Google’s War on Trolls Could Help Save the Internet

As I’ve noted before, pretty much every day I receive emailed queries (and sometimes phone calls) from desperate persons who have effectively been driven largely offline for fear of retaliation for anything that they might say publicly online.

I don’t usually know them. They don’t usually know me except perhaps by reputation. They’re taking a leap of faith anyway.

They almost inevitably begin with words to the effect of “I hope that I can trust you” — and the fact that they’ve been driven to tell a total stranger some of the most intimate details of their lives is heartbreaking beyond measure.

I do what I can for them in terms of offering advice, but the range of options is in reality quite limited. Law enforcement is usually uninterested in dealing with these cases even when they’ve risen to obviously dangerous levels — their typical response to concerned persons is along the lines of “stay off the Internet.”

And the fact is that nowadays it’s a vast understatement to say that you can’t safely have a thin skin if you’re going to make public statements in most Net venues.

I’ve been at this game for a long time — effectively since the earliest days of the Internet — so my skin is pretty damned thick by now.

But even I’m not completely immune to twinges of discomfort when I survey the scope of attacks that I routinely receive.

Some of them are from trolls who make the mistake of incorrectly assuming that I’m female — the speed with which they retreat if I direct them to my Harley profile shot can be awesome to behold. And of course there are the usual antisemitic morons and other white supremacist cretins, right-wing imbeciles, and all the rest. These days they seem to almost inevitably be Donald Trump supporters. As we know, he joyfully attracts them like flies to you-know-what.

Among the Internet’s — and so the world’s — most crucial questions are ones of freedom of speech vs. privacy — open communications vs. trolling, threats, and hate speech.

It’s an incredibly delicate balance — how to limit hateful attacks that drive people to desperation, without creating a social media ecosystem that unreasonably limits free speech.

There are various ways to approach this set of difficult problems.

Over in Italy right now they’re taking exactly the wrong path — proposing a law that would fine “site managers” 100,000 euros if they don’t take action against posts that simply “mock” another person. The proposal’s standard is that a person simply “feels” that they were insulted. Laughably insane, impractical, and unworkable. Pretty much anybody could really rake it in under a law like that!

Back in the real world, Internet services with a sense of responsibility have long used their Terms of Service agreements to deal with posting abuse, with various degrees of success. Keep in mind that these firms have the utterly appropriate right to determine what they will permit and host — this is reasonable editorial responsibility, not censorship (I usually view censorship per se as almost inevitably being repressive actions by governments against third parties).

It has long seemed clear to me that appropriately dealing with the rising tide of trolls and other social media posting abuses would inevitably require an intensifying partnership between automated detection systems and human insights, each bringing different strengths and limitations to the table.

This is why I wholeheartedly support the ongoing efforts of Google (or more precisely, the “Jigsaw” division of Google’s parent Alphabet, Inc.) to leverage Google’s sophisticated and powerful artificial intelligence assets to help deal with the growing trolling and hate speech scourge.

I won’t attempt to summarize the details of their project here — you can read about it at the link just above.

But I did want to take this opportunity to express my view that while obviously we cannot expect any particular efforts to completely solve the deeply complicated and significantly multidisciplinary problems of social media posting abuse, I am convinced that Google’s approach shows enormous promise.

Through the efforts of Google and others working along multiple paths of research and associated policy analysis, we have some excellent opportunities to make seriously positive inroads against posting abusers, and in the process make the Internet a better place for the vast majority of its users and the global community at large. Communications will be greatly encouraged when the “fear factor” that holds so many wonderful people back from public postings is significantly reduced.

And frankly, if these efforts also have the side-effect of reducing the number of horrific posting abuse nightmares that fill my inbox from desperate persons seeking help, that will personally be for me a very welcome plus as well.

Be seeing you.

–Lauren–
I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

Hillary Was Wrong About Trump’s “50% Deplorables” — They’re Actually Much Higher

Hillary Clinton apologized today for a remark she made yesterday where she said that around half of Trump’s supporters were in a “basket of deplorables” — “the racist, sexist, homophobic, xenophobic, Islamophobic — you name it.”

Her remark was wrong, but she shouldn’t have apologized.

It was wrong because she significantly understated the degree to which Trump’s supporters are horrific, racist pigs — and far worse.

Polling data backs this up decisively.

A full two-thirds of Trump supporters cling to the racist and xenophobic belief that Obama is a secret Muslim. Almost that many still insist that he wasn’t born in the USA — a popular Trump claim that he has never repudiated.

But those opinions are a walk in the park compared with some of the other data on Trump’s salivating minions.

A third of them think that the WWII Japanese internment camps — one of the darkest actions in USA history — were a good idea.

Almost a third would support banning LGBT people from entering this country.

A full 30% of Trump voters feel that the white race is “superior” or aren’t sure that it is.

Of course the stink from Trump supporters comes directly from the top with Trump’s own xenophobic, racist, and fascist remarks and behavior — not limited to his love fest with racist dictator Putin — and from the bottom with his overwhelming support from white supremacist monsters like David Duke and the rest of the sickening, racist,  “Alt-Right” movement — some of whom now hold high positions in Trump’s own campaign organization.

And in a vivid proof of the “rotten father: rotten son” theorem, zombie son Eric Trump has continued this past week Tweeting false stories, including regarding imaginary Hillary secret earphones and — just today — a fake, doctored photo claiming to have been of a Trump rally last night (it was actually from last year). Talk about a family that’s rotten to the core.

It is undoubtedly true that not every single Trump voter is themselves a racist per se.

But there’s an old saying: “If you sleep with dogs, expect to arise with fleas.”

And by allying themselves with the racist, duplicitous creature of evil that is Donald Trump, his supporters have voluntarily accepted unto themselves Trump’s filth, his disease, his hideous sensibilities that have no place outside of a nest of dung-feeding roaches — no offense meant to roaches, of course.

This is why Hillary’s estimate of the depth of Trump’s followers’ depravities was too conservative, too “politically correct” as it were.

Because Trump’s followers — by the mere fact that they’d be willing to put an ignorant, perverted sociopath like Trump in control of nuclear weapons that could destroy civilization on Earth many times over — have demonstrated that they are at the very least “deplorable” — and by most measures simply supplicants to Donald Trump’s evil itself.

–Lauren–

The Downsides of Google’s Chrome Security Push

Google has world class security and privacy teams, but I continue to have misgivings about certain aspects of their Chrome browser security push — particularly regarding warnings to users when connections are using unencrypted http: as opposed to https: encryption.

While the push to encrypt Internet connections by default is a laudable one, it is also essential that fundamental aspects of practicality and user reactions also be carefully considered.

I touched on some of this over a year ago in “Falling Into the Encryption Trap” — but now that Google has made more explicit their plans for browser address bar warnings to users regarding http: connections, I’m again concerned.

Apparently in January of next year Google intends to replace the current quite reasonable “information circle” indicating non-encrypted pages, with an explicit “Not secure” warning — ultimately to be displayed in bright red with a danger triangle.

I am absolutely certain — based on the many queries I receive routinely from users who are already confused and concerned about other security warnings they see and misunderstand — that the escalation to these sorts of warnings by Chrome will vastly and unnecessarily increase confusion and even panic among significant categories of non-techie users when accessing various sites important to them.

Because the truth of the matter is that it remains both impractical and unnecessary for all sites to convert to https: at this time.

It is certainly true that theoretically any site could become a vector for misinformation or malware via man-in-the-middle manipulation of their connections, and the use of various insecure and/or poorly managed ad networks increases the risks in this context.

But as a practical matter, the vast majority of exploits that users must contend with do not come from the manipulation of Internet connections. Rather, infections via email phishing, contaminated sites, and similar techniques represent the overwhelming majority of successful attack vectors.

Still, it is inarguable that all else being equal, having all connections as encrypted https: rather than unencrypted http: is extremely desirable.

Unfortunately, all else isn’t equal.

There are uncountably vast numbers of legacy sites that provide widely referenced information to enormous numbers of users, yet do not sell anything, don’t collect usernames or passwords or other private information, and don’t participate in any ad networks.

Many of these sites have been online not just for many years, but even for decades. They typically use older software systems that are difficult or impractical to directly update, and frequently operate on a shoestring (or even zero) budget, while not creating any income at all.

It will frequently prove impossible from a money and/or time standpoint for the operators of such sites to convert to https: — yet Chrome’s warning system will likely confuse their users into assuming that they are actually being spied on — rather than the actual fact that such surveillance is in any given case theoretical (and in practice an extremely low probability) on those individual connections.

And while the cost of encryption certificates has now dropped to zero with the advent of services such as “Let’s Encrypt” — the effort required to actually make them work can be anything but trivial.

I recently converted all of my sites, some of very long standing, to https: using Let’s Encrypt. Even though my sites are not fancy in any way, it was an enormous amount of work, and required every ounce of knowledge I had regarding the sites’ internal architectures. While Let’s Encrypt promotes scripts to supposedly handle such conversions automatically, I cannot recommend those procedures except for the very most trivial and simplistic of sites — anything beyond that and you’re liable to end up with a mangled site configuration nightmare — you’d better have good backups handy!

I’m frankly uncertain how to best achieve a practical compromise position regarding browser security warnings.

I do know that a scary red “Not secure” warning is likely to unnecessarily panic many users and unreasonably disadvantage many sites.

This is especially true when there is no explicit indication to users as to how they can obtain more information about that warning — such as what does it really mean in terms of actual risks? — in language that non-techies will actually understand. Even now, the security details that Chrome provides if one knows to click on the address bar security icon are pretty much technical gobbledygook as far as most users are concerned.

My sense is that despite their great skills in privacy and security matters, Google has not genuinely considered the impacts of their upcoming browser warnings on significant segments of the user and site populations, who by and large do not live 24/7 in the same rarefied security worlds as do many of us.

Luckily, this is a fixable problem, if Google is willing to put forth the effort and outreach to fix it. I respectfully urge them to do so.

Be seeing you.

–Lauren–

Oscar’s Ageism and Society’s Disposable Workers

I’ve long had a policy of avoiding involving myself in Hollywood politics — not always easy having resided here in L.A. for my entire life to date.

But something’s going on with Oscar — or more precisely the Academy of Motion Picture Arts and Sciences (AMPAS) — that is disturbing both in and of itself, and for what it says about our society at large (including here in the tech world).

The Academy Award (Oscar) presentations have always tended to be quite “white” — more so than ever in recent years, leading to calls of racism and protests.

The Academy does have real problems in this respect. It’s not purposeful racism per se, but it is a form of effective racism that has been an outgrowth of AMPAS membership policies and the structural history of popular films and Hollywood production patterns pretty much since the dawn of the movie industry.

With recent protests being particularly embarrassing to the Academy, AMPAS has now moved to try to deal with what they perceive to be their “too many voting old white men” problem.

But they’re doing it in exactly the wrong way, exchanging their existing diversity problems for outright ageism.

Rather than changing their membership and voting rules going forward for new members in a manner that would encourage racial and other diversity, they’ve decided to try to cull their oldest members — some in their 90s who have been Academy members for many decades and have always played by the rules — by stripping them of their Oscar voting rights.

While this obviously does not rise to the level of the kind of rampant workplace ageism and discrimination as reported recently by The New York Times, it still is a slap in the face to loyal, older AMPAS members who have done absolutely nothing wrong, and is yet another example of society kicking older persons in the gut as an ostensible “quick fix” solution for complex structural problems. Quick “fixes” — I might add — that typically make those problems far worse rather than fixing anything at all.

Outside of the Hollywood ecosystem, the intricacies of who votes for or receives Oscars is not a matter of much import to most people.

But what AMPAS’ actions tell us about the treatment of older persons in general is very much in scope, and perhaps the sheer ham-handed, doltish approach of the Academy to their very real diversity problems shines a key light on society’s failings in this regard — illuminating the broader issues in a way especially difficult to dismiss or ignore.

And that’s the truth.

–Lauren–

Network Solutions Still Operates Like a Bunch of Crooks

I still have a couple of my oldest Internet domains — including one that turned thirty years old this year and was among the first 40 dot-com domains ever issued — with Network Solutions (NSI) for historical reasons, and I continue to be impressed with the firm’s ability to closely emulate the practices of the worst kind of Internet crooks.

NSI sends out important notifications missing key information, worded like spam or phishing attacks, transmitted from unfamiliar domains, and as HTML-only email messages. All the hallmarks of illicit contacts, or at least of rank amateurs in action.

Their “off the shelf” domain renewal prices are abysmal of course, but even worse are their outrageous attempts at upselling during the domain renewal process.

They by default select (pre-check) expensive options like “private” domain registration (as far as I’m concerned, anyone doing business over the Internet should not be permitted to have a private registration, absent some relatively rare special situations — but that’s a discussion for another time). 

Their form sequences attempt to trick you into switching your domains to their DNS servers, to sign up for hosting services you don’t want or need, and they employ all of the lowlife tricks — confusing interfaces, low contrast decline buttons — you know the drill.

Network Solutions has been pulling these kinds of stunts for years, but it seems like they’re continually striving to reach even new lows.

These clowns don’t deserve our business. Hell, they don’t deserve to be in business. They’re a stain on the Internet. 

If you haven’t already done so, shun them as soon as you can.

–Lauren–

A Horrific New Animal Cruelty Commercial from Toyota

Toyota is running a new TV spot (internally titled “Camping”). It’s already triggering letters and petitions to Toyota to remove it from the air immediately. It’s breathtakingly stupid and could easily trigger dangerous copycats.

It features a moronic couple who throw a stick into a rapidly flowing river so that their dog will chase after it into the water. You then see the dog being rapidly washed away down the middle of the river. The couple races ahead downstream in their new Toyota to meet up with the dog who has somehow managed to survive the ordeal.

Then the woman says “My turn!” and throws the stick back into the river to bait the dog into the rapidly flowing water yet again.

It’s obviously supposed to be funny. Instead it’s hideous.

Whoever green-lighted this monstrosity at Toyota and their ad agency should be fired and never permitted to own animals of their own. What kind of total idiots produce a commercial like this that is bound to inspire other idiots to try the same thing?

Breathtakingly evil. Here’s the video of the spot. I’m told that there apparently is at least one additional version of this commercial that is even more disturbing.

Please let Toyota know how you feel about this. Thanks.

–Lauren–

When Associated Press + Twitter = The Big Lie About Hillary Clinton

 

UPDATE (8 September 2016): “The Associated Press today is deleting a 2-week-old tweet about Hillary Clinton’s meetings as Cabinet secretary after concluding the tweet fell short of AP standards by omitting essential context.”

– – –

The venerable Associated Press news agency was formed in 1846 by New York City newspapers to fund a Pony Express route for obtaining news regarding the Mexican War. In the approaching two centuries since then, AP has maintained a solid reputation for diligence and accuracy in its reporting that’s depended upon by the vast number of news outlets and other media that publish AP’s reports.

In my own dealings with AP over the years, I’ve found their reporters to be knowledgeable, intelligent, and fair-minded, working hard to get to the facts of events. In AP items where I’ve been quoted, my referenced quotes have always been correct and in the appropriate context.

So it’s difficult for me to fathom AP’s behavior in the current controversy over their direct misstatement of facts regarding Hillary Clinton and the Clinton Foundation, and their refusal to admit that they royally botched this up, even in the face of virtually universal condemnation regarding this case.

AP started down this self-humiliating path last Tuesday, when it tweeted:

BREAKING: AP analysis: More than half those who met Clinton as Cabinet secretary gave money to Clinton Foundation.

That tweet is still up on AP’s Twitter feed. AP continues to refuse to remove it or admit that as written it was a totally false statement — that is, a lie.

In reality, that statistic applied to an extremely limited subset of meetings — only 154 out of many thousands — that Hillary Clinton had held in her official capacity with both government employees and private citizens during her tenure at the State Dept.

The AP’s cowardly explanation of this tweet and their failure to report accurately regarding this matter basically boils down to their frustration that the State Dept. has been slowly releasing Clinton’s calendar records from the period — so apparently they felt it appropriate just to go ahead and misrepresent the available small subset of data as if it were the entirety of the data that will ultimately become available for analysis.

It’s pretty easy to guess what happened next. Someone in AP’s social media department presumably wanted the most “bang for the buck” when they tweeted this story, and composed a clickbait tweet that would fit within Twitter’s 140 character limit.

That the tweet utterly misrepresented the actual facts, and instantly provided Donald Trump and other Hillary haters a handy piece of false propaganda to yell at rallies, apparently was not within the sphere of AP’s concern.

We all understand what’s been happening in the news biz. Clicks and eyeballs increasingly come before facts and truth. But to see AP sink to this low level is painful and distressing.

To make matters worse, AP appears to now be channeling Trump himself, refusing to admit that their story was misleading and that their tweet was an outright travesty. They’re refusing to apologize or correct the record, and are displaying much the same sort of intransigence that Trump himself famously displays when caught in misrepresentations, half-truths, or outright lies.

Perhaps worst of all, we’re now faced with the inevitable question of how much we should trust AP’s future stories, tweets, and other pronouncements, especially while AP continues to permit that original false tweet to stand.

In a sea of rapidly declining journalistic standards around the world, Associated Press has stood out like a bright beacon of truth amid the gloom. Now it appears that even that light is dimming.

I hope that AP changes course and admits their errors and misjudgments in this matter. They can still avoid the fate of so many other news organizations who have permitted themselves to devolve into lowest common denominator clickbait pablum.

But this is indeed a dark time for journalism. And it’s an even darker time for all of us who depend upon professional journalists to fairly and accurately help us understand what’s going on in the world around us.

And that’s the truth.

–Lauren–

Foolish and Dangerous: Europe’s Clothing Attacks Against Muslim Women

UPDATE (26 August 2016): France’s “burkini” ban has wisely been overturned by the country’s top administrative court.

– – –

I am probably among the last guys on this planet who would normally ever become concerned about issues related to clothing fashions of either women or men. But I do care a lot about civil liberties and fighting terrorism, so it’s impossible for me to ignore the stupid, inane, and frankly dangerous actions by officials in France who have been banning the women’s fashion popularly known as the “burkini” from beaches along the Riviera.

The burkini — primarily a choice of some Muslim women but reportedly with around 40% of sales going to non-Muslims — is a beach garment that only exposes the face, hands, and feet. Frankly, given the increase in ultraviolet radiation and risks of sunburn or much worse these days, this indeed sounds like an eminently practical garment for a lot of folks, irrespective of their religion.

Oh, but not in France. Not in the land of “Liberté, Égalité, Fraternité” (Liberty, Equality, Fraternity), from where photos and videos are appearing showing armed police forcing women to remove clothing at the beach, then ticketing them for failure to wear “an outfit respecting good morals and secularism.”

But beaches where women can go topless or nude in France? Hey, no problem there, eh?

Now, I have nothing against “clothing optional” beaches.

But the sheer hypocrisy on display by French officials in the context of the burkini ban is nothing short of breathtaking.

While French officials have attempted to claim otherwise, their actions are a direct attack specifically on women who choose to dress modestly at the beach — and yes, while that doesn’t mean only Muslim women, the French focus against Islam in this instance is obvious to everyone.

This is only one example of Europe’s growing obsession with restricting the clothing choices of Muslim women.

It’s not just burkinis under attack, but also other forms of traditional Muslim dress ranging from burkas to simple head scarves.

Ironically, these European governments are imposing their own “clothing oppression” while claiming that they’re protecting Muslim women from religious oppression! This displays either vast ignorance or massive hypocrisy or both — since many Muslim women prefer these modest forms of dress, and are not forced nor coerced into wearing them.

In any case, for governments to dictate women’s clothing choices in this manner is abominable.

I’m not a religious person, but I consider religious freedoms being trampled this way by ostensibly enlightened countries in Europe to be utterly disgraceful.

Worse, it’s potentially extremely dangerous, since it plays directly into the hands of radicals who can easily leverage these government actions into “War on Islam” propaganda to inspire terrorists and other criminals. It’s almost as if these governments are purposely choosing dictates most likely to provide terrorists with as much ammunition as possible for evil efforts.

France and the rest of Europe need to get their figurative heads out of their figurative behinds. They need to be working on the foundational issues of conflict within and related to the Middle East, not women’s choices in clothing.

And they need to stop behaving as if the West is on the verge of a new Crusade against Islam.

Europe’s current approach is wrong and foolhardy, and can only lead down the path toward further intolerance and hatred — and risks sucking the entire world down into an endless nightmare significantly of these governments’ own making.

–Lauren–

When Hiding Passwords Is Stupid — or Worse!

As I’ve noted a number of times previously, the fact that we still have accounts “secured” by passwords this far into the 21st century is pretty much a security abomination. Adding on multiple-factor security tokens and such is a big help, but passwords themselves remain a weak link in the chain of security, and a vast number of sites and apps rely on passwords without any additional authentication measures at all.

Since the dawn of online systems, it has been standard practice to obscure the display of entered passwords by one means or another.

There are basically two reasons for this. One is the obvious issue of someone looking over your shoulder while you’re logging in.

The other is steeped in computing history.

Early online systems were primarily accessed with paper printing terminals (e.g. Teletype Model 33, IBM 2741, etc.), and leaving around or carelessly disposing of a printout with your password visible could be a serious mistake.

The earliest printing terminal systems were often “half-duplex” in design, meaning that typed characters were echoed locally. To obscure passwords in this instance, the common technique was for the system to overprint a bunch of characters a number of times before the user entered their password over the resulting black blob of ink. This wasn’t foolproof, but was remarkably effective at the time.

For printers on full-duplex circuits, it was possible simply to suppress any echoing of the user password at all, or to print a character like asterisk in place of each typed character.

This same basic model continues today on the Web and in app ecosystems.

Entered passwords either aren’t echoed, or commonly are replaced with asterisks. Some app systems will give you a brief glimpse of the input character before replacing it with an asterisk.

Unfortunately, these kinds of techniques have become decreasingly useful as users have been encouraged or required to use ever longer, ever more complex passwords and passphrases, because the probability of mistyping these entries increases with their complexity.

And it isn’t just a matter of having problems logging in.

The same obscuration techniques are often employed when setting or changing passwords, typically combined with the ever-popular “enter it again” prompt or field, based on the flawed theory that you’d never type the same obscured input in error twice and so set your password incorrectly (and locking yourself out) as a result.

For that matter, even typing the same complex password twice in a row in an obscured field to set the password correctly can be an exercise in frustration.

Recently, the trend toward obscuring input fields has been spreading to all manner of other entries as well, including check account data, credit card numbers, even dates of birth — and much more. I’ve seen forms where even the fields for inputting your first and last names were obscured with asterisks!

Such obfuscations wouldn’t be such a significant problem if there existed a routine way for the user to disable them on demand.

It’s stupid — bordering on insane — to force users to jump through the hoops of blindly entering complicated passwords or other data when they’re alone and there’s no risk of anyone surreptitiously peering at their screen.

And for users with poor typing abilities, motor skill or visual limitations, or other related issues, these input methodologies can be downright abusive. This is one of the most common complaints showing up in my inbox about interface issues.

But wait, it gets even worse!

Many user interface designers, laboring under a twisted misconception of security, purposely make it even more difficult for users to enter their passwords, by rigging their pages or apps to prevent copy/pasting of passwords, and/or by blocking the use of password managers, field autofill systems, and so on.

This really isn’t rocket science.

Except in crucial enterprise environments or especially elevated security situations, it should be common practice for user interfaces to provide a method for the user to see their passwords or other data as they enter it if they choose to do so — a simple enabling checkbox with an appropriate warning would suffice. And this would be the display of the entire password or other input, not just a flash of each letter as it’s being typed.

Some systems already provide this to one degree or another, but this is relatively unusual to find.

Android for example has a little “eye” symbol next to where you enter Wi-Fi passwords, that can be clicked to display the password. This is good, though I’ve had many users tell me that they had no idea of what that symbol meant and so didn’t realize that they could view their Wi-Fi passwords in that manner.

But again, this is an exception to the more general situation of user interfaces across the Web and app worlds that don’t provide such options.

We should be striving to completely eliminate passwords from our systems, replacing them with more robust authentication and security models.

For now though, we still must live with passwords in most cases, and the option should be routinely provided for users to display entered passwords or other obscured data when they choose to do so.

And as for those user interface designers who purposely and unnecessarily block tools and techniques that would make it simpler for users to enter complex passwords — well, since this is a family-friendly blog I won’t mention here what I feel should really happen to them!
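A check for the anti-patterns criticized above, as an added example that is not part of the original post: a Python lint that parses form markup and reports password fields whose inline handlers block paste or drag-and-drop, that set autocomplete=off, or that have no show-password control. The sample forms, the function names and the keyword heuristic for spotting a reveal control are assumptions made for this illustration; handlers attached from script files are outside its reach.

```python
from html.parser import HTMLParser

# Inline handlers that, when they cancel the event, stop paste, copy, cut,
# drag-and-drop or the context menu on a field.
BLOCKING_EVENTS = ("onpaste", "oncopy", "oncut", "ondrop", "oncontextmenu")
# Heuristic (assumption): a reveal control mentions one of these words plus
# "pass" somewhere in its id, name, class, aria-label, title or value.
REVEAL_HINTS = ("show", "reveal", "toggle", "unmask")
LABEL_ATTRS = ("id", "name", "class", "aria-label", "title", "value")


def cancels_event(handler):
    """True if an inline handler cancels its event."""
    compact = "".join(handler.lower().split())
    return "returnfalse" in compact or "preventdefault(" in compact


class PasswordFieldAudit(HTMLParser):
    """Collects findings for <input type="password"> fields in one document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.password_fields = []
        self.reveal_controls = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "").lower()
        if tag == "input" and kind == "password":
            name = a.get("name") or a.get("id") or "(unnamed)"
            self.password_fields.append(name)
            for event in BLOCKING_EVENTS:
                if event in a and cancels_event(a[event]):
                    self.findings.append(
                        f"{name}: inline {event} handler cancels the event")
            if a.get("autocomplete", "").lower() == "off":
                self.findings.append(
                    f"{name}: autocomplete=off discourages password managers")
        elif tag == "button" or (tag == "input" and kind in ("checkbox", "button")):
            label = " ".join(a.get(k, "") for k in LABEL_ATTRS).lower()
            if "pass" in label and any(h in label for h in REVEAL_HINTS):
                self.reveal_controls += 1


def audit_form(html):
    """Return a list of findings; an empty list means nothing was flagged."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    findings = list(parser.findings)
    if parser.password_fields and parser.reveal_controls == 0:
        findings.append("form: no show-password control for obscured fields")
    return findings


# Constructed sample markup, not taken from any real site.
HOSTILE_FORM = """
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="off"
         onpaste="return false;" ondrop="event.preventDefault()">
  <input type="password" name="pw_again" onpaste="return false">
  <button type="submit">Sign in</button>
</form>
"""

FRIENDLY_FORM = """
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" id="pw" name="pw" autocomplete="current-password">
  <label><input type="checkbox" id="show-password"> Show password</label>
  <button type="submit">Sign in</button>
</form>
"""

if __name__ == "__main__":
    for title, form in (("hostile", HOSTILE_FORM), ("friendly", FRIENDLY_FORM)):
        print(title)
        for finding in audit_form(form) or ["nothing flagged"]:
            print("  " + finding)
```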

Be seeing you.

–Lauren–
I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

Google Questions & Unofficial Answers: “Does Google Make Junk Solicitation Phone Calls?”

This is a new entry from my Google+ Community Google Questions & Unofficial Answers.

It seems like almost every day I get junk solicitation phone calls “from Google.” They call about my Google business local listings, about my not being on the first page of Google search results, and so on — and they want me to pay them to “fix” this stuff. When I look up the Caller ID numbers they use, I often find pages of people claiming they’re Google phone numbers. Sometimes the Caller ID display actually says Google! Is Google really doing this?

Negative. NONE of these calls are from Google. Zero. Zilch. Nada.

These callers are inevitably “SEO” (Search Engine Optimization) scammers of one sort or another. They make millions of “cold calls” to businesses using public phone listings (from the Web or other sources) or using phone number lists purchased from brokers.

If you ever actually deal with them, you’ll find that their services typically range from useless to dangerous — “black hat” SEO firms often use illicit techniques to try to boost search rank, which can result in your being demoted or even banned from Google search entirely.

These callers usually either falsely identify themselves as actually calling “from Google” — or they may say they’re “calling about your Google account” — or similar words to that effect.

Now about those “Google, Inc.” Caller ID numbers on these calls. They’re always fakes of one sort or another.

As you may have heard, Caller ID — which is a relatively ancient control and signalling methodology not designed for the 21st century — is easily and widely spoofed with false names and numbers. You cannot put any reliance whatsoever on what Caller ID tells you these days.

For example, one common technique is for a scammer in some distant call center “boiler room” to set the Caller ID to a “local”-appearing number, sometimes combined with the name of a local business, in an attempt to make the call more attractive for you to answer. As you can imagine, the innocent parties whose names or numbers are abused in this manner are also victims of these spammers and scammers.

And that’s how these SEO crooks operate. They spoof the Caller ID system to falsely show numbers (and/or names) that are associated with Google — such as numbers used for 2-factor authentication calls or various Google Voice numbers — to try to fool you into thinking that the calls themselves are coming from Google, Inc.

Various persons unaware of how this spoofing works then list those numbers on “spam alert” site pages claiming that the numbers indicate that Google is actually making the calls. They are incorrect — again, Google never is the source of such calls.

Also — and this is very important and an issue I touched on in some other Q&As on this page — Google NEVER uses the phone numbers you provide them for account recovery and/or 2-factor authentication for any other purpose without your explicit permission, never uses them for solicitation calls, doesn’t sell them to third parties — and … you get the idea. And by the way, you really do want to proactively set up account recovery and 2-factor — as per the Q&A items at:

https://plus.google.com/+LaurenWeinstein/posts/L3DcshM4Nmi

and:

https://plus.google.com/+LaurenWeinstein/posts/avKcX7QmASi

The bottom line is that none of those harassing, scammy SEO phone calls are from Google.

And frankly, you really don’t want to deal with any of the firms who are actually making those calls — unless you’re a masochist with money to burn who wants to ruin your site’s reputation, that is.

— Lauren —

Care About Science and Tech? Our Job One: STOP TRUMP

When we think of politically-oriented publications, it’s unlikely that venerable, more than 170-year-old Scientific American typically comes to mind. 

So I was definitely stopped in my tracks when I saw their new editorial titled “Donald Trump’s Lack of Respect for Science Is Alarming” — that included these very accurate words:

“Scientific American is not in the business of endorsing political candidates. But we do take a stand for science — the most reliable path to objective knowledge the world has seen — and the Enlightenment values that gave rise to it. For more than 170 years we have documented, for better and for worse, the rise of science and technology and their impact on the nation and the world. We have strived to assert in our reporting, writing and editing the principle that decision making in the sphere of public policy should accept the conclusions that evidence, gathered in the spirit and with the methods of science, tells us to be true.”

For those of us who care about science and technology, about demonstrable truths vis-à-vis ignorant, tinfoil-hat ramblings, it’s clear that we’ve now come to a critical, likely historic, moment of reckoning. 

It’s long been de rigueur for scientists and technologists — most of whom have spent entire careers working tirelessly (and often vastly underpaid) to advance the developments in their fields for the sake of the global community at large — to be told that they should avoid directly engaging in political matters, even when their work is directly involved.

There have always been some individuals in these fields who have ignored this dictum and spoken out anyway — sometimes to the serious detriment of their careers and livelihoods.

But when a publication with the stature of Scientific American raises the red flag about a major presidential candidate, it’s time for everyone in the tech and science fields to take notice and do some serious soul searching.

Because the dangerous, ignorant, fascist, racist, misogynist, continually lying monster that is Donald Trump is significantly of our own creation.

We must now come to terms with this truth while we still can, much as ultimately did J. Robert Oppenheimer relating to his key role in the creation of nuclear weapons.

By staying relatively silent regarding specific political matters and in particular regarding specific political candidates, we have permitted anti-science, anti-technology propaganda, misinformation, lies, and fantasies to flourish — all of which can have and have had serious detrimental real-world impacts.

Fear of invoking the Streisand Effect or being accused of “not being balanced” has caused various major tech firms to not speak out directly against obviously false statements by ignorant and opportunistic politicians regarding established scientific principles and technological realities — this holds true for everything from climate change to Internet competition and net neutrality, and far beyond.

We have also more explicitly contributed to the chain of events that has led to a hideous, sociopathic, erratic creation like Trump, who — if given control over our nuclear arsenal as USA president — could literally destroy human civilization on this planet in only slightly more time than it currently takes him to send out a stream of incoherent, babbling Tweets.

The incredible global Internet that we have spent decades building and nurturing is a quintessential tool that can be used for both incredible good and for horrific evil. 

There’s no avoiding the fact that it is very much various aspects of the Internet and Web that have enabled “echo chambers” where like-minded thugs, bullies, white supremacists, and other ignorant and violent haters could congregate and then coalesce around Donald Trump, who feeds on their vileness as a diseased-laden mosquito feeds on human blood.

Censorship of such demons is of course not an answer — but political action is indeed the solution.

If you honor humanity and civilization, if you care about science and technology and what’s factually true on our world and in the greater universe, then you must accept that keeping Donald Trump out of the White House is of the very highest priority. For his presence behind the desk of the Oval Office and his possession of nuclear codes could quite literally be the greatest threat to all that we have created and hold dear since the rise of civilization.

All legal means must be employed to STOP TRUMP. It’s not enough just to register to vote and to get your friends, family, and associates to register. Actually following through and voting for Hillary Clinton — even with her various acknowledged faults — is the only effective means to stop the human nightmare of Trump in his tracks.

Complacency in this election — not actually bothering to vote, or throwing away a vote on a third-party candidate (even in states that Trump is overwhelmingly unlikely to win) — would be a disastrous mistake that could net Trump a victory that would cause fascists and racists of the past to smile broadly from their graves. 

Nor is it enough to simply stop Trump on Tuesday, November 8th. 

He needs to be overwhelmingly beaten, massively crushed in a landslide if possible. We must send a message to future right-wing, racist demagogues — who could be even more dangerous than Trump given similar heinous sensibilities but fewer of his obvious, self-defeating character flaws — that they will not be anointed with political power and that American patriots will always reject their vile rants of hate.

Early voting starts in less than six weeks in some locales. I ask that you please take a few minutes away from your current projects to consider carefully what is at risk in this election and what a Donald Trump presidency would mean for us all should he and his ignorant band of anti-science, anti-technology cronies gain such awesome power.

I earnestly hope that the thought sends a chill down your spine. 

Now we must move from that very real fear to very real political action. There is no time to waste. History would never forgive our faltering at this crucial juncture.

STOP DONALD TRUMP.

–Lauren–

“Highly Illogical”: The Hysteria Over Google’s Wi-Fi Scanning

 

(Original posting date: 28 May 2010)

Greetings. I don’t find many opportunities (nor do I have much inclination) to channel characters from Star Trek, but I can only imagine Mr. Spock’s likely bemusement related to the shrill and illogical brouhaha over Google’s Street View Wi-Fi scanning.

To quote the ungrammatical Mr. Bumble, a reprehensible yet occasionally insightful character in Charles Dickens’s Oliver Twist, sometimes “the law is a ass–a idiot.”

Such is the case — as far as I’m concerned — when it comes to laws and controversies regarding the scanning of open Wi-Fi networks.

Let’s start with a basic truth — an open Wi-Fi network is, duh … open!

While the number of open Wi-Fi networks has been falling relative to nets secured at least with weak WEP crypto, or much better with WPA (or better yet, WPA2), there are still vast numbers of open Wi-Fi networks that pop up without prompting all over the world.

Raise your hand if you’ve never seen an open Wi-Fi net when attempting to connect your laptop to the Internet. Very few hands raised out there, I’ll wager.

Now raise your hand if you’ve ever opportunistically connected to an open Wi-Fi net, without permission. Lots of hands raised now.

And have you ever driven around your neighborhood with wardriving software enabled on your laptop or phone, listening to the “pings” as Wi-Fi sites registered at nearly every home or business you passed — and perhaps you saved the data and created Wi-Fi maps to use and share?

This is not just a hobbyist activity. Companies like Skyhook Wireless have built entire businesses around geolocation systems that involve the scanning of Wi-Fi signals.

And why not? Wi-Fi networks are essentially as obvious to outside observers, walking down the sidewalk or driving up the street, as are porch lights, or the flickering TV screens visible through curtains after dark.

Even when Wi-Fi access points are configured with their “SSID” beacons disabled — which tends to cause various user complications — Wi-Fi routers and hotspots are about as secret as a full moon on a cloudless night, and pretty much just as impossible to actually hide.

You can still pass laws to ban Wi-Fi scanning of course — just as the order can be given to ignore the fact that the emperor actually is parading down the central square stark naked. But reality generally triumphs over nonsensical laws in the long run.

Laws related to Wi-Fi scanning don’t exist in a vacuum, and seem to often be related to laws that attempt to ban photography of imagery that can be easily seen by observers from public places. Such illogic has been used to attack Google’s Street View photos, in much the same way that Google is now being chastised for Wi-Fi scanning associated with Street View vehicles.

Amusingly — in a sick kind of way — the fact is that the same government entities who tend to push forth a dramatic show of disdain for Street View — and now Google’s Wi-Fi scanning — are often the same ones rapidly deploying massive real-time CCTV (closed circuit TV) surveillance systems, with vast amounts of real-time imagery data pouring into government servers to be used in often unspecified ways for indefinite periods of time. Some of these entities have also conducted mass and sometimes illegal surveillance of their telephone and Internet networks.

Their complaining about Street View and Wi-Fi therefore seems highly disingenuous — but obviously politically expedient.

Google did make mistakes — they’ve publicly taken responsibility for these — related to the Wi-Fi Street View controversy. It probably would have been wise to publicly announce their Wi-Fi scanning capabilities before beginning the project, so that various governmental entities could register any concerns based on their associated national laws — however ridiculous those laws might be in this sphere, given the ease with which anyone with simple tools can scan Wi-Fi anywhere.

But since Google’s “adversaries” now “pile on” at every opportunity, proactive discussion of the Wi-Fi aspects of Street View might have avoided a fair amount of the current controversy.

The ostensibly more dramatic aspect of Google’s Wi-Fi situation relates to their revelation that their Wi-Fi scanning systems were unintentionally collecting highly fragmentary “payload” data from open Wi-Fi nets, in addition to locationally-related (e.g., SSID) data.

Google critics have been screaming — how could this possibly happen by accident? “What kind of nightmarish, nefarious plot is in play?” — they demand to know.

First, contrary to some of the accusatory claims being made, it’s extremely unlikely that any banking or similarly sensitive data was exposed even in fragmentary form, for the simple reason that virtually all sites dealing with such data use SSL/TLS security systems (https:) that would provide typical encryption protections regardless of the open, unencrypted nature of (extremely unwisely configured) underlying Wi-Fi systems.

And while clearly the collection of Wi-Fi payload data by Google was a significant oversight, it’s the kind of mistake that is actually very easy to make.

It’s completely ordinary for network diagnostic tools and related software to include mechanisms for the viewing and collection not only of “envelope” data but also of test data “payload” traffic flows. Virtually every Linux user has a tool available for this purpose that can provide these functions — the ubiquitous “tcpdump” command.

In Google’s case, it seems highly likely that a procedural breakdown — not criminal intent of any kind — led to the payload data capture portion of the Wi-Fi scanning tools not being appropriately disabled. Such procedural problems are naturally to be avoided, but for critics to try to balloon such an issue into fear mongering and conspiracy theories just doesn’t make sense.

And given the very high capacity of inexpensive disk drives today, it’s simple to see how even relatively large amounts of data — like accidentally collected payload data — could collect unnoticed in an obscure directory somewhere deep in a file system over long periods of time.

Like I say, I’m not a lawyer. Other heads will thrash out the legal aspects of this situation.

In my own view, the entire saga has been blown out of proportion, largely by forces primarily interested in unfairly and inappropriately scoring points against Google, rather than treating the situation — both as relates to Google’s Wi-Fi scanning and more broadly to Street View itself — in a logical and evenhanded manner.

But then, that’s pretty much what we’ve come to expect from you humans.

–Lauren–

Right-Wing Internet Sites in Panic over FBI Smartphone App Solicitation

One of my rather right-wing correspondents sent me a note this morning with materials making the rounds of right-wing Internet sites about a new surveillance-oriented FBI smartphone app solicitation.

While most of the stuff on those sites is total hogwash, this particular solicitation actually does exist — dated 29 July 2016 — and is worthy of some analysis.

The solicitation itself:

Smartphone-Based Audio Recorder
Solicitation Number: DJF-16-1200-N-0007
Agency: Department of Justice
Office: Federal Bureau of Investigation
Location: Procurement Section

And the quite interesting draft technical requirements are available for download.

The background description includes capabilities such as:

– Running on Android, iOS, or Windows
– Overt (e.g. interview) and stealth/remote control surveillance modes
– Not requiring jailbreaking for installation
– Storing and streaming of audio, plus GPS, and eventually video
– Cryptographic hash for data integrity and chain of custody control
– Encryption of data on phone not required
– And more

So what’s really going on here?

Right-wing sites are spinning this as “the government is going to turn all our smartphones into bugs!” That clearly is not the goal here.

First, we know that there are already a large number of apps available for these phones that provide many of the capabilities asked for in this solicitation. We can be sure that governments are already using these off-the-shelf apps for surveillance purposes.

But the solicitation technical requirements reveal the government’s main “problems” in this regard: authentication and chain of custody.

When the government goes to court currently with such recordings, they often have to provide testimony vouching for the veracity of the recordings, and provide technical details in open court that they’d prefer not to discuss. As the solicitation itself notes: “In fact, the Government works diligently to limit and control who has access to these details as they could be used against us.”

Here’s what I think this all boils down to:

The government wants to replace their current rather ad hoc recording/surveillance apps with a system that would include integral verification that the recorded and/or streamed audio/video/gps data had not been edited or tampered with in any way.

This would have obvious benefits for the government, as in making presentation of such evidence in court potentially much more streamlined, but could also benefit innocent defendants who would be less likely to face evidence that had been unscrupulously altered in the government’s favor.
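How a cryptographic hash can make edits to a recording detectable, as an added example that is not taken from the solicitation or from the original post: each recorded segment is bound to its metadata and to every segment before it, and the final "head" digest is checked against a copy recorded at capture time. The segment layout, JSON metadata, SHA-256, the function names and the sample values are all assumptions constructed for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value chained into the first segment


def link_digest(prev_digest, meta, audio):
    """Digest binding one segment's audio and metadata to all earlier ones."""
    body = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    h = hashlib.sha256()
    h.update(prev_digest.encode("utf-8"))
    # Hash each field first so field boundaries cannot be shifted.
    h.update(hashlib.sha256(body).digest())
    h.update(hashlib.sha256(audio).digest())
    return h.hexdigest()


def seal_recording(segments):
    """Build (manifest, head) from an iterable of (meta, audio) pairs."""
    manifest, prev = [], GENESIS
    for seq, (meta, audio) in enumerate(segments):
        meta = dict(meta, seq=seq)
        prev = link_digest(prev, meta, audio)
        manifest.append({"meta": meta, "digest": prev})
    return manifest, prev


def verify_recording(manifest, audio_segments, trusted_head):
    """Return a list of problems; an empty list means the recording verifies.

    trusted_head must come from somewhere the holder of the recording cannot
    rewrite (for example a log written at capture time). A bare hash chain
    proves nothing if the head can be recomputed along with the data.
    """
    problems, prev = [], GENESIS
    if len(manifest) != len(audio_segments):
        problems.append(
            f"segment count mismatch: manifest has {len(manifest)}, "
            f"audio has {len(audio_segments)}")
    for seq, (entry, audio) in enumerate(zip(manifest, audio_segments)):
        if entry["meta"].get("seq") != seq:
            problems.append(f"segment {seq}: unexpected sequence number")
        if link_digest(prev, entry["meta"], audio) != entry["digest"]:
            problems.append(
                f"segment {seq}: audio or metadata does not match its digest")
        # Continue from the stored digest so one edit is reported once.
        prev = entry["digest"]
    if prev != trusted_head:
        problems.append("head digest does not match the value recorded at capture")
    return problems


# Constructed sample data: three short "audio" segments with time and GPS.
SAMPLE_SEGMENTS = [
    ({"t": "2016-07-29T10:00:00Z", "gps": [38.8951, -77.0364]}, b"\x00\x01" * 8),
    ({"t": "2016-07-29T10:00:10Z", "gps": [38.8952, -77.0365]}, b"\x02\x03" * 8),
    ({"t": "2016-07-29T10:00:20Z", "gps": [38.8953, -77.0366]}, b"\x04\x05" * 8),
]

if __name__ == "__main__":
    manifest, head = seal_recording(SAMPLE_SEGMENTS)
    audio = [a for _, a in SAMPLE_SEGMENTS]
    print("intact:", verify_recording(manifest, audio, head))
    audio[1] = b"edited audio"
    print("edited:", verify_recording(manifest, audio, head))
    forged_manifest, _ = seal_recording(
        [(m, a) for (m, _), a in zip(SAMPLE_SEGMENTS, audio)])
    print("re-sealed:", verify_recording(forged_manifest, audio, head))
```

The re-sealed case passes every per-segment check and fails only on the head comparison, which is why the head digest has to be kept out of reach of whoever holds the recording.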

It does seem odd that encryption of data on the phone is not a requirement, since this suggests that the data could be exposed “in the clear” if the phone fell into unauthorized hands — even if we assume that https: crypto is used for actual data streaming out from the phone.

Perhaps the bottom line question here isn’t whether the government is planning mass deployment of smartphone control and surveillance systems as the right-wing Internet sites appear to fear — that’s clearly false.

But a completely valid question for consideration is whether such a “new and improved” recording/surveillance app would encourage its use in targeted situations where surveillance wouldn’t have been considered (or accepted by courts) in the absence of such an app, and to what extent that could encourage actual overreach and potential abuse by the FBI and other government agencies in specific cases.

–Lauren–

Was Facebook Correct Blocking Video During Fatal Korryn Gaines Confrontation?

Many persons have been sending me materials relating to the death last week of 23-year-old Korryn Gaines during a violent police confrontation (in the process of serving a warrant) at her Baltimore area home. Of particular note in these messages has been Facebook’s decision to temporarily suspend her Facebook account about seven hours into the ongoing standoff when police asked Facebook to do so (her Instagram account was temporarily suspended as well).

Gaines had been recording videos of the confrontation and posting them as the standoff continued. Far more troubling were her followers, many of whom — in response to those videos — were apparently urging her not to comply with police and even suggesting aggressive actions against them.

Sometime after the accounts were suspended, police shot and killed Gaines, who was herself reportedly threatening police with a shotgun. Her 5-year-old child was also shot but is reportedly recovering.

The main reason I haven’t commented on this case publicly to date is that, frankly, I’ve been thinking about it and didn’t come to any immediate conclusions.

One way I try to analyze complicated Internet-related issues is to see if I can think of parallels in the “non-Internet” world that might shed some light on the matter.

Such parallels do exist in this case, and suggest that the most problematic aspect of the technology-related portion of this tragedy wasn’t the videos being posted per se, but rather the feedback Gaines was receiving from her followers in real time.

If we think about this situation in a non-Internet context — an angry confrontation, a suicidal person, or other similar scenarios — law enforcement would normally attempt to clear boisterous onlookers (“Go ahead, jump!” — “Shoot the pigs!”) from the scene, so that negotiations (in the case of Gaines, we’re talking more than seven hours) could proceed with some semblance of calm and without third parties attempting to escalate the situation for their own sordid jollies.

By these analogies, frustrated police in requesting the account suspensions were doing the social media equivalent of getting the yelling crowd away from the negotiation scene (which of course also has the effect of getting potential witnesses away from the scene, we must also note).

In this particular instance I feel that — overall — the police and Facebook/Instagram’s social media account actions perhaps were on balance justified, but that’s not the end of the story by any means.

We really need to often conceptually separate the videos themselves (being broadcast live over social media, or being posted in real time), from the live responses and comments that viewers of those videos are making back to the person in the confrontation itself, though this area is also very complicated.

For example, we’ve already seen cases of persons streaming live Facebook video to broadcast a suicide, and in another instance a rape. In such circumstances, it can certainly be argued that the videos alone are egregious enough to warrant blocking.

But it’s the instant feedback aspect of comments and chat dialogues — typically associated with live or posted videos — that seems the most problematic in ongoing confrontations, in the same manner as the crowd screaming for blood outside a physical building.

This all suggests to me that society, law enforcement, and the social media firms themselves would benefit in the long run from a more finely-grained set of tools to deal with these kinds of events.

We can start with the given that cutting off a person’s social media accounts at the request of law enforcement should always be a last resort only to be used when absolutely required — not a first-order default decision.

But when the decision is made to take actions in this regard, there may be many instances where simply cutting off the feedback to the user rather than shutting down the videos and entire account may be more appropriate — the equivalent of getting the screaming crowd pushed back for a time so that negotiations can proceed with less chaos.

Would the user become angry or upset when they realized that the real-time feedback had ceased? Perhaps, but probably less angry or upset than they’d be if the entire account suddenly went dark.

We’re on the cusp of a vast explosion in the numbers of these kinds of situations in which social media will play important, even crucial roles. Today the policies and tools for dealing with these events appropriately are either too primitive and coarse, or simply don’t really exist at all.

We have a lot of work to do.

–Lauren–

As We Age, Smartphones Don’t Make Us Stupid — They’re Our Saviors

(Original posting date: 16 March 2015)

Throughout human history, pretty much every development or invention that increased our information storage and management capabilities has had its loud and voracious naysayers.

Around 370 BCE, both Socrates and Plato were already badmouthing the written word as inherently inferior to in-person verbal dialogue. The printing press, typewriter, telegraph, telephone, and Internet have all been targeted as the presumed bringers of universal intellectual decay.

So it comes as no surprise that when Web search engines appeared on the scene — to organize Internet-based information and make it widely available — much the same tired old attack arguments were trotted out by the usual suspects, in the form of multitudinous “Google Is making Us Stupid!” articles and similar varieties of vacuous commentaries.

The crux of most arguments against having quick access to information seems to largely parallel the attempts not that many years ago (and in some venues, still continuing) to routinely ban calculators from physics and other similar subject tests, on the grounds that not doing the math by hand was somehow — perhaps in a moral judgment “You’ll go to hell!” kind of sense — horribly cheating.

But unless the test you’re taking is specifically one for mathematical skills, the rote manual calculation process is practically worthless compared with developing the necessary skills to actually analyze a problem and determine appropriate methodologies for reaching correct answers. Even a specific answer itself may often be far less relevant in many contexts than development and analysis of appropriate problem solving processes.

One wonders how many potentially brilliant would-be physicists with wonderful analytic skills were sidelined into other professions simply due to not having a knack for manual math.

With the rise of the mobile Net comes the latest incarnation of this twisted saga, the “Are smartphones making us stupid?” meme. There seems to be a new version of this one somewhere pretty much every few days.

In a very real way the term “smartphone” in this context is being used by detractors largely as a proxy for saying “Portable Google” — as a wireless retread of search engine criticisms.

However, in this case the critics are even farther off the mark than usual, because smartphones not only don’t reduce our intelligence, they can be our saviors as we age.

Physiological studies show that our memory for much specific data usually begins to decline at the ripe old age of — 20. Yeah, pretty depressing. But in contrast, our reasoning and analytic skills can in many cases continue developing throughout our lives without limit, as we integrate ever more experiences into the mix.

And here is where the smartphone (along with the vast information ecosystem that supports it) really becomes something of a technological miracle.

For there on your belt or in your purse is a little box that can act as an almost limitless adjunct to your own memory, to your own brain.

Type on it, talk to it. Ask it questions, note its reminders. Smartphones can provide us with very much the exact kind of information that our brains gradually become less adept at recalling past age 20 or so.

To argue that it’s somehow wrong, somehow cheating or unethical or unnatural, to use these devices and their supporting infrastructures in this way, is itself as dumb and stupid as forcing a potentially brilliant future physicist to drop out of school because you wouldn’t let them use a calculator.

Obviously, for smartphones to be most useful at all ages, issues of accessibility become paramount — matters for ground-up consideration, not after-the-fact excuses. Input and output methodologies, font sizes and contrast, all become especially important, since our vision typically begins to decline at the same young age as our memory. These are all relatively straightforward user interface design issues though, given the will to deal with them appropriately.

It would probably be a pretty tough slog to get Plato comfortable with smartphones. On the other hand, he’s quoted as saying: “We can easily forgive a child who is afraid of the dark; the real tragedy of life is when men are afraid of the light.” And especially when it comes to smartphones and the immense value they can bring to us throughout our lives, only a fool would argue with Plato about that.

–Lauren–
I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.

Confirmed and Unacceptable: Social Security Administration Cutting Off Users Who Can’t Receive Text Messages

UPDATE (14 August 2016): I’m told that SSA has removed the mandatory cell phone text messaging access requirement that was strongly criticized in the original posting below. I appreciate that SSA has now done the right thing in this case. Perhaps in the future they’ll think these things through better ahead of time!

– – –

If you don’t have a cell phone, or some other means to receive SMS text messages (and have them enabled, and know how to deal with them), you won’t be able to access your Social Security Administration “My Social Security” online account starting next month.

The SSA is currently sending out emails announcing that SSA online users MUST receive an SMS text message with a two-factor authentication code to access their accounts starting in August.

UPDATE (29 July 2016): Here is the official SSA announcement.
UPDATE (14 August 2016): SSA has now deleted this referenced announcement page since they have removed the mandatory cell phone text messaging login requirement, as noted in the update at the start of this posting.

According to Congressional testimony in May, SSA “expects” to make other two-factor methods available at some point in the future.

While the “expectation” of additional two-factor options at some unspecified time down the line is interesting, the move to now block users who do not have cell phones, or text message capable cell phones, or do not have text messaging enabled, or do not know how to access and read text messages — IS UNACCEPTABLE, especially on such short notice to SSA users.

Two-factor authentication systems are very important, but keep in mind that SSA by definition is dealing mostly with older users who may have only recently become comfortable with online services, and may not make any use of text messaging. Many do not have cell phones or somebody to receive text messages for them. There are also many people living in rural areas where cell phone service simply is not available at all!

Additionally — and ironically — text messaging is considered to be a substandard means of receiving two-factor authentications. And — get this, boys and girls — NIST (the USA’s National Institute of Standards and Technology) — just a few days ago officially declared that text messaging based two-factor should no longer be used at all — it’s simply not safe and secure. The possibility of crooks leveraging this SSA text messaging system with fake messages targeting this particularly vulnerable user population is also very real.

It appears that SSA has really mucked this one up. This isn’t secure two-factor, it’s a three-ring circus. And it’s going to leave many SSA users out in the cold.

–Lauren–

How Some ISPs Could Subvert Your Local Network Security

When most Internet users think about the security and privacy of their communications, they tend to think mainly about the associated practices of the sites they visit on the Net. Rarely do they think much about their ISPs in this regard, even though by definition the ISP has access to the entirety of their communications usage over that ISP (we can assume that in most cases this does not include the ability to read encrypted, e.g., SSL/TLS data, though man-in-the-middle attacks on that secured data are not at all impossible).

But have you ever thought about how the practices of your ISP might affect the security of your local network — and data that (at least ostensibly) never leaves the confines of your local net?

Though best security practices include running your own routers and firewalls (if not even more secure systems using FIDO security keys or other similar advanced technologies) the truth is that most consumer and small business users who run local nets (that is, communications between some number of local machines at their site or sites) depend on the firewalls and security mechanisms configured into ISP-provided modems.

The thing is that you’re often not the only one in control of those modems.

Leased cable or other wireless or wireline data modems typically provide the ability for the ISP to control and configure the modem remotely. Even if you buy an approved modem on your own when that’s permitted, network provisioning and maintenance/support requirements may still permit your ISP a great deal of control over the device.

Another truth is that most consumers and organizations tend to run rather lax security (if any at all) behind what they assume to be secure modem firewalls, meaning that if that firewall is breached, their local net is pretty much wide open.

In an ideal world, we could all employ methodologies similar to Google’s excellent BeyondCorp security model, which puts a well-deserved nail in the coffin of firewalls. Unfortunately, this usually isn’t practical for most non-techie consumers.

Fundamentally, the question boils down to this — can your ISP remotely change modem configurations that could give them or third parties inappropriate access to data on your local network?

For example, some ISPs now provide the means for customers to reconfigure the Wi-Fi on their modems via the ISP’s website. In the case of Time Warner Cable (aka Charter, Spectrum, or whatever they’re called this week), their site allows users to view and change Wi-Fi passwords, change or even disable Wi-Fi security completely, and more.

Handy? Yeah. But what happens if TWC’s super-deluxe website gets hacked? Or perhaps law enforcement or intel agencies come around and want to use loopholes in the laws to try to access your local network data without your even knowing about it?

You can see the problem. If your local net has typically lax security, and you don’t have your own firewall downstream of that ISP modem, the modem Wi-Fi security could be disabled remotely, your local network sucked dry late one night, and security restored by the morning. You might not even have a clue that any of this occurred.

How often does this kind of scenario occur in practice? I have no way to know. But it’s clearly possible.

Luckily, this is a case where there are steps you definitely can take to minimize these risks.

First, make sure that your local network is internally as secure as possible. You can’t simply assume that just because a machine is on your local network with a local IP address that it necessarily is a friend!

Second, consider putting your own firewall downstream of the ISP modem. Routers/switches with this capability are plentiful and relatively inexpensive.

Third, consider not using the ISP modem Wi-Fi at all. Those routers I mentioned just above often have their own built-in Wi-Fi that you can configure, making it unnecessary to use the ISP modem Wi-Fi, and permitting a more comprehensive firewall under your complete control.
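To complement these steps, the overnight scenario described above (Wi-Fi security switched off remotely and restored by morning) can be caught after the fact by logging what the modem advertises at regular intervals and looking for periods below your normal security mode. The following is an added example, not code from this post or from any ISP; the log line format, the field names, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Rank of each advertised security mode; higher is stronger.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3, "WPA3-SAE": 4}

# Constructed sample: hourly scans of one access point over a single night.
SAMPLE_LOG = """\
2016-07-20T23:00:00 bssid=02:00:00:00:00:01 ssid=HomeNet security=WPA2-PSK
2016-07-21T00:00:00 bssid=02:00:00:00:00:01 ssid=HomeNet security=WPA2-PSK
2016-07-21T01:00:00 bssid=02:00:00:00:00:01 ssid=HomeNet security=OPEN
2016-07-21T02:00:00 bssid=02:00:00:00:00:01 ssid=HomeNet security=OPEN
this line is malformed and must be skipped
2016-07-21T03:00:00 bssid=02:00:00:00:00:01 ssid=HomeNet security=WPA2-PSK
2016-07-21T04:00:00 bssid=02:00:00:00:00:01 ssid=HomeNet security=WPA2-PSK
"""

@dataclass
class Scan:
    when: datetime
    bssid: str
    security: str

@dataclass
class Window:
    bssid: str
    last_good: Optional[datetime]   # last scan at baseline before the change
    first_weak: datetime            # first scan that saw a weaker mode
    last_weak: datetime             # latest scan that saw a weaker mode
    restored: Optional[datetime]    # first scan back at baseline, None if still weak
    mode: str                       # mode advertised when the window opened

    def exposure_bounds(self):
        """(shortest, longest) possible exposure; None if a bound is unknown."""
        if self.last_good is None or self.restored is None:
            return None
        return (self.last_weak - self.first_weak, self.restored - self.last_good)

def parse_scans(text: str) -> List[Scan]:
    """Parse scan lines, skipping malformed lines and unknown security modes."""
    scans = []
    for line in text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
        except (IndexError, ValueError):
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "bssid" in fields and fields.get("security") in STRENGTH:
            scans.append(Scan(when, fields["bssid"].lower(), fields["security"]))
    return sorted(scans, key=lambda s: s.when)

def downgrade_windows(scans: List[Scan], baseline: str = "WPA2-PSK") -> List[Window]:
    """Return every period in which an access point advertised less than baseline."""
    windows: List[Window] = []
    active: Dict[str, Window] = {}          # bssid -> window still open
    last_good: Dict[str, datetime] = {}     # bssid -> latest scan at baseline
    for s in scans:
        weak = STRENGTH[s.security] < STRENGTH[baseline]
        cur = active.get(s.bssid)
        if not weak:
            if cur is not None:             # security is back: close the window
                cur.restored = s.when
                del active[s.bssid]
            last_good[s.bssid] = s.when
        elif cur is None:                   # first weak scan: open a window
            cur = Window(s.bssid, last_good.get(s.bssid), s.when, s.when, None, s.security)
            active[s.bssid] = cur
            windows.append(cur)
        else:                               # still weak: extend the window
            cur.last_weak = s.when
    return windows

if __name__ == "__main__":
    for w in downgrade_windows(parse_scans(SAMPLE_LOG)):
        print(f"{w.bssid}: {w.mode} from {w.first_weak} to {w.last_weak}, "
              f"restored {w.restored}, exposure bounds {w.exposure_bounds()}")
```

A change that is made and reverted between two scans never appears in the log, so the scan interval sets the shortest exposure this check can see.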

I’m not suggesting that you go into a panic and start ripping Ethernet cables out of the walls or cease using Wi-Fi. But it would be wise to start thinking now about how you can reconfigure your local network for maximal security in a world of expanding network security concerns.

–Lauren–

The Sensible Safeguards Needed Now for Pokémon GO

Unless Pokémon GO turns out to be a relatively short-lived popular phenomenon (and actually even if it is, since PoGo will be but the progenitor of many future augmented reality games and other applications), it appears likely that the full real world impacts of the game were not completely considered before launch, leading to a growing collection of alarming situations.

There were signs of some sloppiness from the outset, when it was noted that the PoGo iOS app was asking for far more account permissions than was appropriate. The actual privacy risk in this case was minimal, but the mere fact that the app got out the door this way — given the intense concerns about app permissions generally — suggested a possible lack of due diligence in key respects.

While various of the problematic reports we’ve seen about PoGo can be chalked up to user inattention (plowing a car into a tree, driving off a cliff, etc.), many others cannot be blamed on the users alone, per se.

To note but a sampling, these include PoGo being used to attract players to be robbed, a registered sex offender who was supposed to stay away from children using the game to partner with a young child, and very recently, two players who were shot at by a homeowner when they were prowling a residential neighborhood at 1 AM. An array of other trespass-related occurrences have been noted, including players entering restricted areas at a nuclear power plant.

Of broader impact is the swarming of neighborhoods, parks, and other public places by far larger numbers of people than they were designed for — or that local authorities are prepared for — at all hours of the day and night. There are serious public safety concerns involved.

Such gaming activities become especially inappropriate when they occur at locations that are utterly unsuitable for gaming, like ordinarily quiet and respectful cemeteries and Holocaust museums.

Fans of PoGo enthusiastically declare that it’s a great way to meet new people and get exercise. Perhaps. In some locales at least, it seems that players are mostly driving around in their cars to reach designated targets, but we’ll let that pass for the moment.

One suspicion that’s difficult to shake is that seemingly there wasn’t much (if any?) attention given to purging inappropriate locations from PoGo’s ancestor game — Ingress — before deploying them in PoGo. The need for such a purge should have been obvious, given that PoGo would have been reasonably expected to attract far more users than Ingress (as it indeed dramatically has) and would also be far more attractive to children.

Historical side note: Ingress was originally developed at Google (in fact, I was one of its earliest players, I believe while it was still in beta), then spun off to a separate company — Niantic — in which Google holds a major stake.

As I noted above, PoGo is but the beginning of what will certainly be a long line of innovative and important augmented reality mobile apps. And that makes it crucial to get the real world implications of this tech in line with real world requirements and impacts as quickly as possible — without stifling innovation.

The most important requirement is to give more control to municipalities and persons who are impacted by these applications and their users.

For example, it doesn’t exactly take rocket science to figure out that sending users wandering around quiet residential areas in the middle of the night is a recipe for potentially dangerous (even lethal) confusion and confrontations, or that flooding a small park with thousands of people at once — without prior warning to local authorities — can easily lead to serious problems.

Niantic needs to immediately work toward providing much better mechanisms for involved homeowners, business owners, municipalities, and other associated entities, to request removal of specific locations from the PoGo location database (much as you can request removal of locations from Google Street View currently). And there should be ways to specify PoGo app operation “curfews” for specific locales as well — especially in residential neighborhoods, or areas with special concerns about the safety of late night visitors.

It is also crucial that accessing this kind of request/control system not require use of the PoGo app itself, nor ideally use of the Internet in any way — given that many affected persons may not even have Internet access. 

Obviously, different areas, regions, and countries will have their own individual attitudes and concerns about participation in the PoGo ecosystem, and we can reasonably expect the sorts of location removal and/or PoGo app curfew requests received to vary widely around the globe.

But it is not appropriate for these decisions to be made wholly by Niantic alone. And unless they and we get a handle on the real world impacts of augmented reality apps in short order, you can be sure that politicians — already expressing concerns about this area — will be moving in with their own “control ideas” — that will likely not be of the form that many of us would want, nor that would protect innovation going forward.

–Lauren–

The Coming Government Showdown over Live Video Streaming

Over the last few days, we’ve dramatically seen the force of Internet live video streaming, and the obvious hints of policy battles to come regarding this powerful technology are clearly emerging.

Beyond the tragic images of a man shot to death by police in his car, and then live scenes of a sniper in Dallas who ultimately killed five officers, we’ve already seen other ugly shadows of what might become the new normal, including a streamed rape and suicide — both streamed by the perpetrators themselves for maximal publicity.

And yes, this is only the beginning. For while it has been possible to stream live video from portable devices for years, only now has the concept reached a critical mass, an “inflection” point where it is likely to have enormous impact on society at large.

While most of the attention to date has been on Facebook’s video streaming app, Google and other firms also have live streaming services, and that number can only be expected to grow for the foreseeable future, around the world.

Notably, these streaming systems typically include the means for viewers to comment live back to the video originators during the streams themselves, to do everything from expressing admiration or condemnation, to “simply” urging them on.

The positive public interest and probative value in the streaming of many public events is fairly obvious in most cases.

But even in the public space the associated dilemmas are vast.

Unfortunately, large audiences can bring out the worst in some people, and there is an enormous range of potential abuse for this technology in an ecosystem of unfiltered live streaming — in terms of risk-taking behavior to please your streaming audience, encouraging violence (either explicitly or implicitly), privacy attacks, and other abuses.

Even when no harm is actually intended, the mere fact of a live streamed dramatic event with a significant viewership will in some situations lead to potentially dangerous “flash crowds” as nearby viewers rush to participate in person.

And while these risks exist aplenty even with streaming from public places, the potential problems likely multiply by orders of magnitude when we consider live video streaming from private homes or businesses, perhaps by surreptitious means.

The bottom line is that live video streaming is a quintessential tool. It can be used for enormous good that could greatly enhance public knowledge and participatory democracy. It can also provide a morbid audience and incentive for hideous monsters (including both individuals and groups) whose real world streamed depravities could make fictional “torture porn” films pale by comparison.

So we find ourselves facing a familiar dilemma. If live video streaming firms don’t do the hard policy work required to provide reasonable controls over and filtering of this content, we can be sure that governments around the world — both of their own volition and pressured by their citizens — will move forcefully to enact control and censorship regimes to meet their perceived agendas.

And history tells us that once that kind of censorship takes hold, it’s extremely difficult to stop from spreading in all directions.

This makes it more imperative than ever that we move forward toward establishing best practices and policies to harness this uber-powerful technology in a reasonable manner, before governments move in with possibly knee-jerk “solutions” that will almost certainly make matters worse, not better.

I don’t claim to have any magic wands available for addressing these complicated issues, though my gut feeling is that we should be able to harness the enormous crowdsourcing power of the Net to rapidly categorize streams in real time and trigger filtering or other actions as appropriate.

But just sitting on our hands about this is not a viable option. That is, unless our goal is to see an incredibly useful technology being branded as “the enemy” just as it’s really beginning to flower.

–Lauren–

How Ancient Monopolies Keep You from Getting Decent Internet Service

Many of us tend to assume that here in the U.S. we have the most advanced technologies on the planet. So it may be startling to learn that by global Internet standards, numerous experts consider us to be living in something of a Stone Age Internet nation.

The reality is stark. Many countries in the world pay far less for their Internet services than we do, and get much faster and more reliable services in the bargain. While many countries have set a national goal of fiber optics directly connecting every home and business, here in the United States phone companies still are arguing that snail’s pace Net connections should qualify as broadband.

Even when relatively “high” Internet access speeds are available via cable, they tend to be mainly in the downstream direction. For example, I have the highest cable modem speed available in my location here in L.A., which is 300 Mb/s downstream — but only 20 Mb/s up. Obviously, high upstream speeds are important for a range of applications (not just limited to obvious ones like remote data backup). Cable modem speeds are getting better, but the fundamentals of cable system technology continue to dampen upstream speeds.

You might reasonably ask how so many other countries have been able to get much better Internet access to their residents, compared with us here in the country that invented the Internet.

The detailed reasons are complicated technically, legally, and very much politically, but the bottom line is that the Internet ecosystem here in the U.S. has long been rigged against effective competition, a direct outgrowth of early telecommunications monopoly environments.

One example of this may be visible right outside your window.

Have you ever wondered who owns those “telephone” poles throughout your community, or the underground cables and conduits in some towns?

The short answer is: What a mess!

Poles may be owned by power companies, by phone companies, by cable companies, or in some cases by communities themselves — or various combinations thereof. 

The land that these poles are planted in typically is in the form of an “easement” — a specific area of land still owned by the main property owner, but with access and other rights granted by government to various utilities and other firms. It works basically the same way with underground cables and conduits.

As you might imagine, easements can be the subject of complex and varied legal entanglements and disputes, even though most are granted when housing or commercial developments are being initially planned.

But for the sake of our discussion here right now, the most interesting aspect of easements is in older communities (for example, areas built up prior to the AT&T divestiture of 1984).

History matters in this context (as in so many other aspects of life) because when these easements were granted to communications companies back in the day, they were usually “monopoly” grants. That is, while we would probably agree even now that assuming a single water and/or power company would be logical, those historic easements were usually assuming only a single communications (phone) company, or later the original incumbent phone company plus a single cable TV company.

This is incredibly relevant today, because the entities controlling these easements, and that usually own the poles, cables, and conduits that everyone must use to provide landline communications services to homes or businesses, are quite powerfully in the catbird seat.

Here’s why.

In many countries, governments have national Internet plans that provide for robust competition in various ways. But here in the U.S., if you want to bring — for example — high speed fiber Internet to a community, you often have to deal with the incumbent telecom or other utility firms to gain access to those poles and/or underground facilities.

And those firms — like AT&T, Verizon, and the rest of the gang you likely are familiar with — have very little incentive to be particularly cooperative with new competitors bringing in far better services. In fact, the old guard firms have frequently pushed through laws — and/or filed lawsuits — aimed at preventing communities from encouraging or even permitting such competition.

So we find it not uncommon for the incumbents to demand exorbitant “pole attachment” or other access fees, or to delay and obfuscate as long as possible.

It’s important to remember that these incumbent firms typically only control these access assets because of those original monopoly grants from many decades ago — giving them exclusivity that is nonsensical and unfair so many years later. But they’ve become experts at milking every last possible dollar out of the jolly old monopoly days, even now!

If this sounds bad, it gets worse for the captive residents of many apartment buildings and commercial developments.

Building owners and landlords frequently view Internet access as a massive personal profit center, and engage in restrictive shenanigans — some of which can be viewed as illegal — to strike lucrative, and yes, monopoly deals with telecom firms, demanding sweetheart payments for access to their tenants, and treating those tenants as if they were medieval serfs. For more on this particularly seamy side of Internet access, please see Susan Crawford’s excellent recent article: “Dear Landlord: Don’t Rip Me Off When it Comes To Internet Access — When building owners get kickbacks from big providers it’s the tenants who lose.”

You might think that this sorry state of affairs would be pretty much obvious to everyone, but in our toxic political environment that would be very far from the truth.

In fact, there are many in Congress who don’t see any consumer problems here at all. Whether or not one chooses to consider these access issues under the “network neutrality” umbrella, many politicians who have long enjoyed the “generosity” of the incumbent telecom firms are lined up to block any attempts to improve the competitive landscape for Internet consumers, thereby condemning us to continued laughingstock status in the eyes of most other countries.

We do have some power though — in the voting booth. These issues tend to have local, state, and often federal components, and we’re unlikely to see significant improvements while lapdog beneficiaries of dominant Big Telecom remain in political control.

Or perhaps you’re satisfied with exorbitant prices and “Flintstones-class” Internet access throughput. Frankly, this far into the 21st century, I strongly believe that we can do much better than having so many of us running at bare feet pedal power Internet speeds.

Yabba dabba doo!

–Lauren–