 00:25:37].

 

Ben Yelin: Figure out where the line is --

 

Dave Bittner: Yes.

 

Ben Yelin: Yes. Don't cross it, but get right up there on the edge.

 

Dave Bittner: Yes. Yes. Alright, well, we will have a link to that press release from the FTC in our show notes. And of course we would love to hear from you if there's something you'd like us to consider for the show. You can email us. It's caveat@N2K.com. [ Music ] Ben, I recently had the pleasure of speaking with Pavlina Pavlova. She is a 2024 New American Share the Mic in Cyber Fellow and she is also a cybercrime expert at the UN Office on Drugs and Crime. We're discussing some of her research that calls for a shift in the tech conversation to address gender-specific harms and also promote safer, more inclusive digital environments. Here's my conversation with Pavlina Pavlova.

 

Pavlina Pavlova: First of all, thank you very much for having me. And for me, this research is very close to my heart, because as a practitioner, I've been covering a [inaudible 00:26:50] range of [inaudible 00:26:51] cybersecurity efforts and policy. And also cybercrime initiatives. And what I've seen is how gender can be a very strong factor in how [inaudible 00:27:03] impacts is to harm [inaudible 00:27:06] inflicted on people. And at the same time, I saw that while there is better recognition of this problem, there is still -- what is still happening in policies and in practice is the very bare minimum, which is not enough for the victims who are targets who are being impacted by these crimes and threats online. So we need bolder actions [inaudible 00:27:32] prevention and remedy. And this inspired the research.

 

Dave Bittner: Well then, let's talk about the range of crimes that we're talking about here. What sort of things did you look into?

 

Pavlina Pavlova: I looked into a whole range of crimes. And this makes the research very unique, because it covers both data weaponization and it covers -- the key question is why some impacts are gendered. So I look on gender data, gender control, [inaudible 00:28:05] and access. And it goes to very different crimes, from ransomware against parts of critical infrastructure, especially healthcare services, to the use of surveillance by individuals and by states. And also image-based offenses such as non-consensual sharing of intimate images. But also organized defamation and disinformation against women online.

 

Dave Bittner: And so tell us about the research itself. What was the methodology that you went here and what were you hoping to establish?

 

Pavlina Pavlova: Absolutely. The methodology is about looking into the cases which are available through the lenses of the [inaudible 00:28:54] practice. And this methodology has been used because we still don't have enough of quantitative data to see the large-scale findings. So what we can do is to look into specific cases and testimonies of the targeted organizations and victims to see what were the impacts and how was the tactics behind the attacks? Who were the attackers? How the harm unfolded, and how it also extended through different extortions and multiple extortions.

 

Dave Bittner: Well, can you share any specific stories with us?

 

Pavlina Pavlova: Absolutely. There are so many. I must say that what surprised me the most is definitely how vicious the attackers can be. I recall especially a very illustrative case which was disclosed in February 2023, when [inaudible 00:29:53] speaking on [inaudible 00:29:54] group known as Black Cat, attempted to extort a healthcare network in Pennsylvania. And how did they do it? By publishing photographs of [inaudible 00:30:05] cancer patients taken during radiation therapy. And there was another attack, again healthcare facilities with another actions [inaudible 00:30:15] similar group [inaudible 00:30:16] leaked sensitive medical data [inaudible 00:30:19]. And this sensitive data included a spreadsheet listing hundreds of patients alongside a billing code, related to [inaudible 00:30:29] terminations as non-viable pregnancies, miscarriages. And the data sorted patients into good and naughty based on the trimester during which the abortion occurred. So this case has totally shaken me.

 

Dave Bittner: Yes. I mean, it's horrible. What do you take away from this in terms of the operators themselves? I mean, how universal is this level of -- I don't know, coldness, this lack of empathy?

 

Pavlina Pavlova: I think it's universal, and it starts to -- it's getting worse, because with better protection on one hand, and with more awareness about ransomware and how to deal with ransomware, the threat actors are also devising tactics which specifically inflict harm on the targets. And they tried to extort them more efficiently, which means like, [inaudible 00:31:35] harm. And at the same time, we also see from going from traditionally financially motivated [inaudible 00:31:45], we see that the attackers now have many motivations. They can be ideological motivations. They are oftentimes state-affiliated. So it's becoming a very blurred line between cybercriminal groups and state-affiliated actors and what are their motivations? And these can intersect and be multiple at the same time.

 

Dave Bittner: You know, there are rules of armed conflict and you know, just even thinking about simple things like, you know, you're not supposed to -- or you agree not to attack hospitals for example. We're not supposed to attack civilians and civilian infrastructure and so on. It seems to me like when it comes to the folks who are harboring these cybercriminals, they're not putting any pressure on them to stay away from these sorts of tactics. Is that an accurate perception on my part?

 

Pavlina Pavlova: I would say it's not only about staying away from tactics. I think they are supporting these tactics by not [inaudible 00:32:53] measures, at least. So it's definitely -- the problem is definitely growing. And we see that while there are norms of behavior, and there are cybercrime -- there is cybercrime legislation in place, it's still not enough. The cooperation is not enough, and also importantly political will of the countries which are harboring cybercriminal groups is simply not there.

