net.wars

The new normal

Fri, 04 Jul 2008 14:29:27 +0000

The (only) good thing about a war is you can tell when it's over.

The problem with the "War on Terror" is that terrorism is always with us, as Liberty's director, Shami Chakrabarti, said yesterday at the Homeland and Border Security 08 conference. "I do think the threat is very serious. But I don't think it can be addressed by a war." Because, "We, the people, will not be able to verify a discernible end."

The idea that "we are at war" has justified so much post 9/11 legislation, from the ID card (in the UK) and Real ID (US) to the continued expansion of police powers.

How long can you live in a state of emergency before emergency becomes the new normal? If there is no end, when do you withdraw the latitude wartime gives a government?

Several of yesterday's speakers talked about preserving "our way of life" while countering the threat with better security. But "our way of life" is a moving target.

For example, Baroness Pauline Neville-Jones, the shadow security minister, talked about the importance of controlling the UK's borders. "Perimeter security is absolutely basic." Her example: you can't go into a building without having your identity checked. But it's not so long ago - within the 18 years I've been living in London - that you could do exactly that, even sometimes in central London. In New York, of course, until 9/11, everything was wide open; these days midtown Manhattan makes you wait in front of barriers while you're photographed, checked, and treated with great suspicion if the person you're visiting doesn't answer the phone.

Only seven years ago, flying did not involve two hours of standing in line. Until January, tourists do not have to register three days before flying to the US for pre-screening.

It's not clear how much would change with a Conservative government. "There is a very great deal by this government we would continue," said Neville-Jones. But, she said, besides trackling threats, whether motivated (terrorists) or not (floods, earthquakes, "we are also at any given moment in the game of deciding what kind of society we want to have and what values we want to preserve." She wants "sustainable security, predicated on protecting people's freedom and ensuring they have more, not less, control over their lives." And, she said, "While we need protective mechanisms, the surveillance society is not the route down which we should go. It is absolutely fundamental that security and freedom lie together as an objective."

To be sure, Neville-Jones took issue with some of the present government's plans - the Conservatives would not, she said, go ahead with the National Identity Register, and they favour "a more coherent and wide-ranging border security force". The latter would mean bringing together many currently disparate agencies to create a single border strategy. The Conservatives also favour establishing a small "homeland command for the armed forces" within the UK because, "The qualities of the military and the resources they can bring to complex situations are important and useful." At the moment, she said, "We have to make do with whoever happens to be in the country."

OK. So take the four core elements of the national security strategy according to Admiral Lord Alan West, a Parliamentary under-secretary of state at the Home Office: pursue, protect, prepare, and prevent. "Prevent" is the one that all this is about. If we are in wartime, and we know that any measure that's brought in is only temporary, our tolerance for measures that violate the normal principles of democracy is higher.

Are the Olympics wartime? Security is already in the planning stages, although, as Tarique Ghaffur pointed out, the Games are one of several big events in 2012. And some events like sailing and Olympic football will be outside London, as will 600 training camps. Add in the torch relay, and it's national security.

And in that case, we should be watching very closely what gets brought in for the Olympics, because alongside the physical infrastructure that the Games always leave behind - the stadia and transport - may be a security infrastructure that we wouldn't necessarily have chosen for daily life.

As if the proposals in front of us aren't bad enough. Take for example, the clause of the counterterrorism bill (due for its second reading in the Lords next week) that would allow the authorities to detain suspects for up to 42 days without charge. Chakrabarti lamented the debate over this, which has turned into big media politics.

"The big frustration," she said, "is that alternatives created by sensible, proportionate means of early intervention are being ignored." Instead, she suggested, make the data legally collected by surveillance and interception admissible in fair criminal trials. Charge people with precursor terror offenses so they are properly remanded in custody and continue the investigation for the more serious plot. "That is a way of complying with ancient principles that you should know what you are accused of before being banged up, but it gives the police the time and powers they need."

Not being at war gives us the time to think. We should take it.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Mistakes were made

Fri, 27 Jun 2008 16:07:19 +0000

This week we got the detail on what went wrong at Her Majesty's Revenue and Customs that led to the loss of those two CDs full of the personal details of 25 million British households last year with the release of the Poynter Review (PDF). We also got a hint of how and whether the future might be different with the publication yesterday of Data Handling: Proecures in Government (PDF), written by Sir Gus O'Donnell and commissioned by the Prime Minister after the HMRC loss. The most obvious message of both reports: government needs to secure data better.

The nicest thing the Poynter review said was that HMRC has already made changes in response to its criticisms. Otherwise, it was pretty much a surgical demonstration of "institutional deficiencies".

The chief points:

- Security was not HMRC's top priority.

- HMRC in fact had the technical ability to send only the selection of data that NAO actually needed, but the staff involved didn't know it.

- There was no designated single point of contact between HMRC and NAO.

- HMRC used insecure methods for data storage and transfer.

- The decision to send the CDs to the NAO was taken by junior staff without consulting senior managers - which under HMRC's own rules they should have done.

- The reason HMRC's junior staff did not consult managers was that they believed (wrongly) that NAO had absolute authority to access any and all information HMRC had.

- The HMRC staffer who dispatched the discs incorrectly believed the TNT Post service was secure and traceable, as required by HMRC policy. A different TNT service that met those requirements was in fact available.

- HMRC policies regarding information security and the release of data were not communicated sufficiently through the organization and were not sufficiently detailed.

- HMRC failed on accountability, governance, information security...you name it.

The real problem, though, isn't any single one of these things. If junior staff had consulted senior staff, it might not have mattered that they didn't know what the policies were. If HMRC used proper information security and secure methods for data storage (that is, encryption rather than simple password protection), they wouldn't have had access to send the discs. If they'd understood TNT's services correctly, the discs wouldn't have gotten lost - or at least been traceable if they had.

The real problem was the interlocking effect of all these factors. That, as Nassim Nicholas Taleb might say, was the black swan.

For those who haven't read Taleb's The Black Swan: The Impact of the Highly Improbable, the black swan stands for the event that is completely unpredictable - because, like black swans until one was spotted in Australia, no such thing has ever been seen - until it happens. Of course, data loss is pretty much a white swan; we've seen lots of data breaches. The black swan, really, is the perfectly secure system that is still sufficiently open for the people who need to use it.

That challenge is what O'Donnell's report on data handling is about and, as he notes, it's going to get harder rather than easier. He recommends a complete rearrangement of how departments manage information as well as improving the systems within individual departments. He also recommends greater openness about how the government secures data.

"No organisation can guarantee it will never lose data," he writes, "and the Government is no exception." O'Donnell goes on to consider how data should be protected and managed, not whether it should be collected or shared in the first place. That job is being left for yet another report in progress, due soon.

It's good to read that some good is coming out of the HMRC data loss: all departments are, according to the O'Donnell report, reviewing their data practices and beginning the process of cultural change. That can only be a good thing.

But the underlying problem is outside the scope of these reports, and it's this government's fondness for creating giant databases: the National Identity Register, ContactPoint, the DNA database, and so on. If the government really accepted the principle that it is impossible to guarantee complete data security, what would they do? Logically, they ought to start by cancelling the data behemoths on the understanding that it's a bad idea to base public policy on the idea that you can will a black swan into existence.

