Tag Archives: Public safety

True Video Lies

This is a longer version of a piece I recorded for the BBC World Service.

The other day my wife lost her phone out shopping. We narrowed it down to either the supermarket or the taxi. So we took her shopping receipt to the supermarket and asked to see their CCTV to confirm she still had the phone when she left.

To my surprise they admitted us into their control room. Banks of monitors covering nooks, crannies, whole floors, each checkout line. There they let us scroll through the security video—I kind of took over, because the guy didn’t seem to know how to use it—and we quickly found my wife, emptying her trolley at checkout line 17. Behind her was our daughter in her stroller, not being overly patient. It took us an hour but in the end we established what look liked a pretty clear chain of events. She had the bag containing the phone, which she gave to our daughter to distract her at the checkout. One frame shows the bag falling from her hands onto the floor, unnoticed by my wife.

Then, a few seconds later, the bag is mysteriously whisked off the floor by another shopper. I couldn’t believe someone would so quickly swoop. The CCTV records only a frame a second, so it took us some time to narrow it down to a woman wearing black leggings, a white top and a black belt. Another half hour of checks and we got her face as she bought her groceries at another till. No sign of the phone bag by this time, but I was pretty sure we had our man. Well, woman.

Except I’m not sure we did. What I learned in that control room is that video offers a promise of surveillance that doesn’t lie. It seems to tell us a story, to establish a clear chain of events. But the first thing I noticed was when I walked back out into the supermarket, was that how little of the floor it covered, and how narrow each camera’s perspective was.

For the most part we’ve learned that photos don’t always tell the truth. They can be manipulated; they offer only a snapshot, without context. But what about videos? We now expect to see cameraphone footage in our news bulletins, jerky, grainy recordings taken by unseen hands, raw and often without context.

This is not to say videos are not powerful truth tellers. But we tend to see what we want to see. When a policeman pepper sprays protests at the University of California there is outrage, and it does indeed appear to be unwarranted. But when four of the videos are synchronized together a more complex picture emerges. Not only can one see the incident within context, but also one gets a glimpse of a prior exchange, as the officer explains what he is about to do to one protester, who replies, almost eagerly: “You’re shooting us specifically? No that’s fine, that’s fine.”

This is not to condone what happens next, but this exchange is missing from most of the videos. The two videos that contain the full prelude are, of course, longer, and have been watched much fewer times: 12,658 (15 minutes) and 245,226 times (8 minutes) versus 1,346,781 times (1 minute) for the one that does not  (the other video has since been taken down).

I’m not suggesting that the more popular video has been deliberately edited to convey a different impression, but it’s clearly the version of events that most are going to remember.

We tend to believe video more than photos. They seem harder to doctor, harder to hoodwink us, harder to take out of context. But should we?

It’s true that videos are harder to fake. For now. But even unfaked videos might seem to offer a version of the facts that isn’t the whole story. Allegations that former IMF president  Dominique Strauss-Kahn may have been framed during a sexual encounter at a New York Hotel, for example, have recently been buttressed by an extensive investigation published recently in the New York Review of Books. There’s plenty of questions raised by the article, which assembles cellphone records, door key records, as well as hotel CCTV footage.

The last seems particularly damning. A senior member of the hotel staff is seen high-fiving an unidentified man and then performing what seems to be an extensive dance of celebration shortly after the event. This may well be the case, but I’d caution against relying on the CCTV footage. For one thing, if this person was in any way involved, would they not be smart enough to confine their emotions until they’re out of sight of the cameras they may well have installed themselves?

Back to my case: Later that night we got a call that our phone had been recovered. The police, to whom I had handed over all my CCTV evidence, said I was lucky. A woman had handed it in to the mall’s security people. I sent her a text message to thank her. I didn’t have the heart to ask her whether she had been wearing black trousers and white top.

But I did realise that the narrative I’d constructed and persuaded myself was the right one was just that: a story I’d chosen to see.

The Real Lesson From CardSystems

The sad truth about the CardSystems debacle is that it wasn’t unusual, at least in the delay and obfuscation over reporting it. An AP report in yesterday’s HoustonChronicle says

Most businesses do not report cyber attacks to law enforcement authorities, fearing the disclosure would harm their image and benefit rivals, FBI Director Robert Mueller said Tuesday.

Mueller’s comments were based on an annual survey conducted by the FBI and the private Computer Security Institute that found just 20 percent of businesses reported computer intrusions last year, a figure that has held steady for several years.

The reasons cited most often for keeping the incidents quiet were loss of business to competitors and potential damage to a company’s image.

In other words, don’t tell anyone and you’re fine. The old security through secrecy thang. Hopefully CardSystems will make people aware that’s just not going to cut it anymore.

Well-Meaning Pressure Group Or Sleazy Promotional Gimmick?

Maybe I’m getting too wary, but when I received a press release from something called the Internet Security Foundation, I wasn’t convinced. And I’m still not.

The email was provocative enough: The headline ran “Microsoft’s Policy Leaves Millions Open to Identity Theft; Internet Security Foundation Releases Free Protection Tool”. An explanation followed that users were vulnerable because they erroneously believed that their stored passwords in Windows were safe because they appeared in asterisks. “The truth is,” the release said, “that such passwords are not normally protected in Microsoft Windows and can be easily reviewed by using software like SeePassword (www.SeePassword.com).”

This is true. And a good point. But who is the Internet Security Foundation? The email suggested that I visit their website for more information about the foundation. I did, and all I found was one page, which was a virtual re-run of the press release. No ‘About’ page or anything, at least when I visited it. The only couple of links led to a download file, and to SeePassword, the software mentioned in the release and an external webpage which didn’t load at the time of visiting. So who are these guys, and is this for real?

I checked their whois data, which will at least tell me who registered the site. It was KMGI Corp., a New York-based advertising agency whose website design bears uses distinctive fonts — indeed the same fonts as the Internet Security Foundation. KMGI, I read elsewhere, is also a software company (although no mention is made on their website) and are the guys behind SeePassword, the software the ISF website suggests I use — “If you first need to look up any forgotten passwords, you can use SeePassword software available at www.SeePassword.com“. SeePassword, according to the PCMag article, costs $20.

Now I’m suspicious. Has KMGI set up a spurious foundation to try to sell a product? The only online references to the Internet Security Foundation I can find are in the NYT. But if you look closely at the story, there’s a correction at the bottom which corrects the reference to the organisation. “The group is the Information Security Foundation, not the Internet Security Foundation.” (If you do a Google search, such references are all to the NYT article.) So now I’m getting very suspicious. What is going on?

I tried calling the public relations number on the press release and left a message. If I get any clarification I’ll post it. But my feeling is: If this ISF is kosher, it should make clear who it is and its interest, if any, in a company that sells a product it recommends. And while pointing out the asterisk security issue is a good one, it’s not exactly a new problem. To me the whole thing smacks of promotional gimmick, rather than a clean and well-intentioned issue-raiser. But maybe I’m getting too wary.

The Price Of Democracy

An interesting essay by security guru Bruce Schneier (via the brianstorms weblog) on the economics of fixing an election. Put simply: How much is it worth a party to fix an election, and so how much would they be willing to spend on doing it? Put another way, how much should the folk designing an electronic voting system assume will be spent on trying to get past the security software?

Bruce does the math and concludes ”that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget. Conclusion: The risks to electronic voting machine software are even greater than first appears.”

Scary stuff. Although much of the emphasis of such articles has been on how this might be done in established democracies (and there’s still plenty to worry about there) my worry is how about how voting systems may be exported to the developing world.

News: Buy Some Razor Blades And Get Your Photo Taken!

 Yes, it’s true! All you need to do is pick up a packet of Gillette Mach3 razor blades at Tesco’s in Cambridge, England, and you’ll trigger a CCTV camera. A second camera takes a picture at the checkout and security staff then compare the two images. Apparently the aim of the trial, The Guardian reports, is to provide stock information, but the manager of the store has already described how he presented photos of a thief to police.
 
 
Retailers have hailed the technology as the “holy grail” of supply chain management but civil liberties groups argue that the so-called “spy chips” are an invasion of consumers’ privacy and could be used as a covert surveillance device.