Emergent ChaosIn it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include:
It's a good short paper, and I'm glad to see research prising apart the ways people think about privacy.
- Contrary to some research, the chief privacy concern appears based on data use, not data itself.
- There is consumer demand for social control that focuses on data use.
- Sophisticated consumers care about economic context and indirect economic effects.
I'd love to know if the authors attempted to extract any initial (qualitative) reactions to the scenario they presented. I'm also curious how long people took, and if their results would be different under time pressure. Both of these questions are related to my belief that transactional costs are dominant in many privacy scenarios, and that people choose defaults to avoid the costs of considering many questions about privacy: they'll often say either yes or no without a lot of consideration.
Update: s/per/pir/g in title [cw][as]
Bookmark this post:
USA Today tells us, "Sci-fi writers join war on terror," in which, "the Homeland Security Department [sic] is tapping into the wild imaginations of a group of self-described "deviant" thinkers...."
There are many available cheap shots as well as fish to shoot in that barrel. I'm going to take a cheap shot at one not in the barrel. The writers brought in are: Jerry Pournelle, Arlan Andrews, Greg Bear, Larry Niven and Sage Walker.
Do you notice anyone missing who should be there? How about Tom Clancy, who wrote a novel in which a Boeing 747 is used as a cruise missile to take out the US Capitol and much of the government?
I can almost excuse the DHS, after all, they're the ones who admit to not having enough imagination. But look at this:
During a coffee break at the conference, Walker, Bear and Andrews started talking about the government's bomb-sniffing dogs. Within minutes, they had conjured up a doggie brain-scanning skullcap that could tell agents what kind of explosive material a dog had picked up.
Oh, wow! Brain-scanning dogs. (Incidentally, this shows how ignorant they are of how sniffer dogs work. They're playing "find the ball" by smell. They don't know explosives from treats.) Why did none of the writers ask each other in a coffee break, "Hey, why isn't a guy who actually predicted this sort of thing here?"
Probably because, "for this group, Walker says, there's no such thing as an 'unthinkable scenario.'"
Sometimes with imagination, less is more.
Bookmark this post:
The iTunes Plus music store opened up today, which sells non-DRM, 256kbit AAC recordings. In case you have missed the financial details, the new tracks are $1.29 per, but albums are still $9.99. You can upgrade your old tracks to high-quality, non-DRM, but you have to do it en masse and it's only for the ones presently offered.
In a delightful bit of evil, you can also set up iTunes to display iTunes Plus first. This effectively gives EMI the endcap.
Ars Technica reports that these tracks, however, contain your account name and email address in them in their article, "Apple hides account info in DRM-free music, too." They say,
With great power comes great responsibility, and apparently with DRM-free music comes files embedded with identifying information. Such is the situation with Apple's new DRM-free music: songs sold without DRM still have a user's full name and account e-mail embedded in them, which means that dropping that new DRM-free song on your favorite P2P network could come back to bite you.
I have verified that this is correct. Apple has encoded both the account name and email address using a steganographic coding mechanism standardized in ISO 10646. Colloquially, a subset of this is often called "ASCII."
I have also verified, however, that you can patch out this information using a variety of tools. Despite my snarky subject line, I did not use sed, I used a text editor. I happened to use one that Doesn't Suck, but I'm sure it will work with vi or emacs, or even Notepad. I give no further instructions, though, as it's easy to botch this if you're not well versed in the technical arts.
As I've noted in the past, they aren't the only one to watermark the files. Emusic does this as well, but with a more obscure scheme. It is possible that there is some other scheme that takes more wit than typing command-F, which is all I did. It is also possible that there are side effects; all I did was play the modified file all the way through and check the info screen, which I show below.
One last bit of advice -- if you're going to put music files up a P2P network, you cannot be paranoid. They are out to get you. It would be folly to take any music you bought from any service and serve it up.
Bookmark this post:
Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, "I'm here to shoot a pilot."
On the one hand, yes indeed, on the list of things you shouldn't say while in Immigration, "I'm here to shoot a pilot" is right up there with being careful how you greet your friend John.
But on the other hand, is the US government really filled full of so many beady-eyed, mouth breathers with brains the size of cashews that it takes five hours to clear this up? And in Los Angeles, of all places? Dear God, click on the link above. It's a Google search for "Mike Figgis." All ten links on the first page point to the director, celebrity, and film maker Mike Figgis. Link #1 (IMDB), link #3 (filmbug.com), and link #5 (mooviees.com) all have pictures of him.
Admittedly, IMDB says he was born in Cumbria, England, and hollywood.com (link #4) says he was "Kenyan-born." Hmmm. Highly suspicious. But filmbug says,
Born in Carlisle, England, Figgis moved to Nairobi, Kenya as a baby. He lived there until his family relocated to Newcastle in the north of England when he was eight.
