" /> net.wars: February 2015 Archives

« January 2015 | Main

February 27, 2015

Barbershop quartet

"It's unlikely that we'll have a barbershop quartet singing it out every time," Emma Craddock. She was talking about ways to make it explicit to users when they are handing over data, kind of like the cookie directive on steroids. (You know, the thing that makes messages pop up on every website demanding that you accept cookies to make the site work.) She was speaking at this week's workshop run by the Meaningful Consent project at the University of Southampton. The main question up for consideration: what is meaningful consent, and how do we achieve it?

For a moment, I was entranced by the possibilities. A barbership quartet! I know - or knew - someone who sang in one of those. It's sort of entrancing to imagine him, as a retired engineer, touring around to people's houses to pop up with his buddies, like out of a cake, to sing out,

"You're paying with your data For this thing you think is free."

It's easy to become inured to clicking "OK" to make these trades just to get on with things; but how much harder to ignore four guys in striped jackets and hats singing full-voice in harmony, arms outflung, two feet from your ears? Yes, yes, in real life it would be spectacularly annoying and wildly labor-intensive (although: jobs!), but for a moment, imagine...it would certainly get users' attention as they traded their data away.

Craddock's main point was that the data protection laws reflect the expectation of their mid-1990s time that we always knew when we were disclosing personal information, just as at one time we knew when we crossed the border into a foreign country's legal jurisdiction and now the crossing is invisible. Today, we disclose information unknowingly: it requires an exercise of deliberate thought to see every typed-in search query as a gift from us to GooBingYa, and the data brokers who swap and trade behind the scenes are completely unknown to the millions whose data they keep. You visit Google, not its fully owned subsidiary DoubleClick; only a tiny minority of obsessed privacy advocates visit Axciom or Comscore. Under EU data protection law you have the right to file subject access request for your data file. But who would know to ask these hidden third-party data brokers - and even if you do, you are not their customer. Use the source, Luke.

Cut to: Motherboard, where Brian Merchant lays out what goes on behind the scenes when you search for information on medical conditions. A search for information on diabetes may get you tagged as "diabetes-worried". US health insurers certainly would want to know if a prospective customer might be on the verge of developing a chronic, expensive condition - and prospective employers might like to know, too. Is this what you "consented" to when you typed in your search term and hit ENTER?

On Tuesday evening I checked in for a flight on Iberia. At completion of check-in, a message popped up, offering me the great idea of sharing with my friends on Facebook. Iberia-checkin-facebook.jpgIt offered three "practical" messages, one announcing my flight number and departure time; another announcing takeoff and expected flight time; a third announcing my arrival. We talk about the "sharing economy" and this ultimate product placement is an aspect of it: advertising seamlessly integrated into activities that would formerly have been entirely separated that it's easy not to notice who benefits from the underlying data flow or that it actually *is* advertising. They can reasonably call it opt-in instead of "insidious propaganda".

The European NGO Alliance for Child Safety Online has been discussing the need for legislation to provide children with clearly understandable information about what they're sharing and with who in simple language. It's an unobjectionable idea except for the recurring problem: how? We don't even know how to do this for adults: hence the Southampton workshop.

We do know some things. We know that asking anyone to read lengthy privacy policies and terms and conditions is a meaningless exercise. First, because people hate it and won't do it, even if you make it a bulleted summary. Second, because without the market power to do more than say yes or no, use the service or don't use the service, it's futile. We cannot bargain, object to, or negotiate these contracts. Even phone apps, which are a bit more explicit about what they're asking for, come on a take-it-or-leave-it basis. Over time, if the app world goes the way desktop software did, there may be fewer alternatives to turn to when you don't like the terms than there are now.

We also know that asking users to participate in a lengthy set-up process to embed their preferences into some kind of dashboard or basic settings does not work. Most people accept the defaults and get on with things. (I am a member of the weird minority who read all customization options at the outset and configure them all.)

We really do need context-based single questions a user can answer. We really do need it made clear where our data goes, how it's shared, and with whom. But most of all, we need real choices. People seem not to care about privacy because they believe they've already lost. That barbershop quartet needs to bring with them the ability to rewrite the contract.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.


February 20, 2015

The gunpowder tea party

For several years in the mid-2000s, Privacy International ran annual Stupid Security Awards. The situation has not improved since.

Item: last week I took a small (under 100 grams) package destined for elsewhere within the UK to the post office. "What's in it?" the postmaster asked. I genuinely couldn't remember beyond that it was an item I'd found on my desk that I thought the recipient should have. "I can't send it if you don't tell me what's in it." He could, however, sell me stamps to put on the package so I could drop it in the post box outside.

Item: an absurd exchange with the now-departed-from-my-life Vodafone. On February 2, my number ported to the new supplier. As that was the day my bill was due, I thought I'd check the website to see if I had anything to pay and discovered porting the number had simultaneously shut down web access to my billing information - I say "my" billing information, but that's like "my library book". I initiated a web chat. All I wanted to know: would they send me a final bill?

"Dylan" (who I thought was a robot until he? started misspelling things, which, who knows, may be deliberate to make a bot look human) said he had to take me through security. Name, address, phone number, amount of my last bill. I gave the amount of the January bill and said I didn't have February. Dylan responded with a little encomium about how security is important and that's why he has to ask these questions. He did *not* indicate whether he'd accepted the January amount.

Which may be why his next question - "what is the IMEI number of your handset" - made me feel less confident that I was really chatting with someone from Vodafone. I know: I contacted them via their HTTPS-protected website. But malware...hacking...social engineering...someone asking a string of questions and providing no feedback...and I could see no logical reason why they needed this level of certainty in order to send a bill to an email address they already had on file. At that point my New York personality - impatience and distrust - kicked in and I said if they wanted payment they could let me know. end of conversation.

People confronted with situations like these do not conclude that there are terrible risks we must all work together to protect ourselves against. Instead, they conclude that security is stupid, inflexible, and a waste of their time, a result that makes solving the society-wide security problems we actually face even harder.

To be sure, a lot of the issue was a design problem. Vodafone did the right thing in telling me how long I would have to wait before my chat approach was answered - but it then did the wrong thing by not telling me how many questions I might have to answer or how long the security process might take. This is a mismatch between their perception of the task and mine. I want an answer to my question and anything leading up to that is "waiting". They think once they have connected to me I am no longer "waiting" and am now being served. Answering security questions is not being served; to the customer it's still waiting. "Being served" is: I'm looking for the answer to your question and here it is.

The other really significant thing Vodafone did wrong is to fail to offer any acknowledgment that we were making progress toward a defined goal. I understand that security people do not want to give a miscreant clues that might help them game the system. I get that. I also get that the procedure and number of questions may vary. But there still needs to be some feedback. I'm still *waiting* here. The even more significant failing was the depressingly standard behavior of not offering any information to confirm itself. If all organizations handling sensitive information had made two-way authentication (not two-*factor*) authentication when telephone banking began and made it standard practice that grew up alongside the internet, there would be few phishing problems now.

That's becoming an increasing issue because the other side of stupid security is that the people in charge of important building blocks are making the kinds of stupid decisions that make it impossible for us to make good ones. Just this week:

Item: Lenovo has been shipping PCs with adware that intercepts HTTPS connections in the interests of inserting ads. In the US, many companies do this, presumably with some idea that in-depth monitoring of their employees' web use will yield at least legal compliance, at best some ability to catch wrongdoing.

Item: Samsung has been shipping smart TVs that capture what's said in front of them and uploads it unencrypted. Yes, Samsung will fix it, but here is the future: updating myriad "smart" inanimate objects because their makers have no...let's call it street smarts.

Item: GCHQ and the NSA hacked Gemalto's network to steal the encryption keys that protect many of the world's mobile phone conversations. What they failed to win legally when key escrow was defeated, they went ahead and stole.Simon Davies.jpg

Every part of this ecosystem matters, from bad design decisions to deliberate undermining. As Privacy International founder Simon Davies said in 2003: a global menace.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 13, 2015

The analog hole

In April 2000, one of my editors forwarded the latest press release he'd received announcing a new online sales site with an exasperated note: "Who would buy shoes on the internet?"