It would make more sense to create a design for government use of data that assumes there will be data breaches and attempts to limit the adverse consequences for the individuals whose data is lost. If my privacy is compromised alongside 50 million other people's and I am the victim of identity theft does it help me that the government department that lost the data knows which staff member to blame?

As Agatha Christie said long ago in one of her 80-plus books, "I know to err is human, but human error is nothing compared to what a computer can do if it tries." The man-machine combination is even worse. We should stop trying to breed black swans and instead devise systems that don't create so many white ones.

Print rules

Fri, 20 Jun 2008 12:57:12 +0000

Here's the modern, efficient way to kill a club: dump the printed newsletter in favour of an electronic one.

Probably ten years ago I suggested easing the ecnomics of producing the Skeptic by turning it into an electronic magazine. Several people disagreed with this idea. How right they were.

The theory is pretty obvious. Club saves money on paper, printing, and postage. Club member gets informed just the same.

The practice is less obvious. First of all, not everybody has email, and the ones who don't aren't going to buy computers and spend hours figuring out how to set up a Gmail account just to get the club newsletter. They will be effectively disenfranchised and will rely on friends among the membership to phone them if anything they should know about is going on.

Second of all, people use email in different ways. Some only read it at work. Now the club newsletter is on their work computer, but isn't available at home, where it might actually inspire the club member to join some activity or other. Some don't check it more than once every few days and don't respond when they do.

But third of all - and this can't be news to anyone - the whole point of email is that it's easily ignored. People join clubs because there's an activity they're interested in, but like everything else there's a core of obsessive active members and then a much, much larger group of discretionary members who need to be coaxed along to things. In theory the immediacy of email ought to galvanize those people into action, but the effect seems to be the reverse: they set the email newsletter aside "to read later" and forget all about it.

Though the club does save money - that part works. At least, until it starts losing members.

I'm not suggesting that clubs shouldn't use email. They should - for late-stage reminders, for last-minute changes, for calls for volunteers to help with a specific activity.

Before they do that, though, they should - as many seem not to - think through a standard format for those emails that make them quick and easy for recipients to parse. One of my clubs sends out a steady stream. None of them have meaningful subjects, and since they all come from the same person I can't easily search back later and find the one with the details I need. The messages are all formatted by different people (who send them on to the distribution point), and some think that GIANT FONTS filling the entire first screen with one word makes them look interesting. Others fill the first screen with words exhorting me to be inspired before getting around to tell me what the event is and when. This is a serious user interface error: if you are trying to get people to do something you need to make it as easy as possible for them to understand your request.

Scheduled distribution dates also seem to evaporate when the newsletter goes electronic. I don't quite understand why, although I suspect that outside pressures of printer deadlines, planned dates to go to the post office, and copy deadlines that gave time for layout are probably a lot of it. Printed newsletters provide regular confirmation that the club still exists as an entity; they provide, if you like, evidence that you still belong to it. I'm sure a steady stream of emails ought to do the same thing, but I'm not sure they carry the same weight as the newsletter magneted to the refrigerator.

I'm entirely prepared to be told that this is a generational thing, or maybe even a cultural thing (are things the same in the US? I can't tell). I'm sure today's kids, who are unaware that there ever was a time when there was no email, IM, or social networks, don't see the point of a printed newsletter they can't carry on their mobile phones. But even if that's true, most of today's clubs have a large phalanx of - let's say politely - "legacy" members who simply do not function that way. And I'm not convinced that it is true.

Some organizations do know this, most notably the Association for Computing Machinery, the leading membership organization for computer industry professionals. If any organization were most likely to adopt electronic publication you'd think it would be this group: they all had email in the 1980s. Instead, although the ACM has indeed begun issuing a digital edidtion of its highly respected and valuable Communications of the ACM, it has no plans to eliminate the print edition.

Why? Said ACM in an email announcing the digital edition, "Print continues to be a vital way for the ACM to reach its members and the computing industry at large." That ought to tell people something: when computer people themselves don't want to use computers in a particular way there's usually a good reason. (Note that the ACM also opposes electronic voting because they do not believe it can be made sufficiently secure.)

So: trust your local, native guides. Print is a proven technology. Abandoning it is false economy.

Naked in plain sight

Fri, 13 Jun 2008 14:30:18 +0000

I couldn't have been more embarrassed than if the tall guy carrying a laptop had just told me I was wearing a wet T-shirt.

There I was, sitting in the Queen's club international press room. And there was he, the only other possessor of a red laptop in the entire building, showing me a screen full of a hotel reservation from a couple of months back, in full detail. With my name and address on it.

"If I can see it," he said in that maddening you-must-be-an-idiot IT security guy way, "so can everyone else."

DUH.

I took that laptop to Defcon!

(And nothing bad happened. That I know of. Yet.)

Despite the many Guardian readers who are convinced that I am technically incompetent because I've written pieces in which it seemed more entertaining to pretend to be so for dramatic effect, I am not an idiot. I'm not even technically incompetent, or not completely so. I am just, like most people, busy, and, like most people, the problem most of the time is to get my computers to work, not to stop them from working. And I fall into that shadowland of people who know just enough to want to run their computers their way but not enough to understand all the ramifications of what they're doing.

So, for example: file shares (not file-sharing, a different kettle of worms entirely). What you are meant to do, because you are an ignorant and brain-challenged consumer, is drop any files you need to share on the network into the Shared Documents folder. While it's no more secure than any other folder (and its name is eminently guessable by outside experts), the fact that you have to knowingly put files in it means that very little of your system is exposed.

I, of course, am far too grand (and perverse) to put up with Microsoft telling me how to organize my system, so of course I don't do things that way. Instead, I share specific directories using a structure I devised myself that is the same on all my machines. That's where I fouled up, of course. That laptop runs XP, and in XP, as I suppose I am the last to notice, the default settings have what's known as "simple file-sharing" turned on, so that if you share a directory it's basically open to all comers. XP warns you you're doing something risky; what it doesn't do is tell you in a simple way how to reduce the risk.

Yes, I tried to read the help files. They're impenetrable. Help files, like most of the rest of computing, separate into two types: either they're written for the completely naïve user, or they're written for the professional system administrator. Despite the fact that people like me are a growing class of users, we have to learn this stuff behind the bicycle shed from people randomly selected via Google.

This is what it should have said. Do one of the following two things: either set permissions so that only those users who have passwords on your system can access this directory or stick a $ sign at the end of the directory name to make it hidden. If you do the latter, you will have to map the directory as a network drive on all the machines that want to use it. I note that they seem to have improved things in Vista, which I will no doubt start using sometime around 21012). I know Apple probably does this better and Linux is secured out the wazoo, but that's not the point: the point is that it's incredibly easy for moderately knowledgeable users to leave their systems with gaping wide open holes. What I would have liked them to do is offer me the option to view how my system looks to someone connecting from outside with no authentication. I feel sure this could be done.

The problem for Microsoft on this kind of thing is the same problem that afflicts everyone trying to do IT security: everything you do to make the system more secure makes it harder for users to make things work. In the case of the file shares, as long as your computer is at home sitting behind the kind of firewalled router the big ISPs supply, it's more important to grant access to other household members than it is to worry about outsiders. It's when you take that laptop out of the house...and the really awkward thing is that there isn't any really easy way to test for open shares within your own network if, like many people, you tend to use the same login ID and password on all your machines for simplicity's sake. Do friends let friends drive open shares?

