Archives for Tech and Politics

Big Brother’s Riding Shotgun

May 12, 2009

I live in Massachusetts where the governor and state legislature seem bent on giving new life to the moniker “Taxachusetts.” Our local news headlines lately have been all about turnpike toll increases, gas tax increases, sales tax increases, and a new kind of road use tax assessed through the use of a GPS tracking device that tallies the miles a car travels over state asphalt.

Sadly, Massachusetts isn’t the only place considering such a tax – known as a VMT (vehicle miles taxed). Following a pilot program, Oregon officials concluded that a VMT was a “viable” option for that state, and although the U.S. Transportation Department has said a VMT program “is not and will not be Obama administration policy,” Transportation Secretary Ray LaHood has made conflicting statements, including, “We should look at the vehicular miles program where people are actually clocked on the number of miles that they traveled.”

Now, I’m not a black helicopter, Trilateral Commission-Star Chamber conspiracy theory kind of guy, but I don’t like the way this is headed. So this isn’t just an anti-tax rant. Rather, it’s a warning about giving state and federal agencies the authority to track the comings and goings of individual citizens. Little thought is being given to the negative implications for privacy, liberty, or people’s faith in government.

To date, the clear trend favors unfettered tracking. Government use of GPS is being tested on a number of different fronts in the courts, and the government is winning. In many states, sex offenders’ movements are monitored by the use of a GPS ankle bracelet, and while a judge in Massachusetts recently ruled that a suspected sex offender cannot automatically be required to wear such a device, their use was lawful in specific instances. Meanwhile, a Wisconsin appeals court just this week ruled in favor of the warrantless attachment of GPS devices to automobiles in order to track individuals suspected of crimes, although that court did offer the caveat that it was “more than a little troubled” by the practice. Other jurisdictions are using the devices to ensure compliance with court orders restricting the movements of offenders in domestic violence cases.

As use of GPS tracking devices moves into the realm of revenue collection, spokespeople for the state and federal agencies involved have offered verbal assurances that citizen privacy would be a primary consideration. Such acknowledgements and caveats are cold comfort for anyone who is concerned by steady governmental encroachment on individual privacy and liberty.

Some would explain away these developments as necessary in an age where the people require more protection of their public servants. Threats both foreign and domestic, they argue, lurk in every shadow and safeguarding from such dangers costs money. Technology, of course, is the cure for both ailments. It’s easy, it’s getting less expensive and tagging your car or boat is only nominally intrusive – until you consider where the information about where you go and what you do ends up.

I very much doubt that I am the only person who – even in a post-9/11 world – is more troubled by the imminent prospect of having Big Brother as my constant driving companion than I am at the remote chance of becoming the next victim of al Qaeda or a more mundane villain. Nor am I interested in making it any easier for Uncle Sam to gain access to my wallet.

But I also get the sense that this relentless but nevertheless quiet assault on personal liberty and “creative revenue enhancement” has inflicted a kind of societal post traumatic stress disorder on the American people. We’re in a stupor and don’t know how to respond, nor do we have the collective strength to respond. We’ve been bombarded by overhyped fear of terrorism, economic collapse, environmental disaster, and social crisis to the point where we barely put up a fight even as Congress demands trillions of our money without a clear reason why. I have to wonder: do we even care anymore?

In his Barr Code blog, former GOP congressman and Libertarian presidential candidate Bob Barr recently wrote of the public’s waning faith in government and of how recent studies show the country is growing increasingly suspicious of its public agencies. That’s, in part, Barr concludes, because the politicians and bureaucrats who staff these agencies conduct themselves as if they are above the laws they have sworn to uphold.

The many tax cheats nominated (and confirmed) for cabinet positions within the Obama Administration, along with the previous administration’s penchant for secrecy, illustrate Mr. Barr’s point.

When the message coming out of Washington is, “Do as I say, not as I do,” and all the while the hands and eyes of government continue to probe into the personal affairs of the average Joe, it is clear that there is a disconnect between the citizens and our elected officials.

No taxation without representation was once a rallying cry against tyranny. Today it seems the Sons of Liberty have lost their voice.

Posted by Mike Spinney at 7:44 PM | Permalink

You Have Zero Privacy — Enjoy It!

Apr 23, 2009

Oracle Corporation is the apparent winner in the $7.4 billion race (power walk?) to buy Sun Microsystems. I’m not a tech industry analyst, so I don’t have a lot to add to the conversations taking place over the financial or industrial implications, but the deal does bring to mind the now infamous words of former Sun CEO Scott McNealy, who said in 1999, “You have zero privacy anyway. Get over it.”

That quote has echoed down through the years since it was first uttered and it is either praised for its insight or decried with varying degrees of fervor depending upon your view on the subject. For my part, I think McNealy was spot-on – and dead wrong. You have zero privacy — enjoy it!