Then, as now, my personal collection of shoes encompassed a couple of pairs of Merrell Jungle Mocs and several pairs of tennis shoes in varying degrees of growing decreptitude. They had all been bought online, from LL Bean and Tennis Warehouse, both long-time catalogue sellers newly enwebbed. You know the shoe, you know the size, what's to see? A friend with a gigantic teenaged son weighed in: "Try finding size 15 men's shoes in London for under £70."

My own limit - I thought - was prescription glasses to correct substantial myopia and astigmatism. I have lousy eyesight but great visual acuity. I can see differences eye doctors acknowledge are there "but you can't see it" ("And yet, that's why I came in"), and consequently my eyes are tricky to correct. A small difference in angle or positioning can turn crystal clarity into "Is that a cat?" I have long since learned to avoid mass-market opticians. Yet this year, with only a small prescription change and no time to visit the skilled, US-based local optician who does get it right, when I read about an ultra-cheap online outlet on Slashdot and found it was excellently designed I thought it was worth an experiment. Four days ago I received in the post a pair of new glasses with a Chinese shipping label. They are perfect.

I think it was the New Yorker writer Ken Auletta who said something to the effect that if your industry hadn't been disrupted by Google it was about to be disrupted by Google. Swap out Google in favor of the internet more generally, and even an optician in a small central Pennsylvania town isn't safe - with all the knock-on effects to their suppliers. What large companies can do to save money by transferring their manufacturing to countries with cheaper labor we can all now do individually. The internet democratizes outsourcing.

It might be more accurate to call it "internet-plus". The "plus" refers to the fact that the internet can only do its enablement when the infrastructure is already in place: it doesn't actually make or ship the glasses. Bits, however perfectly formed, cannot make me see better. So, sitting with my new, perfect glasses that cost less than a quarter of what they would have cost locally, here's the question: what is the real price of allowing the infrastructure that keeps me able to see clearly to be exported to China? The answer to that can't be captured by counting lost sales tax/VAT or empty shops on the High street. I have not researched the economics of opticians, but my guess is that services like eye tests and general care are like the money theatres make from showing movies, and making and selling glasses is the popcorn and fizzy drinks. In defense of the fact that I will probably order a second, spare pair, I might argue that the influx of name designers into eyeglasses abruptly doubled the price of what had up until then been a reasonable biannual cost. You might reply that I handled that by wearing the same frames for more than a decade until they wore out, replacing lenses as needed. You would be right. These are my first new frames since 2004.

There's a parallel here to a discussion of copyright, specifically digital rights management, that I also attended this week. Many of the decisions we've made at all levels about the internet and digital technologies generally were based on the idea that they were experimental media. Given the number of copies of Alice and the red queen.jpgAlice in Wonderland in the world, it's hard to see the damage if a publisher issues an ebook version that is protected with DRM. If it's one publisher and one ebook, maybe none because there are so many alternatives. I can't take my new glasses into the online shop and ask for adjustments, but I can take them apologetically to the local optician and offer to pay for his time. If the hardware required to read my ebook of Alice dies in 25 years, where do I go to get it fixed? Must I replace my entire library every time an ebook supplier goes bust?

This is what happens as we put more and more reliance on the "experimental" infrastructure: the alternatives wither through disuse. At that point, what has effectively happened is that a work that was in the public domain and readily accessible has been privatized - a different type of export. In this case, the infrastructure we rely on for ideas and access to culture has become as remote and inaccessible as a China-based optician. What's needed is to stop thinking of the digital world as a new "alternative" and accept that for many people, especially those under 35, it is the primary infrastructure, and the hole where the analog precursor used to be is the alternative. This means a profound change in how we think about the policy decisions we're making: they're not temporary any more. As a friend said when he turned 47, "I've realized that the things in my life I thought were penciled in are permanent."


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 6, 2015

Wheelwright


Network neutrality has been with us as an issue for something like ten years now - I first wrote about it for Scientific Americanin early 2006 - and despite the clamor of various people this week claiming that "we" - that is, the forces for an open internet that supports innovation and freedom of expression - have won the debate seems likely to be with us for a long time yet. This week, Tom Wheeler, the chair of the US Federal Communications Commission, that he intends to base new net neutrality rules on Title II of the 1934 Telecommunications Act (PDF). Wheeler discusses his proposed rules (PDF) in a blog post0 for Wired and various folks are getting all excited but the FCC itself doesn't vote on Wheeler's proposals until February 26, and even assuming the FCC votes in favor there will doubtless be much industry pushback and even after that icky! legal! details! and probably at least one court case. Still, TechPresident calls passage a "virtual certainty".

There's a particularly expert radio discussion between Tim Wu, the Columbia University professor who is generally credited with coining the phrase "network neutrality", speaking in favour and Dave Farber, a pioneering computer scientist and professor at Carnegie-Mellon University, voicing reservations. Also worth checking out is Public Knowledge'a Reddit question-and-answer session.

The issue of what right ISPs had to discriminate among the sources of content reaching consumers over internet links was originally kicked into the public consciousness in November 2005, when the then CEO of AT&T, Edward E. Whitacre (who six years earlier had told Business Week he had neither a computer nor email in his own office and was almost completely computer-illiterate) said publicly that companies like Google, Yahoo!, and Vonage should be paying his company for delivering audiences to them. Otherwise, he said, AT&T would have no incentive to invest in upgrading its network. Ignoring the ludicrousness of that argument (really no incentive? you need more competitors, if that's the case).

Since then, the issue has only continued to grow. In the last year, since the FCC proposed to issue rules allowing the creation of discriminatory "internet fast lanes", it has received an unprecedented 4 million public comments.

The issue in its current form was set off just over a year ago, when a federal court struck down substantial portions of the FCC's last attempt to impose regulatory control, 2010's Open Internet Order (PDF). Legal wrangles since have focused on whether ISPs should be classed as "common carriers", which the FCC has the authority to regulate, or "information services", which it does not. This week, Wheeler made plain his intention to classify them as common carriers - telecommunications services like the old phone companies were, not information services like CompuServe was. Most important for free and open internet advocates, common carriers may not discriminate among the content they carry: they're not allowed, for example, to accept payment to deliver telemarketers' calls and send all your personal calls to voicemail or , in the case of ISPs, to hobble the delivery of Skype calls while allocating extra bandwidth to their own.

Probably the best summary of what the proposals do and don't do is at Ars Technica. The best news seems to be that the Title I classification, and therefore the rules, will be extended to mobile broadband for the first time (although mobile network operators' voice services have always been included). As for the rest, as the Streaming Media blog says, what many US consumers want is greater choice, and they seem unlikely to get it, since the FCC's proposals explicitly promise not to require last-mile unbundling, regulate prices, or require ISPs to file tariffs. So, regulated, but not as heavily as an electric or gas utility.

You can measure indirectly the probable worth of the proposals, even without reading them, by seeing how the players line up: AT&T hates them as much as it ever did, despite a change in CEO; in the New York Times the telecommunications expert Susan Crawford welcomes the oversight.

So until or unless the proposals fail in a vote or in court, we can be cautiously optimistic. For the US, however, which is falling behind in broadband provision in some significant ways, there is still a lot to fix: most regions have at most two, sometimes one, provider; bandwidth caps and sponsored data also limit access.

And another thought: in 2005, when this squabble over who has pole position to demand payment began, Netflix wasn't streaming yet and pre-Google YouTube was only six months old, but the fear of bandwidth-swamping video was already with us. Rightsholders, whose fear of lost revenues and control meant that the only services that could get legal licenses to carry copyrighted content were centralized ones using acceptably protected technology. As the EFF's Danny O'Brien danny-final-color.jpgpointed out to me in conversation in December, we may think of what we call "streaming" as a computerized analogue of broadcasting, but in fact what's happening technically is download-and-delete. Like "free" instead of "pay-with-data" used to describe services like Google or Facebook, "streaming" serves to hide the iniquitous reality. Would we be arguing about network neutrality at all if peer-to-peer sharing, instead of download-and-delete, were the norm?

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.