Privacy, Security & Government Surveillance

Fun with Headlines

May 22, 2008

UK to streamline identity theft with data retention proposal, I report over at Ars.

Reports have surfaced that Charter Communications, a mid-sized U.S. cable ISP, is monitoring its customers in partnership with NebuAd to deliver targeted advertisements. Luckily, Wayne Crews and I have a brand new C:Spin digesting the privacy implications of advertisers tracking our Web browsing:

Online ads can be annoying. From pop-ups to flash screens, it’s hard to surf the Web for long without encountering a sales pitch for an unwanted product. A world without these ads might be pleasant, of course, but then who would pay for all the original content websites make available? Advertising explains why we can browse the Internet without pulling out our credit cards at every turn. But New York lawmakers are now considering a bill that would make this scenario a reality, spelling doom for the advertising models that could fuel the Internet’s future.

Irked by pervasive advertising, some consumers see the Wild Wild Web as a realm warranting legislative assurances that all information stays private, hidden beyond the reach of marketers without explicit consent. They prefer that we opt-in, rather than opt-out.   

But an alternative interpretation of the nature of cyberspace is that any advertiser may legitimately assemble information that has been transmitted on what is clearly a very public network.

Even Wikipedia, long funded entirely by private donations, may soon have to place ads on its popular encyclopedic entries. All the server farms and fiber optic cables that power today’s Internet are not cheap, and somebody has to pay. Ad revenues indirectly fund many of the network upgrades needed to prepare for the ever-increasing stream of global Web traffic. And since advertisers are expected to tighten their belts as the global economy slows down, effective advertising models are more important than ever. If the Internet is to realize its full potential, firms must be free to develop experimental new methods of delivering ads.

Increasingly, today’s “dumb” online advertisements are yielding to “smart,” behavioral ads. By cataloguing individualized information about a user’s browsing tendencies, behavioral advertisers like Phorm and NebuAd can guess what sort of ads might interest that person, and select which product to promote accordingly. In this model, advertisers don’t even have to record specific web addresses; rather, browsing habits are stored only under broad subject categories, like automobiles or golf. Sensitive websites like WebMD aren’t logged whatsoever. All this data is tied not to our names but to anonymous identifiers like cookies or IP addresses, which typically cannot be traced back to a particular individual except by court order.


What a delightful chapter title in Adam Shostack’s and Andrew Stewart’s new book, The New School of Information Security. Adam is a guy I’ve known for a lot of years now – somehow. He always seems to pop up in the places I go – both physically (at conferences and such) – and intellectually. He blogs at Emergent Chaos and maintains a list of his interesting papers and presentations on his personal homepage.

Adam and his co-author have produced a readable, compact tour of the information security field as it stands today – or perhaps as it lies in its crib. What we know intuitively the authors bring forward thoughtfully in their analysis of the information security industry: it is struggling to keep up with the defects in online communication, data storage, and business processes.

Shostack and Stewart helpfully review the stable of plagues on computing, communication, and remote commerce: spam, phishing, viruses, identity theft, and such. Likewise, they introduce the cast of characters in the security field, all of whom seem to be feeling along in the dark together.

Why are the lights off? Lack of data, they argue. Most information security decisions are taken in the absence of good information. The authors perceptively describe the substitutes for information, like following trends, clinging to established brands, or chasing after studies produced by or for security vendors.

The authors revel in the breach data that has been made available to them thanks to disclosure laws like California’s SB 1386. A libertarian purist must quibble with mandated disclosure when common law can drive consumer protection more elegantly. But good data is good data, and the happenstance of its availability in the breach area is welcome.

In the most delightful chapter in the book (I’ve used it as the title of this post), Shostack and Stewart go through some of the most interesting problems in information security. Technical problems are what they are. Economics, sociology, psychology, and the like are the disciplines that will actually frame the solutions for information security problems.

In subsequent chapters, Shostack and Stewart examine security spending and advocate for the “New School” approach to security. I would summarize theirs as a call for rigor, which is lacking today. It’s ironic that the world of information lacks for data about its own workings, and thus lacks sound decision-making methods, but there you go.

The book is a little heavy on “New School” talk. If the name doesn’t stick, Shostack and Stewart risk looking like they failed to start a trend. But it’s a trend that must take hold if information security is going to be a sound discipline and industry. I’m better aware for reading The New School of Information Security that info sec is very much in its infancy. The nurturing Shostack and Stewart recommend will help it grow.

Check out my write-up of the State Secrets Protection Act, which is Ted Kennedy’s answer to the Bush administration’s habit of answering every lawsuit with “we can’t litigate about that because it’s a state secret. We can’t tell you why it’s a state secret because that’s a state secret too.” It would create some clear ground rules regarding when the state secrets privilege can be invoked and how judges should deal with such assertions. I haven’t given this a great deal of thought, but from a quick read-through of the bill, it seems like a pretty worthwhile approach.

