January 15, 2015

Why Western Governments Want to Destroy Computer Security -- and Your Security Along the Way

It's always illuminating when the longtime enemies of security and free speech come out from the shadows, making their intentions and sensibilities crystal clear for all to see and understand.

Nope, I'm not talking about terrorists of whatever stripes -- we've always known how criminal scum like that thinks and how they desire to remake the world in the image of their tiny minds and 13th century mindsets.

Nor am I speaking of Putin, Kim Jong-un, Ali Khamenei, Xi Jinping, or the like -- the iron fist with which these leaders desire to control speech and suppress domestic dissent is all too obvious even at a glance.

No. I'm painfully forced to note the new threat matrix aimed squarely at shedding our free speech and security rights that is spewing squarely from Western governments -- from the U.S., U.K, and across the length and breadth of Europe.

It's tempting to suggest that this renewed push to strip us of these fundamental rights was triggered by the recent devastating terrorist attack in Paris -- but that horrendous event serves only as an excuse for a long simmering, long sought crackdown on Internet speech and security that has been smoldering for ages.

Going all the way back to 1993 and the fiasco of the proposed U.S. "Clipper Chip" reveals the U.S. intelligence community's fear of strong cryptography. And today, the EU's enthusiastic embrace of the nightmarish "Right to Be Forgotten" concept, and their push to apply that EU censorship system across the entire world, gives us clues to European motives along these lines.

So for anyone really paying close attention to these matters, the dots were already pretty much in place, certainly sufficiently so that the latest proposals from Western leaders shouldn't come as any kind of significant surprise.

And those repulsive proposals have been arriving hot and heavy over the last few days.

President Obama is reportedly to offer a vast expansion of criminal penalties for "computer hacking" broadly defined, and as part of that legislative package also to vastly expand the definition of hacking in the process.

If you thought the late Aaron Swartz really had the book thrown at him by DOJ, the new proposals would likely make that look like a paperback novel compared with a wall of ancient encyclopedias dumped on the heads of future defendants.

The details we've heard so far reportedly suggest that at the discretion of prosecutors, merely clicking the wrong link on a public site, or conducting perfectly legitimate cybersecurity research, could net you being shackled in a federal cell for a decade or more.

But it gets worse.

Western leaders, led by David Cameron of the UK, appear poised to demand that all Internet communications be subject to data retention and monitoring by governments, and that no applications be permitted to deploy encryption that the government could not disable or defeat on demand. Prime Minister Cameron has said this explicitly of late, and is seeking support from other European leaders and President Obama for this disastrous concept.

Let's be crystal clear about this. While the initial discussion might revolve around instant messaging apps, it's obvious that the logical and inevitable extension of this concept is to require the undermining of all Internet encryption. Email. PGP. SSL/TLS. The works.

And what you can't backdoor or otherwise undermine you simply outlaw, with criminal penalties draconian enough to scare off all but the most dedicated or masochistic of free speech and security activists.

The word "security" is critical here, because while these leaders are claiming that such proposals would enhance security to "protect us from the terrorists" -- in reality the proposed decimation of the foundational structures of cryptographic systems would put all of us -- our personal information, our power systems, our industrial facilities, and so many other aspects of our lives -- at the mercy of cyberattacks newly enabled by such weakened and so inevitability exploitable encryption ecosystems.

Without any exaggeration, this may easily be the most serious threat to Internet security -- and so to the entire global community that now depends on the Internet for so many facets of our lives -- since the first ARPANET messages clattered over a teletype at UCLA decades ago.

Legitimate and measured means to fight against the scourge of terrorism are essential. But those do not include trying to convert the secure communications of law abiding citizens -- billions of them -- into "tap on demand" portals for government snoops, no matter how ostensibly laudable or graphically terrifying those officials attempt to frame their arguments.

We've all come to expect the "government owns your communications" propaganda from Putin and his ilk.

To hear the same sort of twisted reasoning -- no matter how candy coated or sprinkled with excuses -- flinging forth from our Western leaders is disheartening in the extreme, and must not be accepted without vigorous challenge, debate, and due consideration for the enormous damage such proposals could easily wreak on us all.

