May 31, 2007

Thoughts on Google Maps Street Level Photos ("Street View") and Privacy

Update (August 16, 2007): Would you believe that something very much like Google Maps "Street View" existed in 1907? Well, there are some remarkable similarities given the technology of the time, for sure. Take a look!

Greetings. The New York Times noted today that Google Maps is now displaying street level photos ("Street View") for some locations in some areas -- the list of which is sure to be expanding rapidly.

I've been asked what I thought about the privacy implications of this -- some people seem to be pretty upset.

I started noticing this feature on various Google Map searches around here in L.A. some time ago. It's certainly handy for getting a feel for what an unfamiliar place looks like before heading on over.

Given the static nature of the images, which currently are unlikely to be updated very frequently, I do not see a big privacy risk at the moment. Real estate companies are constantly snapping photos of houses in many areas for their databases -- though obviously these are not public in the way Google Maps now is. In my neck of L.A., I've seen film camera trucks bristling with lenses plowing up and down the streets shooting movie backgrounds.

In general, such photography from a public point (street, sidewalk, etc.) is legal -- though there are exceptions that can come into play for purposeful harassment and in other special cases.

However, it is possible to imagine possible situations where this feature of Google Maps could cause problems, and even potential risks for Google, depending on how Google chooses to manage the service.

So long as the images being used by Google Maps are from authenticated sources and are relatively infrequently updated, the privacy risks stay low for most locales. This isn't to say that various government agencies won't go berserk over particular images anyway -- given the ease with which you can get hassled by police these days for taking a photo of the local freeway overpass -- but by and large that won't happen for shots of most locations, to be sure.

However if Google decided to allow users to submit their own more frequently updated photos of locations, either for the official Google Maps database or through public "mashups" that link such photos to the mapping database, the situation becomes more problematic. Not only could much more frequently updated photos cross the line into real privacy violations, but the risk of photoshopped photos being submitted or used that show faked imagery would seem a real possibility. You can use your own imagination about the range of ways in which such fakes could be manipulated to attract attention, harass, or mislead.

Now, I have absolutely no indication that Google has any intention of permitting such "self-submitted" location photos scenarios. In fact, Google does have a link with which you can report "inappropriate" photos for possible removal, though if photos were faked, figuring out what was really inappropriate in different situations could get rather complex. In any case, all I'm saying here is that so long as Google Maps is using authentic photos on a reasonably infrequent update interval, the privacy risks remain relatively low in the vast majority of cases.

A bigger risk to the service might loom in the future though. I can't count the number of times I've gotten queries from people that amount to: "My neighbor has a camera pointed at my house -- who can I report him to? I feel like my children are at risk," etc. In almost all of these cases, my response is that so long as someone is taking photos from public spaces or their own property, and isn't making a special effort to see things they couldn't otherwise normally see, such photography or video is usually permitted. That answer seems to infuriate many people.

This seems to suggest -- given the post-9/11 mentality -- that it is not impossible to imagine laws that could be written specifically to restrict the use of such street level photos, ostensibly on personal security and privacy grounds. If Google Maps were painted as a major privacy problem -- which again is an opinion I don't subscribe to, but that some others already do -- this could act as a catalyst toward the enactment of such legislation. This would be very unfortunate in the absence of genuine, major privacy concerns of a sort that do not currently exist in the Google Maps context, and that might not ever exist there if Google and its competitors use due care.

I only bring up this sort of possibility as did the "Ghost of Christmas Yet to Come" -- not as something that Will Be, but as something that Might Be -- a cautionary thought experiment, as it were.

So, bottom line -- for now the Google Maps street level photos provide a useful service and should not raise significant privacy concerns, except for a tiny percentage of photos, and they can be easily expunged. Whether this benign situation will remain the case depends upon Google's decisions regarding the service moving forward.

The late Allen Funt would probably have been amused, anyway.


Posted by Lauren at 07:11 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 30, 2007

The Big, Simple Reason Why the Immigration Bill Should Be Rejected

Greetings. I don't claim to be an expert on immigration policy. I'm not schooled in the intricacies of the different visa types and their ramifications. Personally, having lived here in Los Angeles my entire life, I don't have problems with a multicultural environment, and I can't help but suspect that a large part of the organized opposition to the Immigration Bill is driven by racism, even if below the conscious level in many people.

