Re: Deep Fakes, Phishing & Epistemological War - how we can help combat these.

> On 5 Jun 2019, at 10:54, Graham Klyne <gk@ninebynine.org> wrote:
> 
> On 04/06/2019 09:37, Henry Story wrote:
>> In a recent article on Deep Fakes in the Washington Post,
>> Assistant Prof. of Global Politics Dr. Brian Klaas, University
>> College London, wrote
>> "You thought 2016 was a mess? You ain't seen nothing yet.”
>> https://www.washingtonpost.com/opinions/2019/05/14/deepfakes-are-coming-were-not-ready/
>> 
>> Deep fakes are produced by new technological breakthroughs that allows one to
>> realistically create live videos of real people, to make them say whatever one
>> wants them to say with the right tone of voice too. There is no turning back
>> this technology, and this will bring us back to a pre-photographic world,
>> where trust in the coherence and authorship of a story is all we have to go
>> by for believability.
> 
> This, from Tim Bray?:
> 
> "How about camera companies install a signed cert on each device, and the device signs each photo/video-clip before saving? #TruthTech"
> 
> -- https://twitter.com/timbray/status/942176960632971264
> 
> (There's some discussion in replies about extracting signing keys from the device, but I think that presumes physical access to the device.)

Yes, there are many good remarks in that discussion.

Note that if one can fake images one can then also fake live voice. Imagine 
a tool where with enough recording of someone’s voice you can completely 
fake their intonation, accent, and mannerisms.  With this and a bit of extra
information a scammer could call someone and get important information
from them or even get them to transfer money.

(You actually don’t even need voice manipulation software as faking the
caller ID is already so easy in the US. There are demos of this online.
Most people seeing the caller ID don’t even pay that much attention to
voice changes, which can also be faked to sound like a bad quality line.)

So if you follow this ”not fake” certification idea, you’d need this 
signature to sign phone conversations too.

So say telephone companies or device manufacturers start signing voice calls
as ”NotFake”. How would a client device know that the telephone call
is signed by  a real phone device company?   Similarly how would I know that 
the ”NotFake” photo were signed by a camera company?
Or that a video were signed by a real video camera company?  Clearly we don’t
want to limit competition and innovation by enforcing a closed list of
such companies. We need that list to be open.

But then we again need the Institutional Web of Trust, tied into a Web of
nations.  For our client verification software would need to know what the
signing institution is, that the key is really theirs, where the company
is registerd, under which legal framework, and what the diplomatic relations
our country entertained with that country. 

We can extend this to all the use cases of the Verifiable Credentials WG [1].
If someone shows a credential that they can drive, how would your verifier
know that the insitution signing it is in that country enabled to make such claims?
Of if someone shows a Verifiable Credential about their need for medication, how
does software built for global use decide that the signing institutions is a hospital
or a pharmacy? ...

The institutional Web of Trust [2] is a prerequisite for a globally smoothly functioning
 verifiable credentials system to be deployed.

Henry

[1] https://www.w3.org/TR/verifiable-claims-use-cases/
[2] https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9

> #g
> 

Received on Wednesday, 5 June 2019 09:49:18 UTC