True Video Lies

This is a longer version of a piece I recorded for the BBC World Service.

The other day my wife lost her phone out shopping. We narrowed it down to either the supermarket or the taxi. So we took her shopping receipt to the supermarket and asked to see their CCTV to confirm she still had the phone when she left.

To my surprise they admitted us into their control room. Banks of monitors covering nooks, crannies, whole floors, each checkout line. There they let us scroll through the security video—I kind of took over, because the guy didn’t seem to know how to use it—and we quickly found my wife, emptying her trolley at checkout line 17. Behind her was our daughter in her stroller, not being overly patient. It took us an hour but in the end we established what looked like a pretty clear chain of events. She had the bag containing the phone, which she gave to our daughter to distract her at the checkout. One frame shows the bag falling from her hands onto the floor, unnoticed by my wife.

Then, a few seconds later, the bag is mysteriously whisked off the floor by another shopper. I couldn’t believe someone would so quickly swoop. The CCTV records only a frame a second, so it took us some time to narrow it down to a woman wearing black leggings, a white top and a black belt. Another half hour of checks and we got her face as she bought her groceries at another till. No sign of the phone bag by this time, but I was pretty sure we had our man. Well, woman.

Except I’m not sure we did. What I learned in that control room is that video offers a promise of surveillance that doesn’t lie. It seems to tell us a story, to establish a clear chain of events. But the first thing I noticed when I walked back out into the supermarket was how little of the floor it covered, and how narrow each camera’s perspective was.

For the most part we’ve learned that photos don’t always tell the truth. They can be manipulated; they offer only a snapshot, without context. But what about videos? We now expect to see cameraphone footage in our news bulletins, jerky, grainy recordings taken by unseen hands, raw and often without context.

This is not to say videos are not powerful truth tellers. But we tend to see what we want to see. When a policeman pepper sprays protesters at the University of California there is outrage, and it does indeed appear to be unwarranted. But when four of the videos are synchronized together a more complex picture emerges. Not only can one see the incident within context, but also one gets a glimpse of a prior exchange, as the officer explains what he is about to do to one protester, who replies, almost eagerly: “You’re shooting us specifically? No that’s fine, that’s fine.”

This is not to condone what happens next, but this exchange is missing from most of the videos. The two videos that contain the full prelude are, of course, longer, and have been watched far fewer times: 12,658 (15 minutes) and 245,226 times (8 minutes) versus 1,346,781 times (1 minute) for the one that does not (the other video has since been taken down).

I’m not suggesting that the more popular video has been deliberately edited to convey a different impression, but it’s clearly the version of events that most are going to remember.

We tend to believe video more than photos. They seem harder to doctor, harder to hoodwink us, harder to take out of context. But should we?

It’s true that videos are harder to fake. For now. But even unfaked videos might seem to offer a version of the facts that isn’t the whole story. Allegations that former IMF president Dominique Strauss-Kahn may have been framed during a sexual encounter at a New York hotel, for example, have been buttressed by an extensive investigation published recently in the New York Review of Books. There are plenty of questions raised by the article, which assembles cellphone records, door key records, as well as hotel CCTV footage.

The last seems particularly damning. A senior member of the hotel staff is seen high-fiving an unidentified man and then performing what seems to be an extensive dance of celebration shortly after the event. This may well be the case, but I’d caution against relying on the CCTV footage. For one thing, if this person was in any way involved, would they not be smart enough to confine their emotions until they’re out of sight of the cameras they may well have installed themselves?

Back to my case: Later that night we got a call that our phone had been recovered. The police, to whom I had handed over all my CCTV evidence, said I was lucky. A woman had handed it in to the mall’s security people. I sent her a text message to thank her. I didn’t have the heart to ask her whether she had been wearing black trousers and white top.

But I did realise that the narrative I’d constructed and persuaded myself was the right one was just that: a story I’d chosen to see.

Journalists’ Responsibility Is To The Truth, Not The Cops

I have a lot of admiration for BuzzMachine who expresses better than most the changes underway in blogging and journalism, but sometimes I get depressed about how the blogosphere views journalists, and, frankly, how little they understand their profession. This would be fine, but the success of blogs (a good thing) sometimes engenders what feels like a moral superiority over journalists. That lack of humility is out of place in such a new, and fast-changing medium.

