Blown To Bits

File under: If it can be done it will be done

August 30th, 2010 by Harry Lewis

Now here is an interesting Twitter feed: A running report on every book being checked out of all of Harvard’s libraries. Feels voyeuristic to me, but you have to stretch your imagination to figure out how this would be an invasion of privacy. If the tweets are close to real time, maybe somebody could watch who comes out of Widener library right after “Anglo-Saxon Wills” was checked out, and maybe identify the person who is trying to challenge a millennium-old bequest. (That is a real example — at least the name of the book part.) Still, even without being able to figure out who is reading this stuff, knowing that SOMEBODY is RIGHT NOW finding a need to read that classic tome, “Documents diplomatiques. Deuxième Conférence internationale pour la répression de la traite des blanches (18 avril-4 mai 1910),” — well, I just can’t help thinking it is none of my business. The book is about the white slave trade. Am I just a prude?

Re-identification is a very sophisticated art these days. Maybe someone can figure out how to make mischief by correlating these data with some other source. I can’t think of a way off the top of my head. What think you?

In the category of anything that can happen, will happen

August 5th, 2010 by Harry Lewis

Especially if it is the government that has the capability.

How many times were we told that the full body scanners at airports would be incapable of storing and transmitting images? Turns out they actually do have that capability. In one courthouse they have been used to store tens of thousands of images, apparently to reduce staffing demands (CNET report here). If something bad happens later, they can go back and check the images. The Electronic Privacy Information Center has filed suit about this.

The TSA spec document (pdf here), obtained by EPIC, says “the capability to capture images of non-passengers for training and evaluation purposes is needed,” a capability that seems to have been used by one TSA worker to tease another about the size of his genitalia (ACLU report here).

I happen to have no problem personally with full body scanners, but I am sympathetic with people who do. (This is a little a homeless person saying he has no problem with burglars. My body scan would not bring much on the image market.) Of course, what the government has accomplished by misrepresenting what the machines can do is to make it more likely that people like me will resist using them, or cooperating with any other kind of government data gathering. This should have been the lesson of the Bush warrantless wiretaps. It is one of the side effects of government growth that it becomes harder to monitor and those inside it become increasingly relaxed about infringements of publicly stated policies, as along as they judge that the exceptions either minor or due to extraordinary circumstances, and are meant ultimately to benefit the public.

A File With 100 million Facebook Users’ Data

July 28th, 2010 by Harry Lewis

So some clown, sorry, security researcher has done a scan of every Facebook profile his robot could reach and assembled a file of all their public information, and posted it for download. 100 million profiles.

I could have done it. You could have done it. No need to bother, though, because Ron Bowes did it for you.

This is one of those things that is not a technology story. It’s an ontology story, or a spiritual story, or something.

Facebook reports that it’s all public information, public because the users wanted it public. So there is no news here, in their view.
“No private data is available or has been compromised,” as they say. And they are correct technically. Why is it creepier to have your data in a file with 99,999,999 other profiles, on everybody’s laptop, when the same information about you would have turned up in a Facebook query, or a Google search for that matter? Public is public, right?

The aggregation sure makes it feel different. But that is a matter of feelings, and Facebook’s response was written by its legal team. For lawyers, everything is a binary. Things are either black or white. But privacy has lots of grey.

The Telegraph has a good report on it.

Speech control news from all over

July 14th, 2010 by Harry Lewis

More than a year ago, when the Supreme Court upheld the FCC’s authority to fineFox Television Stations for “fleeting expletives” uttered by Bono and others, we noted that the court made only a technical ruling and some of the opinions were sympathetic to Fox’s position on the underlying and more important First Amendment question:  was the rule the FCC applied too vague, capricious, and uncertain so that it chilled speech? Technology has changed, we noted, and perhaps it is time for the rules to change too, since they were always premised on an argument that television and radio were exceptional technologies, by comparison with books, for example.

