One of the basic bottom lines of Chapter 2 of Blown to Bits is that the Orwellian nightmare of constant government surveillance through advanced technology hasn’t worked out quite that way. The government is doing it, to be sure. But so are teenagers with their GPS systems and cameras in their cell phones. So are corporations, who can boost their profit margins at tad by keeping track of the digital fingerprints we leave everywhere without thinking about it. And so are jealous husbands and suspicious mothers, who install spyware on the computers that their family members are using.

The spyware business is going mainstream now, supported by the social movement toward flexible work hours, work-at-home arrangements, and the dispersal to domestic settings of jobs like answering 800 numbers. Those social trends are a boon to parents who need to work from home, and will doubtless become even more popular now that moving the employee to the office in a gas-guzzling automobile has become even more expensive, by comparison with moving the bits representing the workload to the worker’s home. Socially useful as work-at-home may be, it has always been tainted with an odor of unprofessionalism. How is anyone to know if the worker is really working?

Last Wednesday, July 30, Sue Schellenbarger of the the Wall Street Journal reported on the trend to install software on those workers’ computers which takes screen snapshots every ten minutes or so, and logs every keystroke and web site visited. Some even take periodic webcam photos and screen outsourced call centers using voice recognition, waiting for hot-button words or just tonal indications that the call-center employee is getting angry. (Sorry, no link; it’s the WSJ. I wonder if Mr. Murdoch will change that.) Mentioned in the story are oDesk.com and Working Solutions. Some expect employees to time their bathroom breaks so the clock is not running while they pee.

If you’ve never seen Chaplin’s Modern Times, you should. It’s hard not to think that there will eventually be some workplace standards for stay-at-home bits workers in the way there are for assembly line workers — developed either through legislation, collective organization, or competitive pressure, as certain businesses succeed by having happier and less stressed employees.

The Higher Education Act is now at the President’s desk and is certain to be signed. The full text can be viewed here. Like most such laws that update ones previously passed, it is almost unreadable, because it is really an edit log: “change this word to that, add this sentence at the end of that paragraph,” etc. 

It includes many disclosure and reporting requirements (colleges will have to include textbook costs in their online catalogs, for example). While I am all in favor of more transparency, my guess is that this will mostly result in colleges adding more clerks to satisfy the requirements, or, for colleges unable to afford more hires, conversion of educational and student-service positions into bean-counting and bean-reporting positions.

A lot of recent interest in the bill has come because of the entertainment industry’s efforts to pressure Congress into making colleges copyright enforcers on its behalf. Colleges are in a unique position — their residential students have no choice of Internet Service Providers. All the bits that students get go through the college’s connections to the Internet. Monitor and choke off illegal activity there, and students have nowhere else to get their bits.

The problem, as I noted in the Commencement issue of the Harvard Crimson, is that colleges should be the last place where communications are monitored for anything without probable cause. Students who have come to college to have new worlds opened up to them, to explore ideas and works that would have caused them shame and shunning at home, should not have every bit they are reading screened for appropriateness. That’s what we expect of Chinese universities, not American universities. If the entertainment industry (which pays a lot of the bills for many congressional campaigns) can get filtering installed on college’s networks, they will likely use that as a precedent to pressure Congress to act against other ISPs. And if the government can compel colleges to exclude this particular kind of material, it can compel colleges to keep out other kinds of bits it deems bad for the young to be consuming.

The compromise version of the Act that is at the President’s desk doesn’t mandate that colleges filter all incoming bits, only to disclose what weapons they are using to help the entertainment industry’s anti-”theft” crusade. But Congress hands the entertainment industry a different huge gift. It mandates that colleges develop plans to buy music subscription services. Here is the relevant language:

`SEC. 494. CAMPUS-BASED DIGITAL THEFT PREVENTION.

•  `(a) In General- Each eligible institution participating in any program under this title shall to the extent practicable–
  `(1) make publicly available to their students and employees, the policies and procedures related to the illegal downloading and distribution of copyrighted materials required to be disclosed under section 485(a)(1)(P); and  

  `(2) develop a plan for offering alternatives to illegal downloading or peer-to-peer distribution of intellectual property as well as a plan to explore technology-based deterrents to prevent such illegal activity.

