Don't trust Facebook's Libra cryptocurrency, boffins warn: Zuck & Co know that hash is king

It's not about the money, it's about the identifiers

Analysis Facebook's proposed digital currency Libra, and its accompanying digital wallet Calibra, should be scrutinized not only by financial regulators – as lawmakers in the US and Europe have already started to do – but by national entities concerned with law, public safety and defense.

The reason for that, argue Valerie Khan, VP of the Digital Equity Association, and Geoffrey Goodell, senior research associate at University College London's Centre for Blockchain Technologies, is that Facebook is interested not in finance but in identity.

Their opinion paper, "Libra: Is It Really About Money?", answers the question posed by its title with the assertion that Facebook's ulterior motive is to become the world's digital identity provider.

Pointing to the classic 1993 New Yorker cartoon captioned, "On the internet, no one knows you're a dog," the two authors contend that being able to accurately identify people online would have enormous financial consequences and would be particularly interesting to an advertising company like Facebook.

Facebook has positioned Libra as solely a financial endeavor, but the project has implications in every aspect of civil and social life where reputation matters, the academics argue. Digital identity currently tends to be fragmented, distributed across different websites and embodied by separate sets of login names, HTTP cookies, and tokens.

Advertising and data companies like Facebook strive to unite these identities to track people across websites by correlating different data, though such efforts can be undermined by technological countermeasures and actions taken in the pursuit of privacy. Libra, or more specifically Calibra – the wallet tied to the individual – represents a way for Facebook to dissolve public and private boundaries to create "transparent citizens."

"Allowing Facebook to become a crucial player in digital identity for the financial sector will enable it to tighten the knot on the ‘transparent citizen’ (Reidenberg, 2015) by accessing a strong bastion of meaningful data," they write. "It will also allow everyone else to purchase the means to manipulate Facebook users, perhaps in pursuit of their respective advertising ideas – some harmless, some of corrupting influence."

Such transparency – seeing everything – challenges democratic institutions and norms, argued Joel Reidenberg, a Fordham University law professor, in his 2015 paper, "The Transparent Citizen." China's social credit system, and its role as a political control mechanism, offers an example of how such transparency can be exploited.

Khan and Goodell note that there's no expectation Libra transactions would be private – blockchain transactions are public, after all – and to appease regulators and lawmakers, Facebook can be expected to make its platform a robust surveillance system.

They point to Facebook's 2010 acquisition of a Friendster patent, which covers giving creditors access to social media profiles to assess loans, as a sign of where the company is headed.


Parallel efforts to define digital identity are underway. The authors point to the past initiatives of the founding members of the Libra consortium, like Mastercard, Visa and PayPal. They note that Microsoft is launching a decentralized identity infrastructure called ION (to say nothing of its failed Hailstorm project), in conjunction with a separate consortium called DIF, the Digital Identity Foundation. The W3C is exploring this too in its Decentralized Identifiers (DIDs) spec.

The authors worry that Facebook plans to assure Libra's success by relying on the distribution power it has to reach 2.5 billion users across its various social media and messaging properties. And they insist that if regulators allow a private advertising company to become the gatekeeper for most online services – using standards and policies it has written for its own benefit – the results will be disastrous.

"Handing this right over to a handful of selected private partners with a revenue-driven target could lead to biased decision-making and illegitimate gatekeepers for the sharing of information, a mechanism for using incentives, punishments, temptation, and fear to control the behaviours of populations, cheaply and at scale: a mix of Huxley’s Brave New World and Orwell’s 1984," they write.

An association of 100 or so members beholden to Facebook, a company with "a shady history of securing people's data," they say, "sounds like a charade." ®