The case went back to the lower court, which took up the constitutional question, and ruled against the FCC. (New York Times story.) The judge in the case made a number of correct observations–why should the standards be different for cable TV than for broadcast TV, for example. She did not rule out the possibility of the FCC adopting rules that would be constitutional, and noted that she was bound by the Supreme Court’s 1978 Pacifica decision which made that FCC authority clear. But for the moment, the networks can relax a bit about prosecution for the occasional cuss out of the blue — for example, the one in a discussion of Middle East policy that was spoken by a US President to a British Prime Minister, and which the broadcast networks had to bleep out.

It will be interesting to see what the government does now. It could appeal, but the case seems like a loser, and an appeal all the way to the Supreme Court could backfire, since Justice Thomas signaled that there may well be five votes for overturning Pacifica and costing the government all of its regulatory authority over televised speech.

In other speech control news:

A judge in Pennsylvania signed an order, drafted by a defense attorney, requiring newspapers to expunge their archives of all mention of the defendants’ arrest. The defense attorney actually has part of the logic right: “What’s the sense in having your record expunged if anyone can Google you and it comes up?” He’s right that expungement orders have been blown to bits. He’s just wrong that the way to fix that problem is retroactive censorship of the printed word. It’s a problem that can’t really be fixed, in the U.S. anyway. What was this judge thinking?

Also, a couple of notes on anonymity. I was reading Richard Clarke’s book Cyber War, which makes a compelling case for a more controlled version of the Internet by riding roughshod over civil liberties concerns. Having described the Internet as basically a hippie invention (“the Internet as we know it today is deeply imbued with the sensibilities and campus politics of [the 1960s]“), Clarke scornfully distances himself from any respect for anonymous speech, or reading.

The “open Internet” people believe that if you wish to read The Communist Manifesto, or research treatments for venereal disease, or document China’s human rights violations, or watch porn online, your access to that information will not be free if anyone knows that you are looking at it.

So much not just for Vint Cerf, but for the professional and legal standards governing libraries in most states in the U.S. He comes off sounding just like the Chinese government in its latest “explanation” about how it will control the Internet. “We will make the Internet real name system a reality as soon as possible,” a Chinese official said recently, referring to a requirement that Chinese will in the future have to use their actual names in all Internet communications, no anonymous postings or emails allowed. Just what Clarke would like to see happen here.

The News on Internet Censorship

July 13th, 2010 by Harry Lewis

Either it’s an election year, or the Massachusetts Legislature and Governor don’t understand how the Internet works. Or both.

Close readers of this blog will remember my discussion back in February of a case in Massachusetts where some creep got off the hook for sending lewd text messages to a child, because the relevant statutory definition of “matter” not to be disseminated did not include text messages. At the time, I said that the definitional problem was easily remedied.

So the Commonwealth remedied it, by including not just text messages but the entire Internet. The new clause in the definition reads as follows:

any electronic communication including, but not limited to, electronic mail, instant messages, text messages, and any other communication created by means of use of the Internet or wireless network

This definition certainly plugs the legal loophole through which that creep escaped after sending little Johnny a text message. Unfortunately the clause also captures Johnny finding his way to the online edition of Fanny Hill, or Memoir of a Woman of Pleasure, or to a site such as Dr. Marty Klein’s “sexed.org,” which gives “Straight Talk on Sex, Love, and Intimacy.” It may also include this site, since I just linked to that 18th century novel and that 21st century advice site. And maybe it applies to any social networking site where someone posts a comment linking to any of the above.

The problem, as ArsTechnica explains, is that “disseminate” is a term carried over from the days when one obtained information by going into a bookstore and buying it. The clerk at the book store could look at Johnnie and tell he was 13, or ask him for an ID if he looked like he might be 17 rather than 18. It also nicely covered sending obscene stuff telephonically or by postal delivery, since those are person-to-person media. The way information flows through the Internet makes it impossible to know where it is going. And there is nothing in the statute that restricts the crime to cases in which you actually know that you’ve reached a minor. You just have to reach a minor, and to know that what you disseminated is harmful to minors.

Dr. Klein, the ACLU, Harvard Book Store, and several other plaintiffs have asked for an injunction blocking the law, which took effect yesterday. The complaint (pdf, 44 pages) makes a number of strong points, of which perhaps the most disturbing is this:

The United States Congress and the states of Arizona, Michigan, New Mexico, South Carolina, Vermont and Virginia previously enacted laws which, like Sections 2 and 3, applied the harmful to minors test to Internet speech. All of them were either held unconstitutional or enjoined on First Amendment grounds. Ohio and Utah also passed such laws. The Ohio statute has been narrowed by the courts to constitutional dimensions. The Utah statute is being challenged in federal court and has been preliminarily enjoined.

