Privacy, Security & Government Surveillance

Previous installments (1, 2, 3, 4 & 5) in this series have documented how our government seems to have a difficult time keeping tabs on laptops and personal information. The latest on this front comes from the Energy Department which notified Congress yesterday that it has lost 1,415 laptop PCs over the past six years. However, according to this report in Government Computer News, the DOE stressed that none of the laptops contained classified information. I guess that qualifies as good news on this front.

Mine is a simple – dumb, even – adaptation of Metcalfe’s Law.

“The security and privacy risks increase proportionally to the square of the number of users of the data.” – first quoted in this eWeek article about the electronic employment verification system included in the current immigration bill.

I actually suspect that Briscoe et al.’s refinement of Metcalfe’s law is more accurate, but that’s just so complicated.

Happy Big Brother Day

May 14, 2007 · 2 comments

Bob Hagen from Global Crossing reminds us that as of today, the ISPs are legally required to help the government spy on you, although (so far) only with a court order:

On March 10th, 2004, the Department of Justice, the Federal Bureau of Investigations, and the Drug Enforcement Agency submitted a petition to expand the scope of CALEA to include communications that traverse the Internet (again, at the carriers’ expense). The proposed changes to CALEA were approved in August 2005. To those law abiding citizens that view this as an Orwellian infringement of their civil liberties, there are tools available that you can use to preserve your privacy and anonymity on the Internet. Since CALEA only addresses the interception of data, it does preclude the use of encryption to transform that data into gibberish. Here are some free tools that utilize strong encryption and are devoid of hierarchical trust models such as PKI:


Yesterday I highlighted the publication of the transcript from an event I hosted on age verification proposals for social networking sites. Today I want to highlight another excellent event that followed close on the heels of my event and expanded upon several of the issues we discussed that day.

On May 3rd, my friend Tim Lordan, Executive Director of the Internet Education Foundation, hosted a panel discussion on Capitol Hill entitled “Just The Facts About Online Youth Victimization.” The event featured the comments of 4 of the leading experts in the field of online child safety, including:

  • Dr. David Finkelhor, Director, Crimes against Children Research Center (CCRC), University of New Hampshire
  • Dr. Michele Ybarra, President, Internet Solutions for Kids and author of several studies on youth online
  • Amanda Lenhart, Senior Research Specialist, Pew Internet & American Life Project
  • danah boyd, Researcher, University of California, Berkeley and Fellow, University of Southern California Annenberg Center for Communications

It was an eye-opening discussion that shattered many of the myths driving legislative efforts aimed at regulating Internet sites or activities in the name of protecting children. I strongly encourage you to read the transcript, or just watch the video of the event here. It will change the way you think about these issues.

Julian gives a much-deserved thrashing to this ridiculous op-ed in the Washington Post attacking anonymity on the Internet:

What’s most bizarre about this piece is how incredibly superfluous it seems. Like the idea of accountable discussion forums, where every idea is linked to a verifiable real name? Well, there are plenty of those already. Worried about people “hate-mongering” or calling each other “the vilest names”? There’s no reason a site can’t limit that behavior while preserving pseudonymity, and indeed, so long as there are some people who don’t care about being hateful under their own names, that seems like a better way to address the problem. And the author’s imagination is so grossly impoverished that the only legitimate reason he can imagine to permit the use of a nom de Net is for the protection of whistleblowers, for whom he’ll grant sites ought to make exceptions on a “case-by-case basis.” Fortunately, this sort of “transparency” has precisely no chance of becoming the general rule, for precisely the same reason the op-ed misapprehends the problem from the outset. Pseudonymous speakers are not “elevated to the podium”—note how the passive voice obfuscates as well as any handle—we elevate or ignore them when we decide what to read, how much credence to give it, and whose views to link and propagate in our own writing. Indeed, the “podium” metaphor—as though the Internet were a big room in which we all sit and listen to whomever’s got the mic for the next five minutes—is a pretty good early warning signal for the cluelessness that pervades the piece. Fora for anonymous speech are common because lots of people like them, because the annoyance of filtering out the boors is, for many of us, dwarfed by the benefit of having the freedom to air your views without worrying about what Bob in HR or Aunt Hortense would think if they came across them on Google. 
And even though some of the more prominent formerly-pseudonymous bloggers—Jane Galt and Atrios, say—have since ditched their masks, I’d bet there’s a significant proportion of both their daily readers who wouldn’t even recognize the names “Megan McArdle” or “Duncan Black.” Why? Because when you’re making a cogent argument based on verifiable facts, supported by links, and with equal openness for others to poke holes in the argument or link contradictory information, the names of the people just don’t matter a whole lot. When the ideas and arguments are transparent, identities don’t need to be.