I am a consultant to Google -- I speak only for myself, not for them.

Posted by Lauren at 02:25 PM | Permalink

January 08, 2015

The Charlie Hebdo Assassinations, Free Speech, and The Right To Be Forgotten

You can watch and hear it spreading virally around the world -- a chant of defiance against evil: "Je Suis Charlie" - "I am Charlie" -- crowds, signs, hashtags -- it's everywhere, and it deserves to be.

And in the wake of the hideous mass assassinations at the offices of Charlie Hebdo in Paris, suddenly France, Europe, and the rest of the world are very suddenly very enthusiastic indeed about free speech.

Lest there be any confusion about the matter, free speech -- even obnoxious, ridiculing speech -- even speech that sometimes is immensely disturbing and painful to innocent parties, is a fundamental aspect of this phenomenon. For provocation via free speech was Charlie's stock in trade, and the proud avocation of its murdered staff.

They had been physically attacked before. At least one now senior staff member -- killed in this attack -- reportedly had continuous police protection. Recorded employee interviews display clearly not only that Charlie's writers and cartoonists understood how offensive and disturbing much of their publication was to many persons, but also that they were fully cognizant of how potentially dangerous to themselves this could be. They routinely rejected outside suggestions, even by world leaders such as President Obama, that in some cases they were exacerbating problems rather than helping to solve them. For indeed, the freedom to say something doesn't necessarily mean that it's always appropriate to actually say it.

But except in a relatively minuscule number of situations where immediate, direct physical risk to individuals or property are involved, we must hold the right to free speech as inviolate, as one of the most fundamental of human rights.

For when speech is censored or otherwise controlled by governments, we lose access to the fundamental raw material -- information -- by which we can determine what's really going on around us affecting the lives of ourselves, our colleagues, and our loved ones.

It is entirely appropriate in the wake of the Paris horror that we also now hear people around the world quoting Evelyn Beatrice Hall's famous illustrative line from her 1906 biography of French writer, historian, and philosopher François-Marie Arouet -- Voltaire -- "I disapprove of what you say, but I will defend to the death your right to say it."

So it is notably ironic indeed that it's from Europe itself that the single most dangerous and potentially damaging anti-free speech abomination has spewed forth -- the EU's notorious "Right To Be Forgotten" (RTBF), since the very concept of RTBF -- which the EU is now proposing be applied as a global censorship mechanism against Google and other websites -- is utterly and absolutely in conflict with the entire basis of free speech.

Even if for the sake of the argument we momentarily ignore the slippery slope nightmare of RTBF-type laws in the hands of evil leaders and others whose goals are to cleanse history of search results of which they don't approve or appreciate, the foundational idea of RTBF, the false belief that it is possible to slice and dice and micromanage free speech without destroying it, is utterly specious and immensely dangerous.

If we are to stand as a world in support of free speech in the vein of the murdered patriots of Charlie Hebdo, we must also stand united against the gross hypocrisies represented by The Right To Be Forgotten and similar concepts around the world.

To do less would be to dishonor the many brave persons who have died in the name of free speech -- not only in Paris this week, but throughout history.

We are all Charlie. And we are all the Internet.

And free speech must remain truly free.

Take care, all.

I am a consultant to Google. I speak only for myself, not for them.

Posted by Lauren at 09:15 AM | Permalink

December 24, 2014

To President Obama, Sony Pictures, and The World on this Christmas Eve

Once upon a time -- not so very long ago, because I can remember it quite clearly myself -- it was traditional to release films and shows for Christmas Day that celebrated the underlying message of peace and hope inherent in Christmas -- a message I believe we can all appreciate regardless of our religious affiliations, religious beliefs, or lack thereof. It's not often that I quote the New Testament or any religious works, but buried down in John 8:7 a key personage is quoted as making a rather profound statement about he who is without sin casting the first stone. And for Christmas, I would assert that this concept especially applies.

Anyone who truly believes that the celebration of a trash, adolescent "comedy" focused on assassinating the current (yes, dictatorial, murdering, evil, vile) leader of North Korea is likely to do anything other than make matters worse for the oppressed populations there -- well, you're living in the nightmare twin of Fantasyland.