Is there another area of private industry from which Congress mandates that colleges plan to buy subscription services? This section goes on to promise grants to colleges who fight the good fight against piracy. The recording and movie studios are rubbing their hands and setting up their money-changing tables right now, waiting for the colleges to line up to negotiate with them as federal law will soon demand.

Here’s a suggestion. Let’s instead pass a law requiring colleges to inspect laptops at the border of their property, the way DHS inspects laptops at the U.S. border, without probable cause. Students arriving as freshmen will have their laptops searched as they are unloaded from their parents’ cars. Same after they come back from winter break, etc. Ipods too, of course.

The reason this won’t happen is that students and their families wouldn’t stand for it. There would be face to face confrontations of a kind not seen since the draft protests of my youth.

The problem with network monitoring, and what makes it a more plausible and acceptable alternative, is that no one would see it happening. We all tend to accept intrusions that are logically equivalent to physical searches, even if we know they are happening, if we don’t see them happening.

The entertainment industry is winning in its efforts to force public and other private institutions keep its anachronistic business models alive for a few years longer. As much money as they claim to be losing, they have plenty to lobby Congress to do their bidding.

Google already knows what you’ve been looking for with its search engine, and whether you have a swimming pool in your backyard (and it will happily disclose the latter to anyone who wants to know — just use Google Earth). Now Google is toying with the idea of “activity recognition,” such as watching you eat. “Activity recognition systems unobtrusively observe the behavior of people and characteristics of their environments, and, when necessary, take actions in response — ideally with little explicit user direction.” So states a recent paper by Google researcher Bill N. Schilit and two coauthors. Why would they want to do that? Well, to improve your health, for example. ”Information about household activities can even be used to recommend changes in behavior — for example, to reduce TV viewing and spend more time playing aerobic games on the Wii,” the paper suggests.

Lovely. An automated nag.

To be fair, home health care is a huge market, and it’s very costly to have people see physicians just to be told the same things about behavior modification every six months. If people want it, why not?

Well, what if it’s their insurance company that wants it, on pain of canceling their policy? Or the government that wants it, in exchange for a tax credit?

Health improvement is a good thing, but where does it stop?

And, of course, there are all the usual questions about the bits: who gets them, how could they be repurposed, and what if they leak.

Thanks to Information Week for its nice summary story on this.

Readers of Blown to Bits know that when it comes to bits, nothing goes away (koan #6). Information, even information you’ve deleted, can come back to your surprise – and your embarrassment. In the book, we illustrated this at Harvard University’s expense by showing that an outspoken presidential statement on Harvard’s Web site about the scientific abilities of women had quickly been replaced by a more conciliatory version, and yet the original remained accessible to anyone who thought to look in Google’s cache.

The McCain campaigners had similar fun last week at Obama’s expense when they revealed how the Obama Web site’s statement on the plan for ending the war in Iraq was substantially rewritten between June 11 and July 14. For instance, where the earlier version led with “Bring our troops home,” the later version spoke of “A responsible, phased withdrawal.” The McCain camp scolded that this was politics-as-usual flip-flopping; Obama supporters replied that that it was simply elaborating a position and to more details. The tussle is unlikely to sway any votes.

What’s more interesting from a Bits perspective is that the McCain folks discovered the change through a new on-line service called Versionista <http://www.versionista.com/>, which is set up to track just these kinds of changes to web sites. Tell Versionista to monitor a web site, and it will watch it constantly, keeping track of every addition or deletion, and show you side-by-side comparisons of the different versions with the changes highlighted. You can compare Obama’s before and after Iraq plans yourself by following this Versionista link.

We can be sure that Obama and McCain through November – and perhaps all political campaigns from now on – will think twice when they modify their Web sites. That goes for the rest of us as well: anything you place on the Web can now be monitored by an automated agent in the service of a competitor, enemy, or rival, and any change or inconsistency can be thrown back in your face.

There are many more shoes yet to drop in this tale of automated change monitoring. Here’s something to ponder, relating to subpoenas for email and other documents: Word processors make automated backups as you write. You might type a phrase as you are composing and delete it almost immediately, and yet the original fleeting text might have been caught by a backup. If your documents are subpoenaed, do you have to turn over only the final versions, or the backup drafts as well? You might end up having to answer not only for email messages you sent, but for the unedited drafts of those messages, including the stupid   ill-considered words that you later edited out. The issue hasn’t yet come up in court, but those drafts fit the legal definition of “stored documents” and so in principle should be turned over. We can be sure that the issue will arise before long.

As the book says, bits never go away; they can’t even be replaced.

As the New York Times reported last week, Google now keeps track of what you’ve been searching for in order to show you more relevant advertising. So if you’ve been asking about various islands in the South Pacific and you search for “Java,” you’ll likely get advertisements for travel offers, not for guides to the programming language by the same name.

Google’s technology for achieving this effect involves leaving cookies on your computer. But the article notes that Google already had access to the previously visited site, even without leaving a cookie. That’s a standard part of the HTTP protocol for web browsers. Click on a link, and the browser dispatches to the web server not just the URL of the page it wants, but the URL of the page that contains the link on which you clicked.

That datum is called the “referer.” (Yes, the word is misspelled that way in the HTTP standard. Oh well.) This is what makes possible some interesting customizations of web pages. For example, if Joe’s Books has a site that links to Blown to Bits, we could greet people who visit our page from Joe’s with a distinctive message such as “Thanks for coming over from Joe’s Books!”

Now this is all wonderful and a little disquieting. Such tricks make the experience more personal, and perhaps more informed. But is that what we really want? Do we like knowing we are leaving tracks that others know about? And if not, would we rather have them know about the tracks but not tell us that? 

At lunch today I did an informal survey.  The question was this:

Is it acceptable for Customs officers to search through the contents of your laptop, look at files, read your email, go through your pictures, pick over your web search history, check to see if you have any illegal MP3 downloads, maybe some movies?

There are actually three parts to the question.

1. Is it legal to search all the electronic stuff you are carrying?
2. Is it legal to do it without any “reasonable suspicion” that you’re doing something illegal?
3. And, most importantly, how do you feel about it?  if it is legal, should it be?

There was 100% agreement, at least among the ten people at lunch today, that it was completely wrong to do so, and they presumed that it was either illegal, or, at least illegal without probable cause and maybe even a search warrant.

Not so.

On April 21, 2008, Judge Diarmuid F. O’Scannlain issued an opinion in the case of United States of America v. Michael Timothy Arnold.  Mr. Arnold, a forty-three year old man,  was returning from a trip to the Phillipines.  He landed at LAX and went through customs.  We’ve all done that - gone through customs that is.  They have an important function to peform; making sure that people don’t bring bad stuff into the country, things they haven’t paid duty on, animals, fruits that might harbor insects, contraband, and mostly drugs.  Mr. Arnold wasn’t a suspect, nor was he behaving in a suspicious way.  He was selected randomly for more careful screening.  In this case, the customs agent asked him to turn on his laptop, and proceeded to look through his photo album.  The agent found pictures of nude women and called in more experts.  They went through all his digital files and found images that they considered to be child pornography.

Mr. Arnold argued that the customs officers should not have been allowed to search his laptop without “reasonable suspicion,” and filed a motion to suppress.  The District Court agreed, but that finding was overturned by the Appeals court, as detailed in Judge O’Scannlain’s opinion.

Contrary to the opinion of my lunch companions, searching your laptop, your cell phone, your flash drive, iPod iPone, Blackberry - reading your emails, looking at your pictures, checking your web surfing history is all just fine - with or without “reasonable suspicion.”

