ERP as New Social Engagement Tool - the Problem with Unstructured Data

A recent article in the Harvard Business Review Blog discusses innovations in Enterprise Resource Planning (ERP) systems and how some of these systems are starting to include engagement components. The author, R. Ray Wang, claims that firms who fail to embrace engagement systems will fall behind. He offers a good summary of nine traits of engagement systems, with a brief discussion of how these traits differ from ERP's of "yesteryear".

As an archives and preservation PhD student I have made this same argument, and learned through engagement with experts why I am wrong. Digital Archival and preservation systems are cumbersome. The xml used to describe the records being ingested, the interface to the ingest systems, the various steps and protocols all seemed very 1995 to me. We literally had to walk to a different building to upload an archival record!

While there is plenty of room for improvement in both digital archive systems and ERP's, assuming that social media, or "engagement systems" can replace these functions misses the business goal. My assertion when I was first exposed to these systems was that the xml and tarball process should be replaced by tagging and crowdsourcing. I've learned that consistent, accurate, and reliable data is sometimes more important than social engagement, and structured descriptions managed by experts is currently the only combination to get this done. This is the case with archives and ERP systems.

Engagement is an important aspect of business and innovation. A companies greatest asset is the knowledge and experience of its workers. The company that best "liberates" this wisdom will compete more successfully - which is part of Wang's point. HR and finance systems can facilitate this, but corporations will still need a reliable, expert driven, structured data infrastructure to manage the business of business.

The Third Party Doctrine

A new story about the LAPD being told they can't use cloud services, specifically Google apps, because it would threaten privacy. The article cites Google's inability to meet certain security requirements related to criminal records, but the real issue to me is the third party doctrine.

Records shared with a third party, such as Google, do not usually invoke the fourth amendment protection from illegal search and seizure. If all aspects of criminal records - email back and forth between attorneys, speculation about the case and possible suspects, issues with the investigation, etc., - are being stored by a third party such as Google, then all of this information moves into an area of disputed privacy protection. Future criminal investigations of a suspect may not require a warrant for law enforcement to access records that already exist on third party servers, depending on how current court cases are resolved.

This is one area where technology has significantly outpaced the law.

Privacy Roundup: Facebook's New Security Features, 2 New Copyright Bills, NY Sex Offender App

10/21/11 - 10/28/11

This week Facebook has made some improvements to increase security. The first is the App password which allows a subscriber to have a one-time use password generated by Facebook for a third party app that you connect to. By using an app password, you create another layer of security and control between your profile and any third party applications you have installed.

The second new feature is called trusted friends. This feature will allow you to designate a few "trusted friends" that will be notified if you get locked out of your account, either because you forgot your password or your account has been compromised. Facebook will send a code to this preselected group of friends, and this group can pass the code to you. I guess the idea is to encourage users to create stronger passwords, but it will definitely generate some interesting new data for Facebook. Who do you trust in the case of a security compromise? Do multiple subscribers trust that one individual? All kinds of influence ranking opportunities etc.

Apparently China is arresting social networking users for spreading rumors. The accusations range from an individual forging government docs to support his claims to a rumor that a man killed 8 government officials in a village because of pollution from a cement factory. Enjoy your freedom to circulate rumors while we still have it. This story may or may not be true. The Chinese Twitter is called weibo, for what its worth.

Two bills have been introduced recently; the Protect IP Act pushed by the Senate, and the E-Parasite Act coming out of the House, which is also known as the Stopping Online Piracy Act. More on both of these can be found at my earlier post.

NY state has released a Facebook sex offender app in time for Halloween. Apparently there are 3 levels of sex offender; level 1 being the highest. The app allows you to see the zip code of level three offenders, and the home and work address of level 1 and 2 offenders.

Basic Computer Terminology for Shoppers

Shopping for a computer requires fluency in a few three letter acronyms that might be confusing and/or scary to someone that isn't familiar with them. I've included a brief description of these below to help you out. I have posted my shopping process in an earlier post, which might also be helpful.

CPU

Central Processing Unit puts the computer into action, taking commands from software, running calculations, and managing multiple applications at one time. The quality of a processor is designated by the speed, measured in gigahertz (GHz). The faster the processor, the easier it will be to switch between software applications, run “heavy” software such as gaming and image editing.

You can buy multi-core processors, which allow for incremental increases in processing speed (most older software isn’t designed to really take advantage of a multi-core environment, but that is changing!)

AMD vs Intel? When you live in Austin, it really depends on which company your friends work for! Look for faster processor speed at lower cost. The speeds aren’t directly comparable (by design, huh), so unless you are using serious specialized software, it shouldn’t matter much.

System Memory

Measured in gigabytes (GB) of Random Access Memory (RAM), the system memory allows the system to manage multiple commands and software applications at one time. The more the better, usually measured in the single digits.

