Blown To Bits

Archive for the ‘Privacy’ Category

The Camera App that Identifies your Subjects

Tuesday, March 2nd, 2010 by Harry Lewis

I recently noticed that the latest digital cameras have a feature that not only tags people the camera can identify because you have tagged them before, but stops you to ask if you’d like to identify them if the camera notices that they keep turning up in your photos. Facial recognition is in the camera software. (Here is a Panasonic page describing this feature.)

That didn’t surprise me much, but somehow the Recognizr Android-phone app impresses me more. Point the camera at someone and the phone goes to the Web to identify the person and look up his or her profiles on Facebook and other social networks. Bingo, the phone reports back to you whatever the profiles disclose about them.

Nothing very complicated going on here, if you think about it, once you accept that facial recognition is a solved problem. The rest is just web search and retrieval. Underlying face recognition is by Polar Rose.

But think of it. Just miniaturize a bit more and we can all put these in our eyeglasses. Meet someone for the first time, and greet them by name. It will feel weird at first, but I suppose we will get used to it, in the same way that it no longer startles us to see pulled-together businesspeople striding confidently down the sidewalk talking to no one visible.

Point and Buy

Saturday, February 27th, 2010 by Harry Lewis

In B2B we briefly noted a couple of coming technologies in the advertising and marketing field—stores that would welcome you when they “saw” you coming in the door, perhaps suggesting things you might like to buy based on what they knew about what you had bought, etc. The New York Times reports today that it’s all here. It’s a good story, describing multiple technologies. It leads with the idea of pointing a cell phone camera at a window display after hours and having the item recognized from its image, so the shopper can buy it literally right out of the window. Here is another technology that I find particularly interesting:

Other retailers have begun testing a product from I.B.M. called Presence. Shoppers who sign up can be detected as soon as they set foot in a store. That enables Presence to offer real-time mobile coupons. And tracking shoppers’ spending habits and browsing time in various departments can help the system figure out who might be moved to suddenly buy a discounted item.

Presence can also make product recommendations. If a shopper was buying cake mix, Presence might suggest buying the store’s private-label frosting and sprinkles, too.

“We’re also able to do predictive analytics — predict what we think you might want based on what we already know about you,” said Craig W. Stevenson, an I.B.M. executive who oversees Presence.

We were imagining RFID chips in clothing as the identifiers. We should have expected that GPS phones would be ubiquitous and that people would happily tell merchants their whereabouts in exchange for small perceived rewards.

Privacy and Knowledge

Tuesday, February 23rd, 2010 by Harry Lewis

I am giving a talk with that title at Cornell on Thursday. It will be livestreamed at 4:15pm—details here. Thursday morning I am giving a talk on an earlier book, Excellence Without a Soul—that too will be livestreamed if anyone is interested. Same link.

Judge of Google Books Settlement Seems Skeptical

Friday, February 19th, 2010 by Harry Lewis

Yesterday was the “Fairness Hearing” in the Google Books Settlement case. The New York Times has a good report on it. Judge Chin’s questions suggest he is worried that the settlement goes way beyond what was needed to settle the issues between the parties—which is true, of course. A class action lawsuit over copyright infringement should not be a platform for a world-changing business partnership, with the biggest rewards going to the infringer.

Alas, so far I see nothing to suggest that the privacy issues with the settlement have caught the judge’s attention. I found this paragraph from the ACLU particularly interesting:

Because the settlement does not contain any privacy protections for users, Google’s system will be able to monitor which books users search for, which pages of the books they read and how long they spend on each page. Google could then combine information about readers’ habits and interests with additional information it collects from other Google services, creating a massive “digital dossier” that would be highly tempting and possibly vulnerable to fishing expeditions by law enforcement or civil litigants.

Among the reasons Google will rue the day it decided to roll out Buzz as an opt-out product with your social network harvested from your Gmail address book is that it renders worries like the ACLU’s far more credible. With all that useful data about reader behavior, Google itself will be highly tempted to repurpose it. After all, it has shown itself willing to do that with your address book, which many of us consider confidential information—why not do it with the information about which books, and which pages of which books, you spend your time reading?

Class Action Against Google Buzz

Friday, February 19th, 2010 by Harry Lewis

A Harvard Law School student has filed a class action lawsuit against Google for Buzz’s privacy violations. The student, Eva Hibnick, says “I feel like they did something wrong,” which is surely true but probably not her best lede. “The document cites the Federal Electronic Communications Privacy Act, the Federal Computer Fraud and Abuse Act, the Federal Stored Communications Act and California common and statutory law,” says ABC News. The kitchen sink, in other words.

The Electronic Privacy Information Center has already complained to the Federal Trade Commission (see here for EPIC’s press release, with a link to the complaint itself). This lawsuit seems like overkill, no matter how mad people are, given the risks we’ve written about elsewhere of stretching any available law to make a club with which to attack a technological innovation.

—-

I was on the Callie Crossley Show on WGBH radio in Boston yesterday giving Google a piece of my mind about Buzz. But I was gentle compared to Callie herself. You can hear the short segment here.

Google Smartly Changes Its Mind

Monday, February 15th, 2010 by Harry Lewis

Google yesterday reversed the crucial error it made when it rolled out Buzz. It decided not to initialize the service to follow your email correspondents, but simply to show those people to you as suggestions. In other words, you now have to opt in to following people, rather than opting out if you don’t want to follow them.

Bravo. You can pick at the edges–the company responded at first just by making the opt-out clearer, and didn’t go to opt-in until it realized that the first change wasn’t making the tidal wave of criticism any less powerful. But all things considered, this is a very professional response to a very serious self-inflicted wound.

The Toyota analogy I mentioned earlier sticks in my mind. Was there something in their management structure that allowed this horse to get out of the barn? Will there be some mistrust of Google now, some greater awareness that the company never guaranteed Gmail users absolute privacy in the first place and that it retains the right to make commercially advantageous use of their data?

What Was Google Thinking?

Saturday, February 13th, 2010 by Harry Lewis

Sigh. It is so sad to see Google lurch from doing the wrong thing (helping the Chinese thought control regime) to doing the right thing (announcing they’d rather lose the business than keep censoring in China) to doing a spectacularly wrong thing: The much-hyped Buzz social network service sets up your initial group of contacts from the list of people with whom you’ve been exchanging email and instant messages. And then makes that list of contacts public to the world. So lawyers could be exposing their clients, doctors their patients, husbands their mistresses, journalists their tipsters, you name it.

Buzz is an opt-out service–you’re in it until you tell Google you want to be out. And it is hard to get out (though in the past few days Google has, in response to the furious reaction it’s gotten, made the instructions a bit more visible). Even if you get out of Buzz, however, your secret lover may be exposing you. Happy Valentine’s Day!

This reminds me of Facebook’s Beacon fiasco, in which the company did not think through the consequences of having members announce to their friends what they were buying. Except worse, because ANYBODY knows that your email contacts are private information. How could Google not have had this pointed out to them in some focus group? For that matter, don’t they employ some house skeptics who are there just to point out the kinds of flaws that lots of bloggers pointed out almost immediately after the product was released?

Google’s response, according to today’s New York Times, is that a lot of people like the way it works. Which I am sure is true, and is a reason why big industries get regulated. The interests of minorities, no matter how serious, are not as important as providing the majority a product they like. Except that this time it looks like Google miscalculated the size of the minority of people concerned about their privacy, and the intensity of their feelings. I hope Google, like Toyota, is doing some soul-searching about how they got into their current pickle.

Thanks to danah boyd for pointing me to this excellent post from a lawyers’ blog explaining and analyzing the privacy problem and giving specific instructions about how to turn Buzz off. Very much worth a read.

Iran Bans Gmail

Wednesday, February 10th, 2010 by Harry Lewis

In a move that is remarkably aggressive even by the standards of totalitarian regimes, Iran has announced that Gmail will be banned and that a government-run email service will take its place. The Wall Street Journal explains,

An Iranian official said the move was meant to boost local development of Internet technology and to build trust between people and the government.

I get it. People will trust the government more if they know the government is watching all their email and there is nothing they can do about it. Wait, no, I don’t get it. Could you explain that again?

I have gotten two unsolicited emails over the past year from Iran. One was from a Gmail address, enclosing a manuscript about teaching for me to read. When I responded that we all think about the people of Iran and their struggles, the unguarded reply was “That is why I chose green for the cover of my book.” I hope that did not get him into trouble. Another, from a Yahoo mail address, asked for my help in locating a relative. Apparently the person writing thought the relative had gone to Harvard. I could find no evidence of that but I did find the fellow’s Facebook page, for which my correspondent was very grateful.

These experiences left me wondering how thorough the surveillance is, and today’s announcement leaves me wondering if people will put up with it being heightened.

Hillary Clinton on Internet Freedom

Sunday, January 24th, 2010 by Harry Lewis

I’ve now both listened to and read Secretary of State Hillary Clinton’s speech on Internet freedom. (That’s a link to the State Dept. home page, where it is still featured. I imagine it will move off shortly.)

It’s a good speech, I think. At least it was good enough to annoy the Chinese. A columnist for the People’s Daily snorted that Google had been reduced to an “ideological tool” of the US government and noted, correctly, that Google is losing the competition with the native Chinese search engine, Baidu. (Note: You can compare for yourself the search results returned by the US version of Google, the Chinese version of Google, and Baidu. But be aware that the link for Chinese Google takes you to servers inside the US, while the link for Baidu takes you, I think, to China. The result is that you may not see google.cn, the Chinese version, as the Chinese experience it. When I tried Googling “Falun Gong” inside China, I lost the Internet connection to my hotel room.)

The China Daily simply denies that Clinton is telling the truth. [A Foreign Ministry spokesman] “said the speech indicated China restricts internet freedom. ‘It is a far cry from the truth,’ he said.” And the People’s Daily accuses the US of hypocrisy. “It is common practice for countries, including the United States, to take necessary measures to administer the Internet according to their own laws and regulations. The Internet is also restricted in the United States when it comes to information concerning terrorism, porn, racial discrimination and other threats to society.” The paper goes on to cite Steve Ballmer as one of the good guys. “Noting that most countries exert some sort of control over information, Microsoft Chief Executive Steve Ballmer said Friday his company must comply with the laws and customs of any country where it does business.”

In fact, in her speech, Clinton, after stirring invocations of the US First Amendment and the Universal Declaration of Human Rights, conceded the point about Internet freedom having its limits. Here is the crucial paragraph:

Now, all societies recognize that free expression has its limits. We do not tolerate those who incite others to violence, such as the agents of al-Qaida who are, at this moment, using the internet to promote the mass murder of innocent people across the world. And hate speech that targets individuals on the basis of their race, religion, ethnicity, gender, or sexual orientation is reprehensible. It is an unfortunate fact that these issues are both growing challenges that the international community must confront together. And we must also grapple with the issue of anonymous speech. Those who use the internet to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities. But these challenges must not become an excuse for governments to systematically violate the rights and privacy of those who use the internet for peaceful political purposes.

Now that passage contains a remarkable juxtaposition. A grand buildup. A concession that there are limits to expressive freedom. A citation of the example of mass terrorism. OK, I’m listening. The next examples are the usual nondiscrimination categories, presented as hate-speech categories. Now I am getting worried; what counts as hate speech is so often in the ears of the listener. To be sure, it is easy to imagine a Tibetan rant about Chinese oppression that the Chinese could reasonably tag as ethnic hate speech. This is beginning to sound like a list of exceptions to freedom big enough to put almost anyone in shackles. Then there is the “issue” of anonymous speech. Secretary Clinton has nothing good to say about it, and then in a flat declaration puts Osama Bin Laden in the same box with millions of American teenagers—in the box of “those who use the internet to recruit terrorists or distribute stolen intellectual property.” At this point I think the speech loses its operative edge. It leads inevitably to the conclusion that the speech control tools aren’t the problem—they are necessary in fact—only the way they are used.

So I finished the speech feeling good; it’s certainly better than a speech that emphasized cooperation at all costs, and that might have been expected. On the other hand it leaves me unconvinced that the administration actually has a consistent point of view on cyber-freedom.

One ironic footnote. The streaming video comes via a service called Brightcove. If you click on the “Information” icon on the video window while the speech is playing, you get Brightcove’s who-knew? privacy policy, which explains that “By using the Site, you agree to the terms and conditions of this Privacy Policy. If you do not agree to the terms and conditions of this Privacy Policy, please do not use the Site.” Much of the privacy policy does not apply to visits to the state.gov site, which requires no login and hence generates no personal information. But of course viewing the Internet Freedom video does send Brightcove your IP address, which Brightcove treats as “Non-Personal Information.” And, it says, “we reserve the right to share Non-Personal Information with affiliates and other third parties, for any purpose.” So Brightcove could, for example, sell Harvard University the information that I watched the Internet Freedom video via the wired jack in my Harvard office. Freedom does have its limits, but I might have hoped they fell a bit farther out than that.

A Case of Mistaken Identity, with a Postscript on Encryption

Saturday, January 16th, 2010 by Harry Lewis

The Associated Press reports a strange case in which a Facebook user logged into her account from her cell phone and wound up in someone else’s. Except it turns out that though strange, it is not unprecedented. A couple of people even wound up in each other’s accounts.

It’s a little hard to figure out what is going on, but it seems that the wrong cookie (code identifying the Facebook account) got installed on the user’s cell phone. According to the story, it’s AT&T’s fault, though it is hard to be sure since all the cases involve not just the same carrier but the same web service (Facebook) and the same Nokia phones. If, as reported, it’s a bug in AT&T’s cell-phone-to-Internet connection, it’s easy to imagine that a user might be taken to another’s Gmail account in the same way.

If the connection had been encrypted, that would probably have prevented the cookie bug from doing any harm. But Facebook does not use encrypted connections.

Which reminds me of something I should have mentioned earlier. In what was already a good week for Google on the privacy front, because of its announcement that it would stand up to the Chinese censors, Google announced in a much less publicized blog post that it was going to enable https by default for Gmail. That is, up to now, your Gmail has flowed to you in plaintext, available for sniffing and snooping anywhere in the Internet. There was always a way to change that default and have your Gmail encrypted, but it took a little digging to find the check box and few people bothered. The disadvantage to Google in making encrypted email the default is that the encryption takes time, so Google had to upgrade its systems, costing them money. Now they have decided to do exactly that, and once again, good for them!

Added a little later: The betting in the Slashdot comment thread is that it’s simpler than the AP story suggests. As one comment says,

My guess is that it’s as simple as this: the http returned by a request to “www.facebook.com” was cached by AT&T and delivered to other users who attempted to fetch that URL in an attempt to save bandwidth. The login credentials are irrelevant… once AT&T cached the page it thought of as “www.facebook.com” it would deliver it to anyone who asked for that URL. It probably only changed for the next person because someone insisted on logging out and back in, and the caching server detected the change then re-cached the NEW user’s page. This used to happen a lot on the internet to unencrypted streams that allowed log-ins. These days most caching servers are properly configured, but it’s still an easy mistake to make if you’re setting up a caching proxy.

That is, sometimes an ISP will cache (keep its own local copy of) a web page it retrieves from a server so the ISP can deliver it to multiple users who may request it without going back to the server for a fresh copy each time. Obviously this is the wrong thing to do if there is any possibility that the page may change in an important way in between requests that the ISP is receiving. Perhaps it was just delivering one party’s version of “facebook.com” (a logged in page) to another user who also asked for “facebook.com”. Whatever it was doing, it was wrong! And it reminds us that nothing in a distributed system ever works better than the poorest code that gets invoked. Even retrieving a web page involves lots of parties.
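The caching mistake described above can be reproduced in a few lines. This is an added sketch, not code from the post, AT&T, or Facebook: the origin, the `session=` cookie format, the URL, and both cache classes are constructed for illustration, and the careful cache uses a deliberately conservative policy.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(req):
    """Constructed stand-in for a site whose home page depends on the session cookie."""
    user = req.headers.get("Cookie", "").partition("session=")[2] or "anonymous"
    policy = "public, max-age=60" if user == "anonymous" else "private"
    return Response(f"home page for {user}", {"Cache-Control": policy})

class NaiveCache:
    """The misconfiguration: key on the URL alone and store whatever comes back."""
    def __init__(self, fetch):
        self.fetch, self.store = fetch, {}

    def get(self, req):
        if req.url not in self.store:
            self.store[req.url] = self.fetch(req)
        return self.store[req.url]

def shareable(resp):
    """True only if the response may be stored for users other than the requester."""
    cc = resp.headers.get("Cache-Control", "")
    directives = {d.strip().split("=")[0].lower() for d in cc.split(",")}
    return not (directives & {"private", "no-store"}) and "Set-Cookie" not in resp.headers

class CarefulCache(NaiveCache):
    """Conservative policy chosen for this example, not any product's defaults."""
    def get(self, req):
        # Requests that carry credentials are passed straight through, never cached.
        if "Cookie" in req.headers or "Authorization" in req.headers:
            return self.fetch(req)
        if req.url not in self.store:
            resp = self.fetch(req)
            if not shareable(resp):
                return resp
            self.store[req.url] = resp
        return self.store[req.url]

def two_users(cache_cls, url="http://www.example.test/"):
    """Two logged-in users request the same URL through one shared cache."""
    cache = cache_cls(origin)
    first = cache.get(Request(url, {"Cookie": "session=alice"})).body
    second = cache.get(Request(url, {"Cookie": "session=bob"})).body
    return first, second

if __name__ == "__main__":
    print("naive  :", two_users(NaiveCache))    # bob is handed alice's page
    print("careful:", two_users(CarefulCache))  # each user gets their own page
```

An encrypted connection removes the intermediary's ability to read or store the page at all, which is why https would probably have prevented the mix-up regardless of how the proxy was configured.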