Preview: The SDK: The Privacy Edition 2015.03.09 includes stories about TMI from Twitter, my insight into our super-hackable world, and a “heads up” that you don’t have a right to bear electronic arms, despite the 2nd Amendment. Continued analysis which begins in this blog piece is available in these two blog pieces: Privacy/Engineering to Lay People translation: Dr. Ian Oliver’s “The Semantics of PII” and Consider A Book – Oh and Casper Doesn’t Run Ghost Networks.
And They Did It:
Researchers Sitting On ‘Largest Known Database Of Twitter User Locations’, Forbes, March 7, 2015
“In one of the more intriguing papers that has gone under the radar until this week, researchers claimed they could ‘geolocate the overwhelming majority of active Twitter users’ by looking at their contacts’ locations and in their tests were able to ‘geotag over 80 per cent of public tweets’. . . . There’s no need for users to panic, however. . . . They admitted their technique was ‘only useful for static [(standing still)] location inference’ and that ‘fast-moving users with large activity radii will be tagged incorrectly by our method’.”
Note: So, um, “just keep swimming, just keep swimming.” And your Twitter location won’t be identified. Or turn off geolocation, whichever makes more sense in your eyes.
Reaction to Regulation: 1934 vs. Today, NYTimes, March 5, 2015
“Last week, the Federal Communications Commission voted to regulate Internet service as a public utility, reclassifying broadband providers under Title II of the Communications Act of 1934 and subjecting them to stricter rules. . . . Republicans and many broadband providers have criticized the decision, arguing that it was driven by the president and gives the federal government too much control, draws on dated laws and will result in subjective interpretations of broad mandates. Sure sounds familiar. Eight decades ago, when Congress passed the Communications Act of 1934 and created the F.C.C., Republican lawmakers objected just as loudly, and with similar concerns.”
Note: Depending upon how you think things have turned out as a result of the creation of the FCC, this could be comforting or horrifying.
Spyware vendor may have helped Ethiopia target journalists – even after it was aware of abuses, researchers say, The Washington Post, March 9, 2015
“The Ethiopian government appears again to be using Internet spying tools to attempt to eavesdrop on journalists based in suburban Washington, said security researchers who call such high-tech intrusions a serious threat to human rights and press freedoms worldwide. . . . In 2013, the computer of one of . . . Neamin Zeleke[’s], the managing director of Ethiopian Satellite Television, which is commonly known as [Ethiopian Satellite Television] . . . colleagues was infected with malware after the colleague opened what appeared to be a Microsoft Word file. They later learned that it was probably a commercial spying tool sold to governments around the world by the Italy-based vendor Hacking Team. . . . So after receiving the recent suspicious e-mail, Zeleke said he forwarded it to the Citizen Lab researchers instead of opening the attachment.”
Note: I used to write (and still do sometimes) code in what is called “Visual Basic”. Most programmers would laugh that anyone still writes code in Visual Basic – it’s a “dead language” – but it runs in Microsoft files. I did this 1) because I learned Visual Basic right out of high school, and it’s pretty much the only programming language I’m any good at (in the case of the apocalypse, I could also squeeze out some MATLAB), and 2) it will run on a computer which has, what I affectionately call, “kindergarten rights”. When your computer has “kindergarten rights”, your computer administrator has set up your computer so that you can’t install anything. No Firefox for you! But since Visual Basic allows code to run inside, say, an Excel spreadsheet (and for other reasons which I don’t actually understand), a user can still run these programs on their computer without installing anything. Thus they will run even on a machine with only kindergarten rights. Now, while I used mine for “hacking for good” purposes – in that I wrote code to rename PDF files – often this code is used to run programs which the user would have no idea were even running. Scary. I’m not sure whether the Ethiopian government used this, but even the average programmer could.
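Since the attack in the story rode in on a Word file, here is a small defender-side check, added for this post and not part of the original article or any vendor’s tooling: it looks inside a modern Office document (the .docx/.docm zip container) for a VBA project before anyone opens it. The two sample documents are constructed in the code and stand in for a real attachment.

```python
"""Flag Office Open XML documents (.docx/.docm/.xlsm ...) that carry a VBA
project, so a macro-bearing attachment can be quarantined before it is opened.
Added example; sample documents below are constructed, not real attachments."""
import io
import zipfile

MACRO_PARTS = ("vbaProject.bin", "vbaData.xml")
MACRO_CT = "application/vnd.ms-office.vbaProject"


def has_vba(data: bytes) -> bool:
    """Return True if the OOXML container holds a VBA project part.
    Checks both the part names and the [Content_Types].xml declaration,
    so a renamed part is still caught when it is declared there."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.rsplit("/", 1)[-1] in MACRO_PARTS for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CT in types_xml
    except zipfile.BadZipFile:
        return False  # not an OOXML container (legacy .doc or something else entirely)
    return False


def _build_doc(macro: bool) -> bytes:
    """Constructed minimal OOXML document; macro=True adds a stub VBA part."""
    ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    ct += '<Default Extension="xml" ContentType="application/xml"/>'
    if macro:
        ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/>'
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


CLEAN_DOC = _build_doc(macro=False)   # plain document, no macros
MACRO_DOC = _build_doc(macro=True)    # document with a VBA project part

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOC), ("macro", MACRO_DOC)):
        print(f"{label}: has_vba={has_vba(blob)}")
```

A hit does not prove the file is malicious, only that it can run code when opened; legacy binary .doc files are a different container and are not covered by this check.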
Crash Course In Privacy Engineering
Pseudonymity and Context Dependency: The Implications for Privacy Engineering, Privacy Association, March 9, 2015
(Dr. Oliver’s post, The Semantics of PII, is covered in the next item.) “Dr. Ian Oliver, in his excellent post ‘The Semantics of PII,’ [PII = Personally Identifiable Information] mentions the inherent difficulty in ascertaining whether a particular network or hardware address is PII, given the number of different contexts in which this kind of information is transmitted or collected, some of which may raise privacy concerns and some of which may not.” Steve Rosa theorizes that “common safeguards deployed to achieve pseudonymity—the state of being non-PII—can, in fact, be easily defeated, based on a consideration of all the contexts in which a particular piece of information is collected.”
Note: I will explore this topic later, as a separate post in Tech Talk Translated, as it will require a more thorough explanation. I merely wanted to bring it to your attention, because it’s really cool. However, in the meantime, Dr. Oliver’s post itself is worth a quick summary. Both are, of course, great to read, but for even me to understand them, I had to get a crash course in the engineering from my father, who builds networks. But seriously, if you can parse through it, props!
The Semantics of PII, Privacy Association, Feb. 26, 2015
Dr. Oliver wrote in response to Profs. Peter Swire’s and Annie Antón’s Privacy Perspectives, written last year. His post essentially boils down to: “Somewhere between [Privacy Law and Mathematics] . . . lies software engineering, the discipline that actually implements privacy law into our systems, in ostensibly mathematical (programming language) terms. Software engineers, much to the chagrin of privacy lawyers, do not understand legal terms. Well, ok, they do to a point, but you try coding a statement such as “reasonable privacy” into C++ or Java!”
Note: Well said! Now, for the cliff’s cliff’s notes of the crash course in the engineering I got from my father this morning: (fun fact) The “web” and the “Internet” are actually two separate things.
And my father gave a great analogy for this: Think of a book. The Internet is the paper, the glue, and the ink; all necessary for creating the book. But the “web” is the content (the actual words on the page) inside of the book. The privacy engineers have worked their butts off over the years to make opening the book as hard as possible. Everyone cares a lot about making opening the book as hard as possible. But no one has focused on writing the book in Pig Latin. PGP (Pretty Good Privacy) took a stab, but the issue with PGP is that it’s too hard for the average user to implement, so no one really uses it. So until we tell the privacy engineers that they need to focus on writing the book in Pig Latin, the second that user credentials are compromised (Target, Anthem, iCloud: all cases where user passwords were hacked using key loggers), and anyone can open the book, all of your PII is exposed, and… well… you’re toast.
Also, I would like my new job title to be “grand chief-overseer-of-the-worshipful-court-of-privacy-dudes” – one of the job titles which Dr. Oliver jokingly references – please and thank you.
Just Sort of an FYI:
You have the right to bear arms, not “electrical” arms, court declares, Ars Technica, March 8, 2015
“Ruling comes as all types of weapons are being constructed in homes via 3D printers”
Note: Be careful, and pay attention to new law, if you’re using new tech.