Impersonation, Fraud and the Future of Deepfakes
All kinds of documents, communications, emails, text messages and other kinds of messages require authentication to be binding on the parties and to be admissible in court as evidence of the binding nature. Face-to-face agreements were long ago replaced by written contracts and writings have morphed from cuneiform to ink on vellum to typed, printed and now electronic documents—accompanied by electronic signatures. Since the pandemic, deals are negotiated over Zoom with a face on a screen acting as an avatar for the person. That seemed good enough.
Until now.
Patrick Hillman, the chief communications officer at cryptocurrency firm Binance, who describes himself as having “previously led one of the world’s largest cybersecurity teams and managed some of the largest data breaches in history (U.S. OPM, Ashley Madison, etc.)” learned the hard way how dedicated and motivated hackers can undermine many layers of security (and authentication) using AI and modern technology.
Deepfakes
In his blog, Hillman described receiving confirmation messages from various individuals concerning business deals he allegedly entered into on behalf of Binance. Problem was—it wasn’t him. Hillman explained that hackers took video and other images of him gleaned from TV and other press appearances and created a virtual avatar of him—a 3D representation of his face—and communicated with others using that avatar. While still in its infancy, deepfake technology permits a user to virtually put on the face of another—like substituting Nicolas Cage for Harrison Ford in movie clips.
As machine learning gets more sophisticated and processing speeds increase, a person sitting on a Zoom call will be able not only to put on fake bunny ears or an artificial pair of sunglasses, but can also put on someone else’s face—possibly in real-time. Other AI programs allow a user to train a computer to substitute another person’s voice for their own—again in real-time. As a result, a video conference call with another person, once thought to be one of the most effective means of authentication (I’d know my grandma anywhere), becomes a vehicle for establishing false trust.
It Wasn’t Me! SoDDI
The flip side of the deepfake/AI problem is that it undermines the trust we have in electronic communications in such a way that a person can now repudiate transactions they actually participated in. Emails can be hacked or spoofed. Man-in-the-middle (MiTM) attacks can compromise communications. Contracts and documents can be intercepted, altered and retransmitted, often substituting wiring instructions to direct funds from an authorized user to the hacker’s accounts. With cryptocurrency transactions, it is possible to initiate an unrecoverable transfer of funds through a spoofed email or purloined account. To make matters worse, suspicious transactions are often validated via a phone call or video conference between the participants — a channel that appears to have been compromised. The lack of verification leads to the so-called “SoDDI defense” — Some other dude did it.
Cat, Meet Mouse
We are probably a few years out from the widespread use (and misuse) of facial and voice spoofing technologies, particularly real-time spoofing that is good enough to fool the casual user. Of course, that will be accompanied by some new anti-spoofing technology designed to alert the user that the image/voice is an AI doppelganger. That will then mean that the use of the anti-spoofing technology will become the standard of care for authentication and those who rely on a simple phone call from the number of a contact with their voice on the other end could be deemed negligent for not confirming their contact’s true identity.
Rather than making it easier to conduct business online, all of these issues complicated the very basics of contract law. Knowing that the person with whom you are communicating not only has the authority to enter into a contract but fundamentally is the person you think they are and not a deepfake—and not, say, Nicolas Cage—is pretty important. Unless you want to contract with Nicolas Cage. And anyway, his real name is Nicolas Coppola.