Hard Drive

Hard drive memory is also measured in gigbytes (GB), and is usually measured in the hundreds. If you have a lot of movies and music or work with large files, you will want a lot of storage. To get an idea of how much you might need, take a look at your current computer. Right click on the “my computer” icon and check out the properties. If you have a 500 GB hard drive and you are using 350 GB, you will definitely want to upgrade!

Other stuff –

Networking – make sure you have a wireless card.  You can always add a USB wireless card, but it is easier to just have it built in.

CD/DVD – you can get by without one as long as you have a USB port, but it is definitely more convenient to have a built in CD/DVD player.

Japanese Nuclear and Military Secrets Stolen in Data Breach

Mitsubishi Heavy Industries, Japan's largest defense contract, has reported that an attack including at least 8 different pieces of malware and actors outside of the company has led to sensitive nuclear and military information being leaked.

The company didn't report the breach to the Japanese Defense Ministry until a month after the attack, and when they did, they claimed to have taken the appropriate steps to secure their resources.

8 different pieces of malware, yet they had taken appropriate steps to protect the network and sensitive data? If malware is written specifically for a particular break-in, the usual malware detection software (anti-virus type software) wouldn't necessarily detect an unpublished signature. Spear Phishing was supposedly part of the attack, tricking specific individuals into installing the software on their machines. Definitely sounds like an attack coordinated by someone who knew what he or she was doing, and did their homework.


http://www.eweekeurope.co.uk/news/defence-firm-probably-compromised-by-spear-phishing-attack-40396

http://www.eweekeurope.co.uk/news/nuclear-and-military-data-stolen-in-mitsubishi-cyber-attack-43592

http://www.reuters.com/article/2011/10/24/us-mitsubishi-heavy-cyberattack-idUSTRE79M3XS20111024

Protect IP Act and the E-Parasite Act

Two bills have been introduced recently; the Protect IP Act pushed by the Senate which I have written a bit about in an earlier post, and the E-Parasite Act coming out of the House, which is also known as the Stopping Online Piracy Act.

The Protect IP Act (PIPA - a good overview can be found here) called for web sites accused of violating a copyright holders rights to have their DNS entry blocked - essentially creating a denial of service situation for anyone trying to access that site.

The E-Parasite Act (Enforcing and Protecting American Rights Against Sites Intent on Theft and Exploitation Act - the people who named this must be the same creative folks that came up with the PATRIOT Act!) goes a few steps further. PIPA limited action to sites outside of the U.S. whose sole purpose was to distribute unlicensed material. E-Parasite expands this by focusing on sites that have distribution as their major purpose.

E-Parasite would place the burden of enforcement of a government established blacklist on ISP's - a common regulation point. Additionally, attempts to bypass this filter would result in liability for the ISP. Some are calling this the great American Firewall - censoring sites that the music and entertainment industry determine undermine their financial interest.

Currently, the Digital Millennium Copyright Act (DMCA) allows for notice and take-down, creating a safe harbor for ISPs under the assumption that an ISP does not, and should not, monitor all traffic on their network. This set of bills definitely takes steps to erode the safe harbor concept.

TSA Inspectors and Privacy

A female attorney and blogger has her bag inspected at the airport and the TSA inspector writes in large, scrawling letters across the inspection notice "get your freak on girl". Apparently he found a "personal" item in her luggage, he couldn't have chosen a worse victim from a defense of privacy standpoint. 

This story has been around for awhile, but what I find interesting about it are the reactions to the picture of the TSA notice of inspection. If you haven't seen it, check out: http://twitpic.com/753bq9

The reactions range from lewd requests to a discussion of whether women or men are more "sexually replaceable". A few are disturbed by the event and the privacy implications, and a few point out that even if she complained, nothing would happen. 

This is a great cross-section of the range of reactions to any privacy violation. What's the privacy harm? Most people point to the revelation of (potentially) embarrassing personal information. I think this reaction sums up the real harm:

Jesus. I assume reporting it will do no good? They'll be "unable" to find out who wrote it?

The idea that we can't hold authority to account when they abuse power is dangerous. A sense of helplessness and lack of agency - or the ability to affect change - can lead to self-censorship and both a lack of willingness to try to hold people accountable, and a higher likelihood that people in authority will take advantage of that role. TSA did find out who did it and removed them from inspection duties. It is unclear whether this means they are fired and will not be able to perform inspection or security related duties in the future. 

Wikipedia Permanently Deletes Posts

Wikipedia, the poster child for crowd-sourced knowledge and transparency, permanently deletes "dangerous content" on a regular basis. Dangerous content most often refers to copyright violations, but could include cases of libel or criminal threats. Both the posts and the records of the post in history are deleted. 56,000 out of 47.1 million, or .1%, of changes fit into this category.

When the wikimedia foundation uses the term "dangerous content" they mean dangerous to them in terms of legal action, since most of the dangerous content is copyright violation, which takes them 21 days to spot and remove, on average.

