Sensible privacy ruling

It isn't always bad news, sometimes those in power get it right.

Bruce Schneier reports on a good ruling from the German Constitutional Court: the court rejected a state's law allowing investigators to covertly search computers online, finding them to be a severe violation of privacy. Instead the court declared that searching PCs need to be treated like telephone wiretaps and similar such exceptions to the expectation of privacy.

More here.

Schneier also discusses David Brin's "The Transparent Society", and why transparency on its own is not enough to protect people from abuse at the hands of the powerful. David Brin responds, but sadly completely misses the point of the imbalance of power made by Schneier: in the restaurant analogy that Brin favoured, all the patron's have roughly equal power.

UPDATE, 16/3/08: I'm liking those Germans more and more. The High Court has put a stop to British-style total surveillance of car number plates. The surveillance laws were described by one German newspaper as having "all the hallmarks of a totalitarian state, which wants to know everything about everyone, suspect or not, without cause and without limitation", and the High Court seemed to agree.

The ruling isn't a complete win for citizens, with the court declaring that "random samples" were allowed, and scanning of cars crossing the border, but at least the German government isn't hell-bent on returning to the days of Stasi domination, unlike the British government.

Wikilinks

Wikilinks is a website devoted to disclosing leaked materials, including confidential information, with the aim of discouraging unethical and illegal behaviour by corporations and governments.

The site currently includes:

• leaked documents showing that the US military in Iraq is equipped with anti-personnel chemical weapons in contravention of US-ratified treaties prohibiting the use of such chemical weapons in warfare.


• the suppressed auditor's report detailing the extent and details of the corruption by former Kenyan Prime Minister Daniel Moi, including the purchase of 10,000 hectares of land in Australia with stolen money.


• The use of psychologists by US forces at Gitmo while torturing prisoners (I'm old enough to remember the US roundly criticizing the USSR for doing more or less the same thing).


• Secret trust structures used for money laundering and tax evasion and to hide assets by Swiss bank Julius Baer.


• A leaked German report showing that some of the people in charge of former Stasi files are themselves ex-Stasi.

Just under two weeks ago, a US judge ordered that the Wikilinks site be shut down. Specifically, the judge ordered that the hosting company remove the Wikilinks domain name. Naturally, to those who understand how the Internet works, that's no barrier to accessing the site, domain name or no domain name. Even the New York Times didn't hesitate to describe the judge's action as "feeble":

The feebleness of the action suggests that the bank, and the judge, did not understand how the domain system works or how quickly Web communities will move to counter actions they see as hostile to free speech online.

The site itself could still be accessed at its Internet Protocol (IP) address (http://88.80.13.160/) — the unique number that specifies a Web site’s location on the Internet. Wikileaks also maintained “mirror sites,” which are copies of itself, usually to insure against outages and this kind of legal action. These sites were registered in countries like Belgium (http://wikileaks.be/), Germany (wikileaks.de), and the Christmas Islands (http://wikileaks.cx) through domain registrars other that Dynadot, and so were not affected by the injunction.

Fans of the site and its mission rushed to publicize those alternate addresses this week. They have also distributed copies of the sensitive bank information on their own sites and via peer-to-peer file sharing networks.

Yesterday, the judge rescinded his own order, lifting the ineffective injunction.

I have high hopes that this site will be around for a long time.

The Anonymity Experiment

Can you live in a big city without leaving traces? Who is watching you and what you do?

2006, David Holtzman decided to do an experiment. Holtzman, a security consultant and former intelligence analyst, was working on a book about privacy, and he wanted to see how much he could find out about himself from sources available to any tenacious stalker. [...] When he put the information together, he was able to discover so much about himself—from detailed financial information to the fact that he was circumcised—that his publisher, concerned about his privacy, didn’t let him include it all in the book.