And that seems to clear it up a bit. Mooviees tells us: Born: Saturday, February 28, 1948 (Carlisle, Cumbria, England, UK), and that seems to let us know that Carlisle is in Cumbria, and hey, there's a date that might be on his passport! Wikipedia (link #2) agrees with that date, but says, "Cumberland" instead of "Cumbria" and unless you've taken Latin, that might look suspicious as well.
So what happened? Did the dates not match properly? Did he cut the curls and go all Bruce Willis? Surely there must be some reasonable explanation. Maybe they really hated Leaving Las Vegas. Or perhaps it was that Sopranos episode. Maybe he called the Immigration agent "Sugartits."
Tip of the hat to 27 B Stroke 6. Original article from The Guardian. Photo of the perp along with Saffron Burrows shamelessly stolen from IMDB, whom I would have linked to if they'd made it easy.
Update on 31 May 2007: This story is apparently too good to be true. Boing Boing got told by people in the know that it's not true.
Bookmark this post:
As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws.
This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send me (for a quarter each), so the scanner and the checkbook will be busy in June. North Carolina sent a printout from their "Breach Notification Log". Interested readers may obtain a PDF copy, which covers breaches from December 2005 until April 2007.
Since I already have info on breaches reported to New York from 12/05 through 12/06, I thought it would be interesting to see how much overlap there is between these sources. The thinking here is that as breaches go there are some that are purely local or perhaps regional, and there are some that sprinkle their effects nationally. Until now, I only had a deep view into one state, but now that has changed.
Herewith, the results for the period 12/05/2005 - 12/31/2006:
| New York |
North Carolina |
|
| New York | 281 | 41 |
| North Carolina | 41 | 77 |
I wouldn't try to squeeze a journal article out of this table, but it is interesting that so many of North Carolina's breaches hit New Yorkers, while a smaller portion of New York's hit North Carolinians. I am eager to receive the actual North Carolina reporting forms and notification letters.
(If you would like to support the gathering of these documents, along with their scanning and publication, you can do so over here)
Bookmark this post:
My friend Jeff Herrold has a new production company, Pure Evil Entertainment. Jeff is one of the best storytellers I know, and he's put a short he made a few years back up on YouTube. It's DEADLINE, and it's a pretty entertaining bit of twistedness.
Bookmark this post:
The cool bit is that the memo directs agencies to act within 120 days, including evaluating their data collection, and continuing collection of personal information only if it's necessary. Unfortunately, what I expect to happen is that all data collection will be declared necessary.
However, far more important than the nature of the changes that were announced is why they were announced, and that is that is that these breaches weren't just swept under the rug. What that means is that breach disclosure is good for you, the American citizen.
It's also why we see so much resistance to talking about breaches. Because as we do, we'll catalyze change. I think that's a good thing, even if it's scary. Some senior officials seem to think the same way.
Via Threat Level 27B-6.bis, "White House Issues Data Breach Prevention Guidelines" and several others
Bookmark this post:
Bookmark this post:
Woo hoo! I feel so much safer! The TSA reports, "Transportation Security Officers SPOT Passenger in Fake Military Uniform at Florida Airport." Picture at right is my foofification of the picture on the TSA site.
Our brave protectors write:
A TSA behavior detection team at a Florida airport helped catch a passenger allegedly impersonating a member of the military on May 10 as he went through the security checkpoint.The passenger, who was en route to New York's John F. Kennedy International Airport, exhibited suspicious behavior that caught the attention of officers. In addition, he was in a military uniform but had long hair, which is not consistent with military regulations, and had conflicting rank insignias on the uniform.
When officers asked for his military identification, the passenger said he had none. He was then questioned about the irregularities of his uniform. The passenger first claimed that the uniform was his brother's, and later, that it was his nephew's.
TSA contacted law enforcement partners at the airport who interviewed the passenger. The passenger was arrested on a state charge of impersonating a U.S. soldier.
Behavior detection officers are trained to focus on behavior and not physical characteristics as part of TSA's Screening of Passengers by Observation Techniques (SPOT) program.
I have questions:
Based solely on the information above, it does not appear that he actually impersonated a soldier. It appears that he was walking around with irregular bits of regalia, and someone called him on it, and he got nervous. Many people get nervous when confronted with authorities like police or TSA, and actually, the better a person you are, the more likely it is that you'll say "brother" when you meant "brother's kid."
I got this courtesy of Bruce, who advocates procedures like "SPOT" which look for "hinky" behavior.
I agree with Bruce, that it's better to look for hinky than rip apart every laptop bag, but the TSA needs to look at this as a failure, even if this guy was actually guilty of a crime worthy of punishment stronger than an afternoon with Carson Kressley. This ain't what we're paying you for.
