Showing posts with label privacy. Show all posts

Friday, June 27, 2008

Big Brother is Watching

How very apt...

Big Brother is Watching - camera at George Orwell Place



At least the Spanish tell you when you're being filmed.

Thursday, March 13, 2008

Sensible privacy ruling

It isn't always bad news, sometimes those in power get it right.

Bruce Schneier reports on a good ruling from the German Constitutional Court: the court rejected a state's law allowing investigators to covertly search computers online, finding it to be a severe violation of privacy. Instead the court declared that searching PCs needs to be treated like telephone wiretaps and similar exceptions to the expectation of privacy.

More here.

Schneier also discusses David Brin's "The Transparent Society", and why transparency on its own is not enough to protect people from abuse at the hands of the powerful. David Brin responds, but sadly completely misses the point about the imbalance of power made by Schneier: in the restaurant analogy that Brin favoured, all the patrons have roughly equal power.

UPDATE, 16/3/08: I'm liking those Germans more and more. The High Court has put a stop to British-style total surveillance of car number plates. The surveillance laws were described by one German newspaper as having "all the hallmarks of a totalitarian state, which wants to know everything about everyone, suspect or not, without cause and without limitation", and the High Court seemed to agree.

The ruling isn't a complete win for citizens, with the court declaring that "random samples" were allowed, and scanning of cars crossing the border, but at least the German government isn't hell-bent on returning to the days of Stasi domination, unlike the British government.

Monday, February 25, 2008

The Anonymity Experiment

Can you live in a big city without leaving traces? Who is watching you and what you do?

2006, David Holtzman decided to do an experiment. Holtzman, a security consultant and former intelligence analyst, was working on a book about privacy, and he wanted to see how much he could find out about himself from sources available to any tenacious stalker. [...] When he put the information together, he was able to discover so much about himself—from detailed financial information to the fact that he was circumcised—that his publisher, concerned about his privacy, didn’t let him include it all in the book.

[...] Last year, 127 million sensitive electronic and paper records (those containing Social Security numbers and the like) were hacked or lost—a nearly 650 percent increase in data breaches from the previous year. [...] Last November, the British government admitted losing computer discs containing personal data for 25 million people, which is almost half the country’s population.

[...]

It was strangely calming, standing in this dim room, watching the words and thoughts of strangers reveal themselves to me. I still had my hat on, but for once there were no surveillance cameras, so I sat down on a bench in the room and pulled out my notebook, grateful to finally be the observer rather than the observed. And then, out of the corner of my eye, I saw her: a security guard standing in the room’s darkened corner—silent, motionless, watching.

Unlike some, I'm not ready to give up on privacy in the information age. I'm with this important essay by Bruce Schneier:

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

[...]

There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

Speaking of privacy... I want this.

Three links

Three interesting miscellaneous links:

Can the Cavendish banana be saved from extinction? (No.) Can the fruit growers create a new variety acceptable to the American market? (Probably not.)

The town of Brattleboro, Vermont, has tabled a motion authorizing the local cops to arrest Bush and Cheney if they come into the town.

A leaked British government document shows that they intend to coerce the population into giving up their privacy.

Sunday, February 24, 2008

Deputizing the ISPs

One of the more insidious dangers coming out of the copyright lobby is the idea that ISPs must be made responsible for enforcing copyright law on their behalf by choking off infringing material. It's a rather bizarre concept, no different from the idea that the Post Office must scrutinize every piece of mail posted for signs of illegal activities.

In practice, not only would this be a huge burden on ISPs, but it's also ridiculously impractical. Since infringing bytes aren't coloured differently from non-infringing bytes, the only "solutions" are to either non-selectively cut off entire avenues of communication, or make an expensive and ineffectual attempt to analyze Internet traffic, trying to detect infringing material. That sort of censorship is ripe for abuse and prone to errors. And let's not forget the privacy implications of having your ISP actively monitoring every packet of data you send.

Such is the influence of the copyright lobby that the idea is being taken seriously, so it is good to see that British bastion of middle-class respectability, the Guardian, slam the idea:

Some internet users are irresponsible, and their behaviour may even be damaging Taylor's clients. But in seeking legislative relief for this distress, governments need to strike a balance between the wider public interest and the demands of a particular industry to defend an increasingly obsolete business model. And though the record industry is important, it's an economic minnow compared with the IT industry.

An analogy may help to illustrate the point. Millions of people use the telephone network for questionable, illegal or unethical purposes. But we would regard it as unthinkable to impose on phone companies a legal obligation to monitor every conversation.

Who owns data?

Ed Felten raises a very important point about many of the debates we have about data portability: we start off by making a poor assumption, and that closes off options.

An example is the Internet storm over Facebook canceling well-known blogger Robert Scoble's account. Scoble had amassed a vast amount of data in his account, and got caught using software tools to export it. Facebook has a vested interest in locking people into their service (more users = more advertising revenue), and the way they have chosen to do this is to give people free accounts, encourage them to invest a lot of time creating valuable (to the users, if not anyone else) data, but prohibit them from extracting that data elsewhere.

Hmmm... I must update my Blogger backup script. It hasn't worked well since Google made the upgrade from Blogger version 1 to version 2.

The poor assumption that we make is that data -- facts -- must be owned by somebody. As Felten says:

Where did we get this idea that facts about the world must be owned by somebody? Stop and consider that question for a minute, and you’ll see that ownership is a lousy way to think about this issue. In fact, much of the confusion we see stems from the unexamined assumption that the facts in question are owned.

Once we give up the idea that the fact of Robert Scoble’s friendship with (say) Lee Aase, or the fact that that friendship has been memorialized on Facebook, has to be somebody’s exclusive property, we can see things more clearly. Scoble and Aase both have an interest in the facts of their Facebook-friendship and their real friendship (if any). Facebook has an interest in how its computer systems are used, but Scoble and Aase also have an interest in being able to access Facebook’s systems. Even you and I have an interest here, though probably not so strong as the others, in knowing whether Scoble and Aase are Facebook-friends.

How can all of these interests best be balanced in principle? What rights do Scoble, Aase, and Facebook have under existing law? What should public policy say about data access? All of these are difficult questions whose answers we should debate. Declaring these facts to be property doesn’t resolve the debate — all it does is rule out solutions that might turn out to be the best.

UPDATE: Chris Finke has an innovative solution to the Facebook problem, one which could (in principle) be extended to all similar such websites. His Facebook Scavenger extension for Firefox lets you capture copies of the data once it's in your browser.

Sunday, April 01, 2007

Security and privacy

Security and privacy are often seen to be in opposition: we're often asked to give up some of our privacy for safety. By letting the trusted good guys watch everything we do, presumably the bad guys won't have a chance to do anything bad.

The Royal Academy of Engineering has just released a report disagreeing with that view. They claim that it is possible to design systems that increase security without eroding privacy.

For many electronic transactions, a name or identity is not needed; just assurance that we are old enough or that we have the money to pay. In short, authorisation, not identification should be all that is required. Services for travel and shopping can be designed to maintain privacy by allowing people to buy goods and use public transport anonymously.

The Register has more, and the full report is here [PDF file].

Wednesday, March 14, 2007

Windows phones home

Windows Vista "phones home" when you install it. More details are coming out about what identifying information it sends to Microsoft. Not only does it send back identifying information, but it does so even if you cancel the installation or update.

Thursday, January 18, 2007

Google/Blogger privacy warning

I just noticed something... new improved Blogger requires you to sign in with your Google account, which means that Google can match the searches you perform with your Blogger account.

Hmmm... I think it's about time to investigate Yahoo Search -- especially as Firefox includes a "Yahoo search" engine, built right into the toolbar.

Wednesday, January 17, 2007

TV licensing

To those of us in civilized countries, the UK's television licensing comes as quite a shock. In Britain, anybody with a television, or other device for receiving TV signals (say, a TV tuner card) must pay a yearly license fee which (in theory) pays for the BBC, instead of coming out of general tax revenue.

Consequently, retailers are required to collect the names and addresses of anyone who purchases a television, and report them to the TV Licensing Authority. The BBC Television website collects cookies to identify people visiting their television-related pages, passing them on to TV Licensing. Private inspectors can be sent to households, at any time without warning or notice, to inspect your house for televisions or other devices and ensure you are correctly licensed, and television detector vans roam the streets scanning for TV receivers. (According to Wikipedia, the inspectors don't have any powers to enter unless invited in, unless they get a warrant, nevertheless there are many abuses.) The Authority keeps vast databases of who owns televisions and who hasn't got a licence -- another part of the surveillance society.

There may be good arguments for TV licensing, but economics certainly isn't one of them. The costs of enforcing the licensing, borne by the TV Licensing Authority, householders, TV retailers, etc. are significant. Those costs would virtually disappear if it were subsumed into general taxation revenue.

An interesting case occurred recently in the UK: a former prisoner and prison reform advocate, John Hirst, had his conviction for failing to be licensed overturned on appeal. The original court had accepted that he used the TV only for watching CCTV, videos and DVDs, but still found him "technically guilty".

According to the Register:

Despite the fact that Hirst was discharged, he took the appeal on a point of principle. "The TV Licencing Authority assume if you say that you don't watch your TV for live broadcasts you're a liar," Hirst told OUT-LAW Radio. "It's still down to the prosecution to prove guilt, not for the assumption to be there that you are guilty and you need to prove innocence.

"As far as I am concerned there is nothing such as 'technically guilty' in English law, you are either innocent or you are guilty," he said.

[snip]

It was a sense of injustice that led him to take his TV licence case as far as he did. "It began with a whole lot of letters that came, each letter got more and more threatening as it went along," he said. "It was a whole lot of assumptions that I was doing something wrong."

"I have admitted to offences as severe as manslaughter and arson, so I'm not going to lie on something as piddling as a TV Licence," he said. "They got that wrong, they picked on the wrong person."

Saturday, January 13, 2007

Schneier on Surveillance

Two from Bruce Schneier on widespread surveillance:

Why technology is fundamentally changing the balance between freedom and police power:

Years ago, surveillance meant trench-coated detectives following people down streets. It was laborious and expensive and was used only when there was reasonable suspicion of a crime. Modern surveillance is the policeman with a license-plate scanner, or even a remote license-plate scanner mounted on a traffic light and a policeman sitting at a computer in the station.

It's the same, but it's completely different. It's wholesale surveillance. And it disrupts the balance between the powers of the police and the rights of the people.

[...]

The effects of wholesale surveillance on privacy and civil liberties are profound; but, unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It's obvious that we are all safer when the police can use all techniques at their disposal. What we need are corresponding mechanisms to prevent abuse and that don't place an unreasonable burden on the innocent.

[...]

Wholesale surveillance is not simply a more efficient way for the police to do what they've always done. It's a new police power, one made possible with today's technology and one that will be made easier with tomorrow's.

And why single vivid incidents can fool people into making bad judgements:

I'm in the middle of writing a long essay on the psychology of security. One of the things I'm writing about is the "availability heuristic," which basically says that the human brain tends to assess the frequency of a class of events based on how easy it is to bring an instance of that class to mind. It explains why people tend to be afraid of the risks that are discussed in the media, or why people are afraid to fly but not afraid to drive.

One of the effects of this heuristic is that people are more persuaded by a vivid example than they are by statistics. The latter might be more useful, but the former is easier to remember.

[...]

I can write essay after essay about the inefficacy of security cameras. I can talk about trade-offs, and the better ways to spend the money. I can cite statistics and experts and whatever I want. But -- used correctly -- stories like this one will do more to move public opinion than anything I can do.

Cognitive biases are something I've been meaning to write about for a long time, but for now I'll just point out that the number of Americans killed by terrorist actions since the 1960s is about the same as the number killed by accidents involving deer. Imagine Mad King George declaring a War on Deer.

On second thoughts, let's not give him any more ideas...

Friday, December 15, 2006

Your shoes are spying on you

Bruce Schneier blogs about a surveillance system that automatically tracks people by their shoes.

Don't toss your loafers away and go barefoot just yet: it can't track any shoes, just the particular combination of Nike + iPod Sport Kit.

Schneier writes:

To me, the real significance of this work is how easy it was. The people who designed the Nike/iPod system put zero thought into security and privacy issues. Unless we enact some sort of broad law requiring companies to add security into these sorts of systems, companies will continue to produce devices that erode our privacy through new technologies. Not on purpose, not because they're evil -- just because it's easier to ignore the externality than to worry about it.

Sunday, September 24, 2006

Web feedback form

A friend of mine who preferred to remain anonymous passed this on to me, with permission to post it for the world to see.

He had been trying to purchase a product from Officeworks' website, but the site said it was unavailable over the Internet, only direct from stores, and to call a number to find out which stores had stock. Unfortunately, the number they gave wasn't connected.

So he tried to send them a message via a form on their website. Naturally enough, being a multi-bazillion dollar company, the software they are using is broken, and it deleted his message when he tried to send it because he didn't fill in enough information. Which led to this message being sent:

    This is my SECOND attempt to send this. The first time was to notify you that your catalog contains an error. Product ID CHH5606 says "Not available at all locations, call 13 15 05 for details" but that phone number is not connected. First rule of successful marketing: get your own phone number right.

    I'm also writing to say that your brain-damaged software deleted my message when I clicked send, just because I didn't specify my last name. YOU DON'T NEED MY LAST NAME TO ANSWER AN EMAIL. If I wanted you to know my last name, I would have told you.

    And even if you did need to know it, it is rude and stupid beyond belief for the software to delete everything I typed because I left something out. What sort of C-grade pile of crap software are you people running? You probably spent tens of millions of dollars on it too, and the moron responsible for the project probably got a promotion. What a joke.

Damn straight. In fact, according to Australian privacy legislation, Officeworks is skating on awfully thin ice if they force people to leave their name in order to make a random enquiry. Imagine doing that to a phone enquiry -- "I'm sorry sir, I can't answer your questions unless you tell me your full name."

Friday, September 22, 2006

Gmail careless with privacy -- again

When you click on a link in your web browser to go to a new page, your browser sends information to the web server which includes the page you were coming from. This information is called the "referer" [sic] and is normal behaviour in web browsers. However, Gmail goes beyond the normal amount of information in the referer, and leaks enough information to sometimes identify the originator.

Marc from O'Reilly Books writes:

When I get referers from GMail messages on my new blog, they often contain a query string parameter labeled 'cat' with a cleartext, meaningful value in it. I've often been able to determine, from the 'cat' value, exactly who is talking about my site in email, and in one case, exactly what they thought of what we're doing!

It isn't clear to me whether it is the person who emails the link via Gmail, or the person who clicks on the link in Gmail, who can be identified, but either way, this is a worrying privacy breach from Google -- especially when their privacy policy specifically states that they use a cut-down version of the referer to help protect the user's privacy.

Now, I'm not going to say Liar liar pants on fire!, but it seems that Gmail's claim about the steps they take to protect the user's privacy is rather different from the actual steps they take to spray users' fingerprints all over the Internet.
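The referer leak described above, as an added example that is not part of the original post: it reads Referer headers out of constructed web-server log lines, reports any query-string parameters they carry (the post's 'cat' parameter is reproduced here with a made-up value), and shows what a genuinely cut-down referer, scheme and host only, would have revealed instead. The host names, paths and log lines are constructed samples.

```python
"""Audit Referer headers in web-server logs for query-string leakage.

Added example, not code from the original post. The log lines, host names
and the 'cat' value are constructed samples; the format follows the common
Apache/nginx "combined" layout, where the referer is the field after the
response size.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2006:10:01:02 +0000] "GET /blog/post HTTP/1.1" 200 512 "http://mail.example.net/mail/?cat=Friends+who+read+bad+blogs" "Mozilla/5.0"
203.0.113.8 - - [22/Sep/2006:10:02:15 +0000] "GET /blog/post HTTP/1.1" 200 512 "http://mail.example.net/" "Mozilla/5.0"
203.0.113.9 - - [22/Sep/2006:10:03:44 +0000] "GET /blog/post HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line, status, size, then the quoted referer field we want.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) [^"]*" \d+ \S+ "([^"]*)"')


def extract_referers(log_text):
    """Return the Referer field of every parsable line ("-" means none sent)."""
    referers = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match:
            referers.append(match.group(1))
    return referers


def leaked_parameters(referer):
    """Query-string parameters the referer exposes to the destination site.

    parse_qs decodes '+' and %xx escapes, so the values come back as the
    cleartext the destination's log would show.
    """
    if not referer or referer == "-":
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(referer).query).items()}


def cut_down(referer):
    """The privacy-preserving form of a referer: scheme and host only.

    That is all a destination needs in order to know a visitor came from a
    given site; the path and query string add nothing but identifying detail.
    """
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}/"


def audit(log_text):
    """Report, for each referer present, what it leaks and its cut-down form."""
    report = []
    for referer in extract_referers(log_text):
        if referer == "-":
            continue  # browser sent no referer; nothing to inspect
        report.append({
            "referer": referer,
            "leaked": leaked_parameters(referer),
            "cut_down": cut_down(referer),
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        if entry["leaked"]:
            print(f"LEAK   {entry['referer']} -> {entry['leaked']}")
        else:
            print(f"clean  {entry['referer']}")
        print(f"       cut-down form would be: {entry['cut_down']}")
```

Run against a site's own access log, the same check shows which upstream sites are sending more in their referers than the bare origin.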

Thursday, September 14, 2006

Facebook privacy trainwreck

Danah Boyd discusses the user-revolt on the social-networking site Facebook after they introduced software that displays every action you take to all your friends.

Not surprisingly, people were horrified -- even though everything they did was, in a sense, public, the sense of invasion of privacy was huge.

As Danah points out, privacy is often about the ick-factor -- that sense that, even though you haven't done anything wrong, you don't want people knowing everything you do.

Privacy [...] is about the sense of vulnerability that an individual experiences. When people feel exposed or invaded, there's a privacy issue.

Even if you don't use social network software like LiveJournal, Facebook or similar, you should read her post.

Monday, September 11, 2006

"I am not Saddam's son!"

An American has been forced to deny publicly that he is the son of Saddam Hussein after a credit agency placed a note on his credit record stating that he was.

On August 10, after his family was refused a home loan, an Arcata man was mortified to find the phrase “son of Saddam Hussein” included on his credit report. “I looked at it and couldn’t believe my eyes!” said the Arcata man who asked that only his middle name, Hassan, be divulged.
[...]
According to Shirin Sinnar from the San Francisco branch of the Lawyers’ Committee for Civil Rights, credit bureaus are listing the names of known terrorists on the credit reports of unsuspecting everyday, average citizens across the country. Sinnar indicated the names are harvested from the U.S. Treasury Watchlist by credit bureaus and other financial institutions.

Friday, September 08, 2006

Goggle versus privacy

It's not easy being Google. Once you take the moral high ground, and make your unofficial company motto "Don't be evil", people actually expect you to not be evil -- even when it is inconvenient to you.

Google is currently blocking a number of privacy-enhancing proxies, such as FoxyProxy and Tor, possibly because some bot or bots are misusing them all. (Why am I skeptical that all of these services have been compromised by a bot?)

Just maybe Google has a legitimate reason for blocking these proxies. But, legitimate reason or not, they're putting their convenience ahead of people's right to privacy -- and that is stretching "Don't be evil" virtually to breaking point.

Monday, September 04, 2006

Disney and fingerprinting

Another reason to avoid the over-priced rides, junk food and crowds of Disneyland: Disney now fingerprints visitors to their theme parks.

Their excuse for doing so is that it is necessary to prevent ticket fraud and resale of tickets. That's nonsense. You don't need to fingerprint buyers to prevent fraud, and as for preventing resale, that goes against everything that the free market stands for. What does Disney care if I buy a valid ticket and sell it to somebody else? They got their money, what I do with the ticket -- use it, burn it, eat it with ketchup, sell it for ten times the price -- is none of their concern and not their business.

Cory Doctorow writes:

For me, the worst part of this is that it conditions us to get used to being treated like crooks. If you were asked for a fingerprint when you bought a doughnut, you'd rightly leave the store. Why should an amusement park get a walk?

Also in Doctorow's post is one of the best quotes I've seen for a long time:

Our national immune system has begun to attack us in a terrible anaphylactic spasm -- indiscriminate NSA wiretaps, meaningless TSA security theater, secret aviation rules and no-fly lists, "free speech zones," suspension of habeas corpus and all the rest.

Thursday, August 24, 2006

Why TrackMeNot is a waste of time

In the wake of vast privacy breaches from AOL, and the possibility of others from Google, Yahoo and other search engines, some well-meaning coders created a Firefox extension called TrackMeNot.

TrackMeNot sounds like a good idea: while you browse the Internet, it runs in the background sending fake search requests to the major search engines, hiding your actual searches in a sea of fake ones. From the TrackMeNot website:

It hides users' actual search trails in a cloud of 'ghost' queries, significantly increasing the difficulty of aggregating such data into accurate or identifying user profiles.

Bruce Schneier explains why it is a waste of time. So does BoingBoing.

As it stands now, TMN is pointless. Any serious dataminer can easily separate the fake queries from the real ones. But even if the technical flaws in it were solved, it doesn't "hide" your searches at all -- it just gives the bad guys/authorities more reason to investigate you, which makes it not just pointless but counter-productive. The only way this tool could be genuinely useful would be if enough people used it that dataminers decided that all search data was suspect -- and that would require a large percentage, maybe even a majority, of Internet users to use it. And that isn't going to happen without an unholy army of virus-born 'bots, millions upon millions of computer trojans and viruses, firing off fake search requests from innocent third parties' computers. But that would be Wrong.

Saturday, August 19, 2006

Random bag searches

Security consultant Bruce Schneier discusses New York City's random bag searches on subways, and why they are a pointless waste of time. Recently the US Supreme Court ruled that the searches are legal, on the basis of some exceedingly dubious reasoning, and Schneier discusses that too. Especially of interest is one of the readers' comments, which points out that Customs has found its ability to do its job seriously hampered by the ineffective and dubious "anti-terrorism" programmes foisted upon it. It seems quite likely that, at least in more excitable nations such as the USA, the end result of many of these "security" measures will be less, not more, security.