The security guys (really, the wi-fi suppliers and tech support), who were only looking around the network for open shares because they were bored, had a good laugh, especially when I told them who I write for (latest addition to the list: Infosecurity magazine!). And they obligingly produced some statistics. Out of the 60 to 100 journalists in the building using the wireless, three had open shares. One, they said, was way more embarrassing than mine, though they declined to elaborate. I think they were just being nice.

The Digital Revolution turns 15

Fri, 06 Jun 2008 13:22:55 +0000

"CIX will change your life," someone said to me in 1991 when I got a commission to review a bunch of online systems and got my first modem. At the time, I was spending most or all of every day sitting alone in my house putting words in a row for money.

The Net, Louis Rossetto predicted in 1993, when he founded Wired, would change everybody's lives. He compared it to a Bengali typhoon. And that was modest compared to others of the day, who compared it favorably to the discovery of fire.

Today, I spend most or all of every day sitting alone in my house putting words in a row for money.

But yes: my profession is under threat, on the one hand from shrinkage of the revenues necessary to support newspapers and magazines - which is indeed partly fuelled by competition from the Internet - and on the other hand from megacorporate publishers who routinely demand ownership of the copyrights freelances used to resell for additional income - a practice that the Internet was likely to largely kill off anyway. Few have ever gotten rich from journalism, but freelance rates haven't budged in years; staff journalists get very modest raises and for those they are required to work more hours a week and produce more words.

That embarrassingly solipsistic view aside, more broadly, we're seeing the Internet begin to reshape the entertainment, telecommunications, retail, and software industries. We're seeing it provide new ways for people to organize politically and challenge the control of information. And we're seeing it and natural laziness kill off our history: writers and students alike rely on online resources at the expense of offline archives.

Wired was, of course, founded to chronicle the grandly capitalized Digital Revolution, and this month, 15 years on, Rossetto looked back to assess the magazine's successes and failures.

Rossetto listed three failures and three successes. The three failures: history has not ended; Old Media are not dead (yet); and governments and politics still thrive. The three successful predictions: the long boom; the One Machine, a man/machine planetary consciousness; that technology would change the way we relate to each other and cause us to reinvent social institutions.

I had expected to see the long boom in the list of failures, and not just because it was so widely laughed at when it was published. Rossetto is fair to say that the original 1997 feature was not invalidated by the 2000 stock market bust. It wasn't about that (although one couldn't resist snickering about it as the NASDAQ tanked). Instead, what the piece predicted was a global economic boom covering the period 1980 to 2020.

Wrote Peter Schwartz and Peter Leyden, "We are riding the early waves of a 25-year run of a greatly expanding economy that will do much to solve seemingly intractable problems like poverty and to ease tensions throughout the world. And we'll do it without blowing the lid off the environment."

Rossetto, assessing it now, says, " There's a lot of noise in the media about how the world is going to hell. Remember, the truth is out there, and it's not necessarily what the politicians, priests, or pundits are telling you."

I think: 1) the time to assess the accuracy of an article outlining the future to 2020 is probably around 2050; 2) the writers themselves called it a scenario that might guide people through traumatic upheavals to a genuinely better world rather than a prediction; 3) that nonetheless, it's clear that the US economy, which they saw as leading the way has suffered badly in the 2000s with the spiralling deficit and rising consumer debt; 4) that media alarm about the environment, consumer debt, government deficits, and poverty is hardly a conspiracy to tell us lies; and 5) that they signally underestimated the extent to which existing institutions would adapt to cyberspace (the underlying flaw in Rossetto's assumption that governments would be disbanding by now).

For example, while timing technologies is about as futile as timing the stock market, it's worth noting that they expected electronic cash to gain acceptance in 1998 and to be the key technology to enable electronic commerce, which they guessed would hit $10 billion by 2000. Last year it was close to $200 billion. Writing around the same time, I predicted (here) that ecommerce would plateau at about 10 percent of retail; I assumed this was wrong, but it seems that it hasn't even reached 4 perecent yet, though it's obvious that, particularly in the copyright industries, the influence of online commerce is punching well above its statistical weight.

No one ever writes modestly about the future. What sells - and gets people talking - are extravagant predictions, whether optimistic or pessimistic. Fifteen years is a tiny portion even of human history, itself a blip on the planet. Tom Standage, writing in his 1998 book The Victorian Internet, noted that the telegraph was a far more radically profound change for the society of its day than the Internet is for ours. A century from now, the Internet may be just as obsolete. Rossetto, like the rest of us, will have to wait until he's dead to find out if his ideas have lasting value.

Ten

Fri, 30 May 2008 14:48:13 +0000

It's easy to found an organization; it's hard to keep one alive even for as long as ten years. This week, the Foundation for Information Policy Research celebrated its tenth birthday. Ten years is a long time in Internet terms, and even longer when you're trying to get government to pay attention to expertise in a subject as difficult as technology policy.

My notes from the launch contain this quote from FIPR's first director, Caspar Bowden, which shows you just how difficult FIPR's role was going to be: "An educational charity has a responsibility to speak the truth, whether it's pleasant or unpleasant." FIPR was intended to avoid the narrow product focus of corporate laboratory research and retain the traditional freedoms of an academic lab.

My notes also show the following list of topics FIPR intended to research: the regulation of electronic commerce; consumer protection; data protection and privacy; copyright; law enforcement; evidence and archiving; electronic interaction between government, businesses, and individuals; the risks of computer and communications systems; and the extent to which information technologies discriminate against the less advantaged in society. Its first concern was intended to be researching the underpinnings of electronic commerce, including the then recent directive launched for public consultation by the European Commission.

In fact, the biggest issue of FIPR's early years was the crypto wars leading up to and culminating in the passage of the Regulation of Investigatory Powers Act (2000). It's safe to say that RIPA would have been a lot worse without the time and energy Bowden spent listening to Parliamentary debates, decoding consultation papers, and explaining what it all meant to journalists, politicians, civil servants, and anyone else who would listen.

Not that RIPA is a fountain of democratic behavior even as things are. In the last couple of weeks we've seen the perfect example of the kind of creeping functionalism that FIPR and Privacy International warned about at the time: the Poole council using the access rules in RIPA to spy on families to determine whether or not they really lived in the right catchment area for the schools their children attend.

That use of the RIPA rules, Bowden said at at FIPR's half-day anniversary conference last Wednesday, sets a precedent for accessing traffic data for much lower level purposes than the government originally claimed it was collecting the data for. He went on to call the recent suggestion that the government may be considering a giant database, updated in real time, of the nation's communications data "a truly Orwellian nightmare of data mining, all in one place."

Ross Anderson, FIPR's founding and current chair and a well-known security engineer at Cambridge, noted that the same risks adhere to the NHS database. A clinic that owns its own data will tell police asking for the names of all its patients under 16 to go away. "If," said Anderson, "it had all been in the NHS database and they'd gone in to see the manager of BT, would he have been told to go and jump in the river? The mistake engineers make too much is to think only technology matters."

That point was part of a larger one that Anderson made: that hopes that the giant databases under construction will collapse under their own weight are forlorn. Think of developing Hulk-Hogan databases and the algorithms for mining them as an arms race, just like spam and anti-spam. The same principle that holds that today's cryptography, no matter how strong, will eventually be routinely crackable means that today's overload of data will eventually, long after we can remember anything we actually said or did ourselves, be manageable.

The most interesting question is: what of the next ten years? Nigel Hickson, now with the Department of Business, Enterprise, and Regulatory Reform, gave some hints. On the European and international agenda, he listed the returning dominance of the large telephone companies on the excuse that they need to invest in fiber. We will be hearing about quality of service and network neutrality. Watch Brussels on spectrum rights. Watch for large debates on the liability of ISPs. Digital signatures, another battle of the late 1990s, are also back on the agenda, with draft EU proposals to mandate them for the public sector and other services. RFID, the "Internet for things" and the ubiquitous Internet will spark a new round of privacy arguments.

Most fundamentally, said Anderson, we need to think about what it means to live in a world that is ever more connected through evolving socio-technological systems. Government can help when markets fail; though governments themselves seem to fail most notoriously with large projects.

FIPR started by getting engineers, later engineers and economists, to talk through problems. "The next growth point may be engineers and psychologists," he said. "We have to progressively involve more and more people from more and more backgrounds and discussions."

Probably few people feel that their single vote in any given election really makes a difference. Groups like FIPR, PI, No2ID, and ARCH remind us that even a small number of people can have a significant effect. Happy birthday.

The haystack conundrum

Fri, 23 May 2008 14:11:39 +0000

Early this week the news broke that the Home Office wants to create a giant database in which will be stored details of all communications sent in Britain. In other words, instead of data retention, in which ISPs, telephone companies, and other service providers would hang onto communications data for a year or seven in case the Home Office wanted it, everything would stream to a Home Office data center in real time. We'll call it data swallowing.

Those with long memories - who seem few and far between in the national media covering this sort of subject - will remember that in about 1999 or 2000 there was a similar rumor. In the resulting outraged media coverage it was more or less thoroughly denied and nothing had been heard of it since, though privacy advocates continued to suspect that somewhere in the back of a drawer the scheme lurked, dormant, like one of those just-add-water Martians you find in the old Bugs Bunny cartoons. And now here it is again in another leak that the suspicious veteran watcher of Yes, Minister might think was an attempt to test public opinion. The fact that it's been mooted before makes it seem so much more likely that they're actually serious.

This proposal is not only expensive, complicated, slow, and controversial/courageous (Yes, Minister's Fab Four deterrents), but risk-laden, badly conceived, disproportionate, and foolish. Such a database will not catch terrorists, because given the volume of data involved trying to use it to spot any one would-be evil-doer will be the rough equivalent of searching for an iron filing in a haystack the size of a planet. It will, however, make it possible for anyone trawling the database to make any given individual's life thoroughly miserable. That's so disproportionate it's a divide-by-zero error.

The risks ought to be obvious: this is a government that can't keep track of the personal details of 25 million households, which fit on a couple of CDs. Devise all the rules and processes you want, the bigger the database the harder it will be to secure. Besides personal information, the giant communications database would include businesses' communication information, much of likely to be commercially sensitive. It's pretty good going to come up with a proposal that equally offends civil liberties activists and businesses.

In a short summary of the proposed legislation, we find this justification: "Unless the legislation is updated to reflect these changes, the ability of public authorities to carry out their crime prevention and public safety duties and to counter these threats will be undermined."

Sound familiar? It should. It's the exact same justification we heard in the late 1990s for requiring key escrow as part of the nascent Regulation of Investigatory Powers Act. The idea there was that if the use of strong cryptography to protect communications became widespread law enforcement and security services would be unable to read the content of the messages and phone calls they intercepted. This argument was fiercely rejected at the time, and key escrow was eventually dropped in favor of requiring the subjects of investigation to hand over their keys under specified circumstances.

There is much, much less logic to claiming that police can't do their jobs without real-time copies of all communications. Here we have real analogies: postal mail, which has been with us since 1660. Do we require copies of all letters that pass through the post office to be deposited with the security services? Do we require the Royal Mail's automated sorting equipment to log all address data?

Sanity has never intervened in this government's plans to create more and more tools for surveillance. Take CCTV. Recent studies show that despite the millions of pounds spent on deploying thousands of cameras all over the UK, they don't cut crime, and, more important, the images help solve crime in only 3 percent of cases. But you know the response to this news will not be to remove the cameras or stop adding to their number. No, the thinking will be like the scheme I once heard for selling harmless but ineffective alternative medical treatments, in which the answer to all outcomes is more treatment. (Patient gets better - treatment did it. Patient stays the same - treatment has halted the downward course of the disease. Patient gets worse - treatment came too late.)

This week at Computers, Freedom, and Privacy, I heard about the Electronic Privacy Information Center's work on fusion centers, relatively new US government efforts to mine many commercial and public sources of data. EPIC is trying to establish the role of federal agencies in funding and controlling these centers, but it's hard going.

What do these governments imagine they're going to be able to do with all this data? Is the fantasy that agents will be able to sit in a control room somewhere and survey it all on some kind of giant map on which criminals will pop up in red, ready to be caught? They had data before 9/11 and failed to collate and interpret it.

Iron filing; haystack; lack of a really good magnet.

Everything new is old again

Fri, 16 May 2008 16:57:28 +0000

One of the curiosities about the future as portrayed in most movies is its homogeneity. Everyone wears all white or all black, or they all dress the same and live in houses with a minimum of furniture all designed by someone who is apparently anxious not to waste any of the Earth's resources. The bar in Star Wars reminded us that in a universe full of intelligent life there will be lots of different shapes and sizes of aliens sentient enough to drink beer. Terry Gilliam's Brazil and similarly established a much more likely look of the future: a junkyard hodge-podge of old and new technologies and styles. Even the most obsessive fashionistas don't throw out all their belongings every couple of years.

The more subtle point about Gilliam's pictures of the future, however, is that the pieces of old technology distributed throughout - the duct work, the weird old teletypes with their magnified son-of-wing-mirror screens - are what make the movie look futuristic instead of dated. By contrast, the then ultra-modern TV and computer screens are, other than the title, the things that have dated about the movie 2001.

I was reminded of these principles this week while reading David Edgerton's The Shock of the Old, newly out in paperback. In it, Edgerton tries something a bit unusual. Most technology histories, as he says, tell the story of innovations: this is how the airplane was invented and now it's everywhere; this is where the Internet came from. Partly, the idea of human past and future history as an orderly succession of inventions displacing each other in turn, is appealing mythology.

Scott Berkun makes a similar point about ideas in this week's other book, The Myths of Innovation. In it, he notes that the most famous moments of insight - Newton's apple, Aristotle's Eureka - were preceded by decades of hard work that promoters and popular culture prefer to ignore in favor of the better story. And partly, a lot of these histories are written by followers of one particular technology or company, who have an interest in making it seem as important as possible.

A lot of my career has been spent reviewing books like these: biographies of Andy Grove, Steve Jobs, or Carly Fiorina; company histories, pro and con, of IBM, Apple, or Amazon.com; creation tales that follow the development of a single technology or product, like cryptography, pen computing, a new mini-computer, or collaborative software. (Some samples of recent reviews are here.) This sort of book is interesting (particularly the latter group, which includes Steven Levy's Crypto, Jerry Kaplan's Go, Tracy Kidder's The Soul of the Machine, and Scott Rosenberg's Dreaming in Code), but they rarely place any of their central subjects into a wider context.

Edgerton, on the other hand, attempts to organize his history by use. This can, of course, lead to some difficult comparisons. Which had more impact on human history, the computer or the screwdriver? Computers have all the publicists, of course, but over time they may, as Donald A. Norman predicted in The Invisible Computer, to become both ubiquitous and ordinary, just part of the landscape's back office. Like electric motors,

Part of Edgerton's point is that quite often when a technology seems to change the world - say, the Pill - it isn't really new. Birth control was available before, in the form of the condom, and given that the condom can prevent disease and the Pill can't, what was the fuss all about? This is one of only a few times that Edgerton just plain missed the point: the huge change the Pill brought was to put women in control of their fertility.

Why do we keep falling for sexy new technologies? Because, as Bruce Sterling writes in his review of Edgerton's book, human hope springs eternal, and every innovation seems like the very one to fulfill all the dreams we've had all along. Those dreams have changed remarkably little in the last century; electricity, radio, telegraphy, computers, television, the Internet were all supposed to bring a new era of democracy, peace, equality, and education.

Even more mundane details don't seem to have changed that much: Popular Mechanics' idea of the smart home in 1939 doesn't sound much different from today's. Nearly 70 years later, we can say the technology is almost there to do most of what they had in mind. (Although the use of mood-altering colors arguably reached its peak in about 1968.)

Future hype has quieted down some since the early days of the Internet, when a host of commentators including French economist and scholar Jacques Attali, Wired founder Louis Rossetto, and hyperbolist John Perry Barlow all compared its importance favorably to the discovery of fire. But as nanotechnology begins to seep - or perhaps goo - into the mainstream, we're beginning to hear the same things again. At last summer's Center for Responsible Technology conference predictions were that molecular manufacturing would bring wealth for all, permanent prosperity, and all without having to work for a living.

I sense that shortly a new technology will be needed to pin our hopes on. For sale: one future, slightly used.

Swings and roundabouts

Fri, 09 May 2008 13:06:55 +0000

There was a wonderful cartoon that cycled frequently around computer science departments in the pre-Internet 1970s - I still have my paper copy - that graphically illustrated the process by which IT systems get specified, designed, and built, and showed precisely why and how far they failed the user's inner image of what it was going to be. There is a scan here. The senior analyst wanted to make sure no one could possibly get hurt; the sponsor wanted a pretty design; the programmers, confused by contradictory input, wrote something that didn't work; and the installation was hideously broken.

Translate this into the UK's national ID card. Consumers, Sir James Crosby wrote in March (PDF)want identity assurance. That is, they - or rather, we - want to know that we're dealing with our real bank rather than a fraud. We want to know that the thief rooting through our garbage can't use any details he finds on discarded utility bills to impersonate us, change our address with our bank, clean out our accounts, and take out 23 new credit cards in our name before embarking on a wild spending spree leaving us to foot the bill. And we want to know that if all that ghastliness happens to us we will have an accessible and manageable way to fix it.

We want to swing lazily on the old tire and enjoy the view.

We are the users with the seemingly simple but in reality unobtainable fantasy.

The government, however - the project sponsor - wants the three-tiered design that barely works because of all the additional elements in the design but looks incredibly impressive. ("Be the envy of other major governments," I feel sure the project brochure says.) In the government's view, they are the users and we are the database objects.

Crosby nails this gap when he draws the distinction between ID assurance and ID management:

The expression 'ID management' suggests data sharing and database consolidation, concepts which principally serve the interests of the owner of the database, for example, the Government or the banks. Whereas we think of "ID assurance" as a consumer-led concept, a process that meets an important consumer need without necessarily providing any spin-off benefits to the owner of any database.
This distinction is fundamental. An ID system built primarily to deliver high levels of assurance for consumers and to command their trust has little in common with one inspired mainly by the ambitions of its owner. In the case of the former, consumers will extend use both across the population and in terms of applications such as travel and banking. While almost inevitably the opposite is true for systems principally designed to save costs and to transfer or share data.

As writer and software engineer Ellen Ullman wrote in her book Close to the Machine, databases infect their owners, who may start with good intentions but are ineluctibly drawn to surveillance.

So far, the government pushing the ID card seems to believe that it can impose anything it likes and if it means the tree collapses with the user on the swing, well, that's something that can be ironed out later. Crosby, however, points out that for the scheme to achieve any of the government's national security goals it must get mass take-up. "Thus," he writes, "even the achievement of security objectives relies on consumers' active participation."

This week, a similarly damning assessment of the scheme was released by the Independent Scheme Assurance Panel (PDF) (you may find it easier to read this clean translation - scroll down to policywatcher's May 8 posting). The gist: the government is completely incompetent at handling data, and creating massive databases will, as a result, destroy public trust in it and all its systems.

Of course, the government is in a position to compel registration, as it's begun doing with groups who can't argue back, like foreigners, and proposes doing for employees in "sensitive roles or locations, such as airports". But one of the key indicators of how little its scheme has to do with the actual needs and desires of the public is the list of questions it's asking in the current consultation on ID cards, which focus almost entirely on how to get people to love, or at least apply for, the card. To be sure, the consultation document pays lip service to accepting comments on any ID card-related topic, but the consultation is specifically about the "delivery scheme".

This is the kind of consultation where we're really damned if we do and damned if we don't. Submit comments on, for example, how best to "encourage" young people to sign up ("Views are invited particularly from young people on the best way of rolling out identity cards to them") without saying how little you like the government asking how best to market its unloved policy to vulnerable groups and when the responses are eventually released the government can say there are now no objectors to the scheme. Submit comments to the effect that the whole National Identity scheme is poorly conceived and inappropriate, and anything else you say is likely to be ignored on the grounds that they've heard all that and it's irrelevant to the present consultation. Comments are due by June 30.

Bet and sue

Fri, 02 May 2008 12:10:43 +0000

Most net.wars are not new. Today's debates about free speech and censorship, copyright and control, nationality and disappearing borders were all presaged by the same discussions in the 1980s even as the Internet protocols were being invented. The rare exception: online gambling. Certainly, there were debates about whether states should regulate gambling, but a quick Usenet search does not seem to throw up any discussions about the impact the Internet was going to have on this particular pastime. Just sex, drugs, and rock 'n' roll.

The story started in March, when the French Tennis Federation (FFT - Fédération Française de Tennis) filed suit in Belgium against Betfair, Bwin, and Ladbrokes to prevent them from accepting bets on matches played at the upcoming French Open tennis championships, which start on May 25. The FFT's arguments are rather peculiar: that online betting stains the French Open's reputation; that only the FFT has the right to exploit the French Open; that the online betting companies are parasites using the French Open to make money; and that online betting corrupts the sport. Bwin countersued for slander.

On Tuesday of this week, the Liège court ruled comprehensively against the FFT and awarded the betting companies costs.

The FFT will still, of course, control the things it can: fans will be banned from using laptops and mobile phones in the stands. The convergence of wireless telephony, smart phones, and online sites means that in the second or two between the end of a point and the electronic scoreboard updating, there's a tiny window in which people could bet on a sure thing. Why this slightly improbable scenario concerns the FFT isn't clear; that's a problem for the betting companies. What should concern the FFT is ensuring a lack of corruption within the sport. That means the players and their entourages.

The latter issue has been a touchy subject in the tennis world ever since last August, when Russian player Nikolay Davydenko, currently fourth in the world rankings, retired in the third and final set of a match in Poland against 87th ranked Marin Vassallo Arguello, citing a foot injury. Davydenko was accused of match-fixing; the investigation still drags on. In the resulting publicity, several other players admitted being approached to fix matches. As part of subsequent rule-tightening by the Association of Tennis Professionals, the governing body of men's professional tennis, three Italian players were suspended briefly late last year for betting on other players' matches.

Probably the most surprising thing is that tennis, along with soccer and horse racing, is actually among the most popular sports for betting. A minority sport like tennis? Yet according to USA Today, the 2007 Paris Masters event saw $750 million to $1.5 billion in bets. I can only assume that the inverted pyramid of matches every week involving individual players fits well with what bettors like to do.

Fixing matches seems even more unlikely. The best payouts come from correctly picking upsets, the bigger the better. But top players are highly unlikely to throw matches to order. Most of them play a relatively modest number of events (Davydenko is admittedly the exception) and need all the match wins and points from those events to sustain their rankings. Plus, they're just too damn rich.

In 2007, Roger Federer, the ultra-dominant number one player since the end of 2003, earned upwards of $10 million in prize money alone; Davydenko picked up over $2 million (and has already won another $1 million in 2008). All of the top 12 earned over $1 million. Add in endorsements, and even after you subtract agents' fees, tax, and travel costs for self and entourage, you're still looking at wealthy guys. They might tank matches at events where they're being paid appearance fees (which are legal on the men's tour at all but the top 14 events, but proving they've done so is exceptionally difficult. Fixing matches, which could cost them in lost endorsements on top of the tour's own sanctions, surely can't be worth it.

There are several ironies about the FFT's action. First of all (something most of the journalists covering this story don't mention, probably because they don't spend a lot of time watching tennis on TV), Bwin has been an important advertiser sponsoring tennis on Eurosport. It's absolutely typical of the counter-productive and intricately incestuous politics that characterize the tennis world that one part of the sport would sue someone who pays money into another part of the sport.

Second of all, as Betfair and Bwin pointed out, all three of these companies are highly regulated European licensed operations. Ruling them out of action would mean shift online betting to less well regulated offshore companies. They also pointed out the absurdity of the parasites claim: how could they accept bets on an event without using its name? Betfair in particular documented its careful agreements with tennis's many governing bodies.

Third of all, the only reason match-fixing is an issue in the tennis world right now is that Betfair spotted some unusual betting patterns during that Polish Davydenko match, cancelled all the bets, and went public with the news. Without that, Davydenko would have avoided the fight over his family's phone records. Come to think of it, making the issue public probably explains the FFT's behavior: it's revenge.

The shape of the mushroom

Fri, 25 Apr 2008 23:34:15 +0000

The digital universe is big. Really big. You just can't believe how mind-bogglingly big... Oh, never mind.

There's nothing like a good the-sky-is-falling scenario to get a one-day conference awake, and today at the LSE was no exception.

"It's a catastrophe waiting to happen," said Leslie Willcocks, the head of the Information Systems and Innovation Group at the LSE, putting up a chart. What it showed: the typical data center's use of energy and processing power. Only 1.5 percent of the total energy usage powers processing; 80 percent of CPU is idle. Well. They weren't built to be efficient. They were built to be reliable.

But Willcocks wasn't gearing up to save the planet. Instead, his point was that all this wastage reflects a fetish for connectedness: "The assumption is you have to have reliable information on tap at all times." (Cue Humphrey Appleby: "I need to know everything. How else can I judge whether I need to know it?") Technology design, he argued, is being driven by the explosion in data. The US's 28 million servers today represent 2.5 percent of the US's electricity needs; in 2010 that will be 43 million. This massively inefficient use of energy is trying to fix what he called a far bigger problem: the "data explosion". And, concurrently, the inability to manage same.

In 2007, John Gantz, chief research officer at IDC, said, for the first time in human history the amount of information being created was larger than the amount of storage available. That sounds alarming at first, like the moment you contemplate the mortgage you're thinking of taking out to buy a house and realize that it is larger than the sum of all your financial assets. At second glance, the situation isn't quite so bad.

For one thing, a lot of information is transient. We aren't required to keep a copy of every TV signal - otherwise, imagine the number of copies we'd add every Christmas just for rebroadcasts of It's a Wonderful Life. But once you've added in the impact of regulatory compliance and legal requirements, along with good IT practice, consider the digital footprint of a single email message with a 1Mb attachment. By the time it's done being backed up, sent to four recipients, backed up, and sent to tape at both sending and receiving organizations it's consuming over 51.5Mb of storage.
And things are only going to get exponentially worse between now and 2011. The digital universe will grow by an order of magnitude in five years, from about 177EB in 2006 to 1,773EB in 2011. More than 90 percent of it is unstructured information. Even more alarming for businesses is that while individual consumers account for about 70 percent of the information created, enterprises have responsibility or liability for about 85 percent of it. Think Google buying YouTube and taking on its copyright liability, or NASA's problem with its astronauts' email.

"The information bomb has already happened," said Gantz. "I'm just describing the shape of the mushroom."
To be sure, video amps up the data flows. But it's not the most important issue. Take, for example, the electronification of the NHS. Discarding paper in favor of electronics saves one kind of space - there's a hospital in Bangkok that claims to have been able to open a whole new pediatric wing in the space saved by digitizing its radiography department - but consumes another. All those electronic patient records will have to be stored, backed up and stored and backed up again in each new location they're sent to. Say it all over again with MP3s, electronic patient records, digital radio, VOIP, games, telematics, toys...

No wonder we're all so tired.

And the problem the NHS is solving with barcoding - that people cannot find what they already have - is not so easily solved with information.

Azeem Azhar, seven months away from a job as head of innovation at Reuters, said that one thing he'd learned was that every good idea he had - had already been had by someone else in the organization at some point. As social networks enable people to focus less on documents than on expertise, he suggested, we may finally find a way around that problem.

The great thing about a conference like this is that for every solution someone can find a problem. The British Library, for example, is full of people who ought to know what to keep; that's what librarians do. But the British Library has its roots in an era when it could arrogantly assume it had the resources to keep everything. Ha. Though you sympathized with the trouble they have explaining stuff when an audience member asked why, given that the British Library has made digital copies, it should bother to keep the original, physical Magna Carta.

That question indicates a kind of data madness; the information we derive from studying the physical Magna Carta can't all be digitized. If looking at the digital simulacrum evokes wonder, it's precisely because we know that it is an image - a digital shadow - of the real thing. If the real thing ceases to exist, the shadow grows less meaningful.

But what starts in America usually winds up here a few years later, and this week, the CEO of Virgin Media, Neil Berkett, threatened that video providers who don't pay for faster service may find their traffic being delivered in slow "bus lanes". Network neutrality, he said, was "a load of bollocks".

His PR people recanted - er, clarified a day or two later. We find it hard to see how a comment as direct as "a load of bollocks" could be taken out of context. However. Let's say he was briefly possessed by the spirt of Whitacre, who most certainly meant what he said.