With an open source activity like Wikipedia, there is bound to be a number of posts that don't belong and that harm the rights of others. Having a process to make that information permanently unavailable, while leaving a trail that such action has been taken, seems consistent with transparency to me.

New Social Networking Site "Unthink" - Not a Privacy Revolution

A new site called "Unthink" supposedly has $2.5 million in venture capital funding and is making a run at Facebook and Google +, trying to stand out as a different social network that protects your privacy. I'll briefly review some of the features, and then analyze Unthink's data protection to see if they actually do anything different than leave ads off of your page.

The big claim is your data will not be sold to third party advertisers, protecting your information from being spread around the web. To do this, you will be able to choose a corporate sponsor to sponsor your page, or pay $2 per year as a subscription fee. It is tempting to think of this as an economics experiment - is privacy worth $2? The only problem is, all of my friends are already on Facebook, so it is expensive to move. The first year should be free.

Unthink has two separate declarations and a law enforcement set of practices that they have published.
The first set are called the emancipation covenants, and the pieces that stand out to me are the Optional disclosure of identity and the "Freedom from changes". Optional disclosure means you can use pseudonyms, but you will be labeled as unverified. Freedom from changes means you can choose to accept changes made to the site or not, which is every software developers nightmare because multiple software versions will have to be maintained, or this promise will have to be broken.

The second document is the Privacy Policy. The software default is private, meaning information you share will not be shared with others unless you change this setting - overall good for privacy. Rather than friend or not, Unthink allows you to follow, friend, or connect. Depending on the implementation, this can actually reduce privacy by increasing the granularity related to your relationships. If I ask to be friends and you only want to connect, your intentions are more public. Unthink promises a limited license to the content that you publish on their site, which can be revoked at any time by deleting your content. The right to delete is good, and the site has to have some ownership in order to actually provide a service.

The last bits seem misleading. They will collect your IP address and other routing information - they have to in order for you to use the site. But, this information can be used for statistical analysis and to improve your experience. Too vague. If you are going to claim a "revolution" - make your terms revolutionary. This last bit got me:

We hate cookies! We and our Partners only use cookies to remember your login information, to keep you logged in, if necessary to provide a service you request, and generally for ease of your use and for statistical monitoring of the use of UNTHINK.com, Suites and Stages.


We hate cookies, but we will use them and share them with third parties. Ugh.

And of course, these terms are subject to change.

So, lets test out the privacy claims against Schneier's taxonomy:

1. Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number. 
1. Unthink collects and shares these data with third parties.
2. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.
   
1. Unthink collects and shares these data with third parties.
3. Entrusted data. This is what you post on other people's pages. It's basically the same stuff as disclosed data, but the difference is that you don't have control over the data -- someone else does.
   
1. Unthink collects and shares these data with third parties.
4. Incidental data. Incidental data is data the other people post about you. Again, it's basically the same stuff as disclosed data, but the difference is that 1) you don't have control over it, and 2) you didn't create it in the first place.
   
1. Unthink collects and shares these data with third parties.
5. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with.
1. Unthink collects and shares these data with third parties.

So, when we take off the wrapper, Unthink seems really similar to existing social networking sites, all claims of revolution aside.

Update - Everyone Wants a Piece of the Universal Service Fund

10/28 -
The FCC voted Thursday to grant $4.5 a year to broadband deployment, and $300 million a year to mobile broadband deployment. Sprint Nextel is one of the winners, praising the decision to compensate broadband companies for expanding their infrastructure.

We'll see where net neutrality goes from here.

-----------------------

An article in The Hill highlights Walter McCormick's blog accusing the wireless, cable, and media reform lobbyists of trying to manipulate the $8 billion Universal Service Fund for their own purposes. The Universal Service Fund was established by the 1996 Telecommunications Act and requires a portion of every phone bill to go to a fund that would help bring telephone service to rural areas. The idea was everyone should have access to basic telecom services; this was seen as a life safety issue.

The question has shifted from telecom access to broadband access since 1996 and the line between broadband, television, entertainment, and telephone services has blurred. Some insist we should dig trenches and lay fiber optic cable. Others would like to see wireless service deployed nationally. Still others, like Lightsquared, would like to use that money to build out a satellite infrastructure.

How the FCC distributes the $8 billion will privilege one company over another, and with net neutrality (wikipedia entry, a good starting place) still up in the air, the owner of the pipes will have a long-term competitive advantage.

Privacy Report: Government Access to Subscriber Data

There are two reports out today, one in the Washington Post claiming the FBI is going to court more often to get customer data from service providers and the other from Mashable analyzing Google's report of government requests (not just U.S. government).

As the Washington Post points out, investigators used to routinely use National Security Letters to gain access to customer information. A National Security Letter (NSL) is an administrative subpoena; it doesn't require judicial oversight or probable cause. Section 505 of the PATRIOT Act expanded the use of NSL's beyond the investigation of foreign terrorist suspects. The Washington Post report indicates that service providers (such as Google) are limiting their response to these letters more than they have in the past by only responding with "envelope data" - name, address, length of service and billing info.