Quite so. One of the things I find odd about these sorts of articles is that it’s never clear what we’re supposed to do about them. There are lots of different websites on the Internet, and if there were widespread annoyance over anonymous speech, one assumes that consumers would begin gravitating toward sites with stricter policies. It’s not obvious what’s served by hashing the issue out in the pages of the Washington Post.

Ars Technica reports that an amendment to the FY 2008 Intelligence Authorization Act “upholds the 1978 Foreign Intelligence Surveillance Act (FISA) as the only means by which to do electronic surveillance—and . . . requires continuous judicial oversight of requests.”

Divided government is a real boon.

In late March, I hosted a congressional seminar entitled “Age Verification for Social Networking Sites: Is It Possible? And Desirable?” I brought together 5 experts in the field to debate the issue, including:

  • John Cardillo, President & CEO, Sentinel
  • Jay Chaudhuri, Special Counsel to North Carolina Attorney General Roy Cooper
  • Raye Croghan, Vice President, IDology, Inc.
  • Tim Lordan, Executive Director, Internet Education Foundation
  • Jeff Schmidt, CEO, Authis

It was an outstanding discussion and I’m happy to report that the transcript is now available online here. You can also listen to the audio from the event here, and you can find the big study of mine that we discussed that day here.


Here’s Google’s Global Privacy Counsel Peter Fleischer discussing in more detail Google’s recent laudable decision to anonymize its server logs after 18-24 months. The discussion helps illustrate the diverse interests that must be balanced in choosing how long to maintain information.

It’s often easy to disregard the value that deep wells of raw information have for information-based business. Fleischer explains some of how Google makes use of data to improve its services and protect users. These consumer-beneficial activities must be balanced against the background demand for privacy protection.

Of particular note, of course, is his discussion of the emerging government demands for data retention (some of which conflict with government demands for data destruction). Data retention mandates are outsourced government surveillance, neatly shifting the cost of surveillance to the private sector while avoiding limits on government action like the Fourth Amendment and the Privacy Act (in the case of the U.S.). To put a fine point on it, data retention is bad.

This explication of Google’s thinking is a welcome contribution to public understanding. I did get a little chirping on my B.S. detector where Fleischer says he had talked to privacy activists in developing their plans. I’d like to know which ones. It’s a small enough community that I figure I would have known about it (I say at the risk of sounding self-important).

I’ve been aware in the past of government agencies deluding themselves about taking privacy into consideration because they’ve heard from government contractors selling “privacy enhancing technologies” like immutable audit logs and such. As often as not, this stuff is lipstick on a pig – seeking to make bad surveillance programs acceptable by tacking on complex, fallible privacy protections.

I’m sure Google has done better than that in its consultations with privacy experts. At least, I hope I’m sure.

Update: Nate Anderson at Ars is not nearly so sanguine about Google’s data retention practices and its defense of them.

A debate is raging over at the Second Life blog about Linden Labs’ (LL) announcement that the company plans on imposing age verification requirements on its users starting in mid-May. LL says they are making this move “to insure that minors do not inadvertently access Second Life or have access to adult content in-world. In addition, age verification provides an additional layer of trust for in-world businesses and Residents.”

Those are certainly worthy goals. But LL faces two very challenging issues in attempting to implement this plan:


The Department of Homeland Security’s Data Privacy and Integrity Advisory Committee is filing comments on the REAL ID regulations. Comments close today (Tuesday). Instructions for commenting can be found here, and apparently, due to difficulties with the automatic comment system and with receiving faxes, DHS has opened an email address for receiving comments: oscomments@dhs.gov. Emails must have “DHS-2006-0030” in the subject line.

The Committee took care to offer constructive ideas, but the most important takeaway is summarized by Ryan Singel at Threat Level:

The Department of Homeland Security’s outside privacy advisors explicitly refused to bless proposed federal rules to standardize states’ driver’s licenses Monday, saying the Department’s proposed rules for standardized driver’s licenses — known as Real IDs — do not adequately address concerns about privacy, price, information security, redress, “mission creep”, and national security protections.

“Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate,” the committee wrote in the introduction to their comments for the rulemaking record.

I’ll be testifying on REAL ID today in the Senate Judiciary Committee.