[...] Last year, 127 million sensitive electronic and paper records (those containing Social Security numbers and the like) were hacked or lost—a nearly 650 percent increase in data breaches from the previous year. [...] Last November, the British government admitted losing computer discs containing personal data for 25 million people, which is almost half the country’s population.

[...]

It was strangely calming, standing in this dim room, watching the words and thoughts of strangers reveal themselves to me. I still had my hat on, but for once there were no surveillance cameras, so I sat down on a bench in the room and pulled out my notebook, grateful to finally be the observer rather than the observed. And then, out of the corner of my eye, I saw her: a security guard standing in the room’s darkened corner—silent, motionless, watching.

Unlike some, I'm not ready to give up on privacy in the information age. I'm with this important essay by Bruce Schneier:

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

[...]

There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

Speaking of privacy... I want this.

Who owns data?

Ed Felten raises a very important point about many of the debates we have about data portability: we start off by making a poor assumption, and that closes off options.

An example is the Internet storm over Facebook canceling well-known blogger Robert Scoble's account. Scoble had amassed a vast amount of data in his account, and got caught using software tools to export it. Facebook has a vested interest in locking people into their service (more users = more advertising revenue), and the way they have chosen to do this is to give people free accounts, encourage them to invest a lot of time creating valuable (to the users, if not anyone else) data, but prohibit them from extracting that data elsewhere.

Hmmm... I must update my Blogger backup script. It hasn't worked well since Google made the upgrade from Blogger version 1 to version 2.

The poor assumption that we make is that data -- facts -- must be owned by somebody. As Felten says:

Where did we get this idea that facts about the world must be owned by somebody? Stop and consider that question for a minute, and you’ll see that ownership is a lousy way to think about this issue. In fact, much of the confusion we see stems from the unexamined assumption that the facts in question are owned.

Once we give up the idea that the fact of Robert Scoble’s friendship with (say) Lee Aase, or the fact that that friendship has been memorialized on Facebook, has to be somebody’s exclusive property, we can see things more clearly. Scoble and Aase both have an interest in the facts of their Facebook-friendship and their real friendship (if any). Facebook has an interest in how its computer systems are used, but Scoble and Aase also have an interest in being able to access Facebook’s systems. Even you and I have an interest here, though probably not so strong as the others, in knowing whether Scoble and Aase are Facebook-friends.

How can all of these interests best be balanced in principle? What rights do Scoble, Aase, and Facebook have under existing law? What should public policy says about data access? All of these are difficult questions whose answers we should debate. Declaring these facts to be property doesn’t resolve the debate — all it does is rule out solutions that might turn out to be the best.

---

UPDATE: Chris Finke has an innovative solution to the Facebook problem, one which could (in principle) be extended to all similar such websites. His Facebook Scavenger extension for Firefox lets you capture copies of the data once it's in your browser.

Secrecy is like a weed

Unless you take steps to keep it under control, it spreads and takes over everything.

The Bush government has been one of the most secretive ever, for less reason than ever before. This stain has started spreading to even scientific organisations like NASA, which has refused to release the results of a survey into airline safety.

Anxious to avoid upsetting air travelers, NASA is withholding results from an unprecedented national survey of pilots that found safety problems like near collisions and runway interference occur far more frequently than the government previously recognized.

NASA gathered the information under an $8.5 million safety project, through telephone interviews with roughly 24,000 commercial and general aviation pilots over nearly four years. Since ending the interviews at the beginning of 2005 and shutting down the project completely more than one year ago, the space agency has refused to divulge the results publicly.

Just last week, NASA ordered the contractor that conducted the survey to purge all related data from its computers.

The Associated Press learned about the NASA results from one person familiar with the survey who spoke on condition of anonymity because this person was not authorized to discuss them.

A senior NASA official, associate administrator Thomas S. Luedtke, said revealing the findings could damage the public's confidence in airlines and affect airline profits [emphasis added].

Heaven forbid if the airlines profits were hurt because people could make informed decisions. That's not the capitalist way!