Take this post, for example, that calls on journalists to behave more like citizens and report criminal activities to the police, as NYT reporter Kurt Eichenwald did when he turned in child porn web sites because it is the law. Jeff’s take:

I think the reporter who does not follow Eichenwald’s lead is in a riskier position: of allowing and thus even abetting crimes to be committed. And what does that tell the public about our role in our communities? What kind of citizens are we then?

As I understand it, Jeff is suggesting a journalist should report to the police if he or she believes a crime has been committed. He says that the only counterargument to this is that “sources – especially if those sources are the ones performing the criminal act – will not trust reporters and reveal information that should be revealed if they believe those reporters will not protect them and will hand them over to the authorities.”

This call gets the usual smattering of anti-MSM comments in agreement. But at least one commenter, Charles Arthur, editor of the technology supplement of The Guardian, sees the obvious hole in this one: “Sometimes journalists have to do things that involve talking to people who break the law in order to show society what it’s like. That doesn’t mean standing idly by while someone breaks into a store. But if the only way you can get to talk to someone about something is by promising that you won’t betray their trust, that can be the price of freeing up the information that person holds.”

But that’s not all. Journalists are not designed to operate as citizens, and it’s unreasonable to suggest that being a reporter means being a bad citizen. The problem with the suggestion is that it concerns itself with clearcut cases: It may seem irresponsible not to report a paedophile ring, but should I then report every case of apparent corruption I come across? Every spammer I interview? Every indication of corporate fraud I come across on my stock reporting beat?

The bigger point is that journalists are in a place to report, and occupy a place somewhere alongside the Red Cross in terms of neutrality. This may sound pompous if you’re not in a war zone, but if you are, that’s exactly where you’d like others to consider you. This is why press and their vehicles are clearly marked. You want both sides to consider you as an impartial observer; your life may depend on it. This is a core tenet of journalism, and is something bloggers should be embracing, not trying to dismantle. (In many countries if a journalist was seen to be cooperating so closely with law enforcement, their lives would be in danger.)

Furthermore, what law? If a journalist is considered by government and law enforcement agencies as a model citizen who shops every law breaker she/he comes across in his/her line of work, does that mean even controversial laws that the journalist is writing about? So interview a bunch of human rights activists illegally blocking a military runway, and you’ll have to turn them in after the interview is over?

The bottom line is that we expect our journalists to go out there and talk to all the people we can’t talk to, because we’re here, we don’t have the access, we don’t have the background, we don’t have the time, and then distill their knowledge and, where applicable, moral judgements, in a way that makes sense to us. Their eyes and ears are ours not because we want to hear what laws have been broken, but because we want to understand the essential truth of the situation. A family living on benefits in a tenement: We don’t want the journalist to report potential abuses of the benefit system to the police, we want to know why the family is having problems, and, hopefully, what may be done to solve the problem.

Journalism is rarely to do with the law. It’s about much more than that. If we suddenly expect our journalists to be model citizens, whatever they are, we can only blame ourselves if they come back with a much smaller part of the story.

The Tilted Software Piracy Debate

Software piracy is a tricky topic that requires some skepticism on the part of the reporter, though the media rarely show signs of that in their coverage. Here’s another example from last week’s Microsoft press conference in Indonesia, one of the prime culprits when it comes to counterfeit software:

JAKARTA (AFP) – Software piracy is costing the Indonesian economy billions of dollars each year and is stymieing the creation of a local information technology industry, a Microsoft representative said.

There is some truth to these statements, but it’s not really what Microsoft is interested in. First off, is it really the Indonesian economy that’s suffering because of piracy? One could argue the Indonesian economy is largely built on pirated software, as a kind of subsidy (like gasoline, which was until recently heavily subsidized.)

Secondly, when did Microsoft ever support the creation of a “local information technology industry”? That’s not their job — and I don’t blame them — but why hide behind this kind of argument? (Interestingly, there’s a lively Linux development community in Indonesia, but I’m not sure that’s what Microsoft is talking about here).

