March 28, 2005
Spammers Make Creative Use of Dictionaries

Has anybody else noticed this recent trend in spam? I have been getting tons of spam recently where the "From" name is some ridiculous combination of English words. Never before have I derived this much enjoyment from browsing through my Junk folder looking for e-mails I actually want.

The following are examples of some of the most ridiculous names:

Hump P. Recombining
Jersey A. Judgmental
Oxygenates F. Refocussing
Affidavits V. Exclusivity
Telepathically H. Acoustics
Junctions B. Permafrost
Coolest O. Taciturnity
Pralines V. Marinate
Blameworthy I. Insoluble
Dreary D. Scream
Pirouette F. Waterproofing
Social F. Frighteningly

Here are some that (accidentally?) seem quite appropriate to the obnoxious unsolicited material contained within:

Exasperate H. Unasked
Seller T. Scandalously
Subdued K. Industriousness
Monopolization C. Mistreated

The words do not seem to have any relationship to the content of the particular messages. Anyone have an idea why spammers are doing this? I assume it is part of the neverending quest to not be recognized as spam by spam filters, but mine still catches them every time.

I wish someone would think up something funny like this to do with these crazy names.

Posted by Tara Wheatland at 10:48 PM | Permalink | Comments (0) | TrackBack (4)
March 16, 2005
March 29th

As we progress towards the oral argument in the Grokster case, I'm sure more articles like this nytimes one will pop up. This article is mainly topical, but it highlights the growing stress cloud on every technologist's brain. With Sony in the background we can code away and create whatever general purpose technology our imagination allows us to. If the Supreme Court modifies Sony, every line of code will be harder to write since we'll have to think of its ramifications and potential liability.

Here is to hoping that the Supreme Court realizes that the **AA's immediate problems pale in comparison to the severe long-term harm a gray-line Sony modification would cause.

Posted by Susheel Daswani at 10:35 PM | Permalink | Comments (1) | TrackBack (0)
March 14, 2005
Let the Sun Shine on DRM

Oh irony, how delicious you are:

+ Sunday, March 13 marked the beginning of the first Sunshine Week, an undertaking of the American Society of Newspaper Editors dedicated to "[o]pening a dialogue about the public's right of access to government information."

+ BoingBoing reports that the Government Printing Office will begin employing DRM on certain government records. See a paper by three librarians from UC San Diego's Social Sciences and Humanities Library for more info. The GPO describes their plan as a "new model for no-fee public access," which is (somewhat cynically) doublespeak for "a way to make sure the public doesn't get too much information for free."

Consider the dialogue opened...

Posted by Tara Wheatland at 11:07 PM | Permalink | Comments (0) | TrackBack (0)
March 10, 2005
Solove on Database Privacy: Kafka v. Orwell

Earlier this week, boalt.org hosted Daniel J. Solove, law professor at George Washington University, who talked about his fantastic new book The Digital Person: Technology and Privacy in the Information Age. His talk and his book come at an opportune time--on the heels of problems with ChoicePoint and other commercial databrokers. The book is a must-read!

Prof. Solove's book identifyies the "other you"--the digital you--that lives through your personal information inside of countless commercial databases, databases maintained by companies that you may not have heard of, but that certainly have heard of you. Why should you be concerned about this digital person? The information in these databases is used all the time to make decisions about you--it is used to determine your credit rating, how you might vote, whether you can get a credit card, whether you can get a job, what advertising should be sent to you, and even whether a retailer or business wants to do business with you. Wouldn't you like to have a say in this? ...If not to completely control what information is included, or how that information is used, but at least to make sure the information is correct? Sorry. No dice.

In The Digital Person, Prof. Solove argues that any hope of remedying this situation must begin with an overhaul of the way in which we conceptualize the problem. Outmoded metaphors used to describe the nature of privacy and privacy violations can, according to Solove, inhibit effective laws which intended to remedy the particularized problems presented by the proliferation of commercial databases of personal information. Such metaphors mischaracterize both the activities of the bad actors and the nature of the harms they cause.