But my point is not to argue the subtleties of the law, it is to recognize that, as we say so often in Blown to Bits, that quanititative changes have qualitative impacts.  Looking through your briefcase for undeclared purchases, searching your bag for the cheese you are trying to bring into the country, or for the kilo of cocaine, feels quite different from going through everything on your hard drive.  For many of us, our laptops contain a record of much of our lives: years of pictures, enormous email archives (mine’s about 2 GB.), every appointment we’ve had.  There is something inherently creepy about the notion of being laid bare in front of a customs agent simply because you are crossing the border.

We have strong legal protections for what we have in our homes.  The Fourth Amendment states that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated . . . .” Homes used to be where we kept the record of our lives, the pictures, the correspondence, our entire music collection.  It was inconceivable that you would carry it all about with you. But no more.  You can fit quite a bit if personal history on a 120GB disk drive. The digital explosion blew a big hole in the wall of our house.  Many of us carry our history with us.

Once again our legal structures feel intuitively to be out of whack with the nature of the digital universe.  How profoundly will our privacy be violated if a customs agent can pour through our most intimate thoughts, read our digital diaries, explore our interests and desires, our corporate secrets and health records.

Like all the stories we tell about BITS, this one is not over, but the implication is both clear, and consistent with our other observations: those who make the laws, and those who interpret them need to bring a deeper understanding of the technologies that are so much a part of the fabric of our lives

The House passed the revised and extended Foreign Intelligence Surveillance Act, and the Senate is sure to follow suit next week. ArsTechnica has a good explanation of how the bill undercuts constitutional assurances that the government will not spy on its citizens. And also of why the guarantees that really, truly the government will play by the rules now are nothing more than was already present in the previous legislation and ignored by the the Bush administration.

Today’s news (see the Washington Post story) is that Obama will vote for this bill, while promising to watch its application if he becomes president. 

One of the things Obama stressed in his primary campaigns was that he voted against the war in Iraq, and that Clinton voted for it. Obama cast himself as the cautious one, the one prepared to say that the president’s say-so for going to war was not enough. Certainly, many who voted for the war did so out of fear that they would seem weak if Saddam Hussein really did have WMD’s; Clinton and others erred on the side of not being seen as risking the security of the nation, and Obama roundly criticized them for having done so.

Here Obama is doing the same thing. His reputation in military and defense matters being open to question because of his inexperience, he is trying to establish himself as a strong defender of national security. He apparently doesn’t need to court the civil libertarian voters, believing they have nowhere else to go.

It doesn’t look like this can be an issue for the debates, since McCain is planning to vote the same way. I wonder what Clinton’s plans are.

One of the reasons that we wrote “Blown to Bits” was because we realized that so much of what goes on is connected to the changes digital technology has brought, and we wanted everyone to understand the implications.  Not a day goes by when we don’t see more bits stories.

Like today.  A witness alleged that the driver of an MBTA trolley that crashed was talking on her cell phone at the time. Thanks to the fact that cell phone service is now all “bits” that allegation is gone. Recent news stories reported that the cell phone records show no phone, text, or Internet activity at the time.

“We were able to recover the driver’s cell phone at the scene. We issued legal process to access records of her phone calls and text messages as well as her Internet usage on the phone, and engaged in forensic analysis,” Middlesex District Attorney Gerry Leone said in a statement.

We should all be aware that every single thing that we do with our handy little phones is tracked and stored.  It may take a warrant to retrieve those data, but they are there for the asking.

That wasn’t the only bits story today.  The front page of USA Today reported that visitors to the Olympics are at risk of being hacked by the Chinese government.  That story won’t be news to anyone who has read Blown to Bits - we talk at some length about how digital communications can be monitored and analyzed, about how search results vary from country to country, and, most importantly, how digital censorship can be a powerful tool for molding the thinking of a nation.

The Celtics (sadly!) lost to LA last night.  How, you might ask, is that one a bits story?  Answer - Kobe. whose 36 points made the difference, was cleared of charges to some degree because the cellphone text messages of his accuser were all stored, and subsequently retrieved.  You may have thought those message went away after you sent them.  Not so.