But from a technical and privacy standpoint, there are aspects of the bill that seem potentially problematic in their current form, particularly mandated data sharing of Social Security Administration data with the Department of Homeland Security, and the ordered use of the significantly error-prone employee verification database to verify the status of all future and even current employees. The latter is likely to falsely indicate that millions of persons don't have legal employment status.

But there's a much bigger, fundamental reason why the bill should be rejected, that overrides any and all positive and negative details.

The Immigration Bill is enormous, and if enacted would trigger immense changes throughout the U.S., and by extension around the world. It is inexcusable beyond words that such a massive undertaking be foisted on the public as a result of secret, backroom negotiations, with nary a meaningful public hearing to openly discuss the issues and ramifications.

An exercise of such scope demands a major series of hearings and comment periods, not a "grand compromise" by the same sort of politicians who have "compromised" us either directly or indirectly in the past into other bad legislation, not to mention the Iraq war and similar travesties.

Immigration reform is a highly emotional topic, but it's also an extremely technical one, with complex impacts throughout the economy and people's lives. It is not an appropriate subject for wink and handshake legislation, and the legislators involved -- in both parties -- should be ashamed of themselves.

A bad bill is most decidedly worse than no bill, especially with ad hoc changes in the legislation now taking place that appear to make matters even worse than the existing status quo. The only reasonable approach now is to deep-six the current Immigration Bill and start from scratch with due process.

The people of this country should demand no less.


Posted by Lauren at 08:25 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 29, 2007

Google Says: "We're for Adults Only" -- and a Legal Trap for Us All

Greetings. As noted here, Google's Terms of Service (TOS) apparently indicates that non-adults may not use Google services.

This sort of language (restricting use to adults) is not uncommon on many Web sites, even non-porn ones. It's usually used in an attempt to provide self-protection for the sites in question. However, I view it increasingly as something of a legal trap both for the sites that say this and for their users.

Just a week ago, in MySpace, Google, and the Path to Tyranny, I noted the big legislative push toward forcing "social networking" sites to positively ID users (to prove they were of acceptable age), and how this could easily spread to other types of sites, destroying the ability to use the Internet anonymously without complicated technical workarounds that would be beyond most users.

If this push proceeds along its proponents' desired path, it can only be a matter of time before they make the next logical leap. This would be to legislate that any site that says that children shouldn't be allowed access -- even apparently Google according to that TOS -- must do the same sort of positive ID verification that will be mandated for social networking, porn sites, and the like.

It's only logical, and probably inevitable, if these ID regimes take hold on the Net. Once you start down the Internet ID path using age as the enabling factor, how can you assert that one type of site must verify ID to prove age, but another type of site shouldn't have to and can just operate on the honor system?

Worse, it will be easy for proponents to justify this at each stage of the game, using particularly egregious cases as examples.

This is the "path to tyranny" that I wrote of. The day could come when you not only have to be over 18, but you'd also need to show an ID to use Google -- or most other sites. Does Google really want this? Of course not. But this is the path that we are paving, ID stone by stone.

While I do understand Google's short-term concerns relating to their TOS, I assert that the long-term ramifications may be far more serious given the increasingly oppressive push to get the Internet "under control," by those who fear open communications most of all. The enemies of free speech are enemies to Google and its users alike, and that's only the beginning.


Posted by Lauren at 12:45 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 26, 2007

Google, Privacy, the EU, and a Question of Attitude

Greetings. You may have heard that the European Union Article 29 Working Party, which deals with privacy issues, has recently sent Google a letter asking for "clarification" of their data retention policies and related matters. While the chairman of the working party seemed to express significant support for Google's position, it's increasingly clear that individual member countries have their own not always identical privacy concerns.

There are reasonable arguments on both sides of the equation when it comes to search engine privacy. When Google recently announced some positive changes in their retention policy, I applauded this publicly as a good first step, though the amount of Google-retained data still potentially linkable to individuals is vast.

But in reports of Google privacy chief Peter Fleischer's comments relating to the EU query, a bit of the old Google "arrogance" is starting to push through, and this is not to Google's long-term advantage. Peter and I have had cordial communications in the past, and he's a good guy. Obviously, I have had differences with Google regarding their data retention policies in particular. I have never asserted evil motives by Google, rather, my main concern is that their policies may enable others to do evil with Google collected data.

