- Ed Felten summarizes Wendy Seltzer’s comments on the NYT “Open Wifi is evil” article: “anonymous sources claim anonymity is evil.”
- The Department of Citizenship amends their terms and conditions. (Via Michael Froomkin.)
A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison.
Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August.
Baas was a systems administrator for Market Intelligence Group, which had an agreement to analyze data for Acxiom Corp., of Little Rock, Ark., when he exceeded his authorized access and downloaded encrypted password files, prosecutors said.
In a plea agreement, Baas admitted that he stole the data between January 2001 and January 2003 and stored it on computer disks at his home, prosecutors said. On Wednesday, U.S. District Judge Susan Dlott sentenced Baas to 45 months in prison.
Acxiom’s clients include credit card issuers, banks, auto manufacturers, telecommunications companies and retailers. Baas bragged to other hackers that he had the files, but didn’t share them with anyone, prosecutors said.
According to Robert O’Harrow’s “No Place to Hide,” pp72, the company chose not to notify: “A company official said that the information was simply not that sensitive and ‘did not meet a threshold that would require customer notification.'” (Update: Try this Google Print link.)
Acxiom’s data would be covered under California law, the new laws that a number of states are putting in place after Choicepoint, but not the FDIC, FRB, or OCC regulations that have been put forth.
Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators.
A brief digression: The new guidelines seem to make sense, but it’s difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options.
For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans — but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards.
Its hypothetical competitor CheapDiscountBank might take less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let’s assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they’re willing to take and companies could experiment. Because that process doesn’t exist today, we end up with a one-size-fits-all rule that sets both a security floor and also a de facto ceiling that banks seem unwilling to exceed. It’s difficult to know whether that security “level” is the best one for consumers.
I’ll suggest that the new rules don’t go far enough. As the Washington Post story (archived here) explains: “If the organization
determines that misuse is unlikely, it need not report the breach to its
customers.” So CheapDiscountBank might have one criteria for determination, while BankSuperSecure has another. But consumers won’t be able to compare those. As the regulation says “It also should generally describe what the institution has done to protect the customers’ information from further unauthorized access.” Generally describe? How can I assess a general description? (A non expert consumer might have difficulty, but could turn to Consumer Reports, or other trusted sources, for advice.)
Also, federally mandated “know thy customer” regulations require banks to gather, authenticate, and store everything an ID thief needs to go about their business. SuperSecureBank might promise to throw away all the non-essential data, so that they can’t have a breach. SuperSecure could thus lower their costs and increase their security. It’s too bad that a mere $50 billion in annual losses doesn’t prompt a review of how we’ve organized the regulatory regime.
I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to me as complaining that users didn’t read the reference manual. Of course VCs were jerks. How could it be otherwise?
But I realize now that they’re not intrinsically jerks. VCs are like car salesmen or petty bureaucrats: the nature of their work turns them into jerks.
What I really like about Paul’s essay is that it talks about some of the economic pressures on VC funds, and how those pressures get pushed to startups.
This is a strange thing for a startup guy to say, but I have a lot of sympathy for venture capitalists. In some ways, a VC fund is like a startup. You have some guys who know something about business. They go out looking for money. If they get the money, they have 10 years to make good on it. I’m might get pilloried for this next sentence, by people who skim through why I’m saying it: Unlike a startup, most VC have relatively little in the way of compelling advantages. That’s not to say that investors are indistinguishable, only that it’s even harder for a VC firm to create, maintain, and communicate a compelling advantage over the other firms.
Most investors don’t get to build disruptive technology. They get slight first mover advantages. Most VC are in cutthroat competition with other VC for the ability to put cash into a few good companies, and a lot of ‘maybes.’ A good investor brings good strategic advice, and a big rolodex, and a willingness to work for you. Well, so does that other fund. Compare to a startup which can get a strong first mover advantage, building, say, a database that’s 10 times faster, or with six signed customers in the fortune 500.
So I think, to extend Paul’s economic analysis of why investors and startups clash, it goes back to the limited partners who invest in venture capital funds, and the way they need to behave.
