Facebook: Conform or else

Robert Scoble, discussing Facebook founder Mark Zuckerberg:

He also said that his system looks for “outlying” behavior. He said if you behave like an average user you should never trigger the algorithms that will get you kicked off.

Let’s be specific here: if you behave like the system’s Harvard undergraduate founders and primarily-male engineering staff have programmed the software to think like “an average user” behaves you should never trigger the algorithms that will get you kicked off. Except in reality, most people don’t behave that way. Robert is surprisingly sympathetic to arbitrary undocumented limits on speech:

Of course, that irks me a bit because my usage of social media sites is totally outlier behavior. But, I can see his point. One thing that’s nice about Facebook is that I see very little spam or other nasty behavior.

That’s Jon Pincus discussing “Zuckerberg: Facebook to ratchet up exploitation, only bans “outliers”.”

I think this is a real concern. Facebook exists as a means of connecting with others. As I discuss in “ Identities are Created Through Relationships,” we create and evolve our identities through such interaction. If Facebook imposes conformity through secret rules whose violation results in suspension, then it acts as a censor on our social interaction and our willingness to explore and excel.

It’s unsurprising that Scoble sees little spam or other nasty behavior, but free communities have some level of that, or they have a constant level of looking over one’s shoulder for the camera or the plainclothesman. Scoble shouldn’t be ok with that, and neither should we.

They’re trying to dress up giving users the ability to up/down vote on their rules as “democracy,” and giving users a voice but as Michael Zimmer documents, it’s a vote. They haven’t (say) Wikified their Terms of Service and given users real input. They certainly aren’t offering minorities any protection against the wishes of the majority.

What if the entire userbase votes to make everything from a member of the Screen Actors Guild fully public?

It is fascinating to watch the autocracy of Facebook forced to take tentative steps towards democracy. Here’s hoping that their community also pushes for liberty.

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote:

We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum!

In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve added an “issue type” at the bug tracking system level) and updated the template format. You can read more about the tool at the Microsoft SDL Threat Modeling Tool page, or just download 3.1.4.

Unfortunately, we have no effective mitigation for the threat of bad π jokes.

I’m really excited about this release. This is solid software that you can use to analyze all sorts of designs.

Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:”

A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what the solutions should be. Questions remain concerning the scope of security breach laws, their effectiveness, and cost. Critics argue that notification laws are wasteful and that most breaches aren’t connected to identity theft. Supporters say the laws create vital incentives to safeguard information and reveal hidden cracks in security.

The symposium begins with a session on California’s security breach law and continues with a look at current research and proposed reforms by the state’s top policy makers and scholars.

Conference Information and agenda is online at: http://www.law.berkeley.edu/institutes/bclt/security/schedule.htm.

DETAILS: The program is free for public interest groups and media. Registration required by the general public. For more info, go to http://www.law.berkeley.edu/institutes/bclt/security/about.html

Space is still available, please join us!

[Update: the linked site had permission issues, now fixed. Thanks Chris!]

More on Privacy Contracts

Law Prof Dan Solove tool the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality:

Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach of confidentiality. The tort is recognized in most states, and it provides for liability whenever one owes a duty of confidentiality and breaches that duty. We observed, however, that the tort has remained “relatively obscure and frequently overlooked” in American law. In contrast, in England, the tort is robust and applies quite broadly. We suggested in our article that the American tort could develop more along the lines of the English tort, and it is, in fact, already beginning to head in that direction. See Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).

Lots more very interesting analysis. Check it out!

Congratulations, Justin!

Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger.

I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was blogging about taxonomies a lot. It was really cool to engage with him, and helped me see the potential for where this might go.

So thanks, Justin, and congratulations on a well-deserved award!

Don’t put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at a IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common.

He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with Down Syndrome. See law firm Proskauer Rose’s “Google Execs Face Privacy Related and Other Criminal Charges for Taunting Video” for or Dan Solove’s “Criminalizing Google’s YouTube in Italy” for background.

A small part of me is happy to see enforcement of privacy laws. This is clearly a sit up and take notice moment for many executives around privacy, and that might be for the good.

I think much more, it’s to the detriment of much of what’s good about the internet, and not even good for privacy. On the scale of privacy invasions, this one isn’t like publishing someone’s medical records, their financial records, or their diary. It’s three minutes of bullying. I’m not trying to universalize my values, but it’s hard to understand 191 seconds of bullying as justifying three years in jail. The executive ‘takeaway’ from this is likely to be “we need to get those laws fixed.”

Google claims that 200,000 videos are uploaded to Google Video daily. There’s all sorts of good–people are enthralled, and choose to spend a tremendous amount of time watching that crap. No, really, 99% of it’s crap, but 1% is great, and we all differ on which video is which. It’s chaotic. The value of Google Video emerges from hundreds of thousands of people providing video, and Google making it available to others.

If Peter Fleischer goes to jail, that will stop. Not just at Google, but at other companies (not speaking for my employer–I have no knowledge of plans.) No executive will say this is worth jail time. The chilling effect would be massive, and also ineffective.

Video on the internet will move to a peer to peer system, just like music has. The ability to remove content will fall away, as will searchability. What’s more, we won’t gain much in privacy (except, perhaps, with regards to how much Google can observe). New business will be hesitant to step into these areas, and we’ll give up all the good which might emerge.

Ironically, Google’s aggressive tracking (with 3 domains worth of cookies and 2 Flash LSOs) offer up a perfect “more speech” opportunity. There are logs of who viewed the original video. It would be easy (if an apology video existed) to show it to each person who viewed the original video, and to measure what fraction had seen it.

None of this is aided by a threat of jail time for Peter Fleischer.

Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column.

Brenner watched the FUD as he spreads it. He moans histrionically,

When security is your company’s business, even the smallest breach is worthy of scorn. If you can’t keep the bad guys out of your own database, how can customers reasonably expect that you’ll keep theirs safe?

Oh, please. Spare us the gotcha. Let me toss something back at Brenner. In the quote above, he says, “theirs” but probably meant to say “them.” The antecedant of “theirs” is database, and Kaspersky isn’t strictly a database security company, but an anti-virus company. “Them” is a much better turn of phrase, and I hope what he meant to say. How can we possibly trust CSO Online as a supplier of security knowledge when they can’t even compose a simple paragraph? And how can we even trust your own tagline:

Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items.

Why is FUD Watch creating the very sort FUD they claim to watch? Who watches the FUD watchers? I do, I suppose.

Is my criticism unfair and picayune? Yup.

People make mistakes, even Kaspersky and F-Seecure. And heck, even CSO Online. I forgive you.

Brenner came very close to writing the article that should have been written. If even the likes of Kaspersky and F-Secure fall victim to stupid things like SQL injection, what does that say about the state of web programming tools? How can mere mortals be safe if they can’t?

The drama about these breaks is FUD. It shows that no one is immune. It shows that merely being good at what you do isn’t good enough. It means that people need to test, verify, buy Adam’s book, read it, and act on it.

The correct lesson is not schadenfreude, but humility. There but for the grace of God, go all of us.

Synthetic Identity “Theft” – The Mysterious Case of Prawo Jazdy

The BBC tells the tale of a Polish immigrant flouting traffic regulations across the emerald isle:

He had been wanted from counties Cork to Cavan after racking up scores of speeding tickets and parking fines.
However, each time the serial offender was stopped he managed to evade justice by giving a different address.

As it turns out, however, there was more (and less) to this dastardly villain’s wild ride than meets the eye.

“Prawo Jazdy is actually the Polish for driving licence and not the first and surname on the licence,” read a letter from June 2007 from an officer working within the Garda’s traffic division.
“Having noticed this, I decided to check and see how many times officers have made this mistake.
“It is quite embarrassing to see that the system has created Prawo Jazdy as a person with over 50 identities.”

BBC News

And thus, the mystery was solved.

Public domain image via pl.wikipedia.org

A-Rod had a privacy contract, and so did you

urine sample.jpg

In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004.

But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any civilized contest, the rules of engagement are critical. Everything has rules of engagement, even something as life-or-death as war. Ever heard of the Geneva Convention? Those are rules of engagement, and it’s something we are expected to follow — even against a war-time enemy we literally want to kill.

Somebody broke the rules of engagement with A-Rod. Baseball and the union were supposed to destroy the tests in 2003. If there was a master list linking each test to a specific player, that list was supposed to be destroyed, too. This was serious stuff, this confidentiality, and only because it was so serious did players like Alex Rodriguez submit to it. (“A-Rod should sue sinister system that snagged him,” CBS Sports)

So there’s an obvious violation of the contract, which may or may not have specified damages. Are there other torts here?

It seems that given the nature of the literally irreparable harms to reputation that privacy invasions can entail, the law may or may not have reasonable remedies here. (Note that I said irreparable, not un-compensatable or even of great magnitude. Even if it turns out that the tests were flawed, A-Rod’s reputation will be permanently sullied by those who remember the initial burst of news.)

