LinkedOut

As readers of this blog will know, I have a low opinion of LinkedIn, which I consider to be one of the most annoying, intrusive and useless online services in existence. (See here and here, for example.) So today, after yet another of my hapless connections had “endorsed” me for something for which I had never requested an endorsement, I finally got round to deleting my account. The ensuing dialogue box contained this interesting information.

[Image: LinkedIn_threats]

The second bullet-point has a vaguely menacing tone. Does it imply that someone else can use my email address(es) to open a (fake) LinkedIn account in my name? Or is it simply saying that I can always think again and use my email address to get back in?

Engineering ethics

Joe Bonneau is one of the smartest young people I’ve met. He was a Gates Scholar at Cambridge and did a PhD in Ross Anderson’s group in the Computer Lab. On July 18, his paper on “The Science of Guessing” won a prestigious award as the Best Scientific Cybersecurity Paper of 2012. But here’s the catch: the Award, which is judged by a panel of distinguished academic experts, is sponsored by the NSA!

Here’s how Joe blogged about it, and explained his thinking.

I’m honored to have been recognised by the distinguished academic panel assembled by the NSA. I’d like to again thank Henry Watts, Elizabeth Zwicky, and everybody else at Yahoo! who helped me with this research while I interned there, as well as Richard Clayton and Ross Anderson for their support and supervision throughout.

On a personal note, I’d be remiss not to mention my conflicted feelings about winning the award given what we know about the NSA’s widespread collection of private communications and what remains unknown about oversight over the agency’s operations. Like many in the community of cryptographers and security engineers, I’m sad that we haven’t better informed the public about the inherent dangers and questionable utility of mass surveillance. And like many American citizens I’m ashamed we’ve let our politicians sneak the country down this path.

In accepting the award I don’t condone the NSA’s surveillance. Simply put, I don’t think a free society is compatible with an organisation like the NSA in its current form. Yet I’m glad I got the rare opportunity to visit with the NSA and I’m grateful for my hosts’ genuine hospitality. A large group of engineers turned up to hear my presentation, asked sharp questions, understood and cared about the privacy implications of studying password data. It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade. Our focus must remain on winning the public debate around surveillance and developing privacy-enhancing technology. But I hope that this award program, established to increase engagement with academic researchers, can be a small but positive step.

This is — as you’d expect — a very adroit and sophisticated post by an interesting and thoughtful man. I’m inclined to agree with him that “America’s core problems are in Washington and not in Fort Meade [the NSA’s HQ]”. I guess that many (most?) of the engineers who work for the NSA (and GCHQ, for that matter) are decent and humane folks. But they must be reaching the point where they realise that there may be tricky ethical problems associated with working in these kinds of organisations, especially when they have no control over what their managerial or political masters do with their work.

The practice of engineering, in whatever speciality, often throws up ethical dilemmas, even though many engineers pretend that it doesn’t. After all, they protest, they’re just solving technical problems set to them by their employers. Moral and ethical questions are “above my pay-grade”, as the saying goes.

The first time I ever thought seriously about this was when I met Robert Jan van Pelt, an architectural historian and an expert on Auschwitz. He talked about the architectural and engineering documents pertaining to the design of Auschwitz that had been found in the Soviet archives in Moscow by a British historian. These documents show how professionals working for two firms, one an architectural practice, the other an engineering company which specialised in incinerators, struggled conscientiously to meet the ever-changing needs of a very demanding client — Himmler’s SS — as they sought to increase the capacity and the throughput of the camp. And both groups of professionals clearly understood what Auschwitz was for.

This is NOT to imply any kind of moral equivalence between those who work for outfits like the NSA and those who serviced the Nazi genocidal programme. But engineering is, like most other kinds of professional practice, drenched in ethical questions. Even as I write this, there are engineers working for arms companies (for example designing lethal unmanned drones, ingenious new fragmentation bombs whose fragments are less easily detected by X-rays, or covert online surveillance technology for authoritarian regimes). All medical schools now insist that their students study ethics. Should engineering schools do the same?

Why advertisers are obsessing about the ‘interest graph’

George Orwell once observed that watching an idea move through a communist meeting was like watching a flurry of wind move across a ripe cornfield. Each stalk sways briefly and then resumes its upright posture. Much the same goes for the folks who are desperate to make money from online advertising. Once upon a time, they were all obsessing about the ‘social graph’ (i.e. Facebook). Now they’ve moved on to the ‘interest graph’. Just came on a neat explanation of the idea, apparently taken from a Goldman Sachs interview (so you know how seriously to take it).

Social graph signals have not been helpful in optimizing advertising. It seems intuitive to everyone that your friends’ recommendations would be powerful motivators…but when you look a little deeper, you hang out with people who have very different tastes than you. And you may have a special affinity through a hobby or something that they don’t share. One of the mythical high grounds that everyone’s thinking about…is this notion of an interest graph. Facebook connects you with people you know. But what connects you, if you’re into road biking, with the top 15 road bikers that are within 15 miles of where I live? 

[For a platform to] capture the interest graph, they’d be closer to the Google search paradigm, because they’d be right in line with demand generation, and with discovery that relates to product purchases. Context, for the history of the Internet, has been a big deal. The websites that do verticals, while they may not have abundant traffic, have always had huge CPMs, relative to the “Yahoo! Mail”s of the world. That may be this middle ground, between search and the social graph, to bring together people with like interests.

I wonder what the next obsession will be?

So how many Booz Allen employees are reading your email?

Glenn Greenwald had a fascinating conversation with George Stephanopoulos on ABC’s Sunday morning TV show, This Week, in which Greenwald said, at one point,

One of the most amazing parts of this entire episode has been that top-level national security officials like James Clapper really did get caught red-handed lying to the American Congress, which everyone now acknowledges, about what the NSA is doing. And it’s amazing that he not only hasn’t been prosecuted, but still has his job. And what that does is, it lets national security officials continue to lie to the public, which is what happened in that exchange you just referenced.

The way that I know exactly what analysts have the capability to do when they’re spying on Americans is that the story I’ve been working on for the last month that we’re publishing this week very clearly sets forth what these programs are that NSA analysts — low level ones, not just ones who work for the NSA, but private contractors like Mr. Snowden — are able to do. The NSA has trillions of telephone calls and emails in their databases that they’ve collected over the last several years. And what these programs are, are very simple screens like the ones that supermarket clerks or shipping and receiving clerks use, where all an analyst has to do is enter an email address or an IP address and it does two things: it searches a database and lets them listen to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you’ve entered. And it also alerts them to any further activity that people connected to that email address or that IP address do in the future.

And it’s all done with no need to go to a court, with no need to even get supervisor approval on the part of the analyst. There are legal constraints for how you can spy on Americans. You can’t target them without going through the FISA court. But these systems allow analysts to listen to whatever emails they want, whatever telephone calls, browsing histories, Microsoft Word documents. It’s an incredibly powerful and invasive tool exactly of the type that Mr. Snowden described. And NSA officials are going to be testifying before the Senate on Wednesday. And I defy them to deny that these programs work exactly as I just said.

Two points here. The first is the question of why a public official who lies to Congress has not been suspended, prior to prosecution? The second is whether the NSA officials who are scheduled to testify before Congress on Wednesday will be asked to respond under oath to Greenwald’s remarks?