Commonly invoked, of course, is Orwell's image from 1984: "Big Brother"--a central authoritarian power that aims to control, oppress, and dominate the people through constant conspicuous surveillance. The harms envisioned here are inhibition and self-censorship due to the surveillance. Solove argues that this metaphor is inaccurate because in today's world, the digital person is constructed by businesses who want to collect information as inconspicuously as possible, for the ultimate purpose of getting you to buy more stuff. Solove presents an alternate source of metaphor, more appropriate to this situation--Kafka's The Trial. Josehp K.'s struggle with an invisible bureaucracy replicates the helplessness, vulnerability, and frustration that many experience when they discover false information in a commercial data broker's file, or worse, are rejected from a job or for reasons unknown to them.

Go read The Digital Person! The book includes a comprehensive description of the developments in commercial collection of personal information, a history of privacy regulations, more analysis of the 1984 and The Trial metaphors, and proposed legal solutions! You can also watch video of Prof. Solove's talk, linked from boalt.org's speakers page under 2005, Daniel J. Solove.

Posted by Tara Wheatland at 04:24 PM | Permalink | Comments (0) | TrackBack (0)
March 03, 2005
Un-Spinning the ChoicePoint Scandal

Many of the popular news media have got the most recent ChoicePoint scandal all wrong.

The following are a few headlines (culled from Google News) of stories regarding this issue, including the other similar past incidents now surfacing:
Hackers crack ChoicePoint (The Glove and Mail/AP, Feb. 16, 2005, reg. req'd)
Californians warned that hackers may have stolen their data (USA Today/AP, Feb. 16, 2005)
Report: SoCal thieves stole ChoicePoint records years ago (SignOnSanDiego.com/AP, Mar. 2, 2005)

The persons, admittedly criminals, who gained access to "critical personal data" on hundreds of thousands of U.S. citizens did not steal the data--ChoicePoint sold it to them.

The inaccuracies and inconsistencies in these stories go far beyond the headlines. For instance, the above cited AP article states that "hackers penetrated the company's computer network" and that "several hackers broke into its computer database and purloined data." However, the article continues to describe that the so-called hackers used stolen identites to establish businesses and create about 50 "accounts" with ChoicePoint. This line of explanation stops there, leaving out the next event in the chain, in which ChoicePoint granted these accountholders access to intimate and valuable personal information on hundreds, thousands, millions of U.S. citizens. Some articles, however, get the details mostly right. MSNBC, for example, broke the story as "Database giant gives access to fake firms."

Now, I do not mean to say that what these persons did was right, or legal. First, the use of the personal data to defraud or steal from individuals is certainly illegal, and second, their actions in gaining the data might be criminal under theories of theft by fraud or false pretenses (see, e.g., Cal. Penal Code § 487 (" Every person who shall... fraudulently appropriate property which has been entrusted to him or her... is guilty of theft."). But there was certainly no case of of "hacking" as we normally understand this activity--no skilled computer users breaking through technological security measures to gain access to information they have no "right" to see. In this case, ChoicePoint voluntarily granted access to these accountholders. The real "wrongdoing" here is very complex--it is entwined with ChoicePoint's business practices, practices about which the public remains primarily unaware.

To be fair, ChoicePoint itself is technically honest about the nature of the incident--in an online statement (that I only found through Googling, not through any intuitive or easily discovered link on ChoicePoint's website), ChoicePoint points out that "[t]his incident was not a breach of ChoicePoint's network or a 'hacking' incident, and did not involve any of ChoicePoint's customer information." By customer information, it means information about ChoicePoint accountholders, businesses who purchase consumer information from ChoicePoint. Despite this technical honesty, ChoicePoint has done nothing to widely publicize this popular misconception, and is overall pretty "squishy" about addressing this incident, and more broadly, about discussing how they do business.

So what went wrong here, putting aside the use the criminals made of the information gained from ChoicePoint? The criminals did not hack into ChoicePoint databases, nor did they, by common definition, "steal" any information. The main problem was arguably on ChoicePoint's end--the criminals successfully circumvented ChoicePoint's "tests" for legitimacy of purpose.

To understand what really happened here, you have to know a little bit about ChoicePoint's normal course of business. According to the Electronic Privacy Information Center's ChoicePoint page, the following is a partial list of the information that ChoicePoint sells to businesses (among other entities):

claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches...print fulfillment, teleservices, database and campaign management services...

Some of this information contains such sensitive information as Social Security Numbers and Drivers License Numbers. According to an interview with ChoicePoint CEO Derek Smith from a Georgia NBC television news affiliate, when a business comes to ChoicePoint requesting to purchase such data, ChoicePoint subjects this business, as a requirement for opening an account, to a "credentialing" process, one he claims is among the most rigorous in the market. Smith characterizes this process as one that is aimed at determining whether the company is a "legitimate business" with a "permissible purpose" in accessing U.S. consumer information. This credentialing process can involve such activites as making sure the business is properly licensed in the state in which it is located, checking to see if the business receives and pays utility bills for business facilities, and sometimes a site inspection, activities which let ChoicePoint know if the entity has a "real likelihood of being a business capable of accessing the information."

This interview with Smith, linked from ChoicePoint's website and clearly intended to inform consumers about the issues and alleviate concerns, leaves many questions unanswered, and Smith is less than thorough in his responses to many of the interviewer's questions. For example, when asked how a company like ChoicePoint could let something like this happen, Smith defends their rigorous credentialing standards, and chalks the fiasco up to the "sophistication of organized crime to infiltrate all American businesses." Although little information has been released about the perpetrators in this case, a similar scam has been revealed to have taken place in 2002--are the "Nigerian-born brother and sister" convicted as a result of that incident the sophisticated members of organized crime Smith refers to?

In fact, Smith has boldly claimed that "ChoicePoint's core competency is verifying and authenticating individuals and their credentials." Yet it appears, from statements he makes later in the interview, that these individuals were able to pass muster by presenting California business licenses alone. Smith gives no indication that of any of the additional safeguards he described earlier were employed.

Smith also stresses the fact that "we were the ones that identified the fact that there appeared to be fraudulent activity taking place, and we notified the California authorities to the fact that we thought something in fact was awry." He does not mention that ChoicePoint was required by law to notify California residents if certain pieces of their personal information are "leaked" or disclosed improperly. It was only after this required disclosure that ChoicePoint voluntarily notified the hundreds of thousands of consumers in other states that their information had been compromised as well.

More importantly, it is VERY unclear what qualifies as a "permissible purpose." When asked, Smith states that permissible uses of information are outlined in regulatory guidelines, without identifying these regulations or what uses they deem permissible. Later in the interview, when asked what he believed to be legitimate uses of the personal data they sell, he gives only one primary concrete example--doing background checks on applicants for employment or volunteer positions, to determine that they are "who they say they are," and that they don't have any criminal record. He also refers vaguely to several cases of ChoicePoint assisting in the tracking of missing or kidnapped children, without giving details about how personal information was used to accomplish this task. Smith makes no mention whatsoever of the activites that make up the great majority of ChoicePoint's business: selling data to direct marketers and law enforcement agencies. Unlike the examples given by Smith, these activities have little to do with the lofty and emotionally resonant purposes of protecting consumers' personal safety.

While the compromising of so many thousands of persons' personal data is truly a tragedy, many hope that this incident will raise awareness of the serious privacy problems presented by the actions of modern commercial data brokers. But the spin put on these issues by ChoicePoint, and picked up by the popular media, is standing in the way of a deep public awareness of the problem. Unspinning these reports is the first step to a solution! As a next step, consider the following--ChoicePoint considers direct marketing and law enforcement investigations to be legitimate uses of your aggregated personal data. Do you agree?

For more information on the various dangers presented by ChoicePoint and similar commercial data brokers, see EPIC's ChoicePoint Page.

Posted by Tara Wheatland at 07:35 PM | Permalink | Comments (1) | TrackBack (3)
March 02, 2005
On understanding "End to End"

One of the most succinct briefs submitted by amici to respondents in the MGM v. Grokster case was authored by a team of CS professors. The crazy thing is that an earlier post of mine pretty much summarizes their argument. Which isn't to say I'm special in any way - the ideas present in both pieces are basic knowledge to all computer scientists. The main point is that the Internet, and every type of communication the Internet allows, is content neutral. When organizations say they have a problem with file sharing, they should blame this content agnostic nature of the Internet, not file sharing companies. Unfortunately, though they either aren't keen enough or willing to pick up on this, they are trying to lock down new digital platforms so they can avoid 'problems' in the future.

Posted by Susheel Daswani at 12:45 PM | Permalink | Comments (0) | TrackBack (2)