This is where I begin to wonder about the effect of the election cycle. Why enact a censorship law pretty much identical to others that have been ruled unconstitutional, if not because it will be politically popular to do so?

In the same vein, the National Review offers an article by Jonah Goldberg and Nick Schulz, Gated or X-Rated? The authors ridicule the open-Internet gurus, and defend Apple for its effort to create a walled garden with no porn. They encourage legislative measures that will support private-sector solutions to the problem of children seeing bad stuff–their particular proposal is the creation of a .kids domain, where only child-friendly stuff would appear. (And where apparently it would be impossible for any 17-year-old to find a link to sexed.org.) The authors specifically call out Free Press and Public Knowledge for transforming the Internet’s “sensible design principle into something approaching an ideology.” “… [T]he culture of the Internet is to oppose anything approaching actual culture. Strong cultures edit and constrict,” they say. Well, it depends what you mean by “culture.” What is the culture of paper, or of books? There isn’t any. Anything goes. Of course society can control what gets printed–except that the culture of the U.S., as defined in its constitution, is that it can’t be controlled very much–and not in ways, as the Supreme Court has repeatedly held, that would unreasonably restrict what adults can legally see.

Nonetheless, Goldberg and Schulz argue, we should have more edited, constricted, walled-off parts of the Internet. They use the metaphor of the “frontier” to describe the goal of the Internet utopians, suggesting that their real agenda–Noam Chomsky gets a shout, of all people–is anti-corporate.

In addition to the practical problems of keeping a big part of the webby structure sterile, the problem is that every attempt to legislate Internet safety has proved to be over-inclusive, to violate the plain language of the First Amendment. And relying on private parties would be a lot less frightening if the world were not converging on a few private information monopolies. If Google and Apple and a handful of media companies control all the content and all the pipes, the private sector “alternatives” become the sole sources.

Recommended reading: Closing the Digital Frontier, in the Atlantic, by Michael Hirschorn. It is an apt metaphor, but it leaves one thinking that Goldberg and Schulz have nothing to worry about. All the digital land is going to be owned and controlled by a few private players anyway, and they will make sure that the Internet provides just what best suits their business purposes.

It is always sad to see conservatives, who ought to be the biggest worriers about information freedom, find common cause with the nanny-staters such as our Massachusetts legislators.

Oh Dear, A Windows Messenger Privacy Mess

June 29th, 2010 by Harry Lewis

In the world of social media, it is hard to get the privacy defaults right, because the whole point of social media is to connect with other people. So you want to make that easy, so people don’t have to fight the system. And of course there is a network effect so the designers tip toward connecting more people to each other rather than less, where there is a choice. They don’t always get the design right, as the Google Buzz fiasco showed.

But then things happen that are just bugs, or unanticipated reactions between multiple databases and applications. In which category it seems the current problem with Microsoft Messenger falls. InfoWorld explains it thus:

Consider this sobering scenario: You and your boss use Windows Live Messenger (or MSN Messenger or Windows Messenger) to keep in touch. One day, you get a job offer from Snidely Whiplash at a competing company across town. You and Snidely have a brief IM conversation, using Messenger. Innocent and private, yes? Well, no.

The next time your boss logs into Hotmail — not Messenger, mind you, but Hotmail — your boss glances at the initial Hotmail screen and sees that you and Snidely have become “friends.” That’s what the notice says: “Woody Leonhard and Snidely Whiplash are now friends.”

Or think wife and girlfriend, instead of boss and competitor. Any two people with whom you are IM’ing who should certainly not be made aware that they are both part of your social circle.

This problem persists no matter how you have the privacy settings set. It’s the sort of high-stakes privacy glitch that undermines people’s trust in the entire Internet. Who knows what will go wrong with the next release of your favorite communications app?