The Google report shows that the U.S. made 5,950 requests between January and June of 2011, a 70% increase. All of the U.S. requests were filled, according to the report.

This is slightly misleading - there are content removal requests and user data requests. There were 92 content removal requests, 67% were fully or partially complied with. There were 5,950 user data requests, and 93% were fully or partially complied with.

The content removal requests were mostly made by court order. The type of user data request (NSL or court order) was not published.

The Google Transparency Report

Wyden - Privacy Laws Need to Change, Protect GPS by Requiring a Warrant

http://www.statesmanjournal.com/article/20111025/NEWS/110250312/Wyden-says-privacy-laws-need-changes?odyssey=mod%7Cnewswell%7Ctext%7CNews%7Cs

Oregon Senator Ron Wyden (D), would like to require law enforcement to obtain a warrant before conducting GPS surveillance. This would require law enforcement agents to go before a judge and attest to probable cause before they could begin surveillance. The article claims this would cover suspected terrorists, but foreign actors should be covered by the United States Foreign Intelligence Surveillance Court, or FISA, which has a different set of processes for monitoring non-citizens.

We see a lot about 1984, but I can't wait to see more mentions of Kafka's The Trial. Daniel Solove explained it well in his Educause essay promoting his new book "Nothing to Hide":

Another metaphor better captures the problems: Franz Kafka's The Trial. Kafka's novel centers around a man who is arrested but not informed why. He desperately tries to find out what triggered his arrest and what's in store for him. He finds out that a mysterious court system has a dossier on him and is investigating him, but he's unable to learn much more. The Trial depicts a bureaucracy with inscrutable purposes that uses people's information to make important decisions about them, yet denies the people the ability to participate in how their information is used.

I prefer the Kafka metaphor because I think it better describes the contemporary situation - not an individual authority monitoring behavior and reporting up to "big brother" but a vast pool of data that can be called on by various authorities without your knowledge.

I'm Getting Arrested App

http://www.washingtonpost.com/business/technology/brooklyn-software-developer-creates-im-getting-arrested-app-for-wall-street-protesters/2011/10/25/gIQAQfXTFM_story.html

First I have to confess that I love protests. I don't really care what they are about, but seeing a group of people with signs makes me happy. It could be hope that democracy lives, it could be inspiration that people are passionate enough about a topic to lend their true identity, in public, in support of it. I know I would feel differently if they were on my front lawn or in front of my business, and I know people can be manipulated into believing some things that are misleading. But still, protestors make me smile.

The story linked above is about a Brooklyn app developer who launched the "I'm Getting Arrested" app. Essentially, you pre-configure a distribution list and write a text that lets people know you are getting arrested. When you get arrested, you push the button and the text is sent. The developer doesn't know how many people have used it because he built in privacy protections, which is admirable.

I have heard of a similar app that will actually delete all of your data off of a mobile device, making a casual search more difficult. The data could be recovered by a more in depth search, but the theory is such a search would require a warrant.

IPhone Defaults Risk Privacy

http://www.dailyfinance.com/2011/10/24/iphone-4s-siri-defaults-put-privacy-at-risk/

Interesting article about Siri and the fact that she never sleeps. Even when you turn your phone off, she still listens and will be glad to help you out. Or anyone that  has physical access to the machine. A good IT security person or hacker will tell you that if they can touch it they can own it, making mobile devices especially difficult to secure.

There is a really interesting article about software defaults by Kesan and Shah in the Notre Dame Law Review: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1760120

One bit that is relevant here -  users are incapable of protecting their own privacy due to a few behavioral economics theories:

Bounded rationality - People don’t have all of the information they need to make a decision about privacy implications of default settings, so they remain uninformed that another choice exists.

The authors point to a number of cognitive biases that are interesting:

1. The status quo bias, or our predisposition to favor status quo over change.
2. The omission bias, or our belief that actions are worse than omissions if the harms are equal. I would rather have something bad happen to me because no one did anything to stop it than if the same bad thing happened because someone made it happen. This is why we avoid making a change, we think it will break the computer.
3. The endowment effect. We place more value on settings when the default initially favors us – people demand more money to give something up than they would be willing to pay to aquire it.
4. And lastly, the legitimating effect, which leads people to assume that defaults convey information on how people should act.

Obviously this is a really short summary, but something to keep in mind as we work with people to help protect their privacy or our organizations important records.

Facebook Warned by Europe Over Facial Recognition

http://www.cio.com.au/article/405062/facebook_warned_over_face_recognition_app/

There is a short article indicating that Facebook has been warned to bring their facial recognition software into compliance with German privacy laws. The software identifies Facebook subscribers that are in a photograph using facial recognition technology. If you upload a picture of your friends at a party, the software will attempt to identify and tag the people in the picture.

To comply with the law Facebook would have to request permission from each person that is identified in a photo before that identification is recorded. I use the word recorded intentionally - not just published, but documented in a FB database.

Mexico Focuses Drug Wars on Violent Cities, Allowing Increased Production in Rural Areas

http://www.washingtonpost.com/world/americas/mexicos-drug-war-bypassing-growers/2011/10/20/gIQAPKv93L_story.html?wpisrc=nl_headlines

The Washington Post has an article about the Mexican government shift in focus from fighting drug production - mostly rural growers of marijuana and poppies, to fighting crime in the cities. Apparently this is leading to a fresh surge of drugs across the U.S. border, which will probably lead to a renewed call for border security.

I thought it would be fun to guess what happens next: drones to identify and destroy crops and to identify and stop illegal crossings. This approach may not stop all drug flow, but could substantially reduce it. Privacy issues, of course, abound when we deploy drones within our own borders and into neighboring countries.

United Kingdom Office for Cyber Security and Information Assurance Looks to "Trusted Computing"

http://www.guardian.co.uk/government-computing-network/2011/oct/21/cyber-security-strategy-trusted-computing

The U.K. is looking to "trusted computing" to improve the security posture of the country. It isn't clear from the article whether the intention is to create an incentive for government agencies and acquisitions to move toward trusted computing, or to create an incentive for manufacturers of computers in the U.K. to provide trusted computing enabled devices to citizens.

A computer that uses trusted computing has a security chip embedded in it that requires a code to be entered by the user in order to access the machine.

Security experts like TC because it can be used to encrypt the hard drive, protecting sensitive data, and it allows for remote access in case of "emergencies" - meaning a security expert or government official can access the machine remotely if necessary - often used to "wipe" the hard drive by erasing sensitive data if the machine is stolen.

Privacy advocates hate it for the same reason - allowing remote, encrypted, and difficult to detect access to a private device.

The four stated objectives are:

1. making the public safe online and ensuring the country is one of the best in the world for online business;
2. making the UK more resilient in the face of cyber attack and better able to protect its interests; 
3. proving a more "open and vibrant" cyber security environment; 
4. and having the knowledge, skills and capability to underpin these

Privacy RoundUp: Shadow Profiles, Brain Density and Friends, BlackBerry Outage and Safer Roads

This past week we saw a few interesting developments related to Facebook: The British Office of Fair Trading is warning debt collectors not to pursue people who owe them money on social networking sites such as Twitter and Facebook. The OFT is concerned that embarrassing details about their financial problems will be revealed on the internet: http://www.bbc.co.uk/news/business-15348205

I was surprised by this recommendation, which speaks to the cultural value of privacy, at least in this context in Britain. When it comes to collecting parking revenue and reducing traffic our friends across the pond have a different equation - cameras on every corner and license plates they can read from a distance.

Facebook has been accused of creating "Shadow Profiles" - profiles of people that haven't signed up for Facebook. Apparently when you "find friends" by uploading your address book, Facebook creates a profile for people in your contacts list that don't already have a profile.

There are a number of problems with this; these people can then be tagged in photos and their information (gathered from comments and database matching) can be sold to third parties. More importantly, these data can be used to identify people and deduce things like their sexual preference and ssn by combining data sources. as Acquisti points out in a recent presentation at Black Hat: http://www.pcmag.com/article2/0,2817,2389540,00.asp

A recent study claims your brain density is tied to the number of friends you have (brain density is a good thing, means you have more gray matter). Study participants underwent an MRI to check for brain density and their density was measured against the number of friends they had on FB. With 135 participants, we can't say these results represent any population. In other words, this is an interesting study, but it doesn't necessarily mean smarter people have more friends, or that you will get smarter if you add friends.

In Google news, Google has switched to https, encrypting all requests and giving a slight bump to privacy. Also, Google+ will support pseudonyms, backing down from their "one identity" original stance. An interesting article from Wired on why this matters: http://www.wired.com/epicenter/2011/07/google-plus-user-names/

According to media reports, police in the United Arab Emirates have given a surprising explanation for a dramatic fall in traffic accidents last week: drivers' BlackBerrys weren't working. We don't need cars that drive themselves, stay off the phone and drive!

Airline Travel, Pre-Check and Privacy

The Transportation Security Administration (TSA) has started it's pre-check program. The program will allow passengers at Boston's Logan airport or Detroit's Metro to volunteer for pre-screening. TSA's blog has instructions on how to sign up for the program. The idea is you will submit to a pre-flight background check by handing over some personal information and then at the airport, during this testing phase of the program, anyway, you will undergo an interview (some people are calling this a "chat-down" rather than a pat-down).

I have a mixed reaction to this one. My mother-in-law had a terrible experience flying. She has a replaced knee that meant she was signaled out for more screening and a pat-down, which made her never want to fly again. This program might make it so she would be willing to fly again and come visit the grandkids.

There are four conflicting values that I understand in this situation; convenience, security, safety and privacy. I hate airport lines just as much as the next person. It would be very convenient to be on a shorter line, and I can completely understand why people would be willing to give up personal information and undergo a background check to speed the airport security process up.

The second value is security. This is the actual increase in safety we can expect from whatever screening measures are in place. Some have said that we are more likely to be attacked by a shark or struck by lightning than to be a victim of a terror attack. This calculation is Bayesian; it assumes that the American experience with terrorism in the past is indicative of what will happen in the future. Terrorist attacks are relatively rare in the U.S., but that doesn't mean we can assume this will be the case in the future. The calculation also assumes a victim is someone directly involved - injured or killed. With terror, anyone who is "afraid" after the attack can be considered a victim.

The third value is safety. Security researcher Bruce Schneier refers to this as security theater - law enforcement actions that may not actually make us more secure, but make us feel more safe. There is value in feeling safe, emotional, psychological, and economic value, since people are more likely to go about their daily lives if they feel safe.

The last value is privacy. In this context, it is difficult to see how privacy can be balanced against the other three values. Whether you give up your personal information before the flight or during the check in process, you will most likely have to give it up if you want to travel, so why not trade personal information ahead of time for added convenience?

Daniel Solove (and a number of other legal scholars) talks about privacy as a way to limit government control in his book "Nothing to Hide"(link goes to Amazon). Giving up personal information before your flight and submitting to a background check increases our acceptance of surveillance as a society. Our expectation of privacy is reduced, which can have serious long-term consequences for the "reasonable expectation of privacy" test.

Convenience and safety are tough values to compete with.

Six Tips to Help Internet Newbies Avoid Scams

I receive all kinds of email from my father - some of them are these long chain letters that have been forwarded by a long list of people. You know the kind of email I'm talking about - a few are hilarious, some are inappropriate, but almost all are dangerous from an information security perspective.

For younger folks that were born during the age of the Internet, email is a stogy form of official communication. For those of us born when the TV remote control was a new invention and had one button and a round dial that clicked when you changed the channel, email is a great way to communicate, even if it is mysterious and sometimes frustrating.

There usually is no training when you get your first computer hooked up to the Internet, so I thought I would share this list of basic tips to help people that are new to Internet use avoid some of the most common ways that bad guys take advantage of you. You can use these tips yourself, or forward them to someone you love who might be new to this whole Internet thing.

1. Keep your antivirus and operating system up to date and keep your firewall on. Most computers now offer recommending security settings, if you follow these settings you will be off to a good start.
2. If someone sends you an email and asks you to click a link to correct account information, don't do it! the link can be redirected or faked. Instead, type the URL into a browser window (Internet Explorer or similar) and get to the site on your own. 
3. If you typed in the URL to a page that was sent to you via email and you don't see the little "lock" icon, and the first five letters of the site address aren't "https" the S is the important letter - then don't use the site (and don't enter any of your contact information on the site)!
4. If you are browsing the web and anything pops up and tells you your machine is infected, close the browser completely. Don't click "okay", "cancel", "dismiss", or any other button.
5. If you are browsing the web and something unexpected happens (a window pops up, a message shows up, the web page changes), don't trust it. Close the browser window or shut down your machine.
6. Never open a power point, word doc, excel spreadsheet or image file unless you asked that person to send you the file. If the file has been forwarded to you, chain letter style, leave it alone.

Simple rules to follow on the web - if you didn't expect it to happen, be suspicious. If you didn't initiate the action (ie go to the web site to update your account), don't put account or personal information in! These tips won't protect you from everything, but they are a good place to start.

Oxford Researchers Test Autonomous Car

We have all been annoyed when the person driving in front of us suddenly slows from 65 mph to 50 while they answer a call or send a text. University of Utah researchers have found that driving while texting is as dangerous as drinking and driving, but are cars that drive themselves the answer? Researchers at Oxford University are testing an autonomous car that they say will cut emissions, increase safety and reduce traffic. Oxford joins the Google Toyota Prius, General Motors, Volvo and others in the race to develop cars that drive themselves, but with thousands of sensors and millions of dollars in software development, is developing an autonomous car a more rational choice than improving public transportation? Check your email and text all you want, just stay off the road and ride the train!

Anything that raises life safety issues and depends completely on software should immediately raise significant concerns. If our tire sensors can be hacked, and our military drones can be hacked, certainly a self driving car is just a matter of time. Other questions around insurance when one of these cars crash, surveillance of your movements, speed and time spent at any location, and what to tell your boss when you are late to work will also make life interesting...

Privacy Roundup: Data Leakage, Facebook Digital Dossiers, Public Surveillance

The Irish 1988 Data Protection Law says that a subscriber has the right to access all records a company keeps on that subscriber. Last week an Austrian group called Europe Vs. Facebook has been encouraging people to request access to their data profile. As part of this campaign, Europe V. Facebook has come across an interesting bit of information; Facebook isn't releasing all data they have about each subscriber. When asked about this, Facebook claimed that some of these data need to be protected because revealing them would compromise trade secrects.