My proposal a year ago for a Google Privacy Initiative didn't seem to have much impact at the time, nor did related calls for a broad, industry-wide approach for dealing with these issues.

Google's Peter Fleischer now appears to be pushing for a single global approach for data protection and a global privacy treaty:

"We as a company have a single approach to privacy right across the world. We can't run a system that has different privacy levels for, say and the Dutch site -- that would be crazy... So if we can do it why can't policymakers?"

As attractive as such a concept might be in theory (but only if that single approach were strong enough in terms of protecting privacy), I suspect that it is unrealistic. And that's where that touch of Google arrogance I mentioned above comes in, and it's a problem a lot of techies share (and as a techie of long standing myself, I'm not entirely immune either!)

It's natural for technologically-oriented people to see straightforward, logical, encompassing approaches to dealing with problems. That's part of how advanced technology is thought up and engineered.

But when we try to map that attitude onto the non-technical world, we can easily step into the quicksand of decidedly non-technical human emotions and concerns. In particular, the key aspects regarding the very concept of privacy vary widely around the globe. For that matter, they vary significantly among the different states here in the U.S., and even between different courts at the state and federal level.

This suggests that a formal "one world policy" when it comes to privacy is unlikely to be formulated and/or maintained, though individual subtopic agreements regarding particular forms of data transfer and the like are always possible.

By seeming to push for the governments of the world to conform their privacy views with Google's technological approaches, I believe that Google is setting a very high bar that diverts us from more achievable goals of better protecting user data while preserving its value for Google and other search engines. In essence, Google seems to be saying that it wants the world to change to match what Google wants to do, rather than Google adjusting to the world's privacy sensibilities. This is probably not a winning position in the final analysis.

Apart from the current EU query, which I don't suspect will end up being a particularly big issue, there are much more serious privacy-related threats to Google's current business models waiting in the wings at the hands of legislators and courts, and these will be pulling at Google from the opposite extremes of demanding both stronger and laxer privacy protections in particular contexts. Talk about being between a rock and a hard place.

Peter Fleischer makes some excellent points when he notes the difficulty of meeting a widely disparate range of privacy rules. He's right, but that's the ball game right now, and there are legitimate reasons for those disparities in many cases. We should work toward harmonization where appropriate, but that's likely to go only so far. Peter also called on Yahoo! and Microsoft to clarify their data retention policies and practices. I completely agree with this call, though as the industry leader and trendsetter by far, it's obvious why the spotlight tends to stay firmly affixed on Google.

Speaking of policymakers and the global debate over privacy, Peter also said:

"We need to start talking now. We in the industry have to start the debate."

Many of us have been calling for just such a debate and discussion for years. We're well past the time when this dialogue should have been initiated. The privacy dilemmas now facing Google and other Internet services have been long predicted, and specific palliative approaches have been suggested from various quarters but generally ignored by the major players.

That's history, and it's tomorrow that must mainly concern us when it comes to such issues, not yesterday. So perhaps the time is finally right for really reaching the core of both the technological and non-technological aspects of privacy at Google, and at their competitors as well, around the world.

Let's get to work.


Posted by Lauren at 09:10 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 22, 2007

MySpace, Google, and the Path to Tyranny

Greetings. The current controversy regarding MySpace -- where they've now agreed to turn over Sentinel Tech data that purports to match registered sex offenders to MySpace profiles -- is nothing less than a harbinger of how easily the entire Net could become even more of a surveilled space than it is now.

At first, when some states demanded this data, MySpace refused, seeming to properly cite privacy laws. When the demands escalated and media attention became intense, MySpace buckled. It is not entirely clear from press accounts to what extent those states that will now receive the data have served MySpace with the appropriate legal documents to enable the legal release of data, or whether MySpace has now "altered" their interpretation of the relevant laws.

In either case, states are now also apparently planning to demand copies of all related e-mails, and in some cases already threatening to require even more data retention (including e-mails), positive identification of all users of "social networking" sites, and so on.

What makes this situation so dangerous to honest, law-abiding Internet users is that nobody wants to make things easier for sex offenders -- though one might assume that many sex offenders are smart enough not to use their real names on MySpace if they have offenses in mind.

