Seattle: Pete Holmes for City Attorney

pete_homes_for_city_attorney.jpgI don’t usually say a lot about local issues, but as readers know, I’m concerned about how arbitrary ID checking is seeping into our society.

It turns out my friend Eric Rachner is also concerned about this, and was excited when a Washington “Judge said showing ID to cops not required.” So when Eric was challenged by the police, in accordance with the law, he refused. He was charged with obstruction of justice by city attorney Tom Carr. Well, it turns out Eric didn’t roll over, and after much stress, charges were dropped. The city shouldn’t be putting people through such things after state judges have ruled. It’s a waste of city resources, and it subjects nice folks like Eric or you or me to the leviathan power of the state. Such power must be responsibly exercised, and Tom Carr has shown he can’t do that.

On that basis alone, Tom Carr should be voted out of office.

It’s just a sweetner that Pete Holmes, his challenger, seems to have his head screwed on straight, with priorities that include government accountability and transparency, smart sentencing, and not a new $250MM jail that we don’t need and can’t afford.

As if you needed any more, our sole remaining newspaper has endorsed Holmes.

So please, vote Pete Holmes for city attorney.

[Update: Thank you! Tom Carr has conceded the race. I don't think I can claim lots of credit, but I'm glad he's on the outs.]

Fordham report on Children’s Privacy

Following the No Child Left Behind mandate to improve school quality, there has been a growing trend among state departments of education to establish statewide longitudinal databases of personally identifiable information for all K-12 children within a state in order to track progress and change over time. This trend is accompanied by a movement to create uniform data collection systems so that each state’s student data systems are interoperable with one another. This Study examines the privacy concerns implicated by these trends.

The Study reports on the results of a survey of all fifty states and finds that state educational databases across the country ignore key privacy protections for the nation’s K-12 children. The Study finds that large amounts of personally identifiable data and sensitive personal information about children are stored by the state departments of education in electronic warehouses or for the states by third party vendors. These data warehouses typically lack adequate privacy protections, such as clear access and use restrictions and data retention policies, are often not compliant with the Family Educational Rights and Privacy Act, and leave K-12 children unprotected from data misuse, improper data release, and data breaches. The Study provides recommendations for best practices and legislative reform to address these privacy problems.

For more, “Children’s Educational Records and Privacy.”

Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up was “Fast, Cheap and out of Bob’s Control.”)

I think, however, that my frame for a response will be Alvin Toeffler’s excellent analysis of Future Shock. In it, he describes our lives as most people in the professional class move more and more often for work. How the traditional means of social cohesion — church, scouts, the PTA, bridge clubs, the local watering hole — all down as we expect to be gone in just a few years. How we have friends we see annually at a conference or in airports. He explained that ongoing acceleration and the removal of support structures would lead to isolation, alienation and an ongoing and increasing state of future shock.

A great many Americans on the coasts live in many micro-societies. We have our professional groups and sub-groups. We have hobbies. We may have college buddies in the same areas as we are. We pick a fat demogauge to listen to: Rush Limbaugh or Michael Moore as suits our fancy. But our social spaces are massively fragmented. And so when Bob says:

But he’s right that we’d better behave. When we see someone else’s private information, we’d better avert our gaze. We’d better not gossip about it. We’d better be sociable. Because otherwise we won’t need the telescreen – we’ll already have each other. And we’ll get the society we deserve.

We no longer have a society, or the society. We have teabaggers screaming at Obamaphiles. We have neighbors suing neighbors. We call the cops rather than walking next door. We run background checks on our scoutmasters, all because we no longer have a society which links us tightly enough that we can avoid these things.

And amidst all of this which society will create and drive the social norms for privacy? Will it be the one that lets cops beat protesters at the G20? The one that convinced Bob to join Facebook? The one that leads me to tweet?

In a world where some people say “I’ve got nothing to hide” and others pay for post office boxes, I don’t know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of “Online Data Present a Privacy Minefield” on All Things Considered. In a world in which cheesy-looking web sites get more data, I’m not sure the social frame will save us.

The Conch Republic

Conch-Republic-battle.jpg
Apparently, in a sovereign-in-cheeck move, the the Florida Keys have withdrawn from the United States, and declared themselves to be “The Conch Republic.” Their motto is “We seceded where others failed.” Perhaps you haven’t heard of them because they make all the good jokes, making writing about them hard.

I heard about them because of an incident that was mentioned in this podcast. The United States will allow Cuban refugees to enter if they reach dry land. The Border Patrol declared that 15 Cuban refugees that had reached the bridge were not in the United States, and thus could be returned to Cuba. Based on this disavowal, the Conch Republic seized the bridge and declared it their territory, in what is now known as “The great invasion of 1995.”

Next time I need a good vacation in the sun, I know where I’m going.

Shown: “Close up Bloody Battle.”

Prisoners in Iran

There are apparently many people being held without charges by Iranian government. But as far as I know, I’ve only ever met one of them, and so wanted to draw attention to his case:

During this entire time, our son has had just two short meetings with us for only a few minutes. Please imagine that for every six months we just saw him for very few minutes. We have no information about his legal situation.

No court has been held yet and we don’t even know which institution or security organization Hossein is under the control of. Many times, from many different ways, we tried to get some precision about his situation, but we couldn’t. Does a detainee’s dignified manner deserve such treatment?

No one ever deserves to be held on secret charges for that long. Let Hoder out, or charge him. The same goes for all the victims of officious kidnapping, wherever in the world they are.

Vista Didn’t Fail Because of Security

Bruce Schneier points in his blog to an article in The Telegraph in which Steve Ballmer blames the failure of Vista on security. Every security person around should clear their throat loudly. Security is not what made Vista unpalatable.

Many people liked Vista. My tech reporter friends not only adored it, but flat couldn’t understand why people didn’t adore it. I have a number of other friends who adored it. In assessing Vista, this is important to keep in mind. Despite its bad rep, many people liked it. So why did many people not like it?

First, there were the gamers. Before Vista came out, Microsoft did a lot of marketing Vista to gamers. There were kiosks at gaming conventions and other places touting Vista as a gaming platform.

Unfortunately, it wasn’t. Reliable tests at the time said that Vista ran games about 20% slower than XP. Compounding this was that among the drivers that were dodgy when it first came out were video drivers. Many gamers felt that they had been sold a pig in the poke, and there was merit to this claim. Hardcore gamers are people who will spend money on bleeding-edge kit, and it was precisely this bleeding-edge kit that didn’t work well at first. And whatever it was that made games run slower (even if it was security features), that’s not the point. Microsoft’s statements to the gamers was that their gaming experience would be better on Vista, and it was worse. Once the 4chan crowd starts making memes about suckage, you’re behind the eight-ball.

Second, there were the cheapies. Many machines were marked as Vista-capable that either weren’t, or could only run the basics of Vista and not the fancy new stuff. There is an aphorism that Intel giveth and Microsoft taketh away. The problem is that most of the PC makers will try to sell you the cheapest possible computer, and these cheapest possible computers just didn’t have enough oomph to do Aero and the cool features in Vista. Microsoft took more than Intel gave and the customers felt they’d been sold a pig the poke. There were even lawsuits over this, and it added to Vista’s bad rep.

Third, there were the people on laptops. For whatever reasons, when Vista first came out, it was slow on laptops. One of my co-workers bought a ThinkPad to run Vista on for testing alongside her existing XP laptop, and it was much slower than the XP laptop running side-by-side.

I will add another personal anecdote. My brother-in-law bought my sister a brand-new Vista laptop. It ran slower than his older XP laptop. It was so bad that he would turn the screen of his XP laptop away so that she wouldn’t see him running XP and mentally compare it to her new laptop.

On the other hand, to repeat, the people who had high-end machines but not bleeding-edge machines adored Vista. If you had lots of memory, a not-quite-bleeding-edge video card, and a fast processor, Vista was great from the getgo.

However, this was not the buying trend of most PC makers. Their trend was to push people to ever-cheaper machines. Sadly, at the time Vista came out as well, all but the most expensive laptops were dodgy for Vista in all its glory.

This is a matter of zigging when you should have zagged, for the most part. But there were two other trends that caught Microsoft by surprise.

The first trend was virtualization. Vista was virtualization-surly. One of its cool features that’s great if you’re on a high-end computer is that it did a lot of pre-caching and pre-loading. Most people with lots of memory on a computer just don’t use that memory, and Vista had ways to use it to make the experience snappier. If you’re on a VM, this is precisely what you don’t want. In an ironically saving grace, though, Vista had a virtualization-surly license, as well. Only the most expensive Vista package was licensed for VMs, which was just as well given that it was optimized for big tower computers in a way that it was pessimized for VMs.

The second trend was netbooks. Intel gave not in the form of faster CPUs, but lighter, smaller, cheaper, less power-hungry CPUs in the Atom. The Atom, however, didn’t have the oomph for Vista, and this meant it had to run XP, which further tarnished Vista’s rep.

All of this together — bad performance among gamers, bad performance on cheap computers and laptops, combined with the trends towards virtualization and netbooks were what gave Vista a bad rep. The people who bought a computer that was a high-end desktop but not a gaming machine loved Vista (and love it to this day). Unfortunately, this demographic is precisely the demographic that also tends to buy Macs. Vista’s problems were all from zigging when you should have zagged.

Some of Vista’s problems can be laid at the feet of “security” (which I intentionally put in scare quotes. UAC was rightly ridiculed for excessive dialogs, but is that a security failure or a UI failure? Yes, kernel improvements delayed getting drivers out (which is one of the things that made the gaming experience suboptimal) and some other bumps. But those were compounded by marketing that went opposite of reality. If the Vista marketing had said, “Hey, it’s going to be a bit slow, and there will be some rough edges. But you’ll really like how we’re sticking it to virus writers” then there may have been a different perception. It is also not fair to blame counter-factual marketing on security.

The bottom line is this. Vista was great for some people. It was bad for others. But the marketing said it was going to be great for everyone. Good marketing that took Vista’s plusses and minuses as facts could have made things better. It was bad timing that Vista came out when the prevailing trend of every-faster computers everywhere started to change. Facing that could have made the difference.

None of that has anything to do with security.

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on Choicepoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

Toyota Stalks Woman, Claims She Consented

clown-and-cops.jpg

In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the law, knew her and where she lived, and was coming to her home to hide from the police.

There was even a fictitious MySpace page reportedly created for Bowler.

Although Bowler did not have Duick’s current address, he sent her links to his My Space page as well as links to video clips of him causing trouble all over the country on his way to her former house in Los Angeles, according to the lawsuit.

“Amber mate! Coming 2 Los Angeles. Gonna lay low at your place for a bit till it all blows over,” the man wrote in one e-mail….

It turns out the prank was actually part of a marketing effort executed by the Los Angeles division of global marketing agency Saatchi & Saatchi, which created the campaign to promote the Toyota Matrix, a new model launched in 2008. …Tepper, Duick’s attorney, said he discussed the campaign with Toyota’s attorneys earlier this year, and they said the “opting in” Harp referred to was done when Duick’s friend e-mailed her a “personality test” that contained a link to an “indecipherable” written statement that Toyota used as a form of consent from Duick….(“Woman Sues Toyota Over ‘Terrifying’ Prank,” ABC News.)

Dear Toyota attorneys: a contract involves, first and foremost, a meeting of the minds. We’ve had years of farcical and indecipherable privacy policies. Anyone who’s ever tried to read them knows that you can’t figure them out. Everyone knows that no one even tries. The final thing which any first year law student knows: neither of those lead to terms which shock the conscience.

I’d like to ask readers to blog and tweet about this until Saatchi, Saatchi and Toyota explain what went wrong, and agree to all of Duick’s demands.

Shown, Toyota’s attorneys in conference with representatives of Saatchi and Saatchi. Photo by Jrbrubaker.