As my hero, Ron Popeil likes to say, “wait, there’s more.”  According to the Washington Post, the Red Cross was fined because six units of blood were improperly washed.  That’s six units out of literally millions.  Imagine finding that needle in a haystack if the records weren’t all bits.

The list has no end.  We are living in a bits world, with endless possibilities and perils.

Vontu, Tablus, Code Green, PacketSure, — these are all players in the world of “data security,” of making sure that valuable, confidential, protected, secure data doesn’t leak out. It’s a noble calling. After all, we don’t want our private information leaking everywhere, and corporations, for sure, don’t want theirs sneaking out the back door either.

Here’s what they do. They listen to everything passing through the company network. Often, they sit in a place on the network where information heads out the digital door to the Internet. They are “configurable.” That means that, like much of the software we use, the administrator can set up rules. “If Susan Black sends an email that includes the word ‘Prada’ or ‘Tiffany’ then …” Oh wait, that isn’t exactly the kind of rule you would expect for data security. My point exactly.

The tools that guard against data leaks are nothing more or less than digital wiretaps. The marketing term is “content inspection agents.” I love marketing-speak. The folks in marketing could have just named them “eavesdroppers.” Unlike the wiretaps of old, they don’t require a human listener. They have digital listeners; software that can be configured to detect whatever the administrator might think is suspicious, and then take appropriate action. That action might be as severe as blocking the transmission, or as aparently benign as keeping a copy for administrative review. The tools can look at every form of network traffic, because they operate at the deepest level, inspecting all the bits as they pass by.

Like so many innovations in our digital world, things developed for one purpose can be directed, or mis-directed to another. So it is with these tools. Guarding against data leaks is like protecting the homeland from terrorists. No one would ever argue against it. The question is, which of our assumptions about personal privacy are being sacrificed along the way. Our observation is that, for the most part, we don’t care. The more we know about the world of bits, the more we will come to accept that Big Brother is watching and listening, and we will just have to accept that new reality.

I got an email yesterday from a sales agent for Palisade Systems, which offers a product called PacketSure. The “Packet” in that name refers to Internet packets, the little blocks of bits that are the unit of information the Internet transports. And “Sure” means that the product will make sure the packets going into and out of your business won’t contain information you’d rather not see crossing the boundary into and out of the outside world. For example, movies you don’t want your employees wasting their time watching, or Social Security Numbers that might be client or employee data leaking out, or medical records which are private by law. The web site has a short demo video that gives the idea.

As originally conceived, the Internet was simply a packet delivery system. A computer at a junction point in the network was just supposed to look at the address part of the packets so it could send them off on the proper outgoing link. Those computers were slow enough that it wasn’t practical for them to do much more anyway in the way of peeking inside packets, and it also wasn’t feasible to do much scanning of bits as they entered or left host computers at the edge of the Internet.

With faster computers and much more concern about undesirable uses of the Internet, it is now possible, as the email I received states, “to manage communications across over 150 different protocols and applications … to block, log, report, and alert based on company policy.” Not only possible — it may well be wise or even necessary, given the variety of laws and regulations now in place about appropriate handling of data.

But the “based on company policy” part makes this technology much more than a tool for legal compliance. It gives the company complete control over the web sites employees are allowed to visit, the content of their email, and the use of office computers for sharing pictures. It is as though your office phone were locked to work only with certain other phone numbers, and was subject to a constant wiretap to boot. (Except that, I suspect, most personal communication out of offices these days probably goes by IM or email: Telephone conversations are less private because they are audible.)

Questions: If there were a home version of this product, would you buy it to keep your children in line? Should a university install these boxes to monitor or prevent students’ illegal music and movie downloading? If you were the government of Myanmar, would you want to install the system for the entire country?

Like so many other ingenious and useful technologies, this one is wonderful or terrible, depending on how it is used. A few years ago, no one needed to face the question of whether such systems were good or bad, because there was no practical way to build them. Now they exist, and they will keep getting cheaper and better. And I’m sure no one from Palisade Systems does ethics checks on its customers before shipping the PacketSure products.