Pictures that lie

News.com is running a pictorial report on photo manipulation. The old cliche "the camera never lies" is not true any more, and possibly never was.

There is also an interesting article about software that is being developed which can detect photo-manipulated images by looking for discrepencies in lighting and statistical anomalies at the pixel level.

Photo manipulation is (potentially) big business: as Gartner analyst L. Frank Kenney points out, the potential commercial and political gains from faked photos are huge:

"How much is the presidency of a country worth, or control of a company? People tend not to read the retractions," he said. "Once the stuff is indelibly embedded in your memory, it is tough to get out."

It is interesting to see the difference in photo manipulation strategies during recent American elections. For example, there were no shortage of photoshopped pictures of President Bush carrying "Presidenting For Dummies" or pretending to read books upside down: silly and obvious fakes. On the other hand, somebody faked a photo of John Kerry together with hated anti-Vietnam war protestor "Hanoi Jane" Fonda. Nobody really thinks George W. Bush can't tell when a book is upside down -- that's satire. But a photo of presidential candidate Kerry apparently sharing a podium with the woman who millions of Americans still consider a traitor... that goes beyond satire into outright dishonesty. If you can't find mud to sling, fake some.

I must admit I was rather disappointed with the manipulated images chosen by News.com. Too many of them were obvious fakes (which is not the same as being bad fakes) and the political implications were merely implied rather than discussed.

If you want to see highly imaginative and excellent quality photoshopped images, you could do far worse than to visit Worth1000.com and check out the contests. The possibilities are shown by entries like Paris Hilton's newest pet:


or Bishop Hugh Hefner:



[Click on images for full view]

No photos please, we're Australian

Melbourne's Southbank shopping centre wants to ban tourists and shoppers from taking photos in the shopping centre -- and even Australia's conservative Prime Minister, John Howard, thinks they're going too far.

But unfortunately there are no laws laying out freedom in privately-owned but public spaces like shopping centres. Because they are privately owned, the centre management is legally permitted to demand virtually any conditions they choose, regardless of whether they are reasonable or not.

The problem (apart from the stupidity of thinking that taking photographs of public buildings is a terrorism threat) is that the law doesn't distinguish between truly private property, like your house and office, and public property that just happens to be privately owned. Once a property owner issues a general invitation for anyone and everyone to enter his property, common sense tells us that the property takes on the characteristics of public property.

The shopping centres want to have their cake and eat it too: they claim that there is no expectation of privacy in the shopping centre because it is a public space, and therefore they can photograph and film visitors, but then turn around and declare that for "privacy reasons" shoppers aren't allowed to take photos. That's just nonsense, but unfortunately it is legally-protected nonsense.

Recently, employees at Flinders Street train station were criticised for abusing Japanese tourists who took photos of the famous Flinders Street clock. The train company defended the practice by playing the terrorism card: what if terrorists took photos of the famous landmark?

Well, what if they did? It's not like the clock is a secret. It's on maps and in books and everything. In any case, these imaginary terrorists could simply walk less than 100 metres down the street to a tourist souvenire shop and buy postcards showing photos of Flinders Street station.

Don't take that camera to town

Neftaly Cruz was arrested by Philadelphia police for taking a picture of police arresting a drug dealer with his mobile phone camera.

"[The police officer] opened up the gate and Neffy was coming down and he went up to Neffy, pulled him down, had Neffy on the car and was telling him, 'You should have just went in the house and minded your own business instead of trying to take pictures off your picture phone,'" said [neighbour] Gerrell Martin.

Cruz said police told him that he broke a new law that prohibits people from taking pictures of police with cell phones.

"They threatened to charge me with conspiracy, impeding an investigation, obstruction of a investigation. ... They said, 'You were impeding this investigation.' (I asked,) "By doing what?' (The officer said,) 'By taking a picture of the police officers with a camera phone,'" Cruz said.

[...]

"There is no law that prevents people from taking pictures of what anybody can see on the street," said Larry Frankel of the American Civil Liberties Union. "I think it's rather scary that in this country you could actually be taken down to police headquarters for taking a picture on your cell phone of activities that are clearly visible on the street."

Cruz was not charged. After being held for an hour, he was told by the police that he was being released because their supervisor wasn't on duty.

Why hide the security lesson of Mumbai?

Bruce Schneier points out there is a serious, if minor, security lesson to be learnt from the Mumbai train bombings:

Two quotes:

Authorities had also severely limited the cellular network for fear it could be used to trigger more attacks.

And:

Some of the injured were seen frantically dialing their cell phones. The mobile phone network collapsed adding to the sense of panic.

(Note: The story was changed online, and the second quote was deleted.)

Cell phones are useful to terrorists, but they're more useful to the rest of us.

This is an important lesson. There is a tendency amongst certain "authorities" to distrust and be condescending to the public. Honesty and transparency is alien to their way of thinking, and it shouldn't be. The fear of a mobile phone signal triggering more attacks is ridiculous -- as far as I know, such an attack has never taken place, ever. Mobile phones are frequently used as timers to trigger bombs, but they don't need to be connected to the cellular network for that. Cutting off the network has zero benefit: it doesn't prevent further bombings (they can run off a timer, just like the original bombs). But it does have significant costs: not just the human cost of preventing the dying, injured and merely worried victims from calling their loved ones, but the more serious costs to first responders like ambulance. After Sept 11, the private networks used by police and fire departments broke down under the load, and the first responders relied on their personal mobile phones to communicate. Cutting off the cellular network imposes a significant burden on the already-struggling first responders.

Zero benefit, significant cost -- I'm not surprised that the clueless authorities would be in love with the idea of shutting off the mobile network. But I am surprised that the New Zealand "Stuff" website is a party in hiding that lesson by censoring their report.

China criminalises journalism

Seems that China is about to criminalise the reporting of news without government permission.

Didn't the Soviet Union try that? How did it go for them?

How much tax do companies pay?

Are companies being hit with onerously high taxes?

Of course, that's a ridiculously broad question. Which companies, in what countries? Narrow it down: how about Britain?

As reported by the Telegraph, The Hundred Group report that they contributed £18 billion to the UK government, and call for greater transparency in just how much company taxes they pay.

Unfortunately, the report doesn't actually mention when they paid that £18 billion, or even whether it was a single year's payment. It is strongly implied, so let's assume that it is the tax paid over one year.

Note also that these aren't offical statistics from the tax department, these are self-reported figures by the companies in question. Have you ever known a company to argue that they aren't paying enough in taxes? So there is a potential bias here.

But for the sake of the argument, let's accept the numbers are accurate. £18 billion sounds like a lot; what percentage of profits is it?

Unfortunately, the Telegraph doesn't report the profits made by The Hundred Group, so we are forced to look elsewhere for that information. (This is ironic, given The Hundred Group's call for greater transparency.)

The Telegraph reports that members of The Hundred Group are the FTSE 100 companies, plus a number of other large organisations such as the BBC and the Institute of Chartered Accountants in England and Wales. Can we find out their profits?

Each year, the Guardian publishes an account of how much money the FTSE 100 companies donate to charity. In 2005, the FTSE 100 companies donated 0.87% of their before-tax profits to charitable, social or environmental projects, for a total of £948.69 million.

So, let's do some calculations:

0.87% of the total before-tax profits of the FTSE 100 companies = £949 million

So the total before-tax profits = £949/0.0087 = £109,080 million, or £109 billion.

Out of that £109 billion, they paid £18 billion in taxes, or a little less than 17%.

That figure is an over-estimate of the percentage, because the numerator (taxes paid) comes from FTSE 100 companies plus others, while the denominator (before-tax profit) only counts the FTSE 100 companies. So, we're over-counting the tax paid and under-counting the total profit.

On average, the FTSE 100 consists of 100 companies making £1 billion in pre-tax profit each. They pay less than 17% tax on that £1 billion. That's not a bad little earner.

Now, companies are supposed to be "people" for the purposes of the law -- not "natural persons", like you or I, but people still. If you or I earned £1 billion in profit, we'd pay significantly more than 17% in tax. The top tax rate for "natural persons" is typically between 40% and 50% in many Western democracies -- and, for the purposes of taxation, corporations get many deductions which natural people don't.

The Telegraph writes:

Philip Broadley, chairman of the group and the finance director of the Prudential, insisted yesterday that the timing of the survey's publication was not dictated by the fact that the 2006 Budget is in less than two weeks' time.

Nevertheless, he said: "There is a need for greater transparency regarding all taxes paid by business, not just corporation tax, to ensure that stakeholders are more aware of these other business taxes and the total amount of tax that companies contribute to society in the form of Government revenues."

Absolutely. More people need to understand that they, as individuals, are being taxed disproportionally more than corporations making billions of pounds of profit.

The Tale of the Lost Phone

The New York Times (warning: registration and DNA sample required) tells the tale of a lost mobile phone, and how it was found:

Three weeks ago, Mr. Guttman went on a quest to retrieve a friend's lost cellphone, a quest that has now ended with the arrest of a 16-year-old on charges of possessing the missing gadget, a Sidekick model with a built-in camera that sells for as much as $350. But before the teenager was arrested, she was humiliated by Mr. Guttman in front of untold thousands of people on the Web, an updated version of the elaborate public shamings common in centuries past.

The tale began when Mr. Guttman's best friend Ivanna left her cellphone in a taxicab, like thousands of others before her. After Ivanna got a new Sidekick, she logged on to her account - and was confronted by pictures of an unfamiliar young woman and her family, along with the young woman's America Online screen name.

The 16-year-old, Sasha Gomez, of Corona, Queens, had been using the Sidekick to take pictures and send instant messages. She apparently did not know that the company that provided the phone's service, T-Mobile, automatically backs up such information on its remote servers. So when Ivanna got back on, there was Sasha.

Using instant messages, Mr. Guttman tracked down Sasha and asked her to return it. "Basically, she told me to get lost," Mr. Guttman recalled. "That was it."

Big mistake. Guttman set up a web page detailing everything that happened, and word rapidly spread. Before long, Guttman was receiving thousands of emails from people whose phones had been lost or stolen -- and more importantly, messages from lawyers, police officers and others volunteering to help retrieve the phone.

Sasha Gomez, meanwhile, was receiving a lot of unwelcome attention:

Some readers also began visiting Sasha's MySpace page and bombarding her and her friends with e-mail messages. Others found her street address in Corona and drove by her family's apartment building, taking videos or shouting out "thief" in front of her neighbors.

It didn't take long for the threats to begin:

Mr. Guttman also kept exchanging e-mail messages with Sasha and, eventually, her family. Then he heard from her older brother, Luis Pena, who said he was a military policeman and warned Mr. Guttman to let his sister alone.

Mr. Guttman posted the exchange.

Within days, he was contacted by dozens of active and retired soldiers. One said he had gone through basic training with Mr. Pena; several others told Mr. Guttman that making such a threat was a violation of military policy and promised to report Mr. Pena to his superior officers.

Mr. Guttman posted it all.

"I don't want people to be punished," he said last week. "I just want them to give the Sidekick back."

Eventually, the police became involved:

The police arrested Sasha and charged her with possession of stolen property in the fifth degree, a misdemeanor. (The police have possession of the Sidekick and plan to return it to Ivanna.) Sasha was released, but was not available to comment. Her mother offered a parting remark.

"I never in my life thought a phone was going to cause me so many problems," Ms. Gomez said.

It's not the phone which caused the problem. It was the refusal to return it to its rightful owner.

Blocking digital cameras

BoingBoing writes about new technology that can detect and blind digital cameras:

Georgia Institute of Technology researchers developed a system that scans an area for the CCDs in digital still and video cameras. Once it locates one, the system would shine a laser into the CCD to "neutralize" its imaging capabilities.

The list of suggested applications is ... interesting:

• Preventing movie piracy


• Stopping industrial espionage


• Blocking people from taking photos of their kids with Santa at a shopping mall

One the inventors missed is stopping people from taking photos of public areas. Heaven forbid if people could just take a photo of the landscape without money changing hands.

See also this news release.

What really makes Wikipedia great

There's been a lot of recent discussion about the Hive Mind and when collectivism is wise. For the Internet-savvy generation, the two best examples of collective wisdom are Google and Wikipedia. I would hope that Google needs no support -- it is by far the best search engine available today. But Wikipedia is frequently criticised for equating the opinions of amateurs -- and not very good amateurs at that -- with the opinions of experts.

But there is a factor which people have not considered. While Google is collectivist, it is opaque -- Google's Page Ranking algorithm is secret. We cannot criticise or test Google's results, only take them as revealed wisdom.

But Wikipedia is the opposite: it is completely transparent. You aren't forced to choose between accepting Wikipedia's articles as revealed wisdom, or rejecting them all together. Instead, you can click on the "discussion" button on each page, and see for yourself the discussions, arguments, disagreements and agreements that led to the article. Where the stakes are high, the wise person will not only read the article, but take into account the article's history and those who wrote it. Was this section written by somebody with an axe to grind? Is this point controversial? Does this authour have the respect of other authors, or is he a loose cannon with an agenda? All that information is publically available in Wikipedia.

In that regard, Wikipedia reminds me of that other great example of collectivism: the scientific consensus. In science and mathematics, it doesn't -- or at least shouldn't -- matter whether you are a self-trained amateur or Mr. Establishment himself: it's what you say, not who you are, that is important. The scientific consensus is completely open and transparent (at least in principle) -- anyone can borrow or subscribe to the appropriate scientific journals and follow the debate between scientists as they nut out a collectivist opinion.

In that regard, I see the greatest feature of Wikipedia is its transparency: unlike other encyclopedias, with Wikipedia you don't have to accept the wisdom of the article on trust, but can see for yourself where it came from.

Previous posts on this subject:
The Hive Mind is stupid and boring -- why do we love it so?
The Hive Mind, part II

L.A. Court declares open season on whistleblowers

Mack Reed, writing for the L.A. Voice, tells how the U.S. Supreme Court has ruled 5 to 4 that whistle-blowers can be legally punished for upholding the law:

The nation's highest court just ruled that an L.A. County prosecutor had no constitutional protection under whistle-blowing laws when he was demoted and passed over for promotion after writing a memo questioning whether a sheriff's deputy had lied in an affidavit for a search warrant...

Over on Online Journal, Evelyn Pringle has more details about both the ruling and the case that lead up to it. It appears to be a straightforward case of a government-employed attorney being punished for trying to uphold the law in the face of outrageous police corruption.

It is interesting to see where the nine Supreme Court judges fell:

Declared that whistle-blowers' speech is not protected by the First Amendment:

Anthony Kennedy	appointed by Ronald Reagan
John Roberts	appointed by George Bush Jr
Antonin Scalia	appointed by Ronald Reagan
Clarence Thomas	appointed by George Bush Sr
Samuel Alito	appointed by George Bush Jr

Declared that whistle-blowers' speech is protected by the First Amendment:

John Paul Stevens	appointed by Gerald Ford
David Souter	appointed by George Bush Sr
Ruth Bader Ginsburg	appointed by Bill Clinton
Stephen Breyer	appointed by Bill Clinton

Fascinating to see that, with the exception of Justice Souter, all the "no protection, fire at will" judges were appointed by presidents who claimed to stand for smaller, more accountable government.

More detail on the ruling from Gov Exec.