Not In Sync

For a month I’ve been unable to log into BU Faculty Link or other Kerberos-protected sites with Chrome, my default browser. I deleted all passwords saved in Chrome and disabled its auto login features but the BU network still keeps me out. I worked around it by using Firefox to access these sites. Then today BUWorks, the portal for payroll, HR, and other employee functions, also failed to operate with Firefox 7 and IE 9. A bit of digging revealed that BUWorks officially does not operate with either–a pain if you keep browser software up-to-date.

OpenDNS

With Security at Risk, A Push to Patch the Web in today’s NY Times reminded me about OpenDNS, a free domain name system service.  The article, which deals with a serious security flaw discovered in the operation of the domain name system earlier this year by Dan Kaminsky, an Internet security expert, notes that individuals and small businesses can protect themselves from the flaw by using OpenDNS.   I configured my home network router for OpenDNS a few years ago and never thought about it again.  The router failed six months ago and, reading this article this morning, I realized I never changed the default server settings on the new router to use OpenDNS.  Making and implementing the changes took just a few minutes.  The OpenDNS site provides simple instructions for configuring popular routers and changing DNS settings in Macs, PCs, and other devices.  Take five minutes and do it.

You’ll Never Walk Alone

The NSA is not the only one monitoring every move you make, every breath you take. In their desire to anticipate our wants and needs before we know them ourselves, the New York Times reports that major web companies–Yahoo!, Google, AOL (it’s still around? I’ll be damned)–are “gathering clues about the tastes and preferences of a typical user several hundred times a month.” They too are ever-careful not to abuse our privacy and besides, “the data [they collect] is a boon to consumers, because it makes the ads they see more relevant.” You know what would be even more of a boon than more relevant ads? Fewer ads.

Privacy and Security

A story in yesterday’s Wall Street Journal titled NSA’s Domestic Spying Grows as Agency Sweeps Up Data (subscription required) reports that–

According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA’s own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge’s approval when a link to al Qaeda is suspected.

The NSA’s enterprise involves a cluster of powerful intelligence-gathering programs, all of which sparked civil-liberties complaints when they came to light. They include a Federal Bureau of Investigation program to track telecommunications data once known as Carnivore, now called the Digital Collection System, and a U.S. arrangement with the world’s main international banking clearinghouse to track money movements.

The effort also ties into data from an ad-hoc collection of so-called “black programs” whose existence is undisclosed, the current and former officials say. Many of the programs in various agencies began years before the 9/11 attacks but have since been given greater reach. Among them, current and former intelligence officials say, is a longstanding Treasury Department program to collect individual financial data including wire transfers and credit-card transactions.

An NSA spokeswoman stated that the Agency “strictly follows laws and regulations designed to preserve every American’s privacy rights under the Fourth Amendment to the U.S. Constitution.” If you find comfort in that statement, consider this description of how the Agency uses its expanded domestic surveillance authority to pursue leads:

If a person suspected of terrorist connections is believed to be in a U.S. city — for instance, Detroit, a community with a high concentration of Muslim Americans — the government’s spy systems may be directed to collect and analyze all electronic communications into and out of the city. The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.

The information collected “doesn’t generally include the contents of conversations or emails.” Generally. That’s a word we lawyers use to say “most of the time we don’t, unless we do.” Even without such content the NSA can identify the parties to phone calls and emails, their locations, and their cell phone numbers. The telecoms enable the NSA’s efforts either by copying all data through their switches to share with the NSA, or by ceding control to the NSA over the switches. The White House is pushing a bill that would immunize the telecoms from liability for privacy claims arising from this data collection. The NSA domestic surveillance program includes elements of and technology from the Pentagon’s Total Information Awareness initiative that Congress defunded in 2003 following criticism of TIA’s potential for civil rights abuses. Before it was killed the Pentagon renamed TIA to Terrorist Information Awareness to make it seem less creepy. Now the NSA is implementing TIA through its “black budget,” beyond effective non-NSA scrutiny.