Some 87 percent of computer software on the market in Indonesia in 2005 was pirated, Microsoft Indonesia’s Irwan Tirtariyadi said citing a study from the Business Software Alliance, an organisation representing manufacturers.

That’s probably about right. It’s huge. It’s hard to find a company that doesn’t use pirated software. You can buy pretty much every program ever written, and I don’t know of a single person who uses a computer and who doesn’t buy pirated software. This is not to condone it, but I also only know of about half a dozen shops in a city of 12 million people which actually sell legal software. And forget buying online: Most companies won’t ship to Indonesia.

Lax law enforcement and widespread corruption contributed to Indonesia clocking in with the fifth highest rate of software counterfeiting in the world, he said, after Vietnam, Ukraine, China and Zimbabwe. “I’ve heard when police come to a shop (selling pirated software) it is closed. Basically information is leaking and this is an indication of the quality of law enforcement in action,” Tirtariyadi said.

This is part of the problem, it’s true. The malls are full of shops openly selling pirated software, often on the ground floor near the entrance, with policemen patrolling by. When a raid is planned, everyone knows about it, the shops quietly shut, cover their wares in tarpaulins and keep their heads down for a day or two. (Sometimes it’s hard to tell whether the imminent raid is from the police or some Islamic group cracking down on the counterfeit DVD stores, which often sell software too.)

Tirtariyadi told a gathering of foreign reporters that if piracy dropped by just 10 percent, it would add 3.4 billion dollars to the economy, according to figures cited by the International Data Corporation.

Could someone please explain to me how that figure came about? To me it sounds suspiciously as if the argument is based on a false premise: That everyone who buys pirate software would pay full price for legitimate software if there was no alternative. Let me think about that: $3 for brand new software — often a collection of software — against $50–500 for the same thing, in a country where half the population earn less than $2 a day. I don’t think so.

Counterfeiting also inhibited an “inventive culture” and the development of a strong local information technology (IT) industry here, he said. “Some students like to create new software but three months later they find it’s pirated,” he said.

True, there is definitely an inhibiting factor. I wrote a year or so ago about a guy developing a machine translation program which wasn’t bad, but which required him to spend at least half his time developing anti-piracy features in the software. But I still think this is a disingenuous argument. Let’s face it: Microsoft (and Adobe, and all the other BSA big boys) are mainly interested in quashing piracy of their products and building up their market share; I don’t see much sign of Microsoft actually nurturing this “local IT industry”.

Indonesia, Southeast Asia’s largest economy, has less than 100 IT companies, whereas neighboring Singapore, with a far lower rate of piracy, has between 400 to 800 such companies, he added.

This is not a useful comparison. Singapore is a highly developed country and one of the world’s technology hubs. Though, interestingly, it’s not really a locally creative industry, with the exception of a couple of big names.

All this makes me realise that Microsoft et al still don’t get it. Piracy is massive; they’re right. But you don’t deal with it by sponsoring misleading press conferences and well-telegraphed police raids.

Indian Slumdwellers Protest Biometric Scanning of Impersonators. I Think

Who says that privacy is only an issue in the First World? According to The Times of India, residents of Palsora and Lal Bahadur Shastri colonies have demonstrated against “alleged irregularities in the biometric test, which is being carried out in the slum areas to check ‘impersonation at any level.’” The problem, it seems, is that people have been impersonating other people, sometimes twice, to register or occupy property.

A couple of interesting things about this. First off, this is not just any old biometric test. The administration, the story says, plans to test “all those living in slums [who] will have to furnish details of their fingerprints, photographs, face recognition, voice recognition, signature, shape of the hand, and other such details.” This sounds quite advanced. (Shape of the hand? Is this a first?) Slumdwellers would also be asked to submit the usual stuff, such as “personal details, including date and place of birth, father’s name, number of family members, present address, et al.” All in all, that’s quite a survey. The government is going to have more data on the slumdwellers of Chandigarh than probably anyone else on the planet.

