December 30, 2009

Web Sites Display Stolen N-a-k-e-d Full Body Scan Images!

Greetings. Here's a "fun" question to think about as we get ready to close out 2009. With politicians clamoring for massive deployment of full body scanners at airports, how long do you imagine it will take before we start to see headlines like the title of this posting, inappropriately blaming the Internet generally and Search Engines in particular for the mess that these scanners are likely to create?

Subscription sites for body scan celebrity images (and different sorts of sites focused on imagery of children) would seem inevitable, as well as more routine "gawking at the big breasts" sites.

Despite claims of privacy improvements, most of these full body scanners still present imagery in astonishing detail.

Getting the images to the outside world will be relatively straightforward, despite the claims that images aren't recorded and that observers will be isolated.

When there's money to be made, it will be done.

Saving the images should be pretty easy. The observers simply need any sort of small (and you can get them teeny tiny these days!) digital image capture device that they can use to shoot images directly from the scanner display screens. If camera cell phones aren't allowed in the "naked body observation chambers," any of many other minuscule digital image devices -- if necessary easy to sneak in using the same sorts of techniques that would-be terrorists will use to defeat the body scanners -- can be employed.

Observers can snap images of general or specific interest for the amusement of friends and family, and for local posting on nearby walls, then upload the best ones to the Web sites later. "Wow, take a look at the [blank] on that [blank] -- Whooo!"

Celebrity shots (including politicians of course) would require a bit of coordination. The easiest way would be to simply have an associate near the body scanners to allow for matching up images (based on time of scan) after the fact. "Yeah, Senator Bilbo and his family came through at 8:05. You got those? Great!" Real-time signaling using a variety of easily accessible means will often be another possibility of course, depending on the logistical setup at any given airport.

Sound far-fetched? Too complicated? Nobody would bother?

Given human nature ... ya' really wanna bet?

Oh, and by the way, while the body scanners will probably be great at finding nail clippers that the magnetometers missed, you definitely can rest assured that any serious terrorists will either (a) target the wide variety of venues other than airports and/or (b) hide their explosives through a variety of uncomfortable but certainly not novel methods that these body scanners can't touch, including orifice insertions, and external masking techniques taking advantage of the limitations of these scanners.

When it becomes obvious how easily the current body scanners can be defeated by determined terrorists, are we ready for full strength, full-body x-rays and/or routine body cavity searches for the privilege of flying? Because those are the obvious next steps that are already in use among other "captive" audiences (such as inmates).

The only real cure for terrorism is coordinated intelligence -- in the IQ, political, and "three-letter agency" senses. Trying to scan and search terrorists out of existence makes for a fine show and votes in the next election, but simply guarantees that those persons who hate us will adjust their techniques and targets to render our expensive and depersonalizing anti-terror scanning efforts ever more impotent and useless.


Blog Update (January 9, 2010): Fun With Body Scanner Images -- and Cutting Through the Body Scanner Bull

Posted by Lauren at 09:58 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

December 28, 2009

"Search Neutrality" and Propaganda Deluxe

Greetings. When it comes to complex technical issues with political overtones, muddying the waters is a time-tested technique to try to draw attention away from the pertinent facts.

In recent years, there arguably has been no better example of this game plan in action than in the way that forces opposed to Net Neutrality have organized their offenses.

We've seen all manner of fanciful, irrelevant anti-neutrality arguments thrown into the pot. For example, anti-neutrality proponents have argued that Internet content edge-caching (like that used by Akamai, Amazon, Google, and many other Web services) somehow violates net neutrality principles -- clearly a false assertion. There have been claims that major, popular Web services represent monopolies akin to the warped and restricted environment present in the U.S. Internet access (ISP) landscape -- again, not true -- another disingenuous attempt to divert consumers and regulators from actual facts.

Today's New York Times provides a case in point, with a "sour grapes" op-ed by an author promoting the wacky idea that FCC Net Neutrality regulations should also include "opinion neutrality" -- oops, sorry that's not what he actually said -- the term he uses is "search neutrality" -- but really they amount to the same bizarre concept.

There are so many vectors from which to disassemble this "search neutrality" argument that it's hard to know where to begin.

We can start with the obvious. Unlike most consumers' interactions with ISPs, changing search services is literally just a single URL click away. Changing ISPs -- even amongst the extremely limited (if any) cost-effective broadband choices available to most U.S. Internet users -- is often nothing short of harrowing. Net Neutrality relates specifically to ISPs because ISPs are -- by definition -- the only path to the Internet for most Internet users. Every single byte of data that we send or receive is in the hands of our ISP. No non-ISP Internet services -- even the biggest ones -- come anywhere near such universal access to our data.

Add to that the fact that the few large, dominant ISPs who control the majority of U.S. Internet subscribers are now rapidly moving into the content provision business (e.g. video), and are deploying usage and bandwidth caps that impact competitive Internet content but not most of their own content -- well, the anticompetitive fox guarding the hen house analogies are impossible to ignore.

The big ISPs have mostly attained their dominant positions by virtue of their historical, legislatively-mandated monopoly telephone and cable origins, that gave them an enormous advantage against all comers. Combine that with the industry's cherry-picking of areas for high-speed Internet deployments, the telephone industry's decades-long trail of broken deployment promises, plus their intense lobbying aimed at restricting effective Internet access competition -- and the regulatory focus on ISPs is clearly well placed.

The designated enemy of the anti-net-neutrality forces these days is usually Google. Google is very large and certainly dominant in search over much of the world. But it attained that position not by buying politicians to maintain monopolies, nor by attempting to restrict competition, nor by dirty tricks.

Fundamentally, Google has simply provided better products, that more people want to use. And anyone else is free to do the same thing, at least as long as ISPs aren't permitted to strangle the Internet playing field via their total hold over Internet access to all sites!

Finally (for now) one other point of interest. The author of the "search neutrality" op-ed in question is apparently upset about how Google orders search results, especially those of his own company. But his example of MapQuest's decline in favor of Google Maps undermines his own case. Almost any unbiased observer would be forced to admit that Google's maps system has simply represented a more full-featured product than MapQuest's for many applications.

Similarly, the author's complaints about his own firm's treatment by Google have been undermined by independent analysis suggesting that these complaints are the result of his firm's own Internet operational philosophy and site design, not bias by Google.

As we're increasingly faced with the intersection of technology, money, and politics, it is unfortunately inevitable that we'll see everything (possibly including the kitchen sink) thrown into these debates by those parties who wish to undermine the true facts -- by sowing the seeds of confusion among consumers, legislators, and regulators alike.

But even though these are technically complex matters, they are in terms of some basic aspects of human experience -- especially when viewed through the lens of history and past behaviors -- not all that difficult to understand.


Posted by Lauren at 01:30 PM | Permalink

December 27, 2009

Securing the Cloud -- and the Trade-Offs Therein

Greetings. A few days ago, I briefly discussed my belief that "cloud computing" has and will have enormous promise, but I also expressed the concern that some fundamental security and privacy issues -- while solvable -- may not be sufficiently developed today to satisfy the requirements of all potential users.

I received quite a few comments, mostly asking in what circumstances I believed that cloud computing is or isn't appropriate for any given application.

That's a difficult question to answer succinctly, since user requirements vary so widely, and the very concept of "cloud computing" (as the term tends to get tossed around) covers a great deal of territory -- storage, e-mail, real and virtual machines for general purpose remote computing, and so on.

So right now I'll just touch on a couple of points. As always, there are lots of trade-offs involved in the selection of information technologies.

One basic issue is the degree of privacy that you desire or require, vs. the costs you're willing to pay. For example, since most Internet users have neither the capability nor inclination to run their own mail servers (though significant numbers would do so if their ISPs didn't forbid it!) it's common to host (at least part of the time) your e-mail "in the cloud" -- e.g., on ISP servers, Google's Gmail, or whatever.

Such remote e-mail hosting, whether accessed via POP, IMAP, Web browsers, or other means, is different in key ways from local mail storage.

First off, as long as the e-mail is on remote servers, it's likely better backed up than if it were just sitting on your own computer. On your own machine, statistics suggest that your mail and other data likely aren't backed up well or at all. On the other hand, e-mail not under your immediate control will likely incur a different (and in some respects generally weaker) set of legal (privacy) protections than e-mail stored locally.

Does this really matter in practice? The easy answer is yes -- but that wouldn't be entirely accurate. For many people, the trade-off between reliable remote storage and comprehensive (e.g. Gmail) mail handling functionalities, vs. theoretical privacy concerns, may skew heavily toward the cloud. This may particularly be true for services like Gmail that offer the option of full-time TLS (https:) secure connections between user browsers and Google servers. However, there are other users who wouldn't want to store their e-mail remotely under any conditions, for any period of time longer than required for transit and delivery (with server-to-server crypto at least of the STARTTLS variety when possible).

The honest analysis is that these sorts of decisions are very much personal ones. The key is to try to be sure that you fully understand the implications -- both positive and negative -- of these choices, and not choose your applications and services paths solely based on the say-so of either boosters or detractors.

When you're mostly concerned with remote storage rather than remote computing and processing per se, the situation can sometimes be a bit more straightforward.

If you simply wish to store data securely and reliably "in the cloud," then there's no obvious reason why the service provider would typically need access to the plaintext data or the means to decrypt encrypted data.

Various interesting work has been proceeding in this area.

The open-source Tahoe-LAFS project shows particular promise for providing a cloud-based, encrypted, reliable remote system for storing data -- much like a secure, distributed RAID environment.

With the increasing sophistication of client-side applications operating in advanced browser-based, server-supported cloud environments, it seems likely that a range of applications beyond "simple" storage will increasingly be able to function in modes where the actual data will not need to be plaintext accessible to the cloud provider.

But here again, there will be trade-offs. Some functionalities will likely perform more comprehensively or faster with server-based processing requiring plaintext data availability. Some valuable and popular services that may be viably provided for free when users allow plaintext scanning (e.g., of e-mail for ad displays) might not exist or might need to be fee-based without such scanning.

In the future, it's possible that both the free and fee service models will coexist in new contexts that don't exist widely today, perhaps based on both service capabilities and user-selected privacy paradigms.

It's undeniable that the future of computing is in the clouds. But the shape of Internet clouds, like the clouds fleeting across an azure sky, is a process rather than a fait accompli. Our sky gazing at cloud computing has only just begun.


Posted by Lauren at 06:07 PM | Permalink

December 17, 2009

Operation Chokehold -- and the Trapped Ambulance

Greetings. Yesterday I suggested that "Operation Chokehold" -- an apparently satirical call for an iPhone-based protest against AT&T's mobile data network that appears to have rapidly morphed into a real event -- was irresponsible and even potentially deadly.

A number of iPhone users and others contacted me with their arguments about why Chokehold is a simply grand and glorious idea.

Let's explore their thinking, along with an ethics quiz question to ponder. We'll leave aside for now the obvious point that purposely flooding the network with data in an explicit attempt to disrupt its operations is certainly a violation of the AT&T Terms of Service.

Some observers feel that since AT&T's mobile data network is so bad in many areas anyway, hardly anyone would notice even a large-scale attempt to flood the network with data in protest. Others suggested that AT&T was "so evil" (some mentioned their ongoing PATRIOT Act wiretapping concerns) that any protest was justified, and that to argue against protesting corporate activities would reduce us to -- for example -- the current situation in Iran. A couple of people were concerned that the protest had been compared with terrorism in some quarters. I would call the protest potentially criminal, but not terrorism -- given that the latter generally involves a different motivation, at least by my personal definitions.

A more common theme -- which I noted as a legitimate concern in my original item -- is that important services perhaps shouldn't be using these kinds of public mobile networks in the first place. This is a serious issue, but the reality is that given the funding and other limitations of many public safety infrastructures, it is not uncommon for some workers, who are going to do anything they can to get their jobs done (whether officially approved or not) to use ordinary cell phones and conventional mobile data resources, at least as fall-backs to their official equipment.

Several people suggested that even though the problems with AT&T's mobile data network are already very well documented, the protest would help to highlight the situation and emphasize how dangerous it was to use that network for crucial activities.

The issue of public safety takes us to the ethical quiz. I find it very useful when analyzing Internet issues to try to find historical or non-Internet comparisons and analogies that might help to focus the situation.

So let's think about a typical freeway (or thruway for you Easterners). This freeway is pretty busy much of the day. Sometimes it's awful -- traffic slows to a crawl. Ambulances, whose drivers are always trying to find the quickest routes to move their patients, sometimes choose to use the freeway at times when they expect the traffic will be relatively light and especially when their patient needs particularly urgent care. Getting stuck in traffic -- for example behind an accident -- could result in a dead patient (this is not merely a hypothetical outcome).

Now one day, the "Our Freeways are Too Damn Crowded" group coordinates a protest among their members. They want to completely shut down a major freeway at midday for an hour, when it would ordinarily be moving along pretty well in that particular area.

At the designated time, drivers from the group synchronize their movements across a section of freeway and pretend to have simultaneous engine failure, completely blocking the road.

The ensuing mess takes more than an hour to clear up. Just behind the protest blockage is a now trapped ambulance carrying a critical patient. The ambulance driver -- based on his experience and traffic reports up to that hour -- had chosen to take the freeway as the best route for that particular trip.

Due to the delay, the patient dies.

The ethical question: Should the protest organizers (and/or the persons who actively engaged in the protest) be held culpable in some manner for that death?

If your answer is no, then a secondary question would be how many deaths would be required "up front" for you to change your mind? 5? 100? Or do you feel that innocent deaths -- even if low probability -- resulting from such an event are always justified to make a point?

Please be sure to include the text of a condolence letter to the families of any victims with your replies as appropriate.

Odds are that the Operation Chokehold protest won't kill anyone. It may in fact not even be significantly noticed. Those aren't the issues. The question is whether even taking the risk (whether proposed satirically or seriously in the first place) for the purposes of protesting iPhone performance is worth the chance of innocent persons being harmed, however small that risk may be.

Common sense, and basic ethics, say no.


Posted by Lauren at 10:02 AM | Permalink

December 16, 2009

"Operation Chokehold" Demonstration Could Cost Lives

Greetings. Whether or not it started "merely" as a satiric suggestion, plans to disrupt AT&T's mobile network as a protest against iPhone data performance are childish, stupid, irresponsible, and potentially extremely dangerous.

Users of iPhones share the same data network with other AT&T mobile users, including public safety workers and other users with critical functions accessing resources via laptop dongles and the like.

To purposely attempt to disrupt a publicly used mobile data network of this sort is criminal -- or should be. While one can argue about the advisability of using public data networks for crucial functions, the reality is that they are, and without being overdramatic, such "Chokehold" demonstrations could actually cost lives.


Posted by Lauren at 02:02 PM | Permalink

December 13, 2009

The Google Phone vs. A World of Flatulence

Greetings. One of the worst-kept recent telecom-related secrets is finally out, with "official" word that Google will be selling a GSM-based cellular smartphone.

Bits and pieces of stories regarding this HTC-produced Android phone (the same manufacturer as the Android G1 and myTouch) have been dribbling out for months.

Various sources are tagging this basic device as "Nexus One" -- aka HTC Passion.

Presumably this carrier-unlocked device will include both EDGE+3G bands for T-Mobile and AT&T, plus associated international frequencies.

If HTC follows its usual pattern, a more or less similar phone will appear at some point for Verizon/Sprint CDMA, but not necessarily a full "Google Experience" device. (Both of the names HTC "Passion" and HTC "Dragon" tend to be used interchangeably, but not necessarily correctly, in some circles).

Unfortunately from my standpoint, smartphones without physical keyboards are non-starters for me in terms of routine use these days, but of course remain very useful for my Android testing and development purposes -- so if someone tossed me a Google Phone/Passion, I definitely wouldn't throw it back in their face!

Typical iPhone users should be willing to at least give the new "Google Phone" a good look-see if the price point is right, and assuming that they're willing to embrace the open Android market rather than iPhone's locked-down "We Are the Law" market environment.

Still, it may be tough for some iPhone users to drag themselves away from Mama Apple's controlling grasp, especially given the iPhone market's enticement of a veritable plethora of "farting" apps, a sheer quantity of digital flatulence unmatched by similar Android apps at this time.


Posted by Lauren at 07:31 PM | Permalink

December 11, 2009

How to Blackmail with Facebook

Greetings. In Facebook's Devious Privacy Ploy, I strongly criticized various aspects of Facebook's recent changes to their privacy settings environment, particularly elements of their new recommended defaults -- that I feel are nothing less than a privacy disaster.

But it's always useful to try to find a silver lining even in the darkest clouds, so today let's explore how the new recommended Facebook privacy settings are in some ways the "gift that keeps on giving" -- and can be used to help fill your bank account with riches -- if you're a criminal, that is.

To quote Gene Wilder as Leo Bloom in 1968's The Producers: "Let's assume, just for the moment, that you are a dishonest man."

How could you leverage Facebook's recent privacy changes toward your goal of achieving true "money is honey" status?

The key is Facebook's new recommended default that makes user postings ("Posts by Me") available to everyone, in contrast to the earlier essentially equivalent category of "Status and Links" -- which defaulted to "Only Friends."

Recommended defaults are extremely powerful. It can be expected that vast numbers of Facebook users, likely the majority over time, will accept the new defaults and rarely if ever take advantage of the new "per posting" privacy options that are now available.

As a bold crook, this plays directly to your advantage.

For your Facebook blackmail operation to blossom, you'll probably want to concentrate on the vast bounty of posted photo albums that will be open to public viewing, where previously they would likely have been restricted only to any given Facebook user's friends. These photos are gold to your criminal operation.

As we know, many Facebook users unwisely post a variety of "compromising" photos on Facebook to share with their friends. These often involve partying, drinking, and other potentially embarrassing (or even illegal) activities. You can use these ingrained posting habits -- combined with Facebook's new privacy changes -- to your definite monetary advantage.

The technique is simplicity itself, but you'll need to get going now for maximum payoff.

Simply troll around Facebook gathering up every potentially embarrassing photo that you can find. Archive them carefully, along with all other available Facebook information related to the associated users. You can do this on a small scale and manually, or on a larger scale via automated techniques.

Massive numbers of Facebook users will have inadvertently exposed such materials to "Everyone" as a result of Facebook's new recommended defaults. By collecting these photos and other compromising Facebook items now, you'll be in a position to monetize them to your benefit later, after these users have belatedly realized that exposing that stuff so widely -- particularly those nasty photos -- was a really, seriously bad idea.

Ah, but they're too late! You've already got 'em by the ... well, you know what.

Now comes the fun part. Keep watch and note when users who previously had exposed embarrassing materials suddenly change their Facebook settings to clamp back down and limit access. Many of these Facebook subscribers will be the patsies who'll end up buying you everything that you've ever dreamed of.

The rest is obvious. You simply -- via various reasonably difficult to trace communications channels -- offer a "service" to these Facebook users to help prevent archived copies of those formerly exposed photos and other goodies from falling into the hands of boyfriends, girlfriends, spouses, current or potential employers, law enforcement, and so on.

With a little luck, the bucks will come rolling in.

But as you count your ill-gotten gains, be sure to give thanks to those good folks at Facebook who made it all possible -- when they pushed their users into exposing to the world all those personal goodies that are now so enriching your life.

Yep, there's still a lot of money to be made on the Web!


Posted by Lauren at 02:40 PM | Permalink

December 10, 2009

Facebook's Devious Privacy Ploy

Greetings. The Net is abuzz about some major privacy changes by Facebook, which show signs in key ways of being yet another in their continuing history of ham-handed privacy gaffes. No, I'm not concentrating today on their notorious "beacon" system, though it was just announced that Facebook is shutting beacon down and paying almost $10M to settle a related lawsuit.

No, today let's talk about how Facebook has attempted to deceptively shill users into lowering their privacy protections, in the false guise of supposedly improving their privacy settings.

I am not a big Facebook user. In fact, I am hardly a Facebook user at all. I have an account for research purposes, but I don't publicize it. I've routinely ignored the multitude of "friend" requests I receive from people who find the account (and I do essentially the same thing for "LinkedIn" requests -- where I don't even have an account).

My attitude toward these services is that -- at least for me -- they do not bring significant value. Plus, the noise level of associated phishing, spam, and other crooked solicitations is way too high, and frankly the amount of time required to maintain more social networking accounts along with everything else I deal with would just be unproductive.

That's not to say that anyone else need share my opinions, but I hope this explains to those legitimate folks who have tried to contact me via those services why they did not receive responses (on the other hand, I'm plenty easy to contact in a multitude of other ways).

Facebook of course is all about sharing information. But as we know from a continuing sequence of news stories, many people are getting seriously burned from sharing their personal information on Facebook.

Youngsters -- and even adults -- are getting into trouble for photos they post showing partying or drinking. People have been fired -- or not hired -- on the basis of such photos. In one recent case, an insurance company has tried to kill a woman's health coverage, apparently because they thought she was having too much "fun" as shown in a Facebook entry.

Amanda Knox's very recent murder conviction in Italy may have significantly been unfairly influenced by the Italian media's fascination with and exploitation of her Facebook materials. Law enforcement is now using Facebook for sting operations, even for such relatively mundane matters as targeting underage drinkers.

Without attempting to evaluate right now whether or not such uses of Facebook should be viewed as legitimate, it is clear that keeping the minutiae of your personal life offline is obviously a good step to help ensure that you won't be subjected to judgment and possible exploitation based on that information.

But for those persons who do feel the desire to share their lives online, having complete control over the manner of that sharing is critical.

Unless you're a celebrity or some other sort of public figure, sharing more than the absolute minimum of personal information with the world at large ("everyone") via Facebook usually just doesn't make sense. Even if you're a young person seemingly with nothing to lose, it must be remembered that once information, photos, or other data have been publicly available for any period of time, they are likely to be available in some form, archived somewhere, essentially forever. And photos that didn't seem to matter when you're 16 may have a whole different impact when you're 30.

Be that as it may, the key to using Facebook "safely" -- to the extent that this is possible -- is by consistent and careful use of their relatively confusing privacy controls, that determine which information that you put online will be shared with particular classes of users.

So it's a pretty big deal when Facebook, as they've just done, completely revamps their privacy system, and forces all users to make new selections about virtually all aspects of their Facebook privacy.

Unfortunately, the manner in which Facebook has done this shows all the signs of being what amounts to a nasty privacy scam.

To be fair, the Facebook privacy changes are not all bad. For example, they now permit per-item controls over privacy settings. That's a positive change.

But the truly devious aspect of what Facebook has done is their choosing of new recommended privacy defaults for all users -- presented during the new "forced" privacy changes dialogue -- that in many cases seriously reduce default privacy protections on Facebook entries, in ways that will often share with much larger audiences key materials that you may previously have (wisely) restricted only to, for example, your friends.

While it's possible to override these new "suggested defaults," one of the worst actions that can be taken in a privacy context is to try to manipulate users into accepting reduced privacy protections on a default basis, especially in the context of promoting "improved" privacy settings.

It's duplicitous, deceitful, and as with Facebook's ill-fated beacon system, calls into question the entire underpinnings of Facebook's "ethical" structure.

The reason why Facebook would risk behaving this way seems rather clear. They've watched as more "broadcast" oriented systems like Twitter have gained massive popularity, and Facebook wants a bigger piece of that pie.

Twitter users by and large are fully aware of the fact that they're potentially "tweeting" to the entire world. In many ways that's the whole point. And since this is understood, the sorts of information we tweet tend to be rather carefully framed with this in mind.

Facebook on the other hand is attempting to coerce users into drastically changing privacy settings on a potentially vast range of personally-sensitive materials in ways that could in some cases -- no kidding! -- seriously upset or damage their lives.

If users wish to voluntarily and without coercion increase the visibility of their Facebook data that's fine.

Facebook's new system of proposing changed defaults for most users, that will often drastically reduce users' privacy, is difficult to categorize as anything other than basically exploitative and -- yes -- evil.


Posted by Lauren at 11:33 AM | Permalink

December 09, 2009

Expedia's Disgrace: "Your Money *and* Your Life!"

Update: Dave Farber has announced that his dispute with Expedia has now been resolved. Too bad that so much unnecessary hassle was involved in getting Expedia to do the right thing.

Greetings. The Internet has undoubtedly and significantly brought all manner of remotely-accessible benefits to many aspects of our lives. These advantages are often extremely enticing, so much so that they tend to mask the evil twin that sometimes lurks parasitically along for the ride.

For some Internet-based services use the fact of Internet access as an excuse to mask a depersonalized lack of customer service, and in some cases a vacuous dearth of ethical conduct -- while still merrily charging our credit cards.

Case in point is massive travel service Expedia -- which trumpets itself as the world's leading online travel company.

Over the last few days I've watched a tragic saga play out over on David Farber's "IP" list, as we've learned of his intense upset at Expedia's refusal to refund monies paid for a trip canceled due to the likely terminal illness of his wife.

Expedia apparently hasn't even been willing to escalate concerns about this matter to a level beyond the, "Sorry, you're screwed!" customer "support" level.

Obviously firms need to be on the lookout for fraudulent attempts to cancel services. But in cases such as Dave's, where not only are the medical realities well documented, but the various involved airlines and hotels apparently would be willing to refund, Expedia's middleman role clutching tightly to the money in this situation is nothing short of unconscionable.

It's possible that Expedia actually does have -- hidden somewhere in their policies -- a clause that handles these sorts of situations in a humane and reasonable manner. But if Expedia patrons are unable to access such policies (if they even exist), and can't get past useless Web help forms and script-reading phone agents whose main purpose appears to be avoiding refunds come hell or high water, then Expedia has proven itself to be unworthy of patronage -- or even existence in any form as far as I'm concerned.

Perhaps this is all some sort of misunderstanding. If so, I invite Expedia to contact me directly and I'll be happy to help sort this out, and then I'll gladly report back here about Expedia's prompt attention to this situation.

But being big and powerful is not an excuse for being petty and greedy. Even if Expedia's actions in this case so far are completely lawful, they appear on their face to be, frankly, abominable.

When the Internet becomes a convenient vehicle for abusing people in clearly unfair and unethical manners, such behaviors denigrate not only the companies and customers directly involved, but also ultimately the entire community of Internet firms and users.

This should be unacceptable to us all.


Posted by Lauren at 05:08 PM | Permalink

"Web Sockets" in Google Chrome (and an Annoying Cookie Issue Persists)

Greetings. Google has announced an early implementation of Web Sockets in their Chrome browser, that shows much promise for helping to reduce a significant bottleneck in a variety of browser-based applications.

However -- and I'm gonna keep hammering on this! -- I still unfortunately cannot recommend Google Chrome as a general purpose browser until it includes reasonable per-site cookie controls at least up to par with what Firefox (and to some extent IE) natively offer. If this can be accomplished via a Chrome plugin, that's OK -- but there's no plugin to do this yet in Chrome as far as I know (am I wrong?)

I'm not a hardcore cookie hater, and clearly there are many reasonable uses for cookies, particularly for state control. But the "all, nothing, or no '3rd party' cookies" choice palette is insufficient. Users who wish to block cookies from specific sites (e.g. when they don't wish to be tracked by those sites) are typically stuck in Chrome with the only option being to turn off all cookies in a manner that breaks logins at most sites that require authentication.

Admittedly, some people get themselves into trouble with per-site cookie controls, by blocking cookies necessary to logins (creating the infamous "repeating login dialogue" effect).

But this is still not a valid excuse for users being unable to control -- per site and in detail -- how cookies will be managed in their browsers.

When I made earlier queries about this issue to Google, I was told that better Chrome cookie controls were on the wish list, but would have to wait. However, with so many sophisticated features now being rolled out for Chrome seemingly almost daily, the lack of better cookie controls -- which by all rights should not be a comparatively major implementation task -- seems more glaring. I might add that the same issue persists in the standard Android Web browser as well.

I hope that Google will move on this matter with due diligence.


Posted by Lauren at 01:20 PM | Permalink

December 05, 2009

Television's Money Complaints - 2009 and 1974

Greetings. Comcast's plans to buy NBC Universal are widely viewed as largely an effort to obtain a particular category of assets -- NBC's cable networks.

The battles between the massive dominant cable TV firms (and the large satellite TV delivery systems) vs. the network and local TV programming suppliers (both over-the-air broadcast and not) have turned into a continuing war.

On one hand, cable and satellite generally want as much programming as possible at the lowest possible cost (ideally free). Networks and local stations would prefer to be paid, and the use of mandatory packages ("if you want this network, you have to take all of these as well") has further complicated the issues.

By the way, this is a different (though somewhat analogous) situation from what cable and satellite subscribers face when choosing among different programming packages. However, I am not at this time a supporter of proposed rules to force a la carte programming, since I fear it will undercut the subsidies that keep various excellent niche networks alive, which generally don't have large audiences relative to the big movie and sports networks.

With the addition of Internet video viewing into the mix, the concentration of power represented by -- for example -- Comcast owning cable networks that its competitors would also want to distribute is an obvious problem.

But for now, the cable big boys are complaining again about the costs of programming, and Time Warner Cable in particular has now deployed the increasingly common approach of trying to scare subscribers into helping with TWC's negotiations.

TWC has started running a spot urging subscribers to vote on whether TWC should "roll over" or "get tough" in their negotiations, and warns of threatened programming cutoffs.

But amusingly, back at the dawn of cable TV, the roles were reversed, with broadcast TV urging viewers -- even through ads running in movie theaters -- to fight against pay TV and cable TV. Déjà vu all over again!

So let's see how much has really changed over 35 years or so. I've put together a short video including both the current TWC spot and a classic anti-cable ad from around 1974. (Apologies for the abrupt start and ending of the second clip -- time is not generous to ancient videotapes.)

By the way, I'm still trying to figure out which of the most recent presidential candidates the voice-over artist for the TWC spot was voicing ads for.

Television's Money Complaints - 2009 and 1974 (YouTube Video)

Once again we see that in many ways, the more things change, the more they stay the same.


Posted by Lauren at 07:38 PM | Permalink

Show the MPAA Your Cell Phone Cameras!

Greetings. Recently, in Use a Camcorder, Go to Jail! -- The Saga Continues, I noted my sympathy for the film industry's piracy problems, but condemned the continued escalation of increasingly draconian anti-taping and related laws -- pushed through largely by the MPAA -- that don't even address the major cause of film piracy these days -- "leakage" from the film production and distribution chain itself.

As much as we adore the commercial entertainment industries, they are -- perhaps surprisingly -- not essential for human life or most aspects of national defense. So when the film industry's MPAA and the recording industry's RIAA seem to be the primary forces skewing key aspects of national and international law enforcement, something is definitely way out of balance. It's especially ironic that massive civil liberties intrusions such as the new UK Internet Wiretapping Plan -- that are setting the stage for all manner of later spying on citizens by ISPs and governments alike -- are being instigated by the same industries that brought us Howard the Duck and Mrs. Miller.

So it shouldn't come as a big surprise to hear that a 22-year-old Chicago woman was recently arrested, spent two nights in jail, and was charged with a felony, for videotaping family members singing Happy Birthday in an area movie theater. Luckily for Samantha Tumpach's relatives, they weren't indicted for singing the ubiquitous (and still copyrighted!) birthday song. Unfortunately for her, the small digital camcorder she was using picked up a few minutes of material from the theater's movie screen in the process. The theater manager -- apparently in line with the MPAA's "zero tolerance" policies -- insisted on pressing charges. So off to the lockup for Samantha!

This kind of bull was completely predictable. Put wacky, out of proportion laws in the hands of petty, greedy, power-hungry fools and these sorts of events are inevitable.

One way or another, the MPAA needs to learn that its agenda isn't the only one of importance to society. Everyone carrying a cell phone camera into a theater isn't a likely felon.

Or are they? The MPAA seems to think so.

Can we prove the MPAA wrong?

Just how many video cameras are there in the pockets of typical moviegoers these days?

A picture is indeed worth a thousand words, so how about a little experiment?

The next time you and your friends go to a movie, before any films or trailers begin, I'd appreciate it greatly if you'd get some still photos of everyone holding up their cell phone video cameras toward the projection screen. Don't actually record any audio or video of course! You don't want to risk spending a month dangling by shackles in a secret MPAA prison cell somewhere in Lithuania.

And if the theater management admonishes you not to take any photos even while the main lights are lit and nothing is being projected, of course abide by their demands.

Photos of such demonstrations could be taken from the rear of theaters shooting forward toward the screen, or from the front looking toward the rear (if everyone is brave enough to show their faces, that is).

The more people engaging in this mildly "subversive" activity in any given photo, the better. I'd love to see a shot of an entire theater filled with people all holding up their cell phones pointed directly at the screen.

What's the point of all this? Simply to demonstrate visually that video recording technology is now universal and ever-present in common devices that law-abiding citizens carry all day long as a matter of course, and that to treat brief, incidental capturing of copyrighted material as an act subject to either civil or criminal penalties is absolutely ludicrous and unacceptable.

If you're game to give this a try, please e-mail me your photos, and I'll publicly post the best.

But if you end up in chains deep in Lithuania ... I don't know you.


Posted by Lauren at 12:58 PM | Permalink

December 04, 2009

Google Now Personalizing Signed-Out Search -- and a Quick Note on the CNBC Google Report

Greetings. For quite a while, Google has offered a search personalization system tied to the history of your Google Searches when logged-in to Google.

Today Google announced the expansion of personalized search, and what could be termed a form of search history, for logged out users as well.

Rather than try to explain the various ramifications of this here, I'll refer you to an excellent and detailed article over on Search Engine Land that really gets into the nitty-gritty, including privacy issues, data retention periods, etc.

I'll just offer a couple of quick points for now. These personalized Google services are all tied to cookies held by individual Web browsers. If you block future Google cookies and delete any current Google cookies, search history correlations will no longer take place. Or, you can simply (with Google cookies accepted) opt-out of this logged-out personalization service -- which will note your choice via an "opt-out"-indicating Google cookie.

So whether or not you wish to participate in personalized Google Search is up to you, whether you're logged-in to Google or logged-out.

Various people have asked me how I broadly handle cookies in my routine Web browsing. My current (suboptimal) "solution" is to use different browsers for various purposes.

Firefox has the most fine-grained site-based cookie controls, so I tend to default to using Firefox for many (but not all!) purposes. I block cookies from many sites, and accept cookies from other sites (typically ones where login is required). I pretty much make these determinations on what amounts to a "need to know" sort of basis -- or rather a "need to accept a cookie" basis.

I avoid using Internet Explorer for a variety of reasons, but sometimes do employ it for "alternate account" login situations. IE has fair per-site cookie controls, though not as cleanly implemented as Firefox in my opinion.

When dealing with particular Google services where I always want to be logged-in anyway, such as Gmail, Google Voice, or Google Wave, I use Google's Chrome browser. Chrome is rather blindingly fast when dealing with JavaScript-intensive Google services and is the obvious choice when using these products. However, at this time, Chrome's cookie-handling options are comparatively sparse -- no per-site cookie controls are available. So I typically don't use Chrome in situations where I don't want to accept cookies. Actually, Chrome is so powerful and user-friendly in most respects that the single factor preventing me from switching to Chrome as my primary browser is the lack of better cookie controls -- a situation that I hope will improve soon.

Finally, a quick segue into another Google-related topic. Last night (with various repeats scheduled going forward) CNBC ran what I would characterize as a rather overall "aggressive" hour-long report called Inside the Mind of Google. Piles of folks have been sending me notes today asking my opinion of a particular sound bite by Google CEO Eric Schmidt, where he said, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

That line seems to have been bouncing around the Net and some mainstream media all day.

So in answer to the many people asking me ... yes, I saw the program and heard the quote. Yes, I probably did a Spock-like single eyebrow raise at the time. And no, I don't think that Schmidt was actually suggesting that everything anyone would want to be private is somehow automatically illicit or something that you shouldn't do.

Given what I believe to be a reasonable understanding of the sensibilities involved, I think it's pretty safe to assume that the intent of the statement was actually limited to -- for example -- posting evidence of your own illegal activities. When a bunch of kids beat up another child then merrily post a video of the crime on YouTube along with graphic comments, complaining about getting caught as a result likely won't elicit much sympathy.

It's really pretty amazing the sorts of information regarding just plain illegal activities that some people will publicly post, then get all bent out of shape when public searches reveal their actions.

Schmidt's specific statement on that CNBC report may have been rather poorly worded, but trying to play "gotcha" on the basis of that single line, given the wealth of evidence that suggests this is not really representative of Schmidt's (or even more importantly, "Google Policy") attitudes in this regard, seems at the very least to be unfair.


Posted by Lauren at 08:06 PM | Permalink

Massive New UK Internet Wiretapping Plan Announced

Greetings. Remember the controversy over the UK's Phorm "ISPs Spy on Users" Internet ad system?

Phorm was eventually beaten back, but it was small potatoes compared to what the surveillance-happy folks in Jolly Old England have got up their sleeves now.

Britain's Virgin Media ISP has announced a stunning plan to actually spy on the data content of Internet users -- using law enforcement grade equipment -- in search of illegal file sharing.

The scope of the plan is breathtaking. File sharing protocol packets will be opened and the contents run through music fingerprinting systems to try to determine if files are licensed or not. At this stage of the plan, any positive "hits" will be anonymous, but one can imagine how long that aspect will remain in force. And of course, if this sort of system can be justified to "protect" the music and film industries, it's a small step to arguing that all traffic should be monitored for any Internet content considered to be suspicious, illicit, or inappropriate by Her Majesty's government -- it's basically just a matter of how much communications and processing power you're willing to throw at the task.

There is no opt-out or opt-in. All files carried by any of the three primary file-sharing protocols are subject to inspection, with initially about 40% of subscribers being included in the "lucky" test group. And remember, these are private user-to-user Internet connections being monitored -- not postings on public Web sites where license fingerprinting can be reasonably justified.

What Virgin has announced is essentially the same concept as monitoring telephone calls in hopes of overhearing something illegal being discussed.

The question here isn't whether or not people should inappropriately trade licensed materials -- they shouldn't. The issue is Internet users -- including innocent, law-abiding subscribers -- being subjected to having their data content searched by whim of their ISPs, when such behavior would not (we assume!) be tolerated on conventional telephone calls (but what of VoIP phone calls traversing the Internet? A fascinating question of ever increasing importance ...)

Notably, the answer to these dilemmas is contained in a single word, which you've seen me use many times before: encrypt! As far as I'm concerned, all Internet traffic should be routinely and pervasively encrypted, not just to protect civil rights, but to protect economic and business security as well.

In fact, a spokesman related to the new Virgin ISP spying project notes that, "encryption of the data packet would defeat us."

Sounds like good advice to me.


Posted by Lauren at 06:29 PM | Permalink

December 03, 2009

Google's New Public DNS Service -- and Data Retention Issues

Greetings. In a move potentially of significant importance to the vast majority of Internet users who do not run their own DNS servers to resolve Internet site domain names, Google has announced their own publicly accessible DNS service.

Unlike some other publicly accessible DNS services that may redirect nonexistent domain queries for advertising purposes, Google explicitly states that "Google Public DNS never blocks, filters, or redirects users."

This is a key point for users who by default are configured to resolve their Internet DNS queries through sometimes restrictive ISP DNS services that may redirect or even block some DNS queries.

Using a different DNS service is usually as "easy" as changing the IP addresses in your OS DNS settings, but note that if your ISP is actually diverting the TCP/IP ports that DNS uses to communicate, it will be impossible for you to switch DNS servers through normal mechanisms. (For more information on testing for this condition, please see my Testing Your Internet Connection for ISP DNS Diversions page.)
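
One way to check for the port diversion described above, as an added example (it is not the author's testing page and not code from the original post): send a DNS query to an address that should not be running any DNS server, and treat a well-formed answer as evidence that something on the path is intercepting port 53. The address 192.0.2.1 (reserved for documentation by RFC 5737), the query name, and all function names are assumptions of this example.

```python
import secrets
import socket
import struct

# Assumption of this example: 192.0.2.1 sits in TEST-NET-1 (RFC 5737), a block
# reserved for documentation, so no real DNS server should answer from it.
NON_DNS_ADDRESS = "192.0.2.1"


def build_query(name, txid):
    """Build a minimal DNS query (RFC 1035): one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def constructed_reply(txid):
    """Constructed sample: the answer an intercepting resolver might send back."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_query("example.com", txid)[12:]
    # Name pointer to offset 12, type A, class IN, TTL 60, 4-byte address 192.0.2.55
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 55])
    return header + question + answer


def classify(reply, txid):
    """Interpret what came back from a query sent to a non-DNS address."""
    if reply is None:
        return "no-diversion-seen"      # silence is the expected outcome
    if len(reply) < 12:
        return "inconclusive"           # too short to be a DNS message
    reply_id, flags = struct.unpack("!HH", reply[:4])
    is_response = bool(flags & 0x8000)  # QR bit marks a response
    if not is_response or reply_id != txid:
        return "inconclusive"           # echoed query or unrelated datagram
    return "diverted"                   # someone answered on the target's behalf


def probe(address=NON_DNS_ADDRESS, name="example.com", timeout=3.0):
    """Send one UDP query to port 53 of `address` and classify the outcome."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (address, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:                 # timeout or unreachable: nothing answered
            reply = None
    return classify(reply, txid)


if __name__ == "__main__":
    print(probe())
```

A "diverted" result covers UDP port 53 only, and "no-diversion-seen" does not rule out interception that is applied only to queries aimed at well-known resolver addresses.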

A concern that frequently arises with DNS services is their logging policies. A DNS server potentially can gather a great deal of information about the Internet sites that you use. Both some ISPs and particular public DNS services have been criticized for their DNS data retention policies, which sometimes provide for indefinite or long retention of full DNS logging data.

Google has obviously recognized the sensitivity of this issue. Their separate privacy policy for the Google Public DNS strikes me as utterly reasonable, particularly given its very rapid (24-48 hours) deletion of what I would consider to be the key privacy-sensitive data.

No doubt this won't satisfy some hard-core Google haters, who will either suggest that Google shouldn't log any DNS query data even for a very short period of time -- or will simply claim that Google is lying about their privacy and data retention policies.

But I view graduated "data destruction" policies such as this one announced by Google as being completely appropriate to provide for reasonable research purposes without unreasonably impacting user privacy concerns. I can't help those critics who seem to cynically assume that Google is a serial liar about their privacy or other policies, or are convinced that integrated circuits were an "alien technology" gift from an extraterrestrial civilization.

Since I run my own DNS servers, I'm not in an immediate position to rigorously test the real-world performance of Google's new DNS service. But I'd be interested in your reports about this, including as much detail as you care to provide.

DNS is, for better or worse, at the heart of today's Internet. It will be fascinating to see what Google's efforts in this area will bring forth over time.


Posted by Lauren at 09:42 AM | Permalink