Tag Archives: Law

The Gist of Things

(This is a copy of my Loose Wire Service column, produced for newspapers and other print publications. Hence the lack of links.)

By Jeremy Wagstaff

It’s interesting to see how we’ve changed in the past few years.

If you had predicted that we could follow someone’s activities by accessing a single page, right down to where they were, what restaurant they’d visited, where they’d been on holiday, what they were reading, what they were listening to, their employment history, what had made them laugh or cry, the reaction would probably have been somewhat negative.

Back then we had a different idea of privacy.

We basically saw privacy as a garden fence. Only neighbors could look in—unless they’ve got telescopes and twitching curtains. Our privacy wasn’t exactly a massive wall, but a shared understanding that there was a kind of wicker fence, or hedge, between us and the outside world.

Nowadays—maybe five years on—our views have changed. Well, they haven’t really changed, because I don’t think we really ponder it too much. Perhaps we’ve just tacitly accepted that the garden fence no longer exists.

This is probably because the benefits of accepting this outweigh the disadvantages.

Let’s look at the first bit again. If we befriend people on Facebook, we share with them tonnes of personal information, from our birthdays to our kids’ photos to our views and thoughts on the world, revealing either directly or indirectly all sorts of things about our lives.

Two friends died recently and Facebook was the vector for not only that information but for the grieving process of all their friends and relatives.

What was private or intimate is now public or semi-public.

LinkedIn blasts our CVs out there for everyone to see. What we once treated as confidential is now public—including our yearnings for another job. If you doubt me, scroll down to the bottom of a LinkedIn page and you’ll see how many people have opted to include the line “interested in career opportunities”. I’m surprised this doesn’t put more bosses’ noses out of joint.

Then there’s Twitter: Everything we feel, think, or get irked by is out there for everyone to see.

Music sites like Last.fm and Pandora share what you’re listening to, while Google Latitude and foursquare share your location.

You can get a sense of how all this fits together—and why, perhaps, it’s not such a bad thing—when you try out services like Gist. Gist assembles all the people in your address book and creates sort of virtual pages for them, populating each with whatever it can find on the Internet about them.

So, their LinkedIn page, their Twitter feed, their MySpace page, their blog, any mentions of them in the media, are all collected together, alongside your email exchanges with them and other people involved in those email exchanges. Calendar entries and email attachments are all there, easily found and reconciled.

The result is a somewhat disconcerting, but very useful, page which tells you everything you need to know about that person in order to remain in contact.

Indeed, that’s the purpose of Gist: to turn business networking into more of a science and less an art. You can see when you last communicated with them—and whether you should ping them to keep things bubbling.

Gist has even bought a service that flashes photos of your contacts at you to help you remember who they are.

From a privacy point of view, it’s unnerving to see your details so readily collated in someone else’s address book. And from a human point of view, it’s scary to see the personal reduced to a few algorithms and search spiders.

But it’s actually very useful, and turns our familiar tools of email and contact books into something more dynamic.

I don’t care so much about staying in touch with business contacts; I do, however, like to be able to see what my friends and colleagues have been talking about. And to be able to see all that on one page is a boon.

It bypasses both my address book and my email service. Gist finds pictures of the people I’m corresponding with before I’ve even met them. (Some surprises are in store: Not everyone is the gender you think they are.)

This, in short, is what has happened to our notions of privacy. What once would have been considered somewhat creepy stalking is now considered a valid means of staying on top of all the people and bits and pieces in your professional life.

No more garden fences. Now it’s more like a permanent open house cum garage sale, where anyone can poke around as much as they like.

And maybe offer you a job.

Art, the Internet and the Rise of Symbiosis

Great piece from the NYT on the decline of mystery and the rise of symbiosis for artists, who find there’s a living of sorts to be made by engaging with fans online and allowing the community that emerges to choose the direction their musical careers take — even to the point of how much to charge for their creations. But it leaves some doubts:

clipped from www.nytimes.com

“I vacillate so much on this,” Tad Kubler told me one evening in March. “I’m like, I want to keep some privacy, some sense of mystery. But I also want to have this intimacy with our fans. And I’m not sure you can have both.”

