Digital Footprints

Hot off the digital presses at the Pew Internet & American Life project…

Internet users are becoming more aware of their digital footprint; 47% have searched for information about themselves online, up from just 22% five years ago. However, few monitor their online presence with great regularity. Just 3% of self-searchers report that they make a regular habit of it and 74% have checked up on their digital footprints only once or twice.

Indeed, most internet users are not concerned about the amount of information available about them online, and most do not take steps to limit that information. Fully 60% of internet users say they are not worried about how much information is available about them online. Similarly, the majority of online adults (61%) do not feel compelled to limit the amount of information that can be found about them online.

In addition to providing national telephone survey data, this report includes quotes from online survey respondents as well as experts in the fields of privacy, online identity management and search.

Full report (pdf) from here.

‘Default to public’, and its implications

Interesting Guardian column by Jeff Jarvis.

According to the marketing firm Alloy, 96% of teens and tweens use social networks; they are now universal. And I think this means that they will maintain friendships longer in life. Which, in turn, could lead to richer friendships. No longer can you escape relationships when you move on; you will be tied to your past – and to the consequences of your actions. I hope this could make us better friends.

But because you can’t escape your past, this also means that you could do one stupid thing in life, forever memorialised in Google, and you are embarrassed in perpetuity.

The Google chief executive, Eric Schmidt, jokes that we all should be able to change our names and start fresh at age 21. But I think we’ll be protected by mutually assured humiliation: we will all have our moments of youthful indiscretion and so we will have to forgive others’ if we want them to ignore ours. So you inhaled – so did I, what of it? That will be the golden rule of the social internet. And I say that could make us more tolerant.

There are other benefits to living life in public and, as a result, collaboratively. When the photo site Flickr began, its co-founder Caterina Fake said it made the fateful and fortunate decision to “default to public”.

The real Web 2.0

Nick Carr has an interesting post about what’s going on under the hood, as it were. It’s started me brooding…

Web 2.0 isn’t about applications. It’s about bricks and mortar. It’s about capital assets. It’s about infrastructure.

Yesterday, Google formally announced that, in addition to building a big utility computing plant in Lenoir, it will also build one a little to the south, at a 520-acre site in Mt. Holly, South Carolina, near Charleston. The company will be reimbursed by the state for some of its building expenses, and, the governor reports, legislators have “updated the state tax code to exempt the electricity and the capital investment in equipment necessary for this kind of a facility … from sales tax,” an exemption similar to one granted manufacturers. Google expects to invest $600 million in the facility and hire a modest 200 workers to man the largely automated plant. Google may also build yet another data center in Columbia, South Carolina.

At a pork barbecue celebrating the announcement of the data center deal, Google held a question and answer session with local dignitaries, but it was characteristically closed-mouthed about the details of its operation. Asked how it uses water and electricity at its sites, Google executive Rhett Weiss said, “We’re in a highly competitive industry and, frankly, one or two little pieces of information like that in the hands of our competitors can do us considerable damage. So we can’t discuss it.”

He goes on to discuss what Microsoft is doing in the infrastructure line too.

The local paper’s account of the Google deal is hilarious. Sample:

The company hopes to open its first building by December and the second building 18 months later.

It plans to begin advertising for the leadership positions on its Web site by next week at the latest.

Chris Kerrigan, president of the Trident United Way, said Google and Alcoa donated the money from the timber sale to Links to Success, a program that tries to keep children in schools in Dorchester and Berkeley counties.

Berkeley County Supervisor Dan Davis also praised the company for writing the county a check for $4.34 million for the right to tap into the water system.

Davis said the company could have spread the payment out over 30 years if it had wanted to.

John Scarborough, the county’s director of economic development, said the company’s annual payroll in Berkeley County will be about $12 million to $15 million, much of which will be spent in the area.

He said luring Google will be a major status symbol for Berkeley County.

“It shows companies that in Berkeley County we can handle the big projects, we can handle them professionally and confidentially, and we can solve problems that need to be solved,” he said.

EU has plans for your privacy

From today’s New York Times

PARIS, Feb. 19 — European governments are preparing legislation to require companies to keep detailed data about people’s Internet and phone use that goes beyond what the countries will be required to do under a European Union directive.

In Germany, a proposal from the Ministry of Justice would essentially prohibit using false information to create an e-mail account, making the standard Internet practice of creating accounts with pseudonyms illegal.

A draft law in the Netherlands would likewise go further than the European Union requires, in this case by requiring phone companies to save records of a caller’s precise location during an entire mobile phone conversation….

Apart from anything else, it’s an idiotic concept because it wouldn’t apply to services based in the US. So people will continue to use Gmail, Hotmail, Yahoo Mail etc. Unless, of course, the EU proposes to make it a crime for European citizens to have a Gmail account.

Hack early, hack often

This morning’s Observer column — on the security vulnerabilities of voting machines.

Oddly enough, it wasn’t these flaws that forced the ministry’s hand, but the further discovery that the ES3B emitted enough electromagnetic radiation for its operations to be monitored by snoopers, thereby violating the constitutional requirement for secret ballots. As a result, municipalities that had planned to use the ES3B have gone into panic mode. There was a stampede to purchase the alternative – and supposedly safe – voting machine, but supplies soon ran out.

Officials in Amsterdam, having decided to go back to pencil and paper, discovered that some ingenious jobsworth had sold all the old ballot-boxes for €25 apiece – and the Dutch media have been gleefully unearthing the uses to which their proud new owners have put them. (One has made an attractive barbecue from his.)

