Deepfakes are Literally Security Theater

Source: Mashable “The bizarre world of Queen Elizabeth impersonators… LONDON — It’s tough making a living as a Queen Elizabeth impersonator. Not only do you have to master the dress, the wave and the pursed lips, but you also get thrown into endless ridiculous scenarios.”

Have you been to a theater lately? Probably not, because of the pandemic, but if you remember when we all used to go (including movie theaters, of course) we would watch performance art and… like it (assuming it was well done and believable, of course).

However, I sure see a lot of people getting very upset about something they call Deepfakes.

Source: The Sun, which you definitely should trust.

Why is there such a disconnect between all the people paying money and spending time to be entertained by the performing arts (the act of information deception) and the people decrying that our future will be ruined by Deepfakes (the act of information deception)?

I call this the chasm of information security, which I’ve been sounding the alarm on here and in my presentations around the world since at least 2012. It is the foundation of my new book, which I started writing at that time and which has expanded greatly from just a warning call to tangible solutions.

We are long past the time when security professionals should have been talking about the dangers and controls of integrity risks. It is evidence of failure that people can both be entertained by information deception without any worry on one hand and on the other hand decry it as a dangerous future if we allow it to continue.

Is the court jester the end of the kingdom? Obviously not. Is the satirist or political comedian the end of the future? Obviously not.

When an actor changes their voice, is it more or less concerning than when they change their appearance to look like the person they are attempting to represent accurately?

Watching a Deepfake for me is like going to the theater or watching a movie and I fear it very little, perhaps because I study intensely all the ways we can protect ourselves against willful harm.

Integrity is a problem, a HUGE problem. Yet let me ask instead: why are people so worried that performance art, let alone all art, is being artistic?

A headline like this one is not concerning for me any more than usual:

A college kid’s fake, AI-generated blog fooled tens of thousands. This is how he made it.

“It was super easy actually,” he says, “which was the scary part.”

Yes, a college kid’s fake blog is called Wikipedia. Lots of people with free time on their hands generate fake content there and fool millions. This should not surprise anyone. Using technology to generate the content makes it faster and easier, sure, but it’s not far from the original problem.

The bigger problem is that people don’t often enough describe GPT-3 as a fire-spewing dumpster fire that was created without any sense of fire suppression. It’s a disaster.

Philosophers know this. They write academic papers about the kind of obvious classes of vulnerabilities that engineers should have been modeling from day one if not earlier. Here’s a good example of the kind of thing every security team needs to stick in their quiver:

Source: “Recommender systems and their ethical challenges”, Silvia Milano, Mariarosaria Taddeo & Luciano Floridi. AI and Society (4):957-967 (2020)

When I was in Japan trying to solve for information system risks I couldn’t raise insider attacks using the old and usual talking points because everyone there told me dryly that no such thing existed.

Their culture was explained to me as deeply ingrained trust and honor systems such that they confidently believed they could detect any deviations (and it was hard to argue, given how they marched into the room, sat by rank and respect from middle to end of the table, and only spoke when allowed).

So instead I watched a history documentary about how Osaka castles had been destroyed by invaders, and at the next meeting I brought up the dangers of fakes and imposters, deceptive identities inside their organization.

This hit a big nerve.

Suddenly everyone was waving money at me saying take it and help them protect against such imminent dangers. Why was a deep fake so motivating?

It is a massive failing of the security industry how people worry about data integrity and feel afraid like they have no tangible answers, yet they surround themselves with art all day every day and “like” it.

We may in fact have the answers to this failing, and right in front of us.

Again, that’s the chasm of information security today. I hope to explain in great detail what needs to be done about this fear of theater, in my upcoming book.

One thought on “Deepfakes are Literally Security Theater”

  1. This is a really interesting take. I’ve included it in my most recent list of “Noteworthy” postings at the OSIRIS Codex. The Codex explains online issues to strategic planners, including corporate, military, and government strategists. I included this because it pokes at an issue that I don’t think people think enough about. Planners and strategists often have a visceral reaction to something without situating it in the larger strategic environment, and what it means. Thanks for writing this, and feel free to drop me a line.