Let me finish with an anecdote. Like many people in this industry, I have clothing with NSA logos on it, or embroidery that says, "National Security Agency." The NSA sells them in the gift shop of the National Cryptologic Museum as part of their widows-and-orphans fund.
A few Defcons ago, I was wearing such a shirt as I checked out of my hotel. The doorman pointed at the logo as he was getting me a cab and asked, "Do you work for them?"
I met his gaze, smiled and replied, "If I did, I wouldn't be able to answer that question, would I?"
I locked my eyes to his as he went compute-bound for a good three seconds, which is a long time when someone's not flinching. He finally nodded sharply, said, "Right," and pulled my cab over.
Here are some essay questions:
Bookmark this post:
Bookmark this post:
This via Salon's "The man who made Gordon Ramsay cry" -- and let's face it, making Gordon Ramsay cry is a great place to start.
Alex Koppelman asks:
.... Do you think a chef's recipes should be protected as intellectual property?
White replies:
You can't reinvent the wheel. Everyone takes from everybody. How many people are serving foie gras on their menu? How many? How many people do a soupe de poisson? Go to France -- a pigeon en croute de sel, a loup de mer en croute de sel. We live in a world of refinement, not invention. It's the greatest compliment he can be given, this guy. If someone takes one of your dishes and does it, it's flattery. For you to get pissed off because he didn't acknowledge you is ego. It's all too political really, isn't it? I mean, we're fucking chefs.
I think he brings up an interesting issue -- refinement versus invention. Of course, though, the brouhaha he refers to treads close to invention. Ferràn Adrià, Heston Blumenthal, and Wylie Dufresne come very close to inventing with food. On the other hand, what they're doing is so creative that they don't need lots of protection, and don't seek it. If you make foam, we know who you're stealing from. Ditto for putting a laser on a vanilla bean or a cyber-egg. And if one doesn't want people to steal one's recipes, one doesn't publish a cookbook, after all.
White touches on a favorite aphorism of mine that I'm sure someone else independently invented: plagiarism is the most sincere form of imitation.
Photo deep-linked from Salon, by Drew Gardner/eyevine/Zuma Press
Bookmark this post:
Bookmark this post:
The Cutty Sark, perhaps the last sailing clipper, has burned in Greenwich. It was undergoing a £25M restoration. Details from the BBC as well as CNN.
Photo courtesy yours truly. I visited it last summer. I'm going to pour myself a strong drink.
Bookmark this post:
The observation is no less true of legislation than it is of code.
Case in point is the debate over whether to trigger breach notifications when a "reasonable" risk of harm or a "significant" risk of harm exists. Everybody is quick to cite California's breach law, so I'm going to cite New York's:
Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.New York State General Business Law § 899-aa
"Reasonably believed". Not "reasonable risk".
I think this standard is better. The reason is that courts are much better at telling what a reasonable person would believe than they are at assessing probabilities. Philosophically, I could argue that it is unreasonable by definition to believe anything for which you lack empirical evidence, but who am I to argue with 600 years of Anglo-Saxon jurisprudence? Which gets me to a point Adam has been writing about a bit lately -- the quality of the data we have about data breaches.
I'm going to recycle part of a comment I made a couple of weeks ago: If somebody loses my PII, and by virtue of that fact my risk of being an ID theft victim increases 1%, I would say that is significant. If my risk increases .0001%, I would say it is insignificant.
However, what do we -- and by that I mean anyone who can read the open literature -- know about these probabilities? Do we have knowledge of how those probabilities vary across subpopulations? The answer, of course, is no.
Well obviously, even if the probability of me getting my ID stolen given a PII breach is high, I won't care if the probability of the PII breach is low enough in the first place. Kinda like if lightning hits me, I'm gonna be dead. But lightning hardly ever hits people, so why worry. This (I think) is behind the incredibly bad "participate in an anti-fraud program and get out of notifying" loophole in one of the proposed federal bills.
Thing is, we do not (even) know how likely it is that my PII will be breached! We "know" that 150 millionish records are out there, but that is basically just a lower bound. We further do not know how likely an ID theft furthered by such a breach is.
Not knowing these basics, we should not make disclosure conditional on knowledge of states of the world about which are ignorance is so profound.
Let Congress pass a law mandating the collection of data on all breaches. Let them allocate money for ID Analytics (or a competitor, or some sort of quasi-governmental agency) to do the analysis necessary to derive the probabilities. Let this analysis, and the data behind it, be published and vetted by people who actually know their stuff. When we have knowledge, we can act.