The recharacterization of Berkett's comments: the company isn't really going to deliberately slow down YouTube and the BBC's iPlayer. Instead, it "could offer content providers deals to upgrade their provisioning." I thought this sounded like the wheeze where you're not charged more for using a credit card, you're given a discount for paying cash. But no: what they say they have in mind is direct peering, in which no money changes hands, which they admit could be viewed as a "non-neutral" solution.

But, says Keith Mitchell, a fellow member of the Open Rights Group advisory board, "They are in for a swift education in the way the global transit/peering market works if they try this." Virgin seems huge in the context of the UK, where its ownership of the former ntl/Telewest combine gives it a lock on the consumer cable market - but in the overall scheme of things it's "a very small fish in the pond compared to the Tier 1 transit providers, and the idea that they can buck this model single-handedly is laughable."

Worse, he says, "If Virgin attempts to cost recover for interconnects off content providers on anything other than a sender-keeps-all/non-settlement basis, they'll quickly find themselves in competition with the transit providers, whose significantly larger economies of scale put them in a position to provide a rather cheaper path from the content providers."

What fun. In other words, if you're, say, the BBC, and you're faced with paying extra in some form to get your content out to the Net you'd choose to pay the big trucking company with access to all the best and fastest roads and the international infrastructure rather than the man-with-a-van who roams your local neighborhood.

ISPs versus the iPlayer seems likely to run and run. It's clear, for example, that streaming is growing at a hefty clip. Obviously, within the UK the iPlayer is the biggest single contributor to this; viewers are watching a million programs a week online, sopping up 3 to 5 percent of all Internet traffic in Britain.

We've seen exactly this sort of argument before: file-sharing (music, not video!), online gaming, binary Usenet newsgroups. Why (ancient creaking voice) I remember when the big threat was the advent of the graphical Web, which nearly did kill the Net (/ancient creaking voice). The difference this time is that there is a single organization with nice, deep, taxpayer-funded pockets to dig into. Unlike the voracious spider that was Usenet, the centipede that is file-sharing, or the millipedes who were putting up Web sites, YouTube and the BBC make up an easily manageable number of easily distinguished targets for a protection racket. At the same time, the consolidation of the consumer broadband market from hundreds of dial-up providers into a few very large broadband providers means competition is increasingly mythical.

But the iPlayer is only one small piece of the puzzle. Over the next few years we're going to see many more organizations offering streaming video across the Net. For example, a few weeks ago I signed up for an annual pass for the streaming TV service for the nine biggest men's tennis tournaments of the year. The economics make sense: $70 a year versus £20 a month for Sky Sports - and I have no interest in any of Sky's other offerings - or pay nothing and "watch" really terrible low-resolution video over a free Chinese player offering rebroadcasts of uncertain legality.

The real problem, as several industry insiders have said to me lately, is pricing. "You have a product," said one incredulously, "that people want more and more of, and you can't make any money selling it?" When companies like O2 are offering broadband for £7.50 a month as a loss-leading add-on to mobile phone connections, consumers don't see why they should pay any more than that. Jerky streaming might be just the motivator to fix that.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

My IP address, my self

Fri, 11 Apr 2008 15:03:44 +0000

Some years back when I was writing about the data protection directive, Simon Davies, director of Privacy International, predicted a trade war between the US and Europe over privacy laws. It didn't happen, or at least it hasn't happened yet.

The key element to this prediction was the rule in the EU's data protection laws that prohibited sending data on for processing to countries whose legal regimes aren't as protective as those of the EU. Of course, since then we've seen the EU sell out on supplying airline passenger data to the US. Even so, this week the Article 29 Data Protection Working Party made recommendations about how search engines save and process personal data that could drive another wedge between the US and Europe.

The Article 29 group is one of those arcane EU phenomena that you probably don't know much about unless you're a privacy advocate or paid to find out. The short version: it's a sort of think tank of data protection commissioners from all over Europe. The UK's Information Commissioner, Richard Thomas, is a member, as are his equivalents in countries from France to Lithuania.

The Working Party (as it calls itself) advises and recommends policies based on the data protection principles enshrined in the EU Data Protection Directive. It cannot make law, but both its advice to the European Commission and the Commission's action (or lack thereof) are publicly reported. It's arguable that in a country like the UK, where the Information Commissioner operates with few legal teeth to bite with, the existence of such a group may help strengthen the Commissioner's hand.

(Few legal teeth, at least in respect of government activities: the Information Commissioner has issued an opinion about Phorm indicating that the service must be opt-in only. As Phorm and the ISPs involved are private companies, if they persisted with a service that contravened data protection law, the Information Commissioner could issue legal sanctions. But while the Information Commissioner can, for example, rule that for an ISP to retain users' traffic data for seven years is disproportionate, if the government passes a law saying the ISP must do so then within the UK's legal system the Information Commissioner can do nothing about it. Similarly, the Information Commissioner can say, as he has, that he is "concerned" about the extent of the information the government proposes to collect and keep on every British resident, but he can't actually stop the system from being built.)

The group's key recommendation: search engines should not keep personally identifiable search histories for longer than six months, and it specifically includes search engines whose headquarters are based outside the EU. The group does not say which search engines it studied, but it was reported to be studying Google as long ago as last May. The report doesn't look at requirements to keep traffic data under the Data Retention Directive, as it does not apply to search engines.

Google's shortening the life of its cookies and anonymizing its search history logs after 18 months turns out to have a significance I didn't appreciate when, at the time, I dismissed it as insultingly trivial (which it was): it showed the Article 29 working group that the company doesn't really need to keep all that data for so long. In

One of the key items the Article 29 group had to decide in writing its report on data protection issues related to search engines (PDF) is this: are IP addresses personal information? It sounds like one of those bits of medieval sophistry, like asking how many angels can dance on the head of a pin. In the dial-up days, it might not have mattered, at least in Britain, where local phone charges forced limited usage, so users were assigned a different IP address every time they logged in. But in the world of broadband, where even the supposedly dynamic IP addresses issued by cable suppliers may remain with a single subscriber for years on end. Being able to track your IP address's activities is increasingly like being able to track your library card, your credit card, and your mobile phone all at the same time. Fortunately, the average ISP doesn't have the time to be that interested in most of its users.

The fact is that any single piece of information that identifies your activities over a long period and can be mapped to your real-life identity has to be considered personal information or the data protection laws make no sense. The libertarian view, of course, would be that there are other search engines. You do not actually have to use Google, Gmail, or even YouTube. But if all search engines adopted Google's habits the choice would be more apparent than real. Time was when the US was the world's policeman. With respect to data, it seems that the EU has taken on this role. It will be interesting to see whether this decision has any impact on Google's business model and practices. If it does, that trade war could finally be upon us. If not, then Google was building up a vast data store just because we can.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Million-dollar baby

Fri, 04 Apr 2008 13:05:22 +0000

The first time I saw James Randi he was hauling a load of fresh chicken guts out of a guy's stomach.

Of course, in my eagerness to make it sound like a good story I've jazzed that up a bit. The chicken guts were real and the guy's stomach was real (he was an innocent audience member who'd been recruited for the purpose of demonstration), but the pull-outage was clever sleight-of-hand. The year was 1982 and the occasion was a lecture demonstration at Cornell University. The point was demonstrating how "psychic surgeons" achieve their effects.

The next time I'll see James Randi is on April 19, when he's giving a talk at Conway Hall, in London. I don't think chicken guts will be involved, though a number of other prominent skeptics will also be speaking and you just never know.