A “sensor” is a device that measures a physical quantity and converts it into a signal that can be read by an observer or instrument. Sensors that convert analog information into digital form are the most interesting. The information they collect is easy to store, transmit, and reuse.

Digital sensors are all around – the keyboard on your computer, your cell phone, the surveillance cameras in your office building, and so on.

Lots of good things come from having these sensors around, and the systems they attach to – that’s for sure. But they don’t always serve our interests. Let’s take a look at an example of digital sensing gone wrong.

A colleague of mine recently returned from a business trip to Las Vegas, where he engaged in important and sober work. He arrived home late from his trip, and his patient and loving wife, already in bed, engaged him in some conversation. Fairly quickly, she asked him whether he had enjoyed himself at the strip bar (!). My hard-working and serious colleague was concerned. Why, on returning to the warm glow of his happy home-life, should he be asked this question?


My fiancee relates the following:

I was just listening to one of my knitting podcasts, where the podcaster was interviewing an author of knitting books. They started talking about how they arrange their knitting needles in their luggage to get them on planes. The author puts them next to the seams of her bag so they blend in, or puts them in a pencil case with a bunch of pens and pencils! When middle-aged ladies are scheming how to get their knitting past security, you know things have gotten ridiculous.

This essay by Josh Chasin over at the MediaPost’s Metrics Insider Blog is the best piece I’ve read on behavioral marketing & privacy in a long time. I like this analogy, in particular:

Let’s say you are a tall, dashing, smartly dressed Chief Research Officer at a major Internet audience measurement company, and you walk into Nordstrom’s. A sales clerk you recognize comes up to you and says, “Hey, your wife’s birthday is coming up in a few weeks, and we just got in those sweaters she likes. Should I put a couple of them away for you in her size and color?” Now let me ask you. Does this hypothetical Chief Research Officer perceive this to be: (a) an egregious violation of his privacy, causing him to immediately rush home and write his state assemblyman; or (b) another example of Nordstrom’s world-class customer service? If you answered (b), then you’re tracking with me so far. So how come if this exact same thing happens on the other side of the screen, it stops being outstanding customer service and turns into a violation of privacy?

Great question! And yet some over-zealous privacy advocates make this stuff out to be the coming endtimes and call for comprehensive regulation using scare tactics and twisted logic, as Chasin notes:

If Big Brother barges into your home at midnight and takes you away because someone doesn’t like the books you’ve been reading, that’s an invasion of your privacy (and way worse.) But if the ads you see on Yahoo are increasingly relevant to your life, that’s not an invasion of privacy. That’s just the digital version of that nice lady at Nordstrom’s. Let’s not confuse the two.

Exactly.

Here’s a great article on the recent history of the civil liberties debate, beginning with the CALEA battles of the 1990s. It gives some interesting details on the formation of CDT.

The big question the article asks is why it’s so much harder today to get the various factions in the FISA debate together in a room and work out a compromise, the way the parties did in 1994. It seems to me that the fundamental difference is that the previous administration accepted the fundamental premise that the government had an obligation to obey the law. So while the Clinton-era FBI pushed aggressively for statutory changes that dramatically expanded eavesdropping powers, and then litigated aggressively for interpretations of the law that expanded them further, it generally accepted that if Congress and the courts ruled against them, they had an obligation to defer to their judgments.

In contrast, the current administration believes, fundamentally, that the need to defend people from terrorism trumps old-fashioned concepts like the separation of powers and the rule of law. So while they’d certainly like Congress to rubber-stamp what they’re pleased to call the “War on Terror”, they’re prepared to ignore the law and people’s civil liberties regardless of what the other branches say.

Under those circumstances, negotiation is a waste of time because there’s no particular reason to think the administration will respect the outcome of the legislative process. Worse than that, pretending that the administration takes the law seriously, when it has made it crystal clear that it does not, serves the political ends of the White House by making it clear that contempt for the law has no consequences. When one side in the negotiations has made it clear they’ll do what they like regardless of what the law said, the only reasonable response is the one the House has taken: pass legislation that makes clear that the administration’s actions were and are illegal, and that increased scrutiny is needed. Not until we have a new president who re-affirms his (or her) commitment to the rule of law will it make sense to enter into serious negotiations with the White House.

…or in this case, you can’t stop the terrorists without occasionally letting a baby die while customs officials inspect his paperwork. I hope the people responsible for this spend some time in prison.

I have a new blog post on Cato@Liberty about a recent sit-down that DHS Secretary Chertoff had with a select group of bloggers. Below the video, a further item:

http://www.youtube.com/v/B48ee0VGnaE&hl=en

TLF-exclusive update!: I just noticed that Secretary Chertoff describes the machine-readable zone in REAL ID as if it is literally the sequence of letters and numbers in the MRZ of the passport. In fact, the REAL ID regulation calls for the use of a 2D barcode standard. A 2D barcode can hold quite a bit more information per unit of surface area and, of course, it can’t be interpreted by the eye as the MRZ on a passport can.