The Intelligence Advanced Research Projects Activity (IARPA) has released a call for participation looking for researchers to help them analyze what they are calling "big data" - any publicly available information. Some examples from the NY Times article:
Web search queries, blog entries, Internet traffic flow, financial market indicators, traffic webcams and changes in Wikipedia entries. 


These data will be used to predict economic, social, political, and health crises/revolutions. To decide whether this activity would have privacy implications, you would first have to decide whether public data can implicate privacy. Can you have a private conversation in public? There is a good Techdirt article about the third party doctrine here, and of course the wikipedia article on the stored communications act. The upshot is if you hand your data over to a third party, e.g. use the Internet, your privacy is less protected. This is an example of technology outpacing the law and social understanding.


Sony has a new round of problems with Playstation and some TV's burning up. I wonder if we are already seeing the new Internet enabled TV's being hacked, or Microsoft XBox Kinect? A gaming device that can recognize the people in the room and tie them to a corporate database has to be a great target for mischief.


The Protect IP Act (PIPA) is making the rounds. The idea behind this one is that a copyright holder would have the ability to lock the IP Address of a web site that copyright holder claims has violated their copyright. A good description about the problems with PIPA can be found here.


Jonathan Mayer of Stanford University has published an interesting research article on data leakage called Tracking the Trackers. He measures data leakage - how third parties get access to identity information and web surfing records from first parties. He describes a really interesting information ecosystem.


And lastly, some more information about the NYPD infiltrating NY City colleges from NPR: http://www.npr.org/templates/story/story.php?storyId=141225420 From the article:
Investigators have been infiltrating Muslim student groups at Brooklyn College and other schools in the city, monitoring their Internet activity and placing undercover agents in their ranks... Police photographed restaurants and grocery stores that cater to Muslims and built databases showing where people shopped, got their hair cut and prayed. 

Six Tips to Protect Your Privacy on Facebook

Facebook is a great tool to communicate with friends, and with 800 million users, there are plenty of potential friends out there! However, with 800 million people using any software, there are a number of different ways your privacy can be threatened. Both Facebook and third-party advertisers can track your actions as you move around the web, criminals can use the information you share to decide when to rob your house, and you can accidentally post embarrassing information to the wrong group of people. Below are 6 tips that will help you limit the chances that your privacy will become a problem.

1. Log out when you aren’t using it:

Ever click the “like” button on a non-Facebook web page? Notice how you didn’t have to log in for Facebook to know that you “liked” that page or piece of content? Facebook uses cookies to track your actions on any site that includes Facebook code. With rare exceptions, web sites want to make it easy for you to “like” their content so you can advertise their product to all of your friends. Even when you don’t click a Facebook related content button, your profile information and actions on that site are shared back with Facebook. This is easy to prevent by logging out of Facebook when you aren’t using it.  Except, of course, when Facebook tracks you even after you have logged out (http://nikcub.appspot.com/logging-out-of-facebook-is-not-enough ). Try using Facebook in a different browser – if you use Internet Explorer for most of your surfing, download Firefox or Safari and use it as your exclusive social media browser.

2. Make lists:

Think of lists as different identities you can use when you post information to Facebook. Do you have embarrassing inside jokes that you share with your oldest friends? Are there things you share with your family that you wouldn’t want your employer to know? Of course! Lists are a way to keep the things you share separate. On the top right of the page, click the home button, and then click  “Lists” in the left hand navigation bar. Think through the different types of postings you plan to share and build lists that reflect those divisions. Once you give the list a name, you will be able to add people to that list

Add existing friends to your new lists by clicking on account > edit friends.  You can also add people to lists as you send or accept friend requests.

3. Manage access to your posts:

When you add a status update, there is a small gray button in the bottom right of the status update window, right next to the blue button that says “post”. The name of this button will depend on your default posting settings, mine says “friends” since my status updates are sent to my friends list by default. If you click the drop down button, you will see the other lists that you have created. Get into the habit of checking this button to make sure your post is going to the right list.

4. Don’t use the “with” or “location” options for status updates:

In the bottom left of the status update window are two buttons – a small circle that represents a map pin and a silhouette with a plus sign next to it. The plus sign allows you to select a friend and include their Facebook profile name in your post. Ask first. There is nothing worse than sharing the fact that you are at a baseball game with a friend and that friend had to call in sick to make the game, and their boss is somewhere in your network!

Sharing your location is also a bad idea, unless there is some reason a particular group of people needs to know where you are at a point in time. Keep in mind; if you share the fact that you are at an art opening, you are clearly not at home. This information has been used to determine when to break into someone’s home or office.

Also, in your privacy settings, choose the “how tags work option” and turn “friends can check you into places” option off to reduce the chances of this happening to you.

