Privacy, Security & Government Surveillance

Although the word “spyware” alone can make the blood boil for those who have struggled to remove the stuff from their computers, coming up with a precise definition of the concept is surprisingly difficult. Still, the Anti-Spyware Coalition, consisting of consumer groups, Internet service providers (ISPs), and software companies, is struggling to pin one down. The group released a draft definition this week.


Alex Leary of the St. Petersburg Times is on the story of an “intruder” who “hacked” into a wide-open WiFi and “stole” Internet service. Fortunately, the good guys caught him in the act, and now he’s facing hard time.

Mr. Leary needs to take a deep breath and calm down.

Here’s something he might ponder once he’s got his blood pressure under control: on a recent trip to the Midwest, I probably “stole” Internet access from a dozen open access points around town. When I needed to check my email or look up an address, I’d drive down the street until I found myself within range of an unsecured wireless network. Then I logged in, checked my email, and logged off.

It’s almost certain that the owner didn’t even know I was there. The amount of bandwidth I “stole” was trivial, probably worth a fraction of a penny. I didn’t try to hack into anyone’s computer or snoop their private data. So am I a criminal?

ISPs will point out that such access technically violates their Terms of Service. Which is true. Comcast, for example, prohibits its broadband users from “making available to anyone outside the Premises the ability to use the Service (i.e. wi-fi, or other methods of networking).” But the TOS is an agreement with the guy who owns the access point, not with the guy who’s borrowing it. If Comcast has a beef with how its customers are using their service, they should take that up with the customer, not the guy driving by on the street. More to the point, this is the sort of thing that’s best handled with benign neglect. That provision in the TOS is there to prevent a whole apartment building from sharing one broadband connection, depriving the ISP of revenue. But allowing me to use a WiFi network for 30 seconds isn’t going to make me any less likely to sign up for home broadband.

But I guess people have a tendency to get freaked out about things they don’t understand. When everything about a computer network is a mystery to you, I imagine it’s frightening to think that random strangers might have access. But whether or not you think it’s ethical to log into an unsecured wireless network, it’s certainly not a huge deal. Trading kiddie porn and stealing credit card numbers are a big deal, but one can do that with any Internet connection. There’s nothing special about WiFi in that respect.

Moreover, it takes all of 2 minutes, and virtually no technical savvy, to set a password for your access point. The procedure depends on which one you’ve got, so consult your manual, but most likely it involves opening your browser, typing in a number like “10.0.0.1” for the address, and clicking a “change password” button. If you don’t want people sharing your network–and more power to you if you don’t–that will deter 99.9% of the people who might try to log in. And I’d certainly be open to the idea that the remaining 0.1% should be liable for criminal sanctions.

A more tech-savvy reporter likely would have made fun of the bumbling flatfoots who think checking your email on a wide-open computer network is a felony. Of course, a more tech-savvy policeman wouldn’t have made an arrest in the first place.

Tucked inside the $82 billion emergency military appropriations bill that passed unanimously in the Senate yesterday (because what senator would vote against “supporting our troops”?) was the REAL ID Act, courtesy of Rep. James Sensenbrenner (R-Wis.). That act effectively creates a national ID card by standardizing state drivers licenses and databases. Worst of all, the Act requires that all licenses include a “common machine-readable technology.” RFID is a top candidate to fill that bill, as I lament here. What’s amazing to me is how little debate there was on this particular bill, even though decades of disagreement on national IDs had managed to stave them off. Check out this column by Bruce Schneier to learn why the new IDs are bad news for privacy, for security, and for the states.

A story linked from Drudge describes a new service that Google is offering: saved search history. Create a Google login, and the search service will keep track of all your searches, as well as the results that you’ve clicked-through to access. Anyone who has used Westlaw or Lexis-Nexis will find the idea familiar–those services have offered it for years.

Reaction, however, has not been uniformly positive. Once again the privacy wingnuts (so called to distinguish them from people with legitimate concerns about privacy) are all worked up:

“It’s really a bad idea,” said Dixon, executive director of the World Privacy Forum. “If you need to keep track of your past searches, I recommend using a notebook. It would be a lot more private and a lot less risky.”

Had Google or any other operator of a web server some kind of malicious intent, it could keep track of every page you access on its servers and every search term you send to it. If you’ve ever sent them your email address or some other personally identifying information–then bingo, they’ve got you! For better or worse, this is the way that computer networks work, barring those that employ extremely complex, unreliable, and slow misdirection technologies. Dixon might as well caution users to stay away from the Web altogether, because the privacy implications are about the same as Google’s new service.

Still, she is right that some people don’t like to divulge any information at all, ever, whether they’re using a computer network or boarding an airplane. At least in the case of Google, as opposed to boarding a flight, these people have options: they can choose not to use the search history service, not to use Google at all, or even not to use the Internet, period.

But the people who harbor such concerns are clearly on the fringe; the success of online services testifies to that. These are the sort of people who exclusively use anonymous proxies to access the Internet and send all their email encrypted. The really radical ones live “off the grid” altogether and pay for everything in cash. These are not normal computer users–who do take their privacy seriously but have proven more than willing to divulge certain bits of information when there is a payoff to doing so. All of us make that compromise every day when we access the Internet.

So Dixon is right that some people might want to think twice about Google’s search history service. Normal users, however, will probably make their decision based solely on whether it’s useful to them. And that’s the way it should be, that users get to choose what they’re willing to accept.

What this episode reinforces, though, is that privacy “advocates” like Dixon don’t really speak for normal users but for the paranoid. Whether their paranoia is legitimate–who’s to say? But the next time that privacy advocates come out calling for government controls on innovative technologies–a regular occurrence–remember that their concerns are likely far different from yours and those of most users.

The U.S. State Department is proposing to use RFID in passports. Bad idea.

Much has been made of the privacy and security risk, by such sites as RFIDKills.com. Yes, “RFID Kills” is waaaay over-the-top, and will certainly sully the technology overall, but it’s with a purpose.

My comments to the State Department deal just as much with the practical question. What good does RFID do in a passport?:

If chips save significant time over optical character readers, the choice of a contactless RFID chip over a contact chip is not explained. This particularly needs justification in light of the security and privacy concerns that come with RFID chips that would store personal information unencrypted.

The configuration of the RFID chip and reader at border crossings would apparently require the chip to be brought within four inches of the reader, meaning that RFID holds a four-inch advantage over a contact chip. If the Department believes that not having to move passports four inches to make contact with a reader will alleviate congestion at international borders, it should say so. If it does not believe this, it should select a non-RFID chip at most, and perhaps withdraw the proposal entirely, sticking with optical character recognition.

That’s not to say we shouldn’t be wary of the abuse of government power, but it is to say that arguments over whether or not we should have a national ID are outdated. The truth is that we already have at least two national IDs: our driver’s license and our social security numbers.

The more important issue Americans face is how to ensure that government is strong enough to fight terrorists but also weak enough to be forced to respect liberty, privacy and the general will of the people. This may mean stronger security on national ID accompanied by stronger constraints on what government can do with the data. For more, see my recent column here.

“If you are one of the 10 million people who have purchased an Apple iPod, you’ve almost certainly loaded it up with songs from your favorite CDs,” Bob Sullivan writes on MSNBC.com.

But watch out. As the subtitle to his story so ominously puts it, “Database company provides song titles and quietly tracks digital music listener habits.” 

According to Sullivan, “privacy advocates” (not them again!) are concerned that a company called Gracenote is collecting data whenever you load a CD onto your computer and then onto your iPod.

Gracenote, as the article describes, has been doing this for years, whether you’ve noticed it or not. Usually when you insert a CD into your computer for the first time, it will send some information about that disc to Gracenote’s servers, which send back the album information–the artist, album name, track list, etc. That way, you don’t have to type it all in yourself. And after that, your computer stores the information instead of contacting Gracenote.

And Gracenote, as a company, seems to take privacy pretty seriously. To begin with, its network protocol includes no personally identifying information. (I wrote a Gracenote client a few years ago, when it was called CDDB.) It doesn’t even put a cookie on your computer or assign you a serial number. As a result, the company can’t really track what CDs you’ve put on your computer.

And it really doesn’t try to, either. A Gracenote spokeswoman tells Sullivan that the company does not even keep users’ IP addresses, a way of identifying computers on the Internet, after they look up an album. But even if the company did, it wouldn’t make much difference: many users are behind firewalls and share a single IP address with dozens or thousands of other users. And among those non-server computers that get their own IP addresses, most only keep a single address for a few days or a week before they are assigned a new one. If Gracenote did log IP addresses, the most it could tell is that some unidentifiable user at a particular network address inserted into his or her computer, for the first time, a certain list of CDs.

What data does Gracenote collect? It can tell what client you’re using–whether it’s iTunes, MusicMatch, or whatever. It can tell, very roughly, what region you’re in–for example, the Washington metropolitan area, but usually not your city and certainly not your neighborhood or street address. And it can tell what the CD you put into your computer is–assuming that you haven’t turned this feature off in your software. (It’s a prominent preference item in iTunes.) That’s about it.

Gracenote can’t even tell if your CD is real or a copy because of the way that it works.
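As an added illustration (this is not the author’s old CDDB client nor any Gracenote code), here is the classic CDDB disc-ID derivation and the lookup line a client sends. The key is computed purely from the disc’s table of contents (track start times and lead-out), which is why the lookup carries nothing about the user and why a burned copy with the same TOC is indistinguishable from the original. The function names and the three-track TOC are constructed for this example.

```python
# Added example: classic CDDB/freedb disc-ID derivation from a CD's table of
# contents (TOC). Function names and TOC values are constructed for illustration.

def cddb_sum(seconds: int) -> int:
    """Sum of the decimal digits of a track start time given in seconds."""
    total = 0
    while seconds > 0:
        total += seconds % 10
        seconds //= 10
    return total


def cddb_discid(track_starts_sec: list[int], leadout_sec: int) -> str:
    """Return the 8-hex-digit CDDB disc ID.

    track_starts_sec: absolute start time of each track in seconds (the first
    track normally begins at 2 s, after the standard 150-frame lead-in).
    leadout_sec: start of the lead-out area, i.e. the end of the last track.
    The ID packs a digit-sum checksum, the playable length in seconds and the
    track count; nothing about the user or the machine goes into it.
    """
    checksum = sum(cddb_sum(start) for start in track_starts_sec)
    length = leadout_sec - track_starts_sec[0]
    ntracks = len(track_starts_sec)
    discid = ((checksum % 0xFF) << 24) | (length << 8) | ntracks
    return f"{discid:08x}"


def cddb_query(track_starts_sec: list[int], leadout_sec: int) -> str:
    """Build the text-protocol lookup line: disc ID, track count, each track's
    offset in frames (75 frames per second) and the total length in seconds.
    This line is the entire disc fingerprint the server receives."""
    offsets = " ".join(str(start * 75) for start in track_starts_sec)
    return (f"cddb query {cddb_discid(track_starts_sec, leadout_sec)} "
            f"{len(track_starts_sec)} {offsets} {leadout_sec}")


# Constructed three-track disc: tracks start at 2 s, 182 s and 400 s; lead-out at 700 s.
ORIGINAL_TOC = ([2, 182, 400], 700)
# A burned copy reproduces the same TOC, so it yields the same ID.
COPIED_TOC = ([2, 182, 400], 700)
# A different pressing or album has a different TOC and a different ID.
OTHER_TOC = ([2, 181, 400], 700)

if __name__ == "__main__":
    print(cddb_discid(*ORIGINAL_TOC))   # 1102ba03
    print(cddb_query(*ORIGINAL_TOC))
```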

In that context, this seems a bit shrill:

“The user has immediate benefit, but the potential trade-offs are very unclear,” said Alessandro Acquisti, an expert on the economics of privacy at Carnegie Mellon University. “This is a problem for us on the Internet. It is difficult to assign a value to our data… and there is a future cost which is uncertain. Under these conditions, we often opt for immediate gratification.”…

“It is a technology that could be privacy diminishing,” Ponemon said. “People are starting to become more sensitive to things that relate to your hobbies, interests, your reading habits. To some people, that’s really sensitive. … What music they listen to may be a surrogate for what political beliefs they have.”…

“If the data is there, at some point, I’d bet somebody would find a way to make use of it in the particular, not just the general,” he said. While he hasn’t studied Gracenote, O’Harrow is an expert in marketing practices, and fears the chilling effect that could be produced if people know someone else knows their musical tastes.

“Those joyful moments when you are listening to Jimmy Page, maybe they aren’t as carefree anymore,” he said.

So what’s the beef? The real issue is probably that Gracenote sells some aggregate data to marketers. And once again, this raises “privacy advocates'” hackles. It’s not privacy that bothers them so much, it seems, as capitalism. Note that FreeDB, a less-comprehensive and less-reliable Gracenote knockoff run as a non-profit, doesn’t even merit a mention or complaint–even though it publishes pages like this and this!

But in this case, the critics are even more anti-consumer than usual. Think about it this way: Is it to your benefit, as a music listener, for an advertising exec to learn that, say, the Fiery Furnaces are gaining steam in Washington, D.C.?

Think about that the next time you’re watching television and marveling at how tone-deaf all of Madison Avenue must be.

This would be funny if it weren’t true:

Instead of competing head-to-head with his rivals in the business world, [True.com owner Herb] Vest has veered into the political world by pressing for new laws that would put True.com’s competitors at a severe disadvantage.

Vest has managed to convince legislators in states including California, Texas, Virginia, and Michigan to sponsor bills that would target rival dating sites like Match.com, Yahoo Personals, Spring Street Networks, craigslist and eHarmony.

Those sites would be required to stamp this stark warning atop every e-mail and personal ad, in no less than 12-point type: “WARNING: WE HAVE NOT CONDUCTED A FELONY-CONVICTION SEARCH OR FBI SEARCH ON THIS INDIVIDUAL.”

On second thought, it is funny, regardless.

The online-dating service True.com, no surprise, does perform such background checks–for felony and sexual convictions–while rivals like Match.com do not. But as Declan McCullagh reports, True.com’s background checks can be easily foiled: just provide a fake name. Any felon searching for love (or an easy mark) online should be able to figure that out.

Interestingly, the legislation, as proposed in California, would apply to any “social referral services,” including social networking sites (e.g., Friendster) and conceivably even message boards. Social software, a broad field now thriving with startups and energy, would be severely hamstrung. Could garage-stage entrepreneurs really afford to screen all their users? Would they want to?

So anyway, besides all the obvious concerns, there are two other problems with this particular proposal, assuming it could be made to work.

First, are mandatory background checks really in keeping with the free-for-all nature of the ‘Net? For many online flirts, a certain sense of freedom would be lost.

And second, shouldn’t consumer preferences matter? Should anyone visiting this site (or one of the many like it) really be forced to pay for a background check?

In the end, McCullagh’s conclusion is spot-on: “Leave love alone. It has enough problems flourishing without ‘help’ from politicians.”

Yet another impediment to rapid worldwide RFID deployment is the lack of qualified people to operate the systems. Yet another reason to retreat from the sci-fi view of RFID as all-encompassing.

“Stealing” Wi-Fi

November 23, 2004

A recent Slate article goes over the ins and outs of “stealing” your neighbors’ Internet connection via wi-fi:

Every techie I know says that you shouldn’t use other people’s networks without permission. Every techie I know does it anyway. If you’re going to steal–no, let’s say borrow–your neighbor’s Wi-Fi access, you might as well do it right. Step one: Lose the guilt. The FCC told me that they don’t know of any federal or state laws that make it illegal to log on to an open network. Using someone’s connection to check your e-mail isn’t like hacking into their bank account. It’s more like you’re borrowing a cup of sugar.

This techie doesn’t say that you shouldn’t use other people’s networks without permission. In fact, I deliberately leave my wi-fi network unprotected, in case my neighbors have problems with their service and need a backup. They also have wi-fi, and do the same. I have no idea if they’re doing it on purpose or don’t know any better, but in either event my mooching doesn’t seem to have bothered them.

Technically speaking, you probably are violating your ISP’s terms of service by “sharing” your connection. But those provisions are vague enough (and, if interpreted literally, silly enough) that I don’t have any real qualms about ignoring them. It doesn’t cost them appreciably more to occasionally carry traffic from my neighbors, and the benefit of having a backup Internet connection in a pinch is substantial.

My geeky ex-co-workers would kill me for saying this, but I really don’t think it’s a big deal from a security standpoint. Yes, if you happen to have a determined hacker next door to you, opening your wireless network makes his job easier. But the fact is that there are only a few thousand determined hackers in the country. My chances of landing one of them as a neighbor are remote. And besides, being my neighbor would make them pretty easy to catch if they did something illegal with my connection.

Assuming you don’t have a determined hacker next door, locking your computer down isn’t that difficult. Turn off services you don’t need, like file sharing. If you must use a local network service, make sure you pick a decent password for it. And never send personal information like credit cards via email or over other non-encrypted channels. Really, you should be taking all those steps whether you’re leaving your wi-fi network open or not–the unencrypted Internet is inherently insecure, and you should assume any open service could be hacked and any data sent in the clear could be snooped.

So I say: share and share alike. Let your neighbors use your wi-fi service, and go ahead and use theirs. Information, after all, wants to be free.

HT: J. Lo.