“An Empirical Approach to Understanding Privacy Valuation”

Luc Wathieu and Allan Friedman have an article in Harvard Business School’s ‘working knowledge,’ titled “An Empirical Approach to Understanding Privacy Valuation.”

In it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include:

  • Contrary to some research, the chief privacy concern appears based on data use, not data itself.
  • There is consumer demand for social control that focuses on data use.
  • Sophisticated consumers care about economic context and indirect economic effects.

It’s a good short paper, and I’m glad to see research prising apart the ways people think about privacy.

I’d love to know if the authors attempted to extract any initial (qualitative) reactions to the scenario they presented. I’m also curious how long people took, and if their results would be different under time pressure. Both of these questions are related to my belief that transactional costs are dominant in many privacy scenarios, and that people choose defaults to avoid the costs of considering many questions about privacy: they’ll often say either yes or no without a lot of consideration.

Update: s/per/pir/g in title [cw][as]

Failure of Imagination

Writers

USA Today tells us, “Sci-fi writers join war on terror,” in which, “the Homeland Security Department [sic] is tapping into the wild imaginations of a group of self-described “deviant” thinkers….”

There are many available cheap shots as well as fish to shoot in that barrel. I’m going to take a cheap shot at one not in the barrel. The writers brought in are: Jerry Pournelle, Arlan Andrews, Greg Bear, Larry Niven and Sage Walker.

Do you notice anyone missing who should be there? How about Tom Clancy, who wrote a novel in which a Boeing 747 is used as a cruise missile to take out the US Capitol and much of the government?

I can almost excuse the DHS, after all, they’re the ones who admit to not having enough imagination. But look at this:

During a coffee break at the conference, Walker, Bear and Andrews started talking about the government’s bomb-sniffing dogs. Within minutes, they had conjured up a doggie brain-scanning skullcap that could tell agents what kind of explosive material a dog had picked up.

Oh, wow! Brain-scanning dogs. (Incidentally, this shows how ignorant they are of how sniffer dogs work. They’re playing “find the ball” by smell. They don’t know explosives from treats.) Why did none of the writers ask each other in a coffee break, “Hey, why isn’t a guy who actually predicted this sort of thing here?”

Probably because, “for this group, Walker says, there’s no such thing as an ‘unthinkable scenario.’”

Sometimes with imagination, less is more.

Lrn 2 uZ ‘sed’, n00bz

The iTunes Plus music store opened up today, which sells non-DRM, 256kbit AAC recordings. In case you have missed the financial details, the new tracks are $1.29 per, but albums are still $9.99. You can upgrade your old tracks to high-quality, non-DRM, but you have to do it en masse and it’s only for the ones presently offered.

In a delightful bit of evil, you can also set up iTunes to display iTunes Plus first. This effectively gives EMI the endcap.

Ars Technica reports that these tracks, however, contain your account name and email address in them in their article, “Apple hides account info in DRM-free music, too.” They say,

With great power comes great responsibility, and apparently with DRM-free music comes files embedded with identifying information. Such is the situation with Apple’s new DRM-free music: songs sold without DRM still have a user’s full name and account e-mail embedded in them, which means that dropping that new DRM-free song on your favorite P2P network could come back to bite you.

I have verified that this is correct. Apple has encoded both the account name and email address using a steganographic coding mechanism standardized in ISO 10646. Colloquially, a subset of this is often called “ASCII.”

I have also verified, however, that you can patch out this information using a variety of tools. Despite my snarky subject line, I did not use sed, I used a text editor. I happened to use one that Doesn’t Suck, but I’m sure it will work with vi or emacs, or even Notepad. I give no further instructions, though, as it’s easy to botch this if you’re not well versed in the technical arts.

As I’ve noted in the past, they aren’t the only one to watermark the files. Emusic does this as well, but with a more obscure scheme. It is possible that there is some other scheme that takes more wit than typing command-F, which is all I did. It is also possible that there are side effects; all I did was play the modified file all the way through and check the info screen, which I show below.

One last bit of advice — if you’re going to put music files up a P2P network, you cannot be paranoid. They are out to get you. It would be folly to take any music you bought from any service and serve it up.

LRn2uZ-sed-n00bz.png

Movie Plot Threat No Longer a Metaphor

movie-plot-terrorist.jpg

Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.”

On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how you greet your friend John.

But on the other hand, is the US government really filled full of so many beady-eyed, mouth breathers with brains the size of cashews that it takes five hours to clear this up? And in Los Angeles, of all places? Dear God, click on the link above. It’s a Google search for “Mike Figgis.” All ten links on the first page point to the director, celebrity, and film maker Mike Figgis. Link #1 (IMDB), link #3 (filmbug.com), and link #5 (mooviees.com) all have pictures of him.

Admittedly, IMDB says he was born in Cumbria, England, and hollywood.com (link #4) says he was “Kenyan-born.” Hmmm. Highly suspicious. But filmbug says,

Born in Carlisle, England, Figgis moved to Nairobi, Kenya as a baby. He lived there until his family relocated to Newcastle in the north of England when he was eight.

And that seems to clear it up a bit. Mooviees tells us: Born: Saturday, February 28, 1948
(Carlisle, Cumbria, England, UK), and that seems to let us know that Carlisle is in Cumbria, and hey, there’s a date that might be on his passport! Wikipedia (link #2) agrees with that date, but says, “Cumberland” instead of “Cumbria” and unless you’ve taken Latin, that might look suspicious as well.

So what happened? Did the dates not match properly? Did he cut the curls and go all Bruce Willis? Surely there must be some reasonable explanation. Maybe they really hated Leaving Las Vegas. Or perhaps it was that Sopranos episode. Maybe he called the Immigration agent “Sugartits.”

Tip of the hat to 27 B Stroke 6. Original article from The Guardian. Photo of the perp along with Saffron Burrows shamelessly stolen from IMDB, whom I would have linked to if they’d made it easy.

Update on 31 May 2007: This story is apparently too good to be true. Boing Boing got told by people in the know that it’s not true.

Venn and the art of empirical breach research


As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws.
This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send me (for a quarter each), so the scanner and the checkbook will be busy in June. North Carolina sent a printout from their “Breach Notification Log”. Interested readers may obtain a PDF copy, which covers breaches from December 2005 until April 2007.
Since I already have info on breaches reported to New York from 12/05 through 12/06, I thought it would be interesting to see how much overlap there is between these sources. The thinking here is that as breaches go there are some that are purely local or perhaps regional, and there are some that sprinkle their effects nationally. Until now, I only had a deep view into one state, but now that has changed.
Herewith, the results for the period 12/05/2005 – 12/31/2006:

New
York
North
Carolina
New York 281 41
North Carolina 41 77

I wouldn’t try to squeeze a journal article out of this table, but it is interesting that so many of North Carolina’s breaches hit New Yorkers, while a smaller portion of New York’s hit North Carolinians. I am eager to receive the actual North Carolina reporting forms and notification letters.
(If you would like to support the gathering of these documents, along with their scanning and publication, you can do so over here)

Pure Evil Entertainment

deadline.jpg
My friend Jeff Herrold has a new production company, Pure Evil Entertainment. Jeff is one of the best storytellers I know, and he’s put a short he made a few years back up on YouTube. It’s DEADLINE, and it’s a pretty entertaining bit of twistedness.

Posted in art

White House Data Breach Prevention Guidelines

So the Office of Management and Budget sent a memo this week, “Safeguarding Against and Responding to the Breach of Personally Identifiable
Information
.”

The cool bit is that the memo directs agencies to act within 120 days, including evaluating their data collection, and continuing collection of personal information only if it’s necessary. Unfortunately, what I expect to happen is that all data collection will be declared necessary.

However, far more important than the nature of the changes that were announced is why they were announced, and that is that is that these breaches weren’t just swept under the rug. What that means is that breach disclosure is good for you, the American citizen.

It’s also why we see so much resistance to talking about breaches. Because as we do, we’ll catalyze change. I think that’s a good thing, even if it’s scary. Some senior officials seem to think the same way.

Via Threat Level 27B-6.bis, “White House Issues Data Breach Prevention Guidelines” and several others

Billions for Fashion Police, but Not One Cent for Tribute Bands!

uniform.jpg

Woo hoo! I feel so much safer! The TSA reports, “Transportation Security Officers SPOT Passenger in Fake Military Uniform at Florida Airport.” Picture at right is my foofification of the picture on the TSA site.

Our brave protectors write:

A TSA behavior detection team at a Florida airport helped catch a passenger allegedly impersonating a member of the military on May 10 as he went through the security checkpoint.

The passenger, who was en route to New York’s John F. Kennedy International Airport, exhibited suspicious behavior that caught the attention of officers. In addition, he was in a military uniform but had long hair, which is not consistent with military regulations, and had conflicting rank insignias on the uniform.

When officers asked for his military identification, the passenger said he had none. He was then questioned about the irregularities of his uniform. The passenger first claimed that the uniform was his brother’s, and later, that it was his nephew’s.

TSA contacted law enforcement partners at the airport who interviewed the passenger. The passenger was arrested on a state charge of impersonating a U.S. soldier.

Behavior detection officers are trained to focus on behavior and not physical characteristics as part of TSA’s Screening of Passengers by Observation Techniques (SPOT) program.

I have questions:

  • What exactly constitutes “impersonating” a soldier? If it were me, and I saw a guy with long hair and “conflicting rank insignias,” I would presume that it’s a fashion statement, not “impersonation.”
  • Did he try to use military status to get a discount at Starbucks, or a freebie into the Admiral’s Club, or was he just called out? It appears the latter.
  • Did he have boots and everything, or was it just shirt and pants? Were they the black ones that should go with green camo, or did he wear the desert tan?
  • Was he carrying more than 100ml of liquids outside of a one-quart baggie?

Based solely on the information above, it does not appear that he actually impersonated a soldier. It appears that he was walking around with irregular bits of regalia, and someone called him on it, and he got nervous. Many people get nervous when confronted with authorities like police or TSA, and actually, the better a person you are, the more likely it is that you’ll say “brother” when you meant “brother’s kid.”

I got this courtesy of Bruce, who advocates procedures like “SPOT” which look for “hinky” behavior.

I agree with Bruce, that it’s better to look for hinky than rip apart every laptop bag, but the TSA needs to look at this as a failure, even if this guy was actually guilty of a crime worthy of punishment stronger than an afternoon with Carson Kressley. This ain’t what we’re paying you for.

Let me finish with an anecdote. Like many people in this industry, I have clothing with NSA logos on it, or embroidery that says, “National Security Agency.” The NSA sells them in the gift shop of the National Cryptologic Museum as part of their widows-and-orphans fund.

A few Defcons ago, I was wearing such a shirt as I checked out of my hotel. The doorman pointed at the logo as he was getting me a cab and asked, “Do you work for them?”

I met his gaze, smiled and replied, “If I did, I wouldn’t be able to answer that question, would I?”

I locked my eyes to his as he went compute-bound for a good three seconds, which is a long time when someone’s not flinching. He finally nodded sharply, said, “Right,” and pulled my cab over.

Here are some essay questions:

  1. I consider it ipso-facto not impersonating a soldier, if you’re obviously irregular. The TSA obviously disagrees. If you refuse to confirm nor deny that you work for the NSA, is that impersonating a spy? If so, does being a smartass mitigate the crime, or is it worse — “Aggravated Denial” or “Equivocation with Intent to Confuse” or something else like that? Can we tack on a charge of using steganography? Discuss. Extra credit will be awarded for high towers of compounded paradox.
  2. If wearing contradictory insignia is impersonation, especially with long hair, how many pieces of a uniform does it take to make it impersonation? Can you make it no longer impersonation if you wear a uniform and other things, too? For example, if you had a “uniform” and a Ramones leather jacket over it, does that make it better or worse? What about a Groucho mask? What if you’re just a customer and wear an “Army Mom” t-shirt and it’s your step-kid?
  3. Does this only apply to the US armed forces? What about The Coalition of the Willing? NATO? National Guard? State Militias? Colbert Nation?
  4. Would the TSA benefit by some training in Brattleboro, VT? Would Brattleboro?

Overwhelmed or Under-notified: Consumers and Breach Notices

In asking why customers don’t leave after a breach, there are two theories that people have put forth that are interestingly contradictory. the first is that they don’t know about the breaches. This was suggested by a questioner at Toorcon Seattle. The second is that customers are overwhelmed with notices. This is popular amongst bankers, insurance people, and my buddy Scott. The trouble is, I haven’t met anyone who says that they’ve gotten so many notices they just ignore them now. Absent data, I’m leaning toward the first explanation. Have any readers gotten so many notices that they’re ignoring them?