net.wars: September 2017 Archives


September 15, 2017

Equifaction

The Equifax announcement this week is peculiarly terrible. It's not just that 143 million Americans and uncertain numbers of Canadians and Britons are made vulnerable to decades of identity fraud (social security numbers can't - yet - be replaced with new ones). Nor is it the unusually poor apology issued by the company or its ham-fisted technical follow-up (see also Argentina). No, the capper is that no one who is in Equifax's database has had any option about being in it in the first place. "We are its victims, not its customers," a number of people observed on Twitter this week.

Long before Google, Amazon, Facebook, and Apple became GAFA, Equifax and its fellow credit bureaus viewed consumers as the product. Citizens have no choice about this; our reward is access to financial services, which we *pay* for. Americans' credit reports are routinely checked on every application for credit, bank accounts, or even employment. The impact was already visibly profound enough in 1970, when Congress passed the Fair Credit Reporting Act. In granting Americans the right to inspect their credit reports and request corrections, it is the only US legislation offering rights similar to those granted to Europeans by the data protection laws. The only people who can avoid the tentacled reach of Equifax are those who buy their homes and cars with cash, operate no bank accounts or credit cards, pay cash for medical care and carry no insurance, and have no need for formal employment or government benefits.

Based on this breach and prior examples, investigative security journalist Brian Krebs calls the credit bureaus "terrible stewards of very sensitive data".

It was with this in the background that I attended a symposium on reforming Britain's Computer Misuse Act run by the Criminal Law Reform Now Network. In most hacking cases you don't want to blame the victim, but one might make an exception for Equifax. Since the discussion allowed for such flights of fancy, I queried whether a reformed act should include something like "contributory negligence" to capture such situations. "That's data protection laws," someone said (the between-presentation discussions were under the Chatham House Rule). True. Later, however, merging that thought with other comments about the fact that the public interest in secure devices is not being met either by legislators or by the market inspired Duncan Campbell to suggest that perhaps what we need as a society is a "computer security act" that embraces the whole of society - individuals and companies - that needs protection. Companies like Equifax, with whom we have no direct connection but whose data management deeply affects our lives, he suggested, should arguably be subject to a duty of care. Another approach several of those at the meeting favored was introducing a public interest defense for computer misuse, much as the Defamation Act has for libel. Such a defense could reasonably include things like security research, journalism, and whistleblowing.

The law we have is of course nothing like this.

As of 2013, according to the answer to a Parliamentary question, there had been 339 prosecutions and 262 convictions under the CMA. A disproportionate number of those who are arrested under the act are young - average age, 17. There is ongoing work on identifying ways to turn the paths for young computer whizzes toward security and societal benefit rather than cracking and computer crime. In the case of "Wannacry hero" Marcus Hutchins, arrested by the FBI after Defcon, investigative security journalist Brian Krebs did some digging and found that it appears likely he was connected to writing malware at one time but had tried to move toward more socially useful work. Putting smart young people with no prior criminal record in prison with criminals and ruining their employment prospects isn't a good deal for either them or us.

Yet it's not really surprising that this is who the CMA is capturing, since in 1990 that was the threat: young, obsessive, (predominantly) guys exploring the Net and cracking into things. Hardly any of them sought to profit financially from their exploits beyond getting free airtime so they could stay online longer - not even Kevin Mitnick, the New York Times's pick for "archetypal dark side hacker", now a security consultant and book author. In the US, the police Operation Sundown against this type of hacker spurred the formation of the Electronic Frontier Foundation. "I've begun to wonder if we wouldn't also regard spelunkers as desperate criminals if AT&T owned all the caves," John Perry Barlow wrote at the time.

Schifreen and Gold, who were busted for hacking into Prince Philip's Prestel mailbox, established the need for a new law. The resulting CMA was not written for a world in which everyone is connected, street lights have their own network nodes, and Crime as a Service relies on a global marketplace of highly specialized subcontractors. Lawmakers try to encode principles, not specifics, but anticipating such profound change is hard. Plus, as a practical matter, it is feasible to capture a teenaged kid traceable to (predominantly) his parents' basement, but not the kingpin of a worldwide network who could be anywhere. And so CLRNN's question: what should a new law look like? To be continued...


