" /> net.wars: April 2010 Archives

« March 2010 | Main | May 2010 »

April 30, 2010

Child's play

In the TV show The West Wing (Season 6, Episode 17, "A Good Day") young teens tackle the president: why shouldn't they have the right to vote? There's probably no chance, but they made their point: as a society we trust kids very little and often fail to take them or their interests seriously.

That's why it was so refreshing to read in 2008's < a href="http://www.dcsf.gov.uk/byronreview/actionplan/">Byron Review the recommendation that we should consult and listen to children in devising programs to ensure their safety online. Byron made several thoughtful, intelligent analogies: we supervise as kids learn to cross streets, we post warning signs at swimming pools but also teach them to swim.

She also, more controversially, recommended that all computers sold for home use in the UK should have Kitemarked parental control software "which takes parents through clear prompts and explanations to help set it up and that ISPs offer and advertise this prominently when users set up their connection."

The general market has not adopted this recommendation; but it has been implemented with respect to the free laptops issued to low-income families under Becta's £300 million Home Access Laptop scheme, announced last year as part of efforts to bridge the digital divide. The recipients - 70,000 to 80,000 so far - have a choice of supplier, of ISP, and of hardware make and model. However, the laptops must meet a set of functional technical specifications, one of which is compliance with PAS 74:2008, the British Internet safety standard. That means anti-virus, access control, and filtering software: NetIntelligence.

Naturally, there are complaints; these fall precisely in line with the general problems with filtering software, which have changed little since 1996, when the passage of the Communications Decency Act inspired 17-year-old Bennett Haselton to start Peacefire to educate kids about the inner working of blocking software - and how to bypass it. Briefly:

1. Kids are often better at figuring out ways around the filters than their parents are, giving parents a false sense of security.

2. Filtering software can't block everything parents expect it to, adding to that false sense of security.

3. Filtering software is typically overbroad, becoming a vehicle for censorship.

4. There is little or no accountability about what is blocked or the criteria for inclusion.

This case looks similar - at first. Various reports claim that as delivered NetIntelligence blocks social networking sites and even Google and Wikipedia, as well as Google's Chrome browser because the way Chrome installs allows the user to bypass the filters.

NetIntelligence says the Chrome issue is only temporary; the company expects a fix within three weeks. Marc Kelly, the company's channel manager, also notes that the laptops that were blocking sites like Google and Wikipedia were misconfigured by the supplier. "It was a manufacturer and delivery problem," he says; once the software has been reinstalled correctly, "The product does not block anything you do not want it to." Other technical support issues - trouble finding the password, for example - are arguably typical of new users struggling with unfamiliar software and inadequate technical support from their retailer.

Both Becta and NetIntelligence stress that parents can reconfigure or uninstall the software even if some are confused about how to do it. First, they must first activate the software by typing in the code the vendor provides; that gets them password access to change the blocking list or uninstall the software.

The list of blocked sites, Kelly says, comes from several sources: the Internet Watch Foundation's list and similar lists from other countries; a manual assessment team also reviews sites. Sites that feel they are wrongly blocked should email NetIntelligence support. The company has, he adds, tried to make it easier for parents to implement the policies they want; originally social networks were not broken out into their own category. Now, they are easily unblocked by clicking one button.

The simple reaction is to denounce filtering software and all who sail in her - censorship! - but the Internet is arguably now more complicated than that. Research Becta conducted on the pilot group found that 70 percent of the parents surveyed felt that the built-in safety features were very important. Even the most technically advanced of parents struggle to balance their legitimate concerns in protecting their children with the complex reality of their children's lives.

For example: will what today's children post to social networks damage their chances of entry into a good university or a job? What will they find? Not just pornography and hate speech; some parents object to creationist sites, some to scary science fiction, others to Fox News. Yesterday's harmless flame wars are today's more serious cyber-bullying and online harassment. We must teach kids to be more resilient, Byron said; but even then kids vary widely in their grasp of social cues, common sense, emotional make-up, and technical aptitude. Even experts struggle with these issues.

"We are progressively adding more information for parents to help them," says Kelly. "We want the people to keep the product at the end. We don't want them to just uninstall it - we want them to understand it and set the policies up the way they want them." Like all of us, Kelly thinks the ideal is for parents to engage with their children on these issues, "But those are the rules that have come along, and we're doing the best we can."

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

April 23, 2010

Death, where is thy password?

When last seen, our new widow was wrestling with her late husband's password, unable to get into the Microsoft Money files he used to manage their finances or indeed his desktop computer in general. Hours of effort from the best geekish minds (we are grateful to Drew and Peter) led nowhere. Eventually, we paid £199 to Elcomsoft (the company whose employee Dmitry Sklyarov was arrested in 2001 at Defcon for cracking Adobe eBook files) for its Advanced Office Password Recovery software and it found the password after about 18 hours of constrained brute-force attempts. That password, doctored in line with the security hint my friend had left behind, unlocked his desktop.

My widow had only one digit wrong in that password, by the way. Computers have no concept of "close enough".

But the fun was only beginning. It is a rarely discussed phenomenon of modern life that when someone close to you dies, alongside the memories and any property real and personal they bequeath you a full-time job. The best-arranged, most orderly financial affairs do not transfer themselves gently after the dying of the light.

For one thing, it takes endless phone calls to close, open, or change the names on accounts. Say an average middle-class American: maybe five credit card accounts, two bank accounts, a brokerage account, a couple of IRA accounts, and a 401(K) plan per job held? Plus mortgage, utilities (gas, electric, broadband, cellphone, TV cable), government agencies (motor vehicles, Social Security, federal and state tax), plus magazine/product/service subscriptions. Shall we guess 40 to 50 accounts?

All these organizations are, of course, aware that people die, and they have Procedures. What varies massively (from eavesdropping on some of those phone calls) is the behavior of the customer service people you have to talk to. In a way, this makes sense: customer service representatives are people, too (sometimes), and if you've ever had to tell someone that your <insert close relative here> just died unexpectedly you'll know that the reactions run the gamut from embarrassed to unexpectedly kind to abrupt to uncomfortably inquisitive to (occasionally) angry. That customer service rep isn't going to be any different. Unfortunately. Because you, the customer, are making your 11th call of the day, and it isn't getting any easier or more fun.

A desire to automate this sort of thing was often the reason given for the UK to bring in an ID card. Report once, update everywhere. It sounds wonderful (assuming they've got the right dead person). Although my suspicion is that what organizations do with the information will be as different then as it is now: some automatically close accounts and send a barcoded letter with a number to call if you want to take the account over; some just want you to spell the new name; a few actually try to help you while doing the job they have to do.

What hasn't been set up with death in mind, though, is online account access. I'm told that in the UK, where direct debits and standing orders have a long history, all automated payments are immediately cancelled when the account holder dies and must be actively reinstated if they are to continue. In the US, where automated payments basically arrived with the Internet, things are different: some (such as mortgage payments) may be arranged with your bank, but others may be run through a third-party electronic payment service. In the case of one such account, we discovered that although both my friend and his wife had individual logins she could not change his settings while logged in using her ID and password. In other words, she could not cancel the payments he'd set up.

Cue another password battle. Our widow had already supplied death certificate and confirmation that she was executor. The company accordingly reset his password for her. But using her computer instead of his to access the site and enter the changed password triggered the site's suspicions, and it demanded an answer to the ancillary security question: "What city was your mother born in?"

There turned out to be some uncertainty about that. And then how the right town was spelled. By which time the site had thrown a hissy fit and locked her out for answering incorrectly too many times. And this time customer service couldn't unlock it without an in-person office visit.

Who thinks to check when they're setting up an automated payment how the site will handle matters when you're dead or incapacitated? We all should - and the services should help us by laying this stuff out up front in the FAQs.

The bottom line: these services are largely new, and they're being designed primarily by younger people who are dismissive about the technical aptitude of older people. At every technical conference the archetypal uncomprehending non-technical user geeks refer to is "your grandmother" or "my mother". Yet it does not seem to occur to them that these are the people who, at the worst moment of their lives, are likely to have to take over and operate these accounts on someone else's behalf and they are going to need help.

Death's a bitch - and then you die.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Unfortunately, this blog eats non-spam comments and I don't know why.

April 16, 2010

Data-mining the data miners

The case of murdered Colombian student Anna Maria Chávez Niño, presented at this week's Privacy Open Space, encompasses both extremes of the privacy conundrum posed by a world in which 400 million people post intimate details about themselves and their friends onto a single, corporately owned platform. The gist: Chávez met her murderers on Facebook; her brother tracked them down, also on Facebook.

Speaking via video link to Cédric Laurant, a Brussels-based independent privacy consultant, Juan Camilo Chávez noted that his sister might well have made the same mistake - inviting dangerous strangers into her home - by other means. But without Facebook he might not have been able to identify the killers. Criminals, it turns out, are just as clueless about what they post online as anyone else. Armed with the CCTV images, Chávez trawled Facebook for similar photos. He found the murderers selling off his sister's jacket and guitar. As they say, busted.

This week's PrivacyOS was the fourth in a series of EU-sponsored conferences to collaborate on solutions to that persistent, growing, and increasingly complex problem: how to protect privacy in a digital world. This week's focused on the cloud.

"I don't agree that privacy is disappearing as a social value," said Ian Brown, one of the event's organizers, disputing Mark privacy-is-no-longer-a-social-norm Zuckerberg's claim. The world's social values don't disappear, he added, just because some California teenagers don't care about them.

Do we protect users through regulation? Require subject releases for YouTube or Qik? Require all browsers to ship with cookies turned off? As Lilian Edwards observed, the latter would simply make many users think the Internet is broken. My notion: require social networks to add a field to photo uploads requiring users to enter an expiration date after which it will be deleted.

But, "This is meant to be a free world," Humberto Morán, managing director of Friendly Technologies, protested. Free as in speech, free as in beer, or free as in the bargain we make with our data so we can use Facebook or Google? We have no control over those privacy policy contracts.

"Nothing is for free," observed NEC's Amardeo Sarma. "You pay for it, but you don't know how you pay for it." The key issue.

What frequent flyers know is that they can get free flights once in a while in return for their data. What even the brightest, most diligent, and most paranoid expert cannot tell them is what the consequences of that trade will be 20 years from now, though the Privacy Value Networks project is attempting to quantify this. It's hard: any photographer will tell you that a picture's value is usually highest when it's new, but sometimes suddenly skyrockets decades later when its subject shoots unexpectedly to prominence. Similarly, the value of data, said David Houghton, changes with time and context.

It would be more right to say that it is difficult for users to understand the trade-offs they're making and there are no incentives for government or commerce to make it easy. And, as the recent "You have 0 Friends" episode of South Park neatly captures, the choice for users is often not between being careful and being careless but between being a hermit and participating in modern life.

Better tools ought to be a partial solution. And yet: the market for privacy-enhancing technologies is littered with market failures. Even the W3C's own Platform for Privacy Preferences (P3P), for example, is not deployed in the current generation of browsers - and when it was provided in Internet Explorer users didn't take advantage of it. The projects outlined at PrivacOS - PICOS and PrimeLife - are frustratingly slow to move from concept to prototype. The ideas seem right: providing a way to limit disclosures and authenticate identity to minimize data trails. But, Lilian Edwards asked: is partial consent or partial disclosure really possible? It's not clear that it is, partly because your friends are also now posting information about you. The idea of a decentralized social network, workshopped at one session, is interesting, but might be as likely to expand the problem as modulate it.

And, as it has throughout the 25 years since the first online communities were founded, the problem keeps growing exponentially in size and complexity. The next frontier, said Thomas Roessler: the sensor Web that incorporates location data and input from all sorts of devices throughout our lives. What does it mean to design a privacy-friendly bathroom scale that tweets your current and goal weights? What happens when the data it sends gets mashed up with the site you use to monitor the calories you consume and burn and your online health account? Did you really understand when you gave your initial consent to the site what kind of data it would hold and what the secondary uses might be?

So privacy is hard: to define, to value, to implement. As Seda Gürses, studying how to incorporate privacy into social networks, said, privacy is a process, not an event. "You can't do x and say, Now I have protected privacy."


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. This blog eats non-spam comments for reasons surpassing understanding.

April 9, 2010

Letter box

In case you thought the iPad was essentially a useless, if appealing, gadget, take heart: it now arguably has a reason to exist in the form of an app, iMean, designed to help autistic children communicate.

The back story: my friend Michael's son, Dan, is 14; his autism means he can't really speak and has motor control difficulties.

"He's somebody who at the age of 12 had a spoken vocabulary of 100 words," says Michael, "though he seemed to have a much greater recognition vocabulary and could understand most of what we said to him, though it was hard to be sure."

That year, 2008, the family went to Texas to consult Soma Mukhopadhyay, who over the space of four days was able to get Dan communicating through multiple-choice. At first, the choices were written on two pieces of paper and Dan would grab one. He rapidly moved on to using a pencil to point at large letters placed in alphabetical order on a piece of laminated cardboard, a process Michael compares to a series of multiple-choice questions with 26 possible answers.

"Before Soma there were no letters, only words. So what he came to realize was that all the words he knew and could recognize were all combinations of the same 26 letters," Michael says. "The letter board did for Dan what moveable type did for the Western world, but the difference is that before Gutenberg people could still write and Dan could not."

The need for a facilitator to keep Dan focused on the task of spelling out a sentence also raises the issue of ensuring that it's actually Dan who's communicating. Michael says, "I was always very concerned not to impose myself on Dan while helping him as much as possible."

The iPad, therefore, offered the possibility of a more effective letter board that could incorporate predictive text and remember what's been said, and one whose other features might help Dan move on to more efficient - and more independent - communication. Dan's eyes jump so he may miss details in written text, but voiceover can read him email, and what he types into iMean can be copied into an answer. Performing all those steps independently is some way off, but the potential is life-changing.

Michael proposed the app he had in mind to 18-year-old programmer Richard Meade-Miller. "I didn't think it was going to be that hard because Apple has done most of it for you," says Michael, "but it turns out that to write an app you really need to be able to do programming in objective-C. For someone who learned Fortran 35 years ago, that's really difficult."

However, there were constraints. "We wanted the buttons to be as big as possible so Dan would have as little chance of error as possible." That forced some hard choices, such as limiting available punctuation marks to four, and shrinking the backspace button a little smaller than Michael had originally hoped in order to make room for Yes and No keys.

"When somebody like Dan sits down with this he may not be able to spell right away, but he needs to be able to say yes or no or say if something goes wrong on the screen. There should be a No button, bright red and very clear." Getting all that into the available screen space also meant creating a different view for numeric input, needed so Dan can do math problems and to speed entering large numbers.

The iPad's memory is also a constraint. "The program runs very quickly and smoothly, but anybody write an app for this platform has to be careful to release all the things that use memory on a regular basis." For the word prediction feature, iMean uses ZenTap, whose author supplied the code for Meade-Miller to integrate.

Word prediction - as Dan spells out words iMean offers him a changing display of three completed words to choose from - has speeded up the whole process for Dan. But it also, Michael says, has had a noticeable effect on his ability to read, "Because he's reading all day long." A final set of constraints are imposed by Dan's own abilities. Many autistic children do not point, an early developmental milestone. "Dan has started to point a little bit now as a result of tapping things on the letter board." Michael knew that, but he didn't realize how hard it would be for Dan, whose fingers sometimes shake and slip, to distinguish between tapping a key and swiping his fingers across a key - and a few keys are programmed to behave differently if they are swiped rather than tapped. "That may have been a mistake," he says. "It has forced Dan to really concentrate on tapping, so sometimes he double and triple taps.

Dan insisted on making a baseline video the first day so that later they can compare and see how much he's improved.

Their long-term goal is for Dan to be able to communicate with people independently. Whether they get all the way there or not, Michael says, "We know the app works the way we want. He can read a paragraph now instead of just a line - and it's only been three days."

Dan, by voice, is calling it his "stepping stone".

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. This blog eats comments for unknown reasons. Email netwars@skeptic.demon.co.uk.

April 2, 2010

Not bogus!


"If I lose £1 million it's worth it for libel law reform," the science writer Simon Singh was widely reported as saying this week. That was even before yesterday's ruling in the libel case brought against him by the British Chiropractic Association.

Going through litigation, I was told once, is like having cancer. It is a grim, grueling, rollercoaster process that takes over your life and may leave you permanently damaged. In the first gleeful WE-WON! moments following yesterday's ruling it's easy to forget that. It's also easy to forget that this is only one stage in a complex series.

Yesterday's judgment was the ruling in Singh's appeal (heard on February 22) against the ruling of Justice David Eady last May, which itself was only a preliminary ruling on the meaning of the passage in dispute, with the dispute itself to be resolved in a later trial. In October Singh won leave to appeal Eady's ruling; February's hearing and today's judgment constituted that appeal and its results. It is now two years since the original article appeared, and the real case is yet to be tried. Are we at the beginning of Jarndyce and Jarndyce or SCO versus Everyone?

The time and costs of all this are why we need libel law reform. English libel cases, as Singh frequently reminds us, cost 144 times as much as similar cases in the rest of the EU.

But the most likely scenario is that Singh will lose more than that million pounds. It's not just that he will have to pay the costs of both sides if he loses whatever the final round of this case eventually turns out to be (even if he wins the costs awarded will not cover all his expenses). We must also count what businesses call "opportunity costs".

A couple of weeks ago, Singh resigned from his Guardian column because the libel case is consuming all his time. And, he says, he should have started writing his next book a year ago but can't develop a proposal and make commitments to publishers because of the uncertainty. These withdrawals are not just his loss; we all lose by not getting to read what he'd write next. At a time when politicians can be confused enough to worry that an island can tip over and capsize, we need our best popular science educators to be working. Today's adults can wait, perhaps; but I did some of my best science reading as a teenager: The Microbe Hunters; The Double Helix (despite its treatment of Rosalind Franklin); Isaac Asimov's The Human Body: Its Structure and Operation; and the pre-House true medical detection stories of Berton Roueché. If Singh v BCA takes five years that's an entire generation of teenagers.

Still, yesterday's ruling, in which three of the most powerful judicial figures in the land agreed - eloquently! - with what we all thought from the beginning deserves to be celebrated, not least for its respect for scientific evidence,

Some favorite quotes from the judgment, which makes fine reading:

Accordingly this litigation has almost certainly had a chilling effect on public debate which might otherwise have assisted potential patients to make informed choices about the possible use of chiropractic.

A similar situation, of course, applies to two other recent cases that pitted libel law against the public interest in scientific criticism. First, Swedish academic Francisco Lacerda, who criticized the voice risk analysis principles embedded in lie detector systems (including one bought by the Department of Work and Pensions at a cost of £2.4 million). Second, British cardiologist Peter Wilmshurst is defending charges of libel and slander over comments he made regarding a clinical trial in which he served as a principal investigator. In all three cases, the public interest is suffering. Ensuring that there is a public interest defense is accordingly a key element of the libel law reform campaign's platform.

The opinion may be mistaken, but to allow the party which has been denounced on the basis of it to compel its author to prove in court what he has asserted by way of argument is to invite the court to become an Orwellian ministry of truth.

This was in fact the gist of Eady's ruling: he categorized Singh's words as fact rather than comment and would have required Singh to defend a meaning his article went on to say explicitly was not what he was saying. We must leave it for someone more English than I am to say whether that is a judicial rebuke.

We would respectfully adopt what Judge Easterbrook, now Chief Judge of the US Seventh Circuit Court of Appeals, said in a libel a2ction over a scientific controversy, Underwager v Salter: "[Plaintiffs] cannot, by simply filing suit and crying 'character assassination!', silence those who hold divergent views, no matter how adverse those views may be to plaintiffs' interests. Scientific controversies must be settled by the methods of science rather than by the methods of litigation.

What they said.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.