5. Limit the visibility of old posts:

If you haven’t been keeping up with all of this privacy stuff in the past, you may have some clean up work to do. You can go back through old wall posts and change the visibility of any post by changing the list the post was originally published to. To change access to all previous posts, click account > privacy settings and choose “Limit the audience for past posts.” You will receive a bunch of warnings, but if you have a lot of posts this is the easiest way to update them all.

6. Monitor your tags:

One of the biggest concerns, especially among job seekers, is being tagged in a photo. When you are at a party and someone takes a picture, run and hide! If that doesn’t work, you may need to turn on tag monitoring to reduce the chances of being tagged in a photo or video and having that tag show up on your wall. To do this, go to Account > Privacy settings and choose the How Tags Work option. Turn on both Profile Review and Tag Review. This will allow you to review and approve any posts in which you have been tagged before they are added to your wall. You can’t keep these tags from showing up elsewhere, but at least they aren’t related to your profile.

Let me know if you have any other suggestions to protect your privacy while using Facebook!

Facebook Privacy Challenges, Social Networking for Good, Moving Away from Innocent Until Proven Guilty

Facebook is moving to create a Political Action Committee to further it's interests: http://articles.sfgate.com/2011-09-28/news/30211216_1_sheryl-sandberg-political-profile-chief-privacy-officer
At the same time, Facebook faces calls for investigation into its use of cookies even after the subscriber logs out: http://www.zdnet.com/blog/facebook/us-congressmen-ask-ftc-to-investigate-facebook-cookies/4218 Here's how it works - instead of deleting cookies when a subscriber logs out of Facebook, the cookies are modified. When a user visits a page that includes a Facebook feature (such as the "like" button - just about every page on the web) Facebook can continue to gather behavior data about that subscriber. Facebook says they have stopped the practice, but calls for investigation continue. Australia has agreed not to investigate Facebook for the same offense since FB has claimed to fix the problem: http://www.theaustralian.com.au/australian-it/australias-privacy-commissioner-will-not-investigate-facebook/story-e6frgakx-1226156749063

The Irish data commissioner will investigate Facebook after receiving a list of 22 different complaints: http://www.zdnet.com/blog/facebook/irish-data-protection-commissioner-to-begin-facebook-audit/4262 Two items I found particularly interesting:

1. Postings that have been deleted showed up in the set of data that was received from Facebook.
2. Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted

These accusations, if they are found to be true, are disturbing.

Facebook also faces a lawsuit regarding the new timeline feature: http://news.cnet.com/8301-1023_3-20113958-93/chicago-company-sues-facebook-over-timeline-feature/

It's hard to be the big dog on the block.

Mobile phones are making a difference to the health of Africans: http://mashable.com/2011/09/27/phones-doctors-africa/?WT.mc_id=en_top_stories&utm_campaign=Top%2BStories&utm_medium=email&utm_source=newsletter with a variety of different programs such as text messages to remind people with chronic illness to take their medication, support numbers to call for help with AIDS and HIV related questions, and Dr.'s are being issued mobile devices with pre-loaded medical information  on them, such as drug guides.

The European Commission for the digital agenda has issued a report on the safest social networking services: http://www.dmwmedia.com/news/2011/10/04/habbo-and-xbox-live-safest-for-kids-with-infographic X-Box live and "Habbo" come out on top.

A company called OneRecovery uses social networking as a support tool for recovering addicts, and hires a new chief medical officer: http://eon.businesswire.com/news/eon/20111004005528/en/Laura-Clapper/social-networking-in-health-care/personalized-platforms-for-behavior-change, and nudists get a chance to connect with one another in their own social networking forum called True Nudists: http://www.prweb.com/releases/2011/10/prweb8835245.htm

Last, but certainly not least, there have been a number of developments related to "passive surveillance". The idea here is that surveillance should only bother people that have nothing to hide. A very well articulated argument by a lieutenant in the university police force on the Channel Islands: http://chronicle.com/article/Mining-Student-Data-Could-Save/129231/?sid=at&utm_source=at&utm_medium=en

Four New York Senators argue the first amendment should be a privilege rather than a right, allowing for that privilege to be revoked if someone acts in an offensive or bullying manner, especially using electronic communication: http://volokh.com/2011/09/30/four-new-york-democratic-senators-proponents-of-a-more-refined-first-amendment-argue-that-this-freedom-should-be-treated-not-as-a-right-but-as-a-privilege/

The "known traveller" program begins: http://thehill.com/blogs/transportation-report/tsa/185491-tsa-begins-testing-known-traveler-program-at-four-airports allowing individuals to skip the long lines at the airport (which Schneier calls security theater: http://www.schneier.com/blog/archives/2009/11/beyond_security.html) in exchange for undergoing a background check prior to traveling. The incremental erosion of privacy by the seduction of convenience is difficult to fight. Each time we volunteer to participate in surveillance in exchange for avoiding an inconvenience, we take a step away from our ability to both hold government and corporations accountable, and limit their power.