Big Data and Social Media: Selling U 1 Click @ A Time

I understand that my social media interactions are being bought and sold like T-shirts at a rock concert. After all, I used to sell digital media for a living.

But after reading a CNET article reporting that privacy experts are planning to file a complaint with the Federal Trade Commission over a new Facebook data sharing deal, and a CNN article suggesting that Microsoft should offer its products for “free” like Google, I think there’s good reason to feel that, as a consumer, I’m being more than a little exploited, and that I should take some kind of action.

The question is: what can any of us do to protect any shred of personal choice and privacy in the face of the unrelenting, fast-moving Juggernaut of ad-driven internet commerce?

Right now, the answer is “not much”, unless we are willing to stop or at least limit our use of social media applications such as Facebook, and let go of the idea that there is anything “free” on the internet.

In the CNN post “Teaching an Old Dog New Tricks: How To Fix Microsoft”, it was suggested that Microsoft stop selling its software, and start offering it “for free” like Google.

Umm…Hello?

First of all, Microsoft’s profits come in large part from the sale of licensed software. They would be insane to start offering it all for free.

In addition, Google products are not free. Every single thing you do with Google is tracked, recorded, and sold to advertisers. You are paying for it by incrementally and continuously allowing them to invade your privacy.

At least I know that when I create a document in the Microsoft Word program that I paid for, the contents of my document are not going to be scanned and shared with advertisers. You can’t say the same thing about Google Docs. There are some things worth paying for with actual cash, and I think retaining control over the contents of the documents I create is one of them.

When it comes to new privacy issues regarding Facebook, here’s my suggestion. Read the book I reviewed recently for USA Today called “Digital Vertigo: How Today’s Online Social Revolution is Dividing, Diminishing, and Disorienting Us”.

Its author, Andrew Keen, contends, “Data is the new oil, and the consumer has become the product. We need protection against these new data barons that are undermining our privacy… and I think in many ways, undermining what it is to be human”.

Find out more by reading my USA Today book review, and by following this link to Andrew Keen’s website.

Like this post? Share it with your friends, and add your comments below.

iDoubt: Confessions of an iPhone Skeptic

All the hoopla over the new iPhone 5 has me a bit perplexed. I totally get that the iPhone as a stand-alone product now produces more revenue than all of Microsoft. I get that people love new gadgets, and I get that this particular model is more sleek, shiny, and sophisticated than earlier models.

But really, people…it’s just another mobile; it’s not a miracle. Yes, the profits it generates will be miraculous indeed for Apple’s bottom line, but for the likes of average folk who fork over gigantic wads of dough to be one of the many, the proud, the cash-strapped, what, in the end, is it really all about other than another glitzy status symbol that will be tomorrow’s trash once a new model is released in another year or so?

Don’t get me wrong; I love Apple products. I really do. I just take issue with the worldwide hysteria over yet another disposable product that has failings just like any other mobile phone.

For example:

  • High price: Even if you buy your new iPhone from a lower-cost, prepaid, no-contract carrier like Cricket, it’s still more expensive than any other phone out there.
  • Not immune to malware: Although Apple employees may try to convince you otherwise, you are absolutely not immune from viruses, Trojans, and other stealthy bugs that can steal information, track your location, and/or secretly send expensive overseas text messages.
  • Privacy stealing apps: Even if your phone hasn’t been hacked and infected, the information you hand over by signing up for mobile apps, as well as the data generated by those apps, is not private. If the FBI or another government agency wants to know where you’ve been, and what you’ve been doing, they don’t even always need a warrant to get that information from your mobile carrier, or from an app provider such as Google. A Congressman has just introduced a new bill that requires app makers to include more privacy protection, but there is no guarantee that bill will ever actually pass. In addition, even if it does, it’s not going to change the way the law works with regard to police agencies and the information they can obtain from your mobile phone records.
  • Mobile Spectrum Crunch: You probably never think about it, but there is a finite amount of bandwidth available out there for all of your video downloading, music-streaming, text messaging, and plain old yack-yacking on the phone. In order to alleviate what’s known as the mobile spectrum crunch, the FCC has agreed to hold a voluntary spectrum auction sometime in the next few years that would allow TV Broadcasters to sell off some of the bandwidth they’re not using to mobile carriers that are scrambling to find ways to accommodate ever-increasing mobile demand. In the meantime, AT&T is in the process of making a deal with a consortium of cable companies to buy a big chunk of their spectrum. While that may not seem like a big deal to you now, remember this: anything that is in limited supply will eventually cost you more.

I offer these examples simply as ways to help keep the iPhone hysteria in perspective. If you can afford one, and you love the way it works, by all means–buy one and enjoy it. But if you don’t have one, and you find yourself feeling like you’re missing out on the greatest thing ever, honestly, just dial it back a notch.

One thing that is sure in our tech-obsessed, consumer-driven culture and economy is that there will always be something newer, shinier, more expensive, and more crave-worthy for sale tomorrow.


Why Is The Internet Unstable?

Updated: 8-18-12

If you’ve been hearing about an increased number of internet attacks, hacking, military-grade malware, cyber espionage, cybercrime, and other internet security issues lately, it should come as no surprise.

In a recently released summary of a soon-to-be published book, cybersecurity experts from a Washington, DC-based non-profit organization known as the Cyber Conflict Studies Association (CCSA) say that the current strategic cyber environment is fundamentally unstable. As a result, it:

  • “Undermines deterrence against cyber attacks, especially against non-state actors
  • Leads to the temptation to consider preventive or preemptive war options
  • Provides strong incentives for escalation to the use of other military capabilities once (cyber) conflict has started.”

This is especially true for the United States, they conclude, because it is the most internet-reliant country in the world. After all, the internet was originally conceived and built here. However, back then, security was not an issue.

According to the CCSA study, “Addressing Cyber Instability”:

“The core technical problem at the heart of cyberspace is that the underlying architecture was never designed with security in mind; indeed, the original designers never imagined that the network would be used for malicious purposes. The priorities were, and generally remain, openness, ease of interconnection, and facilitating technical innovation.”

Since then, security measures have been “bolted on”, but they have had limited, and ever-diminishing effectiveness, as a result of constant, and increasingly sophisticated attacks.

Jason Healey, who is on the CCSA Board of Directors, and who is also the Director of the Atlantic Council’s Cyber Statecraft Initiative, says he believes non-state actors, such as Internet Service Providers (ISPs) and non-profits such as the Internet Corporation for Assigned Names and Numbers (ICANN), can do a lot to strengthen cyber-defense by “shoring up the backbone” of the internet.

For example, he says, over the past five years, ICANN has increased security for the DNS root servers that are at the very heart of the internet. Those servers ensure that you actually arrive at the internet destination you intend when you type in a URL or click on a link. So, making sure security is extremely tight on those servers is vitally important, he says.

An example of what can happen if you’re re-routed on the way to your destination on the web, is the cybercrime associated with the recently much-publicized DNS Changer malware. Hundreds of thousands of computers worldwide were infected with that virus, which netted millions of dollars in revenue for the perpetrators of the Ghost Click scam until the FBI busted them last spring.

Meanwhile, according to a story on Networkworld.com, AT&T’s DNS servers were hit by a distributed denial of service (DDoS) attack this week. DDoS attacks overwhelm servers with so many requests that they are unable to handle regular traffic, thereby effectively shutting them down.

Those types of attacks, Healey says, ought to be addressed by Internet Service Providers (ISPs). “ISPs have the biggest responsibility for stopping DDoS attacks”, he says, because they can see when those attacks are taking place on their networks, and they could block them.

However, they do not.

Why ISPs don’t block attacks, and what could be done to induce them to do so, was a frequent topic of discussion on Capitol Hill this year, as both the US House and Senate tried to come up with new cybersecurity laws.

What came out during those congressional hearings is that ISPs are reluctant to stop malicious traffic on their networks because they are afraid of getting sued by their customers. Their fear stems from the fact that in order to ascertain if packets of information flowing over the network contain malware, they have to take a peek inside to see what they hold.

But, those packets could also include emails, and other information that many people would like to consider private. What the ISPs asked Congress to do, as a result, was to grant them “safe harbor” from privacy lawsuits, so that they could actually block malicious network traffic without fear of getting sued by the same customers they’re trying to protect.

But Healey says he doesn’t think most customers would have a problem with ISPs taking direct action to block attacks. “I can’t imagine you’d get a lot of complaints”, he says.

Indeed, most people would probably be relieved if their ISPs blocked malicious traffic such as botnets (vast collections of infected computers remote-controlled by hackers to perpetrate denial of service attacks).

But it’s exactly how the ISPs would do it, and with whom they would share the information they might uncover, that became a thorny issue when cybersecurity legislation was being debated by Congress this year.

For example, Electronic Frontier Foundation (EFF) Media Relations Director Rebecca Jeschke said during an interview for a post on this blog a few months ago that she was unhappy with the much-maligned House Cybersecurity Sharing and Protection Act (CISPA) because it, in effect, allowed ISPs to “spy on their customers” for the Federal government.

But while officials from companies such as Comcast and AT&T stressed during House cybersecurity hearings that they didn’t need to share “personally identifiable” customer account information with the government, and that customers should not be worried that they would, that isn’t how the bill wound up being written. Instead, it not only allowed ISPs to share personally identifiable customer details, it also allowed the government to do whatever it wanted with the information once they had it.

However, the Senate’s version of the bill was actually well-received by the EFF and the American Civil Liberties Union (ACLU), because it included more privacy protection for consumers.

Even so, that measure failed to pass a couple of weeks ago, because Republicans opposed it on the grounds that it would be too costly for business, and that mandatory regulations for critical national infrastructure (such as the electric grid and nuclear power plants) should be voluntary.

But the White House isn’t taking that defeat lying down. In fact, President Obama is considering issuing an executive order making the Senate vote, at least with regard to protecting critical national infrastructure, moot.

However, Healey says that while some increased government regulation could be useful, it won’t solve the problem.

That’s because it’s much easier and cheaper for “the offense” to exploit holes in security measures, than it is for “the defense” to block them, he says. Attackers only need to find one way in, he explains, and defenders need to block all possible routes–something that is virtually impossible to do.

In addition, the CCSA study explains, the way the internet works, “often provides the attacker with anonymity and plausible deniability”.

But, Healey notes, the same anonymity that allows hackers and governments to launch cyber-attacks, is the same anonymity that allows regular internet users to log on and surf the web without having to enter some form of official identification–something essential to the kind of freedom of use, and freedom of speech that internet users worldwide value very highly.

So, what is the average internet user supposed to do? What can people do to remain safe online, given the fact that the experts agree that the internet at its very core is unstable and hard to defend?

What can the average person do, in light of the fact that the same network that allows them to post cute kitten videos on Facebook, could also enable governments to wage cyber-war?

Or, perhaps even more ominously; what could the average person do if someone totally unconnected to any government, anonymously launches a cyber-attack that could be mistakenly attributed to a particular country? What if that mistaken assumption then triggers a response–perhaps against the wrong people–with actual (kinetic) bombs and guns?

Well, in light of all those threats, Healey says, regular internet users–and even security experts such as himself–can’t do much, other than take basic computer security precautions. Those include “using anti-virus software, not using the same passwords on different sites, and not visiting sites that might be dangerous”.

To keep the average user safe, he says, you have to address the issue from a larger, more global perspective. That, he says, will take cooperation and coordination between private business, the US government, network operators, non-profit organizations, the tech community, and even other countries around the world.

The CCSA study advises:

If decision makers accept that cyberspace is inherently unstable from a strategic conflict management perspective and abandon attempting to create a stable cyber environment, this may naturally result in an increased emphasis on resilience, risk management, and mitigation and the potential creation of risk reduction centers.

What’s needed, the study concludes, is “a national or even global strategy in cyberspace to create stability through resilience and efforts to clean up the ecosystem.”

Click here for a link to information about the CCSA’s “Addressing Cyber Instability” study, and follow these links to learn more about the topic. There are, of course, many more, but these are some good places to start.

Cyber Conflict Studies Association (CCSA)

FBI: Cyber Crime

Schneier On Security (Security expert Bruce Schneier’s website)

CNET.com (Security & Privacy News)

ICANN

Senate Amends Cybersecurity Bill: Civil Liberties Groups Applaud

A Senate cybersecurity bill, which has been on hold for months, has now been given a new lease on life as a result of provisions that both soften its impact on private industry, and strengthen civil liberties protections for citizens.

The Senators who co-sponsored the revised bill said they did so in a “good faith effort to secure enough votes to address the immediate threat of attack from foreign nations, hacktivists, criminals, and terrorists against the nation’s most critical cyber systems.”

While acknowledging that the bill was actually stronger as originally proposed, Senate Homeland Security Chairman Joe Lieberman (I-Conn) said in a US Senate press release: “This compromise bill will depend on incentives rather than mandatory regulations to strengthen America’s cybersecurity. If that doesn’t work, a future Congress will undoubtedly come back and adopt a more coercive system.”

Here is what the revised Cybersecurity Act of 2012 would do:

  • Establish a multi-agency National Cybersecurity Council – chaired by the Secretary of Homeland Security – to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems.
  • Allow private industry groups to develop and recommend to the council voluntary cybersecurity practices to mitigate identified cyber risks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
  • Allow owners of critical infrastructure to participate in a voluntary cybersecurity program.  Owners could join the program by showing either through self-certification or a third-party assessment that they are meeting the voluntary cybersecurity practices.  Owners who join the program would be eligible for benefits including liability protections, expedited security clearances, and priority assistance on cyber issues.
  • Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law.  Current industry regulators would continue to oversee their industry sectors.
  • Permit information-sharing among the private sector and the federal government to share threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users.
  • Require designated critical infrastructure–those systems which if attacked could cause catastrophic consequences –to report significant cyber incidents.
  • Require the government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.

With regard to civil liberties, organizations such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) are applauding the revisions, while remaining cautious that what they see as improvements in the bill’s language could change before it becomes law.

Debate is reportedly expected to begin on the measure sometime next week, though the Senate calendar of upcoming hearings does not yet list an exact date.

A blog post on the EFF website outlines what parts of the bill they see as an improvement over previous versions:

• Ensure that companies who share cybersecurity information with the government give it directly to civilian agencies, and not to military agencies like the National Security Agency.  The single most important limitation on domestic cybersecurity programs is that they are civilian-run and do not turn the military loose on Americans and the internet.

• Ensure that information shared under the program be “reasonably necessary” to describe a cybersecurity threat.

• Restrict the government’s use of information it receives under the cyber info sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats.

• Require annual reports from the Justice Department, Homeland Security, Defense and Intelligence Community Inspectors General that describe what information is received, who gets it, and what is done with it.

• Allow individuals to sue the government if it intentionally or willfully violates the law.

ACLU Legislative Counsel, Michelle Richardson notes in a blog post: “…it looks like the Senate is moving to pass something much better than CISPA from a privacy standpoint. Not all of the problems with the Cybersecurity Act are solved yet, and you better believe that amendments to strip the privacy protections are in the mix.”

CISPA, the Cyber Intelligence Sharing and Protection Act, is the US House of Representatives bill that was passed, despite civil liberties objections, back in April. But because the Senate had not taken up its version of the measure, nothing further has been done to move forward on new comprehensive cybersecurity legislation.

Now that the Senate is going to debate its version of the bill, the issue is back on the front burner.

According to Lieberman, “This legislation is urgently needed to address the clear, present, and growing danger of cyber attacks against our most critical systems.”

One of the bill’s co-sponsors, Senator Susan Collins (R-Maine), added “Experts have repeatedly warned that the computer systems that run our critical infrastructure – our electric grid, water systems, financial networks, and transportation systems – are vulnerable to a major cyber attack.  A cyber attack is a threat not just to our national security, but also to our economic edge and way of life.”

If you would like to read the bill as it is now proposed, click here for a summary (CYBER 2pagesummary july2012.docx) and here (CYBER sectionbysection july2012) for a section by section view.

Online Privacy: The Great Debate

Can consumer privacy be protected online without new legislation?

That was the topic of debate Wednesday afternoon at the National Press Club in Washington DC.

On the side of increased legislation were Andrew Keen, the author of a new book called “Digital Vertigo: How Today’s Online Social Revolution is Dividing, Diminishing, and Disorienting Us”, and Marc Rotenberg, President of the Electronic Privacy Information Center (EPIC).

Arguing against that position were Andrew Thierer, Senior Research Fellow, Mercatus Center, and Berin Szoka, President, TechFreedom.

Keen contends that consumers really have no choice other than to use “free” online applications provided by companies that make their money by aggregating consumer data and selling it to advertisers. But, he says, consumers are paying for those so-called free services by relinquishing control of their private information.

“Data is the new oil”, Keen says, “and the consumer has become the product.”  He contends that “We need government protection against the infinite speed of technology, and technology companies, and the way in which they’re turning consumers into products. We need protection against these new data barons that are undermining our privacy, flattening publicness [sic] and privacy, and I think in many ways, undermining what it is to be human”.

Rotenberg agrees. “We are undergoing a fundamental change in how personal information is collected and used not only in the US economy, but in the information economy around the world. This change is so fundamental and so pervasive that… and I think people here would all acknowledge it that… we need to find some new solutions.”

He also noted that the government’s role in protecting privacy can be traced all the way back to founding father Ben Franklin, who was instrumental in creating the U.S. Postal Service. “Franklin’s almost immediate insight about the value of this new service was that it had to afford privacy and confidentiality, otherwise people would not trust it.”

While Thierer agreed that consumer privacy is currently at risk on the Internet, he contends “We should not respond to those risks with top-down or heavy-handed approaches.”

Instead, he suggests, “You use literacy, you use empowerment–and yes–sometimes use selective and targeted enforcement to address real legitimate harms. But that is the bottom up approach to dealing with technological risk that societies face. It’s the more constructive one, because it allows innovation and progress to happen, without the heavy hand of top-down Internet governance coming in and crushing all that we love about the information age.”

Szoka argued that the US Federal Trade Commission, while not perfect, already has privacy regulations in place that protect consumers from unfair and deceptive business practices.

“I’m not saying the government has no role here, the question is what that role is… to think that role has to be one of legislation is a fundamental mistake.”

To find out more about this topic, check out the following links:

Digital Vertigo: How Today’s Online Social Revolution is Dividing, Diminishing, and Disorienting Us

Electronic Privacy Information Center (EPIC)

TechFreedom

Can Digital Locks Be Trusted?

Two days after I wrote about briefings here in Washington, DC, where the nation’s top cybersecurity experts said the internet is both insecure and structurally unstable, there was another massive hack on a huge company–Yahoo–that resulted in the theft of 450,000 user passwords.

As if that weren’t enough, those who hacked the system reported they didn’t even have to try very hard, because Yahoo–like LinkedIn, a few weeks ago–hadn’t even bothered to lock down their database with even the most basic security measures.

As a result, tech websites have been advising everybody who has a Yahoo account to change their passwords and, even more than that, to change the passwords of every account connected to their Yahoo account. That may sound relatively easy on the surface, but it’s a huge time suck and pain in the ***** for all of the millions of people who have a Yahoo account–who may or may not have been part of the breach.

So, as I ruminated and fumed over what a huge hassle this is for so many people, this gigantic light bulb went off in my head, and I thought “hmmmm….what if there were biometric scanners built into my computer, so that I would never have to use a stinkin’ password again?”

Ha! Brilliant!

But then again–maybe not so much.

That’s because it turns out that even though biometric scanners are pretty darn awesome, able to document and process all kinds of very personally identifiable data, that data still goes into a database somewhere…and that database can be hacked. That stark reality takes us right back to the point made by the cyber gurus who say there need to be serious, substantive, and immediate changes to the way data is secured and transmitted online.

Check out my blog post “Cyber Insecurity“, and follow the links for more information.

What you’ll see is that the people in the know on this topic believe there need to be changes to laws, additional military personnel, information sharing between the private sector and government, a focus on information assurance and security in the courses offered at top universities, collaboration with other countries to address shared issues, and more.

Until there is a better and more reliable way to secure information, we are all at risk. But the more security we demand and expect from our government, the more civil liberties and privacy we may have to give up.

Is that what you want? What should we do about it? Follow these links, and join the discussion:

Addressing Cyber Instability

Cybersecurity and American Power

Surveillance Self Defense

Protecting Civil Liberties in The Digital Age

FBI Prepares a Vast Database of Biometrics

Ur Busted! Txt Msg Sting Upheld By Court

A Washington State Appeals court has ruled that police did not violate the State’s privacy law when they busted a man in Longview, WA for buying heroin as a result of a sting they set up via text messages stored on his drug dealer’s iPhone.

Although Washington’s privacy law (RCW 9.73.030) forbids the interception or recording of “private communication transmitted by telephone” without consent of all parties involved, the court ruled that the defendant should have had no expectation of privacy because he knew his messages would be “recorded” (saved) on his drug dealer’s phone.

In a dissenting opinion, one Appeals Court judge wrote that the ruling was “clearly contrary to the legislature’s intent with regard to the law”.

For more information, check out the following stories from Forbes and CNET.

Yes, The Cops Can Text You From Your Drug Dealer’s iPhone To Bust You

Court: Cops Can Read Suspect’s Texts, Spring Trap

Click on the links below for a transcript of the Washington State Appeals Court ruling, the state’s privacy law, and one of my recent blog posts on mobile phone privacy issues.

State Of Washington, Respondent V Jonathan N. Roden, Appellant

Washington State Privacy Law: 9.73.030-Intercepting, recording, or divulging private communication

Tell Me No Secrets: Mobile Privacy

Just Walk Away: The Future Of Social Networking

You don’t need a crystal ball to see that the future of social networking depends on two things: security and privacy. Right now, we don’t have either.

In the wake of yesterday’s revelation that more than 6 million LinkedIn passwords were stolen and posted online, comes news today that popular internet dating site eHarmony has been hacked as well.

Also this week, Google began warning users of its enormously popular Gmail service that their accounts may have been the targets of “state sponsored” malicious attacks. They’re not saying exactly which country may be to blame, but the company earlier this year blamed China for hacking the email accounts of US government officials.

Why is all this happening? Money. Why are people eventually going to stop using these services? Money.

When user information is leaked, hackers can immediately turn that information into cash with scams, such as the email phishing attack masquerading as a legitimate email from LinkedIn. It contains a link for users to “secure” their accounts, but when scam victims click on the link, they’re directed to an illegal pharmaceutical site that sells Viagra and other drugs.

In all of these cases, the companies are urging users to take action such as changing their passwords to secure their accounts. What they’re not doing is securing the accounts for their users, and they’re not demonstrating that they can be trusted to provide safe environments that don’t expose their users to harm.

Eventually, people are going to vote with their feet, and walk away from using so-called “free” services which eventually cost them a lot of time and money as a result of online fraud, identity theft, and other criminal activity. When they do, the companies that haven’t adequately protected their customers are going to lose billions. And you know what?

They deserve it.