“Zero privacy” was McNealy’s way of pointing out that the then-nascent issue of the Internet’s impact on consumer privacy was merely accelerating the pace at which an individual’s personal information could be gathered, accessed, processed, and put to use by the organizations already using and abusing names, addresses, telephone numbers, and credit profiles. And he was absolutely right. Our personal information has always been part of the currency required to transact business, but the democratization of commerce in the Internet age opened a vast array of new opportunities to access and put that currency into circulation.

Yet pronouncements of privacy’s death, it turns out, have been hoist by their own digital petard. That same democratization has given individuals – you and me – more control over that information and more say in the privacy of our personal information.

I am a big believer in the marketplace of ideas and have full confidence that, as a whole, regular folks are smart enough to make their own good decisions. Others disagree, and have made it their life’s purpose to urge state and federal governments to layer more and more legislation on top of an already byzantine regulatory landscape that seems to have only one purpose: protecting people from themselves. Thanks, but I like to make my own decisions.

Crusaders like the Center for Digital Democracy and its director Jeff Chester seem to never be satisfied until their vision of how the world should be has been foisted upon an ignorant and ungrateful nation. Their weapons – volume and hysteria – are brandished against corporate America in the mistaken belief that there is evil lurking behind every successful business plan.

The Federal Trade Commission recently issued a repudiation of the demands of overzealous privacy advocates like Chester when it allowed the online advertising industry to self-regulate rather than issue a set of rules that would likely be obsoleted by the inexorable march of innovation by the time the rules were ratified. The guidelines, drafted under the Bush Administration and issued by the FTC this past February, were delivered with a stern warning when Commissioner Jon Leibowitz said, “This could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy in a dynamic online marketplace.”

Companies like Google and Microsoft, popular targets for the advocates’ ire, have been pretty good citizens in spite of what has been implied. But under the Obama administration Leibowitz’s lingering threat might be enough to keep companies from taking too many chances. Taking chances is what innovation is all about – it’s in the DNA of many tech companies – so it’s anyone’s guess who wins this fight.

Posted by Mike Spinney at 10:00 AM | Permalink

Danger: Government At Work

May 4, 2007

Yesterday, while conducting some research for an article I’m writing for one of my clients, I skipped over to the Privacy Rights Clearinghouse’s website to get the latest update on one of my favorite subjects: data breaches. Yes, I know I need to get out more often, but I’ve had a front-row seat for this suddenly hot issue since I joined the staff of the International Association of Privacy Professionals five years ago (which, I guess, is a privacy geek’s way of saying, “I liked that band waaaaay before they were popular”).
In the process of reviewing the year in failed data security, I noticed a very disturbing trend that did not come as a surprise, but which hadn’t struck me until that moment: while TJX Corporation has been rightly getting raked over the coals since the January 17 disclosure that credit card and other personal information of more than 45 million customers had been compromised, the data privacy of most Americans has been perpetually at risk thanks to information security bungling at the hand of local, state, and federal government agencies.
Add state run colleges, universities, and primary and secondary schools in the mix and the story gets more disturbing.
Perhaps we’ve grown numb to garden variety privacy violations. After all, when the Veterans Administration allows an unencrypted laptop computer with the names, addresses, Social Security numbers, and other individual-specific information of more than 28 million current and former military service members (a breach that affected me) to go home with an employee, and that computer is stolen, we can’t be expected to get too worried when a computer hard drive is stolen from the California National Guard and the identities of a mere 1,300 soldiers deployed to the Mexican border are put at risk. Or when 4,000 employees at the Indiana Department of Transportation mistakenly have their names and SSNs posted to a non-secure network. Or when sensitive information on 12,000 Broward County, Florida child welfare cases, including adoption information, is stolen by a dishonest employee.
And the list goes on.
According to the Privacy Rights Clearinghouse’s tally, more than 6.2 million people have had their personal information stolen or otherwise put at risk because of security failures at government agencies since January 1, 2007. Included on the list of offenders are:
Wisconsin Department of Revenue
North Carolina Dept. of Revenue
Internal Revenue Service
United States Veterans Administration (Seattle, Wash.)
Chicago Board of Elections
Wahiawa (Honolulu, Hawaii) Women Infants and Children program
Indiana Department of Transportation
Massachusetts Department of Industrial Accidents
New York Department of State
U.S. Veterans Administration (Birmingham, Ala.)
New York Department of Labor
Indiana State Government constituent services website
Social Security Administration (Milwaukee, Wisc.)
California Department of Health Services
United States Census Bureau
California National Guard
United States Department of Agriculture
Ohio State Auditor
St. Mary Parish, Louisiana Child Support Services
Georgia Department of Community Health
Georgia Secretary of State
Federal Emergency Management Administration
Baltimore County Department of Health
Note that the above doesn’t include school systems and state colleges and universities, which would have added no fewer than 275,000 names to that number. Offending schools and systems include:
University of Arizona
University of Idaho (twice)
University of New Mexico (twice)
Clay High School (Ohio)
Eastern Illinois University
University of Missouri
University of Nebraska
Central Connecticut State University
East Carolina University
Iowa Department of Education
City College of San Francisco (twice)
Georgia Institute of Technology
University of Montana – Western
University of California, San Francisco
Chicago Public Schools
Black Hills (South Dakota) State University
Ohio State University
New Mexico State University
When TJX blows it, lawyers get involved, Congressional committees are assembled, and customers can vote with their feet by choosing to shop at competitive stores. When the agencies at which we must do business mess up, where do we constituents go? Is there another agency competing to collect my tax dollars, or must I still send my check to the IRS – even if I don’t feel as though I can trust that organization?
Market forces compel TJX to respect the customer. A sense of civic responsibility should be all that is needed to ensure that public agencies maintain the public trust.

Posted by Mike Spinney at 1:46 PM | Permalink

Save Me From Myself!

Dec 7, 2006

On November 27, the independent, non-commercial online journal The NewStandard carried an article with the headline Marketers Still Free to Stalk Consumers Online.

Chilling. Sinister. Creepy. Nonsense.

The complaint focuses on a very narrow view of the online world, exploits a general lack of understanding of how that world operates, and rises from the faulty premise that interactive marketing, by definition, requires that companies spy on consumers. If you recall from my “Fear of the Unknown” series of a few months back, you know I’m not a big fan of this kind of fear mongering. I get especially piqued when published arguments are based on far-fetched, sometimes dangerous assumptions, and one-sided reporting.

The premise is that consumers must be saved from themselves, and that only the good people at US PIRG and the Center for Digital Democracy (with a little help from our benefactors in Washington DC) are able to see and eliminate the danger for the rest of us. Specifically naming boogeymen like Microsoft, Yahoo!, and Google (big companies, and Microsoft in particular, make good foils for David and Goliath scenarios), US PIRG and the CDD have asked the Federal Trade Commission to step in and assail capitalism… er, protect citizens’ best interests.

The problem is that the idea of customer choice is completely ignored. Here’s a revealing line from the press release announcing the two groups’ 50-page complaint filed with the FTC:

[T]he data collection and interactive marketing system that is shaping the entire U.S. electronic marketplace is being built to aggressively track Internet users wherever they go, creating data profiles used in ever-more sophisticated and personalized “one-to-one” targeting schemes.

Schemes. I like that word. It’s so… loaded.

What US PIRG and the CDD are really saying is that the American public would much rather receive random marketing messages while online than to establish trusting relationships with their preferred merchants. We’d rather receive more spam in our in-boxes and be interrupted by yet another offer for a low-interest home equity loan than to willingly be notified of offers we’re more likely to want.

Behavioral targeting, the demon US PIRG and the CDD seek to exorcise, is not a sort of fulcrum used to pry money unwillingly from the public’s wallet, as the two groups would have us believe. It is, rather, a means by which our favorite vendors can better communicate with individual consumers and cater to our preferences. What’s so wrong about that?

I often shop for fly fishing gear at the online sites run by Orvis and LL Bean. I have done business with both stores for years, I trust both to respect my personal information, and when they communicate with me, I’d rather they stick to telling me about the stuff I’m most likely to buy. And as long as that trust is not violated, I’ll continue to do business with both companies and to provide them with information about my preferences so they can better serve my needs.

Orvis and LL Bean don’t need to “spy” on me because they’ve earned my trust. That trust translates to a competitive advantage. I willingly cooperate with them in that effort because it is to my benefit.

And while it seems a token effort was made by the author of the article to reach out to a couple of players in the behavioral targeting industry, I see no input by accessible and well known experts in the field: guys like Alan Chapell, or even anyone at the industry’s leading consortium, the Network Advertising Initiative.

What US PIRG and the CDD are doing is attacking the holy grail of on- and off-line marketing by saying that companies, rather than target customers and potential customers with highly specific messaging, should instead go back to the mass mail model – send postcards to tens of thousands of “residents” in a particular zip code and hope for a strong enough return to make a profit off of the effort.

In marketing they call it “spray and pray,” and it is far more maddening than behavioral targeting. Regulating away a company’s ability to target based on behavior would be counter productive; it would eliminate an important tool that responsible companies are already using to provide consumers with better service. Behavioral targeting isn’t about spying, it’s about two-way communication and it’s about telling people who are likely to buy certain goods that those goods are available – or, better yet, available on sale.

Besides, I’m not sure the feds are the best folks to put in charge of any effort to eliminate domestic spying.

Posted by Mike Spinney at 4:15 PM | Permalink

Merry Christmas and a Vista New Year

Nov 30, 2006

In early 2007 Microsoft will finally get around to blessing the world with its new Vista operating system, which is being unveiled today in New York. Touted as a major upgrade from Windows, including a slick new user interface and sturdy new security features, the new OS has been the subject of a great deal of discussion and debate.

An operating system is the software that allows jamokes like me to be productive with a computer even without a working knowledge of binary code. Click on a pretty picture and stuff happens. Fast. I’ve long since forgotten the DOS commands I once used to coax information out of antediluvian green-screen computers, and it is all thanks to the geniuses who figured out how to build commands behind an icon.

Some folks can’t wait for Vista to hit the shelves, but don’t expect pent-up market demand to explode into the sort of violent frenzy that plagued PlayStation 3. Prevailing sentiment is less than enthusiastic – word on the street is more bust than blockbuster.

That doesn’t mean Vista won’t be a commercial success; it absolutely will. But Vista’s eventual popularity will be more testament to Microsoft’s inexorable market dominance than to the company’s engineering prowess. If Mr. Gates’s little venture has proven anything, it is that it knows how to use market dominance to its fullest effect, and that savvy will ensure that fans and critics alike will be using Vista before long. They have no choice.

Lance Ulanoff, PC Magazine’s reviews editor, explains why this will happen, even if the process takes a couple years.

“Vista will not be a runaway success,” Ulanoff deadpans. “It will be an evolutionary one, where, over time, Windows XP fades and Vista emerges as the default OS for PCs. Don’t be so shocked. This tale played itself out with Windows 95, 98, and XP. Vista’s success is, as far as I’m concerned, a fait accompli.”

Andy Rathbone, author of the Windows for Dummies series of books, including Windows Vista for Dummies, agrees.

“Vista lacks a killer feature that convinces people to upgrade,” he says. “Instead, Vista will trickle into the marketplace when people buy new PCs, eventually pushing XP to the number two spot in a few years.”

Rathbone doesn’t believe Vista’s new security features – one of the oft-mentioned improvements baked into Vista – offer users much of a step up over Windows XP. In fact, he says all that has been added is an extra step that gives the user an opportunity to stop or continue a potentially risky operation.

“Most users won’t have a clue – they simply expect their PCs to work,” Rathbone says. “So they’ll click ‘continue,’ exposing their PC to the same problems as before.”

Users are also skeptical. Rich Place, proprietor of the technology services firm MantisTech, says he’s not looking forward to Vista, which he characterizes as a “RAM hog.” RAM – meaning Random Access Memory – is the processing power available to run most of a computer’s programs. A computer should have 2 gigabits of RAM available for Vista to run efficiently, and because most folks are running systems with 1G of RAM, Place says he doubts the average user will benefit in proportion to the investment.

“Not sure why you would plunk down the dough for the OS and upgrades or get a new, bigger computer just to say you have Vista,” he says, adding that the computing habits of most users – word processing, email, web browsing – don’t require all that is wrapped into Vista.

Place is a power-user, so migration to newer products is often not optional for him if his clients’ needs require that he also upgrade, and he grudgingly accepts that it’s part of the PC economic cycle. Windows 98 may still work fine for some folks, but by forcing those systems into obsolescence and introducing software products that demand more processing speed and power, the tech economy is assured of a boost every few years.

Michael Wexler, co-founder and CTO of HiWired, a company that provides tech support for small businesses and consumers, sees a mixed bag in Vista. Like Rathbone, Wexler believes the security process may prompt users to fall into the dangerous habit of continuing with dangerous executions for the simple reason that they do not understand what is being asked. And, like Place, he sees potential problems for users who upgrade to Vista without also upgrading RAM on their current platform.

And while Wexler is disappointed enough about what he calls Vista’s “limited backward compatibility” that he is not recommending an immediate upgrade for his customers and clients, he does say that it’s not all bad. Parental controls for children on the Internet, and a “crisp new look and feel that end-users will find valuable” are a couple of the new features he likes.

Microsoft declined an opportunity to respond to the criticisms of the user community. Perhaps the inevitability of Vista’s eventual success through market coercion has dampened their motivation to rise to their own defense, or maybe it’s simply corporate hubris at play. One would think there would be enough brand pride to prompt some sort of counterpoint, though there are enough Vista advocates available to stand up where Microsoft will not.

“I’ve been using Vista on a number of different machines for well over a year now, so I’m intimately familiar with both its strengths and its flaws,” says Paul McFedries, author of Windows Vista Unveiled. “There has been much speculation in the press and in the blogosphere about the merits of Vista and whether people will move to it.

“For me, however, all the Vista pros and cons boil down to a simple question: Will I switch to Vista as soon as it’s available? The answer is a no-brainer: I can’t wait to upgrade my main machine from XP Service Pack 2 to Vista. It’s fast, robust, secure, and beautiful to look at. What’s not to like?”

Meanwhile, Ken Colburn, president of the national computer service chain Data Doctors Computer Services, sees the grousers as nothing new for Microsoft, and says that legions of detractors merely come with the territory for a market leader. Colburn says the dramatic improvements some pundits wanted to see could never happen without causing unacceptable upheaval within the existing Windows installed base, which is close to 90 percent of the total personal computer market. Beyond the immediate gains Vista users will enjoy, another thing Colburn says Vista will do is provide a broad economic boost for the tech sector.

“From an economic standpoint, Windows Vista stands to kick-start many technology related companies in 2007,” Colburn predicts. “Everyone from vendors of hardware, software and peripherals, to anyone that services Windows-based systems and networks will be presented with many new revenue opportunities based on the adoption of Vista.

“Those of us in the industry all have the same opinion,” he continues. “It’s about time.”

Posted by Mike Spinney at 7:00 AM | Permalink

Analysis Paralysis

Nov 9, 2006

Back in the mid-1990s, when the high tech sector was on the cusp of exploding into an economic runaway train and I was knee-deep in flackery, there were a number of shell games that my clients would use to appear bigger and more vital than they really were. I was still either naïve or all too willing to suspend disbelief and help them carry off the illusion, diligently assembling communications strategies and writing copy replete with terms like strategic partner, product vision, and leadership position.

Like the frilled lizard putting on an impressive display, the hoped-for outcome was to cause some to believe we were bigger than we actually were, or to pause long enough for us to figure out a way to assess the situation and gain an advantage.

We called it stalling competitive sales. It was a transparent move, and a dangerous one for companies with no real product to sell, but it played to the client’s ego and to unrealistic product development expectations. New laws and regulations designed to create more transparency in corporate governance, plus the threat of public backlash and public relations disaster seemed to put most of corporate America back on the straight and narrow, but a recent look at the news shows that the specter of the “strategic partnership” remains with us.

I point to a recent announcement by Microsoft and Cisco on the subject of network security — keeping the bad guys from figuring out clever ways to sneak onto your computer and steal valuable information. It’s a serious issue, and in recognition of that fact the two technology giants have given us a “technical white paper.”

Is that sound I hear angels singing, or the derisive laughter of less heavenly beings?

With vague images of terrorists crashing the U.S. banking system – or worse – the idea of “network security” is front-and-center on the minds of companies and government officials. Billions are spent each year in an effort to protect digital information assets. Still, there’s a groundswell building behind the idea that the basic approach to network security needs to change if wholesale improvement is to happen. Microsoft and Cisco both understand this.

Consider that, for as long as there has been networking, the goal has been to achieve fast, reliable access in order to enable data communications. Problem is, the “access first” model that puts performance – you get what you want quickly – over security has proven risky. Dangerous elements outside and careless elements inside the network put constant pressure on IT security to carry out the Sisyphean task of keeping information under lock and key, while still available for doing business day-to-day.

Issues related to bandwidth and access have largely been overcome so no one thinks twice about whether stuff is going to work when it gets plugged in. These days, it’s the largely invisible machinations of security-related activity that keep network admins up at night.

Into this balance comes the concept of Network Access Control (aka NAC). NAC takes the approach that networks are fast, reliable, and intelligent enough now to flip the equation. It’s no longer incumbent on the user to be adept enough at a keyboard to be productive, so the time has come to put the onus of security on the network. There’s too much at risk to rely on aftermarket products for security. Security needs to be pervasive, not tacked on.

Rod Murchison, vice president of marketing with Mountain View, California-based Vernier Networks, says that “Security concerns, regulatory compliance, and public outrage are driving the motivation” behind NAC, and that the market is catching on. There are as many as 50 companies building and selling products based on the NAC concept. Murchison says that Vernier, which has been around for more than five years, has more than 1,000 installations.

The problem for Microsoft has been that its version of NAC has been infused with Redmond bravado. Rather than build on the open source model, Microsoft demands that NAC be carried out its way. Companies are voting with their feet, and they aren’t walking toward Microsoft, thus the need for an interoperability partnership announcement with Cisco. If Microsoft can convince the market it’s on the verge of delivering a product that works with the world’s biggest networking systems vendor, it might buy some time.

No one doubts that the big brains at Microsoft will get it right, eventually. Indeed, Vista is headed in that direction, but with true NAC availability not expected until 2008, what’s a prospective customer to do?

Microsoft is hoping that their white paper announcement will stall enough decisions in the interim that it will have less ground to make up when they are ready to deliver. The ironic twist in all this is that it really is the innovators who are delivering the goods, while the stalwart is on the defensive. The question is whether or not the ruse will work, whether a promised “architecture” will create enough analysis paralysis to buy Microsoft the time it needs.

Posted by Mike Spinney at 7:15 PM | Permalink

Candygram! Pretexting Made Easy

Sep 13, 2006

This thing called pretexting has gotten a lot of attention lately. You’d think it was a novel concept, that private investigators hired by Hewlett Packard chairwoman Patricia Dunn had invented the technique in order to ferret out the source of persistent information leaks from the company’s board of directors.

In its current context, the word “pretexting” sounds arcane: A technology company searching for an information leak by digging into telephone and cell phone call records. Another reason to recoil in fear from digital society!

Problem is, as a means of obtaining information, pretexting is as old as mankind itself. Oh, sure, in its current usage the term is new, but there is no shortage of perfectly good words – words with which we are more familiar – that can be used to describe the activity in question. “Social engineering” comes to mind, but that’s a fairly new description itself. “Spying” is another. “Snooping, prying, cajoling”… were I ambitious enough, I’d grab my Roget’s Thesaurus and fill the next couple paragraphs with more words that would also work.

I do think it’s an interesting phenomenon that, because a slick new word has been affixed to the situation, our attention is on Dunn – who will step down as chair of HP’s board of directors in January – and the means by which her private dicks learned that board member George Keyworth II was passing information on to reporters. Keyworth violated his responsibility as a director and member of HP’s board, potentially broke the law and put the company at risk of repercussions from the Securities and Exchange Commission, but we’re focused instead on the methods used to expose his underhandedness.

Yet, because of this pretexting thing, all the attention and bad press have fallen to Dunn and the real villain, Keyworth, has gotten a free pass.

So, what exactly is pretexting? It’s convincing someone to do something they wouldn’t normally do by convincing them that you are something you’re not. It’s lying to obtain something you shouldn’t have. It is, in a word, fraud.

According to mythology, the Greeks used pretexting, sold with the help of a giant wooden horse, to defeat the Trojans. We are told that, moving through his camp dressed as a common footsoldier, King Henry V used pretexting to learn and raise the spirit of his army before the English victory at the Battle of Agincourt. And, in the famous Saturday Night Live Jaws II sketch, the land shark uses pretexting to get unwitting New Yorkers to open their apartment doors. Candygram!

When an organization like AT&T hands over information as a result of a clever ruse, and when the circumstances surrounding the betrayal of that information become a highly publicized event, it’s natural to think about how such a thing could happen. Did the gumshoe use unethical means to obtain the information? Most likely, yes, but if the information were easily obtained, it would be unnecessary for a private investigator to get involved. Was there some technology that could have prevented the breach? Maybe, but it’s unlikely since, at some point, a human being had to make a decision whether or not to give the information away. Is the person who gave away the information at fault? Yes – and no. Yes because they were the point of failure in the security chain, and no because they were doing their job and likely lacked proper training.

Customer service representatives are a lot like puppies. With proper training, they’ll do a lot of great things for your company, and when they perform their tricks well, they make people happy. They are trained to want to please everyone, so when they are asked to perform a trick they haven’t been trained to perform, they’ll try to figure out a way to please the person asking. That’s a recipe for trouble.

With all this in mind, the fixation on pretexting seems to me to be something of a canard, but what’s a company to do? CSRs don’t get paid a lot of money, and they don’t tend to stick around very long, so investing in extensive training can be an expensive prospect without a whole lot of return.

Then again, when these logical failures occur, spending the extra dough seems in hindsight like it would have been a pretty good deal.

Posted by Mike Spinney at 12:31 PM | Permalink

At a Loss Over Data Loss

Sep
8
2006

Unless you’ve been living under a rock the last couple years, you’ve probably noticed the regular headlines telling of companies that have lost sensitive information. Whether through the negligence of employees or through acts of deliberate calculation on the part of individuals with criminal intent, data known as “personally identifiable information” – information that can be used to perpetrate credit and identity fraud – is seemingly exposed to unauthorized eyes on a perpetual basis.

Through my work with the Ponemon Institute I’ve had the privilege of being involved in a number of recent studies on this issue. It’s been interesting and enlightening. Anyone with half a brain can clearly see there’s a problem. Corporate data security systems seem to be made by the same company that makes colanders.

Since I last touched on this topic as part of the “Fear of the Unknown” series, there have been more high profile leaks, including AT&T, Sovereign Bank, and more. I’ve also been affected by another breach – my second this year – having just this week received notice from the Carlson Companies that a laptop containing information about me was swiped from an employee’s “locked rental car.”

So what have I learned from my foray into the world of industry analysis?

Companies don’t give a rat’s toches about protecting your personal information.

Okay, that’s a rather broad statement, and there are plenty of companies that do go to great lengths to keep prying eyes from your files, but consider how easy it was for HP’s board to employ pretexting in order to sniff out their own rat by accessing cell phone records.

According to one of the Ponemon studies, 81 percent of companies surveyed said protecting personal information was a priority (only 81?). But when 81 percent of companies also reported losing a mobile device containing the personal information of customers or employees, there’s an obvious disconnect.

Furthermore, a second study on the subject reveals that 63 percent of companies have no confidence in their ability to prevent a data breach. So much for priorities translating into action and results.

Cost seems to be a factor. If a solution to the data loss problem requires paying out big bucks, the actuaries get to work deciding if the investment is worth it. In other words, if a product designed to prevent the problem costs $5, and the cost of an incident is determined to be $20, but the chances of such an incident occurring are only 1 in 6, that means the odds are a company will save money in the long run by not spending the money. (Those are my hypothetical numbers, by the way, not anything derived from the study.)

Again, so much for priorities.

One consistent finding, and a factor that strikes at the root of the problem, is that there appears to be no executive accountability. In other words, the individual responsible for preventing the problem doesn’t have a “C” in his or her title – as in “chief executive” or “chief technology officer” – or doesn’t have spending authority. Proclamations may be issued from the corner office or the boardroom, but no one with the power to actually make things happen has the digital Sword of Damocles hanging over their head.

If there’s any good news for us common folk, it’s that the actual risks are low that our compromised information will be put to evil use, but that’s cold comfort when you stop to think of in what low regard we’re held by the companies with which we do business each day. Your bank, credit card company, retailer, school… few of them seem to care.

What are our options? Vote with your feet. Related studies suggest that a negative consumer response to data breaches can cost. Let those companies know that you value the security of your private information and will only do business with companies that respect the same. If you get a notice, or hear of an incident in the news, take your business elsewhere and let them know exactly why.

When, collectively, we take action that costs a company money, things will begin to change.

Posted by Mike Spinney at 4:42 PM | Permalink

Fear of the Unknown Part IV

Aug
28
2006

Radio Frequency Identification

Time to wrap up the series, and I saved the best for last.

Thus far, we’ve looked at adware, digital privacy, and biometrics. But for you conspiracy theorists out there, there are few technologies that can rival radio frequency identification, aka RFID.

The recent explosion of applications for RFID, including a big push by one of the world’s biggest economic engines, Wal-Mart, is seen by the black helicopter set as evidence of the government’s insatiable desire to intrude on our lives and track our every movement. And the naked ambitions of at least one RFID magnate do little but add fuel to an already hot fire.

First, as a primer on RFID, check out these FAQs at RFID Journal. There are many different types of RFID, broadly segmented as passive or active identification, but in short, RFID is a means of identifying objects by transmitting and/or receiving information embedded within or otherwise attached to that object. That’s not always a bad thing as my Spot-on colleague Nicole Martinelli recounted, talking about her use of RFID at her gym in Milan.

Retail giant Wal-Mart, with its multi-billion dollar influence, is solidly behind RFID as a means of trimming cost from the transport and storage of the products it sells. Seen as a way of making it easy to stock shelves and keep on top of orders, Wal-Mart famously issued an edict to its suppliers three years ago to adopt RFID as a means of tracking inventory from factory to retail, or risk losing Wal-Mart as a customer. Already the target of much public enmity, Wal-Mart’s zealous adoption of RFID was seen by some as further proof of the company’s domineering business practices.

What’s more, the idea that some products might include RFID chips piqued fears that the company, the government, and unknown criminal elements would be able to track consumers’ every move by “watching” their purchase. Buy a package of socks, the theory goes, and clandestine receivers in the store, on the street, or circling somewhere in the firmament would follow you through the aisles, to your car, and all the way home.

Truly sinister stuff that has spawned a cottage industry.

Recently, governments around the world adopted RFID as a means of thwarting document counterfeiting, such as the kind that results in fake passports being distributed to terrorists or other unsavory elements. Makes sense, right? Some shady traveler hands a border agent phony papers and, if the requisite checks don’t match, John Law steps in and ushers said individual off to a side room for the rubber glove treatment. The rest of us can jet to our destinations safely and the world is a better place.

Not according to the folks who wear foil hats. Nope, they believe there’s a global cabal in place that seeks only to seize control of our lives and monitor our traipsings, a la George Orwell.

At the recent Black Hat conference, one researcher took aim at RFID-enabled passports by showing their security to be flawed. Lukas Grunwald, founder of German security consultant DN Systems, has made a name for himself by exposing deficiencies with RFID systems. It’s a coincidence, I’m sure, that DN Systems makes a living off of rampant paranoia over RFID….

But, for me, the real villain in this story is Scott Silverman, chairman of the board of a company called Applied Digital and its subsidiary VeriChip. VeriChip made headlines a couple years ago when one of its products, an implantable RFID capsule, received FDA approval for use in human beings.

Since that nod, and in spite of public fears over RFID implants, Silverman has been on a crusade, advocating that anything that walks on two or four legs be chipped, implications be damned. Earlier this year he went as far as suggesting that “guest workers” be injected with RFID chips in order to be tracked by the US government. During a televised interview on Fox News, Silverman said that chip implantation could be either “an election on the part of the immigrant or an election on the part of the government.”

Just this month he offered that the men and women of our nation’s military service would make ideal guinea pigs for implantable RFID chips. Adding weight to Silverman’s words is the fact that former Health and Human Services secretary Tommy Thompson is a member of VeriChip’s board, allowed himself to be injected with an ID chip, and remains an influential voice in Washington DC.

And you wonder why there’s so much hand-wringing over RFID?

I’ll be the first to admit I don’t want to live in a world where surreptitious intrusion into my personal business is the norm. I value my privacy as much as the next guy, but I also embrace the idea that technologies, such as RFID, can make my life better, safer, and more convenient. Shorter, faster lines at the checkout? Count me in. Better service at the hospital? It’s got my vote.

For now, though, I’ll be leaving my Reynolds Wrap headwear at home.

Posted by Mike Spinney at 9:14 PM | Permalink

Fear of the Unknown Part III

Aug
9
2006

In Part I we looked at the questions behind adware/spyware. Last week, Part II examined misconceptions related to privacy, and today we look at another technology that has folks looking to the sky for black helicopters.



Biometrics

My bank employs a facial recognition system. When I walk into my local branch the tellers look up, scan me with their eyes and, recognizing my ugly mug, offer pleasantries as I conduct my business. It’s not state-of-the-art, but it is effective – and has been for a few millennia.

Biometric identification is as natural as can be, yet the idea that a machine might be programmed to recognize one individual from another on the basis of unique physical measurements makes many people uncomfortable.

This phenomenon is sometimes known as the “creepy factor,” as it is based more on perception than on fact.

Consider that one of the most common forms of biometric identification, the fingerprint, is most closely associated with criminal behavior. We’ve learned over decades of social programming, courtesy Efrem Zimbalist Jr.’s Inspector Lewis Erskine of The F.B.I. (a Quinn Martin Production) and Jack Lord’s Steve McGarrett of Hawaii Five-0 that only people suspected of breaking the law have their fingerprints taken.

Creepy.

Facial geometry is often part of surveillance systems, where digital cameras surreptitiously record the comings and goings of people, silently measuring their features and comparing the results against a database of known criminals and suspects. Very Big Brotherish.

Very creepy.

Retinas and irises, much like fingerprints, provide intricate patterns unique to each of us, and are an excellent form of biometric identification. But we are naturally protective of our eyes and so the prospect of having a laser beam shot into our visual organs is a touch unsettling.

Extra creepy.

But most creepy of all is the specter of these personal physical metrics, the very measure of a man, being captured and stored – and shared with who knows who.

In Kurt Vonnegut’s Jailbird, Mary Kathleen O’Looney, head of the fictitious multinational mega-conglomerate RAMJAC Corporation, knew all too well the dangers of having one’s biometric data fall into the wrong hands. She withdrew from society in order to prevent it from happening.

Then again, O’Looney lived up to her moniker, existing as a paranoid bag lady, in constant fear that someone was out to cut off her hands in order to use her biometric data to fake her identity and gain control of the giant company.

Listen, I’m not trying to argue that personal information is invulnerable to misuse or abuse. That is always a risk, but the worry over biometric data seems to imply that certain sorts of information have the magical ability to multiply the risks in manifold ways. As we learned last week, it simply isn’t true. Ninety percent of the incidents of identity fraud occur because of the careless handling of non-digital information. It’s human error (most often our own) that results in bad stuff happening.

The challenge, of course, is for companies that develop or wish to use biometric information to convince the public that it’s safe and offers benefits that will positively affect their lives. It’s a steep challenge, especially when headlines feed on the public’s ignorance and fears.

Other stories, such as the recent disclosure of AOL subscriber search data, while not specific to biometrics, underscore that we often think too highly of technology and not enough of our fellow human beings – or is it the reverse? Either way, we can end up outwitting ourselves in an attempt to out-think technology.

I guess living a life of fear and paranoia is one way to deal with the trappings of this modern world. It worked out well for the Luddites.

Posted by Mike Spinney at 11:51 AM | Permalink