Retroactive Copyright on Public Domain Works

June 27th, 2010 by Harry Lewis

A federal appeals court has handed down a worrisome decision in the case of Golan v. Holder et al (decision available on DocStoc here). As part of the Uruguay Round Agreements (“URAA”) on international copyright, the U.S. agreed to extend copyright protection to certain foreign works which had previously been in the public domain in the U.S. Indeed, some of those erstwhile public domain works had been used by U.S. artists and writers to create derivative works. For example, one Richard Kapp, now deceased but whose estate is a plaintiff in the case, used a sound recording based on works by Dmitri Shostakovich to create a work of his own. Having in good faith acted creatively with public domain works, such plaintiffs now find that Congress has cut their legs out from under them, and maintained that Congress infringed their First Amendment rights.

The courts that dealt with the case went back and forth and this judicial stop is probably not its last. The court ruled that the government had sufficient reason to act as it did. Here is the key sentence, from page 12 of the decision.

The government argues on appeal that Section 514 is narrowly tailored to advancing three important governmental interests: (1) attaining indisputable compliance with international treaties and multilateral agreements, (2) obtaining legal protections for American copyright holders’ interests abroad, and (3) remedying past inequities of foreign authors who lost or never obtained copyrights in the United States. We hold that the government has demonstrated a substantial interest in protecting American copyright holders’ interests abroad, and Section 514 is narrowly tailored to advance that interest.

In other words, there are American copyright holders (the Motion Picture Association of America and several other agents of the content industries presented themselves as amici) who stand to benefit, because their works, previously in the public domain abroad, will now be protected. The judge carefully stated that he was offering no opinion on rationales (1) and (3).

Copyright and free speech are always in some tension. There is ample reason to believe that copyright has been the winner in that dynamic for the past 15 years or so. What is interesting here is the deference the U.S. is giving, and the court is supporting, to an international treaty as the basis for copyright expansion. Because the protests over the drafted-in-secret Anti-Counterfeiting Trade Agreement, ACTA, are getting intense. See Public Knowledge’s take and invitation to write to the White House. So the combination of treaty and copyright in the Golan case sounds alarm bells. Stay tuned.

On ACTA, see also the statement on the site of the Program on Information Justice and Intellectual Property.

Privacy and Petitioning

June 25th, 2010 by Harry Lewis

A fascinating case has been before the US Supreme Court this spring. Opponents of a gay civil union statute in Washington state petitioned to place its repeal on the ballot so voters could have the last word. Backers of the law asked the Secretary of State to declare the names of the petitioners a public record and post the names on the Web. The petitioners sued the state to prevent publication, saying they feared harassment.

It’s a wonderful puzzle. Both sides claim their free speech rights are at stake: the one side holding that the names are really part of the legislative process for which transparency is essential; and the other side arguing that their capacity to speak freely requires a level of anonymity. It’s an Internet-created issue, because although petitions have been around for centuries, until now it would have been impossible to publish them quickly enough to influence an election, and to sort and analyze them effectively enough to be a serious privacy threat.

The court’s decision is at once one-sided and inconclusive. By an 8-1 vote the court decided the immediate question before it: Petitions are, generally speaking, public. But the near-unanimity is only superficial, and may not even settle the question of the case at hand. Most, but not all, of the 8 allowed that there might be circumstances—some credible risk of harm, for example—under which petitioners would have a right to keep their names from being published. So the case goes back to a lower court, but may rise back up again.

What is most interesting is that the views of the justices cut obliquely across the usual liberal-conservative lines. In fact, the justice who is the most dismissive of any privacy right, and the sole justice who would have made privacy the norm, not the exception, are the two most conservative justices, Scalia and Thomas, who rarely split their votes on anything. Scalia called for “civic courage, without which democracy is doomed,” and added that he does “not look forward to a society which … exercises the direct democracy of initiative and referendum hidden from public scrutiny and protected from the accountability of criticism.” Thomas held with equal conviction that routinely publishing the names of petition signers would unacceptably chill free speech through a loss of “associational right to privacy.”

A case of the Internet confusing the traditional alignments on free speech issues.

Cyberspace as a National Asset

June 24th, 2010 by Harry Lewis

That is the name of the bill introduced this week by Senators Lieberman, Collins, and Carper, giving broad powers to the executive branch to control the Internet in case of certain emergencies. It is an important bill and it’s going to excite a lot of discussion about how much we need, and how much we fear, government control of the Internet.

The worries have been growing. A year ago a similar bill was introduced by Jay Rockefeller of WV. Richard Clarke’s Cyberwar is #1605 on Amazon as I write this post. We all know the damage that teenagers and criminals can do — imagine what an organized cyber-attack orchestrated by our enemies could accomplish.

As the worries have been growing, so has the skepticism. There was a terrific Intelligence Squared debate a couple of weeks ago about whether the “cyberwar” risks had been exaggerated. Mike McConnell of Booz Allen Hamilton, and former director of the NSA, argued that the risks had not been exaggerated, and he was joined by Jonathan Zittrain. Arguing the other side were privacy expert Marc Rotenberg and computer security expert Bruce Schneier. Shneier listed some of the purple language that had been used to describe the attacks that are occurring already — 9/11, Pearl Harbor, etc. — and noted that we in the U.S. love to use war language for describing things that are not wars but crimes, almost as much as we hate labeling as wars things that really are wars, our decade-old undeclared wars abroad. McConnell acknowledged that “war” is a metaphor, but so was “Cold War,” and no one doubts that the risk was real and that we won.

But it was Rotenberg who drilled down on the underlying problem with the rhetoric, which is not the semantic question of metaphors and language, but that purple language has repeatedly been used by the government in the past to argue for sweeping technological controls that undermine personal liberties. Rotenberg referred to the demands (recounted in Chapter 5) for government control of encryption technology, key escrow requirements, and the proposed requirement for the Clipper Chip). None of these supposedly essential measures wound up being approved, Rotenberg notes, and here are our friends from NSA back to help us again. McConnell responded that there was no danger to civil liberties — you just have to get the laws right and then unwarranted government surveillance would be illegal. Mark exploded that mere illegality had not stopped warrantless wiretapping under the Bush administration. McConnell promised to return to the issue if asked to, but it never happened.

I do think that exchange was at the crux of the issue. If you could trust the government, we wouldn’t worry about government monitoring what we are doing. But the whole Constitution is premised on the fact that we can’t trust the government always to do the right thing. Even reasonable-sounding laws are written with vague edges — especially laws about technology, which are drafted to cover innovations that haven’t happened yet. Prosecutors and other government officials, confronted with people they don’t like and a law with elastic edges, will stretch the law to cover the situation, and such cases often don’t even come to trial because the defendant pleads to a lesser charge rather than risk the judgment of the court on whether a harsh law is being stretched too far. (See Harvey Silverglate’s gripping and scary Three Felonies a Day.)

The Lieberman-Collins proposal allows the President to declare a “national cyber emergency” (the term is defined, but based on the examples in Clarke’s book and McConnell’s debate remarks, the NSA would probably argue that we have been in one several times, perhaps continuously). A new bureaucracy, the National Center for Cybersecurity and Communications, would reside within Homeland Security and would be charged with developing plans for responding to emergencies and seeing that they are implemented. CNET’s Declan McCullagh described the legislation as creating an Internet “kill switch,” separating problematic servers from the Net by government edict. Lieberman’s spokespeople were offended, saying that the legislation actually restricted authority the president already had under the 1934 Telecommunications Act.

The devil will be in the details.

Missing in the immediate reaction is the answer to a question raised by Chris Soghoian in the Intelligence Squared debate. None of this would be as much of a problem if our computer software wasn’t buggy. If Microsoft’s operating system were not so vulnerable to attack, the risks to the nation of being attacked would be a lot less. Is anyone in Washington thinking about requiring Internet security  at that level–with some significant financial penalties for violators?

Blog rescued!

June 24th, 2010 by Harry Lewis

We owe a big debt to researchers at Carnegie Mellon University, who took it upon themselves to disinfect this blog. As reported earlier, it had been riddled with links to an online drug store, which was riding the coat tails of our Google page rank to attract hits. Huge thanks to Timothy Vidas and Nicolas Christin for figuring out how the infection worked and resolving it. And thanks to Tyler Moore for connecting us to them!