The key to votes

From Ed Felten’s Blog

The access panel door on a Diebold AccuVote-TS voting machine — the door that protects the memory card that stores the votes, and is the main barrier to the injection of a virus — can be opened with a standard key that is widely available on the Internet.

On Wednesday we did a live demo for our Princeton Computer Science colleagues of the vote-stealing software described in our paper and video. Afterward, Chris Tengi, a technical staff member, asked to look at the key that came with the voting machine. He noticed an alphanumeric code printed on the key, and remarked that he had a key at home with the same code on it. The next day he brought in his key and sure enough it opened the voting machine.

This seemed like a freakish coincidence — until we learned how common these keys are.

Chris’s key was left over from a previous job, maybe fifteen years ago. He said the key had opened either a file cabinet or the access panel on an old VAX computer. A little research revealed that the exact same key is used widely in office furniture, electronic equipment, jukeboxes, and hotel minibars. It’s a standard part, and like most standard parts it’s easily purchased on the Internet. We bought several keys from an office furniture key shop — they open the voting machine too. We ordered another key on eBay from a jukebox supply shop. The keys can be purchased from many online merchants.

Using such a standard key doesn’t provide much security, but it does allow Diebold to assert that their design uses a lock and key. Experts will recognize the same problem in Diebold’s use of encryption — they can say they use encryption, but they use it in a way that neutralizes its security benefits.

The bad guys don’t care whether you use encryption; they care whether they can read and modify your data. They don’t care whether your door has a lock on it; they care whether they can get it open. The checkbox approach to security works in press releases, but it doesn’t work in the field.

Update (Oct. 28): Several people have asked whether this entry is a joke. Unfortunately, it is not a joke.

It turns out that the same key opens the Nedap/Groenendaal e-voting machines that the Dutch government has decided are unsafe for the forthcoming November 22 general election! Truly, you could not make this stuff up.

Schneier on the Facebook Riots

Thoughtful article by Bruce Schneier in Wired News

As the Facebook example illustrates, privacy is much more complex. It’s about who you choose to disclose information to, how, and for what purpose. And the key word there is “choose.” People are willing to share all sorts of information, as long as they are in control.

When Facebook unilaterally changed the rules about how personal information was revealed, it reminded people that they weren’t in control. Its 9 million members put their personal information on the site based on a set of rules about how that information would be used. It’s no wonder those members — high school and college kids who traditionally don’t care much about their own privacy — felt violated when Facebook changed the rules.

Unfortunately, Facebook can change the rules whenever it wants. Its Privacy Policy is 2,800 words long, and ends with a notice that it can change at any time. How many members ever read that policy, let alone read it regularly and check for changes?

Not that a Privacy Policy is the same as a contract. Legally, Facebook owns all data that members upload to the site. It can sell the data to advertisers, marketers and data brokers. (Note: There is no evidence that Facebook does any of this.) It can allow the police to search its databases upon request. It can add new features that change who can access what personal data, and how.

But public perception is important. The lesson here for Facebook and other companies — for Google and MySpace and AOL and everyone else who hosts our e-mails and webpages and chat sessions — is that people believe they own their data. Even though the user agreement might technically give companies the right to sell the data, change the access rules to that data or otherwise own that data, we — the users — believe otherwise. And when we who are affected by those actions start expressing our views — watch out.

Hmmm… I’ve been looking at the Facebook privacy statement and it seems to me to be more reasonable than I had expected from reading Schneier’s piece. Also — unusually — it is written in plain English rather than legalese.

Nevertheless, I agree with Schneier’s general conclusion:

The lesson for Facebook members might be even more jarring: If they think they have control over their data, they’re only deluding themselves. They can rebel against Facebook for changing the rules, but the rules have changed, regardless of what the company does.

Whenever you put data on a computer, you lose some control over it. And when you put it on the internet, you lose a lot of control over it. News Feeds brought Facebook members face to face with the full implications of putting their personal information on Facebook.

Anonymous browsing

Hacktivismo has just released Torpark, an anonymous, fully portable Web browser based on Mozilla Firefox. Torpark comes pre-configured, requires no installation, can run off a USB memory stick, and leaves no tracks behind in the browser or computer. Torpark is a highly modified variant of Portable Firefox, that uses the TOR (The Onion Router) network to anonymize the connection between the user and the website that is being visited.

“We live in a time where acquisition technologies are cherry picking and collating every aspect of our online lives,” said Hacktivismo founder Oxblood Ruffin. “Torpark continues Hacktivismo’s commitment to expanding privacy rights on the Internet. And the best thing is, it’s free. No one should have to pay for basic human rights, especially the right of privacy.”

Torpark is being released under the GNU General Public License and is dedicated to the Panchen Lama…

And — right on cue — the United Arab Emirates has barred the Torpark download site!

Dunn falls on her sword

Patricia Dunn is stepping down as the H.P. bugging scandal gathers speed. New York Times report says:

The furor over Hewlett-Packard’s spying operation claimed its highest-ranking victim on Friday with the immediate resignation of its chairwoman, Patricia C. Dunn.

The move was announced by Mark V. Hurd, the chief executive, who will now succeed her. But even as he offered an account of an investigation gone awry, and offered apologies to those whose privacy was invaded, he made it clear that many questions had yet to be answered.

His voice shaking, Mr. Hurd said a review of the means used to trace leaks from the company’s board had produced “very disturbing” findings. He also conceded that “I could have, and I should have,” read a report prepared for him while the operation was under way…