Identity, Privacy and Dataveillance (II)

The TJX data break-in has gotten the Boston press all a-twitter about data privacy, so we get this great discussion of some of the fundamental disconnects that seem to underlie the problem: We’re helping the hackers [pdf]

There is no doubt that the true victim in identity theft is the individual, who must bear the worry, cost, and aggravation of fixing personal data and finances. But in many cases, the legal victim is the institution that was attacked and robbed of their data. This fact only underscores that we do not own our personal data. The institutions with which we do business own our information and, in their practices of storing and sharing such data, expose millions to the consequences.

[…] The problem perhaps is best illustrated by the fact that pornography has more legal protection (copyright) than anyone’s Social Security number. Too often the problem of identity theft is considered a failure of technology, but the true failure is that neither culture nor the law recognizes personal data should be owned and controlled by the individual. […]

Sadly, this writer’s solution to the problem illustrates exactly why this one is so hard — the proposed solution is impossible to achieve in any meaningful way:

Consumers, it is up to us. Think of the benefit of shopping your corner store where their database is maybe a paper notebook and their service is friendly and effective. Shred your credit cards; both your mailbox and bank account will thank you. Get yourself and your kids off social-networking sites. Peer pressure was bad enough when it was the size of a classroom; don’t make it the breadth of the Internet.

Related: this letter to the editor (pdf); ask yourself how the direct marketing associations might react to such a proposal:

With regard to TJX Cos. and the latest breach in security to threaten consumers, I am disgusted that retailers such as TJX feel they are entitled to keep my credit card number and personal information in their databases (“TJX facing customer complaints,” Jan. 20 [pdf]). Once the retailer has been paid and the transaction completed, there is no need for TJX to keep that data. It is time for the public and our lawmakers to demand that this practice stop. My credit card number and personal information are personal. They belong to me and to the bank that issued the card, not to retailers.

See Turow’s Niche Envy, Solove’s The Digital Person and O’Harrow’s No Place To Hide.

Reminder: Boston Athenæum Event Feb 22

Hands Off, That’s Mine! Who Owns What, and For How Long?; part of the Boston Athenæum Bicentennial Lecture Series, Current and Back Issues: Persistent Themes in the Library; Thursday February 22 at 6:00 PM; Rabb Lecture Hall, Boston Public Library. Speakers: Meredith McGill and Siva Vaidhyanathan; Moderator: William Strong.

This provocative series will examine a number of issues that have long confronted the library world, and which hold implications for libraries in the future.

Each program will feature two distinguished speakers, one of whom will offer a historical perspective on the issue as it affected libraries (such as the Boston Athenæum); the second speaker will address the issue from a contemporary vantage point.

A moderated discussion will follow.

“We’re the Government, and We’re Here to Help”

FBI turns to broad new wiretap method [via Slashdot]

The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

[…] Call it the vacuum-cleaner approach. It’s employed when police have obtained a court order and an Internet service provider can’t “isolate the particular person or IP address” because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department’s Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)

In a telephone conversation afterward, Ohm said that full-pipe recording has become federal agents’ default method for Internet surveillance. “You collect wherever you can on the (network) segment,” he said. “If it happens to be the segment that has a lot of IP addresses, you don’t throw away the other IP addresses. You do that after the fact.”

“You intercept first and you use whatever filtering, data mining to get at the information about the person you’re trying to monitor,” he added.

Sony BMG Settlement

Sony BMG settles with FTC over anti-piracy software [pdf]

The U.S. Federal Trade Commission said on Tuesday Sony BMG agreed to settle charges that it secretly embedded potentially damaging anti-piracy software in some of its CDs.

The settlement requires Sony BMG, a joint venture of Sony Corp. (6758.T) and Germany’s Bertelsmann AG (BERT.UL), to make further disclosures, to allow consumers to exchange the CDs at issue and reimburse consumers for up to $150 to repair any damage to their computers, the FTC said.

“Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content,” FTC Chairman Deborah Majoras said in a statement.

The FTC Press Release, Sony BMG Settles FTC Charges, also includes links to the documents in the complaint and the settlement — In the Matter of Sony BMG Music Entertainment, a general partnership.

Business Opportunities

The developing market in exploitable software bugs — with both white hats and black hats participating: A Lively Market, Legal and Not, for Software Bugs

Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks.

The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them.

Especially prized are so-called zero-day exploits, bits of disruption coding that spread immediately because there is no known defense.

Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that they could issue a fix, or patch, and protect the general public. But now researchers contend that their time and effort are worth much more.

“To find a vulnerability, you have to do a lot of hard work,” said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. “If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all.”

Motives?

So, what is Google trying to accomplish, really? I can only read this as a pre-emptive strike on something, but I just don’t know what it is that Google is worried about. Google Halts ‘Miserable Failure’ Link to President Bush

Writing on the Google blog, Matt Cutts, the head of Google’s Webspam team, said that Google bombs had not “been a very high priority for us.” But he added: “Over time, we’ve seen more people assume that they are Google’s opinion, or that Google has hand-coded the results for these Google-bombed queries. That’s not true, and it seemed like it was worth trying to correct that misperception.”

Mr. Cutts was not available on Friday to expand on his blog, a Google spokeswoman said. A White House spokesman had no comment on the issue.

Despite the changes by Google, some other Google bombs are still operative.

Scientific American On Slamming Open Access

Discussing the way the debate is being “framed”: Open Access to Science Under Attack [pdf] [via Salon]

The Professional and Scholarly Publishing Division of the Association of American Publishers hired Eric Dezenhall, head of Dezenhall Resources, a public relations firm that specializes in “high stakes communications and marketplace defense,” to address some of its members this past summer and potentially craft a media strategy. Dezenhall declined to comment for this article, citing “our longstanding policy due to strict confidentiality agreements neither to identify our clients nor comment on the work we do for them,” in an e-mail response to a request for an interview. But “nobody disagrees on the goals of high-stakes communications—sell a controversial product, win an election, defuse conflict and so forth,” Dezenhall notes in the “manifesto” on the firm’s Web site. “The life-or-death public relations struggles facing businesses today are not about information, they are about power.” In this case, the struggle is over access to scientific information.

Specifically, according to Dezenhall’s suggestions in a memo to the publishers, they should “develop simple messages (e.g., Public access equals government censorship; Scientific journals preserve the quality/pedigree of science; government seeking to nationalize science and be a publisher) for use by Coalition members.” In addition, Dezenhall suggests “bypassing mass ‘consumer’ audiences in favor of reaching a more elite group of decision makers,” including journalists and regulators. This tack is necessary, he writes, because: “it’s hard to fight an adversary that manages to be both elusive and in possession of a better message: Free information.” Finally, Dezenhall suggests joining forces with think tanks like the American Enterprise Institute and National Consumers League in an attempt to persuade key players of the potential risks of unfiltered access. “Paint a picture of what the world would look like without peer-reviewed articles,” he adds.

Of course, open access does not mean no peer review. While the National Institutes of Health (NIH) is not in the business of peer review, according to Norka Ruiz Bravo, NIH’s deputy director for extramural research, the entirety of PLoS journals are peer-reviewed. “Open-access journals are peer-reviewed to the same standards,” notes Mark Patterson, PLoS’s director of publishing. “We wanted to provide an open-access alternative to the best journals to allow the very best work to be made publicly available.”

Viral Video and the 2008 Election

This article focuses on sticking it to McCain, but it’s just the beginning: Attack ads go online and underground [pdf] [via Salon]

The first whack at McCain, now on the video-sharing site YouTube, joins a rapidly growing collection of Web videos posted by critics of leading contenders in the 2008 presidential race. Targets so far include Barack Obama, Rudolph W. Giuliani, John Edwards, Mitt Romney and Hillary Rodham Clinton.

The explosion of video-sharing on the Web poses major risks for presidential candidates: Gaffes and inconsistent statements witnessed by dozens can be e-mailed instantly to millions.

[…] For the candidates, as well as their detractors, the chief attribute of Web video is its broad reach, accomplished at little or no expense.

“You can grab it, send it, link it, and at zero cost,” said Matthew Dowd, a top strategist for President Bush’s 2004 reelection campaign. “Two hundred thousand people could see it in 24 hours.”

Later: In Politics, the Camera Never Blinks (or Nods)

Hmmm — A Privacy Candidate?

And I thought health care was a tough row to hoe: Hillary: The Privacy Candidate? [via Slashdot]

Clinton, the presidential front-runner among Democrats in way-early polling, addressed electronic privacy issues at a constitutional law conference in Washington, D.C. last June. There she unveiled a proposed “Privacy Bill of Rights” that would, among other things, give Americans the right to know what’s being done with their personal information, and offer consumers an unprecedented level of control over how that data is used.

“At all levels, the privacy protections for ordinary citizens are broken, inadequate and out of date,” Clinton said.

[…] “The reality (of her proposals) is that they would almost turn the information economy inside out — it’s like saying, ‘OK, now the water in the stream is going to flow in the other direction,'” said Jim Harper, director of information policy studies at the libertarian think tank The Cato Institute. “It’s easy to imagine, but changing the way information moves in the economy is very, very hard to do.”

“I think that over time that these ideas will reemerge (and gain momentum),” said Marc Rotenberg, the Electronic Privacy Information Center’s executive director, who adds that the second half of this congressional session will provide the senator with many opportunities to support privacy-related legislation.

Note that, for any number of reasons, Russ Feingold is a far more credible “privacy” candidate.

Geist Looks at Vista’s Fine Print

Vista’s Fine Print Raises Red Flags [via Slashdot]

While those reviews have focused chiefly on Vista’s new functionality, for the past few months the legal and technical communities have dug into Vista’s “fine print.” Those communities have raised red flags about Vista’s legal terms and conditions as well as the technical limitations that have been incorporated into the software at the insistence of the motion picture industry.

The net effect of these concerns may constitute the real Vista revolution as they point to an unprecedented loss of consumer control over their own personal computers. In the name of shielding consumers from computer viruses and protecting copyright owners from potential infringement, Vista seemingly wrestles control of the “user experience” from the user.