Slumdwellers are now protesting outside the regional government offices, probably as we speak. Well, not today, as it’s the Hindu New Year, I believe. However, they are not up in arms about this apparent invasion of their privacy (voice recognition?), but that “genuine people were being ignored in the survey.” I take this to mean (and I could be wrong) that the survey teams seem to be focusing mainly on impersonators. (Can that be right? – Ed) If true, this might be the first recorded Protest Against A Survey of Slumdweller Impersonators.

The Big Credit Card Theft

Trying to make sense of the massive theft of credit card numbers at CardSystems, ‘a leading provider of end-to-end payment processing solutions focused exclusively on meeting the needs of small to mid-sized merchants’, in which information on more than 40 million credit cards may have been stolen.

CardSystems itself has issued only a brief statement on its website (no permalink available) saying it had identified

a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.

Notice the careful language: It talks only of ensuring all ‘systems were secure’ — in the security industry this is like checking all the locks work while watching all the horses bolting off down the street. (And don’t the FBI work on Sundays? Why wait a day to let them know?)

Then there’s the question: Why wait almost a month to let us know? A separate story by AP quotes CardSystems as saying that

it was told by the FBI not to release any information to the public. The company says it’s surprised by MasterCard’s decision to go public.

Actually, not so, say the FBI: Another AP story quotes an FBI spokeswoman, Deb McCarley, as denying

that the agency told CardSystems not to disclose the existence of the intrusion. McCarley says the FBI told CardSystems to follow its corporate policies without disclosing details that might compromise the ongoing investigation.

In fact, a MasterCard statement suggests that it was they, not CardSystems, who first identified the breach:

MasterCard International’s team of security experts identified that the breach occurred at Tucson-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.

Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor’s systems.

In the meantime CardSystems was pretending it was business as usual, including an announcement on June 14 of a move into check processing, and posting job-ads for a ‘Software Quality Assurance Analyst’ to cover, among other things, ‘troubleshooting from operations, production, and outside vendors’ who can work ‘in a very fast-paced, high-visibility organization where priorities often change’. Indeed.

Anyway, the scale of the thing is pretty awesome: Softpedia quotes experts as saying

that this is the worst case of data theft in IT history. “In sheer numbers, this is probably one of the largest data security breaches,” said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

And just how did the theft happen? Details are sketchy, probably because no one yet knows (the MasterCard software which identified the fraud did so by monitoring transactions, not the actual breach. In other words, they observed the stolen goods being peddled, not the actual break-in). According to another AP story, MasterCard has identified CardSystems as being ‘hit by a viruslike computer script that captured customer data for the purpose of fraud’, but hasn’t given any more details. CardSystems itself is not talking:

CardSystems’ chief financial officer, Michael A. Brady, refused to answer questions and referred calls to the company’s chief executive, John M. Perry, and its senior vice president of marketing, Bill N. Reeves. A message left for Perry and Reeves at the company’s Atlanta offices was not returned.

Both Perry and Brady have been with CardSystems a little over a year.

ZabaSearch, A New People Search Engine

Here’s a new — and perhaps scary — way to find out about people in the U.S.: ZabaSearch.

It throws up details of most folk in the U.S., often including their birthdate, along with links to premium services, such as background checks. The search engine plows through nearly 30,000 free databases.

Blink, Diallo And The Serpico Blog

I re-watched the excellent Serpico recently: A classic movie that should be watched back-to-back with The Corporation.

Hunting the web for more on Serpico the man I found he has his own blog: the Official Frank Serpico Blog. I find that a pretty amazing example of how the Internet, and in particular blogging, has changed things. From the sense of isolation Al Pacino’s Serpico projects in the movie, and the fact he had to go to the New York Times to be heard, to having a blog to air his views. Not perfect, but a great advance. (Of course, there’s the question as to whether it really is his blog, and how one proves one is the real author, but let’s leave that aside. There is a website as well.)

Anyway, like all blogs, it’s patchy. Started last May, there’s a big gap from last December until two days ago, when he publishes a letter he sent earlier this week to Malcolm Gladwell, author of the excellent Blink:

In the book Blink, by Malcolm Gladwell, I believe Gladwell has mistaken bad police work in the killing of Amadou Diallo with the life and death split second decisions that police officers are forced to make every day. A situation like this raises issues of police credibility. This is a letter that I sent to Mr. Gladwell expressing my thoughts on the matter.