The Journal story reminded me of a recent Wired column by the always-prescient Bruce Schneier: What Our Top Spy Doesn’t Get: Security and Privacy Aren’t Opposites. Schneier’s column focuses on a proposal from National Intelligence Director Michael McConnell to monitor all–“that’s right, all–” Internet communications:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. “Google has records that could help in a cyber-investigation,” he said. Giorgio warned me, “We have a saying in this business: ‘Privacy and security are a zero-sum game.'”

This states it as baldly as one can. This administration’s top intelligence personnel consider every increase in security to require a corresponding decrease in privacy. As Schneier states, “I’m sure they have that saying in their business. And it’s precisely why, when people in their business are in charge of government, it becomes a police state.” Schneier says privacy versus security is a false dichotomy, that the true dichotomy is between liberty and control–and that “liberty requires both security and privacy.”

Facebook Two-Step

As discussed previously (here, here, here, here, and here), when it comes to issues of user information and privacy Facebook has shown an unerring ability to get things right, sort of, only after it gets things really wrong. The latest example surfaced last weekend when the New York Times reported that “[s]ome users have discovered that it is nearly impossible to remove themselves entirely from Facebook, setting off a fresh round of concern over the popular social network’s use of personal data.” When users deactivated their accounts Facebook kept “copies of the information in those accounts indefinitely.” Said former Facebook account holder Nipon Das, “It’s like the Hotel California . . . You can check out any time you like, but you can never leave.” On Wednesday came the story that, following the inevitable creation of a Facebook user group protesting retention of account content, the company “modified its help pages to tell people that if they wanted to remove their accounts entirely, they can direct the company by e-mail to have it done. But . . . representatives of Facebook stopped short of saying the company would introduce a one-step delete account option.”

This is the dark side of Web 2.0/social networking sites. Users may create the content but it is controlled by and treated as the property of the networking sites.

Qtrax: Oops

Someone commented recently about Qtrax, a recently-announced music file-sharing company that promised a free download service with 25 million licensed songs. There’s only one problem: as reported in Music site Qtrax forced into humiliating U-turn, the company neglected to secure deals with the four major record labels before its splashy $500,000 launch party. These folks would have felt right at home during the late-90s dot-com bubble.

Networking for $

A few days after Mark Zuckerberg apologized for how Facebook handled the rollout of its Beacon and Social Ads programs–“We’ve made a lot of mistakes building this feature, but we’ve made even more with how we’ve handled them. We simply did a bad job with this release, and I apologize for it” (Wall Street Journal)–Facebook ads are in the news again. Using a service called Weblo, Facebook members are placing ads on their own profile pages, their value determined “based on variables like how many friends they have in their social networks, and, thus, how many people will likely see ads on their pages.” Facebook’s terms of use prohibit such ads because, according to its chief privacy officer, “Facebook does not want people’s profile pages to become cluttered.” That’s disingenuous. My modest Facebook profile page, which features little personal information, no news feed, one photo, and few messages, contains nine separate content panes. One would barely notice if it contained an ad or two.

This isn’t about clutter and page design. As the Beacon and Social Ad programs demonstrate, Facebook wants to convert the wealth of users’ personal information into ad revenue for its own coffers. This is the conflict inherent in social networking sites: the site owner provides the platform, the users provide all of the content, so who has the right to the economic benefit in the aggregate content? There would be no content without the users, but the individual browsing histories and purchasing choices of 1,000,000 users, taken one at a time, are worth far less in total than the aggregate of that information. Only Facebook is in the position to obtain the maximum value from that aggregated information. Facebook could share revenue with those users who choose to share their information and reduce the incentive for individual ads. It should start by being honest about the issue these ads raise.

Priming the Pump

In the blur of class preparation, reading papers, meetings with students, social engagements, workouts, and late-night Patriots games my desktop has become jammed with articles and ideas. Since I can’t go back in time I’ll clear the slate with these brief posts and try to get back in posting rhythm.

First, Facebook Founder Finds He Wants Some Privacy reports on Mark Zuckerberg’s attempts to force 02138 magazine (for those who do not “go to school in Cambridge,” 02138 is the Harvard zip code) to remove some “unflattering documents” from its website. A freelance reporter obtained the documents from the federal district court in Boston, where they were filed in connection with a lawsuit against Zuckerberg by the founders of ConnectU, who claim that Zuckerberg stole their idea for a campus-based networking site after they engaged Zuckerberg for programming help. The documents “include Mr. Zuckerberg’s handwritten application for admission to Harvard and an excerpt from an online journal he kept as a student that contains biting comments about himself and others.” The court rejected Zuckerberg’s motion to remove the documents without explaining its ruling.

Steven Kirsch–inventor, serial entrepreneur, and philanthropist–has come up with a new way to stop junk email. Spam’s End? Maybe, if Time Allows discusses his scheme and his personal challenge in seeing it to fruition. Kirsch has Waldenstrom’s macroglobulinemia, a form of blood cancer that is “considered incurable, although it can be managed beyond the five- to seven-year longevity that new patients are usually told to expect.” His spam-blocking technique relies on “the recognition that the ratio of spam to legitimate e-mail is individually unique. It is also a singular identifier that a spammer cannot manipulate easily. By assessing the combined reputations of the recipients of any individual message, the Abaca system determines the ‘spaminess’ of a particular message.” Kirsch is approaching his illness like an engineer, treating it as a problem requiring a solution.

Adult website Perfect 10–described by a defendant in a lawsuit as “a serial filer of nuisance copyright claims”–has come up short in one of its suits. This week the U.S. Supreme Court refused to hear its appeal from the 9th Circuit’s decision in Perfect 10 v CCBill LLC. In one of those coincidences that makes teaching–especially teaching Internet law–so much fun, the Court denied Perfect 10’s appeal on Monday of a week in which we are reading and discussing Perfect 10’s copyright lawsuits against Google and CCBill. To be fair, the 9th Circuit did remand the case against Google for further consideration of some of Perfect 10’s claims.

Last for this desk-clearing exercise, there have been numerous articles written about the suicide of 13 year-old Megan Meier. The story in a nutshell:

Meier met a 16-year-old named “Josh Evans” on MySpace. Her mother reluctantly gave permission to add Josh as a friend and visit with him online. They became close, but he suddenly turned on her, calling her names, saying she was “a bad person and everybody hates you.” Others joined the harassment, and the barrage culminated in Meier’s Oct. 16, 2006, suicide, just short of her 14th birthday.

Weeks later, Meier’s parents learned the boy didn’t exist—he’d been fabricated by a neighbor, Lori Drew, the mother of one of Meier’s former friends. The girls had had a falling-out, police say, and Drew wanted to know what Meier was saying about her daughter.

Drew managed to stay under the radar for a while but eventually she was outed–a Google search for “Lori Drew” yields about 59,000 hits and a search for <“Lori Drew” helicopter parent> yields almost 370 hits including Judith Warner’s piece in the NY Times: Helicopter Parenting Turns Deadly. Outrage and venom notwithstanding, the local prosecutor announced this week that he will not charge Drew in Megan Meier’s death because her conduct did not violate any criminal statutes. He reviewed laws related to stalking, harassment and child endangerment before making his announcement. “[Prosecutor Jack] Banas said harassment and stalking laws both require proof that communication was made to frighten, disturb or harass someone. In this case, he said, the fictitious MySpace profile was created not to bully Megan, but to find out what she was saying about the neighborhood mother’s then-13-year-old daughter, a former friend. ‘There are a few statements at the end that are a heated argument,’ he said. ‘That’s why you have a hard time making a harassment case.’”