 

Dave Bittner: How much of this is an issue of there not being enough women or affected individuals -- I know for example, your research also looks into the experience of LGBTIQ-plus people. That they're not represented at the table to raise the flag, to turn on that warning light to say these things are happening and we need to be aware of it.

 

Pavlina Pavlova: I think on one side, there's a growing recognition. But what is happening when it comes to practice, and I've seen -- I am participating both in international cybersecurity negotiations and the United Nations, and cybercrime negotiations. And what we observe is that while there is [inaudible 00:34:12] regional recognition of gender as important factor, it comes down to federal states which block the consensus documents. So they block the recognition on gender equality comes into these documents fully. But also at the same time, when it comes to specific impacts, as I also speak about [inaudible 00:34:35] critical infrastructure, how they intersect with gender norms, and how this gender-specific data is being misused. When it comes to this part of evidence, and we are now coming back to what was intimidation for [inaudible 00:34:50] in the first place, I see there is not enough evidence yet. There is not yet enough strong evidence, and understanding also how these groups [inaudible 00:35:00] groups are targeting women and [inaudible 00:35:07] online, and to what consequences. So my aim is with this report to start growing this recognition of this is the problem. This is the first evidence. And this is what we need to do next. Especially aggregate more data so we understand the problem, and we could also measure what is the factor of gender in these crimes and these attacks?

 

Dave Bittner: What do you suppose some potential solutions are? As you look towards the future, what are some of the changes you would love to see made here?

 

Pavlina Pavlova: On the policy level, what I find very important is to integrate gender considerations into cybersecurity policies and cybercrime frameworks. It's absolutely critical policymakers incorporate gender and also [inaudible 00:36:00] analyses into legislation and into the capacities and practice to address the liabilities we are seeing on the ground. At the same time, there's definitely need to strengthen victim support and reporting mechanisms. We still don't have enough, and we don't have enough crimes which are for example very specific to women, such as non-consensual disclosure of intimate images, for example. So governments and also civil society organizations must be more robust and accessible support structures for victim of gender [inaudible 00:36:40]. And this includes establishing online reporting channels, specialized help lines, which we always see these things, but it's a patchwork of solutions, and many times, there is not enough awareness about cybercrime legislating or at least the protection. What is the remedy? And what are the organizations that we can turn to?

 

Dave Bittner: Are you sensing that there is growing political will to see these things through?

 

Pavlina Pavlova: I do believe that. I do believe that, especially from some countries. I see [inaudible 00:37:19] for example. I've been cooperating with Belgium both to the international cybersecurity negotiations. The question of victim-centered approach. So to focus the attention also on the victims, not on the infrastructure as these issues are usually handled. So over the past years, I definitely see the shift to more human-centric and victim-centric [inaudible 00:37:47] which helps to incorporate also gender-sensitive and gender-responsive policies. But at the same time, it's not enough.

 

Dave Bittner: So I know you've gathered some statistics and facts about the degree to which women are affected by this. Can you share some of those for us?

 

Pavlina Pavlova: When I came across [inaudible 00:38:08] searching is also how much by women themselves is perceived as a problem, that their data is weaponized and they're harassed online through this. So for example, [inaudible 00:38:20] of American women, according to Anti-Defamation League, compared with 14% of men attributed online harassment that they experienced to their gender. And at the same time, women in Europe were 27 times more likely to face harassment online than men. So we see how much there is a problem, especially like image abuse online, because there we see compounds of harassment which is [inaudible 00:38:55] and it's way more harassment and abuse and tracks than we see on the other types of content and content related to men. And one thing when it comes to deep fakes, which also featured quite heavily in this election campaign in the US, is a study coming from 2023 by Security Hero, which says that 98% of deep fake videos online are pornographic. And 99% of those target women. So we see that we have a problem with deep fakes, and it's not a neutral technology or a neutral application, how they are being created in a sexualized way, and that they impact women specifically. So when we want to protect women online, it also means that we need to protect them proactively through technology design, and what is made available by the application, and how this content can be monetized at the same time. [ Music ]

 

Dave Bittner: Ben, what do you think?

 

Ben Yelin: Yes, I think that's a really important topic. I think this entire space needs to be more welcoming. It's been traditionally kind of male-dominated, present company included.

 

Dave Bittner: Right.

 

Ben Yelin: So I think this is really promising, and just a really interesting conversation.

 

Dave Bittner: Yes, I really appreciate her reaching out and taking the time for us. I really enjoyed the interview. Really good stuff. So again, our thanks to Pavlina Pavlova for joining us. We do appreciate her taking the time. [ Music ] And that is "Caveat," brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@N2K.com. We're privileged that N2K's Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 400 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn how at N2K.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Trey Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yelin: And I'm Ben Yelin.

 

Dave Bittner: Thanks for listening. [ Music ]