I don’t have the book handy, but as I recall Gladwell uses the Diallo shooting as an example of how ‘thin-slicing’ predictions can go awry, in this case based on race. Serpico’s point, as I understand it, is that Gladwell may be mis-using the example because of the very thing he himself was a victim of: the institutional ‘lie-factor’.

As I understand it, Serpico says the policemen’s testimony over the shooting — in which an innocent man was mistaken for a criminal because of his race and his ‘suspicious’ behaviour in response to the policemen’s approach — is suspect, and therefore should not be used as academic source material. He says it is called ‘testilying’ — when policemen are coached to deliver testimony that better fits with operating procedures:

In the Diallo case officers continually testified “I’m like, alright, definitely something is going on here” …“What I seen was an entire weapon”, “my prior experience and training, my prior arrest, dictated to me that this person was pulling a gun”, key words when testilying. “Gun, he’s got a gun” ad nauseam. Fact — there was no gun. They never saw a gun, they were never in any danger. They created, orchestrated and dictated the entire scenario, ending in catastrophe, supercharged by testosterone.

I don’t know much about the case itself beyond what Gladwell and Serpico wrote, but I guess it will be interesting to hear Gladwell’s response. As far as I know, he has no blog. Shame, because blogging is a perfect way to address these kinds of issues, and dig out some kind of truth.

Fingerprint Readers And Baths

Something I’ve noticed about biometric fingerprint readers. They don’t work well after a bath. Why is that? Are our fingers different after a bath? I mean, they look different — all wrinkly, for one thing — but why does that mess up the fingerprint reader? I do my best thinking in the bath, and it’s getting frustrating to have to wait five minutes while my fingers return to normal before I can gain access to my computer. That’s the sort of warning they should put on the box.

How Secure Is Bluetooth?

Could people use Bluetooth to access your phone and steal confidential data? Apparently, yes.

A company specialising in security and encryption, London-based A.L. Digital Ltd, says it has discovered “serious flaws” in the way that some Bluetooth gadgets authenticate and connect to other Bluetooth gadgets and share information. Describing two separate flaws, the company says:

  • The SNARF attack: confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some Bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar;
  • The BACKDOOR attack: the complete memory contents of some mobile phones can be accessed by a previously trusted (“paired”) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be “backed up” to an attacker’s own system.

There’s more detail here. Of course, just because someone’s found out this is possible, doesn’t mean it’s happening. But with Bluejacking becoming popular, the pairing of Bluetooth devices becomes commonplace. The other point is that it’s hard to see what benefit could be extracted from this sort of thing, except to grab some phone numbers.

But that doesn’t mean it’s not a threat. In my part of the world, police have managed to roll up terrorist networks (Jemaah Islamiyah is the prime example) by looking through their handphone address book. If that kind of information could be gained remotely, imagine the benefits for law enforcement, or crime, or extortionists, or politicians, or whatever. That we can’t see a use for it just means our imaginations aren’t working properly.

What’s also worrying, according to CommDesign, a technical website, is that the company appeared to get short shrift from the manufacturers when it tried to show them what it had found, particularly Nokia. Given this issue first came to light late last November, it would be good to know where the manufacturers are on this: I will follow this up with Nokia and post their response.

Update: Congressman Wrestle Spammers to the Ground

Here’s more on my earlier posting about Congress, spam and a new survey.

Here’s the survey link. “In general our study suggests that consumers want government to provide greater protection against spammers,” commented Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “We hope our joint study provides insight on consumers’ concerns about the growing frequency of spam and the role government and industry should play in curtailing abuse.” The study was released at a press conference called by Senator Charles Schumer whose Stop Pornography and Abusive Marketing Act (The SPAM ACT) would create a do-not-spam list. (No really, that’s the acronym.)

“The emailing public has been at the mercy of spammers for way too long. This survey confirms that people are screaming out to be empowered with the ability to stop the constant flow of unsolicited e-mails into their in-boxes,” said Schumer. “My anti-spam bill fights spam on two fronts: It gives e-mail users the ability to put their names on a list to stop getting spammed and gives law enforcement the ability to go after those spammers that send this junk.” Hurray.