Illustrations: Equifax CEO Rick Smith; Robert Schifreen.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

September 3, 2017

Going dark

"Democracy dies in darkness," slogans the Washington Post on its morning emails and front page. This week, a case in point surfaced with the news that during the US presidential campaign Facebook sold about $100,000 worth of ads to a Russian company with a history of pushing pro-Kremlin propaganda. A "troll farm", the article calls it. The news comes directly from Facebook, in both testimony to congressional investigators and a blog post by Alex Stamos, the company's chief security officer. Stamos says there were roughly 3,000 of these ads and that they were associated with about 470 "inauthentic" accounts. (That is, the accounts were real enough, but the people behind them weren't provably who they said they were.) "We don't allow inauthentic accounts on Facebook," he advises, adding that the accounts have been shut down.

The Post writers note that although Facebook reports in that blog post that about a quarter of these ads were geographically targeted, company officials declined to provide specifics about which areas or demographic groups were the targets. The company also declined to disclose samples of the ads in question, citing "federal law" and Facebook's own data policy as reasons why they couldn't disclose user data and content. However, a company official did say that the ads were directed at "people on Facebook who had expressed interest in subjects explored on those pages, such as LGBT community, black social issues, the Second Amendment, and immigration". Stamos says in his blog post that the "vast majority" of these ads didn't specifically reference the election, voting, or any specific candidate but appeared to focus on "amplifying divisive social and political messages across the ideological spectrum". This is the kind of strategy that worked so well for Iago. Games People Play author Eric Berne would call this one, "Let's you and him fight". Democracy can also die in divisiveness, as in "divide and conquer".

At the Atlantic, David A. Graham considers the history of Russian interference efforts and the implications for election law: US campaign finance laws bar foreigners from spending to influence an election. When you're talking about the auditable financial accounts belonging to candidates and their campaigns, that's a manageable prospect, as the Sunlight Foundation shows. What makes the Facebook situation hard is the lack of insight into the company's inner workings: darkness deeper than that of the "dark web" because it's defended by well-paid experts.

When James Comey, the head of the FBI under the Obama administration, complained about "going dark", he meant encryption. This is the same back door argument so exercising UK Home Secretary Amber Rudd at the moment, and it elicits the same response: it's dangerous, unworkable, and counter-productive. All of this was laid out clearly in the 2015 paper Keys Under Doormats: Mandating Insecurity, written by a parliament of security experts, who noted that today's law enforcement has access to a wildly greater supply of data about all of us than at any time in history.

What is really at risk of going dark is our visibility into public life as more and more of it moves onto proprietary platforms whose inclination is to stockpile information rather than make it transparent. In another of this week's Facebook stories, Politico's Jason Schwartz talks to Facebook's new army of fact checkers and finds that the company's refusal to share data about their results is hurting their ability to decide which stories to prioritize for fact checking. The only feedback they apparently get is the advice that false news is decreasing on Facebook. It's hard to know what that even means: does it mean fewer fake stories are shared, that fewer people see fake stories, or, the hardest to measure, that the stories' influence is less? Have they found any unwanted side effects, such as the disappearance of real stories? Recall that only a few months ago, Facebook's leaked training slides showed that the company's policies are already a mess of ad hoc precedents.

Along with this is the Slate story from a couple of weeks ago following the post-Charlottesville purge of hate speech, in which April Glaser finds that the "alt-right", Nazis, and white supremacists are building their own web of social media sites. This is unsurprising to anyone who's seen filmmaker Jen Senko's excellent documentary, The Brainwashing of My Dad. In studying the personal transformation of her own father under the influence of a steady diet of Fox News and Rush Limbaugh, Senko unearths the history of conservative right-wing media. The Nixon strategist (1968) and Fox News chair Roger Ailes played a key role in creating a media of "our own". The bubble that created was bad enough; now we have a group of already-alienated, angry people pushed together even further away from the mainstream on platforms where they can bond as "martyrs" and "refugees". What could possibly go wrong?

In lamenting the end of the Sun operating system Solaris, Bryan Cantrill says that becoming proprietary is the moment of death for software. Only open source, he writes, lives eternally. The same is true of public discourse.

Illustrations: Facebook logo; James Comey; Jen Senko's dad.