There’s also a tie to Facebook’s latest changing and re-changing of their privacy rules.

The idea that your privacy contract is fungible and flexible inhibits the creation of a real market differentiation around privacy. If a company can change the rules at any time, why bother reading what they say today?

What should the law say about this?

Image: StockXpert.

[Update: Dan Solove has very interesting follow-on analysis in “ A-Rod, Rihanna, and Confidentiality.”]

Three on the Value of Privacy

First, the Economist, “Everybody Does It:”

WHY is a beer better than a woman? Because a beer won’t complain if you buy a second beer. Oops. There go your correspondent’s chances of working for Barack Obama, America’s president-elect.

(Ironically, the Economist’s articles are all anonymous.)

Second, Fraser Speirs, “On the Flickr support in iPhoto ‘09:”

As you may guess, I was a little perturbed at this since I pay my mortgage by selling, er, a Flickr upload plugin for iPhoto.

Fraser looks at his (excellent) product, FlickrExport, and finds that the value is now in privacy and control of what leaves your computer and how.

And finally, a follow-on to an aside in ‘Lessons for security from “Social Networks’,:”

In recent months, American Express has gone far beyond simply checking your credit score and making sure you pay on time. The company has been looking at home prices in your area, the type of mortgage lender you’re using and whether small-business card customers work in an industry under siege. It has also been looking at how you spend your money, searching for patterns or similarities to other customers who have trouble paying their bills.

In some instances, if it didn’t like what it was seeing, the company has cut customer credit lines. It laid out this logic in letters that infuriated many of the cardholders who received them. “Other customers who have used their card at establishments where you recently shopped,” one of those letters said, “have a poor repayment history with American Express.”

It sure sounded as if American Express had developed a blacklist of merchants patronized by troubled cardholders. But late this week, American Express told me that wasn’t the case. The company said it had also decided to stop using what it has called “spending patterns” as a criteria in its credit line reductions. (“A (Very) Watchful Eye on Credit Card Spending,” The New York Times.

Apparently, that was just too creepy, even for American Express, who I’ve commented on in “American Express and Privacy.”

MI5 Head Critiques Government on Liberties

The BBC reports:

A former head of MI5 has accused the government of exploiting the fear of terrorism to restrict civil liberties. Dame Stella Rimington, 73, stood down as the director general of the security service in 1996…”Furthermore it has achieved the opposite effect – there are more and more suicide terrorists finding a greater justification.”

What’s new? It’s gone far enough that even former spy chiefs are speaking out.

Let’s stop the madness, and embrace liberty and the risk that the chaos won’t be all for the good.

Thanks to Nicko for the pointer.

Javelin ID theft survey

Salon reports “Identity theft up, but costs fall sharply:”

In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to $496.

Javelin, unfortunately, does work with confidential numbers, so we can’t reproduce or analyze their results.

So we can’t tell if this undercuts the idea that breach disclosure laws don’t work. We can tell that the common reporting is wrong, as Kevin Poulsen demonstrates in “Stolen Wallets, Not Hacks, Cause the Most ID Theft? Debunked.”

Via Concurring Opinions
[Update: fixed image url.]

Closing the Collapse Gap

There’s a very interesting annotated presentation at “Closing the ‘Collapse Gap’: the USSR was better prepared for collapse than the US.” In it, Dmitry Orlov lays out his comparison between the USSR and the USA of 2006. Posting this now because a talk he gave at Long Now is getting lots of attention.

In closely related news, Maurizio d’Orlando lays out that U.S. debt approaches insolvency:

In 2007, public debt in the United States was 10.6 trillion dollars, compared to a GDP (gross domestic product) of 13.811 trillion dollars. Public debt in 2007 was therefore 76.75% of GDP. In just one year, direct and indirect public debt have grown to more than 100% of GDP, reaching 176.9% to 184.2%. These percentages exclude the debt guaranteed by policies underwritten by AIG, also nationalized, and liabilities for health spending (Medicaid and Medicare) and pensions (Social Security)[2]. By way of comparison, the Maastricht accords require member states of the European Union (EU) to reduce their public debt to no more than 60% of GDP. Again by way of comparison, in one of the EU countries with the largest public debt, Italy, public debt in 2007 was equal to 104% of GDP.

[Update: I’d meant to include both Bruce Sterling, “2009 Will Be a Year of Panic” and Rob Sama, “
The Federal Government Has Jumped The Shark