It was Randi's ability to demonstrate plausible explanations for the apparently inexplicable that blew me away on that particular day. A lot of people like to claim that skeptics are closed-minded, but in fact it seems to me that the key to skepticism is tolerance of uncertainty and patience. A skeptic sitting in an empty house and hearing inexplicable creaking thinks, "I wonder what that is." A believer thinks, "Must be a ghost." Randi never claimed to be able to explain everything, but he went a long way toward showing me that things that friends thought must be inexplicable might still have natural explanations if you had the patience to wait to find out what they were and the right kind of mind to. A lie goes round the world while the truth is still putting its boots on; it takes seconds to claim something's paranormal but years of research to find out the truth.

One of the sad things about science these days is that so many disciplines require so much expensive equipment and funding that it's hard for an amateur to make much of a contribution. There are, to be sure, exceptions: some friends on Crete were successful in finding the nests of griffin vultures and did a lot of work keeping count, and anyone can look for fossils and hope to fill in a gap in the record. But few can afford their own radio telescope, particle collider, or climate modelling supercomputer. Randi showed that amateurs with a particular bent - a knowledge of stage magic and deception - were more effective at assessing paranormal claims than many scientists.

None of this would qualify Randi as a subject for net.wars except that recently he's been the subject of Usenet spam. Most people who do not participate in Usenet are under the impression that all newsgroups drowned under email levels of spam long ago. But in fact until the last month, when the Chinese apparently discovered Usenet, spam levels have been negligible for quite a few years now. Once Web boards, blogs, and social networks got going Usenet became even more of a minority pastime than it was in its heyday. Spamming Usenet doesn't cost much, but why bother when the audience is relatively tiny?

But people who want to boast that they've bested James Randi apparently want to lump themselves in with ads for cheap knockoffs of Nike shoes, Breitling watches, and Prada handbags. And so a version of this message began popping up randomly. It is, of course, all over the Net by now, and there's not a lot anyone can do other than debunk it and hope someone notices.
To deal with the most trivial bit, the bit that asks if James Randi is "even a real name". Well, it's not the name Randi was born with, although it's a modification of his first and middle names. But he's been using it consistently for something over 50 years, and it is his legal name. So it's real enough for all intents and purposes.

The million-dollar challenge was a relative newcomer that had its origins in a similar $10,000 challenge that Randi had going for more than 30 years. The increased money made the challenge a much juicier story, of course. But as this rational game theoryish analysis of the challenge makes clear, the challenge was only ever likely to attract the deluded. As I understand it, the mailbag got ridiculous in both size and content. There's plenty of evidence for that; the apparent basis of the claim that Randi was beaten is impenetrable. It is true, though, that until the beginning of this year the challenge rules stated that the prize would continue to be offered until it was awarded, including after Randi's death. Now, it ends March 6, 2010. (Get your claim in now!)

The end of the challenge is the end of an era for skeptics. For years, if any paranormal claimant was particularly insistent that he could dowse for oil or read minds we could say, "If you're so psychic, why ain't you taking Randi's challenge?" Now, my god - we're going to have to think of new stuff to say.

Meantime, come watch Randi in person and find out about the kinds of tests he's been doing all these years.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Leaving Las Vegas

Fri, 28 Mar 2008 15:17:59 +0000

Las Vegas shouldn't exist. Who drops a sprawling display of electric lights with huge fountains and luxury hotels that into the best desert scenery on the planet during an energy crisis? Indoors, it's Britain in mid-winter; outdoors you're standing in a giant exhaust fan. The out-of-proportion scale means that everything is four times as far away as you think, including the jackpot you're not going to win at one of its casinos. It's a great place to visit if you enjoy wallowing in self-righteous disapproval.

This all makes it the stuff of song, story, and legend and explains why Jeff Jonas's presentation at etech was packed.

The way Jonas tells it in his blog and at his presentation, he got into the gaming industry by driving through Las Vegas in 1989 idly wondering what was going on behind the scenes at the casinos. A year later he got the tiny beginnings of an answer when he picked up a used couch he'd found in the newspaper classified ads (boy, that dates it, doesn't it?) and found that its former owner played blackjack "for a living". Jonas began consulting to the gaming industry in 1991, helping to open Treasure Island, Bellagio, and Wynn.

"Possibly half the casinos in the world use technology we created," he said at etech.

Gaming revenues are now less than half of total revenues, he said, and despite the apparent financial win they might represent problem gamblers are in fact bad for business. The goal is for people to have fun. And because of that, he said, a place like the Bellagio is "optimized for consumer experience over interference. They don't want to spend money on surveillance."

Jonas began with a slide listing some common ideas about how Las Vegas works, culled from movies like Ocean's 11 and the TV show Las Vegas. Does the Bellagio have a vault? (No.) Do casinos perform background checks on guests based on public records? (No.) Is there a gaming industry watch list you can put yourself on but not take yourself off? (Yes, for people who know they have a gambling addiction.) Do casinos deliberately hire ex-felons? (Yes, to rehabilitate them.) Do they really send private jets for high rollers? (Cue story.)

There was, he said, a casino high roller who had won some $18 million. A win like that is going to show up in a casino's quarterly earnings. So, yes, they sent a private jet to his town and parked a limo in front of his house for the weekend. If you've got the bug, we're here for you, that kind of thing. He took the bait, and lost $22 million.

Do they help you create cover stories? (Yes.) "What happens in Vegas stays in Vegas" is an important part of ensuring that people can have fun that does not come back to bite them when they go home. The casinos' problem is with identity, not disguises, because they are required by anti-money laundering rules to report it any time someone crosses the $10,000 threshold for cash transactions. So if you play at several different tables, then go upstairs and change disguises, and come back and play some more, they have to be able to track you through all that. ID, therefore, is extremely important. Disguises are welcome; fake ID is not.

Do they use facial recognition to monitor the doors to spot cheaters on arrival? (Well...)

Of course technology-that-is-indistinguishable-from-magic-because-it-actually-is-magic appears on every crime-solving TV show these days. You know, the stuff where Our Heroes start with a fuzzy CCTV image and they punch in on a tiny piece of it and blow it up. And then someone says, "Can you enhance that?" and someone else says, "Oh, yes, we have new software," and a second later a line goes down the picture filling in detail. And a second after that you can read the brand on the face of a wrist watch (Numb3rs or the manufacturer's coding on a couple of pills (Las Vegas. Or they have a perfect matching system that can take a partial fingerprint lifted off a strand of hair or something and bang! the database can find not only the person's identity but their current home address and phone number (Bones). And who can ever forget the first episode of 24, when Jack Bauer, alarmed at the disappearance of his daughter, tosses his phone number to an underling and barks, "Find me all the Internet passwords associated with this phone number."

And yet...a surprising number of what ought to be the technically best-educated audience on the planet thought facial recognition was in operation to catch cheaters. Folks, it doesn't work in airports, either.

Which is the most interesting thing Jonas said: he now works for IBM (which bought his company) on privacy and civil liberties issues, including work on software to help the US government spot terrorists without invading privacy. It's an interesting concept, partly because security at airports and other locations is now so invasive. But also because if Las Vegas can find a way to deploy surveillance such that only the egregious problems are caught and everyone else just has a good time...why can't governments?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).