The Privacy Myth

If there’s one myth that endures in this age of online participation, blogs, shared photo albums and Web 2.0, it’s that we’ve overcome our concerns about privacy. It sounds, on the surface, logical: We must have gotten over this weird paranoia, or else why would we share so much online? Why would we bother about privacy issues when there’s no real evidence that people, companies, governments and the NSA are out to get us? This, for example, from Web 2.0 blog TechCrunch guest contributor Steve Poland:

I’m sure there’s data to back me up on this, but today compared to 10 years ago — people are way more comfortable with the Internet and have less privacy concerns. Or at least the younger generations that have grown up with the Internet aren’t as concerned with privacy — and spew what’s on their mind to the entire world via the web.

I can’t speak for the younger generation, having been kicked out of it some years ago. But if we’re talking more generally about folk who have embraced the Net in the past 10 years, I’d have to say I don’t think it’s that we don’t care about privacy. We just don’t understand it. In that sense nothing has changed. I think what is happening is the same as before: People don’t really understand the privacy issues of what they’re doing, because the technology, and its liberating sensuality, are moving faster than we can assimilate them into our culture. This is not new: Technology has always outpaced our intellectual grasp. If you don’t believe me, think radio, TV, cars and cellphones. We were lousy at predicting the impact of any of these technologies on our environment. Lousy.

Usually, it’s because we just don’t stop to think about the privacy implications, or we don’t stop to ask deeper questions about the sacrifices we may be making when we buy something, give information to a stranger, register for something, accept something, invite someone in to our digital lives, install software, sign up for a service, or simply accept an email or click on a link. The speed of communication – click here! register here! — makes all this easier. But I don’t really blame the reader. Often it’s us journalists who are to blame for not digging enough.

Take, for example, a new service called reQall from QTech Inc in India. On the surface, it sounds like a great service: phone in a message to yourself and it will appear in your email inbox transcribed with 100% accuracy. Great if you’re on the road, on the john or at a party and don’t want to start jabbing away or scrawling the note on the back of your spouse’s neck.

Rafe Needham of Webware initially enthuses about it on his blog. But then he later finds out that

Update: I’m told that ReQall’s speech-to-text engine isn’t wholly automated. “We use a combination of automated speech recognition technology and human transcription,” a company co-founder told me. Which means there may be someone listening to your notes and to-do items. Yikes!

Yikes indeed. Who would record a message knowing that a stranger is going to be transcribing it, and a company storing it on their servers? To be fair to Rafe he’s not the only one not to initially notice this privacy angle. And at least he bothers to write it up. Dean Takahashi didn’t mention it in his (admittedly) brief Mercury News piece, for example. The company’s press release makes no mention of it either, saying only that

reQall is patent-pending software technology that uses a combination of voice interface and speech-recognition technology to record, log and retrieve your tasks, meetings and voice notes.

(The same press release appears on Forbes’ own website, which I always think looks a bit odd, as if there’s no real difference between a story and a press release. But that’s another rant for another day.) That, frankly, would leave me thinking there was no human interaction either.

But then again, there are clues here and if we (by which I mean us hacks) were doing our job we should probably follow them. Any Google search for reqall and privacy throws up an interesting trail. A CNN report on memory quoted Sunil Vemuri talking about reQall but says issues about privacy and keeping such records free from subpoena have yet to be worked out. When a blogger called Nikhil Pahwa quoted CNN on ContentSutra someone from QTech wrote in:

Please note that there is an inaccuracy in the post. QTech is not “currently working on sorting out issues related to privacy laws, and how to prevent these recordings from being subpoenaed.” Can you correct this?

The text was duly crossed out, so now it reads:

According to the report, they’re currently working on sorting out issues related to privacy laws, and how to prevent these recordings from being subpoenaed are still to be worked out.

So we’re none the wiser. Are there issues? Are QTech working on those issues? Or are there issues that other people are working on, not QTech? Their website sheds little light. There’s nothing about human transcription on any of the pages I could find, nor in the site search. Their privacy policy (like all privacy policies) doesn’t really reassure us, but neither does it explicitly scare our pants off. A brief jaunt through it (I’m not a lawyer, although I sometimes wish I was, and I think John Travolta in “A Civil Action” makes a good one) raises these yellow flags:

  • QTech can use your location, contact details etc to “send you information related to your account or other QTech Service offerings and other promotional offerings.” I.e. the company knows where you are, your phone number and home address and could spam you.
  • QTech may “include relevant advertising and related links based on Your location, Your call history and other information related to Your use of the Services.” I.e. The company could send you stuff based on what information you’ve given in your messages, and any other information you carelessly handed over during the course of using the service.
  • QTech can use the content of your audio messages (and your contact information) for, among other things, “providing our products and services to other users, including the display of customized content and advertising, auditing, research and analysis in order to maintain, protect and improve our services … [and] developing new services.” I.e. the company can mine the contents of your messages and other stuff and spam other customers. Somehow this seems more scary than actually spamming you.
  • QTech will hold onto those messages “for as long as it is necessary to perform the Services, carry out marketing activities or comply with applicable legislation.” I.e. don’t think your messages are going to be deleted just because you don’t need them anymore.

Privacy documents are written by lawyers, so they’re about as weaselly as they can be. And QTech’s is no different. But there is some cause for concern here, and we journalists should at least try to explore some of these issues. I looked for any acknowledgement that there’s a human involved in the transcription, and some reassurance that the content of those messages is not going to be mined for advertising purposes, and that it would be possible for customers to insist their messages are deleted. I couldn’t find anything, although to their credit QTech do say they won’t “sell, rent or otherwise share Your Contact Information or Audio Communications with any third parties except in the limited circumstance of when we are compelled to do so by a valid, binding court order or subpoena”. But if QTech are doing their own advertising then does that really make any difference?

I’m seeking comment from QTech on this and will update the post when I hear it. And this isn’t really about QTech; it’s about us — citizens, readers, bloggers, journalists — thinking a little harder about our privacy before we throw it away for a great sounding service. Do you want, for example, your personal memos (“Calling from the pub. God I really need a holiday. I think I’m cracking up”) mined for advertising (“Hi! Can I interest you in a Caribbean cruise? I hear you’re cracking up!” “Hi, need psychological counselling? I’m told you do” “Hi! Need Viagra? I hear from that last message you left you probably do”)?

Are You a Pirate?

In my town piracy, I suspect, is the norm. But in an effort to see whether that’s true, and how that compares to other places, I’ve launched a survey, which I hope you, dear reader, will take a few minutes to complete.

It’s entirely anonymous, I’m not connected to the industry, and I have no intention of kowtowing to anyone, except perhaps my wife.

The questions are kind of designed to find out how widespread consumption of pirated content is and where, if any, the moral boundaries lie.

Thanks in advance for any time you spend on it. Feel free to pass it on to a friend. If you’d like to be added to a list of exclusive Loose Wire Surveyors, with the chances of free prizes and glory, drop me a line.

Needless to say, the irreverent tone of the survey is not meant in any way to condone or encourage piracy or the consumption of pirated materials. And this survey has been created using entirely non-pirated software. So there.

Oh and if you came here by mistake looking for pirate outfits, you can buy ’em here. (No the survey isn’t sponsored by them, although that’s a great idea.)

The Future: Software on a Stick

Why isn’t more software sold on sticks these days?

F-Secure sent me their latest offering, F-Secure Internet Security 2006, on a USB dongle. I don’t know if this is how you buy it in stores but it makes a lot of sense. Why isn’t all software delivered like this, instead of on CD-ROMs? Or is it and I’ve just missed it?

Advantages:

  • Coolness: It would be much more fun to have a drawer full of colorful dongles than a boring sleeve-book of CDs. Handing freebies out at expos would be easier too.
  • Piracy. I’m sure it would be crackable, but how about if the key were stored on the USB drive? You wouldn’t want to get into having to have the USB drive inserted in the computer for the program to run every time, but if it was possible for the key drive to leave its fingerprint on the computer this could perhaps be used as a way of making software harder to crack. I have no idea how this might be done.
  • Portability. With the rise of USB drive-based applications via the likes of U3, wouldn’t it be great if you could take your Adobe Photoshop or whatever with you? Say you have to work on another computer, you just insert your USB drive and run all your favourites from there. No installation, no more serial numbers, no infraction of EULAs. This is the U3 idea, but so far that idea doesn’t seem to encompass bigger programs, nor does it embrace the idea of using both USB drive and computer in tandem. Say I’m using Photoshop on my desktop, with all my settings and plugins there, why couldn’t I tell the software ‘OK, now I’m hitting the road with my USB drive. Load all my recent stuff onto the drive along with any relevant serial numbers until I tell you otherwise.’
  • Flexibility: You could run the software from the USB drive if you preferred, before actually installing it.

And just in case you haven’t seen it, check out this list of software that can be run off a stick.

Phishing And The U.S.-Europe Link

A 23-year-old man called Daniel A. Defelippi in the U.S. has pleaded guilty to three years of phishing and identity fraud, according to the Democrat & Chronicle:

A Rochester man admitted Tuesday that he engaged in widespread identity theft, pilfering credit card numbers through fake Web sites and even collaborating with computer hackers in Eastern European countries.