And while none of us would celebrate the mess that the Sony hack has created for their innocent employees and ex-employees, it is also a fact that Sony's longstanding abysmal computer security practices left them wide open for such an attack -- regardless of whoever actually launched it (and a wide variety of technical observers, including myself, are highly skeptical that it was actually North Korea, despite convenient U.S. federal government claims).

So I for one am unwilling to reward Sony for an awful film concept -- I'd categorize any film that tried to make light of killing an actual, living human being that way (no matter how awful that person might be).

It is also the case that documents revealed in that hack -- there's no way to ignore them or get them back into the bottle -- have revealed Sony's complicity in an underground effort to effectively seize control of Internet freedom of communications, in furtherance of protecting their own perceived intellectual property rights -- collateral damage to everyone else be damned! Yet another reason not to reward or celebrate Sony.

So I have a modest suggestion. Instead of paying to see The Interview when Sony launches its limited debut on Christmas Day, head over to:


There you will find (at least for now) the entire, uncut, wonderful 1962 presentation of Mr. Magoo's Christmas Carol. I've discussed this marvel in other venues in the past, but for now I'll simply note that this adaptation of Charles Dickens' A Christmas Carol still rates among the most popular versions, all these decades later. The songs being written by the Broadway team of Jule Styne and Bob Merrill, who shortly thereafter collaborated on Funny Girl -- are no small part of its magic.

My original more extended comments about this program are at this 2011 G+ posting (the video clip linked to that posting appears to no longer be fully intact):


So please. We all know that North Korea is probably the most horrible place to live on Planet Earth. But don't reward Sony for this awful mess that they themselves enabled through their own unforced errors.

I fully support those theaters and online venues that have chosen to make this movie available in the interests of free speech. But that doesn't mean you're required to watch it. A film like this is unlikely in the extreme to bring about positive change in a horrible place like North Korea. If anything, it could drive their insane leadership to even further internal repression.

So my personal recommendation is to ignore this film. Instead, fire up the Chromecast, or the Google TV box, or the Roku, or the Amazon Fire, or the smart TV, and watch Mr. Magoo's Christmas Carol on the big screen, from a beautiful print that TV viewers couldn't imagine ever seeing back in 1962!

Peace to you all for Christmas and this holiday season.

Take care, everyone.

I am a consultant to Google. I speak only for myself, not for them.

Posted by Lauren at 08:51 AM | Permalink

December 18, 2014

How We're All Being Suckered Over the Sony Hack

By now you've heard that Sony has canceled (for the moment, anyway) the debut of a controversial "comedy" film concerning a plot to assassinate the current leader of North Korea. Given that North Korea indeed has an evil, vile government, Sony apparently thought that a vile, tasteless film was the appropriate response -- very 21st century Hollywood thinking, indeed.

Sony's suspension of "The Interview" -- ostensibly in response to the mass hacking of their corporate systems and associated threats -- has already become a new talking point among proponents of controversial legislation that would almost certainly ultimately give the government vast new abilities to monitor and control privately owned networks and computer systems -- "for those private firms' own good" of course.

Yeah. Of course. But who are we mere computer scientists and technologists to argue with the likes of world-renowned "cybersecurity expert" Newt Gingrich, who has already declared that the Sony hack and Sony's response means that the USA has "lost its first cyberwar." Wow, that sounds scary.

And hell, if Newt proclaims something, it must be true.

Or not.

The very nature of this situation suggests that we will never know the real truth of the matter.

But boys and girls, my gut feeling is that we're being seriously suckered.

First we're told that the Sony hack was incredibly sophisticated and brilliant, of the sort that (supposedly) only a well-funded nation-state could muster.

Then we start to hear from researchers who have looked at this in more detail, and we learn that the actual exploit was relatively simplistic and run-of-the-mill, rather sloppy in fact.

So how could such a crude exploit do so much damage to Sony?

Well, we've also now learned that -- reportedly -- Sony's computer security practices were well known within the company as being somewhere south of McMurdo Station -- that is, really abysmally sloppy and inept.

So you apparently didn't need a nation-state with vast cyberwar attack resources to pull this off. Perhaps a bored 18-year-old looking for "lulz" from his parents' basement would be more than adequate to the task.

Given all this, why are we seeing so much focus on North Korea? Why is the U.S. government saying that North Korea is "behind" the attacks -- or that at least some group "allied" with North Korea was responsible.

Or maybe just someone who has "heard" of North Korea?

Let's face it. Since this attack has been tied to a film that at the very least attempted to make sick "fun" of assassinating Kim Jong-un, one might say (if one was of a conspiratorial mindset about this) that it all almost seems "purpose built" as a mechanism to justify whatever new anti-North Korea sanctions have been simmering in the background.

And as I noted earlier, it also fits in very nicely with the "government needs to be in charge of private computer security" storyline as well.

However, we don't even need conspiracies to work this one out to a significant degree of confidence.

These kinds of cyberattacks are notoriously difficult to source. There are so many ways to confuse and obfuscate and false flag and misdirect -- that we're unlikely to ever know with certainty who was actually behind the Sony hack itself.

Yet we do know with certainty that there are commercial "cybersecurity" firms itching to leverage panic into sales, and government "cyberwar" divisions always on the prowl for excuses to further inflate their already obscenely bloated budgets.

So ... which is going to play more effectively into these narratives -- the 18-year-old in the basement lounge chair with a keyboard in their lap ... or a nightmarish cyberattack conveniently pinned on the megalomaniac leader of a pariah nation?

Yes, I could be wrong. Maybe we're actually getting the straight story on all this from our elected officials and their multitude of minions. Maybe this all really was a dastardly attack by North Korea on a mediocre Sony film.

Then again, there's a bridge over the East River connecting with New York City that you might want to buy as well.

Just sayin' ...

Be seeing you.

I am a consultant to Google. I speak only for myself, not for them.

Posted by Lauren at 01:16 PM | Permalink

October 24, 2014

Stop the Ebola Witch-Hunt!

There's a wonderful old 1963 episode of the classic original "The Outer Limits" series called "The Sixth Finger."

It stars David McCallum as a man who is artificially and rapidly evolved into the human of the far future, both in terms of physical appearance and vastly enhanced intellect.

At one critical juncture, as he surveys the pitiful confusion of the ordinary humans who want to destroy him for being different, he proclaims, "Your ignorance makes me ill and angry."

But you don't have to be a super-intellect to feel both ill and angry at the spectacle of the current Ebola witch-hunt, being largely orchestrated by so-called radio and television "journalists" and lowlife politicians, with masses of ordinary folks being whipped into a frenzy of hate and prejudice as a predictable (and we may reasonably assume, intentional) result.

The worst offenders are the usual sycophant suspects. Moronic right-wing talk show hosts like Rush Limbaugh, the FOX News clowns, and the rest of the theocratic, anti-science, anti-health care, racist boosters of the rich and haters of the poor. You can tune them in anytime, ranting that Ebola is all a plot by Obama, that we should ban anyone who has been in Africa, and that we're about to be destroyed by an Ebola mutated into an airborne horror.

Sad to say, CNN -- once a great news organization -- now spinning out of control into the pit of mediocrity under the reigns of Jeff Zucker, has been a particular offender, going wall to wall for ratings with breathless, panicked Ebola stories, only sidetracking into other items if they're bloody enough or feature globe-trotting chefs or the new retread of "Dirty Jobs." In fact, one of the few sane recent commentaries I've seen on cable news lately about Ebola actually was on FOX News -- proving once again the old adage about a stopped clock not being incorrect quite all of the time.

And the Internet is now playing a major role as well. Blogs and other social media are being used to spread completely false rumors about Ebola outbreaks and deaths in the U.S., or attempting to capitalize on fake Ebola cures. Facebook and Twitter are being used today to vilify a doctor back from treating Ebola patients who has now tested positive for the disease.

Naturally, these purposeful attempts at panicking the populace are having nightmarish, sickly effects. One of those effects is to terrify health care workers, who know all too well what the sorts of demands now coming from talk show hosts, politicians, and panicked citizens would mean in terms of making a horrible situation in Africa even worse.

Attempts to ban persons who have traveled or transited from Africa would decimate relief efforts, as would country-specific travel bans in general. Demanding that every symptom-free health care worker who has been trying to help Ebola patients be quarantined upon return is not only unnecessary but would vastly undermine the willingness of health care workers to volunteer for such efforts in the first place. Meanwhile, where Ebola really is endemic -- in Africa -- it would continue to spread in the horrendous living conditions and primitive health care environment there -- putting ever more people in Africa at genuine risk.

Now, get this through your thick skulls, you idiot Ebola panickers and profiteers ...

The only people who get Ebola are ones who are in direct, close contact with persons in the throws of major Ebola symptoms -- like vomiting, horrible coughing, and other symptoms you wouldn't want to be anywhere near even if all they represented was a case of the flu.

It is not an epidemic here. It is not going to be an epidemic here.

And speaking of the flu -- now that's something you should be worried about! Thousands die every year from the flu here in the U.S., many for lack of simple vaccinations (thank the anti-vaccine nutcases for contributing to that). Unlike Ebola, the flu is airborne and easily spread.

Oh yes -- and ironically, the same GOP fanatics so desperate to repeal the Affordable Care Act ("Obamacare") that has provided millions with insurance and preventative care against diseases such as the flu, are the same hateful creatures who are out there now seemingly demanding draconian restrictions against anyone who even utters the word "Ebola" in public.

And just to be clear, this isn't just a GOP-orchestrated witch-hunt -- though they're the masters of the method. There are also Democratic politicians who are playing the Ebola scare card for all it's worth.

Given the toxic political landscape, it's six of one and half a dozen of another (and I don't mean "Outer Limits" fingers in this case) when it comes to reigning in our politicians on this. Ebola is their natural element for exploitation. You might as well try keep a bear away from a beehive dripping with honey.

But there is one thing I believe we can do. As I noted earlier, social media is being widely abused to spread Ebola panic and prejudice. When you see this occur, I urge you to call out the perpetrators publicly for what they are. Don't sit silently and let them get away with their hateful garbage.

Yes, this means having a thick enough skin to deal with the inevitable trolls, but this is a situation where we're talking about real lives being ruined not only by Ebola itself, but by purposefully orchestrated false stories and resulting panic, often using the Web as its carrier.

Thankfully, the Internet is still one place where we individually and collectively still have some real control.

Take care.

I am a consultant to Google -- I speak only for myself, not for them.

Posted by Lauren at 05:43 PM | Permalink

August 13, 2014

In UK, Experimenting With Heart Attack Victims Without Consent

Direct from the UK comes word of one of the more dubious medical experiments I've heard of in some time, that should raise ethical red flags around the world.

If you live in the Welsh, West Midlands, North East, South Central and London Ambulance Service areas, and you take no action to opt-out from a planned new University of Warwick study -- and you're unfortunate enough to have a heart attack -- you may randomly find yourself treated with a placebo rather than the conventional treatment of adrenaline. If you die from your heart attack, researchers will not actively seek out your relatives to inform them of how you were treated.

Persons who happen to see advertisements about the study in those areas and so learn of its existence can in theory opt-out --otherwise, you're a lab rat whether you want to be or not.

Researchers have a legitimate question -- does adrenaline therapy in these situations do more harm than good? Unfortunately, in their attempt to avoid study bias, they have violated a basic informed consent principle of ethical experimentation.

I suspect that this study stands a good chance of collapsing in the light of publicity, and the litigation potential appears enormous even for the UK. If nothing else, I would expect to see campaigns urging UK residents in the affected areas to opt-out en masse.

I would opt-out if I lived there.

Sometimes ostensibly "good science" is unacceptably bad ethics.

I am a consultant to Google -- I speak only for myself, not for them.

Posted by Lauren at 11:19 AM | Permalink

July 29, 2014

When Web Experiments Violate User Trust, We're All Victims

If you ever wonder why it seems like politicians around the world appear to have decided that their political futures are best served by imposing all manner of free speech restrictions, censorship, and content controls on Web services, one might be well served by examining the extent to which Internet users feel that they've been mistreated and lied to by some services -- how their trust in those services has been undermined by abusive experiments that would not likely be tolerated in other aspects of our lives.

To be sure, all experiments are definitely not created equal. Most Web service providers run experiments of one sort or another, and the vast majority are both justifiable and harmless. Showing some customers a different version of a user interface, for example, does not risk real harm to users, and the same could be said for most experiments that are aimed at improving site performance and results.

But when sites outright lie to you about things you care about, and that you have expected those sites to provide to you honestly, that's a wholly different story, indeed -- and that applies whether or not you're paying fees for the services involved, and whether or not users are ever informed later about these shenanigans. Nor do "research use of data" clauses buried in voluminous Terms of Service text constitute informed consent or some sort of ethical exception.

You'll likely recall the recent furor over revelations about Facebook experiments -- in conjunction with outside experimenters -- that artificially distorted the feed streams of selected users in an effort to impact their emotions, e.g., show them more negative items than normal, and see if they'll become depressed.

When belated news of this experiment became known, there was widespread and much deserved criticism. Facebook and experimenters issued some half-hearted "sort of" apologies, mostly suggesting that anyone who was concerned just "didn't understand" the point of the experiment. You know the philosophy: "Users are just stupid losers!" ...

Now comes word that online dating site OkCupid has been engaging in its own campaign of lying to users in the guise of experiments.

In OkCupid's case, this revelation comes not in the form of an apology at all, but rather in a snarky, fetid posting by one of their principals, which also includes a pitch urging readers to purchase the author's book.

OkCupid apparently performed a range of experiments on users -- some of the harmless variety. But one in particular fell squarely into the Big Lie septic tank, involving lying to selected users by claiming that very low compatibility scores were actually extremely high scores. Then OkCupid sat back and gleefully watched the fun like teenagers peering through a keyhole into a bedroom.

Now of course, OkCupid had their "data based" excuse for this. By their claimed reckoning, their algorithm was basically so inept in the first place that the only way their could calibrate it was by providing some users enormously inflated results to see how they'd behave, then studying this data against control groups who got honest results from the algorithm.

Sorry boy wonders, but that story would get you kicked out of Ethics 101 with a tattoo on your forehead that reads "Never let me near a computer again, please!"

Really, this is pretty simple stuff. It doesn't take a course in comparative ethics to figure out when an experiment is harmless and when it's abusive.

Many apologists for these abusive antics are well practiced in the art of conflation -- that is, trying to confuse the issue by making invalid comparisons.

So, you'll get the "everybody does experiments" line -- which is true enough, but as noted above, the vast majority of experiments are harmless and do not involve lying to your users.

Or we'll hear "this is the same things advertisers try to do -- they're always playing with our emotions." Certainly advertisers do their utmost to influence us, but there's a big difference from the cases under discussion here. We don't usually have a pre-existing trust relationship with those advertisers of the sort we have with Web services that we use every day, and that we expect to provide us with honest results, honest answers, and honest data to the best of their ability.

And naturally there's also the refrain that "these are very small differences that are often hard to even measure, and aren't important anyway, so what's the big deal?"

But from an ethical standpoint the magnitude of effects is essentially irrelevant. The issue is your willingness to lie to your users and purposely distort data in the first place -- when your users expect you to provide the most accurate data that you can.

The saddest part though is how this all poisons the well of trust generally, and causes users to wonder when they're next being lied to or manipulated by purposely skewed or altered data.

Loss of trust in this way can have lethal consequences. Already, we've seen how a relatively small number of research ethical lapses in the medical community have triggered knee-jerk legislative efforts to restrict legitimate research access to genetic and disease data -- laws that could cost many lives as critical research is stalled and otherwise stymied. And underlying this (much as in the case of anti-Internet legislation we noted earlier) is politicians' willingness to play up to people's fears and confusion -- and their loss of trust -- in ways that ultimately may be very damaging to society at large.

Trust is a fundamental aspect of our lives, both on the Net and off. Once lost, it can be impossible to ever restore to former levels. The damage is often permanent, and can ultimately be many orders of magnitude more devastating than the events that may initially trigger a user trust crisis itself.

Perhaps something to remember, the next time you're considering lying to your users in the name of experimentation.

Trust me on this one.

I am a consultant to Google -- I speak only for myself, not for them.

Posted by Lauren at 01:04 PM | Permalink

     Privacy Policy