September 1, 2017

Capture the flag

Earlier this week, at BoingBoing, Cory Doctorow alerted us all to the existence of a lengthy Yale Law Journal article by Lina M. Khan that discusses the last half-century of the operation of US antitrust law (aka the Sherman Act) using Amazon as an example case. The tl;dr: where antitrust law originally sought to balance market power, in current interpretation, influenced by the Chicago School of economics, it focuses narrowly on pricing and profits, and fails to consider broader impact on workers, creators, competitors, and society at large. Khan is a third-year law student and a fellow with the Open Markets group - the one the headlines say was dumped by the New America Foundation for being welcoming of the EU's fining Google. Numerous people cite reasons to believe pressure was applied.

Both Khan's original 24,000-word, accessibly-written article and Doctorow's discussion of it are worth reading. Khan lays out clearly many, often unconsidered, aspects of Amazon's dominance: it is the biggest single player in online retail; it is a force in book publishing; it is building its own delivery network that critics fear will eventually bypass UPS and Fedex; its Marketplace infrastructure allows it insight into smaller competitors' businesses; and it owns the infrastructure on which many other internet businesses - including Netflix - rely.

Most important, as Khan writes, all those activities have produced huge piles of data Amazon can leverage to push its way into further sprawl. At one time, investors were concerned that Marketplace would divert customers away from Amazon's own offerings; I remember seeing in an annual report that to Amazon's bottom line the transactions were of equal value. That calculation is more or less what Khan is complaining about: the same dollars and cents accrued, but no one valued the data it collected from all those small sellers' transactions. The result, Khan finds, is that Amazon has developed its own retail lines by cherry-picking Marketplace successes. No muss, no fuss, no risky maybe-this-is-a-good-idea. Netflix selects its original content the same way: unlike traditional broadcasting, it knows what people actually watch instead of what people want others to think they watch.

Companies like AT&T, Standard Oil, and the Hollywood studios got broken up for less.

For me, Khan's analysis explains a lot: it answers critics who insist that the EU is wholly animated by obstructive nationalism. The EU may also be nationalist, but the principles it's applying are ones that the US has progressively abandoned. In that sense, although the EU's choice of target, Google's shopping search, seemed quirky and somewhat out-of-date, the idea was not necessarily wrong.

Amazon is chiefly providing fodder for Khan's main point, which is that the school of thought inspired by failed Supreme Court nominee Robert Bork's book The Antitrust Paradox has made American antitrust practice ill-equipped to deal with today's technology titans. This was less true 20 years ago, when the US Department of Justice went after Microsoft for leveraging Windows 95 to force people to use Internet Explorer.

Fifty years ago, when IBM was investigated by the antitrust authorities, the company was ordered to unbundle its software and services from its hardware. Thirty-five years ago, when AT&T was broken up, the company was split between local service provision (the seven Baby Bells, which have since coagulated back into three) and long distance services. The arrival of the internet then up-ended everything. Twenty years ago, when the Microsoft case was being decided, there was a lot of talk: should Microsoft be broken up into operating systems (in that scenario, the equivalent of pipes) and office software (the equivalent of content)? The internet, Google, open source software, and smartphones utterly changed that landscape. Since then, it may have seemed reasonable to think that we only had to wait for two guys in a garage to up-end any or all of GAFA.

But AT&T could have blocked the consumer internet by continuing to refuse to allow the connection of third-party phone equipment to phone lines. IBM might have sought to control microcomputer design. In all these cases, innovation hasn't up-ended older players until some limitations have already been placed upon them and they've known they were under scrutiny. As Khan's analysis suggests, giddy optimism that new technological breakthroughs will make regulatory intervention unnecessary is misplaced.

Google's moment of truth arrived this year, when the EU issued its monster fine. Facebook, too, is finding the EU attentive: it was fined $122 million for misleading regulators in its acquisition of (former) competitor WhatsApp. Despite widespread disquiet over Amazon's various disputes with publishers, so far Amazon has escaped, yet it's arguably been the most successful of the lot in burrowing its way deep into the internet infrastructure.

I have come to think in terms of capturing gateways that control our access to the internet, media content, social relationships, real-world navigation, and so on. Amazon, all the way over >there< by itself using shopping, has looked to be outside the fray. GAFA's strategies are known. Amazon is capturing - look, ma! no advertising - an entire business landscape, rather like Uber, by exploiting investors' willingness to provide it with the cash to finance the whole thing. We've had a nice long run with its cheap prices - now coming to a Whole Foods near you. But predators always get us in the end.


Illustrations: John A. Sherman; Lina Khan; Jeff Bezos.