But the use of sex offenders as a wedge is providing the perfect tool for those who would ultimately require every Internet user to provide a credit card number or similar instrument to positively ID themselves before accessing any Internet discussion forum, mailing list, or search engine (you never know what evil links might be found, right?), and to push for universal long-term data retention of all e-mails and other data.

Demands for universal ID on the Net appear inevitable, once it is generally understood that the fundamental nature of the Internet means that "forbidden" conversations (on any topic) can occur anywhere. Once MySpace and other self-described social networking sites are nailed down with ID requirements, children and adults who wish to protect their anonymity and privacy (for good or ill) will simply migrate to other venues, either above or below ground. In fact, this is likely already going on, but to the extent that it's underground it is not subject to simple observation.

I've had people suggest to me in all seriousness that nobody should be able to access Google or ultimately any sites without certified identification and what amounts to an Internet "drivers' license."

Why does Google keep coming up in this context? Because they are viewed by many persons (who want total control of the Internet) as the major enabling agent that allows people to find the forbidden fruit. Without Google's comprehensive facilities, such folks reason, it would be much harder for anyone -- children or adults -- to locate those "dangerous sites" -- however "dangerous" is being defined at the moment.

That sort of reasoning could easily lead to laws that would be extremely hazardous to Google and other search engines' continued basic operations. Such laws could also turn the Internet into the most effective tool for oppressive surveillance dreamt of by any dictatorship -- all in the ostensible name of -- as television's Agent 86 Maxwell Smart used to say many years ago -- "the forces of goodness and niceness."

This is why we must take a stand. We all want to rein in child predators. But allowing the hysteria surrounding admittedly heinous crimes to distort our basic foundations of free speech and technology would be a terrible mistake. To use child abuse as an excuse for broad Internet identification and data retention requirements would itself be a massive abuse to civil liberties and would in fact create yet more underground problems and widespread, major unintended negative consequences.

The future will look back on this period as a crossroads between technological freedoms and tyranny. We must not be seduced by fear into taking tyranny's preferred path.


Posted by Lauren at 08:42 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 17, 2007

Censorship Run Amok: XM, Big Money at the FCC, and the Rest

Greetings. There is a controversy now raging regarding XM's suspension of the raucous "Opie and Anthony" team for a month, over their admittedly vulgar remarks regarding some highly-placed female personages. Apparently the suspension has caused considerable outrage and blowback from many XM subscribers, who thought they were paying XM's non-trivial fees for uncensored programming free of the usual Nanny-FCC constraints.

I am not a fan of O&A's style of humor, nor of Howard Stern's for that matter, but Howard nicely crystallized the rapidly declining environment for freedom of speech when he reacted to this case by telling his Sirius audience, "If you want free speech, walk in a closet and talk to yourself."

There are two primary forces at work creating an increasingly suffocating situation. One is persons using religious, racial, and related concerns to try enforce a "we'll tell you what you can say" attitude, often with threats of new regulations and laws, which given Congress' willingness to pander is not an outcome to be easily dismissed as unlikely.

Related to this is the mess at the FCC, where the enormous amounts of money involved in broadcasting and telecommunications have caused distortions that can impact many facets of our lives in extremely negative ways.

In the O&A case, many observers feel -- including myself -- that XM's action is a thinly veiled attempt to garner favor at the FCC for the proposed XM/Sirius merger (to which I'm firmly opposed).

There's lots of speech that is crude, obnoxious, and just plain disgusting, even outside of government offices! But that's the price we pay to live in an ostensibly free society, and that freedom is ensconced right there at the top of the Bill of Rights.

Holier-than-thou demagogues are now engaged in a concerted campaign to restrict public and even private discourse -- on conventional airwaves, satellite and cable, the Internet, and even on the streets, to meet their small-minded mentalities and limitations. Preying on the fears of government officials and legislators is key to their modus operandi.

We may individually dislike -- even strongly hate -- much of what we see or hear when it comes to speech, but if we let these wannabe moral dictators have their way, we'd better start clearing out some room in our closets right now. As Stern suggested, those may soon be the only uncensored venues left.


Posted by Lauren at 08:09 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 16, 2007

CVS Admits Unsolicited E-Mail to Addresses From Third-Party Service

Greetings. On May 10, I reported apparent spamming from CVS/pharmacy. At the time, a CVS spokesman suggested to me that customers likely were providing the wrong e-mail addresses, and admitted that e-mail address verification on those submitted addresses was perhaps not being done in at least some cases before starting solicitations.

This didn't seem an adequate explanation, especially given the e-mail address to which I've received these unsolicited CVS mailings.

The reality is clearer today -- CVS has now admitted to me that they have been sending offers to e-mail addresses obtained from a third-party e-mail address "matching" service.

Such services usually attempt to "guess" an e-mail address (in this case for CVS "ExtraCare" members who declined to provide one) based on other customer-provided information. These services can have major inaccuracy problems, since there is no sure way to do such e-mail address matching. The result is often sending materials to the wrong persons.

This would still seem to qualify under most definitions as spamming, even if an initial "may we use this address?" message was sent first (a common spam bait technique), and in my case and others I've heard about the spams just started without prior e-mail address contacts.

If people wanted to provide an e-mail address to CVS or anyone else, they would do so. Using a matching service is undermining that choice, even if an accurate e-mail address happens to be listed by the service. The use of e-mail addresses not directly provided by the customer, or use of customer-provided addresses that have not been verified and confirmed via e-mail before associated e-mail solicitations begin, can easily result in spamming in the view of many or most jurisdictions, as far as I know.

CVS points out that they have a customer service toll-free phone number and e-mail address on their Web site, which is appreciated, but isn't the point.

Unsolicited commercial e-mail is spam, and use of third-party services to obtain e-mail addresses is asking for trouble.


Posted by Lauren at 03:26 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 15, 2007

Wiretaps and Homeland Security to Protect Copyrights, RIAA, Etc., Proposes Bush Admin

Greetings. The Bush administration has proposed a sweeping expansion of copyright infringement "criminalization" -- including more wiretap authority and involvement by the Department of Homeland Security. Yes, this is copyright we're talking about gang, not Al-Qaeda.

My initial reaction to the Bush proposal was to consider it a bizarre and potentially dangerous augmentation of already over-entrenched IP rights, suggesting that the RIAA and MPAA seem to actually have the kind of influence over our government that conspiracy theorists have long attributed to the Illuminati.

But then I realized that there's a bright side. Since the proposal would turn the Department of Homeland Security into a Compact Disc/RIAA watchdog agency, this suggests that all the doom and gloom we hear about budget and management problems at DHS must have been fixed! Otherwise, nobody in their right mind would propose adding copyright policing to their mandate.

And now we can finally understand why there's been the big push to force the inclusion of wiretapping/monitoring capabilities in virtually all phone systems and computer networks. We always figured that such broad requirements didn't make sense just for fighting terrorism and violent crime. But now we can see the light -- it's for keeping tabs on all those college kids and their evil file sharing!

Wow, it's great to know that the Bush team has finally gotten their act together when it comes to allocating scarce resources. I guess we can all sleep much better from now on.


Posted by Lauren at 05:27 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 14, 2007

In Desperation, Microsoft Claims Massive Linux Patent Violations

Greetings. Microsoft, claiming that they're taking the intellectual high road, now asserts that Linux and its various Open Source components violate 235 Microsoft patents, and is already talking about compensation -- big time, we can assume in the end.

Some details are in this article from Fortune.

Here's a fun project for some grad students or other interested parties with time on their hands. How about combing through the masses of Microsoft OS and applications software and seeing how many patents they potentially infringe? And how many of Microsoft's patents in any contexts might be invalidated by prior art?

If Microsoft really wants to play Intellectual Property Roulette, let's give them their money's worth at the table.

Aside: Aren't there really better ways for the smart boys and girls at MS to be spending their time rather than with more patent foolishness?

And assuming that Microsoft could find a way to wangle bucks out of the big Linux users, let's together name one of the biggest Linux users on the planet (if not the biggest) that MS would presumably be just tickled pink to sock with either a massive bill and/or continuing royalty demands. Can we all spell G-O-O-G-L-E? I knew you could. Google is quite possibly MS' real target in this regard as well.

Microsoft's obvious desperation in going this route almost inspires pity.



Posted by Lauren at 01:57 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 13, 2007

Google, Thailand, and an Internet Mushroom Cloud

Greetings. By now you've probably heard that Google has very recently dropped some videos from YouTube that were considered offensive enough to the Thailand government that Thailand threatened a criminal lawsuit. That threat is now dropped, though at last report blocking of YouTube by Thailand may still be in place.

What you may not know -- and what has not been widely reported -- is that the controversy over the original offending videos has triggered countless mirrors of those videos themselves in various locations, and a slew of even more directly "vulgar" videos on the same theme, playable at YouTube and a morphing list of other sites.

It doesn't take more than a few minutes of research on Google to find piles of these materials, once you're provided with (or figure out) some "second-tier" keywords relating to the subject and the various personages involved in the disputes. Will Thailand soon demand that Google remove those links? Once we pass over the event horizon into the vortex of "political" censorship is it possible to ever escape?

And to what end? As predicted, it appears that Thailand's demands and Google's response in this case have fanned the flames rather than put them out, along the very lines I've talked about recently.

This is but the beginning. Google (and other Web entities) must understandably enforce their stated policies, but to the extent that these policies are viewed by the world as largely ad hoc and subject to pressure or expediency, the politically-based demands will keep on coming, much as the stereotypical blackmailer is never satisfied with the initial payment and always wants more. Meanwhile, "offending" materials will continue to circulate around the globe largely unimpeded, in ever wider circles, never to be eradicated no matter the rationale. That's just the way it is. No escape.

We can and should make diligent attempts to work through these issues -- and that means brainstorming on a scale beyond any individual boardrooms. Even then a possible -- perhaps even likely -- result of current trends will essentially be content and copyright chaos, with freedom of speech ironically a casualty as ever more repressive means to try controlling content are brought to bear. We may despite our best intentions be powerless to prevent this outcome. However, we haven't yet really even made a sincere effort at dealing with this dilemma, so it's too early to write off the possibilities of success -- yet.

But if we don't get off of our collective butts soon, we will absolutely guarantee a bad outcome for everybody involved, except perhaps for those who have long viewed free speech as an enemy, and the Internet as their personal mechanism for societal control.

The Internet is arguably in its own way the most powerful tool created since the nuclear bomb. The battles over control of the Net's content may prove to be as important in the sphere of human rights and culture, as battles over nukes are to the survival of mankind.

This isn't just about money, business plans, and stockholders, or even stimulating R&D. It's about human rights and our collective intellectual and political futures. We're screwing up. We will not be forgiven if we haven't even tried to get this right.


Posted by Lauren at 06:36 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 11, 2007

Remote Monitoring Capabilities in New Intel Chipsets

Greetings. I haven't seen much discussion regarding Intel's new "Active Management Technology" being deployed as part of at least some new Intel CPU chipsets. Touted as a grand tool for remote maintenance, repair and monitoring -- including "compliance with government regulations" -- a key feature is that it apparently works even when the associated notebook is powered off (however "powered off" is being defined).

While these new capabilities are initially usually disabled, the scope of the possible back channels created by this technology and the possible opportunities for sophisticated abuse, appear significant enough to be worth serious debate.

I'd be interested in the readership's opinions regarding this.

You can read details at Intel's AMT page and from this Intel PDF document.


Posted by Lauren at 12:42 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 10, 2007

Receiving Spams from CVS/pharmacy?

Greetings. I've been getting reports of people receiving unsolicited commercial e-mail offers (that is, spam) apparently from the large CVS/pharmacy drugstore chain. I've started receiving these myself as well, claiming that I'm a member of their "ExtraCare" shopping "club" (I'm not) and arriving at an e-mail address that was never provided to them during any transaction or on any CVS forms or related materials (in fact, I've never provided any e-mail address to a CVS store).

While these e-mails are not coming directly from CVS (they are being distributed via and -- these ultimately map to Digital Impact in San Mateo, CA), they appear to have been sent on behalf of CVS.

In fact, I am in contact with CVS corporate about this situation, and while they have not yet confirmed responsibility for these particular mailings, they did seem to admit that they have been conducting an ExtraCare-related e-mail campaign and that they have apparently not been verifying submitted e-mail addresses for permission before adding them to their mailing lists.

I am attempting to ascertain the full scope of this situation. If you have recently received unsolicited e-mail of this sort from CVS, I'd appreciate your letting me know with as many details as you feel comfortable providing to me.

Thanks very much.


Blog Update (May 16, 2007): CVS Admits Unsolicited E-Mail to Addresses From Third-Party Service

Posted by Lauren at 06:21 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 08, 2007

CBS Blocks Web Comments on Obama

Greetings. Illustrating once again the effects I often discuss, CBS has chosen to block Web comments about Senator Barack Obama -- and only him, they're reportedly not blocking comments regarding other candidates -- due to the volume of racial and other ugly remarks in an apparently unmoderated forum.

You'll recall a month ago back in Thoughts on Blogging Wars and Blogger's Code of Conduct I talked about the asymmetric power to disrupt in unmoderated posting environments, and the associated risks.

The CBS situation is yet another example, in this case resulting in a particular candidate being disadvantaged. CBS should either shut the entire comment section down, or appropriately moderate comments about all of the candidates in advance of allowing any to be published on the site.

Show some responsibility, CBS.


Posted by Lauren at 12:12 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 06, 2007

Strangling the Internet with ID

Greetings. This New York Times piece gives an excellent overview of efforts now in progress in various states to require verified ID before allowing anyone to sign-up for "social networking" sites like MySpace, and the impacts these could potentially have on all manner of Web sites.

In particular, the article notes the view that such efforts would be impractical and could even do more damage by pushing children (the group these laws would ostensibly protect) toward other sites completely under the radar. The article also recognizes that requiring ID (most likely a credit card) would then provide networking sites (or their third-party subcontractors) with a direct linkage to all users' true identities that could be subject to later exploitation and abuse.

While we all want to protect children, these ID-based models will not do so, and indeed will bring with them a whole host of other major risks.

How long will it be before some bright boys inside the Beltway get the idea of requiring that all Internet usage be tied to verified IDs? This would fit in just dandy with the mandated data retention push, COPA, and the other efforts to turn the Internet into an ever more purpose-built computerized arm of law enforcement.

Wanna use Google? Verify your ID first, please, so retained records can be retroactively tied to you at any point in the future by various agencies.

Too dark a scenario? Couldn't happen? Do you really want to bet against me on this one given current trends?

Of course, we can still turn the tide, working together as consumers and Internet service providers alike. We can tell the politicos that enough is enough. But will we? Or will it be business as usual?

Place your bets.


Posted by Lauren at 02:35 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 04, 2007

Congress vs. File Sharing

Greetings. This very recent letter from the House of Representatives demanding that universities "testify" as to their students' use of file sharing (including port numbers, ability to run inbound servers, and other details, no less) demonstrates a profound lack of understanding regarding how the "abuses of concern" could easily migrate to underground, off-campus networks.

But one paragraph in the survey particularly caught my attention:

II.9: Does your institution retain records that enable the identification of specific users of computer and network resources who may be the subject of a notice of infringement from a copyright holder? For how long are these "user logs" maintained? What factors were considered in making the decision to retain such "user logs" and in determining how long to retain such records? Is the lack of such records or a limited retention time a practical impediment to the effective identification of violators of your institution's acceptable use policies?

Ah! There it is -- the handwriting on the wall for yet another "mandated data retention" argument sees the brighter light of day in a public context. First we were told that Internet usage data retention was to fight terrorism. When that argument didn't fly so well, the current popular line -- fighting child abuse -- became the data retention talking point de rigeur. Now we see the next phase brought even further out in the open -- data retention for DMCA enforcement.

There's no need for complex analysis to understand all this. It's abundantly clear that government dreams of the day that they can have unfettered access to the complete Internet usage records (and often content) of everyone on the Net. They view Internet records as a law enforcement and policy enforcement boon of a sort that Stalin and his ilk could never have imagined. Broad data retention advocates will keep dragging out argument after argument, and any persons who fight such concepts will be branded as being soft on crime and as opponents of the American way.

Government has been relying so far mostly on the Internet usage records that are being kept voluntarily by Internet services for their own corporate purposes -- that's created a bad situation in and of itself. But now the moves toward legislation are becoming a drumbeat. In the process, the concepts of privacy and free speech are being pounded into oblivion, and the necessary balance between laudable law enforcement and basic freedoms risks being thrown utterly out of balance.

You can bet that even as universities are the target today, conventional ISPs and their users in general will be in the crosshairs tomorrow.


Posted by Lauren at 03:53 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 02, 2007

A Futile Attempt to Censor the Net

Greetings. As you may know, a few months ago one of the decryption keys to high-definition DVD copy protection (for both Blu-ray and HD DVD) was discovered and has been spreading around the Internet ever since.

What you may not have heard is that AACS-LA -- the entity that controls the copy protection system itself -- is now engaged in an broad legal effort to stamp out every copy of the key anywhere on the Net (via "takedown" notices and related threats).

This is the textbook definition of an utterly and totally hopeless endeavor, demonstrating once again my maxim that "You can't effectively censor the Internet." This keeps coming up over and over again in different contexts (DMCA, governments upset about YouTube video depictions, political repression ... you name it).

You can harass, you can subpoena, you can threaten. You can cry, you can demand, you can plead. You can certainly try (and often succeed) at holding specific individuals or persons responsible legally and even financially, and you can sometimes block particular distribution points.

But you still won't be able to significantly suppress the actual information or other data in question once it's out there. Attempts to do so -- as in this copy protection case -- will typically only speed the spread! Once leaked, it's leaked. Once done, it's done. Like with my motorcycle, there's no reverse gear available.

This applies whether you're talking about a pirated music video, or, very unfortunately, national security secrets of the highest order.

After materials have circulated more than trivially on the Internet, you can't ever stop them. There are simply too many sites, too many ways to encode and obscure, too many alternatives for persons wishing to continue disseminating the data in question.

We do not necessarily have to like this state of affairs in all cases. Though it is a boon for free speech, there can indeed be situations where it carries significant financial, security, and other risks. But we might as well come to grips with the fact that this is the way the world works now, and there's no escaping that reality.

Get used to it.


Posted by Lauren at 09:07 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 01, 2007

Benefits and Risks in Google's Public Records Access Project


I'd like to expand a bit on the issue of the shifting legal landscape for search engines. This story discusses how Google is working with states and other governmental entities to improve public records database access. This could provide some real benefits by enabling typical Google high-quality access to this important and useful data, but could also easily open up a new Pandora's Box of major privacy and related risks.

To the extent that such databases become more easily searchable and integrated with Google's core database, there may unfortunately be a qualitative change in the potential for bad actors to take advantage of the system.

For example, right now, a search for "David J. Farber" on Google will of course find lots of material, mostly related to this person's professional writings and activities. Integration into Google of major public records databases means that much more potentially intrusive and abusable information -- real estate records are full of this stuff -- would be as easily found, either when targeting individuals or searching for broader classes of "targets" based on particular criteria (age, health, address, etc.)

True, the data is coming from state, federal, or local databases which already contain the information, but the very awkwardness of accessing these systems -- in comparison to the ease of using Google -- creates something of a crude firewall against at least some casual and largescale abuses, without depending solely on the quality of "sensitive information" redactions by the source agencies.

I believe that it would be extremely useful for Google to consider the implementation of additional privacy protocols particularly aimed at lowering this risk potential with public record data. A hands-off approach (treating all data equally) is unlikely to provide long-term legal protection to Google or other search engines, since it seems increasingly probable that courts will ultimately find that entities who organize data in ways that lead (however unintentionally) to abuses may share responsibility and liability for those abuses along with the data source providers.

I've seen significant public-records data nightmares even with the existing crude database access systems. Individuals and organizations can be and are hurt by abuse of such data. As I noted above, a high-quality Google interface to this data will bring both broad global benefits and a wide range of serious new risks on a much larger scale, that could have major public policy and privacy ramifications in a number of key areas.

It appears inevitable that courts and Congress will at some point start clamping down on "enabling technologies" -- like search engines -- which judges and legislators will view as being directly involved in copyright and other data access related abuses, since these services act as "middlemen" by organizing the data in ways that so vastly increases the ease of access.

I doubt that the sort of "safe harbor" provisions as in the DMCA today will last indefinitely without significant modifications that would likely mean new liabilities for Google and others, unless proactive steps are taken by these firms to try balance out some of these benefits/risks factors. I do believe that such proactive steps are technically and reasonably possible.

To not take such corrective actions risks draconian legislation and court decisions that could have drastic negative impacts on search engines' income and operations, and dramatically reduce the usefulness of these services to the world's users.


Posted by Lauren at 10:51 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein