AI expert Gus Fraser takes us from the 1950s checkers AI to today’s transformer-driven Generative AI, showing why it is the fastest-adopted technology in history and how it’s poised to rewrite every job that involves a computer. With vivid stories from ride-hailing drivers managed by algorithms to his inspirational 97-year-old grandmother programming her sewing machine, he unpacks self-attention, AI agents, and the looming power-and-skills gap. Gus issues a call-to-action for employers, students, teachers, and parents: assign AI a real task that you need to do but don’t enjoy or that takes you longer than you would like, evaluate the approach and results, and share what you learn, with a friend, a colleague, a family member. Adapt now and we can ride the wave together, eyes wide open! Gus is a seasoned technologist with over 25 years of experience as a software engineer, CTO, and technology start-up CEO. Most recently, he led the AI Engineering team at a global consultancy, working at the forefront of AI adoption and witnessing its transformative impact across industries. Now, as the founder and CEO of Helix Technologies, he helps organisations navigate AI strategy, governance, and transformation. Beyond business, Gus is passionate about building AI solutions for positive impact, including “It’s OK”, a mental health support service designed to complement professional care. His work sits at the intersection of innovation and responsibility, shaping a future where AI empowers rather than replaces human potential.

With one look at (or picture of) somebody, imagine if you knew everything that had ever been posted about them (with or without their consent). Name, job, address, ALL their photos… in an instant… a stalker’s paradise… very scary!

Th Meta / RayBan collab, for example… a potential match made in hell… one that is covered briefly in the book…

I’ve long been interested in privacy and biometrics (developed biometric ID verification for Revoke to facilitate exercising DSARs, Atam Kiosks typically use biometric ID verification for electronic visas or verifying ID prior to SIM issuance or top-up). It’s not the one-to-one “are these two faces the same person?” questions that are a problem, it’s the “find all faces the same as this one” with eery accuracy that scares me. It’s only made possible by virtue of the fact that billions of faces have been scraped and processed… possibly legally in some jurisdictions, but in my view, definitely unethically!

In March 2020, when Clearview was still available in the UK, I issued a DSAR of my own… 1st page of results below (2nd page was similar). All photos were relatively recent, nothing I didn’t expect. The algorithms must have improved since then… based on this evidence if you want to be a “new person” in Clearview terms, shave your head and grow a bit of a beard – as no matches for me from before this time were discovered (there are definitely some online!). This approach may not work for everybody…

Strongly recommend the book if you have an interest in privacy: https://www.penguinrandomhouse.com/books/691288/your-face-belongs-to-us-by-kashmir-hill/

There is no doubt that *some* good could be achieved with Clearview (and/or others providing a similar service) in terms of law enforcement and finding actual criminals, but there is such a high risk of privacy infringement, abuse, false positives… many real examples in the book.

Clearview had a £7.5 million fine by the UK ICO overturned this month… the story is on-going… https://www.bbc.co.uk/news/technology-67133157

What do you think? Are you looking forward to Minority Report? It’s happening sooner than you think…

I get contacted on a regular basis about hacked accounts and how to recover them. This particular case had me stumped for a while; ingenious hackers were able to re-gain access to an account after it was reset by Meta, after they even had completed facial verification and ID checks… with multi-factor authentication switched on!

The Short Version (TL;DR)

• Ensure you have multi-factor authentication (MFA) on all accounts, where available. Where MFA is unavailable, use a strong password and a password manager
• NEVER click on a link or send a screenshot of a message to “a friend”
• If you have been hacked and are able to recover your account, reset your backup codes immediately and turn on multi-factor afterwards (do not assume that just because you have recovered your account, that the hackers no longer have access!) – details below
• Use an authenticator app (vs SMS) for multi-factor authentication

The Full Version – What Actually Happened?

I was contacted by a friend who tried to get their Instagram account back.

He had accidentally shared information with one of his supposed friends (also a hacked account) that allowed the hackers to take control of his own account.

After he eventually recovered his account, I was amazed and honestly quite impressed that the hackers managed to re-gain access, even though he had multi-factor authentication turned on. At first I thought they might have access to his email account, but they didn’t.

I like to try and work out how sophisticated hackers really are; engage in some conversation and work out how they did it.

I pretended I didn’t know my friend had been hacked (again!) to see how long it might take for them to target me:

Sure enough, later that day…

Obviously I didn’t click on a password reset link or copy anything and send it back to them.

If I had done so, they’d have likely taken control of my account too if I wasn’t careful.

It transpires when they gained access to my friend’s account, they copied the MFA backup codes, and used them to get back in.

After Meta had completed ID checks including facial verification (this in itself was problematic – ensure you send them a video wearing similar clothing to some of your posts, with similar background if possible… may sound silly but it was necessary!) – they didn’t reset the backup recovery codes for MFA! Which was madness, as it left his account wide open!

Recovery codes are in the Instagram app under Security > Two-factor authentication > Additional methods

If you have the Backup codes, you can get back into an account even after the password has been changed… even with two-factor authentication on!

I raised this as an issue with Meta but they claimed that it’s not a security flaw, it’s “by design” – which to me seems ridiculous, that they would confirm 100% that an account is owned by a user who’s been hacked (ID & facial verification etc.) but leave the backdoor open…

Whatever you do, keep your backup / recovery codes in a very safe and protected place. All (if not all) services that have a multi-factor authentication option should provide these codes.

Use an authenticator app instead of SMS where it is available, and turn off SMS as a multi-factor authentication method. It’s a tiny bit more work (debatable) for a lot more security!

When we launched BLOKK it seemed like an obvious feature for us to build, to protect users from social engineering attempts such as this one, by blocking typical password reset URLs and flagging to the user they maybe under attack.

The password reset URL is blocked by default. The user may have been trying to reset their own password, but most likely to be a victim of social engineering. This should highlight to them that there may be a problem.

We will be improving the messaging to reference specific risks of social engineering; however, the protection is there already and will prevent others from falling into the same trap.

Whether you use BLOKK or not, I hope this story helps to highlight an issue that I’ve since seen many times and helps to prevent it from happening again.

Feedback welcome in the comments!

The Financial Times originally published the article with this insightful map in January 2018 (ahead of GDPR) about John Lewis, a supposedly ethical retailer (to be fair, their privacy policy is well-written) as an example of data capture & sharing – the article is titled “Customer data sharing comes out of the shadows”. The quote at the bottom of the article makes me laugh…

“Nothing on these tracker maps is necessarily bad. Just because companies are collecting your information it is highly unlikely it is being shipped all over the internet.”

So naïve; if I didn’t laugh I’d cry! If this is an ethical retailer imagine what the others are doing. This isn’t just a scare story, it’s actually happening with nearly every website you visit and every app you use, unless you take precautions e.g. a browser like Brave, or use BLOKK (works for apps AND websites).

If you’re thinking “it’s no big deal…” then just ask yourself: “Do you really want companies to know about every website you visited, product or service you searched for, app you have installed?”

If not… you know what to do!

Original FT article: https://www.ft.com/content/9d741ea6-e73f-11e7-8b99-0191e45377ec

Facebook / Meta has long been abusing data.

These posters surfaced in 2018, around the time of Mark Zuckerberg’s congressional hearing. A PR stunt to balance the negative press that backfired somewhat…

Unfortunately at the time of writing, not much has changed (nor do I expect it to!)

This week’s case is brought to you by The Guardian:

Facebook sued for collecting personal data to target adverts

In high court case that could set precedent for millions, Tanya O’Carroll alleges owner Meta is breaking UK data laws

Read the full story: https://www.theguardian.com/technology/2022/nov/21/woman-launches-high-court-challenge-of-facebook-use-of-personal-data-for-ads

This isn’t an isolated case, it’s happening again and again.

Last week it was Google:

Google to pay record $391m privacy settlement

The technology giant tracked the location of users who opted out of location services on their devices, 40 US states said.

Google has been told to be transparent about location tracking in the future and develop a web page telling people about the data it collects…

I don’t believe this is sufficient at all! A WEB PAGE? Users should be informed in easy-to-understand language about what Google is doing, and have the opportunity to opt out!

One positive major difference in this fine (as opposed to the numerous previous fines) is that it was in the USA; maybe the wild west of data is finally waking up to the issues!

More at https://www.bbc.co.uk/news/technology-63635380

Meta, Alphabet, Pinterest shares shudder

It’s no surprise that the AdTech world is suffering:

A Change Is Gonna Come

The advertising world is changing. It’s no longer acceptable to misuse people’s data, or to act without transparency.

New means of helping retailers to reach consumers will emerge, that are transparent, privacy-preserving, and that give individuals choice and control.

Attention is the new battleground!

Did you know that nearly all of your apps are leaking data?

At Revoke, we recently launched a new app: BLOKK.

Without BLOKK, your phone is leaking data and you have no visibility or control over what is happening!

Apple claims to be privacy-centric… Google makes no such claims… many app developers do not inform you properly that, for example, they may send all your location data to a 3rd party!

So what’s the problem? It’s not just location data, and it’s been long proven that location data is not anonymous…

Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret

Fundamentally, we believe that there is a serious lack of transparency about how apps and websites capture and share your data, so we created BLOKK to address the problem.

It’s on Android only for now, but will be coming to iOS soon.

Happy Data Protection Day 2022!

I was invited by Santander Work Café to give a talk today (thank you for the invitation!) on Data Protection Day.

My talk was initially inspired by two main events;

1.      A recent hack and compromise of an account (twice!) despite having 2FA on (also known as two factor, two-step or multi-factor authentication). An exciting account of sophisticated Nigerian hackers!

2.      The Covid-19 pandemic that continues to present risks to our privacy

I was intending to talk about the dystopian future we all face. Cautionary tales of sorts and tips to protect yourself.

However, in responding to some of the questions I was asked, it was evident that we are already living in “Data Dystopia”!

Judging from the gasps and surprise to the answers to the questions (and impromptu demonstrations) I think it is important to share the issues we face today, on Data Protection Day!

 Q1: Why Brave? (instead of Chrome)?

A fair question.

Exhibit A:

The above shows Brave’s “Shields UP” report; the default protection against trackers & ads when visiting the Daily Mail website (for demonstration purposes only!).

59 items blocked on loading the Daily Mail homepage. FIFTY NINE?

Astounding!

Q2: Why does this matter and where are they sending the data?

Trackers and cross-site cookies monitor your online behaviour across sites so that Big Tech can benefit by profiling you.

This could be used for advertising, or in some cases… even preventing access to finance (the EU advises against but does not prohibit use of social media as a source of evidence for creditworthiness; this definitely happens!).

This is such a big problem in general that both the Austrian and Norwegian authorities are banning Google Analytics (tools for developers to easily track user behaviour and activity; Brave blocks by default).

To give a better insight into what websites and apps are doing with your online activity, a great example is “Off Facebook Activity”.

Q3: What is Off Facebook Activity?

What many people don’t realise is that Facebook (Meta) and Google (and to a lesser extent, Amazon) track your online activities as much as possible. Even if you’re not on Facebook or Google (or Chrome), they are tracking you.

In the case of the Daily Mail example, the searches and types of articles I read could be shared with Facebook, adding to my existing profile (not just that I could be a Daily Mail reader! But my interests, as inferred from the content I consume).

This may seem innocuous… “So what?”… even though Facebook/Meta has no business knowing what I’m reading… I certainly don’t think that’s appropriate!  

On checking my Off Facebook Activity as I did during the talk, to demonstrate the extent of this problem…

Exhibit B:

Uh-oh… 457 different apps & websites are sending Facebook details about my activity… Wow! Let’s take a closer look!

What does Facebook say they do with this information?

·       Show you ads that you might be interested in, which introduce you to new products and services. For example, you may see ads for hotel deals if you visit travel websites.

·       Create a more personalised experience for you by suggesting things that you might be interested in, such as events that you may want to go to. For example, you may see events for fitness classes if you’ve recently bought athletic clothing.

I really don’t really want all my online activity to be known by Facebook! They already know enough about me!

According to Facebook businesses can also use these tools to:

·       Understand and measure how their website, app or ads are performing and whether they’re reaching the right people.

·       Connect to new customers who might be interested in their products and services.

So further profiling me based on ALL my online activity? No thank you!

I love music. I listen to a lot of music. Maybe the fact that Spotify has sent 402 activities to Facebook is nothing to worry about…

Exhibit C:

What are the activities that Spotify is sharing? Should I care?

Actually, having downloaded this data from Facebook, it is allegedly just basic information about me using the Spotify app (yes, apps share just as much data, if not more than websites, with Big Tech!).

Perhaps the fact I use Spotify several times a day isn’t a secret and I don’t care if Facebook knows about it.

But what if it isn’t Spotify? What if it is a controversial website or something sensitive?

Facebook states:

·       We prohibit businesses or organisations from sharing sensitive information with us, such as health and financial information, your date of birth and passwords. If we determine that a business or an organisation is violating our terms, we’ll take action against that business or organisation.

Ok, great. Although it’s a bit subjective. The way that Facebook typically tracks “Off Facebook Activity” is using a Facebook pixel (just ONE of the trackers Brave blocks!).

Perusing the Facebook pixel documentation for developers does cause some concern;

What pages did I visit on a website? Could be very sensitive! Not just which website, but what I was browsing?

Oh… just SEARCH??? If app or website developers implement this Facebook Pixel functionality… all your searches on their app or website would be shared with Facebook! Your search history can be one of the most sensitive data sets! Just think back to a time you searched for something sensitive (hopefully using DuckDuckGo, not Google!). Maybe a health-related query… are you happy with this being shared?

Facebook states that health information is prohibited from being shared. But what about an app that blatantly divulges your sexual orientation? Would you be happy with this?

The scariest thing about this is that it has been going on for years and it is default behaviour from apps, websites and Big Tech, all trying to monetise your online activity.

Q4: What is DuckDuckGo?

DuckDuckGo is a privacy-centric search engine, as simple as that!

Instead of giving up your searches to Google or storing them to monetise, give it a try, it does work!

Thanks for reading about the Data Dystopia we live in today.. relevant to everybody on the internet (including you!)

After all that, the main topics of my original agenda will have to wait for another post next week!

Thank you for reading. I hope that you are prompted to take action if you don’t already do the following:

·       Use Brave

·       Use DuckDuckGo

·       Check (clear!) your Off Facebook Activity

·       Use Revoke (it’s free!)

Delighted to have accepted this award on Friday night on behalf of the whole team at Revoke who have worked hard building and shipping an amazing product and platform in 8 languages across multiple continents!

Not only did we scoop the “Security/Privacy Award of the Year” but with my Atam hat on, we won “Product of the Year” for our kiosk project in Saudi Arabia!

Double winners!

I recently gave a talk to the PrivSec Global virtual conference about online privacy after Covid.

The coronavirus pandemic has had seismic effects across society and business as a whole and the challenges it has brought to data protection are huge. The speed of change required and the unpredictable nature of pandemics had made it a once in a lifetime experience for many practitioners. This session highlights the key takeaways and considers what the ‘new normal’ really means in practice.

Some shocking practices and discoveries during the pandemic that deserve to be highlighted so they are not repeated!

Some key slides from my talk below, and even a solution to some of the privacy and identity issues!

Thanks to all who tuned in live!

Any questions please feel free to get in touch!

Here are some simple steps to secure your accounts and dramatically mitigate the risk of this from happening to you.

Aside from the more technical steps below, be very wary of social engineering. Hackers can appear very nice and helpful to gain your trust; however a small hack can turn into a disastrous one where your identity and those of your friends and family are compromised if you let them in.

Never install anything (including Facebook apps) without fully checking them out first!

1. Multi-factor authentication (MFA)

If you have MFA enabled a hacker needs to know your password AND have access to something else (e.g. mobile phone) to get into your account.

Sometimes this is called two-factor (2FA) or two-step authentication.

This is critical for your email AND for Facebook; access to your email means hackers can reset your passwords easily!

Quick links – use each one if you have an account with that service:

• Facebook
• Instagram
• Google (including Gmail)
• Apple ID (including iCloud.com, me.com, mac.com email)
• Microsoft (including Outlook.com, Hotmail.com)

If you ever have an option to use an authentication app instead of SMS, it is worth doing so as it is more secure. I use the Microsoft Authenticator app as you can back it up (changing your mobile can be painful otherwise).

This should be enforced for ALL users across your Facebook business page.

From https://business.facebook.com/settings/security for all business pages where you are an admin, ensure the following is set to “Everyone”:

2. Check your Facebook Business Integrations

Business Integrations are setup from e.g. social media management or CRM accounts (Hootsuite, HubSpot etc.) or for advertising accounts.

However, they are often used by hackers to gain access to business pages & cause damage.

Using your desktop or laptop, visit https://www.facebook.com/settings?tab=business_tools (link does not work on mobiles).

Delete anything you don’t use or recognise;

If you have any with these settings, you should make sure you are comfortable with their Terms of Service, Privacy Policy etc. (it is always worth re-visiting ToS & other policies to ensure you’re comfortable with the level of access 3^rd parties have and who they share your data with!)

3. Check Facebook Apps on your personal page

Remember that your personal page is often a route in to your business page.

From your laptop/desktop visit:

https://www.facebook.com/settings?tab=applications

Delete anything that you don’t recognise or use.

Whilst these apps should are a low security risk of phishing (where they could ask you to re-enter your credentials) there is also a privacy consideration. Many apps will have access to more on Facebook than they need, they can use this data for social engineering and/or targeting your friends who may not have read a useful guide like this

4. Check your Business Page roles

From your Business Page use the Page roles tab:

You should be the Page Owner and you should recognise all the accounts that have access under Existing Page roles:

Make sure anybody who has access to this page has Multi-Factor Authentication setup too!

5. Check your Page management history

If anybody has had unauthorised access to your Page, you should find it in this section; one person I was helping had this – bad news!

Note the change to a different country’s audience… and the Pages Manager was actually an App…

Finally… Use Revoke

Not strictly related to securing your Facebook page(s) but you should also be taking back control of your data!

www.revoke.com (disclaimer: I’m the CEO)

I hope that was useful and helped to protect your Facebook account and business page(s)!