So far there’s no more detail about the Eastern European angle, but attorneys are quoted as saying the fraud added up to about $400,000. Defelippi was arrested last December:

That arrest prompted a search of Defelippi’s Rochester-area business — Compumasters, at 3495 Winton Place — where the federal Secret Service unearthed evidence of a major identity-theft operation.

Among the items seized were devices to create counterfeit driver’s licenses and credit cards, and computers used to fabricate Web sites.

Defelippi, whose address was unavailable, admitted that he stole thousands of credit card numbers from unsuspecting people across the country.

It’s interesting to see how phishing and more traditional credit card fraud go hand in hand here, and how the phishing operation had a quite active U.S. end to it.

A Glimpse Of The Internet Banking Future?

One bank in my town has stopped offering Internet banking, and suddenly I feel I can see the future post-phishing.

Of course, the bank is not saying it’s abandoning Internet banking. Nor is it saying that the fact that now customers have to dial into a modem in the bank to access their account is because of phishing. The message on the website merely says that to improve capability [sic] and security the bank is “undergoing improvement process to make the service even more convenience [sic] and reliable in the future. Therefore, temporarily please access internet banking through VPN (Virtual Private Network). We apologize for any inconvenience caused.”

It will be interesting to see how quickly the original service is resumed, and, if it is, what changes will have been made. But do we see a glimpse here of the kind of thing other banks may do? Might it just not be worth the hassle in future to offer Internet-based services?

Bicycle Bandits And Phishing

Further to my post about the phishing incident at SunTrust, you don’t always need to be that sophisticated to rob a bank. All you need is a bicycle.

Late last month, the Richmond Times-Dispatch in Virginia reported that a man entered the SunTrust bank in Richmond “shortly before 11 a.m. and made a verbal demand for money. He displayed no weapon. After receiving an undisclosed amount of cash, the man fled on a bicycle heading west toward the Toys “R” Us store.” Clearly a man keen to get his kids’ Christmas shopping out of the way ahead of the rush.

It may not be the first time the Bicycle Bandit has hit. The Dispatch reports: “Police are investigating whether the man is the same person who robbed the Bank of Richmond at 8905 Fargo Road on Nov. 15. In that case, the robber also escaped on a bicycle.” Quite a getaway.

Could this be the same guy behind the phishing attack? Was he just probing the bank’s vulnerabilities, and decided to opt for cross-site scripting rather than a bicycle-borne attack?

Credit Card Fraud And Keeping The Customer In The Dark

Banks have failed customers over credit card fraud; why should they do any better over phishing?

Further to my piece on how banks had failed customers over phishing by continuing to communicate with them by email and failing to warn customers about possible breaches of security, here’s an example from the world of credit card fraud, which still remains the avenue of choice for most scammers.

Gartner reports in a recent ‘FirstTake’ briefing (no URL available) on the recent arrest of 28 members of an alleged cybercrime ring from seven countries. Gartner’s authors, Avivah Litan and Richard Hunter, reckon that the stated activities of the gang — 1.7 million credit card numbers stolen, with financial losses estimated at $4.3 million — don’t “give the entire picture”. The reason: Those figures translate to little more than $2.50 of fraud per stolen card. Much more likely, the two say, is that the gang used a small number of them to perpetrate big frauds, and the rest of the cards weren’t used, or were protected in some way by fraud detection software.

This, Gartner says, begs a question: If your credit card number is stolen, but no one successfully buys something with it, are you informed? No, Gartner says. Issuers “reason that they don’t know whether the card theft will ever result in fraud, and that it costs too much (about $10) and poses too much inconvenience to close an account and issue a new card.” This, sadly, is the same sort of fuzzy logic the bank in yesterday’s piece was using: ‘Our customers’ security has just been compromised but until something bad happens, let’s not worry them about it.’ As Gartner says: “The stolen card information will likely be used one day to commit either new account fraud or card fraud. Consumers would be better protected if they knew their card number had been stolen.”

My suspicion is that banks don’t want to inform customers of the problem, not just because of expense, but because they don’t want to scare them. Credit card fraud is a massive industry, processing, or attempting to process, millions of stolen card numbers a day. Most of those transactions don’t go through, for one reason or another. But how would you feel if your bank was not telling you that your credit card was out there, circulating on the darker corners of the Internet? My guess is you’d rather know about it, just as you’d rather know whether your account is vulnerable to phishers. Ignorance is not bliss.