Leggo qui che

HTML5 added a “feature” to the web called hyperlink auditing. You can read the specification from the Web Hypertext Application Technology Working Group (WHATWG). Hyperlink auditing is added to a web page via
the ping attribute on an HTML anchor element (<a>), i.e., a link.

Notice that when you hover over the “Ping Me” link, you only see the href URL, you don’t see the ping URL, so you don’t even know that the attribute exists unless you look at the HTML page source. When you click the link, it loads the page http://lapcatsoftware.com/ as expected. But it also sends an HTTP POST request to http://underpassapp.com/ without any visible indication to the user.
You can only see it if you do a packet trace. It should come as no surprise that the primary usage of hyperlink auditing is for tracking of link clicks.

Firefox disables hyperlink auditing by default, as explained in a knowledge base article. You can see this if you open about:config and look at browser:send_pings.

Prior to Safari 12.1, you could disable hyperlink auditing with a hidden preference:

defaults write com.apple.Safari
com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled
-bool false

Unfortunately, this no longer works in Safari 12.1. […]

I’ve been informed that chrome://flags#disable-hyperlink-auditing is now missing from the Google Chrome betas, even though it still exists in the current non-beta version. The flag was removed from the source code a little over a month ago.

In sintesi: quando clicchi su un link in pratica è come se cliccassi anche su un altro, senza poterlo sapere, a meno di non guardare il codice sorgente della pagina. In questo modo stai dicendo – a tua insaputa – ad un altro cosa stai facendo.

Firefox disabilita questa funzione per default; in Safari si poteva disabilitare ma adesso non più; in Chrome (e derivati, come Brave), per adesso si può disabilitare ma pare non si potrà più.

Bottom line: meno male che Mozilla c’è.

Share now →

This is a point I raised today at the HLEG on AI of the EC (High-level Expert Group on AI of the European Commission)

Like we have the principle of “privacy by design” for systems managing personal data, we should have a principle of “redress by design” for systems based on AI which take decisions that can affect people’s lives.

The basic consideration is that a perfectly functioning AI system will make wrong decisions. For example, a person could be denied a service because of a decision by an AI system.

Such a system is not deterministic like, for example, a speeding  camera can be: if you exceed the speed limit with your car, the speeding camera detects it and you get a ticket. You can appeal the ticket, but you’re guilty until proven innocent because a perfectly working (properly configured, certified and audited) deterministic system “decides” that you are guilty.

But with a perfectly working AI system,  as it is a statistical engine that necessarily produces probabilistic results, this decision might be right 98% of the times and wrong 2% of the times (it would be inappropriate to classify these wrong decisions as mistakes), meaning that in these 2%, the person is detemined to be guilty even when she is not (or cannot obtain a service, even if she has full right of obtaining it).

For the person, the wrong decision can generate spillovers, exceeding the scope of the decision itself, for example by generating social reproach, negative feedbacks online and other consequences that may spread online and become impossible to remove.

In these wrong cases (they can be false positives or false negatives), the appeal procedure may not exist or, if it exist, it may be ineffective, its cost may be excessive, it will not be accessible to all, it may require an excessive time or it will not rectify the above mentioned spillovers.

Redress by design relates to the idea of establishing, from the design phase, mechanisms to ensure redundancy, alternative systems, alternative procedures, etc. in order to  be able to effectively detect, audit, rectify the wrong decisions taken by a perfectly functioning system and, if possible, improve the system.

As an example of redress-by-design implementation, consider the recent EU Directive on copyright: an AI system will decide if a content is purportedly legitimate or is in violation of someone’s copyright.

A perfectly working filtering system will make mistakes and block the publication of some contents. Although overall the number of false positives may be small, the damage caused to these persons’ right to freedom of speech, for those persons will be total.

The details of the appeal procedure in the Directive are very scarce and it is likely that it will be implemented by member states in such a way that (willingly or unwillingly) will inhibit actual appeals. We are therefore not going to have an effective way of timely and freely correct wrong decisions and, even more, we will not gain a precise view of the actual precision of the systems.

A Redress-by-design alternative, for example, could have been granting uploading users the possibility of immediately oppose a decision to block a publication of a content, forcing its publication upon provision by the user of an indirect verification mechanism usable by a court. (pretty much like phone number verification by a messaging app or wifi splash page).

Share now →

Grazie Dr. Augias.

A giudicare dalla quantità di sottolineature e dal numero di giallini attaccati alle pagine, pare che abbia trovato un bel po’ di spunti interessanti…

🙂

Share now →

Riguardavo questo manifesto:

Era il 1990.

Nel 1987 si era tenuto a Milano l’IJCAI (International Joint Conference on Artificial Intelligence)

Mi sembrava che questo manifesto fosse dell’IJCAI ed invece era del Computational Intelligence del 1990.

Degno di nota il tutorial numero 6.

Ho poi notato una cosa che pare incredibile: Era il settembre 1990, erano tutti tecnologi internazionali di alto livello in un settore altamente innovativo (AI). Nel manifesto c’era un solo indirizzo email (il mio). E, nota nella nota, non c’erano i top level domains.

Un’era geologica fa.

Share now →

Secondo questo report citato da The Information.

In estrema sintesi dice che i dati su cui si basava l’affermazione erano inconsistenti ed insufficienti e che, se proprio, ci sarebbe una riduzione del 13% delle denuncie alle assicurazioni di danni per incidenti, ma…

had no statistically significant effect on other types of insurance claims, including property damage liability, bodily injury liability, claims under medical payment coverage, or personal injury protection claims

e che quindi, non si può affermare nulla con certezza.

Share now →

“l’hardware si rompe, il software nasce rotto” è una massima tirata fuori in una cena dal mio amico Mauro, quello che quando gli chiedi “quale è il tuo linguaggio di programmazione preferito ?” risponde “il saldatore”.

Zcash Bug Could Have Been Used To Create Infinite Tokens

la cosa è stata sistemata 8 mesi dopo che è stata scoperta.

non oso pensare cosa sarebbe successo se una simile notizia avesse riguadato un intermediario finanziario tradizionale.

l’idea che il software aperto sia ispezionabile e quindi sicuro, è fallace.

può essere _più_ sicuro, ma il software è insicuro. punto. anche se ci guardano molte persone competenti.

la sicurezza non esiste.

come dice sempre il mio amico Gigi (la gente che si occupa di security sa bene di chi parlo), la sicurezza è una emozione. sei sicuro quando ti senti sicuro. perchè i problemi possono sempre succedere e il rischio può essere mitigato ma non annullato.

per questo la sicurezza maggiore si ottiene con tecnologie, processi e persone (con valori).

sia per i momenti in cui le cose vanno bene che per quelli in cui le cose non vanno bene. shit happens. punto.

l’assenza di uno di questi fattori riduce il livello di sicurezza complessivo.

basta esserne consci, quando vi si rinuncia.

gli approcci fideistici non sono appropriati.

Share now →

con solo 2 mesi di preavviso.

pensa se lo facesse telecom…

sono sempre stato scettico su gFiber.

ho sempre pensato fosse piu’ che altro marketing regolamentare.

adesso penso che sia un segno di pressione sui ricavi pubblicitari.

Share now →

Dice un articolo appena pubblicato dalla University of California su Transport Policy:

Autonomous vehicles (AVs) have no need to park close to their destination, or even to park at all. Instead, AVs can seek out free on-street parking, return home, or cruise (circle around). Because cruising is less costly at lower speeds, a game theoretic framework shows that AVs also have the incentive to implicitly coordinate with each other in order to generate congestion. Using a traffic microsimulation model and data from downtown San Francisco, this paper suggests that AVs could more than double vehicle travel to, from and within dense, urban cores. New vehicle trips are generated by a 90% reduction in effective parking costs, while existing trips become longer because of driving to more distant parking spaces and cruising….

Conferma ciò che scrissi sei+ mesi fa:

Parcheggi ? dove andiamo noi non servono parcheggi!

…Piu’ la città è congestionata minore è la velocità commerciale, maggiore è il numero di ore che l’auto può guidare al costo. Se la velocità commerciale scendesse a 8mi/hr (nei giorni di traffico la velocità media è 9mi/hr), un’ora di parcheggio costa come la benzina per 37 ore di guida.

1:37 !

Potete immaginare lo scenario della città paralizzata, inondata di auto.

Se voi foste il sindaco, cosa fareste ?

Non potete aumentare il prezzo della benzina.

Non potete ridurre di oltre il 90% il costo dei parcheggi (privati).

Potreste fare un’ordinanza per vietare le auto dedicate e consentire solo auto condivise. Cosa che si potrebbe fare già adesso. Ma ci sarebbe una rivolta, difficilmente passerebbe.

Potreste pensare ad un congestion charge, ma questo impatta chi entra nella zona limitata, non chi ci gira all’interno.

Potreste vietare le auto senza passeggero a bordo. Come è adesso. Non ci sarebbero grandi impatti sulla viabilità ma ci sarebbe comunque un beneficio: Non dovresti prendere la patente (forse).

Share now →

In an early morning chat at the meeting of the HLEG-AI (High level expert group on AI of the European commission), some colleagues were reporting that their job was hindered by excessively strict interpretations of the GDPR by their organizations’ legal counsels.

Fact is that many uses of AI involve personal information and that legal counsels incentives are misaligned with respect of the research&development groups (and that is generally OK) but tends to lead them to be excessively prudent and, quite often, blocking. (and they usually have an almost-veto power).

Legal counsels would benefit from a (quasi) discharge of responsibility.

With the regulation before GDPR one could turn do the privacy regulator to request a prior checking, before starting data processing. They gave guidance by often helping the organization shaping processes and technical details.

Prior chekings no longer exist (replaced by an own impact assessment) and while the whole process is conceptually easier, it may effectively raise some barriers due to a (resonable) precaution by the organization legal counsels.

So, in order to ease a blocking friction in the development of AI systems in Europe,  perhaps we ought to think to some form of prior checking by/with privacy regulators.

Share now →

[at best]

Savant (Wikipiedia)

Share now →

a modest proposal in two (plus one) provisions:

1. limit the number of friends a non-paying user can have: let’s say 100. do you want more friends ? you have to pay something: paying not only introduces friction but implies verifiability of identity of influences in case of suspicion of a crime. multiple (quasi) identical posts by different accounts (e.g. bots) would be easily spotted.
2. limit the level of posts re-sharing. let’s say friends of friends. This would limit the reach of a non paying user to maximum 10.000 persons.
3. (eventually) introduce latency in the visibility of re-shared posts. Let’s say 8 hours. This would allow up to 16 hours to react to fake news posting (content moderation)

the above proposal would not negatively impact social network revenues (nor costs) and would not imply any editorial responsibility for the social network.

just came to my mind.

I’d like to read some comments!

Share now →