Bookmark this post:
Most UK residents want to be informed if their personal data is lost or stolen after a corporate security breach, the latest E-Communications Household Survey from the European Commission (EC) has revealed.Across Europe, it's 64%. Someone should do a survey here, and let the folks at US PIRG know the results. As Dissent covers in "Breach notification proposals in Congress," the main bills, S.495 and S.1178 would both include 'sweep under the rug' provisions. If the public in the US wants to know about mistakes at anything like the rate that people in the EU would like to know, then these bills are seriously off-target in their particulars.Eighty-four percent of UK respondents said they would want to receive information of a breach resulting in data losses. Three-quarters of this group wanted to be informed in any circumstance, while a further nine percent only wanted to be made aware if the lost or stolen data put them at risk of financial damages.
Bookmark this post:
We're sorry, but we could not fulfill your request for /2007/04/21/astroglide-data-breach-exposes-customer-information/ on this server.This is broken. I'm trying to read. My request is well-formed HTTP. Bloggers like readers, right? If you're an attacker and trying to blog spam in some way, this doesn't help. You'll add a referrer header. Blocking some URLs that come in without an HTTP referrer header might help a little, but all this does is lose you readers.An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
Your technical support key is: 4051-a119-45b3-5e30
You can use this key to fix this problem yourself.
If you are unable to fix the problem yourself, please contact badbots at ioerror.us and be sure to provide the technical support key shown above.
I don't know who's to blame for this really ill-considered software, but it blocks me from visiting URLs I've bookmarked at a couple of blogs. Oh well. You've lost me as a reader. So, homeland stupidity, no link for you. Not knowing the difference between reading and writing means you don't me as a reader for your blog.
Bookmark this post:
In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, "News from Bizzaro World: Ashcroft Opposed Taps."
Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I'm not particularly a fan of his, but the Venn diagram of what he valued and what I value looks more like the Mastercard logo than the Hooters logo, and I don't think that this is an ipso facto surrealism.
Back in 1998 as a Senator, Ashcroft was a supporter of Goodlatte's SAFE (Security And Freedom through Encryption) Act, not to be confused with the 2003 "Security and Freedom Ensured" act, which was an attempted limitation of the PATRIOT Act. When that SAFE Act was destroyed in the House, he with Patrick Leahy and Conrad Burns introduced the E-PRIVACY (Encryption Promotes the Rights of Individuals in the Virtual Arena Using Computers) bill. Despite the fact that there was no "Y" in their acronym (perhaps it was a silent "Y'all"), it's a pity it never was passed. The EFF gave a good news/bad news assessment with the good news being:
EFF is pleased to say that the E-PRIVACY Act is the most thoughtful piece of encryption legislation to date. Introduced by Senators John Ashcroft (R-Mo.), Patrick J. Leahy (D-Vt.), and Conrad Burns (R-MT), the new bill sharply varies from proposals favored by the Clinton Administration and law enforcement/national security agencies by easing export controls on mass market encryption products, limiting government access to decryption keys, and prohibiting the government from requiring key recovery mechanisms.
The bad news was that it created a new crime of using encryption as part of a criminal act. I'm not in favor of that, but we got that part, and we never got the good news.
After E-PRIVACY never went anywhere, there was the 1999 PROTECT Act, and you can find Ashcroft saying it doesn't go far enough fast enough.
Despite many quirks, such as being bothered by bare breasts, he favored bearing arms and clothing communications. His successor as AG, Alberto "Schultzie" Gonzales, often seems to be to be the incarnation of the cynical adage, "be careful what you ask for." Take a look through the EFF archives from '98, and feel a bit wistful. Read Dahllia Lithwick in Slate, and feel moreso. Ashcroft was a complex person with whom many of us had disagreements, not an inhabitant of Bizarro World.
Bookmark this post:
What, indeed, was the nature of the "program" before Goldsmith, Comey and Ashcroft -- those notorious civil libertarian extremists -- called a halt to it, and threatened to resign if the President continued to break the law? And what was the nature and breadth of its legal justification? I am hardly alone in realizing that these are the most important questions arising from the recent Comey testimony. It's the question of the night, all over the Web. (When will the mainstream press catch on? And more importantly, as I asked in my last post -- When will the Congress insist on comprehensive and public hearings, both on this and on the legal support for the Administration's torture practices?)Marty Leberman continues to have the best analysis of the NSA's wiretap program. Go read "What Was "The Program" Before Goldsmith and Comey?" In "Putting the Pieces Together" he also explains how the criminal wiretaps led to the appointment of Gonzales to clean the DOJ of libertarians like Ashcroft.
Bookmark this post:
So reports Haft of the Spear, in "You'll Share and You'll Like It!"
The Homeland Security and Justice departments have spent $893 million on information-sharing networks in the last two years but still do not have effective networks in place, according to a report from the Government Accountability Office.Admittedly, there are more problems in sharing intelligence data than there are in sharing breach data. The fear of change runs deep, as does our unwillingness to give up control of the little bits of data we can see. It would be funny, if it wasn't so painful.
Bookmark this post:
