Perfecter than Perfect

So I’m having a conversation with a friend about caller ID blocking. And it occurs to me that my old phone with AT&T, before Cingular bought them, had this nifty feature, “show my caller-ID to people in my phone book.”

Unfortunately, my current phone doesn’t have that, because Steve Jobs has declared that “Apple’s goal is to provide our customers with the best possible user experience. We have been able to do this by designing the hardware and software in our products to work together seamlessly.” Setting aside Michael Arrington’s excellent deconstruction, there’s a little feature, easy to implement if you have access to the call setup function (dial with a prepended *67). But we don’t have the ability to do that. Because that would be better than the best possible experience, and obviously, that’s not possible.

What Are People Willing to Pay for Privacy?

So I was thinking about the question of the value of privacy, and it occurred to me that there may be an interesting natural experiment we can observe, and that is national security clearances in the US. For this post, I’ll assume that security clearances work for their primary purpose, which is to keep foreign intelligence agents out of sensitive jobs. But articles like this indicate that it’s worth a $5-15,000 salary premium.

Part of the premium is getting a clearance for an employee is slow and expensive, as this Govcentral article says, “…it can take noncleared employees between six months and two years to receive a new clearance — an unacceptable time frame for many organizations that have significant contracts to deliver in the near term. In addition, the clearance process often is very expensive.”

But even with that issue, has the number of jobs requiring a clearance gone up that quickly as to create that degree of salary imbalance? At some point, the number of cleared people should catch up with the surge in government employment. At that point, the difference between a cleared and uncleared employee is down to (1) the cost of getting a clearance and (2) the market impact of having your life examined and judged by strangers.

Is that $1,000 a year for being unable to select the strangers?


Moore’s Law is a Factor in This

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I had a fun little stroll down memory lane reading about average machines not having more than 16MB of ram, and how they borrowed a server with 2, later 3 900 MB disks. 129 decimal digits fits in 430 bits. The RSA-129 paper concludes:

We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars
and to wait a few months.

Fast-forwarding to this week, David Molnar mentions that “We’re living in the future now:”

The 512-bit RSA key used for signing applications and firmware updates for the TI-83 has been factored. By some person working on his or her own. With one computer.

David links to “Calculator hackers crack OS signing key, opening a closed platform,” and following links, we get to “fun number theory facts:


A mathematical morsel for your entertainment and edification.

The number

is the product of


Renaming the blog to Emergent Chaos (I)

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:”

JR: And I don’t mind the time. I just don’t know that I have the
legal authority to change your name when it’s not a change. The
code sections talk about changing. Can I give you an order that
doesn’t change your name at all? That keeps your name the same? Is
that the same as granting a name change? And I think not. And I’m
going to do this, I’m going to continue this matter for two
weeks… and try to think about these issues in this time…

Via guerrilla-innovation.

New on SSRN

There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33.

Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,”

Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often ‘reidentify’ or ‘deanonymize’ individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.

Michael Froomkin has posted a draft of “Government Data Breaches.”

This paper addresses the legal response to data breaches in the US public sector. Private data held by the government is often the result of legally required disclosures or of participation in formally optional licensing or benefit schemes where the government is as a practical matter the only game in town. These coercive or unbargained-for disclosures impute a heightened moral duty on the part of the government to exercise careful stewardship over private data. But the moral duty to safeguard the data and to deal fully and honestly with the consequences of failing to safeguard them is at best only partly reflected in current state and federal statute law and regulations. The paper begins with an illustrative survey of federal data holdings, known breach cases, and the extent to which the government’s moral duty to safeguard our data is currently instantiated in statute law and, increasingly, in regulation.

Entering Our Prime

Today is amazingly enough the fifth anniversary of Adam starting this blog. It’s amazing how fast time flies when things are chaotic. Seems like just yesterday Adam was doing the initial Star Wars posts. Appropriately enough the most recent in the category was just this past Saturday. Thank you to all of our readers for making the last 5 years so much chaos and so much fun.

What should the new czar do? (Tanji’s Security Survey)

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

I think it’s a fascinating question, and posted my answer over at the New School blog.

We Live In Public, The Movie

One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip.

I think what I like most about “We Live In Public” is how it shows how well that nothing to hide idea screws with people’s lives. The movie is the story of Josh Harris and some bizzare experiments he ran, including putting 100 people under constant surveillance and interrogation in “Quiet,” a bunker under New York City with free flowing drugs. After that screwed a lot of people up, Josh and his girlfriend decided to “live in public” on the web. Roughly quoting “after a fight, we’d both run to see who the people watching thought had won it.” In many ways, it was unpleasant to watch, in the way any view of dystopia is.


The movie was one of my favorite parts of the Privacy Enhancing Technologies Symposium, and not just because it was the end and I got to kick back with a beer while we watched. It was my favorite because we talk a lot about privacy in very technical ways: what it means, how to protect it. We talk less about the why or the communication of it. The movie was pretty impactful for a lot of us. One of the best, and perhaps most post-modern was having a Skype conversation with the director, Ondi Timoner, after the screening. (Another member of the household stopped by, said hi, and covered the camera. And sorry about the butt-in-camera, Ondi, we had the beer near the laptop running Skype.)

Ondi-Timoner on Skype.jpg

In the future, we’re inspired to have more art at the conference, and I’d encourage all of you to see We Live in Public. It’s currently in limited engagements [Updated with links]:

8/28 – IFC Center, NYC
9/4 – Brattle, Cambridge
9/25 – NuArt, Los Angles
10/2 – Roxie – San Fransisco, CA
10/9 – Alamo Draft House – Austin, TX
10/16 – Music Box – Chicago
11/13 – Landmark Varsity – Seattle

You can also follow @onditimoner on Twitter, read the blog about the movie, or get in touch with her by, just kidding. I think she deserves some privacy.

Spinal Tap, Copyright

There’s a cute little story in the NYTimes, “Lego Rejects a Bit Part in a Spinal Tap DVD.” I read it as I was listening to a podcast on Shepard Fairey vs The Associated Press that Dan Solove pointed out. In that podcast, Dale Cendali (the attorney representing the AP) asserts that licensing is easy, but she fails to consider transaction costs or denials as a possible downside. Of course, if we didn’t commercially license out Emergent Chaos, none of us would write here. Or something.


This photo (fairly used) gives the lie to that argument. Lego prevented it from being used in the movie:

“We love that our fans are so passionate and so creative with our products,” said Julie Stern, a spokeswoman for Lego Systems, the United States division of the Lego Group, a Danish company founded in the 1930s. “But it had some inappropriate language, and the tone wasn’t appropriate for our target audience of kids 6 to 12.”

In the most appropriate language I can use: that’s some fucked up over-reaching, and the system that lets Lego prevent such a use with threats of expensive litigation is messed up.