As a side comment, Rick Segal asks:
And what is this issue with a liquidity event. Why is that evil? What’s wrong with making some coin, selling companies, IPOs, mergers, whatever. I’ve yet to see anybody, Paul included, to give me a compelling reason why this aspect of venture capital means we all suck.
Let me start by reiterate that I don’t buy the suckage claim. At the same time, there are businesses which may look like VC-fundable businesses, and, to everyone’s surprise, turn out to be organic growth sorts of businesses. For these companies, who need to contort to give their investors an exit, the liquidity requirement can suck. If the investors and CFO are good, I think there are usually options, such as a management-lead leveraged buyout, converting equity to debt, and giving the cash to the investors. But, really, the issue is that VC firms are on a ten year schedule, and that creates pressure on the startups to be on (at most) a 5-6 year schedule. If you don’t know this going in — if you’re starting a startup to build a great business like your grandparents did — then you can find a world of hurt.
“What would Gandhi do?” is the title of a soul-searching post by Joi Ito about positioning. It reminded me of a passage in William Shirer’s memoir of his time with Gandhi. I’d like to quote the passage, which ends chapter 11, and then add some comments. The context is Gandhi’s visit to England, and in particular, his visit to the Lancashire mills, which were suffering from an Indian boycott on English cloth. Gandhi visited the mills to find allies and support for his goal of Indian independence.
Gandhi was too tactful to mention–to the workers or the employers–a strong impression he had gained after three days in Lancashire. It would have amazed them, I think. But he remarked on it to me the last day in Manchester. He was taken back he said, by the backwardness of Lancashire’s cotton industries.
“I’m no mechanic,” he smiled, “but I’ve seen enough up here in three days to show me that the English are using antiquated machinery. It probably explains there inability to compete with other countries. The machinery in the Bombay and Ahmedabad mills is one hundred percent more efficient.”
So, when it came to searching for allies, Gandhi did not feel compelled to say everything he thought. He was truthful, and had someone thought to ask, he probably would have answered honestly. So I think pulling back from offending your audience so much that they close their ears is a fine thing.
At the same time, sometimes you may not be able to be diplomatic. I think we agree that over the next decade, copyright is likely to change dramatically. Innovative publishers like Baen books and O’Reilly are experimenting with new models. If a publisher wishes to call Baen and O’Reilly’s experiments ‘disgusting,’ they’re free to do so. (Well, they may have a fiduciary duty to their shareholders to figure out how likely a change in copyright law is, and how they’d handle it if it happens, but they can still call it disgusting.)
Earlier in the chapter, Shirer discusses how, at the London conference on India, Gandhi ignored the wishes of the rest of the delegation, and announced that Britain should take on India’s national debt. He did this because he thought it was right, and important. I suppose to sum up my reading of Gandhi, consider if what you’re saying needs to be said. If something needs to be said, don’t be afraid to speak the truth.
The DMV on Wednesday will send out letters describing the incident and new driver’s licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV.
The state elections and technology departments agreed that the systems were vulnerable, but they told the Office of the Auditor General they are not aware of any time information in the Digital Driver’s License System and the Qualified Voter File was compromised.
“We identified numerous and, in some cases, very significant vulnerabilities in the configuration of the QVF operating system and database that preclude management from preventing or detecting unauthorized access,” auditors said in their report.
and finally: INTERNATIONAL STUDENT FILES: UNLV server accessed:
University of Nevada, Las Vegas computer analysts were conducting a routine security check on network activity when they found a hacker accessing the Student and Exchange Visitor Information System, also known as SEVIS.
The two things that all of these stories have in common is that last year they’d have been swept under the rug, and that they all involve government computer systems being breached.
(All courtesy of Internet Security News.)
Well, actually, there might be some methodological problems. It’s hard to tell, since the survey costs $1,500. First, consumers often have mistaken information about security issues. Second, its not clear if this was a survey of consumers who had suffered ID theft, or if second-hand data was accepted. No comparison to FTC data is provided.
The telephone survey of 4,000 consumers was done by the Better Business Bureau, and funded by eMarketer online. I called Sheila Adkins, CBBB’s Associate Director, Public Affairs,
but have not heard back., who called back, and gave me other folks to talk to. Not yet sure if I’ll track this down for analysis.
The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.
Read this transcript about former UN Oil-for-Food program lead, Benon Sevan. Apparently the UN is paying his legal fees.
Question: The other question was a follow-up to a story in the New York Sun today. The United Nations has been paying Benon Sevan’s legal fees. Is this appropriate? Is this normal practice? And why did the United Nations not announce this?
Spokesman: Indeed — well, first of all, we haven’t paid for anything yet. But it is true that the Secretary-General decided, in principle, to reimburse Mr. Sevan for what we called “reasonable legal fees” as determined by the United Nations for services in connection with his appearance before the Volcker Commission. The payment of these fees was to be made on a strictly exceptional basis, for the purposes of facilitating the work of the Commission.
Jason Young has a great, thoughtful post at Blog*on*nymity:
Like other nations, Canada has moved to adopt criminal sanctions for electronic voyeurism, a social problem that has become acute with the availability of cheap and inobtrusive surveillance technologies. The legislative efforts are welcome and yet I cannot help but wonder if we are missing the forest for the trees.
Privacy is a mutable value and can mean many different things. It can represent distinct legal interests as well as broader social ones. Our respect and disdain for privacy – our own and that of others – alters the nature of our relationships to one another and also the very fabric of the community. Legal sanctions for voyeurism seek to mitigate the personal harms and protect individual interests, and to some degree they will do so, but they are ill-suited to address the social harms or protect the social value of privacy.
I was trying to enter someone’s web address into Apple’s Address book recently. Unfortunately, Apple believes that you have a home page. This is at odds with almost all the other fields in Address Book. You can have lots of phone numbers. A profusion of email addresses. And one home page.
Me? I have a longstanding personal home page. I have this blog. I have a side consulting business. I have a personal journal. If I was working for a company, I’d have a corporate page. That’s five. Ooh, I have a page at Flickr, too, to share photos. So six. Unless you ask Address Book.
But dig those nice green plus signs. You have to figure, it would be pretty easy to add that to the other fields that are there.
Now, admittedly, I may be a little extreme in having six web pages one might call my home page. But I think that two or three (personal, professional, blog) is no longer unusual, especially amongst the Mac’s new target audience of tech executives. So come on Apple! Let’s have more home pages.
The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.
Once again, the question comes down to whether the TSA was incompetent or lying: Was the TSA actually unfamiliar with the FBI’s analysis of the content of PNR data, even as the TSA was devising massive, and massively intrusive, systems highly dependent on what such data might contain? Or was the TSA actually aware, from its familiarity with at least the structure of the FBI data set, that PNR’s invariably contain personally identifiable information on people other than passengers, in the form of the required unique agent sine?
These folks would be a lot more trustworthy if they could be relied on to get basic facts right in their public statements.
The BBC is reporting that
Opposition demonstrators in Kyrgyzstan have taken control of a town, as protests continue a week after the second round of disputed elections.
In Jalal-Abad, a police station was set on fire, and protesters took control of the airport to prevent reinforcements being flown in.
Protesters say President Askar Akayev’s party used fraud to win the elections.
As I mentioned previously, Daniel Solove and Chris Hoofnagle have written a paper on “A Model Privacy Regime.” This post makes a lot more sense if you’ve read their paper. I’ve read through it, and think that it’s pretty good. My responses to specific sections are below. First I’d like to comment on the free speech critique of data protection law.
A number of smart people (for example, Jim Harper writing on Politech) critique the drag on innovation that such a regime entails. I’m very sympathetic to this critique. I’d like to suggest that the regime only kicks in when there is government issued, certified, or verified data involved. That is, if you want my (government issued) social security number to link records, or my drivers license to certify my name, or you check against a list of voters, then you’re taking advantage of the threats of penalties the government applies. It becomes harder for me to protect my anonymity. If, like supermarket discount cards, I can use any name I want, then I see no need for generalized privacy law. Such a balance would encourage companies to offer deposits as an alternative to credit. (I’ve written about why this is good business practice in the past.)
That said, onto specific responses to their model law: